Configuring Virtual Private Networks for Remote Clients and Networks

Planning a Virtual Private Networking Infrastructure
Before you deploy a virtual private network (VPN) solution using ISA Server 2004, you must plan the deployment so that you can take full advantage of the ISA Server VPN features. This lesson discusses the protocols and authentication methods available when using ISA Server 2004 to implement virtual private networking. It also describes how VPN quarantine control works. The lesson then describes how you can use ISA Server 2004 to implement a VPN solution and provides guidelines for planning the deployment.

What Is Virtual Private Networking?
Virtual private networking allows secure remote access to resources on an organization’s internal network for users outside the network. These resources would otherwise be available only if the user were directly connected to the corporate network. A VPN is a virtual network that enables communication between a remote access client and computers on the internal network or between two remote sites separated by a public network such as the Internet.

How VPNs Work
When you configure a VPN, you create a secured, point-to-point connection across a public network such as the Internet. A VPN client uses special tunneling protocols, which are based on Transmission Control Protocol/Internet Protocol (TCP/IP), to connect to a virtual connection port on a VPN server. The tunneling protocols use encryption protocols to provide data security as the data is sent across the public network. The two VPN protocols supported by ISA Server are Microsoft Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Tunneling Protocol with Internet Protocol Security (L2TP/IPSec).

PPTP and L2TP create "virtual" direct connections between a VPN client and VPN remote-access server, or between two VPN gateways. This connection allows a computer connected over the virtual network to send and receive TCP/IP messages in the same way as it does on other directly connected networks, such as computers located on the same Ethernet local area network (LAN). The actual network connection is transparent to the applications running on the client computer.

PPTP and L2TP use encryption protocols to ensure that the connection is private or secure by encrypting all traffic sent across a public network. PPTP uses the Microsoft Point-to-Point Encryption (MPPE) protocol to protect data moving through the PPTP virtual networking connection. The L2TP/IPSec VPN protocol uses Internet Protocol Security (IPSec) to encrypt data moving through the L2TP virtual network.
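The two protocols just described leave distinct footprints on a firewall between the client and the VPN server: a PPTP session consists of a TCP control connection (port 1723) plus a GRE data channel (IP protocol 47), while an L2TP/IPSec session consists of an IKE key exchange (UDP 500, or UDP 4500 behind NAT) followed by ESP-encrypted traffic (IP protocol 50, or UDP-encapsulated on 4500) carrying L2TP inside it. The following script is an added example, not part of the original text and not ISA Server code: it parses a constructed key=value flow log (the log format is assumed) for each client-to-server pair, decides which VPN protocol the pair is using, and flags the failure modes a defender cares about, in particular a PPTP control connection whose GRE channel never appears, or L2TP visible on UDP 1701 in the clear, which means IPSec is not protecting the tunnel.

```python
"""Classify firewall flow records into the two ISA Server VPN protocols
(PPTP and L2TP/IPSec) and flag sessions whose data channel is missing or
unprotected. Illustrative code added to this page, not ISA Server's own."""

import re
from collections import defaultdict

# IP protocol numbers and well-known ports (IANA assignments).
PROTO_TCP, PROTO_UDP = 6, 17
PROTO_GRE = 47             # PPTP data channel: GRE (no port)
PROTO_ESP = 50             # IPSec ESP: encrypted payload carrying L2TP (no port)
PPTP_CONTROL_PORT = 1723   # TCP: PPTP control connection
IKE_PORT = 500             # UDP: IKE key exchange that sets up IPSec
NAT_T_PORT = 4500          # UDP: IPSec NAT traversal (IKE + UDP-encapsulated ESP)
L2TP_PORT = 1701           # UDP: L2TP; visible in the clear only if IPSec is missing

# Assumed log format (constructed for this example, not a real firewall's).
LINE_RE = re.compile(r"proto=(\d+)\s+src=(\S+)\s+dst=(\S+)(?:\s+dport=(\d+))?")

# Constructed sample: four clients of one VPN server (documentation addresses).
SAMPLE_LOG = """\
proto=6 src=203.0.113.10 dst=198.51.100.1 dport=1723
proto=47 src=203.0.113.10 dst=198.51.100.1
proto=17 src=203.0.113.20 dst=198.51.100.1 dport=500
proto=50 src=203.0.113.20 dst=198.51.100.1
proto=17 src=203.0.113.30 dst=198.51.100.1 dport=1701
proto=6 src=203.0.113.40 dst=198.51.100.1 dport=1723
"""


def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples; dport is None for GRE/ESP."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            proto, src, dst, dport = m.groups()
            yield src, dst, int(proto), (int(dport) if dport else None)


def classify_pair(flows):
    """Classify one client->server pair from its set of (proto, dport).

    Returns (label, warnings). A PPTP session needs both the TCP 1723 control
    connection and GRE; an L2TP/IPSec session needs IKE plus ESP (or NAT-T).
    """
    seen = set(flows)
    protos = {p for p, _ in seen}
    pptp_ctl = (PROTO_TCP, PPTP_CONTROL_PORT) in seen
    ike = (PROTO_UDP, IKE_PORT) in seen
    natt = (PROTO_UDP, NAT_T_PORT) in seen
    ipsec_data = PROTO_ESP in protos or natt
    l2tp_clear = (PROTO_UDP, L2TP_PORT) in seen

    if pptp_ctl and PROTO_GRE in protos:
        # Working PPTP session. MPPE keys derive from the MS-CHAPv2 exchange,
        # which is weak by modern standards, so PPTP is flagged even when it works.
        return "PPTP", ["PPTP/MPPE relies on MS-CHAPv2; prefer L2TP/IPSec"]
    if pptp_ctl:
        return "PPTP (control only)", ["no GRE (IP protocol 47) seen: data channel blocked or not started"]
    if ike and ipsec_data:
        return "L2TP/IPSec", []
    if ike:
        return "IPSec negotiation only", ["IKE seen but no ESP/NAT-T: key exchange may have failed"]
    if l2tp_clear and not ipsec_data:
        return "L2TP (unprotected)", ["L2TP on UDP 1701 without IPSec: tunnel traffic is NOT encrypted"]
    return "unknown", []


def analyze(text):
    """Group flows by (src, dst) and classify each pair."""
    by_pair = defaultdict(set)
    for src, dst, proto, dport in parse_flows(text):
        by_pair[(src, dst)].add((proto, dport))
    return {pair: classify_pair(flows) for pair, flows in by_pair.items()}


if __name__ == "__main__":
    for (src, dst), (label, warnings) in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: {label}")
        for w in warnings:
            print(f"    warning: {w}")
```

Run against the constructed log, the script reports a complete PPTP session for 203.0.113.10, a complete L2TP/IPSec session for 203.0.113.20, an unprotected L2TP tunnel for 203.0.113.30, and a PPTP control connection with no GRE for 203.0.113.40. The last two are the cases worth alerting on: the first is a privacy failure, the second is the usual symptom of an intermediate firewall that passes TCP but drops GRE.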

VPN scenarios
VPNs are used in two primary scenarios, as shown in Figure 10-1:
1- Network access for remote clients: In this scenario, a remote user establishes a connection to the Internet and then creates a tunneling protocol connection to the VPN remote-access server. The remote user can use any available technology to connect to the Internet, including a dial-up connection to an Internet service provider (ISP) or a direct connection such as a cable or digital subscriber line (DSL) connection. Once connected to the Internet, the VPN client makes a virtual private network connection to the VPN remote-access server, which is also connected to the Internet. The remote-access server authenticates the user and possibly the remote computer, establishes a secure connection, and transfers encrypted data between the virtual private networking client and the organization’s network.

2- Site-to-site VPNs: A site-to-site VPN connection connects two or more networks in different locations using a VPN connection over the Internet. In this scenario, each site requires a VPN gateway and an Internet connection. When the gateways establish a VPN connection with one another, the site-to-site VPN link is established. Users can then communicate with the other networks over the site-to-site VPN link. The VPN gateways act as VPN routers that route the packets to the appropriate network. In most cases, a site-to-site VPN connection is made between branch-office and main-office networks.