250 | PART II VPN Deployment Domain Configuration All access to the network for any resource is authenticated by Active Directory, which provides the consolidation, control, and reporting of all security for the cor- poration. For each employee who is allowed VPN remote access: • The remote access permission on the dial-in properties of the user account is set to Control Access Through Remote Access Policy. • The user account is added to the VPN_Users Active Directory group. Remote Access Policy Configuration To define the authentication and encryption settings for remote access VPN clients, the following common remote access policy is created: • Policy Name: Remote Access VPN Connections • Access Method: VPN • User Or Group Access: Group, with the EXAMPLE\VPN_Users group selected • Authentication Methods: Extensible Authentication Protocol (EAP), with the Smart Card Or Other Certificate type, Microsoft Encrypted Authentication Version 2 (MS-CHAP v2), and Microsoft Encrypted Authentication (MS- CHAP) selected • Policy Encryption Level: Strong Encryption and Strongest Encryption selected PPTP-Based Remote Access Client Configuration On the Windows XP remote access client computers, the New Connection Wizard is used to create a VPN connection with the following settings: • Network Connection Type: Connect To The Network At My Workplace • Network Connection: Virtual Private Network Connection • Connection Name: Contoso, LTD. • VPN Server Selection: vpn.contoso.example.com • Connection Availability: Anyone’s Use (This option is available only on Win- dows XP clients that are members of a domain.) L2TP/IPSec-Based Remote Access Client Configuration The remote access computer logs on to the Contoso, LTD. domain using a LAN connection to the Contoso, LTD. intranet and receives a computer certificate through auto-enrollment. This needs to happen prior to the user trying to connect from home because it needs to happen over the local LAN. (If you want to enable Chapter 10 A VPN Deployment Scenario | 251 bootstrapping certificates for non-domain attached clients, use PPTP to connect first, run a connect action to plumb the machine and user certificates, disconnect from PPTP and reconnect with L2TP/IPSec.) Then the New Connection Wizard is used to create the VPN connection with the following settings: • Network Connection Type: Connect To The Network At My Workplace • Network Connection: Virtual Private Network Connection • Connection Name: Contoso, LTD. • VPN Server Selection: vpn.contoso.example.com • Connection Availability: Anyone’s Use (This option is available only on Win- dows XP clients that are members of a domain.) In the Network Connections windows, right-click Contoso, LTD. click Properties, and then click the Networking tab. On the Networking tab, Type Of VPN must be set to L2TPIPSec VPN. When Type Of VPN is set to Automatic, PPTP is tried first, and then L2TP/IPSec. In this case, the network administrator for Contoso, LTD. does not want remote access clients that are capable of establishing an L2TP/IPSec connection to use PPTP. On-Demand Branch Office Now that we have the remote access setups done on the VPN server and the remote access clients, let’s take a look at the site-to-site connections we need to create for the remote offices. The Portland and Dallas branch offices of Contoso, LTD. are connected to the corporate office by using on-demand site-to-site VPN connections. Both the Portland and Dallas offices contain a few dozen employees who need only occasional connectivity with the corporate office. (For anything fewer than 10 users at a site, the users should be left on remote access. This will allow the corporation to not have to support server-based services remotely at the branch office. For any more than 10 users, site-to-site connections with a dedicated server is the preferred model.) The Window Server 2003 routers in the Portland and Dallas offices are equipped with an Integrated Services Digital Network (ISDN) adapter that dials a local ISP to gain access to the Internet. When access is gained, a site-to-site VPN connection is made across the Internet. When the VPN connec - tion is idle for five minutes, the routers at the branch offices terminate the VPN con- nection. The Dallas branch office uses the IP network ID of 192.168.28.0 with a subnet mask of 255.255.255.0 (192.168.28.0/24). The Portland branch office uses the IP network ID of 192.168.4.0 with a subnet mask of 255.255.255.0 (192.168.4.0/24). To simplify the configuration, the VPN connection is a one-way initiated connection that is always initiated by the branch office router. This is preferable to two-way ini- tiated connection because the branch office does not have to use an always-on Inter- 252 | PART II VPN Deployment net connection and thus saves on costs. (In many cases these days, a branch office can use ADSL or cable modem for its connection and therefore maintain an always- on state, so see what options are available for your scenario and branch office con - nections. We will be setting up some two-way connections later on in this chapter.) For more background information, see Chapter 8. Figure 10-3 shows the Contoso, LTD. VPN server that provides on-demand branch office connections. VPN server 172.31.0.1 207.209.68.1 172.31.0.2 T3 link Contoso, LTD intranet Internet ISDN link ISDN link ISP ISP Dallas branch office Portland branch office Figure 10-3. The Contoso, LTD. VPN server that provides on-demand branch office connections. Additional Configuration To deploy on-demand site-to-site VPN connections to connect the Portland and Dallas branch offices to the corporate office based on the settings configured in the “Common Configuration for the VPN Server” section of this chapter, the following additional settings are configured. Domain Configuration For the VPN connection to the Dallas office, the user account VPN_Dallas is created with the following settings: • Password of nY7W{q8~=z3. • For the account properties of the VPN_Dallas account, the User Must Change Password At Next Logon option is cleared and the Password Never Expires option is selected. • For the dial-in properties on the VPN_Dallas account, the remote access per- mission is set to Control Access Through Remote Access Policy and the static route 192.168.28.0 with a subnet mask of 255.255.255.0 is added. Chapter 10 A VPN Deployment Scenario | 253 • The VPN_Dallas account is added to the VPN_Routers group. For the VPN connection to the Portland office, the user account VPN_Portland is created with the following settings: • Password of P*4s=wq!Gx1. • For the account properties of the VPN_Portland account, the User Must Change Password At Next Logon option is cleared and the Password Never Expires option is selected. • For the dial-in properties on the VPN_Portland account, the remote access permission is set to Control Access Through Remote Access Policy and the static route 192.168.4.0 with a subnet mask of 255.255.255.0 is added. • The VPN_Portland account is added to the VPN_Routers group. Remote Access Policy Configuration To define the authentication and encryption settings for the VPN routers, the fol- lowing remote access policy is created: • Policy Name: VPN Routers • Access Method: VPN • User Or Group Access: Group, with the EXAMPLE\VPN_Routers group selected • Authentication Methods: Extensible Authentication Protocol (EAP), with the Smart Card Or Other Certificate type, and Microsoft Encrypted Authentica - tion version 2 (MS-CHAP v2) selected • Policy Encryption Level: Strong Encryption and Strongest Encryption selected The following sections describe a PPTP-based on-demand branch office connection for the Dallas office and an L2TP/IPSec-based on-demand branch office connection for the Portland office. By describing this scenario, we can cover all bases for your own deployments. For the best security, L2TP/IPSec with certificates is the recom - mended solution for site-to-site connections. Many vendors suggest IPSec tunnel mode for this operation, but Microsoft does not support it because it has been rejected for security reasons by the Internet Engineering Task Force (IETF). See the sidebar in Chapter 8 for more details. PPTP-Based On-Demand Branch Office The Dallas branch office is a PPTP-based branch office that uses a Windows Server 2003 router to create an on-demand, site-to-site VPN connection with the VPN server in New York as needed. When the connection is made and is idle for five minutes, the connection is terminated. 254 | PART II VPN Deployment To deploy a PPTP, one-way initiated, on-demand, site-to-site VPN connection to the corporate office based on the settings configured in the “Common Configuration for the VPN Server” and “On-Demand Branch Office” sections of this chapter, the fol - lowing settings are configured on the Dallas router. Demand-Dial Interface for the Connection to the ISP To connect the Dallas office router to the Internet by using a local ISP, a demand- dial interface is created using the Demand-Dial Interface Wizard with the following settings: • Interface Name: ISP • Connection Type: Connect Using A Modem, ISDN Adapter, Or Other Physi- cal Device • Select a Device: The appropriate ISDN device is specified. • Phone Number: Phone number of the ISP for the Dallas office. • Protocols And Security: The Route IP Packets On This Interface check box is selected. • Static Routes For Remote Networks To create the connection to the Dallas ISP when the site-to-site VPN connec- tion needs to be made, the following static route is created: • Destination: 207.209.68.1 • Network mask: 255.255.255.255 • Metric: 1 • Dial Out Credentials User name: Dallas office ISP account name Password: Dallas office ISP account password Confirm password: Dallas office ISP account password To run the Demand-Dial Interface Wizard, right-click Network Interfaces in the Routing And Remote Access snap-in’s control tree, and then click New Demand- Dial Interface. Demand-Dial Interface for Site-to-Site VPN Connection To connect the Dallas office router to the VPN server by using a site-to-site VPN connection over the Internet, the New York office’s network administrator created a demand-dial interface using the Demand-Dial Interface Wizard with the following settings: • Interface Name: CorpHQ • Connection Type: Connect Using Virtual Private Networking (VPN) Chapter 10 A VPN Deployment Scenario | 255 • VPN Type: Point-to-Point Tunneling Protocol (PPTP) • Destination Address: 207.209.68.1 • Protocols And Security: The Route IP Packets On This Interface check box is selected. • Static Routes For Remote Networks To make all locations on the corporate intranet reachable, the following static route is created: • Destination: 172.16.0.0 • Network mask: 255.240.0.0 • Metric: 1 To make all locations on Contoso, LTD. branch offices reachable, the follow- ing static route is created: • Destination: 192.168.0.0 • Network mask: 255.255.0.0 • Metric: 1 • Dial-Out Credentials User Name: VPN_Dallas Domain: contoso.example.com Password: nY7W{q8~=z3 Confirm Password: nY7W{q8~=z3 L2TP/IPSec-Based On-Demand Branch Office The Portland branch office is an L2TP/IPSec-based branch office that uses a Win- dows Server 2003 router to create an on-demand, site-to-site VPN connection with the VPN server in New York as needed. When the connection is made and is idle for five minutes, the connection is terminated. To deploy an L2TP/IPSec, one-way initiated, on-demand, site-to-site VPN connec- tion to the corporate office based on the settings configured in the “Common Con- figuration for the VPN Server” and “On-Demand Branch Office” sections of this chapter, the following settings are configured on the Portland router. Certificate Configuration The Portland router was configured by the Contoso, LTD. network administrator while it was physically connected to the Contoso, LTD. intranet. It was then shipped to the Portland site. While the Portland router was connected to the Con - toso, LTD. intranet, a computer certificate was installed through auto-enrollment 256 | PART II VPN Deployment and the user name was created in Active Directory on the headquarters intranet. This point is important to remember, especially if you are going to do two-way ini - tiated connections with separate Active Directory instances on each side of the link. Configure the remote router while it is still connected to the central intranet, syn - chronize the two Active Directory user entries on either one’s Active Directory domain controller, and then ship the VPN server to the remote site. Demand-Dial Interface for the Connection to the ISP To connect the Portland office router to the Internet by using a local ISP, the net- work administrator created a demand-dial interface using the Demand-Dial Inter- face Wizard with the following settings: • Interface Name: ISP • Connection Type: Connect Using A Modem, ISDN Adapter, Or Other Physi- cal Device • Select a Device: The appropriate ISDN device is specified. • Phone Number: Phone number of the ISP for the Portland office. • Protocols And Security: The Route IP Packets On This Interface check box is selected. • Static Routes For Remote Networks To create the connection to the Portland ISP when the site-to-site VPN con- nection needs to be made, the following static route is created: • Destination: 207.209.68.1 • Network Mask: 255.255.255.255 • Metric: 1 • Dial-Out Credentials User Name: Portland office ISP account name Password: Portland office ISP account password Confirm Password: Portland office ISP account password Demand-Dial Interface for Site-to-Site VPN Connection To connect the Portland office router to the VPN server by using a site-to-site VPN connection over the Internet, the network administrator created a demand-dial interface using the Demand-Dial Interface Wizard with the following settings: • Interface Name: CorpHQ • Connection Type: Connect Using Virtual Private Networking (VPN) • VPN Type: Layer 2 Tunneling Protocol (L2TP) Chapter 10 A VPN Deployment Scenario | 257 • Destination Address: 207.209.68.1 • Protocols And Security: The Route IP Packets On This Interface check box is selected. • Static Routes For Remote Networks To make all locations on the corporate intranet reachable, the following static route is created: • Destination: 172.16.0.0 • Network Mask: 255.240.0.0 • Metric: 1 To make all locations on Contoso, LTD. branch offices reachable, the follow- ing static route is created: • Destination: 192.168.0.0 • Network Mask: 255.255.0.0 • Metric: 1 • Dial-Out Credentials • User Name: VPN_Portland • Domain: contoso.example.com • Password: P*4s=wq!Gx1 • Confirm Password: P*4s=wq!Gx1 Persistent Branch Office The Chicago and Phoenix branch offices of Contoso, LTD. are connected to the corporate office by using persistent site-to-site VPN connections that stay connected 24 hours a day. The Windows Server 2003 routers in the Chicago and Phoenix offices are equipped with T1 WAN adapters that have a permanent connection to a local ISP to gain access to the Internet. In today’s communications market, many companies would use ADSL or cable modem for these purposes for two reasons: the cost is much cheaper on a recurring monthly basis because the cost of the Inter- net connection for ADSL or cable modem is less than $100 U.S. per month as opposed to greater than $1,000 U.S. per month for a T1 leased line, and they pro- vide a decent amount of bandwidth—at a minimum, equivalent in bandwidth to a dual channel ISDN 128-kilobits per seconds (Kbps) link. The Chicago branch office uses the IP network ID of 192.168.9.0 with a subnet mask of 255.255.255.0 (192.168.9.0/24). The Chicago branch office router uses the public IP address of 131.107.0.1 for its Internet interface. The Phoenix branch office 258 | PART II VPN Deployment uses the IP network ID of 192.168.14.0 with a subnet mask of 255.255.255.0 (192.168.14.0/24). The Phoenix branch office router uses the public IP address of 157.60.0.1 for its Internet interface. The VPN connection is a two-way initiated connection. The connection is initiated from either the branch office router or the VPN server. Two-way initiated connec- tions require the creation of demand-dial interfaces, remote access policies, and static IP address pools on the routers on both sides of the connection. Figure 10-4 shows the Contoso, LTD. VPN server that provides persistent branch office connections. VPN server 172.31.0.1 207.209.68.1 172.31.0.2 T3 link Contoso, LTD intranet Internet T1 link T1 link ISP ISP Phoenix branch office Chicago branch office Figure 10-4. The Contoso, LTD. VPN server that provides persistent branch office connections. Additional Configuration To deploy persistent site-to-site VPN connections to connect the Chicago and Phoe- nix branch offices to the corporate office based on the settings configured in the “Common Configuration for the VPN Server” section of this chapter, the following additional settings are configured. Domain Configuration For the Chicago office VPN connection that is initiated by the Chicago router, the user account VPN_Chicago is created with the following settings: • Password of U9!j5dP(%q1. • For the account properties of the VPN_Chicago account, the User Must Change Password At Next Logon option is cleared and the Password Never Expires option is selected. • For the dial-in properties on the VPN_Chicago account, the remote access permission is set to Control Access Through Remote Access Policy. Chapter 10 A VPN Deployment Scenario | 259 • The VPN_Chicago account is added to the VPN_Routers group. For the Phoenix office VPN connection that is initiated by the Phoenix router, the user account VPN_Phoenix is created with the following settings: • Password of z2F%s)bW$4f. • For the account properties of the VPN_Phoenix account, the User Must Change Password At Next Logon option is cleared and the Password Never Expires option is selected. • For the dial-in properties on the VPN_Phoenix account, the remote access permission is set to Control Access Through Remote Access Policy. • The VPN_Phoenix account is added to the VPN_Routers group. For the Chicago office VPN connection and the Phoenix office VPN connection that are initiated by the VPN server, the user account VPN_CorpHQ is created with the following settings: • Password of o3\Dn6@`-J4. • For the dial-in properties on the VPN_CorpHQ account, the remote access permission is set to Control Access Through Remote Access Policy. • The VPN_CorpHQ account is added to the VPN_Routers group. Remote Access Policy Configuration Because these are two-way connections, remote access policies must be configured at the VPN server, the Chicago router, and the Phoenix router. Remote access policy configuration at the VPN server The remote access policy configuration for the VPN server is the same as described in the “On- Demand Branch Office” section of this chapter. Remote access policy configuration at the Chicago router To d ef i n e t he authentication and encryption settings for the VPN connections, the following remote access policy is created: • Policy Name: VPN Routers • Access Method: VPN • User Or Group Access: Group, with the VPN_Routers group selected • Authentication Methods: Extensible Authentication Protocol (EAP), with the Smart Card Or Other Certificate type, and Microsoft Encrypted Authentica- tion version 2 (MS-CHAP v2) selected • Policy Encryption Level: Strong Encryption and Strongest Encryption selected [...]... only the extranet file server and Web server The file server on the Contoso, LTD extranet is configured with an IP address of 172 .31.0.10, and the Web server is configured with an IP address of 172 .31.0.11 Fabrikam, Inc., uses the public network ID of 131.1 07. 254.0 with a subnet mask of 255.255.255.0 (131.1 07. 254.0/24) Blue Yonder Airlines uses the public network ID of 131.1 07. 250.0 with a subnet mask... access server running Windows Server 2003 provides dial-up remote access at the phone number 555-0111 Rather than administer the remote access policies of both the VPN server and the remote access server separately, the network administrator is using a computer running Windows Server 2003 with the Internet Authentication Service (IAS) as a RADIUS server The IAS server has an IP address of 172 .31.0.9... the remote access server and the VPN server Figure 10-6 shows the Contoso, LTD RADIUS server that provides authentication and accounting for the VPN server and the remote access server Chapter 10 A VPN Deployment Scenario Dial-up remote access client 555-0111 Remote access server VPN server Internet T3 link Contoso, LTD intranet 2 07. 209.68.1 172 .31.0.2 172 .31.0.1 172 .31.0.9 RADIUS server Figure 10-6... Deployment Scenario Summary Contoso, LTD used VPN technologies included with Windows Server 2003 and Windows XP to leverage the connectivity of the Internet to connect remote users, branch offices, and business partners The Contoso, LTD Windows Server 2003 VPN and dial-up remote access servers, used in conjunction with an IAS server, provide centralized authentication, authorization, accounting, and... configuration: • The RADIUS server is a computer running Windows Server 2003 with the IAS networking component installed IAS is configured for two RADIUS clients: the remote access server and the VPN server For more information about configuring RADIUS clients, see Chapter 5 • The remote access server is configured to use RADIUS authentication and accounting at the IP address of 172 .31.0.9 and with a shared secret... Figure 10-5 shows the Contoso, LTD VPN server that provides extranet connections for business partners Parnell Aerospace business partner ISP T1 link VPN server Internet ISP File server T3 link Web server T1 link 2 07. 209.68.1 172 .31.0.10 Contoso, LTD intranet 172 .31.0.1 Tasmanian Traders business partner 172 .31.0.11 172 .31.0.2 Figure 10-5 The Contoso, LTD VPN server that provides extranet connections... the VPN server is configured for RADIUS authentication and accounting and the RADIUS server is a computer running Windows Server 2003 and IAS, the authentication and accounting logs are stored in the SystemRoot\System32\LogFiles folder on the IAS server computer Alternatively, IAS for Windows Server 2003 can also send authentication and accounting information to a structured query language (SQL) server. .. RAS And IAS Servers security group, the change does not take effect immediately (because of the way that Windows Server 2003 caches Active Directory directory service information) For the change to take effect immediately, you need to restart the VPN server computer • For a VPN server that is a member server in a mixed-mode or native-mode Active Directory domain that is configured for Windows authentication,... option on the Logging tab in the properties of a VPN server By default, the PPP log is stored as the Ppp.log file in the SystemRoot\Tracing folder Tracing The Windows Server 2003 Routing And Remote Access service has an extensive tracing capability you can use to troubleshoot complex network problems You can enable the components in Windows Server 2003 to log tracing information to files by using the... registeredserver command to register the server in a domain in which the VPN server is a member or other domains Alternatively, you or your domain administrator can add the computer account of the VPN server computer to the RAS And IAS Servers security group of all the domains that contain user accounts for which the VPN server is authenticating remote access • If you add or remove the VPN server computer . extranet file server and Web server. The file server on the Contoso, LTD. extranet is configured with an IP address of 172 .31.0.10, and the Web server is configured with an IP address of 172 .31.0.11 of 131.1 07. 254.0 with a subnet mask of 255.255.255.0 (131.1 07. 254.0/24). Blue Yonder Airlines uses the public network ID of 131.1 07. 250.0 with a subnet mask of 255.255.255.0 (131.1 07. 250.0/24) partner Parnell Aerospace business partner 172 .31.0.2 172 .31.0.10 File server Web server 172 .31.0.11 Figure 10-5. The Contoso, LTD. VPN server that provides extranet connections for business