How to setup VPN on Isa2004 (Full Version)



jjj0923 -> How to setup VPN on Isa2004 (21.Aug.2012 2:49:14 PM)

I have a remote user who would like me to set up a VPN. We're running ISA2004 and I've never set up a VPN before, so I need a lot of guidance.

I have 3 network cards in our ISA2004 Server:
* One for the external links
* One that goes to a hub where our internet-accessible web servers are located
* One that goes to a hub where our office PCs are located.

All computers behind the ISA box are natted. None of the web servers are configured to their externally broadcast IP address. I have rules setup for each and block certain IP addresses and ranges from any access at all based on observed past behavior and only certain ports are opened up to the web servers.

So - here's what I need. How do I go about setting up a VPN using the existing ISA2004 box? I want the remote user to have access to all of my internal network and my Exchange server (2003), like anyone here in the main office who logs in and is authenticated by my domain controllers.

Where do I start?

Thanks in advance.

Jeff




spouseele -> RE: How to setup VPN on Isa2004 (21.Aug.2012 2:56:58 PM)

Check out http://www.isaserver.org/articles/2004vpnserver.html

HTH,
Stefaan




jjj0923 -> RE: How to setup VPN on Isa2004 (23.Aug.2012 9:52:04 AM)

quote:

ORIGINAL: spouseele

Check out http://www.isaserver.org/articles/2004vpnserver.html

HTH,
Stefaan


Ok - I printed and read the article and tried to follow the directions but it all failed right off the bat.

The article refers to the ISA server keeping track of users in groups, etc.

My ISA server runs what I would call standalone. It does not need to be logged into my domain controller and does not use the DC's for DNS. I have separate dns servers that it points to.

Should I change things and have it point to the dc's for dns and get authenticated by my network so that it has access to my user logins and groups?

In addition, unlike the article, I do not use DHCP or WINS. All of the computers behind my ISA Server are natted and have static IPs.

Thanks in advance.




spouseele -> RE: How to setup VPN on Isa2004 (23.Aug.2012 3:38:16 PM)

In my opinion ISA/TMG should be a domain member. For more info why, check out http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html .

Is there a particular reason why you want to have the ISA/TMG in a workgroup?

HTH,
Stefaan




jjj0923 -> RE: How to setup VPN on Isa2004 (23.Aug.2012 4:02:23 PM)

quote:

ORIGINAL: spouseele

In my opinion ISA/TMG should be a domain member. For more info why, check out http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html .

Is there a particular reason why you want to have the ISA/TMG in a workgroup?

HTH,
Stefaan


I inherited this setup - no objections personally or professionally




spouseele -> RE: How to setup VPN on Isa2004 (23.Aug.2012 4:58:21 PM)

OK. I have no experience running ISA/TMG in a workgroup, but I think it is possible to use a locally defined Windows user account or group for the VPN user.

Also, instead of a DHCP server you can configure a local IP pool for the VPN users. If I remember correctly, the DNS/WINS servers defined on the ISA internal interface will then be pushed to the VPN client.

However, take note that you are limited to PPTP as the VPN protocol (L2TP/IPsec requires certificates and hence domain membership) and that the authentication protocol is at best MS-CHAPv2, which is considered broken nowadays (http://arstechnica.com/security/2012/07/broken-microsoft-sheme-exposes-traffic/).

In my opinion, you shouldn't go down that path and should instead require mutual certificate authentication, and therefore domain membership for the ISA/TMG server and preferably also for the VPN client.

HTH,
Stefaan




jjj0923 -> RE: How to setup VPN on Isa2004 (29.Aug.2012 9:54:14 AM)

OK - I tried to add my ISA firewall to my domain and it keeps failing.

I keep getting "the remote procedure call failed and did not execute".

Any ideas why?

I pointed the DNS on that internal network card to my domain controllers. I did not change the default gateway on the internal card - it's blank and always has been.

Any ideas to help me?

Short of this, are there any other easy ways to set up a VPN on my network to allow one of my remote users to get access to my network?

This is getting really complex.




spouseele -> RE: How to setup VPN on Isa2004 (30.Aug.2012 1:38:14 PM)

You should have joined the box to the domain before installing ISA server.

Create a temporary rule from Local Host to Internal allowing All TCP Outbound for All Users. Once the box is joined remove that rule.

HTH,
Stefaan




jjj0923 -> RE: How to setup VPN on Isa2004 (30.Aug.2012 3:23:58 PM)

quote:

You should have joined the box to the domain before installing ISA server.

Create a temporary rule from Local Host to Internal allowing All TCP Outbound for All Users. Once the box is joined remove that rule.

HTH,
Stefaan


I tried this and it did not work - same error as before. I even made it the very first rule and monitored the activity for the rule - nothing traced as I tried to join the domain.

Any other ideas?




spouseele -> RE: How to setup VPN on Isa2004 (30.Aug.2012 5:04:26 PM)

Please post the result of an "ipconfig /all" command on the ISA box as well as on a DC.

HTH,
Stefaan




jjj0923 -> RE: How to setup VPN on Isa2004 (31.Aug.2012 7:10:47 AM)

Thanks for the reply.

I finally gave up on this due to the complexity and went with Hamachi instead.

Had Hamachi up and running in 30 minutes and had my remote user online and rocking.
