
Tom Shinder: Using ISA Server to create VPN gateways

Author and ISA Server expert Dr. Tom Shinder answers user questions about how to use an ISA Server to create VPN gateways across networks. Topics include creating multiple remote branch offices to call the central VPN gateway, using a VPN gateway on a domain controller, and the ports that need to be open when a local VPN gateway is behind a firewall.

Is it possible if you have a VPN-to-VPN gateway to access the Internet, or is that risky?
The gateway won't interfere with Internet access for internal network clients. So users can use SecureNAT, Firewall and Web Proxy clients and access Internet resources.

Does ISA include any mechanisms to ensure that the client hasn't already been compromised?
The ISA Server won't inspect the client configuration. You'll have to run antivirus and other software to ensure client integrity.

Can the local VPN gateway be behind a firewall? If so, which ports need to be opened?
The gateway can be behind a firewall, but you should use public addresses on the DMZ segment behind your firewall so that all VPN protocols can pass through. The ports you need to open depend on the protocol. PPTP requires GRE (IP Protocol 47) and TCP 1723. L2TP/IPSec requires UDP 500 and UDP 1701.

Are there any issues with Ethernet MTU and L2TP, especially over xDSL links?
There is a Q article that addresses MTU issues that might affect your configuration. It is Q301337.

What else is needed to configure a VPN Gateway while going through a PIX 515 Firewall?
All you need to do is open the appropriate packet filters in the PIX to allow the VPN protocols through and you're set. Make sure that you don't use NAT behind the PIX, though.

Should it be a public IP address at the VPN gateway then a private IP?
The external interfaces of the VPN gateways should be public addresses. You can use private addresses inside the internal networks that are behind the gateways.

Must the VPN be dial-on-demand?
The interface must be a dial-on-demand interface. However, you can configure the dial-on-demand interface to be a permanent connection. When you configure it as a permanent connection, the link will not drop after a period of inactivity and will redial if for some reason the link is dropped. Remember that the "redial" is to the IP address of the remote VPN gateway.

Does Win2000 Server support a gateway environment for an ISA Server to connect to?
Yes! In fact, you don't even need to use ISA Server to create a gateway-to-gateway VPN. There are RRAS Wizards that will help you with the configuration. But you'll need to do some tweaking, as I mentioned in the talk.

I'm trying to get a remote NetMeeting client to connect via ISA, but I keep getting "Error: the person you are calling cannot accept NetMeeting calls."
It could be that the NetMeeting client doesn't have permission to use the H.323 Protocol. Check out my article "Adventures with the NetMeeting Client" over at
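
As an added example (not from the webcast, and not ISA Server or PIX code), the following Python check reads a PIX-style access list and reports which of the inbound allows from the port and PIX 515 answers above are missing for a given gateway address, and flags an RFC 1918 gateway address that the PIX would have to NAT. The ACL syntax, the gateway addresses and the sample rules are assumed or constructed; for L2TP/IPSec it also checks ESP (IP protocol 50), which carries the L2TP packets and is needed alongside the two UDP ports the answer lists.

```python
import ipaddress
import re

# Inbound allows each VPN protocol needs at the gateway's public address.
# PPTP entries follow the answer above (GRE, IP protocol 47, and TCP 1723).
# For L2TP/IPSec the answer lists UDP 500 and UDP 1701; ESP (IP protocol 50)
# is added here because the L2TP packets travel inside it.
REQUIRED = {
    "pptp": {("gre", None), ("tcp", 1723)},
    "l2tp": {("udp", 500), ("udp", 1701), ("esp", None)},
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed PIX-style ACL line (numeric ports only, source "any"):
#   access-list <name> permit <proto> any host <dst> [eq <port>]
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(?P<proto>\w+)\s+any\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?$"
)

def parse_acl(text):
    """Return a set of (proto, dst, port) for every permit line that parses."""
    rules = set()
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            port = int(m["port"]) if m["port"] else None
            rules.add((m["proto"].lower(), m["dst"], port))
    return rules

def missing_rules(acl_text, gateway_ip, protocol):
    """(proto, port) allows that `protocol` needs but the ACL lacks for the gateway."""
    allowed = {(p, port) for p, dst, port in parse_acl(acl_text) if dst == gateway_ip}
    return sorted(REQUIRED[protocol] - allowed, key=str)

def behind_nat(gateway_ip):
    """True for an RFC 1918 address, which the PIX would have to NAT;
    the answer above says not to NAT the VPN gateway."""
    addr = ipaddress.ip_address(gateway_ip)
    return any(addr in net for net in RFC1918)

# Constructed sample ACL: TCP 1723 and UDP 500 are open for the gateway, GRE is not.
SAMPLE_ACL = """\
access-list outside_in permit tcp any host 203.0.113.10 eq 1723
access-list outside_in permit udp any host 203.0.113.10 eq 500
access-list outside_in permit tcp any host 203.0.113.20 eq 443
"""
```

Running `missing_rules(SAMPLE_ACL, "203.0.113.10", "pptp")` reports the absent GRE allow, and the L2TP/IPSec check reports UDP 1701 and ESP.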

About the author:
Thomas W. Shinder is an M.D. and Microsoft Certified Systems Engineer. Tom was a Series Editor of the Syngress/Osborne Series of "Windows 2000 Certification Study Guides" and author of the best selling book on ISA Server 2000 "Configuring ISA Server 2000: Building Firewalls with Windows 2000." He is the editor of the Win2k News newsletter, the Sunbelt Software WinXP News newsletter, a regular contributor to TechProGuild, and content editor, contributor and moderator for the World's leading site on ISA Server 2000.

Will you cover an ISA Server-to-Win2k Server VPN gateway in addition to an ISA-to-ISA gateway?
The principles are the same, except that you can't use the Wizards to create the gateways. You'll have to manually create the Local and Remote gateways, and then create the appropriate packet filters on the ISA Server. This is a great idea for an article and I'll write it up in the near future. Thanks!

Can I run a VPN Server and a VPN gateway on the same machine?
Yes! You can run both a VPN Server and a VPN gateway on the same machine. There will be no adverse effects from doing this.

Should I use a gateway or a server to connect a remote network of only two or three computers to my main office?
You'll simplify your configuration if you use a VPN gateway. The VPN gateway won't prevent the clients from using the Internet through their local ISA Server, and the clients won't need to create a VPN connection to the main office VPN server individually. They'll all go through the VPN gateway to access resources at the remote office.

Are there any problems with using a VPN gateway on a domain controller?
No specific ones that I know of, but keep in mind that the VPN gateway is a security device. You wouldn't try to make a PIX box a domain controller, if you could. So why do that with your ISA Server firewall/VPN gateway?

Will the VPN gateway interfere with my internal network clients making outbound calls to external VPN Servers?
No! The VPN gateway will not have any adverse effect on your internal network clients' ability to access Internet-based VPN servers.

May I have an AD Domain Controller on a VPN Gateway synchronizing with another DC behind another VPN Gateway?
If both DCs are behind the ISA/VPN gateway machine, you should have no problems at all -- as long as your DNS infrastructure is in place to support both networks. You may run into problems if you put the DC on the ISA Server, but I've never tested that configuration for security reasons.

Concerning the PIX 515 config -- I would assume a static route would have to be made from the external NIC of ISA to the public NIC of the PIX Firewall, correct?
Yes, on the external interface of the ISA Server, if the PIX is your gateway to the Internet, you'll need to make the LAN interface of the PIX your default gateway on the external interface of the ISA Server.

How can I get my Cisco VPN clients working through the gateway?
If the Cisco VPN client allows for IPSec passthrough by encapsulating the request in a UDP 500 packet, you can create a Protocol Rule to allow outbound UDP 500 and the packets will go through. This is the IETF implementation. If the Cisco client doesn't allow this type of encapsulation, it won't work.

Can I create multiple remote branch offices to call the central VPN gateway?
Yes! The ISA Server Local and Remote VPN Wizards make it easy to create a spoke and hub VPN gateway network.
