IPSec VPN Between 3 Buildings
IPSec VPN Between 3 Buildings - 29.Aug.2007 7:36:19 AM   
stosti
Posts: 136
Joined: 27.Oct.2003
Status: offline
I have 3 buildings.  My main building has a 2003 domain.  I want to connect in two more buildings using ISA 2006 server.  How do I set up the two ISA servers that will be at building 2 and 3?  If I build them in those buildings they will need to be in a workgroup since the domain in building one is not reachable.  Once the buildings are connected I'm going to put a domain controller in building 2 and 3.  Right now there are no servers in either building.

Would I be better off connecting the buildings with a Cisco router or ASA firewall?  What is the downside to having ISA servers in building 2 and 3 that are not Active Directory integrated?

Thanks,
Scott
Post #: 1
RE: IPSec VPN Between 3 Buildings - 29.Aug.2007 8:39:03 AM   
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi Scott,
After all what's the exact problem you are facing?
If I remember correctly you already asked about this design.
Where are you stuck?
What have you tried so far?
Who says that building 2 and 3 will remain in workgroup mode?

(in reply to stosti)
Post #: 2
RE: IPSec VPN Between 3 Buildings - 29.Aug.2007 8:46:59 AM   
stosti
Posts: 136
Joined: 27.Oct.2003
Status: offline
Good Morning,

I'm OK in building one.  In building two I'm not sure what to do with the server.  Workgroup or domain member?  I really have no way to make it a domain member until we are connected...  Do I connect them and then make the ISA server a domain member?  Do I leave the ISA server in a workgroup?  Does it matter that it is in a workgroup since no one will be using it for VPN or OWA?  It's just there to connect the buildings and allow the users to browse the internet.

I have never done this before.  I typically connect the buildings with 2800 series routers.  This takes 5 minutes.  I then put an ISA server behind the router for extra protection.  I looked at the article explaining how to connect an ISA server using IPSec and it looked very complicated!  Do ISA servers work well in this scenario?

Thank You

(in reply to justmee)
Post #: 3
RE: IPSec VPN Between 3 Buildings - 29.Aug.2007 10:23:55 AM   
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Scott,
Well, if you can transport the ISA servers from buildings two and three into building 1 you can do the job there.
If not, you can add them to the domain after you connect.
So connect first.
Make sure you allow the protocols needed from Local Host to the domain controller in building 1 and you give ISA the correct DNS server IP address.
Or you can install an additional domain controller (with DNS server) in building 2 and then use this one for joining ISA.
If they are browsing the Internet then you might want to log the usernames; if so it is good to make ISA a domain member. Maybe add some restrictions based on user names (no messenger for X but OK for Y).
If you do not need any user filtering then you do not need to make ISA a domain member. If ISA is a domain member you can work more easily with certificates, for example from your enterprise CA for ISA. And so on. Check this article to see where your needs fit:
http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html
Why is that so complicated?
You can use a long complicated pre-shared key (known only by you and maybe another network admin) until you join ISA and get a certificate from your Ent CA, or even better you can use an offline machine one for the start phase. Actually you can use a user one for IPsec IKE authentication (don't forget to add the CA certificate to the Trusted Root Store).
Just use the site-to-site VPN wizard and you are done.
Yes, ISA servers work fine.
That full mesh topology is not available (I was never able to get it working). Only the partial one. I think I have read something about this too in Tom's blog.
The hub and spoke one works (I've done this too).
Remember to uncheck "Register this connection's addresses in DNS" on every ISA in RRAS.
Since this is the first time, just give it a go and see what's happening.

(in reply to stosti)
Post #: 4
RE: IPSec VPN Between 3 Buildings - 29.Aug.2007 3:01:17 PM   
stosti
Posts: 136
Joined: 27.Oct.2003
Status: offline
Hi,

Yes I will build them all at building one and then move the servers to building two and three.  I was hoping that this would work.

I understand about local host access to domain controllers.

When I use certificates I buy them...

I plan on using a pre-shared key to begin.  I will buy a certificate later...

Once connected I will have a domain controller in building two and three.  Then they will do local DNS to the internet using forwarders.

Can ISA provide internet DNS?

Thanks,
Scott

(in reply to justmee)
Post #: 5
RE: IPSec VPN Between 3 Buildings - 30.Aug.2007 4:46:47 AM   
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi Scott,
Since you will have a DC in building two and three I suppose that on these DCs you will have an Active Directory integrated DNS. If so, the only thing to do is to configure these DNS servers to use the ISP DNS servers as forwarders. On ISA's internal interface put the IP address of your local DNS server.
You will get good performance this way.
ISA resolves names on behalf of web proxy clients, for example.
Do not install any DNS services on ISA.
Are you having any problems with the ISP DNS servers?
You can build your own DNS forwarders (caching-only DNS servers) on an ISA DMZ network.
I suppose you can install such a DNS server on ISA, but personally I do not like the idea of installing any additional services on ISA. ISA is a firewall and must do what a firewall does.
Why would you need to buy a certificate?
Actually, having your own CA gives you more flexibility and in my opinion more security, since you can customise the certificate to fit your needs (long keys...).
Since you do not publish a web server which will be accessible by, say, the public, you do not need a commercial certificate (you do not worry about the CA being untrusted and thus being MITM-ed).
It is very good to have your own PKI.
I do not advocate the use of pre-shared keys. If you read my previous posts you will find some reasons.
If you use them, make sure they remain secret and they are complicated (not guessable).
Regards!

(in reply to stosti)
Post #: 6
RE: IPSec VPN Between 3 Buildings - 30.Aug.2007 6:09:34 AM   
stosti
Posts: 136
Joined: 27.Oct.2003
Status: offline
Hi,

Yes I will set the DNS servers up as you say.  That has worked well for me in the past.

My ISP DNS servers are fine.

I have never seen the need to publish my own CA.  You can buy a certificate cheap or use a 32 character pre-shared key that no one will know except me.  If you use symbols, numbers, upper case and lower case characters they are virtually impossible to crack.

I have always wanted to set up a terminal server environment.  That I guess would be where I would need a CA?

Regards,
Scott

(in reply to justmee)
Post #: 7
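The thread above turns on whether a pre-shared key is "complicated (not guessable)" and whether a 32-character key drawn from all four character classes is strong enough for IKE authentication. The following is an added example (not from the forum thread or from ISA itself) that generates such a PSK with a cryptographic RNG and scores a candidate key by the entropy it would have if it had been generated randomly from the character classes it uses; the 128-bit threshold and the three-class minimum are assumptions chosen for this example.

```python
import math
import secrets
import string

# Character classes a generated PSK may draw from (the four classes named in the thread).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def classes_present(psk: str) -> int:
    """Number of character classes that appear at least once in the key."""
    return sum(1 for chars in CLASSES.values() if any(c in chars for c in psk))


def psk_entropy_bits(psk: str) -> float:
    """Upper bound on the key's entropy: log2(pool size) per character, where the pool
    is the union of the classes actually present. This assumes the key was generated
    uniformly at random; a human-chosen key such as a dictionary word scores higher
    than its real strength, so the score is only meaningful for generated keys."""
    pool = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in psk))
    return 0.0 if pool == 0 else len(psk) * math.log2(pool)


def psk_is_acceptable(psk: str, min_bits: float = 128.0, min_classes: int = 3) -> bool:
    """Assumed policy for this example: at least min_bits of (generated) entropy and
    at least min_classes character classes, so a long single-class key is rejected."""
    return psk_entropy_bits(psk) >= min_bits and classes_present(psk) >= min_classes


def generate_psk(length: int = 32) -> str:
    """Generate a PSK with the secrets module (CSPRNG), retrying until all four
    classes are present so the key meets the policy above."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if classes_present(psk) == len(CLASSES):
            return psk


if __name__ == "__main__":
    key = generate_psk(32)
    # A 32-character key over the 94-character pool scores 32 * log2(94), about 210 bits.
    print(key, round(psk_entropy_bits(key), 1), psk_is_acceptable(key))
```

The key must still be stored and distributed out of band; the score says nothing about how the key is handled once it is configured on both ISA servers.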