Contents
Overview
VPN Overview
Configuring VPNs
Lab A: Configuring Virtual Private Networks
Review
Module 5: Configuring Access for Remote Clients and Networks
© 2001 Microsoft Corporation. All rights reserved.
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart
Instructor Notes
This module provides students with the knowledge and skills to configure
virtual private network (VPN) access.
After completing this module, students will be able to:
• Explain the use of VPNs and Microsoft® Internet Security and Acceleration
  (ISA) Server 2000.
• Configure VPNs by using ISA Server.
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2159A_05.ppt.
Presentation: 30 Minutes
Lab: 30 Minutes
Module Strategy
Use the following strategy to present this module:
• VPN Overview
Explain that by configuring an ISA Server computer as a VPN server,
remote users or remote networks can send data to an internal network across
the Internet while maintaining secure communications. Use the animated
slide to describe the use of an ISA VPN Server to connect remote users to
an internal network. Use the slide graphic to describe the use of an ISA
VPN Server to connect remote networks to an internal network. Mention
that ISA Server uses the Routing and Remote Access service component of
Windows 2000 to create and manage VPNs.
• Configuring VPNs
Explain that ISA Server includes three taskpads for configuring VPNs: a
taskpad to configure a VPN to accept client connections, a taskpad to
configure a local VPN, and a taskpad to configure a remote VPN. Ensure
that students understand the difference between a local VPN and a remote
VPN. Demonstrate the procedure for creating a local VPN and demonstrate
the procedure for creating a remote VPN. Emphasize that you must have the
.vpc file and the password that were created during the setup of the local
ISA VPN Server to configure a remote ISA VPN Server.
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course
  2159A, Deploying and Managing Microsoft Internet Security and
  Acceleration Server 2000.
• Install the ISA Server administration tools manually.
Setup Requirement 3
The lab in this module requires that the Firewall Client be installed on all ISA
Server client computers. To prepare student computers to meet this
requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course
  2159A, Deploying and Managing Microsoft Internet Security and
  Acceleration Server 2000.
• Install the Firewall Client manually.
Setup Requirement 4
The lab in this module requires that all ISA Server client computers be
configured to use the ISA Server computer’s IP address on the private network
as their default gateway. To prepare student computers to meet this
requirement, perform one of the following actions:
• Complete Module 2, “Installing and Maintaining ISA Server,” in Course
  2159A, Deploying and Managing Microsoft Internet Security and
  Acceleration Server 2000.
by using any protocol. To prepare student computers to meet this requirement,
perform one of the following actions:
• Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A,
  Deploying and Managing Microsoft Internet Security and Acceleration
  Server 2000.
• Create the rule manually.
Lab Results
Performing the lab in this module introduces the following configuration
changes:
• ISA Server is configured to allow outgoing Point-to-Point Tunneling
  Protocol (PPTP) connections from internal clients.
• The Administrator account is configured so that it has dial-in permissions.
• The ISA Server computer is configured as a VPN server. This change
  includes configuring the Routing and Remote Access service, adding
  Internet Protocol (IP) packet filters in ISA Server, and creating a user
  account.
• The Routing and Remote Access service is configured with a static IP
  address range for VPN connections.
• On the ISA Server client computers, a new network connection called
  Virtual Private Connection is created.
Topic Objective
To provide an overview of the module topics and objectives.
Lead-in
In this module, you will learn about configuring ISA Server as a VPN server to
connect remote users and remote networks to a local network.
VPN Overview
• Understanding VPNs
• Connecting Remote Users to a Corporate Network
• Connecting Remote Networks to a Local Network
A VPN is an extension of a private network that encompasses links across
public networks, such as the Internet. A VPN secures a connection by
encrypting all network traffic before sending it across the Internet and then
decrypting the traffic when it arrives at the other end of the VPN. Because the
public network transports all VPN traffic in encapsulated form, a VPN
connection is also referred to as tunneling.
By configuring an ISA Server computer as a VPN server, remote users or
computers on remote networks can send data to your internal network across
the Internet while maintaining secure communications. The ISA VPN Server
computer can use either PPTP or L2TP over IPSec to manage tunnels and
encapsulate private data.
ISA Server uses the Routing and Remote Access service component of
Microsoft Windows® 2000 to create and manage VPNs. If your network
requires a VPN configuration that is different from the default configuration
that the Routing and Remote Access service uses, you must perform further
configurations after you have configured the ISA Server computer as a VPN
server. For example, if your network does not use the Dynamic Host
Configuration Protocol (DHCP) to assign Internet Protocol (IP) addresses to
client computers, you must configure the IP addresses that the Routing and
Remote Access service uses for the VPN.
For more information about VPNs, see Module 7, “Configuring Remote
Access,” Module 8, “Supporting Remote Access to a Network,” and Module 9,
“Extending Remote Access Capabilities by Using IAS,” in Course 2153,
and Remote Access service
uses.
Connecting Remote Users to a Corporate Network
[Slide diagram: Remote User, Internet, VPN Tunnel, ISA Server Computer, Corporate Network]
VPN connections allow users who work remotely to connect to the corporate
network over a public network, such as the Internet. From the user's
perspective, the infrastructure of the public network is irrelevant because it
appears as if the data is sent over a dedicated private link. To allow client
computers to establish a VPN connection, you must configure the ISA Server
computer to accept VPN client connections.
Topic Objective
To describe the use of ISA Server for connecting