January 2, 2009

VPN Concepts in ISA Server 2006

Microsoft® Internet Security and Acceleration (ISA) Server 2006 Standard Edition and ISA Server 2006 Enterprise Edition provide secure site-to-site virtual private network (VPN) functionality and secure VPN client access. In ISA Server 2006 Enterprise Edition, this functionality works with the ISA Server Network Load Balancing (NLB) functionality to provide redundancy and failover capacity for VPN.


A VPN is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers or two networks across a shared or public network in a manner that emulates a point-to-point private link. Virtual private networking is the act of creating and configuring a VPN.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Data that is intercepted on the shared or public network is indecipherable without the encryption keys. Encryption alone does not reveal whether intercepted data was altered in transit, so VPN protocols also authenticate each encapsulated packet, and a packet that fails that check is discarded. The link in which the private data is encapsulated, encrypted and authenticated is a VPN connection.
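The following added example illustrates the encapsulate-and-encrypt model described above; it is not code from the original page and is not an implementation of any protocol ISA Server 2006 supports (PPTP, L2TP/IPsec). It builds a constructed inner packet with private addresses, wraps it in an outer header that carries only the public tunnel endpoints, encrypts the inner packet, and appends an authentication tag. The HMAC-SHA256 counter-mode keystream is an assumption chosen so the script runs with the Python standard library alone; a real VPN uses a standardised cipher suite. Every address, key and payload is constructed for the demonstration.

```python
import hashlib
import hmac
import os
import socket
import struct

# Outer header layout (an assumption for this example, not any real VPN protocol):
#   4 bytes outer source IP, 4 bytes outer destination IP, 12-byte nonce,
#   2-byte ciphertext length. A 16-byte truncated HMAC tag follows the ciphertext.
OUTER_HEADER_LEN = 4 + 4 + 12 + 2
TAG_LEN = 16


def derive_keys(shared_secret: bytes):
    """Derive separate encryption and authentication keys from one shared secret."""
    return (hashlib.sha256(b"enc" + shared_secret).digest(),
            hashlib.sha256(b"mac" + shared_secret).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 over (nonce || counter) blocks. Illustrative only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed minimal IPv4-style packet (header checksum left at zero)."""
    header = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def inner_addresses(packet: bytes):
    """Return the (private) source and destination addresses of an inner packet."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


def outer_addresses(wire: bytes):
    """What an observer on the public network can read: the tunnel endpoints only."""
    return socket.inet_ntoa(wire[:4]), socket.inet_ntoa(wire[4:8])


def encapsulate(inner: bytes, enc_key: bytes, mac_key: bytes,
                outer_src: str, outer_dst: str, nonce: bytes = None) -> bytes:
    """Wrap an inner packet: outer routing header + encrypted inner packet + auth tag."""
    nonce = nonce if nonce is not None else os.urandom(12)
    ciphertext = _xor(inner, _keystream(enc_key, nonce, len(inner)))
    header = (socket.inet_aton(outer_src) + socket.inet_aton(outer_dst)
              + nonce + struct.pack(">H", len(ciphertext)))
    # The tag covers the outer header too, so the routing fields cannot be altered silently.
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


def decapsulate(wire: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Verify the tag first, then decrypt; tampered or truncated packets are rejected."""
    if len(wire) < OUTER_HEADER_LEN + TAG_LEN:
        raise ValueError("truncated VPN packet")
    header, rest = wire[:OUTER_HEADER_LEN], wire[OUTER_HEADER_LEN:]
    ciphertext, tag = rest[:-TAG_LEN], rest[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: packet altered or forged")
    nonce = header[8:20]
    (length,) = struct.unpack(">H", header[20:22])
    if length != len(ciphertext):
        raise ValueError("length field does not match payload")
    return _xor(ciphertext, _keystream(enc_key, nonce, length))


def run_demo() -> dict:
    """Round-trip one packet and show what an on-path observer sees and cannot change."""
    enc_key, mac_key = derive_keys(b"constructed-shared-secret")
    inner = build_inner_packet("10.0.0.5", "10.0.1.20", b"GET /intranet HTTP/1.0\r\n")
    # Fixed nonce for a reproducible demonstration; real traffic must never reuse one.
    wire = encapsulate(inner, enc_key, mac_key, "198.51.100.7", "203.0.113.10", nonce=bytes(12))
    tampered = bytearray(wire)
    tampered[OUTER_HEADER_LEN + 5] ^= 0x01  # flip one bit inside the encrypted payload
    try:
        decapsulate(bytes(tampered), enc_key, mac_key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "observer_sees": outer_addresses(wire),
        "payload_visible": b"GET /intranet" in wire,
        "recovered_matches": decapsulate(wire, enc_key, mac_key) == inner,
        "private_addresses": inner_addresses(decapsulate(wire, enc_key, mac_key)),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Reading the result: the observer learns only the two public endpoint addresses and the packet length, the private 10.x addresses and the HTTP request are recoverable only at the far end that holds the keys, and a single flipped bit in transit causes the receiver to discard the packet rather than deliver corrupted data into the private network.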

VPN connections allow users who work at home or travel to obtain a remote access connection to an organization server using the infrastructure provided by a public network such as the Internet. From the user's perspective, the computer is connected to the corporate network; that the traffic is crossing a public infrastructure is not apparent. The exact infrastructure of the shared or public network is irrelevant, because it appears as if the data is sent over a dedicated private link.

VPN connections also allow organizations to have routed connections with other organizations or branch offices over a public network, such as the Internet, while maintaining secure communications between offices that are geographically separate. A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. These connections are made over the Internet using a site-to-site VPN connection. Companies are changing from leased lines to standard Internet connections because of the higher cost of leased lines, the complexity of maintaining them, and the time required to have them installed.

By using ISA Server, you can manage site-to-site VPN connections and VPN client access to the corporate network. All VPN connections to the ISA Server array are logged to the Firewall log, so that you can monitor VPN connections and review which remote clients and sites have connected.