L2TP VPN with ISA

From Ryan Groom,
Your Guide to Business Security.

Add Certificates to ISA VPN for Greater Security

If You Have ISA You Have L2TP VPN

For many small businesses, VPN connectivity is key to success. Letting your staff reach internal resources from outside the office in a secure manner greatly improves productivity. There are many small and medium business solutions for obtaining VPN access. We are going to take a look at our good old firewall, Microsoft Internet Security and Acceleration Server, or ISA for short. ISA comes with built-in VPN support. If you have already purchased an ISA license, why not use it as your VPN server?

Configuring Certificate Services

If you have configured a Certificate Authority on your network, we can use L2TP (Layer Two Tunnelling Protocol) as a secure connection mechanism from home to your office. L2TP takes a little while to set up, but the security it offers is well worth it. L2TP is based on certificates, so to be able to use it we have to call in our trusty CA. Here are the steps to configure ISA for VPN access using L2TP. For a refresher on installing a Certificate Server please go here.

We will concentrate on the certificate setup, not so much the VPN setup of ISA. We will assume you have already enabled VPN access and configured your groups to allow VPN access. Make sure that L2TP is selected in the protocols section. Click here to view the VPN Client Properties for L2TP. You will also need to configure ISA rules to allow the VPN users to access internal resources. Even though the users will be on the same network as internal users, ISA sees them differently, so you must grant access from the VPN Clients network to the internal resources you require.

  1. Double click on the ISA Server Management icon on the desktop.
  2. Expand ISA2004 and click Firewall Policy.
  3. Right click Firewall Policy, Select New and select Access Rule.
  4. Call the rule VPN to Internal.
  5. Click Next. Select Allow. Click Next.
  6. Select All outbound protocols. Click Next.
  7. On the Access Rule Sources page, click Add.
  8. Click the Networks folder and double click VPN Clients.
  9. Click Close. Click Next on the Access Rule Sources page.
  10. On the Access Rule Destinations page, click Add.
  11. On the Add Network Entities dialog box, click Networks folder and double click on Internal. Click Close.
  12. Click Next. Click Finish. Click Apply. Click OK.

Getting the Certificate into ISA and to Your Users

At this point you will want to obtain a certificate to use for the L2TP session. Do this by browsing from the ISA server to your CA request page (http://YourTrustyCA/Certsrv) and requesting a certificate. Once the certificate is obtained, it needs to be installed in the local computer certificate store (all of these directions can be found in our requesting a Certificate article). At this point, you need to export the certificate to ISA and then import it. Once this is accomplished, the ISA server will be able to use the certificate as desired. The next step is to get the client set up to use a certificate, and the steps are nearly the same again. You need to request a certificate from the same CA that ISA used, import the certificate, and then set up the VPN connection for the client. As a side note, be sure to restart the Remote Access Service on the ISA server before any attempts to connect are made. Once that is done, you can have the client connect using L2TP as the protocol of choice.
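
One way to check the result of the steps above on the ISA server and on each client, as an added example that is not part of the original article: it confirms that a certificate from the expected CA sits in the Local Computer store with its private key, is within its validity period, and chains to a trusted root. The function name and the issuer string CN=YourTrustyCA (borrowed from the article's sample URL) are assumptions; substitute your CA's name.

```powershell
# Added example (not from the original article). Run on the ISA server and on each client.
# 'CN=YourTrustyCA' is a placeholder based on the article's sample URL; use your CA's name.
param([string]$ExpectedIssuer = 'CN=YourTrustyCA')

function Test-L2tpMachineCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Issuer
    )
    $problems = @()
    $now = Get-Date
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key (imported without its key?)' }
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'outside validity period' }
    if ($Cert.Issuer.IndexOf($Issuer, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
        $problems += "not issued by $Issuer"
    }
    # Build the chain in machine context, since this is a computer certificate.
    # Revocation checking stays at the .NET default (online).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    if (-not $chain.Build($Cert)) {
        $problems += @($chain.ChainStatus | ForEach-Object { "chain: $($_.Status)" })
    }
    # List the enhanced key usages so the administrator can see what the CA issued.
    $eku = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.FriendlyName })

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Expires    = $Cert.NotAfter
        EKU        = ($eku -join ', ')
        Problems   = ($problems -join '; ')
        Usable     = ($problems.Count -eq 0)
    }
}

# The article installs the certificate in the local computer store, so check that store.
$results = @(Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-L2tpMachineCert $_ $ExpectedIssuer })
$results | Format-List Subject, Thumbprint, Expires, EKU, Problems, Usable
if (-not ($results | Where-Object { $_.Usable })) {
    Write-Warning "No usable certificate issued by $ExpectedIssuer was found in the Local Computer store."
}
```

A certificate that appears only in a user's store, or one listed with "no private key", is the usual sign that the export and import step was done against the wrong store or without the key.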

All Done

And that is all there is to using L2TP as part of the VPN solution for your business. PPTP may be easier to set up and start using, but L2TP will give you a more secure VPN solution.
©2008 About, Inc., A part of The New York Times Company. All rights reserved.