In the console tree of ISA Server Management, click Virtual Private Networks (VPN).
In the details pane, click the Remote Sites tab, and then select the applicable remote IPsec site network.
On the Tasks tab, click Edit Selected Network.
On the Connection tab, click IPsec Settings.
On the Phase II tab, in Encryption algorithm, select one of the following:
3DES, to use the Triple Data Encryption Standard algorithm and three unique 56-bit keys. This option offers higher security.
DES, to use the DES algorithm and a single 56-bit key.
In Integrity algorithm, select one of the following:
MD5, to use a 128-bit key (faster).
SHA1, to use a 160-bit key (stronger).
Select Generate a new key every to limit the amount of time a key is reused before reauthentication is required. Specify the time limit by typing a value in Kbytes, in seconds, or in both fields.
Select Use Perfect Forward Secrecy (PFS) if master key material should not be used to generate more than one session key. Enabling PFS requires reauthentication and, therefore, may affect performance. Then, in Diffie-Hellman group, select one of the following:
Group 1 (768 bit), to generate 768 bits of master key keying material.
Group 2 (1024 bit), to generate 1,024 bits of master key keying material (stronger security).
Group 3 (2048 bit), to generate 2,048 bits of master key keying material (strongest security).
Notes
For more information about VPN, see Solution: Virtual Private Networking in ISA Server 2006 on the Microsoft ISA Server TechCenter Web site (http://www.microsoft.com).
To open ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array_Name, and then click Virtual Private Networks (VPN).
For ISA Server 2006 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Server_Name, and then click Virtual Private Networks (VPN).
Important
If you set a Kbytes or seconds limit for session key settings, whichever interval is reached first will start a new key.
When you use a stronger group for the Diffie-Hellman settings, the secret key derived from the Diffie-Hellman exchange has greater strength. Use Group 2 when required for interoperability with Microsoft Windows Server 2003, Windows 2000 Server, and Windows XP.
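
The Phase II settings and the two Important notes above, as an added Python example that is not part of the original help topic or of any ISA Server API: it lists the settings for which this page names a stronger option and replays traffic to show which rekey limit is reached first. The PhaseII class, the function names, the limits and the traffic values are constructed for illustration.

```python
# Added example; all names are hypothetical and not an ISA Server API.
from dataclasses import dataclass
from typing import Optional

@dataclass
class PhaseII:
    encryption: str                 # "DES" or "3DES"
    integrity: str                  # "MD5" or "SHA1"
    kbytes_limit: Optional[int]     # None means the field is left empty
    seconds_limit: Optional[int]
    pfs: bool
    dh_group: Optional[int] = None  # 1, 2 or 3; only used when pfs is True

def review(s: PhaseII) -> list:
    """List the settings for which the page offers a stronger option."""
    findings = []
    if s.encryption == "DES":
        findings.append("encryption: DES (single 56-bit key); 3DES is the higher-security option")
    if s.integrity == "MD5":
        findings.append("integrity: MD5; SHA1 is the stronger option")
    if s.kbytes_limit is None and s.seconds_limit is None:
        findings.append("rekey: no Kbytes or seconds limit on session key reuse")
    if not s.pfs:
        findings.append("pfs: off; master key material can generate more than one session key")
    elif s.dh_group == 1:
        findings.append("dh: Group 1 (768 bit) is the weakest group")
    elif s.dh_group == 2:
        findings.append("dh: Group 2 (1024 bit); keep only for Windows 2000/XP/2003 interoperability")
    return findings

def rekey_events(s: PhaseII, kb_per_second: list) -> list:
    """Replay traffic (Kbytes sent in each second) and return (second, trigger)
    for every new session key; whichever limit is reached first wins."""
    events, key_start, used = [], 0, 0
    for i, kb in enumerate(kb_per_second):
        now = i + 1                      # end of this second
        used += kb
        by_bytes = s.kbytes_limit is not None and used >= s.kbytes_limit
        by_time = s.seconds_limit is not None and now - key_start >= s.seconds_limit
        if by_bytes or by_time:
            events.append((now, "kbytes" if by_bytes else "seconds"))
            key_start, used = now, 0     # both counters restart with the new key
    return events

# Constructed sample: small limits and a traffic burst, chosen for readability.
weak = PhaseII("DES", "MD5", kbytes_limit=1000, seconds_limit=10, pfs=True, dh_group=1)
traffic = [50] * 5 + [400] * 3 + [10] * 20

if __name__ == "__main__":
    print(review(weak))
    print(rekey_events(weak, traffic))
```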