<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://msmvps.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Javier's SBS Wonderland : ISA</title><link>http://msmvps.com/blogs/javier/archive/tags/ISA/default.aspx</link><description>Tags: ISA</description><dc:language>en</dc:language><generator>CommunityServer 2008.5 SP2 (Build: 40407.4157)</generator><item><title>Site to Site VPN while keeping ISA in the Mix</title><link>http://msmvps.com/blogs/javier/archive/2004/12/08/23045.aspx</link><pubDate>Thu, 09 Dec 2004 04:04:00 GMT</pubDate><guid isPermaLink="false">d67277c4-116b-43f1-b688-e9ef184ea916:23045</guid><dc:creator>Javier</dc:creator><slash:comments>6</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://msmvps.com/blogs/javier/rsscomments.aspx?PostID=23045</wfw:commentRss><comments>http://msmvps.com/blogs/javier/archive/2004/12/08/23045.aspx#comments</comments><description>&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;If you have a remote office or a branch it might be a good idea to have those users connected to your primary office permanently. You could even have an additional domain controller at the remote site, or have the users log in via a Terminal Server at your primary location. To connect the two locations together you have a couple of options:&lt;/P&gt;
&lt;OL style="MARGIN-TOP: 0in" type=1&gt;
&lt;LI class=MsoNormal style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;Connect each computer individually using PPTP VPN to the SBS box directly.&lt;/LI&gt;
&lt;LI class=MsoNormal style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;Use a PPTP VPN-capable router on the remote site and establish the VPN directly to the SBS box.&lt;/LI&gt;
&lt;LI class=MsoNormal style="MARGIN: 0in 0in 0pt; mso-list: l0 level1 lfo1; tab-stops: list .5in"&gt;Use 2 VPN routers (IPSec) to establish a site to site VPN.&lt;/LI&gt;&lt;/OL&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;Option #3 is fairly common. However, this method presents a problem when you want to keep using ISA. You cannot put the router in front of ISA anymore, because the VPN tunnel would terminate there and your users would not be able to access the resources in the LAN. So, what can you do? Well, there are a couple of ways to get around this problem&amp;#8230; I will discuss one way:&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;You will need two VPN-capable routers (and know how to create a &amp;#8220;normal&amp;#8221; tunnel between them) and two public IPs on the site where ISA is located.&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;Your setup should look like this:&lt;/P&gt;
&lt;IMG src="http://www.msmvpsphotos.com/Javier/VPN.gif"&gt; 
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;Basically, you need to give ISA and the VPN router in the main office 2 distinct public IPs and put them in parallel with each other. Then turn off DHCP on the VPN router in the main office, make sure it is on the same subnet as the internal LAN, and connect it to the same switch as the SBS internal NIC. Configure the VPN link between the 2 sites as you would in a "normal" situation and make sure your VPN router is blocking all incoming traffic; because it sits beside ISA rather than behind it, nothing that arrives through this router is filtered by ISA. As with any VPN, the remote LAN must be on a different subnet.&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;Now, the last step is to tell the local LAN how to find the remote one (since SBS is the default gateway, the computers will try to use that one instead of the VPN router). To correct this we must create a static route on the server&amp;#8230; so go and run the following command on the SBS box: "route add -p 10.0.0.0 mask 255.255.255.0 192.168.16.3" (in this example 10.0.0.0/24 is the remote LAN and 192.168.16.3 is the internal address of the VPN router in the main office; the -p switch makes the route persistent across reboots) and you should be good to go.&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;There could be other variations on this scheme, but if you understand the steps involved here then it's easy to modify this to do whatever you want.&lt;/P&gt;</description><category domain="http://msmvps.com/blogs/javier/archive/tags/ISA/default.aspx">ISA</category><category domain="http://msmvps.com/blogs/javier/archive/tags/General/default.aspx">General</category><category domain="http://msmvps.com/blogs/javier/archive/tags/Other/default.aspx">Other</category></item></channel></rss>