Head office has an IP/domain-based subscription to a web-based, business-critical information resource.  ISA 2004 is running with VPN enabled.

Branch offices will set up ISA 2004 VPN tunnels to the head office, and have not only LOCAL LAN traffic fired through the tunnel, but also certain internet traffic.

I'm working at the branch office doing deployments, and I need access to the Terminal Servers at head office for configuration purposes.  The infrastructure here is completely separate - I'm using the VPN tunnel basically to route one-way Terminal Server traffic (branch to head office) and so that I have access to our web subscription only.

The setup is rather unusual, but given the number of "guides" already available... =)  I thought I'd document my one slightly more obscure case.  You can easily adapt this to turn it into a two-way link: change the routing method as necessary (route vs NAT) and set up a site-to-site VPN at head office as well.

Here's what I did...

Head Office:

a) Enable regular Client VPN access.  We don't need head office firing anything down to the branch office, except for branch-office initiated connections.  You can change these rules quite easily... but we just need to add one access rule.  Ensure VPN Quarantining is disabled, or exclude the user that the branch office uses to initiate the connections, and allow all VPN Clients access to "Everywhere".

b) Jump into Configuration, Networks, then Network Rules.  Find the "Internet Access" rule and add VPN Clients to the source networks category.  Ensure that they also have access to the local network.  No further VPN site setup is necessary here, since we don't need a true two-way link.

c) Create a user and give it dial-in privileges.  Test this client's connectivity by leaving "Use Default Gateway on Remote Network" checked in TCP/IP properties, and dialing manually on a computer.  Visit some IP checking site like www.justinho.com and confirm that its "Your IP is..." line is consistent with something originating from head office.  If it isn't, check the monitoring on head office looking for denied connections.  Or post a comment here and I'll see what I can do.

Branch office:

a) Set up a new VPN Remote Site connection: give it a name, use PPTP (for simplicity - you can use others if you wish...), choose an NLB connection owner (Enterprise only), give it the remote VPN server IP, give it the necessary login credentials - LOCAL SITE definitely needs to be able to initiate connections - and add a basic range for the remote LAN for now.  Finish up.  Apply the settings.

b) Set up network rules: go into Configuration, Networks.  You should see the new network that you defined earlier showing up in the list here.  Jump over to the Network Rules tab, and find or create a new rule.  Relation: NAT, Source: Internal, Destination: the VPN network you just created.

c) Restart the ISA Server.  Restarting services will NOT do.  (Yes, you REALLY do need to do this to get it to work!)

d) Perform DNS lookups via nslookup for all sites that need to be routed.  Enter these IPs into the Remote Network's IP address range.  Apply the settings.

e) Reboot if necessary.  If you get a message like "An address has not yet been associated with the network endpoint", confirm that the VPN connection is auto-dialing as necessary.  If you're using a router/hard-linked connection to the internet, set up dial-up preferences and set it as a dial-up connection, but do NOT set it as the default gateway.  Confirm the VPN connection again - it should be auto-dialing.  A reboot seriously does wonders.  Don't sit there banging your head against the wall like I did =)
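Step d) above is the part that silently breaks later: the remote network definition is a static list of IP ranges, so if the subscription site's DNS answer changes, its traffic quietly stops going through the tunnel and the head-office source IP no longer shows up. Here is an added helper (my own example, not part of the original walkthrough or of ISA) that does the lookups, collapses the results into the "start - end" ranges the Remote Network dialog wants, and flags hosts that resolve to several addresses so you know which entries to re-check. The hostnames and addresses in SAMPLE_LOOKUPS are constructed placeholders, not the real subscription.

```python
import ipaddress
import socket

# Constructed sample: hypothetical hostnames that must go through the tunnel,
# mapped to the addresses a resolver returned for them (not from the post).
SAMPLE_LOOKUPS = {
    "subscription.example.com": ["203.0.113.10", "203.0.113.11", "203.0.113.12"],
    "portal.example.com": ["203.0.113.11"],
    "cdn.example.net": ["198.51.100.7", "198.51.100.40"],
    "ts.example.org": ["192.0.2.25"],
}

def resolve_with_dns(hostname):
    """Real lookup via the system resolver (same answers nslookup would show)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})

def collect_addresses(hostnames, resolver=resolve_with_dns):
    """Resolve every hostname; return (set of IPv4Address, list of warnings)."""
    addresses, warnings = set(), []
    for host in hostnames:
        ips = resolver(host)
        if not ips:
            warnings.append(f"{host}: no A record, nothing to add to the remote range")
            continue
        if len(ips) > 1:
            # Round-robin or CDN: the answer can change between lookups, so a
            # static range may stop matching and traffic falls back to the branch link.
            warnings.append(f"{host}: resolves to {len(ips)} addresses, re-check it periodically")
        addresses.update(ipaddress.IPv4Address(ip) for ip in ips)
    return addresses, warnings

def to_isa_ranges(addresses):
    """Collapse addresses into contiguous 'start - end' ranges for the ISA dialog."""
    ranges = []
    for ip in sorted(addresses):
        if ranges and ranges[-1][1] + 1 == ip:
            ranges[-1][1] = ip          # extends the previous range
        else:
            ranges.append([ip, ip])     # starts a new range
    return [(str(start), str(end)) for start, end in ranges]

if __name__ == "__main__":
    # Offline run against the constructed sample; drop the resolver= argument for live DNS.
    addrs, warns = collect_addresses(SAMPLE_LOOKUPS, resolver=lambda h: SAMPLE_LOOKUPS[h])
    for start, end in to_isa_ranges(addrs):
        print(f"{start} - {end}")
    for w in warns:
        print("WARNING:", w)
```

Re-run it after the site goes quiet and diff the ranges against what is in the Remote Network definition before you start rebooting things.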