Launch the site-to-site VPN wizard by clicking on the Create VPN Site-to-Site Connection task in the right-hand pane. When the wizard launches, it asks for a site-to-site network name; this name should match the name of the user account that you created earlier. After entering the name, press the Next button. On the next screen. select the VPN protocol to be used—in my example, this is L2TP over IPsec. Press Next and the wizard helpfully warns you that a user account matching the network name must be available—since you were careful and did this, you can just press OK to get to the next screen.
Now you have to create an IP address pool. You have two choices here: you can either create a static address pool on the ISA Server or you can use your existing DHCP server to handle address assignment. Since both methods are acceptable, your decision should be guided by your company’s procedures as they relate to this particular option. The screen now asks you to input the remote server name. Enter the fully qualified domain name (FQDN) of the remote server and then enter the user credentials for the connection. Remember that you have to enter the user account information you created on the remote ISA Server.
On the next screen, select the outgoing authentication method. (As I mentioned earlier, it is always preferable to use a certificate.) Then, input the IP address range being used on the internal network at the remote site.
After this, if you are using ISA Server 2006 Enterprise Edition, the wizard will allow you to configure the Network Load Balancing dedicated IP addresses of the remote site. If you are using ISA Server 2006 Standard Edition, skip the load-balancing step and go directly to the next screen , which is where you create the network rule used to route traffic from the remote site to the local network.
You also have to create an access rule, which is the next step in the process. When you configure the access rule, there are three options for allowing protocols to be used—you can choose to allow all outbound traffic, allow all outbound traffic with the exception of certain protocols, or allow only certain protocols. In most situations you’ll want to select the all outbound traffic option.
You’re nearly finished. At this point, the wizard will present a summary of your configuration and once you press the Finish button, the Site-to-Site VPN connection will be created. You will receive a dialog indicating that a system policy rule needs to be enabled for Certificate Revocation List downloads—press Yes to enable this rule. The wizard will then provide information about any additional configuration steps that may be needed. After completing the configuration of ISA Server at the main site, you need to follow all the same steps to configure the remote site. Once both steps have been completed, users at both sites will be able to communicate across the VPN.
Remote Access VPN Connection
The first step is to select VPN in the left-hand pane of the ISA Server administration console. Then select the Enable VPN Client Access task in the right-hand pane. You will receive a warning that this may cause the Routing and Remote Access service to restart. (Since this can cause connection issues, you may want to implement this change during a scheduled maintenance window.) Click OK to proceed past this warning; ISA Server enables a system policy that allows VPN client traffic to access the ISA Server. You can view this rule by selecting Firewall Policy in the ISA Server administration console and then selecting the Show System Policy Rules task.
A default network rule is also enabled to allow routing between the internal network and the two VPN networks (VPN Clients and Quarantined VPN Clients). This network rule can be viewed or edited by selecting Networks in the left pane and then opening the Network Rules tab in the center pane.
Now you have to configure VPN client access. There are three additional parameters that need to be configured: the Windows Security Groups that are permitted access, the protocols that may be used by the clients, and user mapping.
The Groups tab simply requires that you select which Windows groups should be allowed remote access via VPN. From an administration perspective, I think it’s a good idea to create a single group to which permission is given. This makes it very easy to manage remote access.
The Protocols tab shows that only PPTP is enabled by default. You should definitely enable L2TP over IPsec if this is at all feasible in your environment.
User Mapping lets you map user accounts from namespaces, such as Remote Authentication Dial-In User Service (RADIUS), to Windows accounts to ensure that access policies are applied correctly. Once you have completed these configuration options and applied the changes to ISA Server you are finished. Clients should now be able to seamlessly access your internal network data and applications using a VPN connection.
Enhancements to ISA Server 2006
ISA Server 2006 introduces a number of enhancements that increase its power and performance over previous versions. These features—which include HTTP compression, Background Intelligent Transfer Service (BITS) support, and Quality of Service (QoS)—provide various techniques for optimizing network usage. Of course, even with these techniques, you should also continue to use common bandwidth optimization technologies that are core to ISA Server, including caching.
HTTP compression has been supported in various Microsoft products for some time now—it’s been in Internet Explorer® since version 4 and Windows Server since Windows® 2000. However, this is the first version of ISA Server to support HTTP compression as well as the industry standard GZIP and Deflate algorithms.
What does this mean? With support for HTTP compression, a Web browser that complies with HTTP 1.1 can request compressed content from any Web site. Remember, though, that only the responses are compressed, not the initial outgoing connections from the client.
HTTP compression is a global HTTP policy setting that applies to all HTTP traffic that passes through ISA Server, as opposed to being associated with a specific network rule. You do, however, have the option of implementing HTTP compression on a per-listener basis; this is configured through the Web Listener wizard.
HTTP compression, which can be accessed through the General option in the left-hand pane, is enabled by default. You have to configure the network elements where compression should be used. Continuing with the site-to-site VPN example, you need to select the Return Compressed Data tab and add the Site VPN network element that you created earlier. At this point you also have the option of configuring which content types should be compressed. ISA Server 2006 comes with a list of standard content types, but you can add custom content types through the Firewall Policy task pane on the Toolbox tab. Remember that the Return Compressed Data tab refers to ISA Server compressing the data before it is returned to the client. In order to have ISA Server request that a Web server handle the compression of data before the data is sent to ISA Server, you need to use the Request Compressed Data tab.
Background Intelligent Transfer System is an asynchronous file transfer service for HTTP and HTTPS traffic. Windows Server 2003 includes BITS version 1.5, which supports downloads and uploads, though uploads also require Internet Information Services (IIS) version 5.0 or higher. As an intelligent file transfer service, BITS has the ability to examine network traffic and use only the idle portion of your network bandwidth. In addition, the file transfer is dynamic and BITS will respond to spikes in normal network traffic by throttling back its network usage. The advantage here is that BITS ensures that downloads and uploads of large files will not negatively impact other network usage. From an administrator’s perspective, this means you should receive far fewer calls complaining about poor network performance. Good news!
BITS offers other benefits that can improve the user experience and make for better network performance. For instance, a file transfer that uses BITS is binary, meaning BITS can resume file transfers (without starting from scratch) that have been interrupted by such factors as a network outage. And ISA Server 2006 includes built-in support for a Microsoft Update caching feature that uses BITS caching to optimize updates.
The Differentiated Services (DiffServ) protocol enables packet prioritization (or QoS) for HTTP and HTTPS traffic. In other words, depending on your ISA Server configuration, certain traffic will receive priority. This is useful on networks that have limited bandwidth, either due to traffic volume or network connection speed. According to the Internet Engineering Task Force (IETF), DiffServ is a class-based traffic management mechanism. Thus, DiffServ can differentiate between types of traffic and manage them accordingly, ensuring that high-priority traffic gets preference.
To provide this feature, ISA Server works in conjunction with routers that support QoS. It is important to ensure that ISA Server DiffServ bits match the priorities on your routers if you want the packets to be routed with the same prioritization.
As implemented in ISA Server, this type of packet prioritization is an HTTP policy setting that is global and is applied to all HTTP traffic that passes through ISA Server 2006 using a DiffServ Web filter. This means that ISA Server does not support DiffServ for other protocols and may, in fact, drop existing DiffServ bits on non-HTTP traffic.
. It is important that you not change the default settings or the priority order of the DiffServ filter due to the need for ISA Server to inspect the size of request/response at the time it is processed.
The DiffServ filter is not enabled by default. To enable the filter, simply select the Enable Selected Filters in the Tasks pane and then configure the filter. Since the DiffServ packet prioritization in ISA Server is based on either specific URLs or domains, you need to add this information to the DiffServ preferences. To do this, select General in the left pane of the management console and then, under Global HTTP Policy Settings, select Specify DiffServ Preferences. When you specify these preferences, you must define the priorities and the URLs and domains that should be prioritized. ISA Server 2006 provides powerful new capabilities for setting up remote access for VPN clients or creating site-to-site VPNs. It should be at the top of your list when considering which VPN solution to implement.