Because ISA Server 2004 is first and foremost a security server, many pieces of ISA functionality are disabled by default. This is true for VPN functionality as well. All VPN options, including site-to-site VPN capabilities, must be explicitly enabled before VPN connections can be made. In short, enabling site-to-site VPN access between two sites involves the following high-level steps:
Each of these steps is explained further in the following sections of this chapter.
Enabling VPN Client Access
Even though the VPN access that will be set up is for site-to-site VPNs, the server must have VPN client access enabled first. The ISA server views the VPN connection from the remote server as a VPN client itself. The following procedure must be followed on both servers:
Creating VPN User Accounts on Both Servers
After VPN client access has been enabled, local user accounts must be created on each of the VPN servers. These user accounts will be used by the remote ISA server to authenticate the VPN connection and to gain dial-in access rights. To create this user account, do the following:
After an account is created, the user must then be granted the proper dial-in access rights. If this step isn't taken, the site-to-site VPN connection creation fails. To enable this, do the following:
Defining Address Assignments
When connecting to the remote network, an ISA server needs to be given an IP address in that network, similar to how a standard VPN client would connect to that server. Usually a local DHCP server is available to provide addresses. If a local DHCP server is not available, a static pool of IP addresses can be used.
If a static pool of addresses is to be used for the VPN connection, they must first be excluded from the local site definition. If they are not, ISA complains that the static addresses fall within the range of an existing network.
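The overlap rule described above can be checked before touching the ISA console. The following is an added example, not code from the book or from ISA Server: it models a network the way ISA 2004 does (as inclusive first-to-last address ranges rather than CIDR blocks), reports whether a proposed static VPN pool falls inside the Internal network definition, and computes the ranges left once the pool is carved out. The network ranges and pool below are constructed sample values.

```python
import ipaddress

Addr = ipaddress.IPv4Address


def to_range(first, last):
    """Build an inclusive (first, last) address range, as ISA defines networks."""
    a, b = Addr(first), Addr(last)
    if a > b:
        raise ValueError(f"range start {a} is after end {b}")
    return (a, b)


def find_overlaps(pool, network_ranges):
    """Return every network range that shares at least one address with the pool.

    A non-empty result is the condition under which ISA refuses the static
    pool ("falls within the range of an existing network").
    """
    p_first, p_last = pool
    return [r for r in network_ranges if r[0] <= p_last and p_first <= r[1]]


def exclude_pool(network_ranges, pool):
    """Return the network ranges with the static pool removed.

    A range that straddles the pool is split into the part below the pool
    and the part above it; ranges that do not touch the pool are kept as is.
    """
    p_first, p_last = pool
    result = []
    for first, last in network_ranges:
        if last < p_first or first > p_last:
            result.append((first, last))  # no overlap, keep unchanged
            continue
        if first < p_first:
            result.append((first, p_first - 1))  # addresses below the pool
        if last > p_last:
            result.append((p_last + 1, last))  # addresses above the pool
    return result


# Constructed sample Internal network definition and proposed static pool.
INTERNAL_RANGES = [to_range("192.168.1.0", "192.168.1.255"),
                   to_range("10.0.0.0", "10.0.0.255")]
STATIC_POOL = to_range("192.168.1.200", "192.168.1.220")

if __name__ == "__main__":
    for first, last in find_overlaps(STATIC_POOL, INTERNAL_RANGES):
        print(f"pool overlaps Internal range {first}-{last}")
    for first, last in exclude_pool(INTERNAL_RANGES, STATIC_POOL):
        print(f"keep Internal range {first}-{last}")
```

The printed "keep" ranges are the ones to enter as the Internal network's address ranges before assigning the pool to VPN clients.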
In this scenario, because the DHCP service is running in both the Toronto and San Francisco networks, DHCP is used to assign IP addresses to the site-to-site VPN connections via the following procedure:
Selecting the Correct VPN Interface
In most site-to-site VPN scenarios the ISA server has two NICs: an internal NIC and an external NIC. In that case the VPN is established on the external NIC.
This may not always be true, for example if the ISA server has more than two NICs or is part of a hub-and-spoke VPN topology. To configure on which interface the ISA server can establish VPN communication, perform the following steps:
Choosing Between Authentication Mechanisms
After the initial preparation steps have been taken, a decision must be made about which protocol will be used to set up the site-to-site VPN tunnel. To recap, this involves choosing between the following options:
The subsequent sections of this chapter cover setting up each type of protocol access.