Upgrade your Internet Experience

Article ID: 884109 - Last Review: December 5, 2006 - Revision: 2.6

How to enable VPN access for users in a front-end or back-end scenario in ISA Server 2004

View products that this article applies to.

On This Page

Expand all | Collapse all

INTRODUCTION

This article discusses the recommended network design to enable virtual private network (VPN) access for users in a front-end or back-end scenario in Microsoft Internet Security and Acceleration Server (ISA) 2004. You may configure the back-end ISA Server computer to function as the VPN server or you may configure a VPN server on a computer that is located behind the back-end ISA Server computer.

Note We recommend that you use the back-end ISA Server computer as the VPN server. With this configuration, you can use ISA Server policies to control how VPN clients access the internal network based on protocols. Additionally, you can take advantage of the logging features in ISA Server 2004.

For additional information about how to configure logging in ISA Server 2004, click the following article number to view the article in the Microsoft Knowledge Base:
838241  (http://support.microsoft.com/kb/838241/ ) How to configure logging in ISA Server 2004
Back to the top

MORE INFORMATION

If you want to publish a VPN server behind ISA Server computers that are configured as front-end and back-end firewalls, we recommend that you publish the back-end ISA Server computer by using the front-end ISA Server computer. Then, publish the internal VPN server by using the back-end ISA Server computer. In this scenario, you would configure the internal network on the front-end ISA Server computer with the IP range that is used for the perimeter network. Additionally, you would configure the internal network on the back-end ISA Server computer to use the IP range that is used for the local network.
Back to the top

To publish the back-end ISA Server computer by using the front-end ISA Server computer

  1. Start the ISA Server Management tool.
  2. Expand Server_Name, where Server_Name is the name of your ISA Server computer.
  3. Click Firewall Policy, and then click Create New Server Publishing Rule.
  4. Type a name for the new server publishing rule, and then click Next. Use a descriptive name, such as PC1 on PC2.
  5. Type the IP address of the back-end ISA Server computer that you are publishing, such as 192.168.1.1, and then click Next.
  6. In the Selected protocol list, click to select PPTP Server, and then click Next.
  7. Select the network IP addresses that will listen for requests that are intended for the published server. Because you are publishing the server to the Internet, click to select the External check box, and then click Next.

    Note By default, ISA Server 2004 will listen on all external IP addresses for VPN connections. If there is more than one IP address on the external interface of the ISA Server computer, and you want to control which IP address is published for VPN access, click Address to open the External Network Listener IP Selection dialog box. Then, select the specific IP addresses to listen on.
  8. Review the summary on the Completing the New Server Publishing Rule Wizard page, and then click Finish.
  9. In the Firewall Policy pane, click Apply to apply the new server publishing rule.

    Note You can modify the properties of any rule by double-clicking the rule in the Firewall Policy pane to open the rule properties.
Back to the top

To publish the internal VPN server by using the back-end ISA Server computer

  1. Start the ISA Server Management tool.
  2. Expand Server_Name, where Server_Name is the name of your ISA Server computer.
  3. Click Firewall Policy, and then click Create New Server Publishing Rule.
  4. Type a name for the new server publishing rule, and then click Next. Use a descriptive name, such as VPN1 on back.
  5. Type the internal IP address, such as 192.168.2.1, of the back-end ISA Server computer that you are publishing, and then click Next.
  6. In the Selected protocol list, click to select PPTP Server, and then click Next.

    Note This step assumes that you are publishing a VPN server by using the Point-to-Point Tunneling Protocol (PPTP). If you are using the Layer 2 Tunneling Protocol (L2TP), visit the following Microsoft Web site for additional information:
    http://technet.microsoft.com/en-us/library/cc713323.aspx (http://technet.microsoft.com/en-us/library/cc713323.aspx)
  7. Select the network IP addresses that will listen for requests that are intended for the published server. Because the back-end ISA Server computer is the computer that listens for requests, click to select the External check box.
  8. Because you want the back-end ISA Server computer to listen for requests that come from the front-end ISA Server computer, click Address.
  9. In the Listen for requests on area, click Specified IP addresses on the ISA Server computer in the selected network.
  10. In the Available IP Addresses area, click the IP Address of the front-end ISA Server, such as 192.168.1.1, click Add, and then click OK.
  11. Click Next.
  12. Review the summary on the Completing the New Server Publishing Rule Wizard page, and then click Finish.
  13. In the Firewall Policy pane, click Apply to apply the new server publishing rule.
Note The procedures that are listed in this section may be used for other traffic. For example, you can use the same process to enable incoming SMTP traffic to your internal mail server.

We recommend that you add the back-end ISA Server computer to the maximum connection limit exception list on the front-end ISA Server computer. For additional information about connection limits, see the ISA Server Help documentation, or click the following article number to view the article in the Microsoft Knowledge Base:

838706  (http://support.microsoft.com/kb/838706/ ) Cannot connect to a service from a particular client computer in ISA Server 2004

The following information is an example of a network configuration for the front-end ISA Server computer and for the back-end ISA Server computer:

Front-end computer

Internal network adaptor:
IP address - 192.168.1.1
Perimeter network - 192.168.0.1- 192.168.0.255
Internal network - 192.168.1.1-192.168.1.255
Default gateway - 192.168.1.1

External network adaptor:
IP address - public interface

Back-end computer

Internal network adaptor:
IP address - 192.168.2.1
Internal network - 192.168.2.1-192.168.2.255
Default gateway - 192.168.2.1

External network adaptor:
IP address - 192.168.1.2
Default gateway - 192.168.1.1

Examine the following network diagram.
Collapse this imageExpand this image
Public/EN-US/ISA/884109.gif


This diagram shows an example configuration for ISA Server computers. If the diagram is not displayed correctly, click the following article number to view the article in the Microsoft Knowledge Base:

283807  (http://support.microsoft.com/kb/283807/ ) Pictures are not displayed on Web sites in Internet Explorer 
Back to the top
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition
Back to the top
Keywords: 
                            
kbisa2006swept kbgraphxlink kbfirewall kbtshoot kbinfo KB884109
Back to the top
 
Get Help Now
Contact a support professional by E-mail, Online, or Phone
Article Translations