General question - is this possible?
From: Tim Stannard (stannard_at_adhoc.demon.co.uk)
Date: 05/29/04
Date: Sat, 29 May 2004 18:23:33 +0100
Report from microsoft.public.isaserver. (No response after two weeks
so trying here)
There's plenty of good stuff here about specifics but I'm looking for
a higher level answer. Fundamentally, the question is does ISA Server
do the following and do I have the kit to do it?
I have a main office running ISA Server 2000 SP1 (soon-to-be-SP2)
SBS2000 with a mixture of XP & NT Workstations. ISA is working fine
and those clients I have allowed can access the web through the proxy
server.
I have a remote office with four NT4.0 SP6a workstations on a local
workgroup.
Both sites have permanent connections to the internet via ZyXel
Prestige 652HW ADSL routers (which have a certain amount of firewall
capability and VPN built in).
Basic question: Have I got what I need in order to create a VPN such
that the remote workstations can see the server (and beyond?) and,
secondly, main office workstations can access the remote workstations?
More detail/reason for asking:
On the remote site the workstations have fixed IPs in the subnet
192.168.20.x. The router's inward IP is on the same subnet. The
outward IP address for the router is a fixed public address.
The ISA Server acts as a DHCP server. Its inward-facing IP address is
192.168.16.2 and all workstations are assigned IPs in the 192.168.16.x
subnet. (all standard stuff) The second NIC sits on 10.0.0.2 and is
connected to the router on 10.0.0.3. The outward facing IP address of
the router is another fixed public IP address.
The guys who came to set up the VPN successfully built a VPN tunnel
between the two routers - successful in that from a workstation on the
remote site, one could connect to the ISA server on 10.0.0.2. However,
it could not go any further and see any workstations (presumably ISA
server preventing this) and one cannot connect from a main office
workstation to a remote workstation (although one can from the ISA
server).
The proposed solution is to put some more serious routers in and
bypass ISA Server. I'm not sure that this is necessary or a good idea.
Surely the VPN server within ISA is meant to do exactly this. Surely I
just set this up (is it true I need to set up RRAS to allow Dial-in
connections, even though these connections are "permanent" ADSL?) and
set the router at the main office to forward everything received on
the public IP to 10.0.0.2 and vice versa. What do I set the router at
the remote office to do?
Sorry for the long post. I have spent many hours browsing through
stuff here and at isaserver.org but all that stuff seems either very
specific and complex. The Microsoft site on the other hand seems far
too simplistic ("Just set up VPN and everyone you want can dial in
securely" sort of thing).
-- Tim Stannard