
ISA Server 2004 - Configuring a VPN

Date post: 03-Jun-2018
Upload: juan-carlos
  • 8/12/2019 ISA Server 2004 - Configuring a VPN

    1/14

    Enable the VPN Server

    By default, the VPN server component is disabled. The first step is to enable the VPN server feature and configure the VPN server components.

    Perform the following steps to enable and configure the ISA Server 2004 VPN Server:

    1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click on the Virtual Private Networks (VPN) node.

    2. Click on the Tasks tab in the Task Pane. Click the Enable VPN Client Access link.

    3. Click Apply to save the changes and update the firewall policy.

    4. Click OK in the Apply New Configuration dialog box.

    5. Click the Configure VPN Client Access link.

    6. On the General tab, change the value for the Maximum number of VPN clients allowed from 5 to !.


    7. Click on the Groups tab. On the Groups tab, click the Add button.

    8. In the Select Groups dialog box, click the Locations button. In the Locations dialog box, click the msfirewall.org entry and click OK.

    9. In the Select Group dialog box, enter Domain Users in the Enter the object names to select text box. Click the Check Names button. The group name will be underlined when it is found in the Active Directory. This value is used in the remote access policy managed by the ISA Server 2004 firewall machine. When the user accounts are configured to use remote access policy for dial-in access, then ISA Server 2004 remote access policy will be applied to the VPN client connections. Click OK.


    10. Click the Protocols tab. On the Protocols tab, put a checkmark in the Enable L2TP/IPSec checkbox. Note that you will have to issue a machine certificate to the ISA Server 2004 firewall/VPN server, and to the connecting VPN clients, before you can use L2TP/IPSec. An alternative is to use a pre-shared key for the IPSec security negotiations.


    11. Click the User Mapping tab. Put a checkmark in the Enable User Mapping checkbox. Put a checkmark in the When username does not contain a domain, use this domain checkbox. Enter msfirewall.org in the Domain Name text box. Note that these settings will only apply when using RADIUS authentication. These settings are ignored when using Windows authentication, such as when the ISA Server 2004 firewall machine belongs to the domain and the user explicitly enters domain credentials. Click Apply and then click OK. You may see a Microsoft Internet Security and Acceleration Server 2004 dialog box informing you that you need to restart the computer for the settings to take effect. If so, click OK in the dialog box.


    12. On the Tasks tab, click the Select Access Networks link.

    13. In the Virtual Private Networks (VPN) Properties dialog box, click the Access Networks tab. Note that the External checkbox is selected. This indicates that the external interface is listening for incoming VPN client connections. You could choose other interfaces, such as DMZ or extranet interfaces, if you wish to provide dedicated VPN services to trusted hosts and networks. I'll go over this type of configuration, as well as how to configure additional interfaces for WLAN access, in future articles here on the www.isaserver.org Web site and in our ISA Server 2004 book.

    14. Click the Address Assignment tab. Select the internal interface from the list in the Use the following network to obtain DHCP, DNS and WINS services list box. This is a critical setting, as it defines the network on which access to the '


    off-subnet network ID. Please refer to Stefaan Pouseele's article on off-subnet address configuration over at http://isaserver.org/articles/How_to_Implement_VPN_OffSubnet_IP_Addresses.html.

    15. Click on the Authentication tab. Note that the default setting is to enable only Microsoft encrypted authentication version 2 (MS-CHAPv2). In later documents in this ISA Server 2004 VPN Deployment Kit we will enable the EAP option so that high security user certificates can be used to authenticate with the ISA Server 2004 firewall VPN server. Note the Allow custom IPSec policy for L2TP connection checkbox. If you do not want to create a public key infrastructure, or are in the process of creating one but have not yet finished, then you can enable this checkbox and then enter a pre-shared key. The VPN clients will need to be configured to use the same pre-shared key.


    16. Click the RADIUS tab.


    17. Click Apply in the Virtual Private Networks (VPN) Properties dialog box and then click OK.

    18. Click Apply to save the changes and update the firewall policy.

    19. Click OK in the Apply New Configuration dialog box.

    20. Restart the ISA Server 2004 firewall machine.

    The machine will obtain a block of IP addresses from the '


    I'll show you how to create more sophisticated user/group based access controls on VPN clients in future articles on the www.isaserver.org site and in our ISA Server 2004 firewall book.

    Perform the following steps to create an Access Rule to allow VPN clients unrestricted access to the Internal network:

    1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and click the Firewall Policy node. Right click the Firewall Policy node, point to New and click Access Rule.

    2. In the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we will name the rule VPN Client to Internal. Click Next.

    3. On the Rule Action page, select the Allow option and click Next.

    4. On the Protocols page, select the All outbound protocols option in the This rule applies to list. Click Next.

    5. On the Access Rule Sources page, click the Add button. On the Add Network Entities dialog box, click the Networks folder and double click on VPN Clients. Click Close.


    6. Click Next on the Access Rule Sources page.

    7. On the Access Rule Destinations page, click the Add button. On the Add Network Entities dialog box, click the Networks folder and double click on Internal. Click Close.

    8. On the User Sets page, accept the default setting, All Users, and click Next.


    9. Click Finish on the Completing the New Access Rule Wizard page.

    10. Click Apply to save the changes and update the firewall policy.

    11. Click OK in the Apply New Configuration dialog box. The VPN client policy is now the top listed Access Rule in the Access Policy list.

    Enable Dial-in Access for the Administrator Account

    In non-native mode Active Directory domains, all user accounts have dial-in access disabled by default. You must enable dial-in access on a per account basis for these non-Native mode Active Directory domains. In contrast, native mode Active Directory domains have dial-in access controlled by Remote Access Policy by default. Windows NT 4.0 domains always have dial-in access controlled on a per user account basis.

    In our current example, the Active Directory is in Windows Server 2003 mixed mode, so we will need to manually change the dial-in settings on the domain user account. I highly recommend that if you do not have any Windows NT 4.0 domain controllers on your network, that you elevate your domain functionality level.

    Perform the following steps on the domain controller to enable Dial-in access for the Administrator account:

    1. Click Start and point to Administrative Tools. Click Active Directory Users and Computers.

    2. In the Active Directory Users and Computers console, click on the Users node in the left pane. Double click on the Administrator account in the right pane of the console.

    3. Click on the Dial-in tab. In the Remote Access Permission (Dial-in or VPN) frame, select the Allow access option. Click Apply and click OK.


    4. Close the Active Directory Users and Computers console.
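
To review which accounts end up with the per-account Allow access setting described above, the following added example (not part of the original article) reads an LDIF export of user objects and lists every account whose dial-in permission is explicitly Allow, marking those that also carry adminCount=1. It assumes the export contains the Active Directory attributes sAMAccountName, adminCount and msNPAllowDialin; the sample records and the function names are constructed for illustration.

```python
import base64

# Constructed sample in the LDIF layout that an export of user objects uses.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=msfirewall,DC=org
sAMAccountName: Administrator
adminCount: 1
msNPAllowDialin: TRUE

dn: CN=Alice Example,CN=Users,DC=msfirewall,
 DC=org
sAMAccountName:: YWxpY2U=
msNPAllowDialin: TRUE

dn: CN=Bob Example,CN=Users,DC=msfirewall,DC=org
sAMAccountName: bob
msNPAllowDialin: FALSE
"""

def parse_ldif(text):
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF line folding
    records = []  # one {attribute: [values]} dict per record, names lower-cased
    for block in unfolded.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                if value.startswith(":"):  # "attr:: <base64>" form
                    value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
                rec.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in rec:
            records.append(rec)
    return records

def dialin_state(rec):
    # TRUE = Allow access, FALSE = Deny access, absent = left to Remote Access Policy.
    value = rec.get("msnpallowdialin", [""])[0].upper()
    return {"TRUE": "allow", "FALSE": "deny"}.get(value, "policy")

def audit(text):
    # (account, tier) for every account whose dial-in permission is explicitly Allow.
    findings = []
    for rec in parse_ldif(text):
        if dialin_state(rec) == "allow":
            tier = "privileged" if rec.get("admincount", ["0"])[0] == "1" else "standard"
            findings.append((rec.get("samaccountname", rec["dn"])[0], tier))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```
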

    Test the PPTP VPN Connection

    The ISA Server 2004 VPN server is now ready to accept VPN client connections.

    Perform the following steps to test the VPN Server:

    1. On the Windows 2000 external client machine, right click the My Network Places icon on the desktop and click Properties.

    2. Double click the Make New Connection icon in the Network and Dial-up Connections window.

    3. Click Next on the Welcome to the Network Connection Wizard page.

    4. On the Network Connection Type page, select the Connect to a private network through the Internet option and click Next.

    5. On the Destination Address page, enter the IP address :+$;


    9. In the Connect ISA VPN dialog box, enter the user name MSFIREWALL\administrator and the password for the administrator user account. Click Connect.

    10. The VPN client establishes a connection with the ISA Server 2004 VPN server. Click OK in the Connection Complete dialog box informing that the connection is established.

    11. Double click on the connection icon in the system tray and click the Details tab. You can see that MPP' +
