
How to setup VPN on Isa2004

How to setup VPN on Isa2004 - 21.Aug.2012 2:49:14 PM   
jjj0923

 

Posts: 14
Joined: 7.May2010
Status: offline
I have a remote user who would like me to set up a VPN. We're running ISA2004 and I've never set up a VPN before so I need a lot of guidance.

I have 3 network cards in our ISA2004 Server
* One for the external links
* One that goes to a hub where our internet accessible web servers are located
* One that goes to a hub where our office PCs are located.

All computers behind the ISA box are NATed. None of the web servers are configured to their externally broadcast IP address. I have rules set up for each and block certain IP addresses and ranges from any access at all based on observed past behavior and only certain ports are opened up to the web servers.

So - here's what I need. How do I go about setting up a VPN using the existing ISA2004 box? I want the remote user to have access to all of my internal network and my Exchange server (2003) like anyone here in the main office who logs in and is authenticated by my domain controllers.

where do I start?

thanks in advance.

Jeff
Post #: 1
RE: How to setup VPN on Isa2004 - 21.Aug.2012 2:56:58 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Check out http://www.isaserver.org/articles/2004vpnserver.html

HTH,
Stefaan

(in reply to jjj0923)
Post #: 2
RE: How to setup VPN on Isa2004 - 23.Aug.2012 9:52:04 AM   
jjj0923

 

Posts: 14
Joined: 7.May2010
Status: offline
quote:

ORIGINAL: spouseele

Check out http://www.isaserver.org/articles/2004vpnserver.html

HTH,
Stefaan


Ok - I printed and read the article and tried to follow the directions but it all failed right off the bat.

The article refers to the ISA server keeping track of users in groups etc...

My ISA server runs what I would call standalone. It does not need to be logged into my domain controller and does not use the DCs for DNS. I have separate DNS servers that it points to.

Should I change things and have it point to the DCs for DNS and get authenticated by my network so that it has access to my user logins and groups?

In addition, unlike the article, I do not use DHCP or WINS. All of the computers behind my ISA Server are NATed and have static IPs.

thanks in advance.

(in reply to spouseele)
Post #: 3
RE: How to setup VPN on Isa2004 - 23.Aug.2012 3:38:16 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
In my opinion ISA/TMG should be a domain member. For more info why, check out http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html .

Is there a particular reason why you want to have the ISA/TMG in a workgroup?

HTH,
Stefaan

(in reply to jjj0923)
Post #: 4
RE: How to setup VPN on Isa2004 - 23.Aug.2012 4:02:23 PM   
jjj0923

 

Posts: 14
Joined: 7.May2010
Status: offline
quote:

ORIGINAL: spouseele

In my opinion ISA/TMG should be a domain member. For more info why, check out http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html .

Is there a particular reason why you want to have the ISA/TMG in a workgroup?

HTH,
Stefaan


I inherited this setup - no objections personally or professionally

(in reply to spouseele)
Post #: 5
RE: How to setup VPN on Isa2004 - 23.Aug.2012 4:58:21 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
OK. I have no experience running ISA/TMG in a workgroup but I think it is possible to use a locally defined Windows user account or group for the VPN user.

Also, instead of a DHCP server you can configure a local IP pool for the VPN users. If I remember correctly, the DNS/WINS servers defined on the ISA internal interface will then be pushed to the VPN client.

However, take note that you are limited to PPTP as the VPN protocol (L2TP/IPsec requires certificates and hence domain membership) and that the authentication protocol is at best MS-CHAPv2, which is considered broken nowadays (http://arstechnica.com/security/2012/07/broken-microsoft-sheme-exposes-traffic/).

In my opinion, you shouldn't go down that path and should instead require mutual certificate authentication and therefore domain membership for the ISA/TMG server and preferably also for the VPN client.

HTH,
Stefaan

(in reply to jjj0923)
Post #: 6
RE: How to setup VPN on Isa2004 - 29.Aug.2012 9:54:14 AM   
jjj0923

 

Posts: 14
Joined: 7.May2010
Status: offline
OK - I tried to add my ISA firewall to my domain and it keeps failing.

I keep getting "the remote procedure call failed and did not execute"

any ideas why?

I pointed the DNS on that internal network card to my domain controllers. I did not change the default gateway on the internal card - it's blank and always has been.

any ideas to help me?

Short of this, are there any other easy ways to set up a VPN on my network to allow one of my remote users to get access to my network?

this is getting really complex.

(in reply to spouseele)
Post #: 7
RE: How to setup VPN on Isa2004 - 30.Aug.2012 1:38:14 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
You should have joined the box to the domain before installing ISA server.

Create a temporary rule from Local Host to Internal allowing All TCP Outbound for All Users. Once the box is joined remove that rule.

HTH,
Stefaan

(in reply to jjj0923)
Post #: 8
RE: How to setup VPN on Isa2004 - 30.Aug.2012 3:23:58 PM   
jjj0923

 

Posts: 14
Joined: 7.May2010
Status: offline
quote:

You should have joined the box to the domain before installing ISA server.

Create a temporary rule from Local Host to Internal allowing All TCP Outbound for All Users. Once the box is joined remove that rule.

HTH,
Stefaan


I tried this and it did not work - same error as before. I even made it the very first rule and monitored the activity for the rule - nothing traced as I tried to join the domain.

any other ideas?

(in reply to spouseele)
Post #: 9
RE: How to setup VPN on Isa2004 - 30.Aug.2012 5:04:26 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Please post the result of an "ipconfig /all" command on the ISA box as well as on a DC.

HTH,
Stefaan

(in reply to jjj0923)
Post #: 10
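
One way to read the `ipconfig /all` output requested above before retrying the join, as an added example that is not part of the thread: it parses the text and flags the two settings discussed here, which DNS servers each adapter uses and where a default gateway is set. The sample text, adapter names, addresses and the `dc_ips` parameter are constructed assumptions, and the findings are things to review, not a diagnosis of the RPC error.

```python
import re

# Constructed sample in "ipconfig /all" layout; adapter names and addresses are made up.
SAMPLE = """\
Ethernet adapter External:
   IP Address. . . . . . . . . . . . : 203.0.113.10
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       198.51.100.54

Ethernet adapter Internal:
   IP Address. . . . . . . . . . . . : 10.0.0.1
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.5
"""

FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")  # "Label . . . : value"

def parse_ipconfig(text):
    """Return {adapter: {field: [values]}} from 'ipconfig /all' text."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        head = re.match(r"^\S.*adapter (.+):\s*$", line)
        m = FIELD.match(line)
        if head:
            current, last = adapters.setdefault(head.group(1), {}), None
        elif current is None or not line.strip():
            continue
        elif m:
            last = current.setdefault(m.group(1), [])
            if m.group(2):
                last.append(m.group(2).strip())
        elif last is not None:  # unlabeled line continues the previous field
            last.append(line.strip())
    return adapters

def join_findings(adapters, dc_ips):
    """List settings worth reviewing before retrying the domain join."""
    out = []
    gateways = [n for n, a in adapters.items() if a.get("Default Gateway")]
    if len(gateways) > 1:
        out.append("default gateway on more than one adapter: " + ", ".join(gateways))
    for name, a in adapters.items():
        extra = [ip for ip in a.get("DNS Servers", []) if ip not in dc_ips]
        if extra:
            out.append(f"{name}: DNS servers that are not DCs: {', '.join(extra)}")
    if not any(set(a.get("DNS Servers", [])) & set(dc_ips) for a in adapters.values()):
        out.append("no adapter uses a domain controller for DNS")
    return out
```

Calling `join_findings(parse_ipconfig(text), ["<DC address>"])` on the pasted output returns an empty list when every adapter's DNS servers are domain controllers and at most one adapter has a default gateway.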
RE: How to setup VPN on Isa2004 - 31.Aug.2012 7:10:47 AM   
jjj0923

 

Posts: 14
Joined: 7.May2010
Status: offline
thanks for the reply.

I finally gave up on this due to the complexity and went with Hamachi instead.

Had Hamachi up and running in 30 minutes and had my remote user online and rocking.

(in reply to spouseele)
Post #: 11
