When designing a VPN infrastructure, there are many important aspects to consider. These considerations depend largely on an organization's current infrastructure and its defined goals. Analyzing these aspects and making design decisions around them early on allows for a much more secure and robust VPN implementation, enhancing the overall functionality of the network while providing a positive experience for end users.
Although there are almost unlimited network configuration possibilities, the ISA VPN server is generally involved in two types of scenarios: It is either a member server in a domain or a stand-alone workgroup server separate from a domain. Each configuration is valid and has different advantages; each type of configuration should be evaluated and implemented when appropriate. More about these configurations appears in subsequent sections of this chapter.
Server placement can also affect which VPN protocols are available, or at least influence the decision on which protocols to implement. PPTP supports many different configurations: the ISA server can have a private IP address behind a NAT firewall, a public IP address connected directly to the Internet, or an address within a section of the internal network designed with routable IP addresses, such as the DMZ. An L2TP/IPSec VPN is best implemented when the ISA server has a public IP address, either directly connected to the Internet or within a section of the internal network designed with routable IP addresses, because of the NAT-T limitations described in the preceding sections.
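The placement rule above can be turned into a simple pre-deployment check. The following script is an added example, not code from the book or from ISA Server; it assumes that an RFC 1918 address on the ISA server's external interface means the server sits behind NAT, and it applies the chapter's guidance (PPTP works in either placement, L2TP/IPSec is recommended only with a routable address). The interface addresses in the sample run are constructed.

```python
import ipaddress

# RFC 1918 private ranges. An external ISA interface carrying one of these
# addresses is reachable from the Internet only through a NAT device.
RFC1918_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(addr: str) -> bool:
    """Return True if addr is an IPv4 address inside an RFC 1918 range.

    Raises ValueError for non-IPv4 or unparsable input so a typo in a planning
    sheet is caught rather than silently classified as 'routable'.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError(f"IPv4 address expected, got {addr!r}")
    return any(ip in net for net in RFC1918_NETWORKS)


def recommend_protocols(external_addr: str) -> dict:
    """Classify the ISA server's external address and apply the placement rule.

    behind_nat   -> private address: PPTP is supported, L2TP/IPSec is not
                    recommended because of the NAT-T limitation.
    routable     -> public/DMZ-routable address: both protocols are supported.
    """
    behind_nat = is_rfc1918(external_addr)
    return {
        "address": external_addr,
        "placement": "private, behind NAT" if behind_nat else "public or routable DMZ",
        "behind_nat": behind_nat,
        "pptp": "supported",
        "l2tp_ipsec": "not recommended (NAT-T limitation)" if behind_nat else "supported",
    }


def plan(addresses) -> list:
    """Produce one recommendation per candidate external address."""
    return [recommend_protocols(a) for a in addresses]


if __name__ == "__main__":
    # Constructed sample: one server behind a NAT firewall, one in a routable DMZ.
    for rec in plan(["10.0.0.5", "198.51.100.7"]):
        print(f"{rec['address']:<16} {rec['placement']:<24} "
              f"PPTP: {rec['pptp']:<10} L2TP/IPSec: {rec['l2tp_ipsec']}")
```

Run it against the addresses you intend to assign to the external interface; any line reporting "not recommended" flags a placement where the chapter's guidance says to plan on PPTP, or to move the server to a routable address, before committing to L2TP/IPSec.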
Deploying an ISA VPN Server as a Domain Member
There are several advantages when the ISA VPN server is a member of an internal Active Directory domain. These advantages often result in a much lower total cost of ownership and greater simplicity in system management and maintenance, and are defined as follows:
The process of configuring ISA Server as a member server is straightforward: join the domain, then proceed with the ISA Server installation. For a step-by-step procedure to make the ISA server a domain member, see the section titled "Changing Domain Membership" in Chapter 2, "Installing ISA Server 2004."
Deploying an ISA VPN Server as a Standalone Server (Workgroup Member)
There are also a number of advantages, as described in the following list, when the ISA VPN server is not a member of an internal domain. It is often very important for an organization to place multiple secure layers between the internal network and remotely accessible systems; this can be accomplished by keeping the ISA VPN server as a stand-alone system located in a DMZ.