Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario

Mar 28, 2015

Page 1: Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario.

Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario

Page 2

Overview

Implementing a Site-to-Site VPN Scenario

Lab: Implementing a Site-to-Site VPN Scenario

Page 3

Lesson: Implementing a Site-to-Site VPN Scenario

Issues in Deploying Site-to-Site VPNs

Guidelines for Implementing Distributed Configuration Storage Servers

Guidelines for Implementing Network Load Balancing for VPN

Guidelines for Configuring ISA Server Clients

Guidelines for Configuring Access Rules for Site-to-Site VPNs

Page 4

Issues in Deploying Site-to-Site VPNs

Common site-to-site VPN deployment issues include:

Choosing a tunneling protocol

Configuring the remote site VPN gateway server

Configuring network rules and firewall access rules

ISA Server Enterprise Edition site-to-site deployment issues include:

Creating a preliminary connection to install the remote Configuration Storage server

Configuring Configuration Storage server replication between locations

Implementing NLB for the site-to-site VPN

Configuring firewall and Web proxy caching

Page 5

Guidelines for Implementing Distributed Configuration Storage Servers

To deploy the branch-office Configuration Storage server, use one of the following:

Use a third-party VPN solution

Use Routing and Remote Access Service

Use a server publishing rule

Use a temporary ISA Server enterprise

Use an ISA Server backup file

To manage Configuration Storage server replication between office locations, use the ADAMSites tool to create ADAM sites and configure replication between sites

Page 6

Guidelines for Implementing Network Load Balancing for VPN

When you enable NLB for site-to-site VPNs:

The connection owner for the VPN connection is automatically assigned, with failover in the event of a server failure

You must assign static IP addresses for VPN clients on each member of a multiple-server array

You must configure the virtual IP address of the remote array as the VPN tunnel endpoint, and add all the dedicated IP addresses of the array members to the remote site network properties

Page 7

Guidelines for Configuring ISA Server Clients

When using ISA Server Enterprise Edition, Web Proxy and Firewall clients must connect to the array DNS name:

The DNS name is assigned when the array is configured, but can be modified

The client must be able to resolve the array DNS name using DNS

Configure a DNS host record using the array DNS name and each array member's dedicated IP address if NLB is not enabled, or the shared IP address if NLB is enabled

When configuring Web Proxy or Firewall client chaining, configure the downstream array to use the DNS name of the upstream array
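The rules on pages 6 and 7 (shared IP as tunnel endpoint and as the array DNS target when NLB is on, one host record per member's dedicated IP when it is off, every member's dedicated IP added to the remote site network) are small enough to encode and check. The following script is an added example, not part of the course material or of ISA Server. It takes the lab addresses from the diagram on page 9, assumes 192.168.1.0/24 is the main-office internal network and 172.16.1.0/24 the network facing the branch, and uses constructed array DNS names and a constructed resolver answer.

```python
"""Derive the DNS host records and remote-site VPN settings for an ISA Server 2004
Enterprise Edition array, and check a resolver's answer against them.
Added example; not from the course material. Array DNS names are constructed."""
import socket
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable, Dict, List, Optional


@dataclass
class ArrayMember:
    name: str
    dedicated_ip: IPv4Address      # the member's own address on this network


@dataclass
class IsaArray:
    dns_name: str                  # the array DNS name clients and downstream arrays use
    members: List[ArrayMember]
    nlb_vip: Optional[IPv4Address] = None   # shared (virtual) IP when NLB is enabled

    @property
    def nlb_enabled(self) -> bool:
        return self.nlb_vip is not None


def expected_dns_addresses(array: IsaArray) -> List[IPv4Address]:
    """Slide rule: with NLB the name points at the shared IP only; without NLB it
    needs one host record per member, using each member's dedicated IP."""
    if array.nlb_enabled:
        return [array.nlb_vip]
    return [m.dedicated_ip for m in array.members]


def dns_host_records(array: IsaArray) -> List[str]:
    """The A records to create on the DNS server, as 'name A address' lines."""
    return [f"{array.dns_name} A {ip}" for ip in expected_dns_addresses(array)]


def remote_site_network(array: IsaArray) -> Dict[str, object]:
    """What the peer site's remote site network needs for this array as its VPN
    gateway: the array VIP as tunnel endpoint plus every member's dedicated IP."""
    if not array.nlb_enabled:
        raise ValueError(f"{array.dns_name}: NLB is not enabled, so there is no shared IP to use as the tunnel endpoint")
    return {
        "tunnel_endpoint": array.nlb_vip,
        "member_addresses": sorted(m.dedicated_ip for m in array.members),
    }


def check_array_dns(array: IsaArray, resolve: Callable[[str], List[str]]) -> List[str]:
    """Compare the resolver's answer with the expected set; an empty list means consistent.
    Stale records matter: a client handed a member's dedicated IP after NLB is enabled
    bypasses the shared address, and a record for a removed member sends clients nowhere."""
    expected = {str(ip) for ip in expected_dns_addresses(array)}
    actual = set(resolve(array.dns_name))
    findings = []
    for ip in sorted(expected - actual):
        findings.append(f"missing: {array.dns_name} should resolve to {ip}")
    for ip in sorted(actual - expected):
        findings.append(f"stale: {array.dns_name} resolves to {ip}, not a current array address")
    return findings


def live_resolver(name: str) -> List[str]:
    """Resolver backed by the local DNS client (use this on a real network)."""
    return socket.gethostbyname_ex(name)[2]


# Lab addresses from the module's diagram; the internal/external role of each
# subnet and the array DNS names are assumptions made for this example.
MAIN_INTERNAL = IsaArray(
    "main-array.contoso.example",                      # constructed name
    [ArrayMember("Den-ISAEE-01", IPv4Address("192.168.1.1")),
     ArrayMember("Den-ISAEE-02", IPv4Address("192.168.1.2"))],
    nlb_vip=IPv4Address("192.168.1.3"),
)
MAIN_EXTERNAL = IsaArray(
    "main-array-ext.contoso.example",                  # constructed name
    [ArrayMember("Den-ISAEE-01", IPv4Address("172.16.1.1")),
     ArrayMember("Den-ISAEE-02", IPv4Address("172.16.1.2"))],
    nlb_vip=IPv4Address("172.16.1.3"),
)


def fake_resolver(name: str) -> List[str]:
    """Constructed DNS answer: the shared IP plus one stale per-member record
    left over from before NLB was enabled."""
    answers = {"main-array.contoso.example": ["192.168.1.3", "192.168.1.1"]}
    return answers.get(name, [])


if __name__ == "__main__":
    for line in dns_host_records(MAIN_INTERNAL):
        print("create:", line)
    print("branch side:", remote_site_network(MAIN_EXTERNAL))
    for finding in check_array_dns(MAIN_INTERNAL, fake_resolver):
        print(finding)
```

Run it with `live_resolver` in place of `fake_resolver` on a machine that uses the internal DNS server and the findings list tells you whether the array name still carries a record for a member that was removed, or a per-member record that should have been retired when NLB was switched on.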

Page 8

Guidelines for Configuring Access Rules for Site-to-Site VPNs

When configuring access rules for site-to-site VPNs, allow only required network traffic:

Create computer sets to define the specific computers that need access, rather than using the entire network

Configure access rules to allow only required protocols

Use Web and server publishing rules

Restrict access based on user sets

When deploying main site domain members or members of a trusted domain in the remote site, you must enable the required protocols between the domain controllers, or between the domain members and domain controllers
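The four guidelines on this page can be applied as an audit of an existing rule set before the VPN goes live. The script below is an added example, not part of the course or of the ISA Server object model: it represents access rules as plain dataclasses and flags each guideline an allow rule breaks. "All Outbound Traffic" and "All Users" are ISA's predefined protocol and user set; the rule names, computer sets and the "Branch Office" network in the sample policy are constructed, and only the host name Den-Web-01 comes from the lab diagram.

```python
"""Audit ISA Server 2004 access rules that govern site-to-site VPN traffic against
the least-privilege guidelines on this slide. Added example; not from the course.
Rules are modelled as plain dataclasses, not as the ISA COM object model."""
from dataclasses import dataclass, field
from typing import List

ALL_OUTBOUND_TRAFFIC = "All Outbound Traffic"   # ISA's predefined protocol covering everything
ALL_USERS = "All Users"                         # ISA's default user set: no user restriction
WEB_PROTOCOLS = {"HTTP", "HTTPS"}


@dataclass
class RuleElement:
    name: str
    kind: str   # "network", "network_set", "computer_set", "computer", "address_range"


@dataclass
class AccessRule:
    name: str
    action: str                       # "allow" or "deny"
    sources: List[RuleElement]
    destinations: List[RuleElement]
    protocols: List[str]
    users: List[str] = field(default_factory=lambda: [ALL_USERS])


def audit_rule(rule: AccessRule) -> List[str]:
    """Return one finding per guideline the rule violates; deny rules are not audited."""
    if rule.action != "allow":
        return []
    findings = []
    # Guideline 1: name the specific computers, not the whole network
    for side, elements in (("source", rule.sources), ("destination", rule.destinations)):
        for el in elements:
            if el.kind in ("network", "network_set"):
                findings.append(f"{rule.name}: {side} '{el.name}' is an entire network; use a computer set")
    # Guideline 2: only the required protocols
    if ALL_OUTBOUND_TRAFFIC in rule.protocols:
        findings.append(f"{rule.name}: allows '{ALL_OUTBOUND_TRAFFIC}'; list only the protocols that are needed")
    # Guideline 3: web access to one server is a candidate for a Web publishing rule
    if rule.protocols and set(rule.protocols) <= WEB_PROTOCOLS \
            and all(d.kind == "computer" for d in rule.destinations):
        findings.append(f"{rule.name}: web access to a single server; consider a Web publishing rule")
    # Guideline 4: restrict by user set
    if ALL_USERS in rule.users:
        findings.append(f"{rule.name}: applies to '{ALL_USERS}'; restrict it to a user set")
    return findings


def audit_policy(rules: List[AccessRule]) -> List[str]:
    """Findings for every rule in policy order."""
    return [f for rule in rules for f in audit_rule(rule)]


# Constructed sample policy; Den-Web-01 is the web server from the lab diagram.
SAMPLE_RULES = [
    AccessRule("Branch to Internal", "allow",
               [RuleElement("Branch Office", "network")],
               [RuleElement("Internal", "network")],
               [ALL_OUTBOUND_TRAFFIC]),
    AccessRule("Branch clients to Den-Web-01", "allow",
               [RuleElement("Branch Clients", "computer_set")],
               [RuleElement("Den-Web-01", "computer")],
               ["HTTP"], ["Branch Users"]),
    AccessRule("Block everything else", "deny",
               [RuleElement("Branch Office", "network")],
               [RuleElement("Internal", "network")],
               [ALL_OUTBOUND_TRAFFIC]),
]

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_RULES):
        print(finding)
```

The first sample rule is the kind of "just make the branch work" rule that tends to survive into production; it trips all four checks. The second rule passes the computer-set, protocol and user-set checks and only gets the publishing-rule suggestion.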

Page 9

Lab 13: Implementing a Site-to-Site VPN Scenario

Exercise 1: Enabling NLB and CARP for the Main\Front-End Array

Exercise 2: Configuring the Main Office Array for a Site-to-Site VPN

Exercise 3: Deploying an ISA Server Remote Site

Exercise 4: Configure the Branch Office Array for a Site-to-Site VPN

Lab network diagram (recovered from the slide; the lab computers run on Host1 and Host2, and each computer is listed with its IP addresses):

Den-DC-01: 192.168.1.10

Den-CSS-01: 192.168.1.20

Den-ISAEE-01: 192.168.1.1, 192.168.0.1, 172.16.1.1

Den-ISAEE-02: 192.168.1.2, 192.168.0.2, 172.16.1.2

Shared IP (Den-ISAEE array): 192.168.1.3

Shared IP (Den-ISAEE array): 172.16.1.3

Den-Web-01: 172.16.1.10, 172.16.1.11

RO-ISAEE-01: 172.16.1.110, 192.168.2.1

Den-Clt-01: 192.168.2.10

Page 10

Course Evaluation