January 3, 2009

VPN Connections

There are two types of VPN connections:

* Remote access VPN connection
* Site-to-site VPN connection

Remote Access VPN Connection

A remote access client makes a remote access VPN connection to a VPN server that connects the remote access client to a private network. ISA Server provides access to the entire network to which the VPN server is attached. By using the ISA Server computer as the VPN server, you can manage VPN client access to the corporate network. VPN clients can be quarantined by ISA Server in the Quarantined VPN Clients network until their compliance with corporate security requirements is verified, and can then be moved to the VPN Clients network. Both of these VPN client networks are subject to your ISA Server firewall access policy, so that you can control VPN client access to network resources.

Site-to-Site VPN Connection

A site-to-site VPN connection connects two separate private networks. ISA Server provides a connection to the network to which the ISA Server array is attached.

There are three VPN protocols for site-to-site connections:

* Point-to-Point Tunneling Protocol (PPTP)
* L2TP over IPsec
* IPsec tunnel mode

Point-to-Point Tunneling Protocol (PPTP)

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiple protocol, virtual private networking over public networks such as the Internet. PPTP allows IP traffic to be encrypted, and then encapsulated in an IP header to be sent across a corporate IP network or a public IP network such as the Internet.

L2TP over IPsec

Layer Two Tunneling Protocol (L2TP) is an industry standard tunneling protocol that provides encapsulation for sending Point-to-Point Protocol (PPP) frames across packet-oriented media. L2TP allows IP traffic to be encrypted, and then sent over any medium that supports point-to-point datagram delivery, such as IP. The Microsoft implementation of the L2TP protocol uses Internet Protocol security (IPsec) encryption to protect the data stream from one VPN server to the other VPN server. IPsec tunnel mode allows IP packets to be encrypted, and then encapsulated in an IP header to be sent across a corporate IP network or a public IP network such as the Internet.

PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP over IPsec connections require the same user-level authentication and, in addition, computer-level authentication using computer certificates or a preshared key.

IPsec tunnel mode

When Internet Protocol security (IPsec) is used in tunnel mode, IPsec itself provides encapsulation for IP traffic only. The primary reason for using IPsec tunnel mode is interoperability with other routers, gateways, or end systems that do not support L2TP over IPsec or PPTP VPN tunneling.
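As an added illustration (not part of the original ISA Server documentation) of the tunnel-mode model described above, in which the whole inner IP packet is encrypted and then wrapped in a new IP header: a constructed Python model of ESP in tunnel mode, with the receiving gateway checking the integrity value and the sequence number before decrypting. It assumes an HMAC-SHA256 counter-mode keystream in place of the AES cipher a real stack would use, omits the ESP trailer and the IP header checksum, and uses a strict-increase anti-replay check rather than IPsec's sliding window.

```python
"""Toy model of IPsec ESP in tunnel mode (constructed example, not ISA Server code):
the inner IP packet is encrypted, given an ESP header and ICV, then wrapped in an
outer IP header whose protocol field is 50 (ESP). Only the gateways' addresses and
ciphertext are visible on the public network."""
import hmac, hashlib, struct, ipaddress

ESP_PROTO = 50  # IANA protocol number for ESP

def keystream(key, spi, seq, n):
    # PRF-based counter mode stands in for AES; (spi, seq) never repeats within one SA
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
    return out[:n]

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def esp_encapsulate(enc_key, auth_key, spi, seq, inner_packet, gw_src, gw_dst):
    """Encrypt the whole inner packet, prepend SPI/seq, append ICV, add outer IP header."""
    esp_hdr = struct.pack("!II", spi, seq)
    ct = bytes(a ^ b for a, b in zip(inner_packet, keystream(enc_key, spi, seq, len(inner_packet))))
    icv = hmac.new(auth_key, esp_hdr + ct, hashlib.sha256).digest()[:16]  # encrypt-then-MAC
    esp = esp_hdr + ct + icv
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def esp_decapsulate(enc_key, auth_key, expected_spi, last_seq, outer_packet):
    """Check protocol, SPI, replay and ICV before decrypting; returns (inner_packet, seq)."""
    if outer_packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp = outer_packet[20:]
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != expected_spi:
        raise ValueError("unknown SPI")
    if seq <= last_seq:  # simplified anti-replay: real IPsec keeps a sliding window
        raise ValueError("replayed sequence number")
    body, icv = esp[8:-16], esp[-16:]
    expected = hmac.new(auth_key, esp[:8] + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV check failed")
    return bytes(a ^ b for a, b in zip(body, keystream(enc_key, spi, seq, len(body)))), seq

# Constructed sample: a UDP packet from a branch-office host to a head-office host
INNER = ipv4_header("10.1.0.5", "10.2.0.9", 17, 5) + b"hello"
ENC_KEY, AUTH_KEY, SPI = b"k" * 32, b"a" * 32, 0x1001

def demo():
    outer = esp_encapsulate(ENC_KEY, AUTH_KEY, SPI, 1, INNER, "203.0.113.1", "198.51.100.7")
    visible_src = str(ipaddress.IPv4Address(outer[12:16]))  # what the public network sees
    inner, seq = esp_decapsulate(ENC_KEY, AUTH_KEY, SPI, 0, outer)
    return visible_src, inner == INNER, seq
```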

January 2, 2009

VPN Concepts in ISA Server 2006

Microsoft® Internet Security and Acceleration (ISA) Server 2006 Standard Edition and ISA Server 2006 Enterprise Edition provide secure site-to-site virtual private network (VPN) functionality and secure VPN client access. In ISA Server 2006 Enterprise Edition, this functionality works with the ISA Server Network Load Balancing (NLB) functionality to provide redundancy and failover capacity for VPN.

A VPN is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers or two networks across a shared or public network in a manner that emulates a point-to-point private link. Virtual private networking is the act of creating and configuring a VPN.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Data that is intercepted on the shared or public network is indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is a VPN connection.

VPN connections allow users who work at home or travel to obtain a remote access connection to an organization server using the infrastructure provided by a public network such as the Internet. From the user's perspective, the client is connected to the corporate network, and the fact that the traffic crosses a public infrastructure is not apparent. The exact infrastructure of the shared or public network is irrelevant, because it appears as if the data is sent over a dedicated private link.

VPN connections also allow organizations to have routed connections with other organizations or branch offices over a public network, such as the Internet, while maintaining secure communications (for example, between offices that are geographically separate). A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. These connections are made over the Internet using a site-to-site VPN connection. Companies are changing from leased lines to standard Internet connections because of the higher cost of leased lines, the complexity of maintaining them, and the time required to have them installed.

By using ISA Server, you can manage site-to-site VPN connections and VPN client access to the corporate network. All VPN connections to the ISA Server array are logged to the Firewall log, so that you can monitor VPN connections.