Publishing a VPN Server Behind the ISA Server 2004 Firewall
ISA Server allows you to configure Virtual Private Networks (VPNs) so that clients can create Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) over IPSec tunnels to the ISA Server. ISA Server also allows you to create site-to-site VPN tunnels. However, in some cases hosting VPNs on the ISA Server itself is not enough. If you are using a third-party VPN server, or if you want to host a VPN server on the internal network for your clients, you may be interested in setting up a VPN server behind the ISA Server firewall on your private network.
You can configure VPN client access in the ISA Server Management console, but that allows VPN access to the ISA Server computer itself, not to another server on the private network. Normally you would not want your users tunneling into the ISA Server; you would want them to tunnel into a server behind the ISA Server firewall.
In this article we will learn how to configure a VPN server on the private network and configure ISA Server with the rules required to publish an internal VPN server. You can either use PPTP or L2TP over IPSec tunnel. Compared to L2TP over IPSec, PPTP is much easier to configure so we will use PPTP in this document.
Here’s what our scenario looks like.
The first thing you need to do is install and configure your VPN server. The procedure for configuring a VPN server on Windows Server 2003 is described in the KB article How To Install and Configure a Virtual Private Network Server in Windows Server 2003. Because we will use the server publishing feature of ISA Server, the VPN server must use the private interface of the ISA Server as its default gateway. In our scenario this is the interface with IP address 10.0.0.1.
Creating a Server Publishing Rule
As mentioned above, we will use PPTP to publish our VPN server. This requires a server publishing rule on the ISA Server computer.
1. Open ISA Server Management console and select Firewall Policy.
2. In the task pane on the right hand side click on the Tasks tab.
3. Click on Create New Server Publishing Rule.
We will use the screen shots to look at the rest of the steps.
10.0.0.2 is the IP address of the internal VPN server that you are publishing through the ISA Server.
Selecting PPTP Server will configure inbound TCP port 1723 for VPN. It will also use the built-in PPTP filter on the ISA Server.
If you have more than one IP address on your external interface and you want to publish the VPN server on all of them, you need to make sure that ISA Server listens on all of those addresses. In our example we are only using one IP address on the external interface, so we will only configure ISA Server to listen on the External network.
Don’t forget to enable VPN access for clients either through Remote Access policy or through Active Directory in the users’ account properties or else users will not be able to create VPN connections.
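Once the publishing rule is in place, you will want to confirm from the outside that the rule actually forwards PPTP control traffic to the internal server before handing the address to users. The script below is an added example written for this article, not code from the article or from ISA Server; it builds the fixed-length PPTP Start-Control-Connection-Request from RFC 2637, sends it to the published external address (the `server` argument and the `pptp-check` host name are assumptions, not values from the article), and parses the Start-Control-Connection-Reply so you can see whether the internal server answered and what it calls itself. The constructed reply in `build_sccrp` exists only so the parser can be exercised offline.

```python
import socket
import struct

# PPTP control-connection constants (RFC 2637, section 2)
PPTP_PORT = 1723
PPTP_MAGIC = 0x1A2B3C4D
MSG_TYPE_CONTROL = 1
CTRL_SCCRQ = 1          # Start-Control-Connection-Request (client -> server)
CTRL_SCCRP = 2          # Start-Control-Connection-Reply   (server -> client)
PROTOCOL_VERSION = 0x0100
SCC_LENGTH = 156        # SCCRQ and SCCRP are both fixed-length messages
RESULT_OK = 1           # SCCRP result code: control connection established


def _header(ctrl_type):
    """Common 12-byte PPTP control header: length, msg type, magic, ctrl type, reserved."""
    return struct.pack("!HHIHH", SCC_LENGTH, MSG_TYPE_CONTROL, PPTP_MAGIC, ctrl_type, 0)


def _cstr(raw):
    """Decode a NUL-padded 64-byte name field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def build_sccrq(hostname=b"pptp-check", vendor=b"example"):
    """Build an SCCRQ: version, reserved, framing caps, bearer caps,
    max channels, firmware revision, host name (64), vendor (64)."""
    body = struct.pack("!HHIIHH64s64s",
                       PROTOCOL_VERSION, 0, 1, 1, 1, 0, hostname, vendor)
    return _header(CTRL_SCCRQ) + body


def build_sccrp(result_code=RESULT_OK, hostname=b"vpn-internal", vendor=b"constructed"):
    """Constructed SCCRP used only for offline testing of parse_sccrp (assumption:
    a real server would fill in its own host and vendor names)."""
    body = struct.pack("!HBBIIHH64s64s",
                       PROTOCOL_VERSION, result_code, 0, 1, 1, 1, 0, hostname, vendor)
    return _header(CTRL_SCCRP) + body


def parse_sccrp(data):
    """Validate and decode an SCCRP; raise ValueError on anything that is not one."""
    if len(data) < SCC_LENGTH:
        raise ValueError("short reply: %d bytes, expected %d" % (len(data), SCC_LENGTH))
    _length, msg_type, magic, ctrl_type, _reserved = struct.unpack("!HHIHH", data[:12])
    if magic != PPTP_MAGIC:
        raise ValueError("bad magic cookie 0x%08X: not a PPTP control message" % magic)
    if msg_type != MSG_TYPE_CONTROL or ctrl_type != CTRL_SCCRP:
        raise ValueError("unexpected message type %d / control type %d" % (msg_type, ctrl_type))
    (version, result, error, framing, bearer,
     max_channels, firmware, host, vendor) = struct.unpack("!HBBIIHH64s64s", data[12:SCC_LENGTH])
    return {
        "protocol_version": "%d.%d" % (version >> 8, version & 0xFF),
        "result_code": result,
        "error_code": error,
        "established": result == RESULT_OK,
        "framing_caps": framing,
        "bearer_caps": bearer,
        "max_channels": max_channels,
        "firmware": firmware,
        "hostname": _cstr(host),
        "vendor": _cstr(vendor),
    }


def check_published_pptp(server, port=PPTP_PORT, timeout=5.0):
    """Connect to the published address, send an SCCRQ and return the parsed SCCRP.
    This exercises only the TCP 1723 part of the rule; the GRE data channel that
    the ISA PPTP filter handles is only exercised by a full tunnel logon."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        data = b""
        while len(data) < SCC_LENGTH:
            chunk = sock.recv(SCC_LENGTH - len(data))
            if not chunk:
                break
            data += chunk
    return parse_sccrp(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder external address
    reply = check_published_pptp(target)
    print("published PPTP server answered:", reply)
```

Run it from a host on the external side against the address the rule listens on. A reply with `established` set to `True` and the internal server's host name shows that the publishing rule and the default-gateway setting on the VPN server are both correct; a timeout or a `ValueError` points at the listener address, the rule, or a server that is not actually running the PPTP service. Because only the TCP control channel is checked here, a user who can connect but whose tunnel then fails is usually seeing a GRE or remote-access-policy problem rather than a publishing-rule problem.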