DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

ISA Server VPN behind 2820n model?

31 Mar 2011 14:16 #1 by shrikeh
Hi there,

I'm wondering if anyone has any experience of using ISA Server as a VPN endpoint behind a Vigor router. I'm having trouble publishing the VPN server. I'll explain the full scenario to help anyone who could assist.

We have a Vigor 2820n router and a three-tier network: red zone (internet), orange zone (restricted, WiFi), green zone (super restricted). Our web servers each have two NICs, one on the orange zone, one on the green zone. Only ports 80 and 8080 are open on the orange side.

The idea therefore is that red zone traffic can see the public website (the router forwards port 80 traffic to the web stack). In the orange zone (10.0.0.x), you can see other stuff (staging sites, development tools, etc.). The green zone is for access to code and administering servers.

Clients in the office (using the WiFi) or remotely can VPN via the Vigor and use apps in the Orange Zone. This is working fine at present with either a PPTP or L2TP-IPSEC VPN hosted by the Vigor router. However, we also wish to grant some users access to the green zone (192.0.x.x). This is an Active Directory-controlled network. Access to this should be via the ISA Server VPN endpoint and require a certificate. We want the certificate authority to require at least orange zone access.

Workflow:

1. User connects to VPN/WiFi, and navigates to the certificate authority issue website (currently viewable via ISA server) on 10.0.0.2. CA only accepts traffic from within Orange Zone.
2. User is granted certificate, disconnects from Orange Zone VPN.
3. User connects directly to ISA Server VPN. Certificate required to connect. User now can access Green Zone.

The problem is that this doesn't seem to actually work. Within the Orange Zone on WiFi, certificates are issued fine and we can VPN into the Green Zone. The problem is for remote users. We cannot seem to publish the ISA Server for VPN access with either PPTP or L2TP protocols. Currently, we have to create a VPN PPTP tunnel to the Vigor, and then a second PPTP tunnel to the ISA Server's 10.0.0.2 address, affecting both speed and reliability. If either the Vigor or the ISA Server uses L2TP-IPSEC, it won't work at all.

Surely it should be fairly easy to have all L2TP-IPSEC traffic forwarded to the ISA server, while the Vigor continues to offer PPTP access?

Any help with this would be wonderful.
