Diagram, Final Steps, and References
Below are simplified diagrams of the previously-mentioned setup:
= INTERNAL =
[Co. Wkstn 10.1.1.3] -> [Main internal+DNS server 10.1.1.2] (def g/w = ISA Inside interface) -->
--> 10.1.1.1 [Inside [ISA] Outside] 10.1.1.249 (def g/w = Edge Router Inside interface) -->
--> 10.1.1.250 [Inside [Edge Router] Outside] 18.104.22.168 <--> [INTERNET a.k.a 'the cloud']
<-- [remote wkstn on Comcast, for example] <-- 192.168.1.3 / 10.1.1.21 (VPN-assigned once connected)
= EXTERNAL =
[Figure: diagram of the above Dedicated VPN Server setup]
Two final steps to allow testing of the VPN gateway
Authorize VPN Users
Go to Active Directory Users and Computers and either create an AD group (e.g. "VPN Users") for VPN access, or choose the user accounts for which you want to allow access: go to "Properties" on the AD user account, click the Dial-in tab, click Allow Access, then click OK.
Go back to the RRAS interface on the server, expand the server name, then click "Remote Access Policies." Right-click in the right-hand pane, choose "New," then click "Remote Access Policy."
Click "Next," give it a name like "Allow VPN Users," click "Next," click "VPN," then click "Next." Click "Add," type the name of the group that you created for VPN access ("VPN Users," in this case), click "Next," then follow the on-screen steps to "Finish."
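To review the result of the steps above, the following added example (not part of the original article) lists accounts that have Allow Access set on the Dial-in tab but are not in the VPN group, and group members whose accounts are disabled. It assumes the ActiveDirectory PowerShell module is available and that the group is named "VPN Users" as in this walkthrough.

```powershell
# Added example, not from the original article.
# Assumptions: the ActiveDirectory module (RSAT) is installed and the VPN
# group is named "VPN Users" as in the walkthrough.
Import-Module ActiveDirectory

$GroupName = 'VPN Users'

# Users authorized through the group (nested groups expanded).
$members = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' })
$memberDns = @($members | ForEach-Object { $_.distinguishedName })

# Users with "Allow Access" on the Dial-in tab. The tab writes msNPAllowDialin:
# TRUE = allow, FALSE = deny, not set = decided by Remote Access Policy.
$dialIn = @(Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' `
    -Properties LastLogonDate)

# 1) Per-user grants made outside the group: review each one.
$dialIn |
    Where-Object { $memberDns -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, Enabled, LastLogonDate |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

# 2) Group members whose account is disabled: candidates for removal.
$members |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName } |
    Where-Object { -not $_.Enabled } |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```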
Set Up VPN Client
Client setup is outside the scope of this document, but you will also want to set up at least one VPN client (XP or Vista workstation) with a VPN connection. This can be done via Microsoft's "Create a new connection" option under Network Tasks: choose "Connect to the network at my workplace," click "Next," choose "Virtual Private Network connection," "Next," give the network connection an appropriate name, e.g. "Connect to Company VPN," "Next," "Do not dial the initial connection," "Next," type the IP address of your public interface (in this example: 22.214.171.124), "Next," "Anyone's use," "Next," "Finish." You can then click "Start," "Connect To" and choose the "Connect to Company VPN" connection that you just created; you will be prompted for username/password credentials if appropriate. Once you successfully authenticate to your work network, you should be able to access resources over the VPN as if you were on the LAN locally at the office.
Conclusion and Disclaimer
This is a broad and simplified overview of setting up a Windows Server as an ISA VPN gateway server. Details will vary depending upon the VPN product(s) you use, but this article includes the basics and is an adequate overview of the steps needed.
Microsoft's Server VPN setup instructions can be found here.
A TechRepublic VPN setup article can be found here.
Microsoft's Client VPN setup instructions can be found here.
Microsoft ISA VPN Configuration overview can be found here.