Wow! Lots of good info, couple of questions....

I was planning on using RRAS for the connections, should I go ahead and set everything up unsecured, just to get functional, before I install ISA and do all the other stuff?

Also, I'm using Ameritech Business DSL at my "main" location. Unfortunately they support only NAT to give me my real IP address, is that going to affect IPSec? NAT takes place on the router, unless there's a way to get around that.

In ISA, I assume I will only have to allow a VPN protocol or port to pass through, will all the traffic from the VPN be allowed (IPX traffic, game traffic, file transfers)?

I know this is going to be really hard, but I would really like to do it all to build my skill set. We're all really excited (geeks at heart).

Thanks for all your help.

Andrew

From: "Gary Anderson" <gary.anderson@wanadoo.fr>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
cc:
Subject: [isalist] RE: My little WAN
01/04/2002 08:04 AM
Please respond to "[ISAserver.org Discussion List]"

http://www.ISAserver.org

I'm sorry, I didn't read all of the thread before.

Ok, here's the deal. You set up a VPN between your LANs. I've never tried to set this up with ISA before but I understand that it would work. I've always used Cisco, Watchguard or RRAS.

With a VPN that uses W2K, you can use PPTP or IPsec. Actually it is L2TP with IPSec but that's another story. IPSec creates an encrypted channel between two end points. The traffic is encrypted and it is also verified that nothing has been modified. That's why you can't use Network Address Translation with IPSec. You change the source/destination address, IPSec will detect this and throw out the packet.

Since the ISA server is your perimeter security device, it is going to go from ISA Server to ISA Server. To encrypt the traffic, both ends use an agreed upon method for encryption. This can be a "shared key" or a certificate. Shared key is less secure but it is easier to set up.
Don't worry about someone determining the "shared key". It is used to calculate another key. It is never sent in the clear during your communication. In other words, don't send it to someone via unencrypted email while you are trying to set it up.

To avoid a lot of headaches, set up your VPN with PPTP and then change it to IPSec. PPTP is a lot easier to set up. Once it works, try IPSec with a shared key. If you want to use certificates, that's ok but it is harder to set up.

-----Original Message-----
From: HCALM1@xxxxxxxx [mailto:HCALM1@xxxxxxxx]
Sent: Friday, January 04, 2002 13:32
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: My little WAN

You mean use that with the IPSec? Do you see any security issues with this? I'm not sure how to configure ISA, since I don't want to block RPC services. I guess I have to tell ISA that the VPN connections are somehow part of the LAN.... ???

From: "Gary Anderson" <gary.anderson@wanadoo.fr>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
cc:
Subject: [isalist] RE: My little WAN
01/04/2002 06:47 AM
Please respond to "[ISAserver.org Discussion List]"

It's a password or even a phrase that both ends of the connection know.

-----Original Message-----
From: HCALM1@xxxxxxxx [mailto:HCALM1@xxxxxxxx]
Sent: Friday, January 04, 2002 12:27
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: My little WAN

What is a "shared secret"?

-Andrew

From: "James McDonald (IS)" <James.McDonald@e-profile.com>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
cc:
Subject: [isalist] RE: My little WAN
01/03/2002 02:28 PM
Please respond to "[ISAserver.org Discussion List]"

I would recommend you use IPsec and a shared secret for a secure tunnel between your machines. Create filters that allow only the machines you want to include in your forest to connect through your ISA servers.

Good luck. You've got a lot of work ahead.
-----Original Message-----
From: HCALM1@xxxxxxxx [mailto:HCALM1@xxxxxxxx]
Sent: Thursday, January 03, 2002 12:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] My little WAN

I'm setting up four servers... kind of an experiment. We all have high bandwidth connections so we decided to create one domain forest, and all of us will have our own domain within to manage. We want to set up Active Directory replication and general connectivity using Routing and Remote Access to create VPN connections. Probably all connected to one server, the first one in the forest.

Security with ISA is agreed upon, but how to configure is up for much debate. We want security but we want to be able to function as if we were on a LAN together (share files, use DFS, play games even).

Any suggestions or input from anyone that would help us with this experiment?

Thanks,
andrew

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: james.mcdonald@xxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

***************************************************************************
This electronic mail transmission contains confidential and/or privileged information intended only for the person(s) named. Any use, distribution, copying or disclosure by another person is strictly prohibited.
***************************************************************************
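
The two mechanisms described in the thread (a shared key that only feeds a key calculation and is never transmitted, and an integrity check that rejects a packet whose address was rewritten by NAT), modelled as an added example that is not part of the original messages. The packet layout, the nonce strings and the key derivation are simplified assumptions, not IKE or the real AH header; only the HMAC-SHA1-96 style tag mirrors what IPSec AH used.

```python
import hashlib
import hmac
import ipaddress

NONCE_A = b"constructed-nonce-site-A"   # sent in the clear during negotiation
NONCE_B = b"constructed-nonce-site-B"

def derive_session_key(shared_key: bytes) -> bytes:
    # Simplified stand-in for IKE: the shared key is mixed with per-session
    # nonces. Only the nonces cross the wire, the shared key never does.
    return hmac.new(shared_key, NONCE_A + NONCE_B, hashlib.sha256).digest()

def build_packet(src: str, dst: str, payload: bytes) -> bytes:
    # Toy packet: 4-byte source, 4-byte destination, then the payload.
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed + payload)

def icv(key: bytes, packet: bytes) -> bytes:
    # AH-style integrity check value: HMAC-SHA1 truncated to 96 bits,
    # computed over the addresses as well as the payload.
    return hmac.new(key, packet, hashlib.sha1).digest()[:12]

def protect(key: bytes, packet: bytes) -> bytes:
    return packet + icv(key, packet)

def verify(key: bytes, protected: bytes) -> bool:
    packet, tag = protected[:-12], protected[-12:]
    return hmac.compare_digest(tag, icv(key, packet))

def nat_rewrite_source(protected: bytes, public_src: str) -> bytes:
    # A NAT router swaps the private source address for its public one.
    # It holds no key, so it cannot recompute the tag.
    return ipaddress.IPv4Address(public_src).packed + protected[4:]

def demo() -> dict:
    psk = b"constructed example passphrase"      # known to both ends
    key_a = derive_session_key(psk)              # computed at site A
    key_b = derive_session_key(psk)              # computed at site B
    sent = protect(key_a, build_packet("192.168.1.10", "203.0.113.20",
                                       b"replication traffic"))
    return {
        "keys_match": key_a == key_b,
        "direct": verify(key_b, sent),
        "after_nat": verify(key_b, nat_rewrite_source(sent, "198.51.100.7")),
        "wrong_shared_key": verify(derive_session_key(b"a guess"), sent),
    }

if __name__ == "__main__":
    print(demo())
```
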