
Lab exercise: VPN (Virtual Private Network)

1. VPN Client to Site

Preparation:

Set the IP parameters of the interfaces on the ISA Server. On the ISA, make sure that the Internal Network is the IP range 192.168.100.0 - 192.168.100.255.

Test the system: open all ports to check the Client's internet connectivity.

Rule name | Action | Protocols | Source | Destination | User sets
Mo het (Open all) | Allow | All Outbound | All Network | All Network | All Users

Check with PING:
o On a machine in Internal: PING to 8.8.8.8 / ping to C2.

Block all ports on the ISA Server (Default Policy) before starting the exercise. Allow Internal to PING anywhere (used for testing):

Rule name | Action | Protocols | Source | Destination | User sets
Cho PING (Allow PING) | Allow | PING | Anywhere | Anywhere | All Users

Requirement:

Configure the VPN Client system so that C2 and C1 can communicate. C1 shares data for C2 to access.

Instructions:

a. Configure the VPN Client on the ISA machine:


- Configure Address Assignment Method: define the range of IP addresses that will be allocated to the VPN interfaces of the VPN Client machines. This range must not be on the same network as any network already defined in ISA (Internal, DMZ, ...). The first IP address is reserved for the VPN Server.
- Enable VPN Client Access:
  o Allow VPN Clients to connect.
  o Maximum number of VPN Clients: the number of VPN Client machines allowed to connect (not more than the number of IP addresses allocated above).
- Specify Windows Users: specify the Group (containing the Users allowed to use VPN). Use Local Users of the VPN Server or Domain Users (if the VPN Server is a Domain member).
- VPN Properties: choose the VPN connection protocol:
  PPTP (Point-to-Point Tunneling Protocol): creates a tunnel over the existing internet connection to carry private data. This protocol does not encrypt the transmitted data.

  L2TP (Layer 2 Tunneling Protocol): encrypts the data carried over PPTP. L2TP can be used with a Preshared Key.
- Remote Access Configuration: make sure that VPN connection requests are accepted on the External network interface.
  o Applied to the VPN Client.

- View Firewall Policy for the VPN Client Network: view and adjust the policies.
- View Network Rule: re-check the routing relationships between VPN Client and the other Networks.

b. Create an Access Rule for the VPN Client machine to access data in Internal:


Rule name | Action | Protocols | Source | Destination | User sets
Cho VPN Client truy cap Share file trong INT (Allow VPN Client to access shared files in INT) | Allow | NetBIOS Session, NetBIOS Datagram, NetBIOS Name Service | VPN Client | Internal | All Users

c. On the Client machine outside:


- Create the VPN connection on the Client machine:
  o Open Network Connections and choose Create a new Connection.
  o Choose Connect to the network at my workplace.
  o Enter the connection name (the company name).
  o Enter the IP address (external side of the ISA server) or the domain name.
- Make the VPN connection to the ISA Server.

Check the VPN connection result on the Client:

Double-click the VPN icon just created. Enter User / pass.

View the IP address of the VPN connection. Try to PING machine C1 (in the ISA's Internal). Try to access the data shared by the machine in Internal.

d. Experiments and troubleshooting:

a. Check the VPN Client's internet connectivity in 2 cases:

Experiment | When the VPN connection is off | When the VPN connection is on | Conclusion
1. Use the command pathping 8.8.8.8 to check the path of the ping packets | | |
2. Browse the Web | | |
3. Access a machine in the ISA's Internal | Not possible | |

Conclusion: when the VPN connection is on, the VPN Client's internet access depends on the ISA Server.

b. Handling the case where the VPN Client cannot browse the Web while the VPN connection is on:
- On the ISA: create an Access Rule allowing the VPN Clients network to access the Web (HTTP, HTTPS, DNS) on the outside (External).

c. Handling the requirement that the VPN Client can reach internal machines but should not depend on the ISA Server for internet access:
- Properties of the VPN connection -> Properties of Internet Protocol (TCP/IP) -> Advanced button -> untick Use default gateway on remote network (do not use the default gateway of the remote network, i.e. the VPN Server).
- Use a command to create a static route so that the Client can reach the internal network:
  Route add <internal network> mask <mask> <IP of the VPN interface>
  Example: Route add 192.168.10.0 mask 255.255.255.0 192.168.11.2
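The address-pool constraints from step a (no overlap with networks already defined in ISA, first address reserved for the server, client count bounded by the pool) and the split-tunnel static route above can be checked before they are typed into ISA or the client. This is an added example, not part of the lab sheet; it uses Python's ipaddress module, and the pool 192.168.101.1-192.168.101.10 is an assumed sample value.

```python
import ipaddress


def check_vpn_pool(pool_start, pool_end, networks, max_clients):
    """Return a list of problems with a VPN client address pool.

    Rules taken from the lab: the pool must not overlap any network already
    defined in ISA (Internal, DMZ, ...), and because the first address is
    reserved for the VPN server, max_clients may not exceed pool size - 1.
    """
    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    problems = []
    if end < start:
        return ["pool end precedes pool start"]
    # Express the From..To range as CIDR blocks so overlap tests are cheap.
    pool_blocks = list(ipaddress.summarize_address_range(start, end))
    for name, cidr in networks.items():
        net = ipaddress.IPv4Network(cidr)
        if any(net.overlaps(block) for block in pool_blocks):
            problems.append(f"pool overlaps {name} ({cidr})")
    usable = int(end) - int(start)  # size - 1: first address is the server's
    if max_clients > usable:
        problems.append(f"max clients {max_clients} exceeds usable pool {usable}")
    return problems


def static_route_cmd(internal_net, vpn_iface_ip, pool_start, pool_end):
    """Build the 'route add' line from the lab for a client that has unticked
    'Use default gateway on remote network'.

    strict=True rejects a network with host bits set (e.g. 192.168.10.5/24),
    and the gateway must be an address the VPN server could have handed out.
    """
    net = ipaddress.IPv4Network(internal_net, strict=True)
    gw = ipaddress.IPv4Address(vpn_iface_ip)
    if not ipaddress.IPv4Address(pool_start) <= gw <= ipaddress.IPv4Address(pool_end):
        raise ValueError(f"{gw} is outside the VPN address pool {pool_start}-{pool_end}")
    return f"route add {net.network_address} mask {net.netmask} {gw}"


if __name__ == "__main__":
    # Constructed sample values: Internal is the lab's 192.168.100.0/24, the
    # pool 192.168.101.1-192.168.101.10 is a hypothetical VPN client range.
    defined = {"Internal": "192.168.100.0/24"}
    print(check_vpn_pool("192.168.101.1", "192.168.101.10", defined, 9))   # []
    print(check_vpn_pool("192.168.100.50", "192.168.100.60", defined, 5))  # overlap
    print(static_route_cmd("192.168.10.0/24", "192.168.11.2", "192.168.11.1", "192.168.11.10"))
```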

2. VPN Site to Site

Preparation:

Set the IP parameters of the interfaces on the 2 ISA Servers. Make sure the ISA servers can reach the internet.
On ISA-1, make sure that the Internal Network is the IP range 192.168.100.0 - 192.168.100.255.
On ISA-2, make sure that the Internal Network is the IP range 192.168.200.0 - 192.168.200.255.
Block all ports on the ISA Server (Default Policy) before starting the exercise. Allow PING anywhere (used to test connectivity):

Rule name | Action | Protocols | Source | Destination | User sets
Cho PING (Allow PING) | Allow | PING | Anywhere | Anywhere | All Users

Requirement: configure Site-to-Site VPN so that C1 and C2 can communicate. C1 and C2 access each other's shared data.

Instructions:

1. Create the accounts that authorize Site-to-Site VPN access:

Item | Site 1 (HCM) | Site 2 (HN) | Note
Create an account and grant Dial-In permission to it | HaNoi / pass1 | HCM / pass2 | This account is given to the remote site, which declares it when connecting to the VPN.

2. Configure the Site-to-Site VPN on ISA.

Enter the parameters in the Wizard:

Item | Site 1 (HCM) | Site 2 (HN) | Note
Network Name | HaNoi | HCM | Declares a new Network in ISA (the remote network). The network name must be identical to the account name created above.
IP range (*) | From 192.168.102.1 To 192.168.102.5 | From 192.168.201.1 To 192.168.201.5 | IPs that will be assigned to the Tunnel (the first IP is assigned to the VPN Server).
Remote site (**) | 10.0.0.y | 10.0.0.x | External IP of the ISA server on the other side.
Dial User / pass | HCM / pass2 | HaNoi / pass1 | Declares the dial-in account of the site you want to connect to.
Address Range of the remote site | From 192.168.20.0 To 192.168.20.255 | From 192.168.10.0 To 192.168.10.255 | Defines the Internal Network of the remote site.
Remote NLB | Not use | Not use | Not used (Network Load Balancing).
Site to site Network rule | HaNoi to Internal network rule: ROUTE | HCM to Internal network rule: ROUTE | Creates LAN routing between Internal and the remote Site.
Site to site Access rule | Allow access between HaNoi and Internal | Allow access between HCM and Internal | All Protocols or Selected protocols.

(*) The IP range for the Tunnel should be defined before creating the new VPN network connection.
(**) If the ISA server sits behind an xDSL Router: enter the (public) IP of the xDSL Router. In addition, the PPTP, L2TP and IPSec ports must be opened on the xDSL router and forwarded to the external IP of the ISA server.

Check the results: check connectivity (PING) between C1 and C2 (the ISA server will automatically bring up the site-to-site VPN connection). Create Access Rules so that C1 and C2 can access each other's shared data. Check the VPN connection on the ISA Server: run Routing and Remote Access -> Network Interfaces -> right-click the VPN interface -> Connect / Disconnect.
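The wizard table is easy to get wrong because every value entered at one site must be mirrored at the other. This added example (not from the lab sheet) encodes the lab's cross-site rules and checks both columns against each other. The external IPs 10.0.0.1 and 10.0.0.2 stand in for the lab's 10.0.0.x / 10.0.0.y placeholders, and each site's Internal network is assumed to be the other site's "Address Range of the remote site".

```python
import ipaddress

# Constructed sample: the two wizard answer columns from the lab's table.
# 10.0.0.1 / 10.0.0.2 stand in for the lab's 10.0.0.x / 10.0.0.y placeholders,
# and each site's Internal is taken from the other site's
# "Address Range of the remote site" row.
SITE_HCM = {
    "name": "Site 1 (HCM)",
    "local_account": ("HaNoi", "pass1"),   # account created here for the peer
    "network_name": "HaNoi",               # remote network declared here
    "dial_user": ("HCM", "pass2"),         # credentials used to dial the peer
    "external_ip": "10.0.0.1",
    "remote_site_ip": "10.0.0.2",
    "internal": "192.168.10.0/24",
    "remote_range": "192.168.20.0/24",
}
SITE_HN = {
    "name": "Site 2 (HN)",
    "local_account": ("HCM", "pass2"),
    "network_name": "HCM",
    "dial_user": ("HaNoi", "pass1"),
    "external_ip": "10.0.0.2",
    "remote_site_ip": "10.0.0.1",
    "internal": "192.168.20.0/24",
    "remote_range": "192.168.10.0/24",
}

def check_site_to_site(site_a, site_b):
    """Return the list of mismatches between the two sites' wizard answers."""
    problems = []
    for me, peer in ((site_a, site_b), (site_b, site_a)):
        tag = me["name"]
        # Lab rule: the remote network name must equal the local account name.
        if me["network_name"] != me["local_account"][0]:
            problems.append(f"{tag}: network name must equal the account created here")
        # The dial-in credentials must be the account the peer created.
        if me["dial_user"] != peer["local_account"]:
            problems.append(f"{tag}: dial user is not the account created at {peer['name']}")
        # "Remote site" must be the peer ISA's external IP.
        if me["remote_site_ip"] != peer["external_ip"]:
            problems.append(f"{tag}: remote site IP is not {peer['name']}'s external IP")
        # The remote address range must be exactly the peer's Internal network.
        if ipaddress.IPv4Network(me["remote_range"]) != ipaddress.IPv4Network(peer["internal"]):
            problems.append(f"{tag}: remote address range is not {peer['name']}'s Internal")
    return problems

if __name__ == "__main__":
    print(check_site_to_site(SITE_HCM, SITE_HN))  # []
```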

3. Securing the VPN with the L2TP/IPSec protocol.

Configuration on the VPN Server: open VPN Properties
