Enforcing Firewall Policy on VPN Clients: Secure Exchange RPC Publishing for VPN Clients


First Draft: February 2004

For the latest information, please see http://www.microsoft.com/isaserver/

Contents


Introduction. 1

Install DHCP Server on Internal Network and Configure a DHCP. 2

Install the DHCP Server 2

Create the DHCP scope. 2

Create User Account 5

Create Exchange Users Group and Add account to the Exchange Users Group. 6

Enable VPN Clients. 7

Configure VPN Client Access. 8

Configure General Virtual Private Networks (VPN) Properties. 11

Create Computer Network Object for the DNS Server. 13

Create Exchange RPC Server Publishing Rule. 15

Create the DNS Access Policy. 19

Make the VPN Connection and Monitor the VPN Client’s Exchange Connection. 20

Step 8: Make the Connection. 27

Back Up the Access Policies. 28

Back Up the Firewall Configuration. 29

Conclusion. 30


Introduction


·         Install DHCP Server on Internal Network

·         Create User Account

·         Create Exchange Users Group and Add account to the Exchange Users Group

·         Enable VPN Clients

·         Configure VPN Client Access

·         Configure Virtual Private Networks (VPN) Properties

·         Create Exchange Users Firewall Group

·         Create Computer Network Objects for DNS and Exchange Server

·         Create Exchange RPC Server Publishing Rule

·         Create DNS and All RPC Interface Rule

·         Create Deny Rule for All Protocols for Internet Network except DNS Server and Exchange Server and move to top

·         Restart the ISA Server 2004 Firewall Computer

·         Make the VPN Connection and Monitor the VPN client

·         Back Up the Access Policies

·         Back Up the Firewall Configuration


Install DHCP Server on Internal Network and Configure a DHCP

There are several ways to assign IP addressing information to VPN clients and gateways. The easiest way to do this with ISA Server 2004 is to use a DHCP server on the Internal network located behind the ISA Server 2004 firewall. When the ISA Server 2004 firewall obtains a block of IP addresses from the DHCP server, it automatically places these addresses in the VPN Clients network. You can then use this network to configure access policies that control which resources the VPN clients and gateways can access on the corporate network.

In the current example, we will install a DHCP server on the Internal network and configure the DHCP server with a scope of IP addresses to assign to the VPN clients. We will not create custom DHCP scope options. If you want to deliver custom scope options to the DHCP clients, then you must install and configure the DHCP Relay Agent on the ISA Server 2004 firewall machine.

DHCP server configuration varies with the operating system on which you install the DHCP Server service. In the following example we will install the DHCP Server service on a Windows Server 2003 machine that is also acting as the domain controller.

Install the DHCP Server

Perform the following steps on the domain controller computer to install the DHCP server service:

1.       Click Start, point to All Programs and point to Control Panel. Click on Add or Remove Programs.

2.       In the Add or Remove Programs window, click on the Add/Remove Windows Components button.

3.       In the Windows Components dialog box, click on the Networking Services entry in the Components list, then click the Details button.

4.       In the Networking Services dialog box, put a checkmark in the Dynamic Host Configuration Protocol (DHCP) checkbox and click OK.

5.       Click Next in the Windows Components dialog box.

6.       Click Finish on the Completing the Windows Components Wizard page.

7.       Close the Add or Remove Programs window.

Now that the DHCP Server service is installed on the domain controller for the domain, the next step is to create a DHCP scope.

Create the DHCP scope

A DHCP scope is a collection of IP addresses that the DHCP server can use to assign to DHCP clients on the network. In addition, a DHCP scope can include additional TCP/IP settings, which are referred to as DHCP options. DHCP options can assign various TCP/IP settings such as a DNS server address, WINS server address, and primary domain name to DHCP clients. In this example we will configure DHCP options so that the lab is configured to support them in the future, but we will not assign DHCP options to the VPN clients in this document.

Perform the following steps on the DHCP server to enable the DHCP server and create the DHCP scope:

1.       Click Start and then point to Administrative Tools. Click DHCP.

2.       In the DHCP console, right click on your server name in the left pane of the console. Click on the Authorize command.

3.       Click the Refresh button in the button bar of the console. You will notice that the icon to the left of the server name changes from having a red, down pointing arrow to having a green, up pointing arrow.

4.       Right click the server name in the left pane of the console again and click the New Scope command.

5.       Click Next on the Welcome to the New Scope Wizard page.

6.       Enter a name for the scope on the Scope Name page. This name is descriptive only and does not affect the functionality of the scope. You can also enter a Description in the description box if you wish. Click Next.

7.       You enter a range of IP addresses that can be assigned to DHCP clients on the IP Address Range page. Enter the first address in the range into the Start IP address range text box and the last IP address in the range in the End IP address text box. Enter the subnet mask for your IP address range in the Subnet mask text box.

In our current example, the internal network is on network ID 10.0.0.0/24. We do not want to assign all the IP addresses on the network ID to the DHCP scope, just a selection of them. So in this example we will enter 10.0.0.100 as the Start IP address and 10.0.0.150 as the End IP address and use a 24-bit subnet mask.

Note that on production networks it is often better to assign the entire network ID to the IP address range used in the scope. You can then create exceptions for hosts on the network that have a statically assigned IP address that is contained in the scope. This allows you to centrally manage IP address assignment and configuration using DHCP. Click Next.

8.       Do not enter any exclusions in the Add Exclusions dialog box. Click Next.

9.       Accept the default settings on the Lease Duration page and click Next.

10.   On the Configure DHCP Options page, select the Yes, I want to configure these options now option and click Next.

11.   Do not enter anything on the Router (Default Gateway) page. If we were to use SecureNAT clients on the network, we would enter the IP address of the internal interface of the ISA Server 2004 firewall on this page. However, in the current scenario we want to explicitly test only the Web Proxy and Firewall client configurations. Click Next.

12.   On the Domain Name and DNS Servers page you enter the primary domain name you want to assign to DHCP clients and the DNS server address you want the DHCP clients to use. The primary domain name is a critical setting for your Firewall and Web Proxy clients. The reason for this is that in order for autodiscovery to work correctly for Firewall and Web Proxy clients, these clients must be able to correctly fully qualify the unqualified name wpad. In this example, we will enter msfirewall.org in the Parent domain text box. This will assign the DHCP clients the primary domain name msfirewall.org, which will be appended to unqualified names. Enter the IP address of the DNS server in the IP address text box. In this example the IP address of the DNS server is 10.0.0.2. Click Add after entering the IP address. Click Next.

13.   Do not enter a WINS server address on the WINS Servers page. In this example we will not use a WINS server. However, WINS servers are very useful in VPN server environments where you wish your VPN clients to be able to browse the campus network using the My Network Places or Network Neighborhood application. Click Next.

14.   On the Activate Scope page, select the Yes, I want to activate this scope now option and click Next.

15.   Click Finish on the Completing the New Scope Wizard page.

16.   In the right pane of the DHCP console you will see the two DHCP options you created in the Wizard.
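The scope-creation procedure above, scripted as an added example that is not part of the original document. It assumes the DhcpServer PowerShell module (Windows Server 2012 or later; the Windows Server 2003 host in the walkthrough has no such module) and uses the lab values from the text; the capacity function at the end implements the later caution that the scope must hold every VPN client plus one address for the firewall's virtual interface.

```powershell
# Added example, not from the original document. Assumes the DhcpServer module
# (Windows Server 2012 or later). Values are the document's lab values; adjust as needed.
Import-Module DhcpServer

$scopeName     = 'VPN Clients'
$scopeId       = '10.0.0.0'        # network ID 10.0.0.0/24
$subnetMask    = '255.255.255.0'   # 24-bit mask
$startRange    = '10.0.0.100'
$endRange      = '10.0.0.150'
$dnsServer     = '10.0.0.2'
$parentDomain  = 'msfirewall.org'  # appended to unqualified names such as wpad
$maxVpnClients = 5                 # ISA Server 2004 default in the VPN client properties

# 1. Authorize this server in Active Directory (the Authorize command in the DHCP console).
#    The DHCP service refuses to hand out leases on a domain network until this is done.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if (-not (Get-DhcpServerInDC | Where-Object DnsName -eq $fqdn)) {
    Add-DhcpServerInDC -DnsName $fqdn
}

# 2. Create and activate the scope ("Yes, I want to activate this scope now").
Add-DhcpServerv4Scope -Name $scopeName -StartRange $startRange -EndRange $endRange `
    -SubnetMask $subnetMask -State Active

# 3. Scope options: 006 DNS Servers and 015 DNS Domain Name only.
#    Option 003 (Router) is deliberately left unset, as in the walkthrough, and no
#    WINS server (option 044) is configured.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -DnsServer $dnsServer -DnsDomain $parentDomain

# 4. Capacity check: every VPN client needs an address, plus one for the
#    ISA Server 2004 firewall's own virtual interface.
function Test-VpnScopeCapacity {
    param([string]$ScopeId, [int]$MaxClients)
    $stats  = Get-DhcpServerv4ScopeStatistics -ScopeId $ScopeId
    $needed = $MaxClients + 1
    if ($stats.Free -lt $needed) {
        Write-Warning "Scope $ScopeId has $($stats.Free) free addresses; $needed are required."
        return $false
    }
    return $true
}

# Show what the console would display in the right pane, then run the capacity check.
Get-DhcpServerv4Scope -ScopeId $scopeId | Format-List ScopeId, Name, StartRange, EndRange, State
Get-DhcpServerv4OptionValue -ScopeId $scopeId | Format-Table OptionId, Name, Value
Test-VpnScopeCapacity -ScopeId $scopeId -MaxClients $maxVpnClients
```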

Create User Account

The next step is to configure a user account that we can place in the Exchange Users group that we will create later. In this example the ISA Server 2004 firewall is not a member of the internal network domain. For this reason, we will create the user account in the local SAM database of the ISA Server 2004 firewall computer. In a production environment you would either join the ISA Server 2004 firewall to the user domain or, preferably, use RADIUS authentication so that the ISA Server 2004 firewall does not need to be a member of the domain but can still authenticate users against the Internal network Active Directory domain.

Perform the following steps to create the user account on the ISA Server 2004 firewall computer:

1.       Right click on the My Computer icon on the desktop and click Manage.

2.       In the Computer Management console, expand the System Tools node and then expand the Local Users and Groups node.

3.       Right click the Users node and click New User.

4.       In the New User dialog box, enter the name of the user in the User name text box. In this example the user name is User1. Enter a password and confirm the password in the Password and Confirm Password text boxes. Remove the checkmark from the User must change password at next logon checkbox and select the User cannot change password and Password never expires options. Click Create, then click Close.

5.       Double click the User1 account. Click on the Dial-in tab. Notice that the option Control access through Remote Access Policy is selected by default. We want to leave this option as it is so that we can control access via ISA Server 2004 Remote Access Policy. Click Cancel in the User1 Properties dialog box.

6.       Close the Computer Management console.

Create Exchange Users Group and Add account to the Exchange Users Group

The next step is to create a Group in the ISA Server 2004 local SAM named Exchange Users. We will add the User1 account to this group and then later create an ISA Server 2004 firewall group from this local computer group.

Perform the following steps to create the local computer group:

1.       Right click the My Computer icon on the desktop and click Manage.

2.       In the Computer Management console, expand the System Tools node and then expand the Local Users and Groups node. Right click on the Groups node and click New Group.

3.       In the New Group dialog box, enter the name Exchange Users in the Group name text box. Click the Add button.

4.       In the Select Users dialog box, enter the user name User1 in the Enter the object names to select text box and then click the Check Names button. When the name is found, it will be underlined. Click OK in the Select Users dialog box.

5.       Click Create in the New Group dialog box.

6.       Click Close in the New Group dialog box.

7.       Close the Computer Management console.
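The two account procedures above (creating User1 and the Exchange Users group on the firewall's local SAM), scripted as an added example that is not part of the original document. It assumes the LocalAccounts module (Windows Server 2016 / Windows 10 or later); the description strings are constructed, and the verification function returns $true only when the account carries the settings the walkthrough asks for.

```powershell
# Added example, not from the original document. Assumes the LocalAccounts module.
Import-Module Microsoft.PowerShell.LocalAccounts

$userName  = 'User1'
$groupName = 'Exchange Users'
$password  = Read-Host -AsSecureString -Prompt "Password for $userName"

# "User cannot change password" and "Password never expires", as in the New User dialog.
# New-LocalUser does not set "must change password at next logon", so there is nothing to clear.
if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $userName -Password $password `
        -UserMayNotChangePassword -PasswordNeverExpires `
        -Description 'VPN user for secure Exchange RPC publishing (constructed)' | Out-Null
}

if (-not (Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $groupName -Description 'Members may connect by VPN (constructed)' | Out-Null
}

# Check membership first: Add-LocalGroupMember errors if the member is already present.
$members = Get-LocalGroupMember -Group $groupName
if (-not ($members | Where-Object Name -like "*\$userName")) {
    Add-LocalGroupMember -Group $groupName -Member $userName
}

# Verification. The Dial-in setting "Control access through Remote Access Policy" is the
# account default and is not exposed by these cmdlets, so it is not checked here.
function Test-ExchangeVpnAccount {
    param([string]$User, [string]$Group)
    $u = Get-LocalUser -Name $User
    $inGroup = [bool](Get-LocalGroupMember -Group $Group | Where-Object Name -like "*\$User")
    # PasswordExpires is $null when "Password never expires" is set.
    $u.Enabled -and (-not $u.UserMayChangePassword) -and ($null -eq $u.PasswordExpires) -and $inGroup
}

Test-ExchangeVpnAccount -User $userName -Group $groupName
```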

Enable VPN Clients

The next step is to enable the ISA Server 2004 firewall machine to accept VPN client connections. This can be done from the Microsoft Internet Security and Acceleration Server 2004 management console; you do not need to go into the Routing and Remote Access console to enable VPN client connections.

Perform the following steps to enable VPN client connections:

1.       Open the Microsoft Internet Security and Acceleration Server 2004 management console, expand your server name in the left pane of the scope pane of the console and then click the Virtual Private Networks (VPN) node. Click the Enable VPN Client Access link in the Tasks tab of the Task pane.

2.       Do not click the Apply button yet. We will continue to configure the VPN client access parameters in the next step.

Configure VPN Client Access

There are several VPN client options you can configure in the Microsoft Internet Security and Acceleration Server 2004 management console. The next step is to configure these options so that you can assign the correct IP addresses and use L2TP/IPSec without requiring user certificates.

Perform the following steps to configure VPN client access:

1.       In the Microsoft Internet Security and Acceleration Server 2004 management console, click the Configure VPN Client Access link in the Tasks tab of the Task Pane.

2.       On the General tab, notice that the Enable VPN client access checkbox is checked and that the Maximum number of VPN clients allowed is set to 5. You can change this value if you need to. However, make sure that you have enough IP addresses in your DHCP scope for all of your VPN clients, plus one IP address for the ISA Server 2004 firewall’s virtual interface.

3.       Click the Users tab. Here you can select domain or local computer groups for which the ISA Server 2004 Remote Access Policy applies. In this example we will enable VPN access to the Exchange Users group. Note that the groups you select here will have VPN access only if the remote access permission is set to Control access through remote access policy in the user account. You can override this setting by configuring individual user accounts with Dial-in access permission.

4.       Click the Add button on the Users tab. In the Select Groups dialog box, enter Exchange Users in the Enter the object names to select text box, then click the Check Names button. The group name will be underlined when found. Click OK in the Select Groups dialog box.

5.       Click the Protocols tab. Place a checkmark in the Enable L2TP/IPSec checkbox.

6.       Click Apply and then click OK in the VPN Clients Properties dialog box.

7.       Do not click Apply yet. We will continue to configure the VPN clients network in the next step.

Configure General Virtual Private Networks (VPN) Properties

In the next step we will configure some parameters that apply to the VPN clients network. Perform the following steps to configure some general properties of the VPN clients network:

1.       In the Microsoft Internet Security and Acceleration Server 2004 management console, click on the VPN Access Points link on the Tasks tab of the Task Pane.

2.       Notice on the Allowed Networks tab of the Virtual Private Networks (VPN) Properties dialog box that the External checkbox is checked by default. This indicates that the ISA Server 2004 firewall will listen for incoming VPN client connections on the external network interface.

3.       Click on the Address Assignment tab. Notice that the default address assignment method for VPN clients is to use DHCP. You have the option to create a static address pool in this dialog box. However, you will need to make sure that these addresses do not overlap with any other network you have configured. For example, if you wanted to use an on-subnet address pool, you would have to remove those addresses from the Internal network. If you do not remove those addresses, you will see an error message. In contrast, you can use on-subnet addresses when using DHCP, because these addresses are automatically entered into the VPN Clients network that ISA Server 2004 dynamically creates. Select the internal interface in the Use the following network to obtain DHCP, DNS and WINS services list. This is the interface that is closest to the DHCP server.

4.       Click the Authentication tab. Notice that the Microsoft Encrypted authentication version 2 (MS-CHAPv2) option is selected by default. All Microsoft clients support this authentication method. Put a checkmark in the Allow custom IPSec policy for L2TP connection checkbox. Enter a pre-shared key in the Pre-shared key text box. Please note that pre-shared keys are not considered secure, as they are stored in the interface and the Registry in clear text. You should use computer certificates if you wish to create highly secure L2TP/IPSec VPN connections. We use the pre-shared key in this example to provide an illustration on how to configure an L2TP/IPSec connection before you have deployed your certificate infrastructure. Enter a complex key in a production environment. In this example, we will enter 123.

5.       Click Apply and then click OK in the Virtual Private Networks (VPN) Properties dialog box.

6.       Click OK in the Microsoft Internet Security and Acceleration Server 2004 dialog box informing you that the Routing and Remote Access may need to restart. In this example, the Routing and Remote Access Service has not yet started, so this is not an issue.

7.       Click OK in the Virtual Private Networking (VPN) Properties dialog box.

8.       Do not click the Apply button yet. We will continue configuring the firewall and then click the Apply button when configuration is complete.

Create Computer Network Object for the DNS Server

The next step is to create a network object for the DNS server. ISA Server 2004 allows you to create a great variety of computer objects that you can use in firewall Access Policies. These network objects give you a high level of granularity when configuring access controls.

We need to create a computer object for the DNS server. The Outlook clients need access to the DNS server to resolve the name of the Exchange Server and Global Catalog servers.

Perform the following steps to create the DNS and Exchange Computer Objects:

1.       In the Microsoft Internet Security and Acceleration Server 2004 management console, click on the Firewall Policies node. Click the Toolbox tab in the Task Pane. Click the Network Objects entry.

2.       In the Network Objects list, click the New menu. Click on the Computer entry.

3.       In the New Computer Rule Element dialog box, enter a name for the Computer in the Name text box. In this example we will name the object DNS Server. Enter the IP address of the DNS server in the Computer IP Address text box. In this example, we will enter 10.0.0.2. You can also enter an optional description in the Description (optional) text box. Click OK.

4.       Click OK in the New Computer Rule Element dialog box.

Create Exchange RPC Server Publishing Rule

The first firewall Access Policy we will create allows inbound access to the Exchange Server using secure Exchange RPC. In this instance, we use a Server Publishing Rule instead of an Access Rule to allow the VPN clients access to the Exchange Server on the Internal network. The reason why we use a Server Publishing Rule instead of an access rule is that there is no protocol definition that allows outbound access to secure RPC UUID interfaces. Perform the following steps to create the secure Exchange RPC Server Publishing Rule:

1.       In the Microsoft Internet Security and Acceleration Server 2004 management console, click on the Tasks tab in the Task Pane. On the Tasks tab, click the Publish a Mail Server link.

2.       On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the secure Exchange RPC Server Publishing rule in the Mail Server Publishing Rule name text box. In this example, we will enter the name Secure Exchange RPC. Click Next.

3.       On the Select Access Type page, select the Client access: RPC, IMAP, POP3, SMTP option and click Next.

4.       On the Select Services page, put a checkmark in the Outlook (RPC) checkbox. Do not select any of the other checkboxes. Click Next.

5.       On the Select Server page, enter the IP address of the Exchange Server on the Internal network in the Server IP address text box. Clic