ISA Server 2004's site-to-site VPN capabililties are powerful, and give network and security architects a great deal more flexibility in designing an organization's network. To fully understand what is possible with ISA, it is important to understand what type of deployment scenarios ISA supports.
Extending the Network Without WAN Links or Unnecessary Complexity
The traditional method of extending a network to a remote location was to order a secured, dedicated wide area network (WAN) link from one of the Telecom providers. These links were always available, dedicated to the company itself, and relatively expensive.
With the rise of the Internet, organizations found that they could purchase and maintain much bigger "pipes" of bandwidth to the Internet from their remote locations, and transmit data between their various network locations over the Internet. The big downside to this was that the traffic was subject to snooping by unauthorized personnel; the Internet itself was untrusted from the organization's perspective.
This was one of the factors that led to the development and rise of Virtual Private Networks (VPNs), a concept which enables the traffic sent between disparate networks to be encrypted and then tunneled across the untrusted networks. If the data packets are intercepted, the intercepter is not able to decipher the contents of the message itself. On the other end, however, the traffic is decrypted and accepted by the remote host, as shown in Figure 10.1.
Figure 10.1. Understanding VPN concepts.
Controlling and Filtering Traffic Across WAN Segments
One of the additional advantages to deploying ISA Server 2004 site-to-site VPNs is the capability to create specific rules to govern traffic sent between VPN networks. ISA Server 2004 sees the remote sites as individual network elements, which are then subject to inspection and Application-layer filtering. This is in contrast to ISA 2000 functionality, which did not scan site-to-site VPN traffic at the Application layer.
Understanding Site-to-Site VPN Capabilities and Options
ISA Server 2004 site-to-site VPNs are versatile in that they allow for multiple authentication methods and encryption protocol support. For example, the following protocols are supported for encryption of the site-to-site VPN traffic:
Understanding RADIUS Authentication Options for Site-to-Site VPN Connections
In addition to supporting Windows-based authentication for VPN connections, ISA Server 2004 supports authentication against a remote authentication dial-in user service (RADIUS) authentication infrastructure. This can be useful for environments that have an existing RADIUS environment deployed and that want to take advantage of that environment for authentication of the site-to-site VPN connections.
Outlining a Site-to-Site VPN Scenario
For the exercises in this chapter, a site-to-site VPN connection is made between two ISA Servers, one in the San Francisco location and the other in the Toronto location, as illustrated in Figure 10.2.
Figure 10.2. Examining the site-to-site VPN scenario illustrated in this chapter.
Although the actual network design may be different, the concept is the same. After it is established, a site-to-site VPN connection enables clients in the local network to access resources in the remote network as if they were local.
The IPSec tunnel mode scenario is the only one that differs slightly from this model: The remote firewall server is not an ISA server, but a third-party VPN box.