Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario
Overview
Implementing a Site-to-Site VPN Scenario
Lab: Implementing a Site-to-Site VPN Scenario
Lesson: Implementing a Site-to-Site VPN Scenario
Issues in Deploying Site-to-Site VPNs
Guidelines for Implementing Distributed Configuration Storage Servers
Guidelines for Implementing Network Load Balancing for VPN
Guidelines for Configuring ISA Server Clients
Guidelines for Configuring Access Rules for Site-to-Site VPNs
Issues in Deploying Site-to-Site VPNs
Common site-to-site VPN deployment issues include:
Choosing a tunneling protocol
Configuring the remote site VPN gateway server
Configuring network rules and firewall access rules
ISA Server Enterprise Edition site-to-site deployment issues include:
Creating a preliminary connection to install the remote Configuration Storage server
Configuring Configuration Storage server replication between locations
Implementing NLB for the site-to-site VPN
Configuring firewall and Web proxy caching
Guidelines for Implementing Distributed Configuration Storage Servers
To deploy the branch-office Configuration Storage server:
Use a third-party VPN solution
Use Routing and Remote Access Service
Use a server publishing rule
Use a temporary ISA Server enterprise
Use an ISA Server backup file
To manage Configuration Storage server replication between office locations, use the ADAMSites tool to create ADAM sites and configure replication between sites
Guidelines for Implementing Network Load Balancing for VPN
When you enable NLB for site-to-site VPNs:
The connection owner for the VPN connection is automatically assigned, with failover in the event of a server failure
You must assign static IP addresses for VPN clients on each member of a multiple-server array
You must configure the virtual IP address for the remote array as the VPN tunnel endpoint, and add all the dedicated IP addresses for the array members to the remote site network properties
Guidelines for Configuring ISA Server Clients
When using ISA Server Enterprise Edition, Web Proxy and Firewall clients must connect to the array DNS name
The DNS name is assigned when the array is configured, but can be modified
The client must be able to resolve the array DNS name using DNS
Configure a DNS host record using the array DNS name and each array member's dedicated IP address if NLB is not enabled, or the shared IP address if NLB is enabled
When configuring Web Proxy or Firewall client chaining, configure the downstream array to use the DNS name for the upstream array
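The two guidelines above that depend on whether NLB is enabled (the host records clients need for the array DNS name, and the tunnel endpoint plus dedicated IP addresses that go into the remote site network) are easy to get half right. The following planning script is an added example, not part of the course material and not the ISA Server object model: it models an array as plain data, derives both settings from it, and checks an existing remote-site network definition against what the remote array needs. The array DNS names are placeholders, and the assignment of 192.168.1.x as the main-office internal network and 172.16.1.x as the network carrying the tunnel is an assumption drawn from the lab diagram.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed model of an ISA Server 2004 Enterprise Edition array.
# These classes and functions are hypothetical planning helpers, not the product's API.

@dataclass
class ArrayMember:
    name: str
    internal_ip: str   # dedicated IP on the site's internal network
    external_ip: str   # dedicated IP on the network that carries the VPN tunnel

@dataclass
class IsaArray:
    dns_name: str                        # array DNS name that clients connect to
    members: List[ArrayMember]
    nlb_enabled: bool = False
    internal_vip: Optional[str] = None   # NLB shared IP on the internal side
    external_vip: Optional[str] = None   # NLB shared IP on the tunnel side

def client_dns_records(array: IsaArray) -> List[Tuple[str, str]]:
    """Host (A) records clients need for the array DNS name: one record with the
    shared IP when NLB is enabled, otherwise one record per member's dedicated IP."""
    if array.nlb_enabled:
        if not array.internal_vip:
            raise ValueError(f"{array.dns_name}: NLB is enabled but no shared IP is set")
        return [(array.dns_name, array.internal_vip)]
    return [(array.dns_name, m.internal_ip) for m in array.members]

def remote_site_network(remote: IsaArray) -> Tuple[str, List[str]]:
    """What the local array's remote-site network must contain for the remote array:
    the remote virtual IP as tunnel endpoint, plus every remote member's dedicated IP.
    For a non-NLB array the endpoint is the first member's own dedicated IP
    (assumption made here for the single-server branch office)."""
    if remote.nlb_enabled:
        if not remote.external_vip:
            raise ValueError(f"{remote.dns_name}: NLB is enabled but no shared IP is set")
        endpoint = remote.external_vip
    else:
        endpoint = remote.members[0].external_ip
    addresses = sorted((m.external_ip for m in remote.members), key=ip_address)
    return endpoint, addresses

def check_remote_site_network(endpoint: str, addresses: List[str], remote: IsaArray) -> List[str]:
    """Compare an existing remote-site network definition with what the remote array needs."""
    expected_endpoint, expected_addresses = remote_site_network(remote)
    problems = []
    if endpoint != expected_endpoint:
        problems.append(f"tunnel endpoint is {endpoint}, expected {expected_endpoint}")
    for ip in expected_addresses:
        if ip not in addresses:
            problems.append(f"dedicated IP {ip} of an array member is missing")
    return problems

# Constructed sample built from the lab addresses; DNS names are placeholders.
MAIN_ARRAY = IsaArray(
    dns_name="main-array.lab.invalid",
    members=[ArrayMember("Den-ISAEE-01", "192.168.1.1", "172.16.1.1"),
             ArrayMember("Den-ISAEE-02", "192.168.1.2", "172.16.1.2")],
    nlb_enabled=True, internal_vip="192.168.1.3", external_vip="172.16.1.3")

BRANCH_ARRAY = IsaArray(
    dns_name="ro-array.lab.invalid",
    members=[ArrayMember("RO-ISAEE-01", "192.168.2.1", "172.16.1.110")])

if __name__ == "__main__":
    for arr in (MAIN_ARRAY, BRANCH_ARRAY):
        print(arr.dns_name, "A records:", client_dns_records(arr))
    print("branch -> main remote site network:", remote_site_network(MAIN_ARRAY))
    # A definition that points at one member's dedicated IP instead of the VIP.
    print(check_remote_site_network("172.16.1.1", ["172.16.1.1"], MAIN_ARRAY))
```

The check deliberately flags the common mistake of using one member's dedicated address as the tunnel endpoint: the tunnel then works only while that member owns the connection and does not fail over.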
Guidelines for Configuring Access Rules for Site-to-Site VPNs
When configuring access rules for site-to-site VPNs, allow only required network traffic:
Create computer sets to define specific computers that need access rather than using the entire network
Configure access rules to allow only required protocols
Use Web and server publishing rules
Restrict access based on user sets
When deploying main site domain members or members of a trusted domain in the remote site, you must enable the required protocols between the domain controllers, or between the domain members and domain controllers
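To make the effect of these guidelines concrete, here is an added example (not course code, and not the ISA Server policy engine) that evaluates flows across the tunnel against two rule sets: a broad rule that allows all traffic from the branch network to the main network, and a least-privilege set built from computer sets, an explicit protocol list and a user set. First matching rule wins and unmatched traffic is denied, which mirrors the ISA Server default rule. The rule names, user names, protocol names and the "required" protocol list are constructed for the sample; the addresses come from the lab diagram.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Tuple

ANY = "*"  # wildcard entry for a protocol set or user set

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    protocols: FrozenSet[str]              # frozenset({ANY}) means all protocols
    sources: Tuple[IPv4Network, ...]       # a whole network, or /32s for a computer set
    destinations: Tuple[IPv4Network, ...]
    users: FrozenSet[str]                  # frozenset({ANY}) means all users

@dataclass(frozen=True)
class Flow:
    name: str
    src: IPv4Address
    dst: IPv4Address
    protocol: str
    user: str   # authenticated user, or "-" when the traffic carries no user identity

def computer_set(*ips: str) -> Tuple[IPv4Network, ...]:
    """Specific computers, expressed as host (/32) networks."""
    return tuple(ip_network(f"{ip}/32") for ip in ips)

def network(cidr: str) -> Tuple[IPv4Network, ...]:
    return (ip_network(cidr),)

def _in(nets: Tuple[IPv4Network, ...], ip: IPv4Address) -> bool:
    return any(ip in n for n in nets)

def matches(rule: Rule, flow: Flow) -> bool:
    return (_in(rule.sources, flow.src) and _in(rule.destinations, flow.dst)
            and (ANY in rule.protocols or flow.protocol in rule.protocols)
            and (ANY in rule.users or flow.user in rule.users))

def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule decides; anything unmatched falls to the deny-all default."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "Default rule"

def allowed_flows(rules: List[Rule], flows: List[Flow]) -> List[str]:
    return [f.name for f in flows if evaluate(rules, f)[0] == "allow"]

def broad_policy() -> List[Rule]:
    # Whole branch network to whole main network, every protocol, every user.
    return [Rule("Branch to Main (all)", "allow", frozenset({ANY}),
                 network("192.168.2.0/24"), network("192.168.1.0/24"), frozenset({ANY}))]

def least_privilege_policy() -> List[Rule]:
    # Only the branch domain member, only the domain controller, only the protocols
    # it needs for domain membership (sample list, constructed for the example).
    return [
        Rule("Branch domain member to DC", "allow", frozenset({"Kerberos", "LDAP", "DNS"}),
             computer_set("192.168.2.10"), computer_set("192.168.1.10"), frozenset({ANY})),
        # Management protocol restricted further by a user set.
        Rule("Admin RDP to DC", "allow", frozenset({"RDP"}),
             computer_set("192.168.2.10"), computer_set("192.168.1.10"), frozenset({"bob"})),
    ]

def sample_flows() -> List[Flow]:
    # Constructed traffic: Den-Clt-01 (192.168.2.10) -> Den-DC-01 (192.168.1.10) and
    # Den-CSS-01 (192.168.1.20), plus an unknown branch host at 192.168.2.55.
    a = ip_address
    return [
        Flow("clt-dc-kerberos", a("192.168.2.10"), a("192.168.1.10"), "Kerberos", "-"),
        Flow("clt-dc-rdp-alice", a("192.168.2.10"), a("192.168.1.10"), "RDP", "alice"),
        Flow("clt-dc-rdp-bob", a("192.168.2.10"), a("192.168.1.10"), "RDP", "bob"),
        Flow("unknown-dc-smb", a("192.168.2.55"), a("192.168.1.10"), "SMB", "-"),
        Flow("clt-css-ldap", a("192.168.2.10"), a("192.168.1.20"), "LDAP", "-"),
    ]

if __name__ == "__main__":
    for label, policy in (("broad", broad_policy()), ("least privilege", least_privilege_policy())):
        print(f"{label}: allowed = {allowed_flows(policy, sample_flows())}")
```

Running it shows the broad rule admitting all five flows, including traffic from a host nobody defined and a protocol the domain member never needs, while the least-privilege set admits only the two flows the rules were written for. The same evaluation loop is a useful review aid for a real rule set: feed it the flows you expect across the tunnel and confirm that nothing else matches before the default rule.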
Lab 13: Implementing a Site-to-Site VPN Scenario
Lab network (computers and IP addresses from the lab diagram):
Computer      IP addresses
Den-DC-01     192.168.1.10
Den-CSS-01    192.168.1.20
Den-ISAEE-01  192.168.1.1, 192.168.0.1, 172.16.1.1
Den-ISAEE-02  192.168.1.2, 192.168.0.2, 172.16.1.2
Den-Web-01    172.16.1.10, 172.16.1.11
RO-ISAEE-01   172.16.1.110, 192.168.2.1
Den-Clt-01    192.168.2.10
NLB shared IP addresses: 192.168.1.3 and 172.16.1.3
The diagram places the lab computers on two physical hosts, Host1 and Host2.
Exercise 1: Enabling NLB and CARP for the Main\Front-End Array
Exercise 2: Configuring the Main Office Array for a Site-to-Site VPN
Exercise 3: Deploying an ISA Server Remote Site
Exercise 4: Configure the Branch Office Array for a Site-to-Site VPN