Microsoft Internet Security and Acceleration Server 2004 SDK

About Virtual Private Networks

ISA Server helps you set up and secure a virtual private network (VPN). A VPN is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link. Virtual private networking is the act of creating and configuring a virtual private network.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The portion of the path over which the private data travels encapsulated and encrypted is the VPN connection.

VPN connections allow users who work at home or on the road to obtain a remote access connection to an organization server using the infrastructure provided by a public internetwork such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the user's computer (the VPN client) and an organization server (the VPN server). The exact infrastructure of the shared or public network is irrelevant, because it appears as if the data is sent over a dedicated private link.

VPN connections also allow organizations to have routed connections between geographically separate offices, or with other organizations, over a public internetwork such as the Internet while maintaining secure communications. A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.

Benefits of co-locating VPN functionality on ISA Server

By using the ISA Server computer as the VPN server, you protect your corporate network from malicious traffic arriving over VPN connections. Because the VPN server is integrated with the firewall, VPN users are subject to the ISA Server access policy. All VPN clients belong to the VPN Clients network and are allowed access to resources on the internal network only in accordance with the access rules you define for that network.

Furthermore, all VPN connections to the ISA Server computer are logged to the Firewall log, which gives you an additional audit trail for remote access.

Finally, ISA Server can accept VPN client connections over L2TP/IPSec, which provides stronger authentication and encryption than the more widely used PPTP protocol.

Types of VPN

There are two types of VPN connections, both described above: remote access VPN connections, in which a single client computer connects to the VPN server, and routed (site-to-site) VPN connections, in which two networks are connected through their VPN servers.

VPN Components

VPN and multi-networking

When you configure the VPN, you can set aside a pool of static IP addresses for the VPN users' computers. When a VPN client connects to the local network, it is assigned an IP address from this address pool. This IP address is added to the VPN Clients network.

In the multi-network environment supported by ISA Server, VPN users are part of the VPN Clients network.

Although the addresses in the VPN address pool may fall within the local network's address range, VPN clients are not members of the local (Internal) network and are therefore not subject to the access rules you configured for that network in ISA Server. To give VPN clients access to network resources, you must configure access rules that name the VPN Clients network as the source.
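The following Python model, added here as an illustration and not part of the ISA Server SDK, shows the consequence of the two preceding points: an address leased from the static pool is treated as a member of the VPN Clients network even when the pool was carved out of the Internal address range, so a rule whose source is Internal does not match it and a separate rule with VPN Clients as source is needed. The networks, pool range, rule names and protocol names are constructed for the example; the first-match, default-deny rule evaluation and the log line format are simplifications of ISA Server behavior, not its actual implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Network:
    """A named network defined by one or more address ranges."""
    name: str
    ranges: List[ipaddress.IPv4Network]

    def contains(self, addr: IPv4) -> bool:
        return any(addr in r for r in self.ranges)


@dataclass
class AccessRule:
    """Simplified access rule: matched on source network, destination network and protocol."""
    name: str
    action: str          # "allow" or "deny"
    source: str          # source network name
    destination: str     # destination network name
    protocols: Set[str]  # protocol names; "*" means all protocols


class VpnAddressPool:
    """Static address pool handed out to connecting VPN clients (range is a constructed example)."""

    def __init__(self, cidr: str) -> None:
        self.free = list(ipaddress.ip_network(cidr).hosts())
        self.leases: Dict[str, IPv4] = {}  # client id -> assigned address

    def assign(self, client_id: str) -> IPv4:
        addr = self.free.pop(0)
        self.leases[client_id] = addr
        return addr

    def is_leased(self, addr: IPv4) -> bool:
        return addr in self.leases.values()


class Firewall:
    def __init__(self, networks: List[Network], pool: VpnAddressPool, rules: List[AccessRule]) -> None:
        self.networks = networks
        self.pool = pool
        self.rules = rules
        self.log: List[str] = []

    def network_of(self, addr) -> str:
        addr = ipaddress.ip_address(addr)
        # An address currently leased to a VPN client belongs to the VPN Clients
        # network, even though the pool lies inside the Internal address range.
        if self.pool.is_leased(addr):
            return "VPN Clients"
        for net in self.networks:
            if net.contains(addr):
                return net.name
        return "External"

    def evaluate(self, src, dst, protocol: str) -> Tuple[str, str]:
        """First matching rule wins; no match falls through to the default deny."""
        src_net = self.network_of(src)
        dst_net = self.network_of(dst)
        for rule in self.rules:
            if (rule.source == src_net and rule.destination == dst_net
                    and ("*" in rule.protocols or protocol in rule.protocols)):
                verdict = (rule.action, rule.name)
                break
        else:
            verdict = ("deny", "Default rule")
        # Every decision, VPN client traffic included, is written to the log.
        self.log.append(f"src={src} ({src_net}) dst={dst} ({dst_net}) proto={protocol} "
                        f"action={verdict[0]} rule={verdict[1]!r}")
        return verdict


def build_demo_firewall() -> Firewall:
    """Constructed configuration: Internal is 10.0.0.0/16, the VPN pool sits inside it."""
    internal = Network("Internal", [ipaddress.ip_network("10.0.0.0/16")])
    pool = VpnAddressPool("10.0.200.0/24")
    rules = [
        AccessRule("Allow Internal to Internal", "allow", "Internal", "Internal", {"*"}),
        AccessRule("Allow VPN Clients web to Internal", "allow", "VPN Clients", "Internal", {"HTTP", "HTTPS"}),
    ]
    return Firewall([internal], pool, rules)


if __name__ == "__main__":
    fw = build_demo_firewall()
    vpn_addr = fw.pool.assign("laptop-1")
    print(fw.evaluate(vpn_addr, "10.0.1.10", "HTTP"))   # allowed by the VPN Clients rule
    print(fw.evaluate(vpn_addr, "10.0.1.10", "SMB"))    # Internal-to-Internal rule does not apply
    print(fw.evaluate("10.0.5.5", "10.0.1.10", "SMB"))  # an internal host is allowed
    print(*fw.log, sep="\n")
```

Running the block shows that the VPN client at 10.0.200.1, although numerically inside 10.0.0.0/16, gets HTTP to the internal host only through the rule whose source is VPN Clients and is denied SMB by the default rule, while an internal host at 10.0.5.5 is allowed SMB by the Internal-to-Internal rule.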