Module 5: Configuring Access for Remote Clients and Networks

Contents
Overview
VPN Overview
Configuring VPNs
Lab A: Configuring Virtual Private Networks
Review
© 2001 Microsoft Corporation. All rights reserved.
Instructional Designer: Victoria Fodale (Azwrite LLC)
Technical Lead: Joern Wettern (Independent Contractor)
Program Manager: Robert Deupree Jr.
Product Manager: Greg Bulette
Lead Product Manager, Web Infrastructure Training Team: Paul Howard
Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui,
Ron Mondri, Thomas W. Shinder, Bill Stiles (Applied Technology Services), Kent Tegels,
Oren Trutner
Graphic Artist: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editor: Stephanie Edmundson
Copy Editor: Kristin Elko (S&T Consulting)
Production Manager: Miracle Davis
Production Coordinator: Jenny Boe
Production Tools Specialist: Julie Challenger
Production Support: Lori Walker (S&T Consulting)
Test Manager: Peter Hendry
Courseware Testing: Greg Stemp (S&T OnSite)
Creative Director, Media/Sim Services: David Mahlmann
CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart
Instructor Notes
This module provides students with the knowledge and skills to configure
virtual private network (VPN) access.
After completing this module, students will be able to:
• Explain the use of VPNs and Microsoft® Internet Security and Acceleration (ISA) Server 2000.
• Configure VPNs by using ISA Server.
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2159A_05.ppt.
Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the lab.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and provide the answers.
• Read “Using an ISA Server virtual private network,” “Virtual private networks,” “Enterprise Scenario with VPN and Routing,” and “Configure Virtual Private Networks” in ISA Server Help.
• Read Module 6, “Configuring Network Security by Using IPSec,” Module 7, “Configuring Remote Access,” Module 8, “Supporting Remote Access to a Network,” and Module 9, “Extending Remote Access Capabilities by Using IAS,” in Course 2153, Implementing a Microsoft Windows® 2000 Network Infrastructure.
• Read Module 10, “Providing Secure Access to Remote Offices,” in Course 2150, Designing a Secure Microsoft Windows 2000 Network.
• Read Module 6, “Configuring the Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
Presentation: 30 Minutes
Lab: 30 Minutes
Module Strategy
Use the following strategy to present this module:
• VPN Overview
  Explain that by configuring an ISA Server computer as a VPN server, remote users or remote networks can send data to an internal network across the Internet while maintaining secure communications. Use the animated slide to describe the use of an ISA VPN Server to connect remote users to an internal network. Use the slide graphic to describe the use of an ISA VPN Server to connect remote networks to an internal network. Mention that ISA Server uses the Routing and Remote Access service component of Windows 2000 to create and manage VPNs.
• Configuring VPNs
  Explain that ISA Server includes three taskpads for configuring VPNs: a taskpad to configure a VPN to accept client connections, a taskpad to configure a local VPN, and a taskpad to configure a remote VPN. Ensure that students understand the difference between a local VPN and a remote VPN. Demonstrate the procedure for creating a local VPN and demonstrate the procedure for creating a remote VPN. Emphasize that you must have the .vpc file and the password that were created during the setup of the local ISA VPN Server to configure a remote ISA VPN Server.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on the student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
Important: The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.
Lab Setup
The following list describes the setup requirements for the lab in this module.
Setup Requirement 1
The lab in this module requires that ISA Server be installed on all ISA Server computers. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Perform a full installation of ISA Server manually.
Setup Requirement 2
The lab in this module requires that the ISA Server administration tools be installed on all ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the ISA Server administration tools manually.
Setup Requirement 3
The lab in this module requires that the Firewall Client be installed on all ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the Firewall Client manually.
Setup Requirement 4
The lab in this module requires that all ISA Server client computers be configured to use the ISA Server computer’s IP address on the private network as their default gateway. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure the default gateway manually.
Setup Requirement 5
The lab in this module requires that Microsoft Internet Explorer be configured on all student computers to use the ISA Server computer as a Web Proxy server. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure Internet Explorer manually.
Setup Requirement 6
The lab in this module requires that Internet Information Services (IIS) be configured on all ISA Server computers to use Transmission Control Protocol (TCP) port 8008 for the default Web site. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure IIS manually.
Setup Requirement 7
The lab in this module requires a protocol rule on the ISA Server computer that allows all members of the Domain Admins group to gain access to the Internet by using any protocol. To prepare student computers to meet this requirement, perform one of the following actions:
• Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Create the rule manually.
Lab Results
Performing the lab in this module introduces the following configuration
changes:
• ISA Server is configured to allow outgoing Point-to-Point Tunneling Protocol (PPTP) connections from internal clients.
• The Administrator account is configured so that it has dial-in permissions.
• The ISA Server computer is configured as a VPN server. This change includes configuring the Routing and Remote Access service, adding Internet Protocol (IP) packet filters in ISA Server, and creating a user account.
• The Routing and Remote Access service is configured with a static IP address range for VPN connections.
• On the ISA Server client computers, a new network connection called Virtual Private Connection is created.
Overview
• VPN Overview
• Configuring VPNs
***** ILLEGAL FOR NON-TRAINER USE *****
You can configure a Microsoft® Internet Security and Acceleration (ISA)
Server 2000 computer as a virtual private network (VPN) server to allow
remote users, such as employees working away from the office, to gain access
to network resources. You can also configure an ISA Server computer to link
networks by using a VPN, for example a main office and a remote office, so
that computers on remote networks, such as branch offices, can connect.
ISA Management includes taskpads and wizards to help you set up and secure a VPN.
After completing this module, you will be able to:
• Explain the use of VPNs and ISA Server.
• Configure VPNs by using ISA Server.
Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about configuring ISA Server as a VPN server to connect remote users and remote networks to a local network.
VPN Overview
• Understanding VPNs
• Connecting Remote Users to a Corporate Network
• Connecting Remote Networks to a Local Network
ISA Server helps you set up and secure VPN connections for remote users and
remote networks. When a remote user or a remote network communicates with
an ISA Server computer through a VPN tunnel, data is encapsulated before it is
sent across the Internet and de-encapsulated after it arrives. You can use
either the Point-to-Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling
Protocol (L2TP) over Internet Protocol Security (IPSec) to manage tunnels and
encapsulate private data.
Topic Objective: To identify the topics related to using ISA Server to set up a VPN.
Lead-in: ISA Server helps you set up and secure VPN connections.
Understanding VPNs
An ISA VPN Server:
• Extends a Private Network
• Secures Communication
• Can Use PPTP or L2TP
A VPN is an extension of a private network that encompasses links across
public networks, such as the Internet. A VPN secures a connection by
encrypting all network traffic before sending it across the Internet and then
decrypting the traffic when it arrives at the other end of the VPN. Because the
public network transports all VPN traffic in encapsulated form, a VPN
connection is also referred to as tunneling.
By configuring an ISA Server computer as a VPN server, remote users or
computers on remote networks can send data to your internal network across
the Internet while maintaining secure communications. The ISA VPN Server
computer can use either PPTP or L2TP over IPSec to manage tunnels and
encapsulate private data.
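An added example, not part of the original courseware: Python code that shows what "encapsulated form" looks like from the Internet side for the two tunnel types named above, which is what a packet filter on the external interface has to recognize and admit. The function names and the sample packets are constructed for illustration, and the protocol numbers and ports come from the PPTP and IPSec specifications rather than from this module.

```python
import struct

# IP protocol numbers and ports from the PPTP (RFC 2637) and IPSec/IKE specifications.
TCP, UDP, GRE, ESP = 6, 17, 47, 50
PPTP_CONTROL_PORT, IKE_PORT = 1723, 500
PPP_IN_GRE = 0x880B  # GRE protocol type that marks a PPTP data packet


def classify_outer_packet(packet: bytes) -> str:
    """Label one IPv4 packet as a filter on the external interface would see it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    header_len = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[header_len:]
    if proto == ESP:
        return "ipsec-esp"  # L2TP (UDP 1701) travels encrypted inside ESP
    if proto == GRE and len(body) >= 8:
        flags, gre_type, _payload_len, _call_id = struct.unpack("!HHHH", body[:8])
        # PPTP uses enhanced GRE: the version field (low 3 bits) is 1.
        if (flags & 0x0007) == 1 and gre_type == PPP_IN_GRE:
            return "pptp-data"
        return "other-gre"
    if proto in (TCP, UDP) and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        if proto == TCP and PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control"
        if proto == UDP and IKE_PORT in (sport, dport):
            return "ipsec-ike"
    return "not-vpn"


def ipv4(proto: int, body: bytes) -> bytes:
    """Wrap body in a constructed 20-byte IPv4 header (documentation addresses)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])) + body


# Constructed sample packets; payloads are placeholder bytes, not captured traffic.
SAMPLES = {
    "pptp control": ipv4(TCP, struct.pack("!HH", 49152, 1723) + bytes(16)),
    "pptp tunnel": ipv4(GRE, struct.pack("!HHHHI", 0x3001, PPP_IN_GRE, 4, 7, 1) + bytes(4)),
    "ike": ipv4(UDP, struct.pack("!HHHH", 500, 500, 8, 0)),
    "esp": ipv4(ESP, struct.pack("!II", 0x1000, 1) + bytes(16)),
    "web": ipv4(TCP, struct.pack("!HH", 49153, 80) + bytes(16)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} -> {classify_outer_packet(pkt)}")
```

A PPTP tunnel needs both the TCP control channel and the GRE data packets admitted; an L2TP over IPSec tunnel shows up only as IKE and ESP, because the L2TP traffic itself is inside the encrypted payload.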
ISA Server uses the Routing and Remote Access service component of
Microsoft Windows® 2000 to create and manage VPNs. If your network
requires a VPN configuration that is different from the default configuration
that the Routing and Remote Access service uses, you must perform further
configurations after you have configured the ISA Server computer as a VPN
server. For example, if your network does not use the Dynamic Host
Configuration Protocol (DHCP) to assign Internet Protocol (IP) addresses to
client computers, you must configure the IP addresses that the Routing and
Remote Access service uses for the VPN.
Note: For more information about VPNs, see Module 7, “Configuring Remote
Access,” Module 8, “Supporting Remote Access to a Network,” and Module 9,
“Extending Remote Access Capabilities by Using IAS,” in Course 2153,
Implementing a Microsoft Windows 2000 Network Infrastructure.
Topic Objective: To describe the use of an ISA VPN Server.
Lead-in: A VPN is an extension of a private network that encompasses links across public networks such as the Internet.
Key Points:
• By configuring an ISA Server computer as a VPN server, remote users or remote networks can send data to your internal network across the Internet while maintaining secure communications.
• ISA Server uses the Routing and Remote Access service component of Windows 2000 to create and manage VPNs. You must use the Routing and Remote Access service to change any VPN configuration from the defaults that the Routing and Remote Access service uses.
Connecting Remote Users to a Corporate Network
[Figure: Remote User, Internet, VPN Tunnel, ISA Server Computer, Corporate Network]
VPN connections allow users who work remotely to connect to the corporate
network over a public network, such as the Internet. From the user's
perspective, the infrastructure of the public network is irrelevant because it
appears as if the data is sent over a dedicated private link. To allow client
computers to establish a VPN connection, you must configure the ISA Server
computer to accept VPN client connections.
Topic Objective: To describe the use of ISA Server for connecting remote users to a corporate network.
Lead-in: VPN connections allow users who work remotely to connect to the corporate network over a public network, such as the Internet.
Key Points: To allow client computers to establish a VPN connection, you must configure the ISA Server computer to accept VPN client connections.