Designing an ISA Server 2004 VPN Infrastructure

When designing a VPN infrastructure, there are many important aspects to consider. These considerations are driven largely by an organization's current infrastructure and its definitive goals. Analyzing these aspects and making design decisions around them early on allows for a much more secure and robust VPN implementation, enhancing the overall functionality of the network while providing a positive experience for end users.

Although there are almost unlimited network configuration possibilities, the ISA VPN server is generally deployed in one of two ways: as a member server in a domain, or as a stand-alone workgroup server separate from any domain. Each configuration is valid and has its own advantages; each should be evaluated and implemented where appropriate. More about these configurations appears in subsequent sections of this chapter.

Server placement can also affect which VPN protocols are available, or at least influence the decision about which protocols to implement. PPTP supports many different configurations: the ISA Server can have a private IP address behind a NAT firewall, a public IP address connected directly to the Internet, or an address within a section of the internal network designed with routable IP addresses, such as the DMZ. An L2TP/IPSec VPN is best implemented when the ISA Server has a public IP address, either directly connected to the Internet or within a section of the internal network designed with routable IP addresses, because of the NAT-T limitations described in the preceding sections.

Deploying an ISA VPN Server as a Domain Member

There are several advantages when the ISA VPN server is a member of an internal Active Directory domain. These advantages often result in a much lower total cost of ownership and greater simplicity in system management and maintenance. They are as follows:

  • Group Policy Objects: Active Directory group policies can be leveraged to create a highly controlled, standardized, and very secure environment by enforcing security settings and security auditing, helping to eliminate human error and repetitive configuration tasks.

  • Direct Access to Active Directory: As a member server, ISA can authorize existing groups for remote access and authenticate incoming domain users without the need for a RADIUS server and complex remote access policies. Security groups defined in Active Directory can be selected from within the ISA management console, allowing easy-to-use, centralized management of remote access for the entire network.

The process of configuring ISA Server as a member server is straightforward: join the domain, then proceed with the ISA Server installation. For a step-by-step procedure to make the ISA Server a domain member, see the section titled "Changing Domain Membership" in Chapter 2, "Installing ISA Server 2004."

Deploying an ISA VPN Server as a Standalone Server (Workgroup Member)

There are also a number of advantages, described in the following list, when the ISA VPN server is not a member of an internal domain. It is often very important for an organization to place multiple layers of security between the internal network and remotely accessible systems; this can be accomplished by keeping the ISA VPN server as a stand-alone system located in a DMZ.

  • Limiting Internal Domain Boundaries: Many organizations that provide VPN access for remote users, or any other type of Internet-accessible system, consider it an unacceptable risk to extend the internal domain into the DMZ, and as a result have implemented company policies that prevent such a configuration.

  • Restrictive Firewall Rules: When a system in the DMZ is a member of the internal domain, the appropriate ports need to be opened toward the internal network; these include NetBIOS and the often exploited RPC ports required to communicate with internal domain controllers. Internal domain controllers are often considered the most critical systems on the network and should not be reachable from the DMZ.

  • Limited Access to Active Directory: By leveraging Microsoft Internet Authentication Service (IAS), which allows RADIUS authentication against an Active Directory domain, an organization can still use its existing directory infrastructure to control remote access. The IAS service uses the RADIUS protocol to authenticate the VPN users' credentials, obtained by the ISA VPN server, against Active Directory user accounts.



    Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed
    ISBN: 067232718X
    Year: 2005
    Pages: 216
    Authors: Michael Noel