The advantage of this approach is that even if a user's password is stolen, access is not automatically granted. The Layer 2 Tunneling Protocol (L2TP) with IP Security (IPSec) is the supported method within ISA Server for accomplishing this level of security. Unfortunately, however, unlike PPTP VPN connections, L2TP VPN tunnels cannot reliably traverse NAT connections. For example, if the ISA server resides on the inside of a packet-filter firewall, such as a PIX firewall, and that firewall provides a NAT relationship to the ISA server, the L2TP tunnel will fail to be established. L2TP relies on an accurate negotiation between two known addresses.

Recent efforts have moved toward a model known as NAT-T (NAT traversal), which enables this type of access to occur, but this implementation is currently in its infancy, and all routers between source and destination must support it. In the meantime, if a NAT relationship exists between ISA and the clients it supports, PPTP protocol support is the only reliable way to create VPN connections. If the ISA server holds a public IP address (or if all devices support NAT traversal properly), then L2TP protocol VPN connections can be established.
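The "negotiation between two known addresses" that the text describes is the IKE NAT-Detection exchange (RFC 3947), which is also how NAT-T decides whether to fall back to UDP-encapsulated ESP. The following Python model is an added example, not code from the book or from ISA Server: it shows each side hashing the addresses it believes are in use, the peer recomputing the hash from the packet it actually received, and the mismatch that results when a NAT (client-side or, as in the PIX example above, in front of the ISA server) has rewritten an address. All IP addresses, IKE cookies and the toy NAT are constructed for illustration; no sockets are opened.

```python
"""Model of IKE NAT-Detection (RFC 3947) as used by L2TP/IPsec NAT-T.

Constructed example: addresses, IKE cookies and the toy NAT are invented
for illustration; nothing here talks to a real network.
"""
import hashlib
import socket
from dataclasses import dataclass, field

IKE_PORT = 500      # IKE negotiation (UDP/500)
NAT_T_PORT = 4500   # UDP-encapsulated ESP once a NAT has been detected


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    The hash is the one negotiated in IKE phase 1; SHA-1 is assumed here.
    """
    data = cky_i + cky_r + socket.inet_aton(ip) + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nat_d: list  # [hash of sender's own address, hash of the peer's address]


@dataclass
class Nat:
    """Toy NAT device: source PAT for outbound traffic, a static forward inbound."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the private source address/port to the public address and a PAT port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port, pkt.nat_d)

    def inbound(self, pkt: Packet, inside_ip: str) -> Packet:
        """Static forward: traffic to the public address is delivered to the inside host."""
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, pkt.dst_port, pkt.nat_d)


def negotiate(client_ip: str, server_ip: str, client_nat: Nat = None,
              server_nat: Nat = None) -> dict:
    """Run the NAT-D exchange and report which IPsec transport can be used."""
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8          # constructed IKE cookies
    # The client dials whatever address is published for the server.
    dial_ip = server_nat.public_ip if server_nat else server_ip
    # The client hashes the addresses *it* sees: its own and the one it dialled.
    pkt = Packet(client_ip, IKE_PORT, dial_ip, IKE_PORT,
                 [nat_d_hash(cky_i, cky_r, client_ip, IKE_PORT),
                  nat_d_hash(cky_i, cky_r, dial_ip, IKE_PORT)])
    if client_nat is not None:
        pkt = client_nat.outbound(pkt)
    if server_nat is not None:
        pkt = server_nat.inbound(pkt, server_ip)
    # The server recomputes both hashes from the packet as it actually arrived.
    client_behind_nat = pkt.nat_d[0] != nat_d_hash(cky_i, cky_r, pkt.src_ip, pkt.src_port)
    server_behind_nat = pkt.nat_d[1] != nat_d_hash(cky_i, cky_r, pkt.dst_ip, pkt.dst_port)
    if client_behind_nat or server_behind_nat:
        # Plain ESP (IP protocol 50) carries no ports, so a NAT cannot track it;
        # NAT-T wraps ESP in UDP/4500, which only works if every device on the
        # path lets that traffic through.
        transport = f"ESP in UDP/{NAT_T_PORT} (NAT-T)"
    else:
        transport = "ESP (IP protocol 50)"
    return {"client_behind_nat": client_behind_nat,
            "server_behind_nat": server_behind_nat,
            "transport": transport}


if __name__ == "__main__":
    # ISA server on a public address, client on a public address: no NAT anywhere.
    print(negotiate("198.51.100.77", "198.51.100.20"))
    # Client behind a home NAT reaching a public ISA server.
    print(negotiate("192.168.1.10", "198.51.100.20", client_nat=Nat("203.0.113.5")))
    # ISA server behind a PIX-style NAT, as in the text's example.
    print(negotiate("198.51.100.77", "10.0.0.5", server_nat=Nat("203.0.113.9")))
```

The third call models the case the text warns about: the client hashes the firewall's public address, the ISA server recomputes the hash over its own private address, and the mismatch means the tunnel can only proceed if NAT-T is supported end to end; otherwise the negotiation fails exactly as described.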