This article was previously published under Q303503
This article describes how to join or access an internal domain from an external client or server by using a virtual private network (VPN). This article describes how to set up the VPN (PPTP) with Internet Security and Acceleration (ISA) Server acting as a firewall (integrated mode) when the external computer is outside the local address table (LAT), while the domain is inside the LAT.
When ISA Server is acting in integrated mode (firewall started), it does not allow domain traffic from internal to external computers or from external to internal computers (such as LDAP, NetBIOS, SMB, and so on), because the required ports are not enabled by default. You can open all required ports, but this solution has some administrative overhead and raises security issues (unneeded ports opened to the external network). For additional information about how to open all required ports, click the article number below to view the article in the Microsoft Knowledge Base:
179442 How to Configure a Firewall for Domains and Trusts
The following scenarios describe alternative solutions to join or access an internal domain by using a VPN connection (PPTP).
Local area network (LAN) (Domain) <-> ISA1 <-> Internet <-> ISA2 <-> remote client or server (that is supposed to join or access the domain)
The following procedure describes how to set up the VPN connection between the first ISA Server computer (ISA1) and the second ISA Server computer (ISA2) (or how to set up the VPN tunnel used for the domain-related traffic):
How to Configure the First ISA Server Computer
On ISA1, right-click Network Configurations, and then click Setup Local ISA VPN Server to start the Local ISA VPN Wizard.
In the wizard, type a name for the local and remote network, and then click Next.
Click Use PPTP, and then click Next.
Click Both the local and the remote can initiate communication.
Type the fully qualified domain name (FQDN) or Internet protocol (IP) address of the remote ISA Server computer in the first box and the domain name of server name in the second box.
Specify the IP range to allow access.
Type the external IP address of the ISA Server computer where the VPN connection will be established over, and then specify the IP addresses of remote clients that are allowed to access over this VPN connection.
Type the file name (for example, VPN_ISA1_ISA2.vpc), and then finish the wizard.
The wizard generates the following four packet filters (Access policies and packet filters):
Allow PPTP protocol packets (client) for VPN connection
Allow PPTP protocol packets (server) for VPN connection
In addition, the wizard starts the Routing and Remote Access service (if it was not already started) and configures one additional routing interface (VPN) with the name that you entered in the wizard, and then adds static routing rules, which are required to initiate the VPN connection over the new VPN routing interface.
How to Configure the Remote ISA Server Computer
To configure ISA2:
On ISA2, right-click Network Configurations, and then click Setup Remote ISA VPN Server to start the Remote ISA VPN Wizard.
Point to the configuration file (for example, VPN_ISA1_ISA2.vpc) that was generated in step eight in the preceding procedure.
NOTE: It is recommended that you copy this file to the hard disk of ISA2 before you start this procedure.
The wizard creates the appropriate packet filters and Routing and Remote Access entries (VPN interface, Static Routing entries) on the remote ISA Server computer as well to ensure remote clients and servers are routed over this VPN connection when they access the domain.
How to Join the Domain from the Client by Using a VPN
Join the domain from the remote client or server.
Resolve DNS names for the domain (LDAP, domain controller, and so on) by forwarding a request to the DNS server which is a member domain. Because ISA2 has a routing entry for the domain by using the VPN routing interface, it establishes the VPN connection to ISA1 and forwards the DNS query to ISA1, which routes the query to the DNS server of the domain.
The DNS server responds to remote client or server by using the VPN connection (ISA1 -> ISA1).
Now all traffic (LDAP, SMB, NetBIOS, DNS, and so on) is routed over the VPN connection and the remote client or server can access the domain, because it is local.
LAN (Domain) <-> ISA1 <-> remote client or server (that is supposed to join or access the domain)
In this scenario you have to configure the ISA Server computer (ISA1) to enable external VPN clients for dialing in by using a VPN. Scenario two is different from scenario one in that you do not have to create a VPN tunnel because you are only one using one ISA Server computer; therefore, there is one border from the external to the internal computer.
On ISA1, right-click Network Configuration, and then click Allow VPN Client Connections to start the Allow VPN Client Connections Wizard.
This wizard creates the following packet filters on the ISA Server computer:
Allow PPTP protocol packets (client)
Allow PPTP protocol packets (server)
Now, ISA1 (the external adapter) is able to accept VPN connections from external clients (outside the LAT, for example, the Internet).
Create a VPN connection to ISA1 (external adapter) on the client (Internet).
NOTE: The following procedure assumes that there is already an existing Internet connection.
Open Network and Dial-Up Connections.
Click Make New Connection, and then click Connect to a private network through the Internet.
Type the name or IP address of the public interface of the ISA Server computer as the destination address.
Make sure that the users that are configured on the ISA Server computer are able to dial in remotely. To make sure that the users can dial in remotely, either use Domain Users to allow these users dial-in permissions when your ISA Server computer is connected to the local domain or use a local user on the ISA Server computer and grant dial-in permissions.
To connect from an external client (Internet) to the domain, follow these steps (it is assumed that the client is already connected to the Internet):
Establish the VPN and make sure you enter a valid account which has dial-in permissions.
Join the domain (for example, support.ms.com) from the remote client or server.
Forward a request to the DNS server that is a member of the domain to resolve DNS names. This traffic is now routed over the VPN connection.
The local DNS server responds to the remote client or server by using ISA Server as the VPN router. All traffic (LDAP, SMB, NetBIOS, DNS, and so on) is routed over the VPN connection and the remote client or server can access the domain as if it is on the intranet relative to the domain.
If the domain controller is on a separate computer, make sure that the domain controller is in the internal domain and the client or server that wants to access the domain are SecureNAT clients (make sure that they have configured the IP address of the internal ISA Server network adapter as the default gateway). This scenario does not work with Firewall/Winsock clients.
Make sure that the client or server that wants to access the domain is able to resolve the DNS names of the internal domain. The best way to do so is to configure the DNS server of the internal domain as the DNS server on the remote client or server.
Make sure that ISA1 is able to provide an IP address to the remote client when the VPN connection is established either by using an IP address provided by the DHCP server of the local domain or by using an IP address from a static address pool. To configure this, click Administrative Tools, click Routing and Remote Access, right-click the server (in this case ISA1), click Properties, and then click the IP tab.
Ensure that all routing entries are correct and both endpoint servers (the domain controller in the local domain and the remote client or server) are able to find each other when a ping command is used when the VPN connection is established.
If you are following scenario two, you must establish the VPN connection before you can access the domain.