How to Cheat at Configuring ISA Server 2004

Supporting Outbound VPN Connections through the ISA Firewall

You can configure the ISA firewall to allow outbound access to VPN servers on the Internet. The ISA firewall supports all true VPN protocols, including PPTP, L2TP/IPSec, and IPSec NAT Traversal (NAT-T).

The ISA firewall can pass PPTP VPN connections from any Protected Network to the Internet with the help of its PPTP filter. The PPTP filter intercepts the outbound PPTP connection from the Protected Network client and mediates both the GRE (Generic Routing Encapsulation, IP protocol 47) traffic and the PPTP control channel (TCP 1723). The only thing you need to do is create an Access Rule allowing outbound access to PPTP.

Warning

In the following example, we configure outbound access to PPTP only from Remote Management Computers. We do this to emphasize that only highly trusted hosts should be allowed outbound access to VPN servers. The VPN client connects to a network that you likely have no administrative control over, so it acts as a potential security bridge between your network and the remote network. Therefore, you must be very strict about which machines are allowed outbound VPN access. This example also allows a connection only to a specific VPN server. You should always pre-qualify the VPN servers your users connect to, to reduce the overall negative security impact outbound VPN connections can have on your corporate network.
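The restriction described in this warning can be checked against firewall logs. The following is an added example, not from the book: it audits allowed outbound PPTP traffic (TCP 1723 or IP protocol 47) against a source and destination allowlist. The record format, the addresses and the names `REMOTE_MGMT` and `APPROVED_VPN` are assumptions constructed for illustration and are not the ISA firewall's native log format.

```python
import ipaddress

# Assumed policy values (constructed; private and documentation address ranges).
REMOTE_MGMT = [ipaddress.ip_network("10.0.0.16/29")]   # Remote Management Computers
APPROVED_VPN = {ipaddress.ip_address("203.0.113.10")}  # pre-qualified VPN server

# Constructed sample records: "src dst ip_protocol dst_port action"
SAMPLE_LOG = """\
10.0.0.17 203.0.113.10 6 1723 allow
10.0.0.17 203.0.113.10 47 - allow
10.0.0.99 203.0.113.10 6 1723 allow
10.0.0.18 198.51.100.7 6 1723 allow
10.0.0.99 198.51.100.7 47 - deny
10.0.0.99 198.51.100.7 6 443 allow
"""

def is_pptp(proto, port):
    """PPTP is the control channel on TCP 1723 plus GRE (IP protocol 47) data."""
    return (proto == 6 and port == 1723) or proto == 47

def audit(log_text):
    """Return (line_no, reason) for allowed PPTP traffic that falls outside policy."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        src, dst, proto, port, action = fields
        proto = int(proto)
        port = int(port) if port.isdigit() else None  # GRE has no port
        if action != "allow" or not is_pptp(proto, port):
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        reasons = []
        if not any(src_ip in net for net in REMOTE_MGMT):
            reasons.append("source not a Remote Management Computer")
        if dst_ip not in APPROVED_VPN:
            reasons.append("VPN server not pre-qualified")
        if reasons:
            findings.append((n, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for line_no, reason in audit(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```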

Perform the following steps to allow outbound PPTP access through the ISA firewall:

  1. In the Microsoft Internet Security and Acceleration Server 2004
