Contact

admin

About Me · Send mail to the author(s) E-mail · Twitter

At GROSSWEBER we practice what we preach. We offer trainings for modern software technologies like Behavior Driven Development, Clean Code and Git. Our staff is fluent in a variety of languages, including English.

Feed Icon

Tags

Open Source Projects

Archives

Blogs of friends

Now playing [?]

Error retrieving information from external service.
Audioscrobbler/Last.fm

ClustrMap

Updating ISA Server's Local IPSec Endpoint Address for Dial-Up Site-To-Site VPNs Through PowerShell

Posted in Networking | PowerShell at Sunday, September 16, 2007 11:50 PM W. Europe Daylight Time

Wow, what a mouthful of a title.

What do we have here? We've got a Site-To-Site VPN to be established from a ISA Server with a dynamic IP address. Dynamic IP addresses are assigned by ISPs for consumer cable and DSL internet connections and will be renewed at least each 24 hours. That is, every time your internet connection is established, your public IP changes. This prevents you from hosting internet servers on top of your cheapo DSL service.

Site-To-Site VPNs basically connect two private networks over a secured internet tunnel. ISA Server supports Site-To-Site VPNs but requires a static IP address for the local VPN gateway. Since the local VPN gateway is your ISA Server that has a dynamic IP address, you have to either purchase a static IP address (expensive) or update the local endpoint's IP address every time your internet connection is established. A pitfall I ran into when I was setting up the VPN connection together with my very helpful colleague Timo from Synexus was that we were able to successfully connect to the remote site until the DSL connection dropped. All further VPN connection attempts failed because due to the reconnect, ISA Server's public IP changed. This isn't reflected by the remote site configuration, the dropdown box is just emptied:

Local Endpoint IP is empty after reconnects

Now you'll either have to change the local endpoint address using the ISA Server management console every time your DSL line is connected or you could automate that using ISA's rich COM object model.

Scripting the ISA Server COM objects with Windows PowerShell is easy. It actually takes just six lines of code to set the new public IP for all Site-To-Site VPN connections.

param([string] $newIP = $(throw "Update-IsaServerIPSecPublicIp: New IP address is missing"))

$root = New-Object -comObject "FPC.Root" -strict
$server = $root.Arrays | Select-Object -first 1
$publicNetwork = $server.NetworkConfiguration.Networks | Where-Object { $_.NetworkType -eq 3 }
$ipSecSite2SiteNetworks = $server.NetworkConfiguration.Networks | Where-Object { $_.NetworkConnectionType -eq 4 }

$ipSecSite2SiteNetworks | ForEach-Object { $_.VpnConfiguration.IPSecSettings.LocalServerAddress = $newIP; $_.VpnConfiguration.IPSecSettings.Save() }

The next step will be to integrate this script to an application that detects changes to IP address of certain network interfaces – we use DirectUpdate to keep our dyndns.org domains current. But any other tool like the free DynDNS Updater that is able to spawn a process when a new IP is detected will certainly do.

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -command C:\Tools\Update-IsaServerIPSecPublicIp.ps1 <new IP address>

If you didn't use PowerShell until now, take a look at Scott Hanselman's most recent dnrTV webcast. Scott has recorded a really nice piece where he starts downloading the PowerShell bits and walks you though the basic concepts and some more interesting details.

Saturday, May 24, 2008 10:22:18 PM (W. Europe Daylight Time, UTC+02:00)
Thank you for a usefuul article. It can help me to solve the task.
Sunday, August 15, 2010 1:04:55 AM (W. Europe Daylight Time, UTC+02:00)
great share, i am reading much about VPN and Security. This is great post to share with my twitter followers.
Saturday, August 28, 2010 1:10:57 AM (W. Europe Daylight Time, UTC+02:00)
I actually wrote a powershell script to do something similar, but for the remote end of the IPSEC tunnel. This updates in a similar way.

http://www.extropy.com/forums/knowledge-bases-extropedia/microsoft/dynamic-ipsec-remote-gateway-addresses-tmg-and-isa
Tuesday, September 14, 2010 4:11:50 PM (W. Europe Daylight Time, UTC+02:00)
Every day more and more people want to protect their privacy on Internet. Governments around the world put different kind of restrictions on Internet connections of their citizens. VPN is solution for all that with which you can bypass all restrictions and protect your privacy. Many expert predict that VPN is future of Internet freedom.
All comments require the approval of the site owner before being displayed.
(will show your gravatar icon)
 
[Captcha]Enter the code shown (prevents robots):

Live Comment Preview