
Enable the VPN Server

By default, the VPN server component is disabled. The first step is to enable the VPN
server feature and configure the VPN server components.
Perform the following steps to enable and configure the ISA Server 2004 VPN Server:
1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click on the Virtual Private Networks (VPN) node.
2. Click on the Tasks tab in the Task Pane. Click the Enable VPN Client Access link.
3. Click Apply to save the changes and update the firewall policy.
4. Click OK in the Apply New Configuration dialog box.
5. Click the Configure VPN Client Access link.
6. On the General tab, change the value for the Maximum number of VPN clients allowed from 5 to 10.
7. Click on the Groups tab. On the Groups tab, click the Add button.
8. In the Select Groups dialog box, click the Locations button. In the Locations dialog box, click the msfirewall.org entry and click OK.
9. In the Select Group dialog box, enter Domain Users in the Enter the object names to select text box. Click the Check Names button. The group name will be underlined when it is found in the Active Directory. This value is used in the remote access policy managed by the ISA Server 2004 firewall machine. When the user accounts are configured to use remote access policy for dial-in access, the ISA Server 2004 remote access policy will be applied to the VPN client connections. Click OK.
10. Click the Protocols tab. On the Protocols tab, put a checkmark in the Enable L2TP/IPSec checkbox. Note that you will have to issue a machine certificate to the ISA Server 2004 firewall/VPN server, and to the connecting VPN clients, before you can use L2TP/IPSec. An alternative is to use a pre-shared key for the IPSec security negotiations.
11. Click the User Mapping tab. Put a checkmark in the Enable User Mapping checkbox. Put a checkmark in the When username does not contain a domain, use this domain checkbox. Enter msfirewall.org in the Domain Name text box. Note that these settings only apply when using RADIUS authentication. They are ignored when using Windows authentication (such as when the ISA Server 2004 firewall machine belongs to the domain and the user explicitly enters domain credentials). Click Apply and then click OK. You may see a Microsoft Internet Security and Acceleration Server 2004 dialog box informing you that you need to restart the computer for the settings to take effect. If so, click OK in the dialog box.
12. On the Tasks tab, click the Select Access Networks link.
13. In the Virtual Private Networks (VPN) Properties dialog box, click the Access Networks tab. Note that the External checkbox is selected. This indicates that the external interface is listening for incoming VPN client connections. You could choose other interfaces, such as DMZ or extranet interfaces, if you wish to provide dedicated VPN services to trusted hosts and networks. I'll go over this type of configuration, as well as how to configure additional interfaces for WLAN access, in future articles here on the www.isaserver.org Web site and in our ISA Server 2004 book.
14. Click the Address Assignment tab. Select the internal interface from the list in the Use the following network to obtain DHCP, DNS and WINS services list box. This is a critical setting, as it defines the network through which the DHCP server is reached. Note that in this example we are using a DHCP server on the Internal network to assign addresses to VPN clients. The DHCP server will not assign DHCP options to the VPN clients unless you install the DHCP Relay Agent on the ISA Server 2004 firewall/VPN server machine. You have the option to create a static address pool of addresses to be assigned to the VPN clients. If you choose to use a static address pool, you will not be able to assign DHCP options to these hosts. Also, if you choose to use a static address pool, you should use an off-subnet network ID. Please refer to Stefaan Pouseele's article on off-subnet address configuration over at http://isaserver.org/articles/How_to_Implement_VPN_OffSubnet_IP_Addresses.html.
15. Click on the Authentication tab. Note that the default setting is to enable only Microsoft encrypted authentication version 2 (MS-CHAPv2). In later documents in this ISA Server 2004 VPN Deployment Kit we will enable the EAP option so that high security user certificates can be used to authenticate with the ISA Server 2004 firewall VPN server. Note the Allow custom IPSec policy for L2TP connection checkbox. If you do not want to create a public key infrastructure, or are in the process of creating one but have not yet finished, you can enable this checkbox and then enter a pre-shared key. The VPN clients will need to be configured to use the same pre-shared key.
16. Click the RADIUS tab. Here you can configure the ISA Server 2004 firewall VPN server to use RADIUS to authenticate the VPN users. The advantage of RADIUS authentication is that you can leverage the Active Directory (and other) user databases to authenticate users without needing to join the Active Directory domain. We'll go over the details of RADIUS configuration to support VPN connections in later documents on the www.isaserver.org Web site and in our ISA Server 2004 book.
17. Click Apply in the Virtual Private Networks (VPN) Properties dialog box and then click OK.
18. Click Apply to save the changes and update the firewall policy.
19. Click OK in the Apply New Configuration dialog box.
20. Restart the ISA Server 2004 firewall machine.
The machine will obtain a block of IP addresses from the DHCP server on the Internal network when it restarts. Note that on a production network where the DHCP server is located on a network segment remote from the ISA Server 2004 firewall, all interposed routers will need to have BOOTP or DHCP relay enabled so that DHCP requests from the firewall can reach the remote DHCP servers.

Create an Access Rule Allowing VPN Clients Access to the Internal Network

The ISA Server 2004 firewall will be able to accept incoming VPN connections after the restart. However, the VPN clients cannot access any resources on the Internal network because there are no Access Rules enabling this access. You must create an Access Rule that allows members of the VPN Clients network access to the Internal network. In contrast to other combined firewall/VPN server solutions, the ISA Server 2004 firewall VPN server applies its access controls to network access by VPN clients.
In this example you will create an Access Rule allowing all traffic to pass from the VPN Clients network to the Internal network. In a production environment you would create more restrictive access rules so that users on the VPN Clients network have access only to the resources they require. I'll show you how to create more sophisticated user/group based access controls for VPN clients in future articles on the www.isaserver.org site and in our ISA Server 2004 firewall book.
Perform the following steps to create an Access Rule to allow VPN clients unrestricted access to the Internal network:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Right click the Firewall Policy node, point to New and click Access Rule.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we will name the rule VPN Client to Internal. Click Next.
3. On the Rule Action page, select the Allow option and click Next.
4. On the Protocols page, select the All outbound protocols option in the This rule applies to list. Click Next.
5. On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and double click on VPN Clients. Click Close.
6. Click Next on the Access Rule Sources page.
7. On the Access Rule Destinations page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and double click on Internal. Click Close.
8. On the User Sets page, accept the default setting, All Users, and click Next.
9. Click Finish on the Completing the New Access Rule Wizard page.
10. Click Apply to save the changes and update the firewall policy.
11. Click OK in the Apply New Configuration dialog box. The VPN client policy is now the top listed Access Rule in the Access Policy list.
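As an added illustration (not part of this deployment kit or of the ISA Server product), the following Python script simulates ISA Server 2004's top-to-bottom, first-match access rule evaluation with its implicit default deny, and compares the all-protocols, all-users rule built above against a narrower production-style rule set. The protocol names, the "Remote Admins" user set and the sample flows are constructed assumptions, not values from the kit.

```python
from dataclasses import dataclass, field

ALL_OUTBOUND = "All outbound protocols"  # ISA's catch-all protocol selection

@dataclass
class AccessRule:
    name: str
    action: str                 # "Allow" or "Deny"
    protocols: set              # protocol names, or {ALL_OUTBOUND}
    sources: set                # ISA network names, e.g. "VPN Clients"
    destinations: set
    users: set = field(default_factory=lambda: {"All Users"})

    def matches(self, src, dst, proto, group):
        return (src in self.sources and dst in self.destinations
                and (ALL_OUTBOUND in self.protocols or proto in self.protocols)
                and ("All Users" in self.users or group in self.users))

def evaluate(policy, src, dst, proto, group="Domain Users"):
    """Top-to-bottom, first match wins; ISA's implicit last rule denies the rest."""
    for rule in policy:
        if rule.matches(src, dst, proto, group):
            return rule.action, rule.name
    return "Deny", "Default rule"

# The rule built in the procedure above: every protocol, all users, VPN Clients -> Internal.
ARTICLE_POLICY = [
    AccessRule("VPN Client to Internal", "Allow", {ALL_OUTBOUND},
               {"VPN Clients"}, {"Internal"}),
]

# A narrower production-style set (constructed): file sharing and DNS for Domain Users,
# RDP only for a hypothetical "Remote Admins" user set; everything else hits the default deny.
RESTRICTED_POLICY = [
    AccessRule("VPN Users: CIFS and DNS", "Allow", {"Microsoft CIFS (TCP)", "DNS"},
               {"VPN Clients"}, {"Internal"}, {"Domain Users"}),
    AccessRule("VPN Admins: RDP", "Allow", {"RDP (Terminal Services)"},
               {"VPN Clients"}, {"Internal"}, {"Remote Admins"}),
]

def compare(src, dst, proto, group="Domain Users"):
    """(decision under the article's rule, decision under the restricted set) for one flow."""
    return (evaluate(ARTICLE_POLICY, src, dst, proto, group)[0],
            evaluate(RESTRICTED_POLICY, src, dst, proto, group)[0])

if __name__ == "__main__":
    for flow in [("VPN Clients", "Internal", "Microsoft CIFS (TCP)", "Domain Users"),
                 ("VPN Clients", "Internal", "RDP (Terminal Services)", "Domain Users"),
                 ("VPN Clients", "Internal", "RDP (Terminal Services)", "Remote Admins")]:
        print(flow, compare(*flow))
```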
Enable Dial-in Access for the Administrator Account

In non-native mode Active Directory domains, all user accounts have dial-in access disabled by default. You must enable dial-in access on a per-account basis in these non-native mode Active Directory domains. In contrast, native mode Active Directory domains have dial-in access controlled by Remote Access Policy by default. Windows NT 4.0 domains always have dial-in access controlled on a per user account basis.
In our current example, the Active Directory is in Windows Server 2003 mixed mode, so we will need to manually change the dial-in settings on the domain user account. I highly recommend that if you do not have any Windows NT 4.0 domain controllers on your network, you elevate your domain functional level.
Perform the following steps on the domain controller to enable dial-in access for the Administrator account:
1. Click Start and point to Administrative Tools. Click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console, click on the Users node in the left pane. Double click on the Administrator account in the right pane of the console.
3. Click on the Dial-in tab. In the Remote Access Permission (Dial-in or VPN) frame, select the Allow access option. Click Apply and click OK.
4. Close the Active Directory Users and Computers console.
Test the PPTP VPN Connection

The ISA Server 2004 VPN server is now ready to accept VPN client connections.
Perform the following steps to test the VPN Server:
1. On the Windows 2000 external client machine, right click the My Network Places icon on the desktop and click Properties.
2. Double click the Make New Connection icon in the Network and Dial-up Connections window.
3. Click Next on the Welcome to the Network Connection Wizard page.
4. On the Network Connection Type page, select the Connect to a private network through the Internet option and click Next.
5. On the Destination Address page, enter the IP address 192.168.1.70 in the Host name or IP address text box. Click Next.
6. On the Connection Availability page, select the For all users option and click Next.
7. Make no changes on the Internet Connection Sharing page and click Next.
8. On the Completing the Network Connection Wizard page, enter a name for the VPN connection in the Type the name you want to use for this connection text box. In this example, we'll name the connection ISA VPN. Confirm that there is a checkmark in the Add a shortcut to my desktop checkbox. Click Finish.
9. In the Connect ISA VPN dialog box, enter the user name MSFIREWALL\administrator and the password for the administrator user account. Click Connect.
10. The VPN client establishes a connection with the ISA Server 2004 VPN server. Click OK in the Connection Complete dialog box informing you that the connection is established.
11. Double click on the connection icon in the system tray and click the Details tab. You can see that MPPE 128 encryption is used to protect the data, and the IP address assigned to the VPN client.
12. Click Start and then click the Run command. In the Run dialog box, enter \\EXCHANGE2003AE in the Open text box and click OK. The shares on the domain controller computer appear. Close the windows displaying the domain controller's contents. Note that we were able to use a single label name to connect to the domain controller because the ISA Server 2004 firewall VPN server assigned the VPN client a WINS server address.
13. Right click the connection icon in the system tray and click Disconnect.
