Module 8: Configuring Virtual Private Network Access for Remote Clients and Networks
(ISA Server 2004 training deck, 38 slides, flattened to text)
Overview

- Virtual Private Networking Overview
- Configuring Virtual Private Networking for Remote Clients
- Configuring Virtual Private Networking for Remote Sites
- Configuring VPN Quarantine Control Using ISA Server 2004
Lesson: Virtual Private Networking Overview

- What Is Virtual Private Networking?
- VPN Protocol Options
- VPN Authentication Protocol Options
- VPN Quarantine Control
- Virtual Private Networking Using Routing and Remote Access
- Virtual Private Networking Using ISA Server 2004
- Benefits of Using ISA Server for Virtual Private Networking
What Is Virtual Private Networking?

[Slide diagram: two branch offices, each with its own ISA Server, linked by a VPN]
VPN Protocol Options

Client operating systems supported
  PPTP: Windows 2000, Windows XP, Windows Server 2003, Windows NT Workstation 4.0, Windows ME, or Windows 98
  L2TP/IPSec: Windows 2000, Windows XP, or Windows Server 2003

Certificate support
  PPTP: Requires a certificate infrastructure only for EAP-TLS authentication
  L2TP/IPSec: Requires a certificate infrastructure or a pre-shared key

Security
  PPTP: Provides data encryption (MPPE); does not provide data integrity, so a packet modified in transit is not detected
  L2TP/IPSec: Provides data encryption, data confidentiality, data integrity, data origin authentication, and replay protection

NAT support
  PPTP: To place PPTP-based VPN clients behind a NAT, the NAT device must include a PPTP editor that can translate the GRE-encapsulated tunnel traffic
  L2TP/IPSec: To place L2TP/IPSec-based clients or servers behind a NAT, both client and server must support IPSec NAT-T
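The Security row above says PPTP encrypts but gives no integrity, while L2TP/IPSec adds integrity, origin authentication and replay protection. The following Python program is an added example, not part of the deck or of any Microsoft code: it models both behaviours so the difference is concrete. RC4 is used because MPPE really is RC4; the IPsec side is a simplified model in which HMAC-SHA256 plays the part of the ESP integrity check and a per-packet key derived from the sequence number stands in for ESP's per-packet IV. The keys and the payload are constructed.

```python
"""Encryption without integrity (PPTP/MPPE style) versus encryption with an
integrity tag and replay window (IPsec ESP style).  Added example, not code
from the deck.  RC4 stands in for MPPE's cipher; HMAC-SHA256 and a per-packet
key derived from the sequence number are a simplified model of ESP."""
import hashlib
import hmac


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then keystream XORed over the data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def flip_byte(ct: bytes, offset: int, mask: int) -> bytes:
    """On-path attacker: XOR a mask into one ciphertext byte, no key needed."""
    b = bytearray(ct)
    b[offset] ^= mask
    return bytes(b)


# --- Model A: encrypt only.  Whatever arrives decrypts and is accepted. ---
def mppe_like_send(key: bytes, plaintext: bytes) -> bytes:
    return rc4(key, plaintext)


def mppe_like_recv(key: bytes, ciphertext: bytes) -> bytes:
    return rc4(key, ciphertext)  # no tag to check, so tampering goes unnoticed


# --- Model B: encrypt, authenticate (seq || ct), reject replays. ---
def esp_like_send(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    header = seq.to_bytes(4, "big")
    ct = rc4(enc_key + header, plaintext)   # per-packet key: never reuse a stream-cipher keystream
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


class EspLikeReceiver:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.seen = set()                      # sequence numbers already accepted

    def receive(self, packet: bytes) -> bytes:
        header, ct, tag = packet[:4], packet[4:-32], packet[-32:]
        expected = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        seq = int.from_bytes(header, "big")
        if seq in self.seen:
            raise ValueError("replay detected")
        self.seen.add(seq)
        return rc4(self.enc_key + header, ct)


MSG = b"transfer 0100 USD to acct 42"   # constructed sample payload
KEY = b"sixteen byte key"               # constructed; real MPPE keys derive from MS-CHAP
MAC_KEY = b"another sixteenB"           # constructed


def mppe_demo() -> bytes:
    """Turn the '0' at payload offset 9 into a '9' without knowing the key."""
    ct = mppe_like_send(KEY, MSG)
    tampered = flip_byte(ct, 9, ord("0") ^ ord("9"))
    return mppe_like_recv(KEY, tampered)         # b"transfer 9100 USD to acct 42"


def esp_demo() -> tuple:
    """Same tampering, plus a replay, against the authenticated model."""
    rx = EspLikeReceiver(KEY, MAC_KEY)
    pkt = esp_like_send(KEY, MAC_KEY, 1, MSG)
    first = rx.receive(pkt)                     # legitimate packet decrypts
    tampered_result = replay_result = None
    try:
        rx.receive(flip_byte(pkt, 4 + 9, ord("0") ^ ord("9")))
    except ValueError as e:
        tampered_result = str(e)
    try:
        rx.receive(pkt)                         # exact copy of an accepted packet
    except ValueError as e:
        replay_result = str(e)
    return first, tampered_result, replay_result


if __name__ == "__main__":
    print(mppe_demo())
    print(esp_demo())
```

The point of the first model is that a stream cipher maps ciphertext bits onto plaintext bits one for one, so an attacker who can guess the layout of a packet can change its content without the key; a receiver with only decryption cannot tell. The second model rejects the same modification and the replay before decrypting anything.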
VPN Authentication Protocol Options

PAP
  Uses plaintext passwords and is the least secure authentication protocol
SPAP
  Uses a reversible encryption mechanism employed by Shiva remote access servers
CHAP
  Requires passwords stored by using reversible encryption (the server must recover the clear-text password to recompute the MD5 challenge response)
  Compatible with Macintosh and UNIX-based clients
  Data cannot be encrypted (CHAP does not yield MPPE session keys)
MS-CHAP
  Does not require that passwords be stored by using reversible encryption
  Encrypts data
MS-CHAPv2
  Performs mutual authentication
  Data is encrypted by using separate session keys for transmitted and received data
EAP-TLS
  Most secure remote authentication protocol
  Enables multifactor authentication (for example, certificates on smart cards)
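To make the PAP and CHAP rows concrete, here is the RFC 1994 CHAP computation in Python. It is an added example, not taken from the deck, and it demonstrates the two properties behind the table's wording: the authenticator needs the clear-text secret for every challenge (which is why CHAP forces reversibly encrypted password storage), and an eavesdropper who captures one challenge/response pair can test password guesses offline. PAP is worse still, since the password itself crosses the wire. MS-CHAPv2's mutual authentication is not implemented here. The user name, secret and wordlist are constructed.

```python
"""RFC 1994 CHAP, as an added example (not from the deck).  Shows why the
authenticator must hold the clear-text secret and why a passive sniffer can
attack a captured exchange offline.  Credentials and wordlist are constructed."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side.  Note the storage requirement: the secret itself (or a
    reversibly encrypted copy) has to be on hand to verify any challenge."""

    def __init__(self, users: dict):
        self.users = users       # name -> clear-text secret

    def challenge(self) -> tuple:
        """Fresh identifier and 16-byte challenge for one exchange."""
        return os.urandom(1)[0], os.urandom(16)

    def verify(self, name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self.users.get(name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class ChapPeer:
    """Client side: proves knowledge of the secret without sending it."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)


def offline_dictionary_attack(identifier, challenge, response, wordlist):
    """Passive attacker holding one captured Challenge/Response pair.  No further
    contact with the server is needed: each guess costs one MD5 computation."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


def run_exchange(identifier=None, challenge=None) -> tuple:
    """One full authentication, then an offline attack on the sniffed values."""
    server = ChapAuthenticator({"alice": b"Winter2004"})     # constructed
    client = ChapPeer("alice", b"Winter2004")
    if identifier is None:
        identifier, challenge = server.challenge()
    response = client.respond(identifier, challenge)          # what a sniffer sees
    ok = server.verify("alice", identifier, challenge, response)
    wordlist = [b"password", b"Summer2004", b"Winter2004"]     # constructed
    cracked = offline_dictionary_attack(identifier, challenge, response, wordlist)
    return ok, cracked


if __name__ == "__main__":
    print(run_exchange())
```

Nothing in this exchange proves to the client that the challenger is the real server, so a rogue access point can collect responses at will; that gap is what MS-CHAPv2's mutual authentication and EAP-TLS's server certificate close.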
VPN Quarantine Control

VPN Quarantine Control:
- Enables screening of VPN client machines before granting them access to the organization's network
- Uses a client script that analyzes the security configuration of the remote access client
- VPN clients connecting to ISA Server with approved security configurations are moved from the Quarantined VPN Clients network to the VPN Clients network
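A small Python model of the quarantine flow, added here as an example and not the Microsoft quarantine components: the client-side function is the kind of check a quarantine script performs, and the server class models what ISA Server does with the outcome, including the quarantine timeout after which a client that never reports compliance is disconnected. In the product the script invokes rqc.exe, which reports a script version string to the listener on the ISA Server; here that report is modelled by notify(). The policy thresholds, client states, network names used as constants and the version string are constructed assumptions.

```python
"""Model of ISA Server 2004 VPN quarantine, added as an illustration (not
Microsoft's rqc/rqs code).  check_client() is the client-script side;
QuarantineServer is the ISA-side state machine with the timeout.
Policy values, client states and the version string are constructed."""
from dataclasses import dataclass

QUARANTINED = "Quarantined VPN Clients"
RELEASED = "VPN Clients"
DISCONNECTED = "disconnected"


@dataclass
class ClientState:                     # what the client script can read locally
    firewall_enabled: bool
    av_signature_age_days: int
    missing_critical_updates: int
    script_version: str                # the string the script would report


POLICY = {"max_signature_age_days": 7, "max_missing_updates": 0}   # constructed


def check_client(state: ClientState) -> list:
    """Client-side script logic: return the failed checks (empty list == pass)."""
    failures = []
    if not state.firewall_enabled:
        failures.append("host firewall disabled")
    if state.av_signature_age_days > POLICY["max_signature_age_days"]:
        failures.append("antivirus signatures older than %d days"
                        % POLICY["max_signature_age_days"])
    if state.missing_critical_updates > POLICY["max_missing_updates"]:
        failures.append("%d critical updates missing" % state.missing_critical_updates)
    return failures


class QuarantineServer:
    """ISA-side view.  A connecting client lands in quarantine; it is released
    only by a notification carrying an accepted script version received before
    the timeout, and it is disconnected once the timeout passes unreleased."""

    def __init__(self, timeout_seconds: int, accepted_versions: set):
        self.timeout = timeout_seconds
        self.accepted = accepted_versions
        self.sessions = {}             # client -> (network, connect_time)

    def connect(self, client: str, now: float) -> str:
        self.sessions[client] = (QUARANTINED, now)
        return QUARANTINED

    def notify(self, client: str, version: str, now: float) -> str:
        network, started = self.sessions[client]
        if network != QUARANTINED:
            return network
        if version not in self.accepted or now - started > self.timeout:
            return network                     # stays quarantined
        self.sessions[client] = (RELEASED, started)
        return RELEASED

    def tick(self, now: float) -> list:
        """Enforce the timeout; returns the clients dropped on this pass."""
        dropped = []
        for client, (network, started) in list(self.sessions.items()):
            if network == QUARANTINED and now - started > self.timeout:
                self.sessions[client] = (DISCONNECTED, started)
                dropped.append(client)
        return dropped

    def network_of(self, client: str) -> str:
        return self.sessions[client][0]


def client_connect_flow(server: QuarantineServer, name: str, state: ClientState, now: float):
    """Client connects, runs its checks and notifies only when everything passed."""
    server.connect(name, now)
    failures = check_client(state)
    if not failures:
        server.notify(name, state.script_version, now + 5)   # a few seconds later
    return failures, server.network_of(name)


def demo() -> tuple:
    srv = QuarantineServer(timeout_seconds=120, accepted_versions={"corp-q-1.2"})
    healthy = ClientState(True, 2, 0, "corp-q-1.2")      # constructed
    stale = ClientState(True, 30, 3, "corp-q-1.2")       # constructed
    a = client_connect_flow(srv, "laptop-a", healthy, now=0)
    b = client_connect_flow(srv, "laptop-b", stale, now=0)
    dropped = srv.tick(now=200)           # past the 120-second timeout
    return a, b, dropped, srv.network_of("laptop-b")


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real deployment: the release decision is taken on the server, from a report the client sends, so the report and the script producing it are trust boundaries worth protecting; and the timeout is what stops a non-compliant client from sitting in the quarantine network indefinitely, which matters because that network still has whatever access rules you granted it for remediation.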
Virtual Private Networking Using Routing and Remote Access

RRAS supports:
- Remote access policies that define remote access connections and connection parameters
- Connection Manager components to simplify the configuration of remote access clients
- RADIUS servers for authentication and the centralization of remote access policies
- VPN quarantine control to restrict network access to quarantined clients
- Packet filtering for securing VPN and network quarantine connections
Virtual Private Networking Using ISA Server 2004

ISA Server enables VPN access:
- Including remote client VPN access for individual clients and site-to-site VPN access to connect multiple sites
- By enabling VPN-specific networks including:
  - VPN Clients network
  - Quarantined VPN Clients network
  - Remote-site networks
- By using network and access rules to limit network traffic between the VPN networks and the other networks defined on servers running ISA Server
- By extending RRAS functionality
Benefits of Using ISA Server for Virtual Private Networking

Connection security
  ISA Server uses firewall access policies to inspect and filter all traffic from VPN clients
Performance
  ISA Server is optimized to enforce complex security requirements on VPN connections
Quarantine control for Windows 2000
  VPN quarantine is not available in Windows 2000 RRAS but can be enabled with ISA Server 2004 on Windows 2000
Logging and monitoring
  ISA Server can log all VPN connections and enables live monitoring of VPN connections
IPSec tunnel-mode stateful inspection
  Enables stateful inspection to enforce user/group, site, computer, protocol, and application-layer access controls for IPSec tunnel-mode traffic
Enhanced protection
  ISA Server is protected by firewall access policy on all interfaces
Lesson: Configuring Virtual Private Networking for Remote Clients

- VPN Client Access Configuration Options
- How to Enable and Configure VPN Client Access
- Default VPN Client Access Configuration
- How to Configure VPN Address Assignment
- How to Configure VPN Authentication
- How to Configure Authentication Using RADIUS
- How to Configure User Accounts for VPN Access
- How to Configure VPN Connections from Client Computers
VPN Client Access Configuration Options

[Screenshot: ISA Server Management console. Click the Virtual Private Networks (VPN) node to access the VPN client access configuration options.]
How to Enable and Configure VPN Client Access
Use user mapping to apply firewall policies to users who do not use Windows authentication.
Default VPN Client Access Configuration

System policy rules
  The system policy rule that allows the use of PPTP, L2TP, or both is enabled
VPN access network
  ISA Server listens for VPN client connections only on the External network
VPN protocols
  Only PPTP is enabled for VPN client access
Network rules
  A route relationship between the VPN Clients network and the Internal network
  A NAT relationship between the VPN Clients network and the External network
Firewall access rules
  No firewall access rules are enabled, so VPN clients can reach nothing until you create one
Remote access policy
  The default policy requires MS-CHAP v2 authentication
How to Configure VPN Address Assignment

- Configure static IP address assignment or DHCP
- Configure DNS and WINS servers using DHCP or manually
How to Configure VPN Authentication

- Accept the default (MS-CHAP v2) for secure authentication
- Configure EAP for additional security
- Configure less secure options only if required for client compatibility
How to Configure Authentication Using RADIUS

- Enable RADIUS for authentication and accounting, and then configure a RADIUS server (its address and the shared secret)
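The RADIUS step above hides a protocol detail worth seeing once: the shared secret you enter on both sides is what protects the exchange between the ISA Server (acting as the RADIUS client, or NAS) and the RADIUS server. The Python program below, an added example and not ISA Server or IAS code, implements the RFC 2865 Access-Request / Access-Accept exchange to show the two places the secret is used: hiding the User-Password attribute in the request, and the Response Authenticator that lets the NAS reject an Accept forged by someone who does not know the secret. It uses the PAP-style User-Password attribute for brevity; RRAS with MS-CHAP v2 instead carries the challenge and response in Microsoft vendor-specific attributes, which are not shown. The user name, password and secret are constructed.

```python
"""RFC 2865 RADIUS Access-Request / Access-Accept, added as an example (not
ISA Server or IAS code).  Demonstrates User-Password hiding and Response
Authenticator verification with the shared secret.  Credentials constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret || c_(i-1)),
    with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, b))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type(1) Length(1, includes the 2 header bytes) Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(secret, identifier, username, password, request_auth=None):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    ra = request_auth or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(secret, ra, password.encode()))])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def build_response(secret, request, code, attrs=b""):
    """Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attrs || Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(secret, request, response) -> bool:
    """What the NAS must do before honouring an Accept."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def radius_server(secret, users, request):
    """Minimal server: recover the password and answer Accept or Reject."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return build_response(secret, request, ACCESS_REJECT)
    attrs = decode_attrs(request[20:])
    user = attrs.get(USER_NAME, b"").decode()
    pw = reveal_password(secret, request[4:20], attrs.get(USER_PASSWORD, b""))
    ok = user in users and hmac.compare_digest(users[user].encode(), pw)
    return build_response(secret, request, ACCESS_ACCEPT if ok else ACCESS_REJECT)


def demo() -> tuple:
    secret, users = b"vpn-radius-shared", {"alice": "Winter2004"}   # constructed
    req = build_access_request(secret, 42, "alice", "Winter2004")
    resp = radius_server(secret, users, req)
    forged = build_response(b"attacker-guess", req, ACCESS_ACCEPT)   # wrong secret
    return resp[0], verify_response(secret, req, resp), verify_response(secret, req, forged)


if __name__ == "__main__":
    print(demo())        # (2, True, False)
```

The password hiding is MD5-based XOR keyed by the secret, so a weak or shared-across-many-NAS secret exposes every password that crosses that link; and since the Response Authenticator is the only thing binding an Accept to the request, a NAS that skips verify_response() will accept any spoofed Accept addressed to it.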
How to Configure User Accounts for VPN Access

- Configure dial-in and VPN access permissions on the user account
How to Configure VPN Connections from Client Computers

Practice: Configuring VPN Access for Remote Clients
- Configuring VPN access on ISA Server
- Configuring user account dial-in permissions
- Configuring and testing a VPN client configuration

[Lab diagram: Gen-Clt-01 connects across the Internet to Den-ISA-01, which fronts Den-DC-01]
Lesson: Configuring Virtual Private Networking for Remote Sites

- Site-to-Site VPN Access Configuration Components
- About Choosing a VPN Tunneling Protocol
- How to Configure a Remote-Site Network
- Network and Access Rules for Site-to-Site VPNs
- How to Configure the Remote-Site VPN Gateway Server
- How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode
Site-to-Site VPN Access Configuration Components

Choose a VPN protocol
  Choose the protocol based on your security requirements and on what the VPN gateway servers at both ends support
Configure a remote-site network
  The remote-site network includes all IP addresses in the remote site
Configure VPN client access
  VPN client access must be enabled in order to enable site-to-site access
Configure network rules and access rules
  Use access rules or publishing rules to make internal resources accessible to remote office users
Configure the remote-site VPN gateway
  Configure the remote office VPN server to connect to ISA Server and to accept connections from ISA Server
About Choosing a VPN Tunneling Protocol

IPSec Tunnel Mode
  Use to: Connect to non-Microsoft VPN gateways
  Comments: Only option if you are connecting to a non-Microsoft VPN server; requires certificates or pre-shared keys
L2TP over IPSec
  Use to: Connect to ISA Server or Windows RRAS VPN gateways
  Comments: Requires a user name and password plus certificates or pre-shared keys for authentication
PPTP
  Use to: Connect to ISA Server or Windows RRAS VPN gateways
  Comments: Requires a user name and password for authentication; less secure than L2TP over IPSec
How to Configure a Remote-Site Network

VPN protocol
  Choose the tunneling protocol that you will use to connect to the remote site
Remote VPN server
  Enter the server name or IP address of the VPN gateway server in the remote site
Remote authentication
  Enter the user name and password that will be used to initiate a VPN connection to the remote-site VPN gateway server
L2TP/IPSec authentication
  If required, configure a pre-shared key that will be used to authenticate the computers when creating the tunnel
Network address
  Configure the IP address ranges for all of the computers in the remote-site network
Network and Access Rules for Site-to-Site VPNs

To enable network traffic across a site-to-site VPN:
- Two system policy rules are enabled:
  - Allow VPN site-to-site traffic to ISA Server
  - Allow VPN site-to-site traffic from ISA Server
- Create a network rule for the remote-site network (a route or NAT relationship); without one, ISA Server drops the traffic regardless of any access rule
- Configure access rules or publishing rules enabling or restricting network access:
  - For full access, allow all protocols through ISA Server
  - For limited access, configure access rules or publishing rules that define the allowed network traffic
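The Default VPN Client Access Configuration table and the site-to-site rules above both rest on the same two evaluation steps: a network rule must define a route or NAT relationship between the two networks, and then the ordered access rules decide, with the Default rule denying whatever nothing else matched. This Python model, added here and not ISA Server's own engine, runs both scenarios: the default install, where the VPN Clients network rule exists but no access rule does, and a remote-site network before and after its network rule is created. The address ranges (the VPN Clients range stands for whatever static pool or DHCP scope you assigned), rule names and sample packets are constructed.

```python
"""Model of ISA Server 2004 policy evaluation, added as an illustration (not
ISA's engine): network rule first, then ordered access rules, then Default
rule deny.  Address ranges, rule names and packets are constructed."""
from ipaddress import ip_address, ip_network

NETWORKS = {                                   # constructed ISA network definitions
    "Internal": [ip_network("10.0.0.0/24")],
    "VPN Clients": [ip_network("10.0.5.0/24")],
    "Branch Office": [ip_network("10.1.0.0/24")],   # a remote-site network
}


def network_of(ip: str) -> str:
    """External is everything not defined as some other network."""
    addr = ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in r for r in ranges):
            return name
    return "External"


# Network rule: (name, source networks, destination networks, "Route" | "NAT")
DEFAULT_NETWORK_RULES = [
    ("VPN Clients to Internal Network", {"VPN Clients"}, {"Internal"}, "Route"),
    ("Internet Access", {"Internal", "VPN Clients"}, {"External"}, "NAT"),
]

# Access rule: (name, action, protocols, source networks, destination networks);
# protocols is "all" or a set of (proto, port) tuples; list order is significant.


def evaluate(packet: dict, network_rules, access_rules) -> dict:
    src_net, dst_net = network_of(packet["src"]), network_of(packet["dst"])
    relationship = next((r[3] for r in network_rules
                         if src_net in r[1] and dst_net in r[2]), None)
    if relationship is None:
        return {"action": "deny", "reason": "no network rule for %s -> %s" % (src_net, dst_net)}
    for name, action, protocols, sources, dests in access_rules:
        if src_net in sources and dst_net in dests and \
           (protocols == "all" or (packet["proto"], packet["port"]) in protocols):
            return {"action": action, "reason": name, "relationship": relationship}
    return {"action": "deny", "reason": "Default rule", "relationship": relationship}


RDP = {("tcp", 3389)}
PKT_VPN_RDP = {"src": "10.0.5.10", "dst": "10.0.0.20", "proto": "tcp", "port": 3389}
PKT_VPN_SMB = {"src": "10.0.5.10", "dst": "10.0.0.20", "proto": "tcp", "port": 445}
PKT_BRANCH = {"src": "10.1.0.7", "dst": "10.0.0.20", "proto": "tcp", "port": 80}


def default_install() -> dict:
    """Default VPN client configuration: network rule present, no access rules."""
    return evaluate(PKT_VPN_RDP, DEFAULT_NETWORK_RULES, [])


def with_client_rule() -> tuple:
    """One narrow access rule: RDP passes, everything else still hits Default rule."""
    rules = [("Allow RDP from VPN clients", "allow", RDP, {"VPN Clients"}, {"Internal"})]
    return (evaluate(PKT_VPN_RDP, DEFAULT_NETWORK_RULES, rules),
            evaluate(PKT_VPN_SMB, DEFAULT_NETWORK_RULES, rules))


def site_to_site() -> tuple:
    """Remote-site network before and after its network rule exists; the
    allow-all access rule alone is not enough."""
    allow_all = [("Allow all from Branch Office", "allow", "all", {"Branch Office"}, {"Internal"})]
    before = evaluate(PKT_BRANCH, DEFAULT_NETWORK_RULES, allow_all)
    branch_rule = ("Branch Office to Internal", {"Branch Office"}, {"Internal"}, "Route")
    after = evaluate(PKT_BRANCH, DEFAULT_NETWORK_RULES + [branch_rule], allow_all)
    return before, after


if __name__ == "__main__":
    print(default_install())
    print(with_client_rule())
    print(site_to_site())
```

Two practical consequences fall out of the model: a freshly enabled VPN that "connects but nothing works" is usually the Default rule doing its job rather than a tunnel fault, and an access rule that looks right can still be dead because the network rule for that pair of networks was never created.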