The first thing we need to tackle is the remote access solutions because that will enable all remote users to access resources. Then we will go through the process of configuring site-to-site connections for the remote offices. Remote access for Contoso, LTD. employees is deployed by using remote access VPN connections across the Internet, based on the settings configured in the “Common Configuration for the VPN Server” section seen earlier in this chapter and the following additional settings.
Figure 10-2 shows the Contoso, LTD. VPN server that provides remote access VPN connections.
Figure 10-2: The Contoso, LTD. VPN server that provides remote access VPN connections.
All access to the network for any resource is authenticated by Active Directory, which provides the consolidation, control, and reporting of all security for the corporation. For each employee who is allowed VPN remote access:
The remote access permission on the dial-in properties of the user account is set to Control Access Through Remote Access Policy.
The user account is added to the VPN_Users Active Directory group.
To define the authentication and encryption settings for remote access VPN clients, the following common remote access policy is created:
Policy Name: Remote Access VPN Connections
Access Method: VPN
User Or Group Access: Group, with the EXAMPLE\VPN_Users group selected
Authentication Methods: Extensible Authentication Protocol (EAP), with the Smart Card Or Other Certificate type, Microsoft Encrypted Authentication Version 2 (MS-CHAP v2), and Microsoft Encrypted Authentication (MS-CHAP) selected
Policy Encryption Level: Strong Encryption and Strongest Encryption selected
On the Windows XP remote access client computers, the New Connection Wizard is used to create a VPN connection with the following settings:
Network Connection Type: Connect To The Network At My Workplace
Network Connection: Virtual Private Network Connection
Connection Name: Contoso, LTD.
VPN Server Selection: vpn.contoso.example.com
Connection Availability: Anyone’s Use (This option is available only on Windows XP clients that are members of a domain.)
The remote access computer logs on to the Contoso, LTD. domain using a LAN connection to the Contoso, LTD. intranet and receives a computer certificate through auto-enrollment. This must happen over the local LAN before the user tries to connect from home. (If you want to enable certificate bootstrapping for clients that are not attached to the domain, use PPTP to connect first, run a connect action to plumb the machine and user certificates, disconnect from PPTP, and reconnect with L2TP/IPSec.) Then the New Connection Wizard is used to create the VPN connection with the following settings:
Network Connection Type: Connect To The Network At My Workplace
Network Connection: Virtual Private Network Connection
Connection Name: Contoso, LTD.
VPN Server Selection: vpn.contoso.example.com
Connection Availability: Anyone’s Use (This option is available only on Windows XP clients that are members of a domain.)
In the Network Connections window, right-click Contoso, LTD., click Properties, and then click the Networking tab. On the Networking tab, Type Of VPN must be set to L2TP IPSec VPN. When Type Of VPN is set to Automatic, PPTP is tried first, and then L2TP/IPSec. In this case, the network administrator for Contoso, LTD. does not want remote access clients that are capable of establishing an L2TP/IPSec connection to fall back to PPTP.
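The following script is an added example and is not part of the original chapter or the Contoso, LTD. configuration. It expresses the same client settings the Windows XP wizard produces (connection name, server vpn.contoso.example.com, Anyone's Use, Type Of VPN pinned to L2TP/IPSec rather than Automatic) using the VpnClient module cmdlets available on current Windows versions, and adds an audit function that reports a connection which would still fall back to PPTP. The function names New-ContosoL2tpConnection and Test-ContosoVpnPolicy are hypothetical; the chapter's smart-card EAP option is not configured here because Add-VpnConnection needs a separate EAP configuration XML for it, so the example uses the MS-CHAP v2 method the policy also permits.

```powershell
# Added example (not from the chapter). Assumes a current Windows client with
# the VpnClient module (Add-VpnConnection / Get-VpnConnection). The connection
# name and server address follow the chapter; everything else is an assumption.

$ConnectionName = 'Contoso, LTD.'
$VpnServer      = 'vpn.contoso.example.com'

function New-ContosoL2tpConnection {
    [CmdletBinding()]
    param(
        [string]$Name          = $ConnectionName,
        [string]$ServerAddress = $VpnServer
    )
    # -AllUserConnection corresponds to Connection Availability: Anyone's Use.
    # -TunnelType L2tp is the equivalent of Type Of VPN = L2TP IPSec VPN; with
    # Automatic the client would try PPTP first. No -L2tpPsk is given, so the
    # IPsec SA is authenticated with the auto-enrolled computer certificate.
    # The chapter's EAP smart-card method would need -EapConfigXmlStream.
    Add-VpnConnection -Name $Name `
        -ServerAddress $ServerAddress `
        -TunnelType L2tp `
        -AuthenticationMethod MSChapv2 `
        -EncryptionLevel Required `
        -AllUserConnection `
        -RememberCredential:$false `
        -Force
}

function Test-ContosoVpnPolicy {
    # Audit helper: reports whether a connection meets the "L2TP/IPsec only,
    # certificate-authenticated, encryption required" requirement.
    [CmdletBinding()]
    param([string]$Name = $ConnectionName)

    $conn   = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction Stop
    $issues = @()

    if ($conn.TunnelType -ne 'L2tp') {
        $issues += "TunnelType is '$($conn.TunnelType)'; Automatic or Pptp allows PPTP to be used"
    }
    if ($conn.L2tpIPsecAuth -ne 'Certificate') {
        $issues += "L2tpIPsecAuth is '$($conn.L2tpIPsecAuth)'; expected machine certificate"
    }
    if ($conn.EncryptionLevel -notin @('Required', 'Maximum')) {
        $issues += "EncryptionLevel '$($conn.EncryptionLevel)' permits an unencrypted PPP link"
    }
    if ($conn.AuthenticationMethod -contains 'Pap' -or $conn.AuthenticationMethod -contains 'Chap') {
        $issues += 'PAP or CHAP enabled; passwords would be sent in clear or reversible form'
    }

    [pscustomobject]@{
        Name      = $conn.Name
        Server    = $conn.ServerAddress
        Compliant = ($issues.Count -eq 0)
        Issues    = $issues
    }
}

# Create the connection, then verify it before handing the machine to a user.
New-ContosoL2tpConnection
Test-ContosoVpnPolicy | Format-List
```

Run the audit function on its own against existing connections (for example after a help-desk technician has edited the properties by hand) to catch a connection whose Type Of VPN has drifted back to Automatic; the output object can be collected centrally because it is plain data rather than console text.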