VPN Remote Access for Employees


The first thing we need to tackle is the remote access solutions because that will enable all remote users to access resources. Then we will go through the process of configuring site-to-site connections for the remote offices. Remote access for Contoso, LTD. employees is deployed by using remote access VPN connections across the Internet, based on the settings configured in the “Common Configuration for the VPN Server” section seen earlier in this chapter and the following additional settings.

Figure 10-2 shows the Contoso, LTD. VPN server that provides remote access VPN connections.

Figure 10-2: The Contoso, LTD. VPN server that provides remote access VPN connections.

Domain Configuration

All access to the network for any resource is authenticated by Active Directory, which provides the consolidation, control, and reporting of all security for the corporation. For each employee who is allowed VPN remote access:

  • The remote access permission on the dial-in properties of the user account is set to Control Access Through Remote Access Policy.

  • The user account is added to the VPN_Users Active Directory group.

Remote Access Policy Configuration

To define the authentication and encryption settings for remote access VPN clients, the following common remote access policy is created:

  • Policy Name: Remote Access VPN Connections

  • Access Method: VPN

  • User Or Group Access: Group, with the EXAMPLE\VPN_Users group selected

  • Authentication Methods: Extensible Authentication Protocol (EAP), with the Smart Card Or Other Certificate type, Microsoft Encrypted Authentication Version 2 (MS-CHAP v2), and Microsoft Encrypted Authentication (MS-CHAP) selected

  • Policy Encryption Level: Strong Encryption and Strongest Encryption selected

PPTP-Based Remote Access Client Configuration

On the Windows XP remote access client computers, the New Connection Wizard is used to create a VPN connection with the following settings:

  • Network Connection Type: Connect To The Network At My Workplace

  • Network Connection: Virtual Private Network Connection

  • Connection Name: Contoso, LTD.

  • VPN Server Selection: vpn.contoso.example.com

  • Connection Availability: Anyone’s Use (This option is available only on Windows XP clients that are members of a domain.)

L2TP/IPSec-Based Remote Access Client Configuration

The remote access computer logs on to the Contoso, LTD. domain over a LAN connection to the Contoso, LTD. intranet and receives a computer certificate through auto-enrollment. This must happen before the user tries to connect from home, because auto-enrollment takes place over the local LAN. (To bootstrap certificates for clients that are not domain-attached, connect with PPTP first, run a connect action that plumbs the machine and user certificates, disconnect from PPTP, and then reconnect with L2TP/IPSec.) Then the New Connection Wizard is used to create the VPN connection with the following settings:

  • Network Connection Type: Connect To The Network At My Workplace

  • Network Connection: Virtual Private Network Connection

  • Connection Name: Contoso, LTD.

  • VPN Server Selection: vpn.contoso.example.com

  • Connection Availability: Anyone’s Use (This option is available only on Windows XP clients that are members of a domain.)

In the Network Connections window, right-click Contoso, LTD., click Properties, and then click the Networking tab. On the Networking tab, Type Of VPN must be set to L2TP IPSec VPN. When Type Of VPN is set to Automatic, PPTP is tried first, and then L2TP/IPSec. In this case, the network administrator for Contoso, LTD. does not want remote access clients that are capable of establishing an L2TP/IPSec connection to use PPTP.
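The Type Of VPN setting chosen in the wizard is stored as the VpnStrategy value of the connection's entry in the client's rasphone.pbk file, so an administrator can audit deployed clients for entries that still permit PPTP. The following script is an added example, not part of the book or of Windows; it assumes the VpnStrategy numbering follows the VS_* constants in ras.h (1 = PPTP only, 2 = PPTP first, 3 = L2TP only, 4 = L2TP first) and uses a constructed two-entry phonebook as input.

```python
"""Flag rasphone.pbk VPN entries that would fall back to PPTP.

Assumption: VpnStrategy values map to the VS_* constants in ras.h.
"""
import configparser

# Assumed VpnStrategy meanings (ras.h VS_* constants).
VPN_STRATEGY = {
    0: "Automatic (default)",
    1: "PPTP only",
    2: "PPTP first, then L2TP/IPSec",  # what Type Of VPN = Automatic stores
    3: "L2TP/IPSec only",               # the required Contoso setting
    4: "L2TP/IPSec first, then PPTP",
}
# Any strategy other than "L2TP/IPSec only" can end up on PPTP.
ALLOWS_PPTP = {0, 1, 2, 4}

# Constructed sample phonebook: one entry left on Automatic, one correct.
SAMPLE_PBK = """\
[Contoso, LTD.]
Type=2
PhoneNumber=vpn.contoso.example.com
VpnStrategy=2

[Contoso, LTD. (L2TP)]
Type=2
PhoneNumber=vpn.contoso.example.com
VpnStrategy=3
"""


def parse_pbk(text):
    """Return {entry name: {'server': ..., 'strategy': int}} for VPN entries."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the phonebook
    cp.read_string(text)
    entries = {}
    for name in cp.sections():
        sec = cp[name]
        if sec.get("Type") != "2":  # Type=2 is a VPN entry (RASET_Vpn)
            continue
        entries[name] = {
            "server": sec.get("PhoneNumber", ""),
            "strategy": int(sec.get("VpnStrategy", "0")),
        }
    return entries


def pptp_fallback_entries(text):
    """Names of VPN entries whose strategy still allows a PPTP connection."""
    return sorted(n for n, e in parse_pbk(text).items() if e["strategy"] in ALLOWS_PPTP)
```

Running it against the sample reports only the entry created with Type Of VPN left on Automatic; the entry set to L2TP IPSec VPN (VpnStrategy=3) passes.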


Deploying Virtual Private Networks with Microsoft Windows Server 2003 (Technical Reference)
ISBN: 0735615764
Year: 2006
Pages: 128