Site to site VPN and Windows Essential Business Server
[Today's post comes to us courtesy of Alok Goyal]
My name is Alok Goyal and I am a part of the Essential Business Server (EBS) team. Today, I wanted to talk about a new document I posted on the Microsoft Connect site. The document is titled "Site to site VPN and Windows Essential Business Server." It talks about how to establish site to site VPN tunnel in an Essential Business Server environment. The core audience of this document is the network engineers who need to configure and test a site to site VPN tunnel between the two network sites when Essential Business Server is present in the environment.
A site to site VPN tunnel establishes a secure channel between the two sites via the Internet. It enables organizations to extend their networks across low cost Internet connections without compromising the security. It establishes an authentication mechanism at both ends of the VPN tunnel by encrypting all the data.
Many of you have been using Windows Essential Business Server in the mid-sized marketplace as it boosts productivity and growth. It helps view, deploy, manage and administer applications from one central point. Windows Essential Business Server includes Security Server which protects your network through a Threat Management Gateway (TMG) component. It acts as a software firewall between your network and the outside world. It also includes site to site VPN functionality based on IPsec tunnel mode protocol.
There are two main ways you can install Essential Business Server:
1. Replace your existing firewall with the Essential Business Server Security Server
2. Install Essential Business Server Security Server behind your existing firewall
Essential Business Server team recommendation is to choose option 1) as it is the best choice for our customers. It reduces complexity and lowers down your cost of maintaining the additional firewall. However, sometimes this transition is difficult for some of you. However, you still can choose option 2) when you install EBS.
That said, in a site to site VPN scenario, option 2) becomes very tricky as you get two more options:
a. Terminate your existing site to site VPN tunnel at your existing firewall
b. Terminate your existing site to site VPN tunnel at Essential Business Server Security Server
Option a) is advanced and more complex than option b). The "Site to site VPN and Windows Essential Business Server" document talks about a generic approach and discusses how you can use option a) after installing Essential Business Server in your environment. It starts with a network configuration as an example and helps you understand the required steps necessary for a site to site VPN tunnel to work. In addition to that, the document provides step by step instructions for configuring the IPsec VPN tunnel between the ISA server and one of the IPsec compatible gateways such as Netscreen 25 device when Essential Business Server is present in the environment. The document assumes that you have a computer on the branch office network running ISA server. As you understand, it is impossible to foresee every possible combinations as you may use any of the available industry leading gateways providing site to site VPN technology. The example listed in this document is for reference only and illustrating only the concepts. Also, we recommend you to go to www.vpnc.org to check for any firewall/gateway compatibility issues.
Download Full Document
To download this document, go here.
If you are not already registered with Microsoft Connect, you may need to do so (it's a simple process and it's free).
Supporting Documents
A few other great artciles on how to configure VPN tunnels include:
https://www.firewall1.nu/docs/Watchguard_V60_and_Fortigate_60_VPN.pdf
Comments
Anonymous
November 06, 2009
Interesting document. Screenshots with Firefox browser and ISA server on Windows Server 2003 instead TMG which is included in EBS in Windows Server 2008. And the best is "Microsoft Confidental" in footer of the document :-))). Great job. Don´t worry i´m not from Linux community, i am certified for EBS but this document is funny :-).Anonymous
November 06, 2009
Netscreen device user interface does not work properly with IE :) and that is the reason the screenshots have been taken with Firefox. The idea was to demonstrate how users could establish VPN connections in their existing environment with legacy devices when EBS is installed. This is the reason why you see ISA and netscreen 25 device in this document :) Yes, it is funny to have "Microsoft Confidential" in the document BTW :), i will get it removed quickly.