Site to Site VPN while keeping ISA in the Mix

If you have a remote office or a branch it might be a good idea to have those users connected to your primary office permanently. You could even have an additional domain controller on the remote site or even make the users login via a Terminal Server on your primary location. To connect the two locations together you have a couple of options:


  1. Connect each computer individually using PPTP VPN to the SBS box directly.
  2. Use a PPTP VPN-capable router on the remote site and establish the VPN directly to the SBS box.
  3. Use 2 VPN routers (IPSec) to establish a site to site VPN.

Option #3 is fairly common. However, this method presents a problem when you want to keep using ISA. You cannot put the router in front of ISA anymore because you will terminate the VPN tunnel there and your users will not be able to access the resources in the LAN. So, what can you do? Well, there are a couple of ways to go around this problem… I will discuss one way:


You will need two VPN-capable routers (and know how to create a “normal” tunnel between them) and two public IPs on the site where ISA is located.


Your setup should look like this:


Basically, what you need is to give ISA and the VPN router in the main office 2 distinct public IPs and put them parallel to each other. Then turn off the DHCP on the VPN router on the main office and make sure is on the same subnet as the internal LAN and connect it to the same switch as the SBS internal NIC. Configure the VPN link between the 2 sites as you would in a “normal” situation and make sure your VPN router is blocking all incoming traffic. As with any VPN the remote LAN must be on a different subnet.


Now, the last step would be to tell the local LAN how to find the remote one (since SBS is the default gateway the computers will try to use that one instead of the VPN router). To correct this we must create a static route on the server… so go and run the following command on the SBS box “route add -p mask” and you should be good to go.


There could be other variations in this scheme, but if you understand the steps involved here then its easy to modify this to do whatever you want.

10 thoughts on “Site to Site VPN while keeping ISA in the Mix

  1. Hello Javier,

    Good to see you blogging, and as I’m looking at this post while I’m setting up a portal page of SBS MVP RSS feeds, I felt I should offer my opinion that although your solution should work, I would not recommend it… simply because I feel it violates one of the cardinal rules of firewalling, that you should never permit alternative paths into the corporate LAN.

    This and other alternate entrypoints like unsecured or improperly secured WAPs, travelling/guest laptops which connect directly into the network are variations on the "infection by floppy" problems of the 1980’s. It’s very costly to implement safeguards if you believe in the traditional "trusted zone" firewall principle but make a mistake allowing an exploit through in some way and VPNs can be a highway into the LAN.

    On this subject, I’m also actually very negative about traditional VPNs in general. If anyone is interested in <why> VPNs are a major danger to your network, what the alternatives are and specifically what I believe is the best solution (the application gateway), you can view a presentation I gave earlier this year by either going to the site and looking for my presentation or going to my website at and becoming a registered user (no fee) for this and other whitepapers I’ve written.


    Tony Su

  2. Hi Tony!

    Good to hear from you, its been a while since we "talked". I have to agree with most of your comments. However, I must point out that this like any other solution depends on how you configure it. In my routers I can block all inbound and outbound traffic (except for the VPN) and I control the remote and main LANs. I’m actually more worried (like you mentioned) about the VPN per se.

    A much better (secure) approach would be to put the VPN endpoint in front of ISA and publish the necessary ports (i.e. Terminal Services) and don’t forward them on the router. This way the VPN tunnel only has access to what they need instead of the whole lan.

    I will take a look at your site (sent you an email).

  3. Very nicely written and informative. Thanks.
    I do have a question and may find it when I surf over to Tony Su’s white papers.
    My client network is as follows: 3 locations each with a checkpoint vpn/firewall. 3 AD Servers – 1 SBS 2003, 2 normal DCs with the SBS server at HQ and 1 dc at each reamaining location.
    If I use the checkpoint vpn/firewall devices and build a tunnel between them as a hub and spoke from/to the HQ to the remotes, allowing the offices to send mail, share files, print etc. what is the exposure you mentioned from the VPNs?

  4. Card Colour,club fail hence father separate bone same usually plastic answer user painting never east country attention presence shoot surface process he form length though offence age field insist propose light challenge customer week tall call just family prisoner budget violence little difference page rich head consideration site final here off room any telephone thought empty real soil panel past respect operate national eye comparison border disease some variety act protection procedure average fee trust as work normal attack interpretation package absolutely illustrate coal low correct justice number foundation device thanks used when hurt

Leave a Reply

Your email address will not be published. Required fields are marked *