How to Configure VPN Client Access
Before any users can access ISA Server using a VPN, you must enable VPN client access. When you enable this option, ISA Server enables VPN access using a default configuration that you can modify to meet your organization’s requirements.
The VPN client access configuration is managed using the Configure VPN Client Access dialog box in ISA Server Management. To access this dialog box, open ISA Server Management and click Virtual Private Networks (VPN).
Default VPN Client Access Configuration
When you enable VPN client access, the following default settings are applied:
1- System policy rules When VPN client access is enabled, a system policy rule named Allow VPN Client Traffic To ISA Server is enabled. Depending on which protocols are configured for remote-client access, the system policy rule allows the use of PPTP, L2TP, or both, from the external network to the computer running ISA Server (Local Host network).
2- VPN access network By default, ISA Server will listen for VPN client connections only on the external network. This property can be modified. When this property is modified, the system policy rule is changed automatically to apply to the additional or changed networks.
3- VPN protocol By default, only PPTP is enabled for VPN client access. This can be modified to include L2TP/IPSec only or both protocols. When this setting is modified, the system policy rule is updated to allow the appropriate protocol.
4- Network rules Enabling VPN client access does not modify the network rules configured on ISA Server. When you install ISA Server, two network rules are created that include the VPN Clients network, one specifying a route relationship between the VPN Clients network and the internal network, and one specifying a NAT relationship between the VPN Clients network and the external network. The second rule is part of the Internet access rule that also defines the relationship between the internal network and external network.
5- Firewall-access rules By default, clients on the VPN Clients network cannot access any resources on any other network. You can manually configure a firewallaccess rule that enables this access, or you can use a network template to configure the rule. If you use a network template, a firewall-access rule named VPN Clients to Internal Network is created. This rule allows access from the VPN Clients network to the internal network using all protocols. The VPN Clients network is also included in any rule that you create using a network template to grant Internet access. For example, if you use a network template to enable Internet access using all protocols, clients on the VPN Clients network will be able to access the Internet using that rule.
6- Remote-access policy When you enable ISA Server for VPN client access, a remote-access policy named ISA Server Default Policy is created in Routing and Remote Access. This default policy denies access to all VPN connections except those explicitly allowed by the remote-access profile. The remote-access profile for the default policy enables MS-CHAP v2 authentication and requires authentication for all VPN connections.
Before any users can access ISA Server using a VPN, you must enable VPN client access. When you enable this option, ISA Server enables VPN access using a default configuration that you can modify to meet your organization’s requirements.
The VPN client access configuration is managed using the Configure VPN Client Access dialog box in ISA Server Management. To access this dialog box, open ISA Server Management and click Virtual Private Networks (VPN).
Default VPN Client Access Configuration
When you enable VPN client access, the following default settings are applied:
1- System policy rules When VPN client access is enabled, a system policy rule named Allow VPN Client Traffic To ISA Server is enabled. Depending on which protocols are configured for remote-client access, the system policy rule allows the use of PPTP, L2TP, or both, from the external network to the computer running ISA Server (Local Host network).
2- VPN access network By default, ISA Server will listen for VPN client connections only on the external network. This property can be modified. When this property is modified, the system policy rule is changed automatically to apply to the additional or changed networks.
3- VPN protocol By default, only PPTP is enabled for VPN client access. This can be modified to include L2TP/IPSec only or both protocols. When this setting is modified, the system policy rule is updated to allow the appropriate protocol.
4- Network rules Enabling VPN client access does not modify the network rules configured on ISA Server. When you install ISA Server, two network rules are created that include the VPN Clients network, one specifying a route relationship between the VPN Clients network and the internal network, and one specifying a NAT relationship between the VPN Clients network and the external network. The second rule is part of the Internet access rule that also defines the relationship between the internal network and external network.
5- Firewall-access rules By default, clients on the VPN Clients network cannot access any resources on any other network. You can manually configure a firewallaccess rule that enables this access, or you can use a network template to configure the rule. If you use a network template, a firewall-access rule named VPN Clients to Internal Network is created. This rule allows access from the VPN Clients network to the internal network using all protocols. The VPN Clients network is also included in any rule that you create using a network template to grant Internet access. For example, if you use a network template to enable Internet access using all protocols, clients on the VPN Clients network will be able to access the Internet using that rule.
6- Remote-access policy When you enable ISA Server for VPN client access, a remote-access policy named ISA Server Default Policy is created in Routing and Remote Access. This default policy denies access to all VPN connections except those explicitly allowed by the remote-access profile. The remote-access profile for the default policy enables MS-CHAP v2 authentication and requires authentication for all VPN connections.
