Welcome Sign in
Forefront Edge Security TechCenter
Printer Friendly Version      Send     
Click to Rate and Give Feedback
TechNet
TechNet Library
Microsoft Forefront
Operations
 VPN Roaming Clients and Quarantine ...
Microsoft Internet Security and Acceleration Server 2004
VPN Roaming Clients and Quarantine Control in ISA Server 2004

Microsoft Internet Security and Acceleration (ISA) Server 2004 provides secure virtual private network (VPN) functionality for roaming clients.

A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link. Virtual private networking is the act of creating and configuring a virtual private network.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Data that is intercepted on the shared or public network is indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is a VPN connection.

VPN connections allow users who work at home or travel to obtain a remote access connection to an organization server using the infrastructure provided by a public network such as the Internet. From the users perspective, the VPN is a point-to-point connection between the computer, the VPN client, and an organization server (the VPN server). The exact infrastructure of the shared or public network is irrelevant, because it appears as if the data is sent over a dedicated private link.

VPN connections also allow organizations to have routed connections with other organizations over a public network, such as the Internet, while maintaining secure communications (for example, between offices that are geographically separate). A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.

By using the ISA Server computer as the VPN server, you can manage site-to-site VPN connections and VPN client access to the corporate network. VPN clients can be quarantined by ISA Server in the Quarantined VPN Clients network, until their compliance with corporate security requirements is verified, and can then be moved to the VPN Clients network. Both of these VPN client networks are subject to your ISA Server firewall access policy, so that you can control VPN client access to network resources. For example, you can allow quarantined clients access to only the resources needed to restore their security compliance. For more information about the implementation of VPN client quarantine for ISA Server, see Quarantine Control in this document. For information about how to configure Quarantine Control, see Quarantine Control Procedures in this document.

All VPN connections to the ISA Server computer are logged to the Firewall log, so that you can monitor VPN connections.

ISA Server enables VPN client access using Layer Two Tunneling Protocol (L2TP) over Internet Protocol security (IPSec), which is superior from a security standpoint to the standard Point-to-Point Tunneling Protocol (PPTP) commonly used by VPN servers.

VPN Connections

There are two types of VPN connections:

  • Remote access VPN connection
  • Site-to-site VPN connection

Remote access VPN connection

A remote access client makes a remote access VPN connection that connects to a private network. ISA Server provides access to the entire network to which the VPN server is attached.

Site-to-site VPN connection

A router makes a site-to-site VPN connection that connects two portions of a private network. ISA Server provides a connection to the network to which the ISA Server computer is attached. Configuration of site-to-site VPN connections is described in the document Site-to-Site VPN in ISA Server 2004 (download solution documents from http://go.microsoft.com/fwlink?linkid=20746).

VPN Protocols

There are two VPN protocols for roaming client connections:

  • Point-to-Point Tunneling Protocol (PPTP)
  • Layer Two Tunneling Protocol (L2TP)

PPTP

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multi-protocol, virtual private networking over public networks such as the Internet. PPTP allows IP traffic to be encrypted, and then encapsulated in an IP header to be sent across a corporate IP network or a public IP network such as the Internet.

L2TP

Layer Two Tunneling Protocol (L2TP) is an industry-standard Internet tunneling protocol that provides encapsulation for sending Point-to-Point Protocol (PPP) frames across packet-oriented media. L2TP allows IP traffic to be encrypted, and then sent over any medium that supports point-to-point datagram delivery, such as IP. The Microsoft implementation of L2TP uses Internet Protocol security (IPSec) encryption to protect the data stream from the VPN client to the VPN server. IPSec tunnel mode allows IP packets to be encrypted, and then encapsulated in an IP header to be sent across a corporate IP network or a public IP network such as the Internet.

PPTP connections require only user-level authentication through a PPP-based authentication protocol. L2TP/IPSec connections require the same user-level authentication and, in addition, computer-level authentication using computer certificates.

Quarantine Control

Quarantine Control provides phased network access for remote (VPN) clients by restricting them to a quarantine mode before allowing them access to the network. After the client computer configuration is either brought into or determined to be in accordance with your organizations specific quarantine restrictions, standard VPN policy is applied to the connection, in accordance with the type of quarantine you specify. Quarantine restrictions might specify, for example, that specific antivirus software is installed and enabled while connected to your network. Although Quarantine Control does not protect against attackers, computer configurations for authorized users can be verified and, if necessary, corrected before they can access the network. A timer setting is also available, which you can use to specify an interval at which the connection is dropped if the client fails to meet configuration requirements.

With ISA Server, you can select how to enable quarantine mode:

  • Enable quarantine mode, using Routing and Remote Access. This option is available only when ISA Server is installed on a computer running a member of the Microsoft® Windows Server 2003 family. When you select the Quarantine according to RADIUS Server policies option, then when a VPN client attempts to connect, ISA Server determines if the client will be subject to quarantine. After the client clears quarantine, the client unconditionally joins the VPN Clients network.
  • Enable quarantine mode, using ISA Server. This option provides use of the Quarantined VPN Clients network, for which you can set firewall policy. This option does not require Routing and Remote Access functionality, and therefore is available when ISA Server is installed on a computer running a member of the Windows® 2000 Server family.

You can also choose to disable quarantine mode.

Note:
For VPN connections to be established using ISA Server policies, you must disable the quarantine feature in the remote access policies (RAPs) that could be stored in a Remote Authentication Dial-In User Service (RADIUS) server or a Windows authentication provider.

To do so, open Computer Management, and expand the Routing and Remote Access node. Select Remote Access Policies. In the details pane, double-click each policy to open its properties, and select Edit Profile. On the Advanced tab, remove MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout from the attributes list, and then click OK.

For more information about Quarantine Control in ISA Server, see Quarantine Control Procedures in this document.

VPN Client Credentials

The credentials received by ISA Server when a user connects through a VPN client connection can vary depending on the connection scenario, as follows:

  • When a user establishes a VPN connection from a client computer, ISA Server associates those credentials with the connection. If other users use that connection, ISA Server will not receive their credentials, but will continue to associate the traffic with the credentials used to establish the connection. This would be the case if users use Terminal Services to connect to the client computer, and then make requests over the VPN connection. Another example is if the client computer is configured to act as a NAT device, allowing the VPN connection to be shared among many users on different computers.
  • When the computer that hosts a VPN client connection, or the computers behind it, have a properly installed and configured firewall client, those computers will join the VPN Clients network, but ISA Server receives the credentials of each user, rather than the credentials of the host computer.

Virus Infected VPN Clients

VPN client computers that are infected with viruses are not automatically blocked from flooding the ISA Server computer (or the networks it protects) with requests. To prevent this occurrence, implement monitoring practices to detect anomalies such as alerts or unusual peaks in traffic loads, and configure alert notification by e-mail. If an infected VPN client computer is identified, perform one of the following:

  • Restrict VPN access by user name by using the remote access policy (RAP) to exclude the user from the VPN clients who are allowed to connect.
  • Restrict VPN access by IP address. Do this by creating a new network to contain external IP addresses that are blocked, and move the IP address of the client out of the External network to the new network.

Using ISA Server 2004, you want to enable part of your workforce to connect to your Internal network from anywhere in the world, using a local Internet connection. For example, your offices are located in New York City, and your salesperson is working in Chicago. Rather than have the salesperson call in to New York City to connect directly to your Internal network (using Routing and Remote Access), you want the salesperson to connect to the Internet locally and use a VPN connection to access the Internal network. This is the remote access VPN scenario.

You may want to quarantine each VPN client when it connects, to ensure that it complies with your security policy. VPN clients that do not comply will be allowed to connect to resources on the Internal network from which they can retrieve the software or updates needed to achieve compliance, but will not be allowed general access to corporate resources.

Using ISA Server 2004, two solutions are described in this document. One uses the Point-to-Point Tunneling Protocol (PPTP), and the other uses the Layer Two Tunneling Protocol (L2TP). Quarantine Control procedures are also described following the PPTP and L2TP solutions. This section contains the following topics:

  • Network Topology
  • Remote Access Using PPTP ” Walk-through
  • Remote Access Using L2TP ” Walk-through
  • Quarantine Control Procedures

The following figure describes a typical network topology for the roaming VPN client solutions.

Three networks are shown:

  • The Internet, where the VPN client is located. The VPN client in this solution is a computer running Windows® XP, although other clients are supported.
  • The VPN gateway, consisting of an ISA Server computer. This computer has Windows Server 2003 and ISA Server 2004 installed.
  • The Internal network. The Internal network includes:
    • The domain controller, which has Windows Server 2003 or Windows 2000 Server installed. The domain controller stores user information needed for authentication of roaming VPN clients.
    • A Web server, used in this case to test roaming VPN client access to the Internal network.
    • A DHCP server, which dynamically assigns IP addresses to roaming VPN clients.
    • A certification authority (CA), needed only for the L2TP solution. Setup of the certification authority is described in the topic Remote Access Using L2TP ” Walk-through in this document.

This walk-through contains the following procedures:

  • Configure users and Windows services
  • Configure VPN on ISA Server
  • Configure the VPN client
  • Test the connection

PPTP Walk-through Procedure 1: Configure Users and Windows Services

You can configure users and Windows services, using the following steps:

  • Creating VPN clients and user group on the domain controller
  • Configuring the DHCP server and scope

Creating VPN clients and user group on the domain controller

The first step is to create VPN clients on the domain controller computer. This computer contains the user group and user information that is necessary to authenticate your remote user. To keep track of the VPN users, this step also creates a new users group called VPN Clients.

To create VPN clients and user group on the domain controller:

  1. Select Start, point to All Programs, point to Administrative Tools, and click Active Directory Users and Computers.

  2. In Active Directory Users and Computers, in the domain node, right click Users, point to New and click Group.

  3. In the New Object - Group dialog box, create a new group with the name VPN Clients. Leave the default selections for Group Scope (Global) and Group Type (Security) and click OK.

  4. In Active Directory Users and Computers, in the domain node, right click Users, point to New and click User.

  5. In New Object - User, provide the user information and then click Next. Provide the password information and then click Next. On the final page, click Finish.

  6. Double click the VPN Clients group. On the Members tab, click Add to add the users you created. After you add the users, click OK.

Configuring the DHCP server and scope

A DHCP server will dynamically assign IP addresses to VPN clients when they connect. This is the recommended approach to assigning IP addresses to VPN clients. Alternatively, you can provide the IP addresses from a static pool of addresses, an approach that can be used, for example, when your Internal network IP addresses are statically assigned.

Any computer running Windows Server 2003 or Windows 2000 Server in the Internal network can serve as the DHCP server. The existing DHCP server of your Internal network will serve VPN client needs. If you do not have a DHCP server, configure a server using one of the procedures described in the following articles:

  • HOW TO: Install and Configure a DHCP Server in an Active Directory Domain in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=18606).
  • HOW TO: Install and Configure a DHCP Server in a Workgroup in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=18607).
  • HOW TO: Install and Configure a DHCP Server in an Active Directory Domain in Windows 2000 (http://go.microsoft.com/fwlink/?LinkId=18608).
  • HOW TO: Install and Configure a DHCP Server in a Workgroup in Windows 2000 (http://go.microsoft.com/fwlink/?LinkId=18609).
    Note:
    If you use a DHCP server for address assignment, when a VPN client establishes a connection, its address is automatically moved from the Internal network to the VPN Clients network (or Quarantined VPN Clients network, if quarantine is enabled and the client is quarantined). The address is restored to the Internal network when the client disconnects. This address assignment is not visible in ISA Server Management. If you use a static address pool for address assignment, the addresses that you want to assign to the pool must first be removed from other defined networks, because the overlapping of IP addresses between networks is not allowed.You must provide one more IP address in the static address pool than the expected number of remote VPN connections. (This includes remote site and roaming client connections.)The ISA Server computer acts as an Address Resolution Protocol (ARP) proxy for VPN clients. For example, when addresses assigned to the VPN Clients network are part of the Internal network segment, whether addresses are assigned from a static pool or by a DHCP server, computers from the Internal network will send ARP queries to VPN clients. ISA Server will intercept the queries and reply on behalf of the connected VPN client.If you use a DHCP server to assign IP addresses on the Internal network, but will assign a group of IP addresses from the Internal network to be a static pool for VPN clients, you must configure the DHCP server to not assign those addresses.

PPTP Walk-through Procedure 2: Configure VPN on ISA Server

You can now configure the VPN settings on the ISA Server computer, using the following steps:

  • Enabling and configuring VPN client access
  • Creating a VPN access rule
  • Checking the VPN networks routing rule

Enabling and configuring VPN client access

To enable and configure VPN client access:

  1. Open Microsoft ISA Server Management.

  2. In the console tree, select Virtual Private Networks (VPN).

  3. In the details pane, make sure that the VPN Clients tab is selected.

  4. In the task pane, on the Tasks tab, click Enable VPN Client Access. This action automatically enables the system policy access rules needed to allow VPN client access, and starts Routing and Remote Access, needed for VPN client connection.

  5. In the task pane, on the Tasks tab, click Configure VPN Client Access.

  6. On the General tab, select the Enable VPN client access check box, and then set the maximum number of VPN clients allowed.

  7. On the Groups tab, click Add, and add the VPN Clients group that you created in Procedure 1. Click OK to close the VPN Clients Properties dialog box.

    Note:
    You cannot add the Windows built-in user groups as VPN users. Built-in domain groups may be used (even in a situation where the ISA Server computer is also the domain controller).

  8. In the task pane, on the Tasks tab, click Define Address Assignments to open the Virtual Private Networks (VPN) Properties dialog box on the Address Assignment tab. Select Dynamic Host Configuration Protocol (DHCP). From the drop-down menu below Use the following network to obtain DHCP, DNS and WINS services, select Internal, and then click OK, to indicate that the DHCP server is on the Internal network. You may be prompted to restart the computer.

    Tip:
    To use DHCP to assign IP addresses to VPN clients, you must have a DHCP server located on the Internal network side of the ISA Server computer, as shown in the following figure.

    Or, there must be a router specifically configured to pass DHCP requests to a DHCP server behind the router. If you do not want to set up a DHCP server or configure a router to pass DHCP requests, select Static address pool in this step, rather than Dynamic Host Configuration Protocol (DHCP). Then click Add to add IP address ranges to the static address pool. Note that IP addresses in the static address pool cannot be addresses that are included in the Internal network. If necessary, edit the Internal network to remove addresses, so that they can be included in the static address pool.

    To remove the IP addresses included in the Internal network, in the ISA Server console, expand the Configuration node and click Networks. In the details pane, on the Networks tab, double-click the Internal network. On the Addresses tab, select a range of IP addresses, and click Remove to remove that range.

  9. You may want to modify the authentication method used to authenticate VPN clients. (MS-CHAPv2 is selected by default.) To do so, in the task pane, on the Tasks tab, click Select Authentication Methods to open the Virtual Private Networks (VPN) Properties dialog box on the Authentication tab. The authentication methods are described in Appendix D: Authentication Methods in this document.

  10. In the ISA Server details pane, click Apply to apply the changes to ISA Server.

    Important:
    You may be required to restart the ISA Server computer after you make VPN configuration changes. To check whether a restart is needed, in ISA Server Management, expand the ISA Server computer node, and click Monitoring. In the details pane, on the Alerts tab, look for an alert that reads ISA Server computer restart needed. The alert information for that alert will read Changes made to the VPN configuration require the computer to be restarted. If you see that alert, you are required to restart the ISA Server computer.

Creating a VPN access rule

Create a new access rule with the properties shown in the following table. This rule will allow access from the VPN Clients network to the Internal network on all protocols. To create a new access rule, follow the instructions in Appendix B: Using the New Access Rule Wizard in this document. After you create the new access rule, click Apply in the ISA Server details pane to apply the new access rule. Some properties cannot be set in the wizard. To set those properties, in the Firewall Policy details pane, double-click the rule to open the rule properties dialog box.

Tab

Property

Setting

General

Name

Provide a name: VPN Client access.

General

Description

Provide a description: Allows access from the VPN Clients network to the Internal network.

General

Enable

Select Enable.

Action

Allow

Deny

Select Allow.

Action

Redirect HTTP requests to this Web page

Optional. If selected, specify a Web page location.

Action

Log requests matching this rule

Select if you want ISA Server to log requests that match the rule.

Protocols

This rule applies to

Select All outbound protocols.

From

This rule applies to traffic from these sources

Select VPN Clients.

From

Exceptions

None

To

This rule applies to traffic sent to these destinations.

Specify Internal network.

To

Exceptions

None

Users

This rule applies to requests from the following user sets

Select All Users.

Users

Exceptions

None

Schedule

Schedule

Select Always.

Content Types

All content types

Selected content groups

Select All content types.

Notes:  You can limit VPN client access to certain protocols by selecting Selected Protocols, and choosing the protocols from the Add Protocols dialog box.

If you consider the VPN Clients network to be identical to the Internal network from a firewall policy perspective, you may also want to create an access rule allowing all traffic from the Internal network to the VPN Clients network.

If ISA Server is configured as a VPN server and acts as a firewall server for Firewall clients, VPN client computers with Firewall Client installed will use port 1745 of the ISA Server Internal network interface. Also, if ISA Server is configured as a VPN server and acts as a proxy server for Web Proxy clients, VPN client computers using the ISA Server as a proxy will use port 8080 of the ISA Server Internal network interface. By default, when you define a rule allowing access from the VPN Clients network to the Internal network, access is allowed to all ports. However, if you choose to limit the ports, you must allow access to ports 1745 and 8080, respectively, for these scenarios.

Checking the VPN networks routing rule

When you install ISA Server, a default network rule is created, establishing a routing relationship between the Internal network and the two VPN clients networks (VPN Clients and Quarantined VPN Clients). To view the rule, expand the Configuration node and click Networks. In the details pane, on the Network Rules tab, the VPN Clients to Internal Network rule is listed. To view the rules properties, double-click the rule. For more information about the relationship between the VPN Clients networks and the Internal network, see Appendix C: Network Relationships in this document.

PPTP Walk-through Procedure 3: Configure the VPN Client

This procedure is performed on the VPN client computer. The procedure is based on the features of Windows XP, although other clients are supported.

1.

Select Start, point to All Programs, point to Accessories, point to Communications, and then click New Connection Wizard.

2.

On the Welcome screen, click Next.

3.

On the Network Connection Type page, select Connect to the network at my workplace, and then click Next.

4.

On the Network Connection page, select Virtual Private Network connection, and then click Next.

5.

On the Connection Name page, provide a name for the new connection, such as VPN Connection, and then click Next.

6.

On the Public Network page, select whether you want Windows to automatically dial the initial connection to the network, and which connection to dial, and then click Next.

7.

On the VPN Server Selection page, provide the external IP address of the ISA Server computer. This will be the address of the network adapter that connects the ISA Server computer to the Internet (also referred to as the External network). Click Next.

8.

On the Connection Availability page, select My use only to ensure that VPN access will only be available when you are logged on to the computer. Click Next.

9.

On the Completing the New Connection Wizard page, you may choose to have a connection shortcut created on your desktop, and then click Finish.

PPTP Walk-through Procedure 4: Test the Connection

You can test the connection, using the following steps:

Checking the connection from the client to the ISA Server computer

Checking ISA Server for connection information

Checking the connection from the client to the ISA Server computer

This procedure is performed on the VPN client computer.

1.

Dial into the network with the credentials of the user you created earlier in this document.

2.

Ping the IP of the HTTP server.

3.

Browse to a site on the HTTP server.

Checking ISA Server for connection information

This procedure is performed on the ISA Server computer.

1.

In the ISA Server console tree, click Monitoring.

2.

In the details pane, on the Sessions tab, verify that your VPN client session is listed.

This walk-through contains the following procedures:

Configure users and the DHCP server

Set up the certification authority

Configure VPN on ISA Server

Install a certificate on the server computer

Install a certificate on the client computer

Configure the VPN client

Test the connection

L2TP Walk-through Procedure 1: Configure Users and the DHCP Server

You can configure users and the DHCP server, using the following steps:

Creating VPN clients group and users on the domain controller

Configuring the DHCP server and scope

Creating VPN clients group and users on the domain controller

The first step is to create VPN clients on the domain controller computer. This computer contains the user group and user information that is necessary to authenticate your remote user. To keep track of the VPN users, this step also creates a new users group called VPN Clients.

1.

Select Start, point to All Programs, point to Administrative Tools, and click Active Directory Users and Computers.

2.

In Active Directory Users and Computers, in the domain node, right click Users, point to New and click Group.

3.

In the New Object - Group dialog box, create a new group with the name VPN Clients. Leave the default selections for Group Scope (Global) and Group Type (Security) and click OK.

4.

In Active Directory Users and Computers, in the domain node, right click Users, point to New and click User.

5.

In New Object - User, provide the user information and then click Next. Provide the password information and then click Next. On the final page, click Finish.

6.

Double click the VPN Clients group. On the Members tab, click Add to add the users you created. After you add the users, click OK.

Configuring the DHCP server and scope

A DHCP server will dynamically assign IP addresses to VPN clients when they connect. This is the recommended approach to assigning IP addresses to VPN clients. Alternatively, you can provide the IP addresses from a static pool of addresses, an approach that can be used, for example, when your Internal network IP addresses are statically assigned.

Any computer running Windows Server 2003 or Windows 2000 Server in the Internal network can serve as the DHCP server. The existing DHCP server of your Internal network will serve VPN client needs. If you do not have a DHCP server, configure a server using one of the procedures described in the following articles:

HOW TO: Install and Configure a DHCP Server in an Active Directory Domain in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=18606)

HOW TO: Install and Configure a DHCP Server in a Workgroup in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=18607)

HOW TO: Install and Configure a DHCP Server in an Active Directory Domain in Windows 2000 (http://go.microsoft.com/fwlink/?LinkId=18608)

HOW TO: Install and Configure a DHCP Server in a Workgroup in Windows 2000 (http://go.microsoft.com/fwlink/?LinkId=18609)

Notes:  If you use a DHCP server for address assignment, when a VPN client establishes a connection, its address is automatically moved from the Internal network to the VPN Clients network (or Quarantined VPN Clients network, if quarantine is enabled and the client is quarantined). The address is restored to the Internal network when the client disconnects. This address assignment is not visible in ISA Server Management.

If you use a static address pool for address assignment, the addresses that you want to assign to the pool must first be removed from other defined networks, because the overlapping of IP addresses between networks is not allowed.

You must provide one more IP address in the static address pool than the expected number of remote VPN connections. (This includes remote site and roaming client connections.)The ISA Server computer acts as an Address Resolution Protocol (ARP) proxy for VPN clients. For example, when addresses assigned to the VPN Clients network are part of the Internal network segment, whether addresses are assigned from a static pool or by a DHCP server, computers from the Internal network will send ARP queries to VPN clients. ISA Server will intercept the queries and reply on behalf of the connected VPN client.

If you use a DHCP server to assign IP addresses on the Internal network, but will assign a group of IP addresses from the Internal network to be a static pool for VPN clients, you must configure the DHCP server to not assign those addresses.

L2TP Walk-through Procedure 2: Set up the Certification Authority

You need a certification authority (CA) to issue IP security (IPSec) certificates. Because the certificates are for internal use only (to be used on your servers and your VPN clients), it is advisable to create a local CA. This procedure is performed on a computer running Windows in the Internal network. For a stand-alone root CA, this can be any computer running Windows in the Internal network. An enterprise root CA must be installed on a domain controller.

Because L2TP with IPSec requires IPSec certificates to be installed from a CA, you will also install the services that will enable computers to obtain the certificates through a Web page. If you prefer a different approach for obtaining the certificates for computers, you do not have to perform the Internet Information Services (IIS) and Active Server Pages installations described in this procedure.

1.

Open the Control Panel.

2.

Double-click Add or Remove Programs.

3.

Click Add/Remove Windows Components.

4.

Double-click Application Server.

5.

Double-click Internet Information Services (IIS).

6.

Double-click World Wide Web Service.

7.

Select Active Server Pages.

8.

Click OK to close the World Wide Web Service dialog box, click OK to close the Internet Information Services (IIS) dialog box, and then click OK to close the Application Server dialog box.

9.

Select Certificate Services. Review the warning regarding the computer name and domain membership. Click Yes in the warning dialog box if you want to continue, and then click Next in the Windows Components dialog box.

10.

On the CA Type page, choose one of the following, and then click Next:

Enterprise-rootCA. An enterprise root CA must be installed on a domain controller. The enterprise root CA will automatically issue certificates when requested by authorized users (recognized by the domain controller).

Stand-alone root CA. A stand-alone root CA requires that the administrator issue each requested certificate.

11.

On the CA Identifying Information page, provide a common name for the CA, check the distinguished name suffix, select a validity period, and then click Next.

12.

On the Certificate Database Settings page, review the default settings. You may revise the database locations. Click Next.

13.

On the Completing the Windows Components Wizard page, review the summary, and then click Finish.

L2TP Walk-through Procedure 3: Configure VPN on ISA Server

You can now configure the VPN settings on the ISA Server computer, using the following steps:

Enabling and configuring VPN client access

Creating a VPN access rule

Checking the VPN networks routing rule

Enabling and configuring VPN client access

1.

Open Microsoft ISA Server Management.

2.

In the console tree, select Virtual Private Networks (VPN).

3.

In the details pane, make sure that the VPN Clients tab is selected.

4.

In the task pane, on the Tasks tab, click Enable VPN Client Access. This action automatically enables the system policy access rules needed to allow VPN client access and starts Routing and Remote Access, needed for VPN client connection.

5.

In the task pane, on the Tasks tab, click Configure VPN Client Access to open the VPN Clients Properties dialog box.

6.

In the VPN Clients Properties dialog box, on the Protocols tab, select Enable L2TP/IPSec. You can choose to clear the Enable PPTP check box so that only L2TP connections with IPSec will be allowed.

7.

On the General tab, set the maximum number of VPN clients allowed.

8.

On the Groups tab, click Add, and add the VPN Clients group that you created in Procedure 1, and then click OK. Click OK to close the VPN Clients Properties dialog box.

Note:  You cannot add the Windows built-in user groups as VPN users. Built-in domain groups may be used (even in a situation where the ISA Server computer is also the domain controller).

9.

In the task pane, on the Tasks tab, click Define Address Assignments to open the Virtual Private Networks (VPN) Properties dialog box on the Address Assignment tab. Select Dynamic Host Configuration Protocol (DHCP). From the drop-down menu below Use the following network to obtain DHCP, DNS and WINS services, select Internal, and then click OK, to indicate that the DHCP server is on the Internal network. You may be prompted to restart the computer.

Tip:  To use DHCP to assign IP addresses to VPN clients, you must have a DHCP server located on the Internal network side of the ISA Server computer, as shown in the following figure.

R0lGODlhbwHFAPcAABAQABwcCCwsBCwsGDAwKDg4DDg8FDw4KDw8HDxAKEBEFERAKEBANEREHERI KEREQERIMERINExINExMIExIPExQLFBQKExQNFBQMExQPFBQRFBQUFBVPFVVNFVVPFlVRFVZRFlV UFVZSFldMF1dOFldRF1dPFldTF1dWWFhQGFhRGFhTGVhTGVlOGVlVWVpRGllUGVlZWlpWWltUGlt aXFxRG1xUHFxTHFxUHFtbXFxWXVxXXF1aXV5SHF1dXl5UHV5XXl1aXl5dX19WYF9WX19aX19cX19 eX19gYWFVYWFXYWFZYWFcYWJYYWFeY2JaYmNZY2JcY2NXY2JeYmJhY2RZY2RbY2ReZWRZZGVXZWV XZWReZGRhZWVbZmVZZGRkZWZXZWZZZmZYZmZZZmZaZWZdZmZbZWZfZmdXZmViZWdbZmdZZ2daZ2d cZmZlZ2ddZ2deZ2ZlaGdeZ2dhaGlcZ2hlaWhhaGlfaWhlaWqhaqqfaWloaqqka6qiaqqnaqqqrKy ibKykbK2fbKyma6yqrq6iba6lbq2pba2tr66lbq6rsLCicLCkcLClcLCmb7CpcLCrsLCtsrGjcLK kcLKlcrGlcLCwsbGocLKmcrGmcrGpc7KkcrOicrGus7KmcrOkc7KncrOlcrOmc7OkcrOnc7OlcrO ocbOrs7OmcrSldLOlc7KutLOmcrSncrKys7OqsrOts7SldLOpcrOvs7Snc7SodLSrtLSstLWodLO ztLSvtbWndLWqtLapdrWqtrWstbastrWvtbW1treqtrayt7ett7eut7evtre2uLizuLi1ubi0uLi 3uLm1ubqwubm4urm6urq1ubq7u7q7u7u4u7u5u7u6u7y1u7u7u7u8u7u9vLu7vbu8vLy7vLy8vL2 5vL26vL27vby+vb27vry+vr25vb28vb29vb2+vr28vr29vb67v/28vr2//r67v/2+v/65vr68vr6 9v/67vr6+vr6///69vr/8v/6//r/9vr/+v//8vr/////9v//+v///ywAAAAAbwHFAAAI/wD/CRxI sKDBgwgTKlzIsKHDhxAjSpxIsaJFiv4O0vvnz188f/vmRTs075rIQQg8QCqX8Z+4izBjypxJs6bN mzhz0mx50N+6fv7AFVHhocSqOSVwnDLkAcaqatB0Sp1KtarVq1ip8ixIL1/HPRlKnIF3xQMAILdu vbp1hUUQYtyyyp1Lt67duxW3Fuw4jkuEGSpSLAs26IUJK7+cOUMK4A/ex5AjS548U+9Aeh394Qly rQ+QBFcSOetSY4KUChWI+rFMubXr17Dnsv7nLTOVFa/K3DL0wsMQW3IKFCBRxdCCOrNjK1/OvHlE yxs5yuvLhA+CEkV0FU5h4cWPAnDKYP9Y7by8+fPoZ5/z6o+LjCtLdDEpYWeZgyF6ehjIAwfDnOTo BSjggLIlJE8+8cTBwxw7lDMPMRLosgAOVjxhQBdwLOCHPQZFR+CHIIa4k0YceeTeFjrMM88+H/Dh wRJ9vGAAHIEMwEdG52zkoYg89uhjQ6xt1FE+cRThIjXlgJOBLhKoAEcTDuSxxAJTIMPVj1hmmWVy XvUThwyHpKADSRlAIkEUZSgBAAbXnaABIv+co+WcdIpoWT0C2ZbAIK/wwUIJAWhywQt5DCEABnLY wQEAVMR5WZ2QRtrcnQKx90UEHWAAyCtzDKHJfWXUMAIRFSywggaNXrajpKy2Clly8nT/VIcMzoQx QgVnnHIMBj/o8QMADVTwBB8o+ICNjq4mq2xr0fljjnvGkFKLISk4AEgBLYyArRR3dHFGCEfkGWus HS1r7rlYRYdZN3+goIspiSgBSCEKBCDACFK00cYbXfChgRAe9SOwwNV4mUZH6fjTjUB41oNniehG LHFE0Z3jBgGQaHKMCRZYMMwEP9ChRxJlyLFEAhQoIvA+LujQSTmDfHBCECxMIXBLDw9U7sQ893zQ OXL+A00kCaSwBTx53OGMAj+UYUUgQ3TwwhzV7KOMEyhwscUOA0CARzTBzDHFAYpU40/DBO3s89oT B512P5184AEfy9ziABB2RAHBCkVQ/zNP1QSYekg0usBxAQ5PHBMMYSscYeVAD6vN9uQ803OOP2bj sYILfCTAggwJ1EFMR/2EJAEfS/jWxzW3dJFCA3oEEkgGA1jyz8ORA0j57pDmaFBc1SiSAwAEcEFN RtUI1A81KwyyzCM4VFBDH86YUggAATjARACr/KPNXrrzLv6Pq9KDDp7b6IxIR9xwk36e+2gAyQw6 6KLJDy+MAIgFFTTwAx8EWIU/0IGPtIVvfAjs0aoYRhBzyIMg7fhHPPrBAEh4YAcVIIImAEEEBdRA Dw1owRwSEImM5CxPCUwh5fyxAUQ8gBjXWAIGEgEIA+iBDgV4wR0SoAuz/QMdaVOhEP97ho93aCAX FNDFPOARCBzkwQBm6MMESJCHAehiH/7Axl6GyMWJPcASISDGPMrBBxgEQgB9kMMCfnAHAcwhGpLj SBfnaC5zbEARA7gCPOBhhxf0YQFy2EIHAtAAA2CHGP+ghzR0RsdGtoob/tCAIiKhgwsc4gpE6MOF 5FCtHhiiLA9ghiNHmSx/9CMADODCKg4BhAHMQJOA0IMAUlAIJSAgAQF4xj+yQcpeQqpq74HBmXYj B0AgwAx6GAEJJlAAE6ThAIj0pTTn1I9yUOAQuuDDDBbwBlkAQgG+UoAAWtCEPKSBAKKcpjrxkhnd LewfcREIPszREXv4Ix3/iKApMzD/iFXc4hKvIAEJUgCACRigBmaAwx3OwAQCUCN564yobDKDEHNg oyPuqAYVVpE+atRBA36Ixj6AkidqUGAQ0TjGExYgizeMQAA16IIZnHaFNBQhAshgTRwlytPKUJQg 6PCQPHIxBwkUYQVc8IMGjLAK0B1idO94xz1loIEdPOIWeUAAHAwhAEAkFA58+AwH9tCRBe60p2i1 SDsR0hFCJMADp0jLDpoyh2NcAhIykIETBGJPe8hnBVe4xTFeYYcK2AEOTxhCAjhQB7Pp9Kxpjexz fspAgVjDHxcjQQsKcQl4nOIJL8BAHm4RjTmEgAFwSp8/3HGIIHhgCoRBwBaW0AEP/xzCHfcYhz/o kY0TluiAkg1uTyBbojrogBdJUEALlAYMR9yhBRQqwQceQIUC/kMdHdlHMlzgARkEoAQSwEMywAEU Z7GVuMJN73ARIidTHoEFtqDFMH6AARIYwhamMAMAAFCEQwxAEf8gRzsKyA16wg0FDIjDPkbaEW8E 7XvgA6561QudPHWEC0U44w8ccYknVOAHE5hADWY0hwXgITqR40g3/DGOeEwwHo5aCHonTOOEeEM6 46gDD+yAg7boQBOfesHIBHCHMlzgPxB+iUHWCiQJ1/jJFu5HGmTAhCKUoxx4MMoFlBAGJRSgDXcw AB8eKBAg/lCtUE7zQoREz3twgf8HfgiCO/phjSRO6A09KEAY6ICBQGREi75Vs6Bvkt06FME9A3sA JDpAhDckoQCC6AIA8mCNGJ950JieiZB+UocymZgY1oREBV5QhUcXsgkpOIEwBALhQGf61RChx7gm eE76FOEDIzxEB5rQBzU1DQoQAIATYuU2GcsR1sgGXz+YkYMVlCEFL9jaAOzWAjr8oAFPQAAGViCC I3hFIEoebjuZnGxMd8Qa/QCHEwLAGUM8gQQUioYFkqCHFgDAATcgwiBEEARnhW/clC03lDETlH64 Yx/f4MEKTgAEY2SiGLKoggVaEIAWMLMFZtgXHFwQA4EgS+Cvhqx143HwkMyjCBn/IEYdEnCMX8SS F8N4A7Z6kAQzvOENJmPAFzyeyAWCHNbWvZxPEE4MI2TgEPs4xAlYkIdldCAFXTAECdgYHjtEbQFH 0CLPf/7zh8l6YPvgwQkiUbrlzUFumlgCEK6xgCFEAQ5RuIAE7ECM5N04kVznutDzMVJwBEEDkQBH PH7iD3ZYQxEMCEJII2CENKyAAlzQxWUFonVL5z3ZphwYMZzwALLrFnMt4UaCXOACAmiAATl4xj0H ErS7+/zygpZH6cbRj2ZwIQSryMc6/JGPSgdYTnHB7AOEYKWW4ON9AvEd7JN9j33MeR1GkORHyjoQ cvxjkf94R88Jgrvt3/j1y5co/4Ci041q7qMaPBCBJWasM/aHP726kwdmEE4NJ4z9I00m9/sxL3Rz lI4aRQB45cUQAOd++zdh0ZEPsicw12AEIkB2XmEOBFiAB4hsQtd8CHdrkLAPu3dABehkFRhcpFM6 xMAEIBAJztcRxaYQABeCr7YR/TAO2nUFJbASI9UPMHZ3QOKCyOYVcyYUHIB0AhMOHfFOPLh8BEde B0cNPAACsIBFBniENSZyAkFyC/YN1MAEY1cOJOVTUihZQdcR63CFAYiCDPaF4ed1C7g8R/CA+3AP MYiG77d3fXcEIUB2hAeCcihomScwm/eAONgR9LSHsCd7+0B7tneH0+cPD2SEhP/4c833fNGnCJlx dzooES3YKuDXIaryiCyoEORnfuinAZ3QhQ+xIw6kMB4xUtRwMPinfdYFKfSgLuA3i55obAohfyCB hfYXCbtHEZaTJ53gBAq2DE6QADKQAXVADQnDKpt4izLhD/1XOt9QhgN4ih4nJ9iwB0HwAVPwATrA X8ewDJCwAxowBaqnhwFSiwlhi9DIEAm4hg0IiF5xifDocRtBCASwAroANnYABB2wBIdwDLoACUXg AnHge84Iiu8oERdIhh+wgR3okKz3BQ8gAxiwBILlCIZgAxjwBI+wDIewAgAQCefijh6Skg0pY5m3 DyV4gikojRUxi27AA6VlAqT/ZgvGUAuAgAMpMAMXAAMHgAfquI4DoXXngAy5gAw3VnmPspIIAYMy mAw0CAngcIMPZI9rtnVuQAN8YAFVcAM/0AJSwAiYQAT7tQV8oAIHEynkQg2RkAZpcAQacAAacARx gAc5FTBR+IiYMUHlUARBeINEqDAToYNIEARzYAJd4B1d0ACPlgJeZgd2gACE4IF3UV6UsnX/UECe qTPgwAQsgAOBQWqOMFhb8AIwMAMswAJbsAwq0g8SWA/4EEHtV5QQMRvyx30CYZu/5TbTYBDfpxP4 oHzk8DDW1U5kBmGR8TArZg/9gH4esArwcI3ASBBxkANTAATwcA1XMAPHgAA4/wAHXgYFeZAAfHAP LSEnJ5QZpjgXN7MVSsacCQFJeBABUWAHSzAMw0ALoiAKtSALvOALxQAIZQAHQ2ACT0AMWMSet5M7 uOkQ+rcqu+USeMIN8iAPi7gwERRBG+ENwZgT2uBq5GB95DJn8SCB6vAPwYkX/ECLGFUN8wEJ8IBF NGEOX5ADfLACIlEOHDAIJtAEd4AD+3GeeAAUsVJmsTiCsxGhudkR/GAQ+EBwdFZP6aAOUmVKh2BV j7CTtQAKqIAKocAIZikLpmAKr2ALwZB2CzAIJPWZFjYV+pczq1IP2AUSy7NRGUEPsXglUlEP54Cl 1vcPsZJu+6ALZCcPg6iVc//BD+1lYOAQfZGgIjZ6ESkZB0fgBEVAqRGwCglgAnfgZXdgBR5ACOCA I+fVl4T2D/wQpaxHDx9hNe4hASXAAnIjA3yQDFugAsdgC45QC41ACaFQCaEACrRQC2fqCLbwC5eQ CJpgC5owJkCBD33qpBJ6Vg5TEDdGctSQDGmQAPZnBLmQGfTglFPhW+9gDfZUOrBAVRkQBMrgD/ZE ZnXhdeyxPEzwASi4IpNHE3XglTAQDfAwDwugCR5gBWXwAwagBA5wACvgBMljDq+nqlXBF4eKBwuw A3wQCHlgB3kQCHCwAxgQAClgBr0gCsMwCbEQCpTQCI2QCaLQsrXgCI1gCmb/agrAkAglEAk+tKRa sVO06XEORE9VQwx8cAH1cwqPgHJTcAhdaIvP+BB3ErQCEVWm5A7R0AlFwAJXAAnH0FB1oAi6VRPq 2F5lF6kR6XzWCRNJygUPEDYD0AnwwAKHsAA30AVNAAAGgAOBAChxIEd4YmawYUr7cA1FYAMeoAlr gQmmwAs3u6yAID0joAeh8AmxMAm0gAu4IAu0AAqi0Ai0IAukkAmj2wiXoAsQIHn2dKfW2mRbCRID WwQpUAKnoLSXoCunoANAwAOrRhAriBHJgQ9BxRHgUA4lKAFLcAqvcAmPEJKfIwNwFI3612Qr85Ib OA8IExPRQWZcwAAQAAeX/xAEXBMMUpMINSAAjkAEC1ACBHAEQRO1jwES4MAHSQEH1+AIpkAKuOCf pEsKZ1oLzgAIbLAIuxALi0AJMVsIhcAIsYALvdAIiyAKtBAKooALpOAIr6ASVTq9hJYcthgUywAH CLAEgeAMhmAKvloMhnAJzpAHAIACDga/Uvtv7CAfFwAEmhAMl2AKl8CslxANdjAAGdC6v/WBRsyI HnGVy3AFEVkODMYh8WQRq+IGKJAILyAsUdABmuA/dKAFBdAAAnADW+ACR1Auffoa6XYNEJAHxeAL gEALl1u5oRALtEALmdAIoNAIvkALvlAIsfDH/inBuCAKi7AIdDymnzCmlP/AC8AQCAuwD9EwMGvb wQbhdRxBDHOAAUOww7LgCLiACY3wyQWaAgUAAwTAmTLMgsH7D+kQCUwQAUvwCsbwCppgCo6ACb1Q DHcwAwOQAhFAxCO4Mgs2zMRMzGe7D4EZhCsSgxkRxZbaEjiaA8ewQR1wGLYwdVIwAQDwA20gB3AQ AjlQTxlBr5KhZCBRDkMAB4lQC6LACKgQC59QCvJcCmHqCfbsCWEapvL8n/wsCqHwzwAtx3NcCL7w CzjwObYaBMvAhTwRK/kAMTCxU9Yle0dwAjIQCMWgCfhbC4wgCqCAC4DQAspVBVvAAJRcEPUAYc+Q jExwC8HwCidcC4kwDL7/oAckoAAkUAZlsABE7H/EcgIrAAO2+gEsINQqAAMwoAJEzQIq4AJ/AgMD wAE2eIZk+6F/4ALB4AjFYAxycMUCUAAhxs1tYAZb8AFlbMRRUSL0xIgx5lvqgo8T4SHeUED1AKvu UARX4Mm9QAmLMMfxLM/5fM/2jAr4HKb9/J8B/c+fsNiWuwi1AAxWIABbMAdzYAcZ8Gns4G+OhUI3 EUHesAcDwASRMFiZkAmywAiNIAvDUG8KgC90wAZNYNKrehDckAMnYAS6sAqPkAi2YAt6jAttMAKt 3QV60AU/AAHWWhsecQQuMAdnkCiUeQfhAQdW0AV50AdwAAf8Qdk7WgQi/0XVZEt5XEAAx+ALhlAF y5oIBWABUvDaUoBMV0ABTjBB4GAJyjBS1RAJTqABcVAN8XBZvLen3sMwC6SSFIN3t5NPEmRBnjzB hTzHgB3Y9gwKFO4JoHDP/ZzYib3YizAJlCALmiAASxAMt/AIr/AKSB0MWFSY30bEbEUAf/EIwMAL jFvBwyAIIt0CWUAHYZAFWlAFsm0TlnFjkQAAHhBYayELiWAKvSAINaBcWcAGVSAFctAFC9APMCF0 4JADPKALhvDliZAIhpAIjfALvMCRgDDmNGQIrxAMQLAF8zDJM5Gk/xAJR9ABb2ALN4ABOPAL7M0G StAGgPADFYABacAO/f+gDNEnA1OQDPm6BZ0gAzrABAOzYh73ML7ppzEBRCCxAnLwC5jACItguZVb CflM2IJt4RZe4Rmu4QG92LGA2reAA+hrC6+Av7fQBx2g0Jkhe+RcE3iyDg9wCFBgAA1QBZgwDKBQ CC/VAkkgMlnQ3tYW5FSxDopQAo+QAiNgBoAAuS1QACOgBWvw2lhQBWbwBA6A5RG9WkbABK8w5VIQ 7UmwZ6Sw7GugBFKABe99B23eY/vw6zVhORkRFNnuAIGwBXZwCR1wA2aQB0SAAJYED9TQDycQAi5A DHiFAAOwCrmtC3MQBCfABdPXDT73MO/7u/DoIUHzEv6QDAtwCqYACqH/UAp/LAmMUAmpnvOCjQr+ 7OoU/PP/PAqSUAmZwAuaUAGJ4AuN4AmykAkB/AQ8YHAK6BMuvmTRUAJ8YAyA0Agj4Ow/oFx6wAav PQZaIAVaMAZAfhX9EAkRcAzAAAhTJAffEe5iPwZS0N7F/QNXfhF4crVMwASGgAVjwAZsQAZjoAeM AAqZgAqZIAj6zgZSsAamYAwzcAX+oH1LBhPNQi7+4CDRQAE5cAXRkABLIEMd4DzusFoUtAMZoAN8 cA2oM8KP4AwEqQMMkAv7MIiVpQ0+l8pP2SH+gDr4Gws0XwqVcPMXrvM6jwql4OqHjdijIAiogAsP pwm8wAi4sAiosAgP//cKRhD15aX7N/EM83ABt1wLlNALdBAAE4AFZIAFY50ESSD2bKAFSkDtUmEO 4LBoxoAJtNALAKEHgAI6bKSw0TJGTxssUuRUWeDv30SKFS3+k2ixHsZ+7oIUeYRFy8gxdBgNq0TL Fy1BY6SIAUOHljEcVzJa9Hfz4k6eF/PFc9cvnj9COVAEIJAhDbV+/f698xeNQqdgQ1KQeFXMFA4H L+RUyABgVb91/s79w7fxn1qK9M72hEsRGr2J+J6CYzHnEi5KkiQtYpQJFChPhQuXQpw4sSfEoRw7 FhVZ8uRYnFIWSsQrEaNdi2INE8TIlC4CyNz562dOZ1zWOPddu2Cq1f+kYaScjfhhhk0bNmbavPEi RQubLgxaH2ftb98hB8UoFRpmrMUPOmbouBSOpbeZJhhWx/0+sek8IExO8R6jhYyeQoz0VJJViA5v MWjohBqGY8q7nTmRx6Uno5z8MccbiiwJYY9w/MmnImv2WYGPQR5xxAwDagCkFjoAaMCGQxIYyz90 JhrxH1csOYcueuiCBpn/JjrrC2FSxAcqYga4wRdGKkEFFR4Ha8QTVIQUUjHFhIRsMiUnW6QzUGTh pRBcOhtmEUl2iSWTV/yQYZlx/KHrReQCBIcDQ14hhRJZfimAiDa6YIgMKbxgo04ymjBOTD0xWueR FF6phZZFZLHghjf/tEuiIDawIMOMN55YwKk9K5KnoyKYMEQKLMwwo4sqcBiBhBqeuIOOKqQgI6ZG gNlhCnX6C2/Sf1b8560StZm1Ilwx2ieDQy7AYIZEjPnBAhIUkMKCF86AYJZ9/JHnImY2eICZiVTc ww0x6drAErqgiiaKBQzApZFMaGlkMF8S8QWXYQAZ7FxacBEEFFrsZUQWSnCRMpNG+MoEl8FAaUQW WVCRpD1ZQEmJsSM90eQYGaZw5x8DZWUNGwJyOOSWYGyxpQIiqqhCjyzISGgNMNZYAwoKoJnIm7cw 7km1QyS4RBNTfnmlAhzeMIOMMdDQAowswti0iQQkpfmfeIJg4pEq/7DowwoYJNBhFXYOcWGAJcqQ owwp6LjlFhjS8Ieci/xrelLl5vngkBJ0SaMEGI7JQwBAzJiABDkgiKSfjDbCFdo9nPDHkg1QIMSb BwJA4h8qaEDkH0TioGGPL0JAgRl6sEEiBmH+QcHbf+ypBhIYHJmgkFjSzcSUTOJrg4xEnCmGFGMc 8deZRjDBpZdiGMGlll6cAYQX36U0pRdcMmGkEF+GWYmWShgxLHshZXHkFRU6SQetiQaMtTXUBP+n HXzwiWEKDYIIpGwTWihDDyWE1qI+MNBYo4kDsKkIgdqGEfL9wxy5CEAJomAITTgjWGXoghIOsj8w hKEK3HHAPjCWlv92YCQIS7iEHMwAhQvIYBVy+YclKMABFtwiEHJIxDF24AT0BRA15RsgrFCzj3Iw IBIRWEU5ojGFHfShAm/4SgrugABd7IM/bGGQP/ZwBH/wQAjI8AEhvuADZFBhA194gDC+wABEQOMB iBDGBmZFBSo8gHSuGF8nPKALXqxhAsMIjCl4IQtGYAEAXnBEDTDQguSNAAAkMIUzaqDEX5iKBF3A Qg0ssDNT3CEFRHBGEgAwAjqwQhKMAMUuhqQ9IZ3kEoGQQD/SMaCmCI58r4QlLFvpn2784wH7mMcO XoCDXzjgBoBgFBvSMwaVsawJHshJNZoylFg205msnKVEEHGEb+j/YJeJwAARDsUyKaxsDWSoQheg gIFnPbOABBwQRbihHCAs4RZ3GAIQrrEPd/DHYrwaRBFSQIeCAWMGTBDKK6NpToIW1Jkd2YcGIkEB YuzjG3xQwSAcAIc3KCAFfTBAE63BDYuUpQ484McXvgANH1hiD1SgxxE2gAQCuCIOVJhV5+jhxj8I AQkB+EcMLDGraMjgDJoYhnzmBQp/ZcIXvphAIkwhgCY8IQXH+AEC7pCIH5DgBw0IpACGAAgB3IAI I9CEI5TVABJYoQBSWES7WMEKT1SClIxZRCh48Yoi4KEf4NhHXvXaFL321a995Stgc9IPAhThEvC4 BhxIAICR3S8J/8MsZv8SQI193KMplv1rZjX713nMI6+CwwaCiDGPaGzBAwEYwh2mxgYwgEGY4OxC Exzg2c0CtpV77Yc87DGeISzhFYDAQB4Al1uOzsof5ZjHMjAQAEH4whZDOINnWxnY2mZ2utfFbnax 69dkPCASCSAED+0wAzsMoA96wMAIUpBAYpiFIt7Qhz+Y8QAGhIMKcfiHEBCBjRzQ4BlCQMEfoPEF QkwEBc/4Rw6e4QoUxCAEzKACHOnRiQx8jBG92EUoFoEKXJiCd6AoQCIugYBbGAIBmviKM35BAgOM AKtWPYYmECCLVxjgF2YQQAoq0IRLNAAl7QHFItL61lJgqRC9WP/CHHUxC1g0GRazgHKUpTxlKjPZ ybPoRCQUQQEWYOAOsiiHM15ABEehJ2XelG0kOqGLVUQCFpGocpzl7OQrW8ISrthDAEJwBWIgFgMv 0E0WssAG/qmnC2ZQAgKeLOc5Q7kTq8hFlv1UBWPYIgBXeAQFaBAt48ajHHOIAA4EIKVaAOEFh1hy J6JMZ0a32tWvnsUqIKFQI7hgCuUYxA4GgQA4yKEBARiBGV4ggTTUsiLhWJE0wnEtuqRoLp+D2T+g cZZoqwgb0/7ctfgwg2OYQlCL+EQsUNGIdMVHAX24RQMu0YcGFKMPDtCEMVJwg2LAIRE3+EExNGGA 7hlAE4FwgCn/+tCEWxSgELtYCWF2RGQh92IYVkhgBEAwcYqLwOIgEAHGNZ5xjmPc4hmnOMZD4IIM BMAZtmjBCIgAj/m9QQlHgyyaAeACDnCAAhk4QQY6vvON95znIPBA0D2A8Q1sIAQECMEyguCBIcBj l75RmRTQgIaTOYoIBhg6z7X+cZB7XAMh0IAHZiAAIhQjEUqYQQogkQYNUMEaqAlCCSRwBbPq4TNE QIAHPsD1rk9c6z7ne+AFP3jBR0AHANABJA6xgyJIoAOBGIAc2F0DOgACCgIAwOjCRBF+wOhib0nR 5mtVkYv1ZAGDeEUhFjGMWFipFAXjBSh+IIAk9AEDpjAEImWh/wQFOEIWI5jAC4rxAyVwLwWJcEQF XuEIJWDAAnKwRRUmwAZUAOaokiAyJ8BNCygAYRnUWMYykjH+ZjCDGc1Af/rVv371jz8Z4W/oKjxg iEs4oxA/qEAAfvAGOpBhDTH/piaQAGJQhmWoBmqgBvZTwAVcP/cbv2V4hgNCBBRYhWQIhCVwAABI LSmQgjVAg/pQD0dpAgRYBgZkP/NrBvcLP2WghmiIhmXAASVoBDMoBkOwggQ4Gyc4ASYYAMa7AhxA gCQQBFrYCihIhhdcBhRMwWQwwSZswvCDwiiUwvCLBmLIgBmYu1sYhBfYgkAQAD14gwKogSQQgAYY AgJ4BomQB/+zCIfO+4cSMZBzOIvNoweZuSdaea+KmIt/EIBjuARe0LDKaJJMIEQdGQxSiD1MGIZE qIVMIIVEIAVTaARewIRMqAXZaYRacIReIMT42ERHwIUNYwVUAAUfoQUii4VUrIUn0IF5cAe/ciXt kkXqagp/wKsMMARHEAVQsIVfaIAboAMpQBoAJAMoOICmCAp3WIdZZMbt2it/+JKFOoZH4AVbeAUM +AFIWgPWWpkwIAMsKAMM3IdmjKZ+wK2ceEV4IIIlwIQIcgQ96IIX6Io5uIAEOAMTQIAK0IM6qYVi uIErkC5o+ixyJEhn1CvaGsda7Id5gAcJeIRHUAEHaIJerCj/OniDFgiAAvgBKDiDA0AGiQDJiQiH XSm9fwCge2qL0QuTmfGGArsWk3OERkiFyuCEUSiFIRmMwkCFJeHJnvRJUUCFTWCETdiF66GFTRCS oETKUvCMRfiFJSiCoDgfVxofg2qm8XEHh3wFR9SEX7CAGmgDMwiDMCCmMDiaNQgDKGCAblhDfxiK trTKWKpKgYoED/iFTIiFUAAGX3qDMFiZ/WGDLEiCsLlBVyqoqqzFjEgHdpiHIlgCTSCDLNCUN3iU IbgBAQiAFmsCOjBLOsCEYsABJvCsm4jLglIN1SAfvnpFHnrFu/KHbsiJcoAHCDiTYzCEIZiAH2iD CUiCApiA/xYISys4AwJgBriMlhjwgXVABjcoScmZwzABoLPwhpWcFWRwI4qAgTIwhl5wHc+wSZzU yVJ4jPEkz/I0z/KshFKshErwC1bYhPXchB5BhVKIBdp4BRbAA2ZKJ4xZjXSggEfYSlLoygkASzIY S7MMAzZYAw60gutckZnJIZBEDUjogF8IhVj4hF7gS79UmSQYjjV4gyp4AgjAIZ7YzxJBDcfUhG5a g4ZYj0QoBCVIAjPAgiqQkyzwzGAIzRrKIYqYGbbMh36ghob6hn2IBl3wA2I4DcGBinm4hhI4hVN4 BEDoAkcgQwAQQy1Y0DfIg+H8yJywhokggAfQhj8IgYnYg/8/oAdEIIA/EIZnaBF6EIZmQwRCACBh gIY4sAQUMEk4OoQUuAVToI3W+87smc9PQNREVdRFZdRGRdRQkIQeic97EZL15JFRTAlAsAVDoAB7 EJ8erQh1+M8AHdACHUuWMUsyqJ0lyJONYAtQFQ8K/YVw4wQNNRS/RIOYGANwqgIreAIJKFHWsAu7 YIccCIJL8D+jAYP3GAY8EoWgUhmXuINLkKEpCFaa2Tx/eAYd1ABIgIcggAEYyAEZiAZ/eBV7eI0E sIFHOAY4GAELAARAKIB9pMw3gAMbAAEXMId/WENzWDYaoIEvkIYYoAcq8IEc+IM/IAAh2AM+fQB6 oIGdMtj/HMCvoqOCP4iB/EIEejgEFui2UBCEVCxUwzhURzXZk31UT4pUWpAFVmCEHsmeTciEQrCF W1iATvhUWJ0IUQXQTBAFoyLQ2hnLsjwaNgiDJXgAcWCLEtFZf4iECr3QWt1QCqK6OukCOXiCBLhW 1hAHfPAHJoiCV8ACQesmOiiEC2WEWGAJKciCNaiCaT0GHWACeYDQHGLaiRAGGjgBJzgEO9ABBNC1 axiEWksDYVileNiHWbiCD/CtYyiDPPA1PWiCN+iCJzgADVAEa6GIAdkAZECCL4gcAKCBDchYNcKG gGXYDRAGb9gAOVSjB1DTNKKBP5gIXSiBS5AFlhDZmxwl/4c5z98F3vHUkfS8nvd0K0x1K1BwLj6A AWuYBp2tCP98BNkRBVJAKlM1S00xWgmCAw0YkY1IC+jFiLr8BVHAUFttA1wFA7ZlA3C6gyWIgK2N C7vwh494hDmpEw5kA0HwEUYQBIMYibFxBGMAApuA3lethzyjgEFIhlt4hEDogBmwgmDQhUMoAg2I A2YA036IhiCIgCXQhWPog8jDWgfwgEOIB0/9h12RB9U40z9YHMexmD34BzWCBiTwgT2wKWt5gOl0 IxqAGWEggACji334gCuwhUD5hEVADJg9jJ38ySj2SVoAJVkQMlwY3uxhBYN5hROOh3+QBvH9h3Rw yFqohP9QsN6gNdAwGA45WY82aAICOMm61dm6DAZNyEv0VV/WyoJwugMciIgBcocdWIJfKIRDLoR4 PWRQEJhEPmRAEIRCMIVi2IEo2Id9hV5aoYc9cAE7gIEKyINK+4UnCL48eAUm+AAA2IOZQQ1imAIJ 2II0WAAmOAAPwIN9sAZOgxECuocHQIZwAAAf+IcviAGdgoY9EJ2TOoc4+AIDIYTRrZwNyAVoEAY+ RYI/OId+mIMduAVHoIQmaeLe7REpJucl8QRGoAUqpgVU0AP3XE9S9BE9GIIrKFf+2BVY9YesfARa 4IRPEIXrFdqxLAhhDMYXyIGTpE7+PKe6QAQNuONG1GP/ChI0MrDIJzABGJDfzU2njYCKfmCCKzAG 3LEFXygGY6Aed6GeYSiGlS6GZiXgLXiWpqVDKsiBYOgDQLAA4FxpY3iDAMgxOCC2idiVc1inSOCC AAAAhmKHjpAI9QnfAHm7t/sHZhidFJKwFKqV6YSGi8EGV8gFraYIFzERekDcBTAEW5AdcZPP+USM cpYMUgAFUfAEuabrufYEuPYE62mrSsAFPZgAX+Ce2ZGFTEgEEliCchActQkgWfmOfI6AR6gFSgiF fybQ9j1QJTADKnU+HFgGft3cplloiogEh9YEiG4AsOTQCtoNi74AHLiGjEYntvkHdUANGEiAF/AA FXiB/xdIARNIgRfw7d8G7g54ARLAABIQNRdAbNjW6PCQUNj0Byo4Aj4YABy4hCeogBaggySYgAIQ gCfggwXYA3FInzfc2Zx4hj3wB3uACok4C7tYC3QqCwTLlWvJFdGrlWariLMAoNKjbTzImmMABE5M 51CYhE8YhXBbhHW+0EIYjB2hBQ2jhUmoBEJshEtFBVGKT0/IBCGRhEngMF60AAH4hZw5Bl2YAxjw AGr4EuYGj/5wB195BVNIE1zITQsyg3DKgy1IAQmIAl2ABxffk5z4lWNYvkYYht9sA85sg7ddAhPA gCJoopimGTm0B2ZQBDzYAz/g8i7n8j0AczzQckIQc/8/OBwNoKHTiAe6gCK4CO3+kAd5iIMc8IMI 4AMd4INjsIIJsIAZFYAtmAPxXouNuFsxnhR2iAMZOIRoUCpKYIRwS8X6zMtQSOfn6QVQ6AVKmITW u8nBmJJNEDJBkIRYcM+kxCNCxARbwAAHuIVl0IUtWAEdOARwMAf8Bu3v8AZ/sAYCmANdOAU0GQYF oDwrKIM+MK0DCAJdaCVDD6B+OAQVmPFT6AVMyM0mr4IyKAMVkIAgSIa8qgYh32+LsPXWyHV/wIMQ oCFwYJswxgg338+dCJDxcQMaiAMjKIdIKIErOAYCFYQeaIBAOAMJwAOdGHdmP45v74c0uIAouAVb wAT/4Pk2QekFwKCETBSEJJh2SugFUQiFl2UERkAMv4iFItuFv5CESmgEQBiGWlgVObg0FliBD4AB PIiGcQR3d+eJdXACHSiBCZnkQsH2LbiAA2CCZRCcFL55MVENYigBIDBlUwCGClCCOyiDLZgBBJBy b88JTJaVlVyRgme2ishWf7gHP0D3pliHXBkRHHrz/Q4TenADHsADF8ireViAR+gAJXiDGigAKwj0 OpAH0cNDg3+RnNgHXQACB3gCR/iFmDyqRNB4U6iFS9QEQACAALiDYgAEn8WF3A3KStiEURgFVfgL JlZbojKFRPiFW5gBACiCQ1AEXWCKZWra70CHABkH/3DggxLQgUAIhg4AgjnQOyZQUn/ghuLaBsIX ybvyg9zOg2NwgAIugQgogoaKB/QxBzqelJkBe3EnEbowB2XqB0J4gKVwpTApUdl282U+gi0IAngo Bwh5hAowgTyoAgHIAz5AAC7IiGhTfjEBiG3c/PVz9+2aihRLXh1zZAiYLEemHD16pQlYngYA4ECU ZahQJVSSJMUqtejTokWxcFVqlOmSI2OvZsyZ962gNX86+/n75/Mn0KBChwLVSRSaTmrg5niQMYBB Bh3LjALFV48o1qxai/Yrd43PiiIBIlAIQoynP3rcyG1t+5MeUHrn2tKDG9TfPXD7CGWYsq/fOHk9 3f9urevPDQo+C3TNm3dAl4MoXW4YwIEAQQInlv55I+z5s1uC/faVg6eryAIIRQIdCtTnVjBdtwIZ 0sQCwYwztxI5k8VLVktUqCrRQkWLViZGmWzdijYEAh54/dD6fGfv3T+7oLVSBYrOZ7ed0/cQCGLt uk98+HySW7/9/b/v//yt2zePmhMNTnLp9CcPqDjaXAXfT539M9d72szlzz7uNEiIBlxQw9M6gxHo E4JcMLDFEzPocM0Cq0gAhBVdBDABDnlEAIAPcWl3IYxC4WOOYPbEM90+3ySzCh4yJMCBCkUwwUQQ JUTgQh3RlFPCBVdsEYwspshSCyaY1NIIKZk4con/Lba8wocMTBDzVzqD1SPfP2zFKFR33snnjX/+ cPPfNnCpGdSda9I1Xz7r8ASnTy8GpY2eb9GlXTvgERSNfYdQMEVB+7T5Xlo+cfEABkMAccYKAUBy wRBwNCFAFSQYAMQDVGQnV6Gt/oPdP4LFeSNP040WzRw8BOFHNf1MWM0++xAjgw4ppFBEIrdocskt r/yi7C268KGDC0GA0088Rg3o07auzmchUIT+hCA3eKrnLWGJtiOuYP/Flx28P+GDJox2CYOED38Q Zdc5wgiDzT+JxupPPtcG6w5fTvzV35r0uCHDNUpgkMIVVxyDARB5/CBAAxO8cQYKR5yjnaDottpT /3+2Ttdfyrbu48cgW5RwgAdL2DEHH3NMsUMEH8ShFHWtIhgUwD/RN99PZ/5z1Xfi/lP0NtXJi2Gg hmJIsk8GluxZPd0e+DVnWcerJz2IPOAGFXtk5wrA2MB1zlw+0ODKP8wI41M1/hDTq4P7HCLCEdj6 Q+PS2yEozzlfyNDLML5A0cEMdiDwAgkCCJBEG22U4YIQYG9tMrostyn6Tu5UQw0xaXywwgkaBBEJ MxOOE3TDgSKDiBv/ILLHFxhCswcz/kDjEzrafLEHIuIU/o8275RLT9Tv9FSuP9jYg/U/hOzxjE+I /HG3T3HkHrYwzHyW6DRO/zO81fmY09N/Bl7I/f8/cXTuRgzYUBFCDq4gE8I/LJGDczDgAf2jQgyQ AA1CoABJfnLHPV4Wsn6EgyrSAA09LFSHFTgDEJiAxyuskAIBBOAHSshcG7qQBwYcIV6fA52rWIaV /pgjgwTpzzgIkhOjMExoPhFGAHyACCRQgYjmcwUACOENd9EjB384ghAQcRVm2KUzcMkHPeTxvrzp pIJuWx8ickAFH3jjD0JAQv/KOEYh0MMb0HhAHD5zJuXVQ2A+Wcd86NGNCuatG+aoYO0IQQAfoAAb rkABPfZABWQg8g85+Icj/0GFB/iAAMJwwwO4iK3pjMMPInACJytFr8+cwwkEkAgwGmAF2SRACW// 6MIPAGEGIlxABoiICwxz6RNwEYWXgWKYu4yGLnoAbIBfEAIy/sE9aORAGDQwH1yYEYJbQuMc3tiD EIRgNyTwgAZp84cTIqEIFCCzGjngQQwCBY3ObIAZ+TqHD1xBjwfcbQPYgIYPQhBHz+BjA/4UgjCe kc5/HE8nZtsAMnnwgA1s5kJw6QwiaMDABdKgfs1M5yEdVlEhHMEVfzhHHLjwrQoNjiCEoEAaesWT obmlLvHqBjEq8AIrJAIHDjhGBW4AhzcYYggX6MAc6Fa1F+oyK5OaoS/Z9BMF3WVkd/GWdlBwyy/k IAfeGNkG6IGCZ9jFHM8QQg4IcQ5XEIAHG6CC/zcC4IqxUgERR/gDA5CgASo8AwCKoBrAaHBLIRCC HjG4ZQjuhgJXsPELt/TMMx6QHUK0taLnoIG+CHEEfVTDFYR4QJ82UKgvkBERVHAFFXLgA0t8NQco QME/QJsDAe7hCLn4gqrMgSAbmrQvfwnMe85hDnP4aR6DkEEJ5rCKZThgCHbYAgI8wARqDMaKYysq YXpo1KMq9RzbOodg4uKNRGXQVbOlhw9ygY25hJGgAYgBAVA7MGuYg7XMeADvhOEKGszlGWeNgzDg izxspLOayiSoUPPljdH+YwPco4EQGLABAijWM+dAQT3gggQkKBi9txwsP/Txj3UM1hIDhdHw6P8B Pld4AxlxaCgy9rAHYZBXX4jAb92gwT50XMWl/kBYhHpVUsK0sSj+uFY/4hAEDfBBAjh4gQPmQIye oGM9s2UpdNsi3V5OuZc/4QdcWCaPYApzuknNil2YQYA4eJbMiNwAIVxhiawWjQd7+IMT9mAJHmjv eyjAR2eQ8QBtSGMDwnhzfoPigw18wRKJo4IbcoCIc1DhC19AAjOgwQwUqIow8qiGZn2SwLkhIwZ/ 0AYNGsqPcCw0BkIlUNE4M5fOzKWNdkm1N972D3MQz2nZuIq4zEGaQ2TgCtjKR3eoWxRav28w74CG NXJBAQAcgAnJkJTy/oGPFxE1ymwSttGwLZT/cPhYhhr+Bz+krG2seONeqvqDDxRYNoBBAxEG8sYz jnAEQrwvF0LoHTOkuLRsEOKHPuidNA5rF0IQMQdua20uAkUFIbCPHq5IuIMV6/AoArAe+YIkErLB D2H8Yatkc+rY7KIdKIMnKPUQ14DqwaB54BiUpPty1WI1MLhwwz3hIQQ1guUPdajHydkhubWDLvSh D71k8/RnDJ7BDCHgkQt/CDci/EkDZPjAfFRzabWJPh9aQcgI/fDTOLLF5aG8nOxV1jra0672oHsj 1sKAC6z55carupClWSf6OfwzHT+gAJTXMgr7qCy6tRO+8IZfO9xijpWHHp7ssnKHH0IASsHl/+O5 jb885jPfKqz1mDMuHReCnErtsCn+8LQuaT9OmtKV4VHzrn897AlEv7kM7UW1B4r8wHb52QJ7NBCC FGAqFPvhE7/4uEcECgjN+J8/jfZAod+r7552u8TJH/GAEBdUOg7jc7/7h+eXfbGBjS/IkxlfuJv/ EOG/unGVGX+gGzRc4YpFvz4bVKOP9RWhAV+7o/Le/z8Aoh09xJsP0M98IYFUMUACxUEL+cCKUZpU 5QID5MA+dV7jiYvIpQyETB7MBaAHfqCrwAUDiYwgxQB8PcDwPEMOcBY0/AEBmKAlCEOmfQ3QZZ71 9cM9dB22HMh/SJ/VgCAQBqF23dLSqdgROP+ch9HdH8SA2izhP8gXA9ke8eVdPNwI3x2BP4SHUVTD 4sVLq41N4gmhGHafXHjDEcQApcGbEJDTmvnE8GjWOSDD/sSAMFjCF3xe6b1e9a2DH+iHTryPYNTg DxKFII6hIWYeXFiCK9DPM+QCq7kRZwBMZ0BDLgxPucFLIWbegrzPXmiAG+QET2QLzBUN7ZGMDx4i Kh4egsRa4A1VzLWi7l1elc3WTuTg/nGSKDqY1pxiKvYi0blaoGAPwMzFeD0NmMlilaFJ6WDfhFBQ lcEFv9RFyWSiL1aj2n3RMA5i1RgINa6dDAGF/c2aTsTDrj1KQYjiUdHfXLjCimVNN1ojPFr/29tw Iy4xHx5qI+Z9o09EWwaORidO3spQhd5oAA+cgB/EgwygQEEaATLoRLnEI0RGpObtxPVJXrD8BU/k gzxogAPkQSAEggpMjCNcgyEUwQVsQSR0oESuJEsGXRYSRB2cgMIwyjqAgz/EwQCQgB4YgyMUQx+8 QAX8gC84gy0wAQXEATG0pFIupdD1HjjwgQYkCUbGAxeswBakwAgAgiY8SxmQwAiYgSEswQcEgNow pVme5TDNhzVMBx8wABc0SK9wQRFcAw7IgQqYwBwYgzM4gxmQkApMgQb0DloOJmESyLb4h5/wwQNw wTfswz04gQxIDgsswRxggArcwQ1YgAAY/wAczEEElGVhhqZotgWaCMbeMUAa7MM1pEEQbMEUEEMQ sMAgnAECdMAQyEEBWIEhLEAdjKZv/qZQyAfA+IM1+MkhMIARzINczsEKBAs1MIAu1MxPFoAdlMEF 1IFKAqd2KqV8DEgFTQc4KEIG8AEX6MAcBMFfgMMDBEMC1CURCAAcBEIC+EF2bqd9MqVO/AXklcAA MAEXUECw9MMKHIIDpEgPFIAjzAACiEnYgNyqBON9RuhKAps7jIYfDIAL6IIE6IAfRMMBBAOoWEEV bCYC2IAKMEAuaEfuhaGEtmg8poxeXMEAnAGu6AB/QkIFDIEZJIEA1IAcwIEDBAAVfN6Wdf/DLg2G kbqokvaif6zlPjhBCaRABWzBJTyCCjxCB7yAGfyAAiSBBSBAERAkysRF6PHikp6pDfrSghAEODiB DhwDIJCACRDBMfwCBiSBHiRBADQACTQBHJxAC/VEN3SGu2yZT4wdmiYq8Z3dggDLHpzAMCyCLLwB CXRAHghACkyAABRAEryBHkBl51hIT3RXHimqqRqfPv5ENwhGPBzBDAzDLtBCMfSCGaQAAAhAC1SB FOjBG1jBFfihTmjh+1iDG3zi4JwqssJeqqKDXQgGTt4BJpDCBBCBLQDDCCRBFdCBGpRBFyyBB2iA JfjDOERDEYRAJHxDGpyADMjACaRBTiT/K7waH/V1wzN4gA1AQR4MQQdcggXcgBrAwR0UgQOUAB5w oS5cQQmUQR68gAAgQCBcw2zogAQQQt6wxVUMyLjFq8bKI1CYAzhEggyswBk8wjVUQMYIbAkkST/8 QzccQAK8gCn0QjEAAgaYwBIcA3PYRg4k011k7Mb+rEt+HSHMwArMwQCwwAVAwBx8AzjYpDr4gwYc AhBUhh78wjU8wQssQCAkAhx4gFoVDsb6LNCOrS4hhbj2AyToQAAkAB9MiAz5wwPwwTUAAw6QwAs8 rLIAQABgABMMQMKxhcCcHdkOri59XjhanzVEgkqBC0FoQNrOQCJcwg54wAxsQQc0QAvU/4AdMIAl pIO0ZVt9Eq7owsfWyId8VJBR0EMdMc8/jMMJQEIGMIEH7MAq6AIMIMAS6IEC1AAcSEAk0FqNfUvo ji7xxojAiMvIqO4+Hmo/ZMAhJAAxlIPqzMEhHIAc9EEBtIAcJIAurCxbrOnwFq/41ks9XgU+3BgF QAILdEJj7IEMVK8dvMEEtEAfDEAw7IM9POSRji//uoodvYV2dI1PkGMGwC5j7EOP8EECbAEgKEAK AIIAnIGkwMr+9q8Fp6VQZFA1rIAiLAATXEM5EIIOVG8fyIECtAAGOMAF8MCSpRrSXDAMk+5gVJ9/ yBb1pUM/UEAddMIMlMAjXAEMHMIA6P/mCACABdwBHEAAA3DVYcawE2/H4I2pTsiK9R1ABkQBs+CA AOBAIHTAFryBAbRAIdRABSQAAIDPE6fxe2RXdiDOi6TF06JAEehAcb3CIwRCGTiACo1ABSiAArzA FWQAMuSeGheyVoicdXkHlHXDA+jCMgTCC1jAE2hCICCAHbwnrlbBHTABAXChIX/yIQuFONBY0hgN BQxCILwCLzhCCpAACQRABywA77ZBGMDBGRAAMZgpKFvwHzLDM+hELlABCpwftwAFA/DBMRhDEzSA IdBBCwgACXSBHHRBGZSBFRRBAvzyLm/zOZAUHxaBBwxoHUgAEzwCEBwAHkSDPLiHNfD/gAbowCkc QxkgwB0AQgPcQRVYwRnUgQw8gAsowqhu8wXDXH8gAg9cABRcgx2oAAAQQTDcgjE8AgvIQBqUC1L0 QzM4AQdcwS0cQzF0QQEYwh1cMwNAltVZnkAXL8yZphu0Jw7AwStEgx0AAQI8ASAoSRRQwAPcFWcQ xCFg8xVAAh84gBXgQAokgCKgcUrDMMytgzz0Qx24wCWUQZYisy04gisrwQ+kwInWwYAUm6+sAHAN QAmUAB/Mw2Do8lLHqy9F2LdQJQ8cgyHcwhJ0gArkgSwMQxEHZSAMwB6ci6LcyCrwwAH8zHTIg1qv NVsPRZbphBPwgCEgABBURBSYwAs0/4AF/IAF5MEZSEBvLk23+EM4vE+sGJ1i8y9B6wQVFEEUDMEV eAAMaMIr9Osd8OgTBMJ1msmAvMiAVJOgJPZpn6ma7pJgUEEQzAEMwAM18IEK6EIF4MAd9ABnSg4f WMh3yEcij9I9BjfxwlzvcQEPbMEOzAM8lEME6EKmwBICWMEcSAAf8ARpZxF3f3Jqx0McGAEelEBj zsMK8MEFRM6oHFcA8MHfDd58qzFB5wNUy4BiKNk+QO8F4EAfLIEBOIAA7AAHBMEqTAdJhe+BE25S NbY/fEECHEIwzAALMMEBYOkSlMENNLQdgAkATB469qyHf3iyhrjwckECzGkwBELfPv8CBrwAPhcA HNzAAFxAZhQ46YEujo+vjhNMkLHAI9SAATQBHzSHA0ABHfxAAXz5EASCTAJbpXjNtzy5+Lb1kcaD G/CAMfRCIZTKDdiCAfxAC0xAAdQAIzTBFZTFYKgPmoOyTuQDFciALVAJIOhBFRRAAAjACLSAIGRB GJSBHZwAGxVzoG8zXJiDGxDAMZiCJlRACvyAKZwwG4SBK8nBE+AAAfRbpi+1vcSBBAzBJcjzE9TC BPzAHejBNL9ACsAAIbjwO7468YrcT8jDwUbAFRzCMRyDAbyAHJTBDFyAChyCpMTcsBO76JriLgGL DqyACiyDB1zBDizACkDCX1gDhG4Yt7anMR7mxDJcqN7KgCLwRDWUi91hXkAAADs=

Or, you must have a router specifically configured to pass DHCP requests to a DHCP server behind the router. If you do not want to set up a DHCP server or configure a router to pass DHCP requests, select Static address pool in this step, rather than Dynamic Host Configuration Protocol (DHCP). Then click Add to add IP address ranges to the static address pool. Note that IP addresses in the static address pool cannot be addresses that are included in the Internal network. If necessary, edit the Internal network to remove addresses, so that they can be included in the static address pool.

To remove the IP addresses included in the Internal network, in the ISA Server console, expand the Configuration node and click Networks. In the details pane, on the Networks tab, double-click the Internal network. On the Addresses tab, select a range of IP addresses, and then click Remove to remove that range.

10.

In the ISA Server details pane, click Apply to apply the changes.

Important:  You may be required to restart the ISA Server computer after you make VPN configuration changes. To check whether a restart is needed, in ISA Server Management, expand the ISA Server computer node, and click Monitoring. In the details pane, on the Alerts tab, look for an alert that reads ISA Server computer restart needed. The alert information for that alert will read Changes made to the VPN configuration require the computer to be restarted. If you see that alert, you are required to restart the ISA Server computer.

Creating a VPN access rule

Create a new access rule with the properties shown in the following table. This rule will allow access from the VPN Clients network to the Internal network on all protocols. To create a new access rule, follow the instructions in Appendix B: Using the New Access Rule Wizard in this document. After you create the new access rule, click Apply in the ISA Server details pane to apply the new access rule. Some properties cannot be set in the wizard. To set those properties, in the Firewall Policy details pane, double-click the rule to open the rule properties dialog box.

Tab

Property

Setting

General

Name

Provide a name: VPN client access.

General

Description

Provide a description: Allows access from the VPN Clients network to the Internal network.

General

Enable

Select Enable.

Action

Allow

Deny

Select Allow.

Action

Redirect HTTP requests to this Web page

Optional. If selected, specify a Web page location.

Action

Log requests matching this rule

Select if you want ISA Server to log requests that match the rule.

Protocols

This rule applies to

Select All outbound protocols.

From

This rule applies to traffic from these sources

Select VPN Clients.

From

Exceptions

None.

To

This rule applies to traffic sent to these destinations

Specify Internal network.

To

Exceptions

None.

Users

This rule applies to requests from the following user sets

Select All Users.

Users

Exceptions

None.

Schedule

Schedule

Select Always.

Content Types

All content types

Selected content types

Select All content types.

Notes:  You can limit VPN client access to certain protocols by selecting Selected Protocols on the Protocols tab, and choosing the protocols from the Add Protocols dialog box.

If you consider the VPN Clients network to be identical to the Internal network from a firewall policy perspective, you may also want to create an access rule allowing all traffic from the Internal network to the VPN Clients network.

If ISA Server is configured as a VPN server and acts as a firewall server for Firewall clients, VPN client computers with Firewall Client installed will use port 1745 of the ISA Server Internal network interface. Also, if ISA Server is configured as a VPN server and acts as a proxy server for Web Proxy clients, VPN client computers using the ISA Server as a proxy will use port 8080 of the ISA Server Internal network interface. By default, when you define a rule allowing access from the VPN Clients network to the Internal network, access is allowed to all ports. However, if you choose to limit the ports, you must allow access to ports 1745 and 8080, respectively, for these scenarios.

Checking the VPN networks routing rule

When you install ISA Server, a default network rule is created, establishing a routing relationship between the Internal network and the two VPN clients networks (VPN Clients and Quarantined VPN Clients). To view the rule, expand the Configuration node and click Networks. In the details pane, on the Network Rules tab, look for the VPN Clients to Internal Network rule. For more information about the relationship between the VPN clients networks and the Internal network, see Appendix C: Network Relationships in this document.

L2TP Walk-through Procedure 4: Install a Certificate on the Server Computer

This procedure is performed on the ISA Server computer, using the following steps:

Creating an access rule from the ISA Server computer to the Internal network

Installing the certificates on the ISA Server computer

Creating an access rule from the ISA Server computer to the Internal network

For the ISA Server computer to access the certification authority (CA), you must create an access rule. ISA Server requires this access rule to obtain its certificate.

1.

Create a new computer object representing the certification authority computer. This computer object will be used when creating the access rule. Follow the instructions in Appendix A: Creating Rule Elements in this document.

2.

Create a new access rule with the properties shown in the following table. This rule will allow access from the ISA Server computer to the Internal network on the HTTP protocol. To create a new access rule, follow the instructions in Appendix B: Using the New Access Rule Wizard in this document. Some properties cannot be set in the wizard. To set those properties, in the Firewall Policy details pane, double-click the rule to open the rule properties dialog box.

Tab

Property

Setting

General

Name

Provide a name: ISA Server computer to Internal network access.

General

Description

Provide a description: Allows access from the ISA Server computer to the certification authority on the Internal network.

General

Enable

Select Enable.

Action

Allow

Deny

Select Allow.

Action

Redirect HTTP requests to this page

Optional. Do not select.

Action

Log requests matching this rule

Select if you want ISA Server to log requests that match the rule.

Protocols

This rule applies to

Select Selected protocols, and then add HTTP.

From

This rule applies to traffic from these sources

Select Local Host (ISA Server computer).

From

Exceptions

None.

To

This rule applies to traffic sent to these destinations

Specify the computer object representing the certification authority on the Internal network

To

Exceptions

None

Users

This rule applies to requests from the following user sets

Select All Users.

Users

Exceptions

None.

Schedule

Schedule

Select Always.

Content Types

All content types

Selected content types

Select All content types.

3.

In the ISA Server details pane, click Apply to apply the new access rule.

Installing the certificates on the ISA Server computer

This procedure is performed on the ISA Server computer. If you installed a stand-alone root CA rather than an enterprise root CA, there are also actions that are performed on the certification authority.

1.

Open Internet Explorer.

2.

From the menu, select Tools, and then select Internet Options.

3.

Select the Security tab, and click Custom Level to open the Security Settings dialog box. Set the value in the Reset custom settings drop-down menu to Medium. Certificate installation is not possible when the setting is High.

4.

Browse to: http://IP address of certification authority server/certsrv.

5.

Request a certificate. This is the certificate for the ISA Server computer.

6.

Select Advanced Certificate Request.

7.

Select Create and submit a request to this CA.

8.

Fill in your details, and select IPSec certificate from the Type drop-down list.

9.

Select Store Certificate in the local computer certificate store and submit the request by clicking Submit. Review the warning dialog box that appears, and then click Yes.

10.

If you installed a stand-alone root CA, perform the following steps on the certification authority computer. These steps are automated in an enterprise root CA.

1.

Go to the Microsoft Management Console (MMC) Certification Authority snap-in. Click Start, point to All Programs, click Administrative tools, and then click Certification Authority.

2.

Click the Pending requests node, right click your request, and then select All Tasks and Issue.

11.

On the ISA Server computer, return to the Web page http://IP address of certification authority server/certsrv, and click View status of a pending request.

12.

Click your request and choose Install this certificate.

13.

Return to the Web page http://IP address of certification authority server/certsrv, and click Download a CA certificate. This is the trusted root certificate that must be installed on the ISA Server computer.

14.

Click Install this CA Certificate chain and confirm.

15.

Verify that the certificate was properly installed. Open MMC, and go to the Certificates snap-in. Open Certificates (local computer), and double-click the certificate. On the General tab, there should be a note that says You have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the root certificate, and a note that says This certificate is OK.

L2TP Walk-through Procedure 5: Install a Certificate on the Client Computer

This procedure is performed on the VPN client computer. For purposes of this procedure, it is assumed that initially, the client computer is connected to the Internal network to obtain the certificate. If you installed a stand-alone root CA rather than an enterprise root CA, there are also actions that take place on the certification authority.

1.

Open Internet Explorer and browse to http://IP address of certification authority server/certsrv.

2.

Request a certificate.

3.

Choose Advanced Certificate Request.

4.

Select Create and submit a request to this CA.

5.

Fill in your details, and select IPSec certificate from the Type drop-down list.

6.

Select Store Certificate in the local computer certificate store and submit the request by clicking Submit. Review the warning dialog box that appears, and then click Yes.

7.

If you installed a stand-alone root CA, perform the following steps on the certification authority computer. These steps are automated in an enterprise root CA.

1.

Go to the Microsoft Management Console (MMC) Certification Authority snap-in (through Admin tools).

2.

Click the Pending requests node, right click your request, and then select All Tasks and Issue.

8.

On the client computer, return to the Web page http://IP address of certification authority server/certsrv, and click View status of a pending request.

9.

Click your request and choose Install this certificate.

10.

Return to the Web page http://IP address of certification authority server/certsrv, and click Download a CA certificate. Save the file on your desktop. Note that you cannot install the CA certificate by running it.

11.

Click Start, click Run, type MMC, and then press Enter.

12.

Click File, and then click Add/Remove Snap in.

13.

Click Add, and then from the list select Certificates.

14.

Click Computer Account, click Next, and then click Finish.

15.

Right-click Trusted Root Certification Authority and choose All-Tasks/Import.

16.

Browse to where you saved the certificate file (your desktop), and import it.

L2TP Walk-through Procedure 6: Configure the VPN Client

This procedure is performed on the VPN client computer. The procedure is based on the features of Windows XP, although other clients are supported.

1.

Click Start, point to All Programs, point to Accessories, point to Communications, click New Connection Wizard, and then click Next

2.

On the Network Connection Type page, select Connect to the network at my workplace, and then click Next.

3.

On the Network Connection page, select Virtual Private Network connection, and then click Next.

4.

On the Connection Name page, provide a name for the new connection, such as VPN Connection, and then click Next.

5.

On the Public Network page, select whether Windows should automatically dial the connection, and which connection to use, and then click Next.

6.

On the VPN Server Selection page, provide the external IP address of the ISA Server computer. This will be the address of the network adapter that connects the ISA Server computer to the Internet (also referred to as the External network). Click Next.

7.

On the Connection Availability page, select My use only to ensure that VPN access will only be available when you are logged on to the computer. Click Next.

8.

On the Completing page, you may choose to have a connection shortcut created on your desktop, and then click Finish.

L2TP Walk-through Procedure 7: Test the Connection

You can test the connection, using the following steps:

Checking the connection from the client to the ISA Server computer

Checking ISA Server for connection information

Checking the connection from the client to the ISA Server computer

This procedure is performed on the VPN client computer.

1.

Dial the L2TP dial-up entry using the credentials of the user you created during the previous procedure.

2.

Ping the IP address of the HTTP server.

3.

Browse to a site on the HTTP server.

Checking ISA Server for connection information

This procedure is performed on the ISA Server computer.

1.

In the ISA Server console tree, click Monitoring.

2.

On the Sessions tab, verify whether your VPN client session is listed. The VPN Client session has the following properties:

Session Type shows VPN Client.

Client Host Name shows the VPN client machines public IP address. Client IP shows the IP address assigned for the VPN session.

Application Name shows that this is a VPN connection and shows the protocol used for the connection. Application Name is not displayed by default. To add it, right-click one of the columns headings in the Sessions tab, and select Application Name.

You can create a session filter so that only VPN client sessions are displayed. Follow these steps to create a filter.

1.

In the ISA Server console tree, click Monitoring, and select the Sessions tab.

2.

In the task pane, on the Tasks tab, click Edit Filter to open the Edit Filter dialog box.

3.

In the Edit Filter dialog box, in Filter by, select Session Type. In Condition select Equals, and in Value select VPN Client.

4.

Click Add To List and then click Start Query. You must click Start Query to save the filter.

Quarantine Control is an option available to you as a means of controlling the compliance of VPN clients with your corporate security requirements. Note that when quarantine mode is disabled, all remote VPN clients with appropriate authentication permissions are placed in the VPN Clients network, and will have the access you have allowed the VPN Clients network in your firewall policy.

NoteQuarantine Control is an administrative tool that enables you to ensure that your clients are in compliance with your policies. It is not a security feature. Quarantine Control does not provide encryption or authentication mechanisms.

Quarantine Control for ISA Server works with Routing and Remote Access to provide a means of restricting VPN client access to corporate networks. With ISA Server, you can require that a newly connected VPN client is assigned to the Quarantined VPN Clients network, with a restrictive firewall policy, until the client’s Connection Manager indicates that the client is in compliance with corporate connection policy.

Quarantine Control relies on the Connection Manager (CM) profile you create for your VPN clients. CM profiles are created with the Connection Manager Administration Kit (CMAK) provided in Windows Server 2003 and Windows 2000 Server. The CM profile contains a post-connect action that runs a network policy requirements script, configured when the CM profile is created with CMAK.

You will require a network policy requirements script that performs validation checks on the remote access client computer to verify that it conforms to network policies. This is the script that is called by the CM profile. This can be a custom executable file or a simple command file (also known as a batch file). When the script has run successfully and the connecting computer has satisfied all of the network policy requirements (as verified by the script), the script runs a notifier component (an executable) with the appropriate parameters. If the script does not run successfully, it should direct the remote access user to a quarantine resource such as an internal Web page, which describes how to install the components that are required for network policy compliance.

You will also require a notifier component that sends a message indicating a successful execution of the script to the quarantine-compatible ISA Server array. This is the component that is called by the network policy requirements script. You can use your own notifier component or you can use Rqc.exe, which is provided with the ISA Server 2004 Resource Kit in the RQSUtils executable.

With these components installed, the remote access client computer uses the CM profile to perform network policy requirements tests and indicate its success to the ISA Server array as part of the connection setup.

For more information about CMAK profiles, download the document "Network Access Quarantine Control in Windows Server 2003". For sample quarantine scripts, see VPN Quarantine Sample Scripts for Verifying Client Health Configurations.

Enabling Quarantine Using ISA Server

You can use ISA Server to process specific options for remote VPN clients in quarantine mode. When a client attempts a VPN connection, the client is placed in a Quarantined VPN Clients network. You can apply specific policies for clients in this network, which specify the resources that are accessible to clients in the Quarantined VPN Clients network.

When you enable quarantine for ISA Server, you can configure the following:

Timeout. The amount of time that a client attempting to create a VPN connection is allowed to remain in quarantine mode. The client is disconnected after the specified time passes, if the client was not removed from quarantine mode (and placed in the VPN Clients network).

Exemption list. You can specify a list of Remote Authentication Dial-In User Service (RADIUS) or Windows users to whom quarantine is not applied. Users in this list are automatically joined to the VPN Clients network.

If you are running ISA Server on Windows Server 2003, you can enable quarantine by using RADIUS policy or by using ISA Server policy. When you run ISA Server on Windows 2000 Server, you can enable quarantine using ISA Server policy. RADIUS quarantine policy is not supported in Windows 2000 Server.

Selecting RADIUS quarantine policy or ISA Server policy

RADIUS quarantine policy provides two features: