When you create a site-to-site virtual private network (VPN)
connection, Microsoft® Internet Security and Acceleration (ISA)
Server 2006 provides a summary of the local site-to-site
settings. Based on the local settings, and the need to mirror local
site settings on the remote site, ISA Server also provides
recommended settings for the remote site. This summary is available
for Internet Protocol security (IPsec), Point-to-Point Tunneling
Protocol (PPTP), and Layer Two Tunneling Protocol (L2TP) over IPsec
site-to-site connections.
IPsec settings
The following setting information is provided for IPsec
site-to-site connections in the summary for the local site-to-site
settings, and also makes reference to the settings of the other end
of the tunnel:

Local Tunnel Endpoint. The local IP address through
which the VPN connection is made. This IP address is the
recommended remote tunnel endpoint for the remote site.

Remote Tunnel Endpoint. The remote IP address through
which the VPN connection is made. This IP address is the
recommended local tunnel endpoint for the remote site.

IKE Phase I and Phase II Parameters. The parameters used
to negotiate the IPsec tunnel settings. These settings are the
recommended IPsec settings for the remote site. It is particularly
important that the authentication method be identical for both the
remote and local sites. If a preshared key is used, it must be
identical for both ends of the tunnel. These are described further
in Solution: Virtual Private Networking in ISA
Server 2006 on the Microsoft
ISA Server TechCenter Web site (http://www.microsoft.com).

Remote Network myIPSec IP Subnets. myIPSec
represents the name you configured for the remote network. This is
the address range you provided for the remote site, converted to
subnet format, which is standard for IPsec connections.

Local Network IP Subnets. The address ranges of all of
the other ISA Server networks, converted to subnet format.
Note
If you did not create a network rule establishing the
relationship between the remote networks and at least one other ISA
Server network (typically, the Internal network), traffic to and
from the remote network will be dropped, and a warning will appear
on the summary page. Similarly, if you do not create an access rule
allowing traffic to and from the remote network, traffic will be
blocked by ISA Server.
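The mirroring rule above (each side's local endpoint is the other side's remote endpoint, each side's local subnets are the other side's remote subnets) and the conversion of an address range to subnet format can be written down as a small script. The following is an added example, not ISA Server's own code or object model: the IpsecLocalSettings class, the ranges_to_subnets and recommended_remote_settings functions, and the sample addresses are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Constructed model of the local IPsec site-to-site summary.
# Field names are hypothetical and are not ISA Server's own.
@dataclass
class IpsecLocalSettings:
    local_tunnel_endpoint: str
    remote_tunnel_endpoint: str
    ike_phase1: Dict[str, str]
    ike_phase2: Dict[str, str]
    auth_method: str                       # "preshared" or "certificate"
    preshared_key: Optional[str]
    remote_network_name: str               # the name you gave the remote network
    remote_ranges: List[Tuple[str, str]]   # (first, last) ranges entered for the remote site
    local_ranges: List[Tuple[str, str]]    # (first, last) ranges of the other ISA Server networks
    network_rule_defined: bool             # a network rule relates the remote network to another
    access_rule_defined: bool              # an access rule allows traffic to and from it


def ranges_to_subnets(ranges: List[Tuple[str, str]]) -> List[str]:
    """Convert first/last address ranges to the minimal list of CIDR subnets.

    A range that is not subnet-aligned becomes several subnets, which is
    what 'converted to subnet format' produces for IPsec selectors.
    """
    subnets: List[str] = []
    for first, last in ranges:
        for net in ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)):
            subnets.append(str(net))
    return subnets


def recommended_remote_settings(local: IpsecLocalSettings):
    """Mirror the local summary into the settings the remote site should use.

    Returns (recommended settings, warnings). Warnings reproduce the
    conditions the summary page flags: missing network or access rules,
    and a preshared-key method with no key configured.
    """
    rec = {
        # endpoints swap sides
        "Local Tunnel Endpoint": local.remote_tunnel_endpoint,
        "Remote Tunnel Endpoint": local.local_tunnel_endpoint,
        # IKE parameters and authentication method must be identical on both ends
        "IKE Phase I Parameters": dict(local.ike_phase1),
        "IKE Phase II Parameters": dict(local.ike_phase2),
        "Authentication Method": local.auth_method,
        # our local networks are the remote site's "remote network" ...
        "Remote Network IP Subnets": ranges_to_subnets(local.local_ranges),
        # ... and the ranges we entered for the remote site are its local subnets
        "Local Network IP Subnets": ranges_to_subnets(local.remote_ranges),
    }
    warnings: List[str] = []
    if local.auth_method == "preshared" and not local.preshared_key:
        warnings.append("preshared key authentication selected but no key is set; "
                        "the key must be identical on both ends")
    if not local.network_rule_defined:
        warnings.append(f"no network rule relates {local.remote_network_name} to another "
                        "ISA Server network; traffic to and from it will be dropped")
    if not local.access_rule_defined:
        warnings.append(f"no access rule allows traffic to and from {local.remote_network_name}")
    return rec, warnings


if __name__ == "__main__":
    # Constructed sample: documentation address blocks, not a real deployment.
    sample = IpsecLocalSettings(
        local_tunnel_endpoint="203.0.113.10",
        remote_tunnel_endpoint="198.51.100.20",
        ike_phase1={"encryption": "3DES", "integrity": "SHA1", "dh_group": "2"},
        ike_phase2={"encryption": "3DES", "integrity": "SHA1"},
        auth_method="preshared",
        preshared_key="example-key",
        remote_network_name="myIPSec",
        remote_ranges=[("172.16.0.0", "172.16.2.255")],   # not /24-aligned: two subnets
        local_ranges=[("10.0.0.0", "10.0.0.255")],
        network_rule_defined=True,
        access_rule_defined=False,
    )
    settings, warns = recommended_remote_settings(sample)
    for key, value in settings.items():
        print(f"{key}: {value}")
    for w in warns:
        print("WARNING:", w)
```

The range 172.16.0.0 to 172.16.2.255 is deliberately not aligned to a single subnet, so the conversion yields 172.16.0.0/23 plus 172.16.2.0/24; checking the generated subnet list against what the remote administrator actually entered is the quickest way to catch a mistyped range before the tunnel negotiation fails on mismatched selectors.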
PPTP and L2TP settings
The following setting information is provided for PPTP and L2TP
site-to-site connections in the summary for the local site-to-site
settings, and also makes reference to the settings of the other end
of the tunnel:

Remote Gateway Address. For the local site, this is the
address on the remote site to which ISA Server connects. On the
remote site, the Remote Gateway Address should be an IP
address, or a Domain Name System (DNS) name that resolves to an IP
address on this ISA Server computer (Standard Edition) or array
(Enterprise Edition).

VPN Network Authentication Protocols (outgoing). These
are the protocols used to authenticate to the remote site. One of
these protocols must be part of the remote site's General VPN
Settings authentication protocols. In the recommended settings
for the remote site, these appear as the General VPN Settings
Authentication Protocols.

General VPN Settings Authentication Protocols
(incoming). The local site must be configured to accept one of
the outgoing authentication methods of the remote site. In the
recommended settings for the remote site, these appear as the
VPN Network Authentication Protocols.

Outgoing Authentication Method (L2TP over IPsec only).
This can be a preshared secret or a certificate. At least one of
these methods has to be an Incoming Authentication Method on
the remote site.

Incoming Authentication Method (L2TP over IPsec only).
This can be a preshared secret, a certificate, or both. One of
these methods must be used by the remote site as its Outgoing
Authentication Method.

Local User. A user with dial-in properties must be
configured on the local network for the remote network to initiate
a connection to the local network. The name of the user account and
the name of the site-to-site network must be identical. ISA Server
indicates the name of the user that you must create on the local
site, based on the name of the site-to-site connection. When you
configure settings for the remote site, you must use the same user
name to connect to the local site. This is provided under
Required settings for the other end of this tunnel in the
Remote Site User listing.

Remote User. This is the user name that the local site
uses to authenticate to the remote site, in a scenario where you
allow the local site to initiate connections to the remote site.
The name of this user account and the name of the site-to-site
network on the remote site must be identical. ISA Server indicates
the name of the user that you must create on the remote site, based
on the name you provided for the remote site user. When you
configure settings for the remote site, you must have a network and
a local user with the same name. This is provided under Required
settings for the other end of this tunnel in the Local User listing.

Site-to-Site Network IP Address. In the local settings
list, the addresses of the remote site network are provided. In the
listing for the other end of the tunnel, ISA Server indicates that
you must provide network addresses with which the remote site has a
network relationship. This can be either a route relationship or a
NAT relationship where the remote site is the source, and the local
site is the destination. ISA Server lists the IP addresses that
meet these requirements, in Required site-to-site settings for
the other end of this tunnel, under Routable Local IP
Addresses.
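The PPTP and L2TP items above are pairwise constraints between the two ends: an outgoing protocol on one side must be an accepted incoming protocol on the other, an L2TP outgoing method must be an incoming method on the other side, and the account one side dials in with must exist on the other side with dial-in enabled and carry the name of that side's site-to-site network. The following is an added example, not ISA Server's own code: the SiteToSiteConfig class, the required_other_end and check_pair functions, and the HQ/Branch sample values are constructed here to show how those constraints can be checked before the connection is attempted.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SiteToSiteConfig:
    """One end of a PPTP or L2TP over IPsec site-to-site connection.

    Field names are hypothetical; they follow the summary page's wording,
    not ISA Server's object model.
    """
    network_name: str                   # name of the site-to-site network on this end
    protocol: str                       # "PPTP" or "L2TP"
    remote_gateway: str                 # IP address or DNS name of the other end
    outgoing_auth_protocols: List[str]  # VPN Network Authentication Protocols (outgoing)
    incoming_auth_protocols: List[str]  # General VPN Settings Authentication Protocols (incoming)
    dialin_users: List[str]             # accounts with dial-in enabled on this end
    remote_user: str                    # account this end uses to authenticate to the other end
    outgoing_auth_method: Optional[str] = None                       # L2TP only
    incoming_auth_methods: List[str] = field(default_factory=list)   # L2TP only


def required_other_end(local: SiteToSiteConfig) -> dict:
    """Derive 'Required settings for the other end of this tunnel' from one end."""
    rec = {
        # what we send out must be accepted by them, and vice versa
        "General VPN Settings Authentication Protocols": list(local.outgoing_auth_protocols),
        "VPN Network Authentication Protocols": list(local.incoming_auth_protocols),
        # they dial in with our network name; we dial in with the account they must create
        "Remote Site User": local.network_name,
        "Local User": local.remote_user,
    }
    if local.protocol == "L2TP":
        rec["Incoming Authentication Method"] = local.outgoing_auth_method
        rec["Outgoing Authentication Method"] = list(local.incoming_auth_methods)
    return rec


def check_pair(a: SiteToSiteConfig, b: SiteToSiteConfig) -> List[str]:
    """Return every mismatch that would stop a and b from connecting; [] if consistent."""
    problems: List[str] = []
    for src, dst in ((a, b), (b, a)):
        if not set(src.outgoing_auth_protocols) & set(dst.incoming_auth_protocols):
            problems.append(f"{src.network_name}: no outgoing authentication protocol "
                            f"is accepted by {dst.network_name}")
        if src.protocol == "L2TP" and src.outgoing_auth_method not in dst.incoming_auth_methods:
            problems.append(f"{src.network_name}: outgoing method {src.outgoing_auth_method!r} "
                            f"is not an incoming method on {dst.network_name}")
        # the account src dials in with must be named after dst's site-to-site
        # network and must exist on dst with dial-in enabled
        if src.remote_user != dst.network_name:
            problems.append(f"{src.network_name}: remote user {src.remote_user!r} must equal "
                            f"the site-to-site network name {dst.network_name!r}")
        if dst.network_name not in dst.dialin_users:
            problems.append(f"{dst.network_name}: no dial-in user named {dst.network_name!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: head office names its site-to-site network "Branch",
    # the branch names its network "HQ". Protocol names are illustrative.
    hq = SiteToSiteConfig("Branch", "L2TP", "branch.example.net", ["MS-CHAPv2"],
                          ["MS-CHAPv2", "EAP"], ["Branch"], "HQ",
                          outgoing_auth_method="certificate",
                          incoming_auth_methods=["preshared", "certificate"])
    branch = SiteToSiteConfig("HQ", "L2TP", "203.0.113.10", ["MS-CHAPv2"],
                              ["MS-CHAPv2"], ["HQ"], "Branch",
                              outgoing_auth_method="preshared",
                              incoming_auth_methods=["certificate"])
    print("HQ requires of the other end:", required_other_end(hq))
    print("problems:", check_pair(hq, branch) or "none")
```

Running check_pair over both configurations before enabling the connection turns the summary page's recommendations into a concrete list of what still differs, which is more useful than a failed authentication with no indication of which of the paired settings was wrong.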