System Requirements



The Supplemental CD-ROM consists of the eBook and a number of files and folders containing content intended to augment this book. To view the eBook, you need any system that is capable of running the Adobe Reader or Adobe Acrobat (http://www.adobe.com).

The basic requirements of processor speed, memory size, hard disk space, display color depth and resolution, and a pointing device are determined by the version of Microsoft Windows that you use to process the contents of the CD.

The CD-ROM drive should be 4X or faster. A faster drive is recommended if you intend to access the files from the CD rather than copy them to a hard disk. Copying the CD contents to a hard disk will require approximately 365 MB of hard disk space.

There are no audio or video files on the CD; therefore, there are no requirements for sound cards.



Part I: VPN Technology

In This Part:

Chapter 1: The Business Case for Virtual Private Networks
Chapter 2: VPN Overview
Chapter 3: VPN Security
Chapter 4: VPN Interoperability



Chapter 1: The Business Case for Virtual Private Networks

Overview

Congratulations on purchasing this book! You have just taken a major step in bringing the power of the Internet to your company’s arsenal of business tools. This book will show you how to design, implement, and use virtual private networks (VPNs) that are based on Microsoft Windows Server 2003 and Microsoft client operating systems. VPN can be a very complex topic—it is the convergence of several networking protocols and services, some of which you might already know and some of which you will be encountering for the first time. Don’t worry, though, because we’ll help you through that complexity, and in the end you’ll be able to use the power of the Internet to enable your business to reach new heights of communications, collaboration, and productivity. The beauty of VPN is that it is a network layer technology, which means that the applications your company runs do not need to know about it or support it. VPN will operate across the board for all applications, extending your company’s reach and user productivity with full security and functionality to the mobile-computing world.

For any technology this powerful and that adds this much functionality and value to your company, most IT administrators are willing to invest heavily in third-party VPN concentrators, special client applications, and special services from different vendors to enable secure remote access for their users. The really good news is that VPN services are built into the Windows Server 2003 family, and all Windows client operating systems have VPN client software built in as well. If you are running Windows servers and clients, you are capable of deploying VPN today with no extra software or hardware costs. In this book, we’ll show you how to implement a fully functioning remote access solution based solely on Windows features you already own in the server and client operating systems.

To cover VPN properly, we need to set the stage by telling you what brings VPN to the forefront of your networking needs. VPN is not a luxury anymore. In the current day business environment, it is a necessity. Without VPN, you are missing a major portion of your potential as a business—no matter what type of business you are in.



Overview of VPNs

In the following chapters, we’ll dive into all the technical details of VPN. You’ll get more technical VPN knowledge than you can imagine, but let’s start with a lay person’s view of virtual private networking and what it can do for you.

Because you are interested in this book—and therefore are interested in VPN and remote access solutions—it’s a safe bet that your company is running a network to access computer resources and services within the walls of your offices. Also, you more than likely have Internet access for your users to access resources and services out on the Internet. The two concepts sound similar, don’t they? Your users are accessing services on your network or out on the Internet, and that means the Internet is a network like the one in your office. More importantly, the Internet is a free network that spans the entire planet, interconnects everything and everyone, and can be considered an extension of your network. That means you can use it to communicate with all your users while they are out of the office or to interconnect various office sites. These Internet capabilities eliminate the need for modem pools, ISDN servers, and private leased WAN lines.

There is a problem, though. The network within your walls is a private network that only your authorized users can access and work with, while the Internet is available for everyone’s use. Without proper precautions, the Internet can be a dangerous place for a company to live—your assets, customer data, and control systems can all be exposed to unauthorized users if you use the Internet as a communications system. That is where the power of VPN comes in. VPN transforms the communications systems of the Internet into a virtual private network for your company’s use.

Until recently (about 10 years ago), the Internet was virtually untapped as a resource. Now it is arguably the most powerful communications medium on the planet. The world of computing has been completely transformed in recent years by the emergence of the Internet, which makes technologies that were once only dreamed about a complete reality. Let’s take a look at history so that we can understand why VPN and the Internet are two of the most awesome tools for your business.

The World as It Was

Four or five years ago, the computing world was a different place—the Internet was just starting to show its potential as a communications medium and drive innovation to new levels. Back then, the computing world had some constants you could count on if you were running a business:

  • All client PCs were the same. Every PC was pretty much like every other PC. Your PC was a box that sat on your desk and had the same parts and followed the same processes as others of its kind. Even though there were different systems—UNIX, Apple, Windows, and so forth—for the most part the hardware had the same configurations. There were very few surprises, and IT administrators didn’t have to worry about different types of hardware clients and operating system clients on their network.

  • Networks were wired. If you wanted your computer to talk to another computer, that communication would take place over a modem or hard-wired connection. There simply were no other options. Telecommuting was virtually unknown because of lack of connectivity options and bandwidth resources.

These facts allowed IT administrators to make some base assumptions on how to run their network and what to do to service their users. Remote access options for users were limited and considered to be a luxury that came at a high cost. The only kind of remote access available consisted of expensive in-house modem banks that required dedicated telephone lines and that incurred thousands of dollars a month in communications charges. Most companies considered the Internet to be a toy—it was not yet fully developed into the business tool it is today. Most companies did not even bother to provide Internet access for their users. The concept of “constant” communication from office to office was virtually unheard of, as e-mail—another emerging technology considered to be a luxury—required only occasional or once-a-day delivery.

Because of the overhead required to support remote access for a company, the concept of a “home office” and telecommuting were not a reality. Bandwidth constraints over modems made any kind of remote application work unworkable. The concept of remote access was extremely limited and was certainly not an option for most users. It was an option only for executives (who didn’t find it very useful) and for IT administrators, who needed to have emergency access to the network to service it.

The World as It Is Today

Now we jump forward in time to today’s computing environment. As is always the story with technology, all the assumptions we made about communications and clients in the past are now invalid.


Figure 1.1: The many types of client computers today.

  • We do not know what a computer looks like anymore. Figure 1.1 shows an entire suite of computer clients powered by Microsoft operating systems. They come in all shapes and sizes. There are hundreds of ways to access your data and services—you can have desktops, laptops, Tablet PCs, Pocket PCs, Smartphones, television-based clients, watches, or even computing devices specifically designed to handle particular business needs. For instance, some Pocket PCs can withstand arctic cold temperatures or other environmental extremes. It is very difficult to anticipate what type of computer users will use to access their data.

  • Multiple connectivity options exist today. Almost every laptop available can be purchased with optional wireless network communications. Ethernet adapters are a commodity that every laptop and desktop computer has built in by default. (Remember when not too long ago this was an expensive add-on option?) Users now have ready options to communicate over wired, wireless, cellular, or even personal satellite communications. IT administrators have to plan and provide for all of these options.

The world of the IT administrator has changed drastically in recent years—the types of client computers and the ways they communicate have increased immensely. Yet administrators still have to provide the same level of service and connectivity for all options and users.

VPN: The Logical Solution for Enhancing Corporate Communications and Operations over the Internet

The Internet has revolutionized the way people do business. It hasn’t simply changed the way businesses advertise or the way people find information; it has fundamentally changed the way businesses operate and communicate. E-mail, which not too long ago was considered a toy and a luxury, is now a primary communications medium for business. When was the last time you met a person, bought a product, or requested information and the company or person you were talking to did not ask for your e-mail address? Can you imagine trying to conduct business without an e-mail address?

A business’s e-mail address is as much a part of its identity as its phone number, and is likely used as much as or more than its telephone. I receive over 100 e-mail messages a day, compared to one or two phone calls in the same period of time. E-mail and the Internet give every business an instant global presence and opportunity, and they expose a company to the dangers of the Internet as well.

VPN provides the way to take advantage of all the power the Internet can give you and keep your company’s resources secure. However, danger is out there—thieves and hackers are looking for ways to grab and control your company’s resources! So, how do you make sure the data and operations you place on the Internet are safe, secure, and authenticated? Only by ensuring these things can you know who sent information, that information you are receiving or sending was not or will not be modified, and that information is safe from end-to-end while passing through the wilderness of the Internet.

VPN provides a low-cost, effective, and versatile solution for secure communications over the Internet. Specifically, it does the following:

  • Allows for a fully functional remote access work force. This alone is a compelling solution for any company with a sales force that is mobile, that needs to have access to company resources, and that needs to keep in touch with its customers. For a company providing on-site services to other companies, this capability allows for instant access to its remote work force.

  • Allows for transactions to occur without delay and thereby reduces the chance of losing an opportunity. It doesn’t take a top sales executive to know that having instant access to company inventory and purchasing systems while on a customer’s premises can vastly improve sales performance. For services companies, the ability to route emergency or last-minute information can lead to many recovered man-hours in the week, day, and year. For special vertical markets such as healthcare, the ability to communicate instantly with personnel can mean the difference between life and death.

  • Allows for a true international presence without the high cost of maintaining international operations. With the Internet, every company can be a global company. Your Internet presence gives you instant access to millions of businesses and potential customers around the world.

  • Worldwide connectivity allows for the best-of-breed large-scale corporate functionality. For corporations that have multiple remote offices, communications previously accounted for a huge part of the overhead in operations and budgets. Now offices can be connected over the Internet inexpensively and with ease. This drastically reduces expansion costs and makes global growth a reality for companies that previously had no such options available to them.

The World as It Will Be

The capabilities of the Internet and the options for computing clients seem boundless, but there are probably a few capabilities you haven’t thought of. Certainly you didn’t think Microsoft would just sit still, did you? A whole new world of functionality is coming.

Internet Protocol version 6 (IPv6) will change the way the world will communicate yet again. Internet and network communications are currently based on one main network layer communications protocol, IP version 4 (IPv4). In the computing world, nothing is constant except innovation, and the Internet is no exception. IPv6 is the next communications protocol that will be available on the Internet, making every computer, both server and client, uniquely identifiable on the Internet. The communications possibilities are staggering—as you’ll see in the next few sections—and Windows servers and clients fully support IPv6 today and will continue to do so in the versions to come. IPv6 is the undiscovered country of network computing.

Voice Communications

What makes a person’s telephone number so unique? The answer is simply that there is no other person in the world with that number. That telephone number is truly unique in the world. That is why when you dial a certain sequence of numbers on your phone, you know for a fact you will always reach the right person. Similarly, TCP/IP v6 makes a person’s computing device unique in the world and accessible anywhere, anytime—and this makes global voice communications over the computer and the Internet a powerful business tool. We are seeing the beginning of this trend now with applications such as MSN Instant Messenger. These new advancements are powerful because they use the Internet as the primary communications channel. VPN is the base security operations mechanism that ensures secure communications for all of it.

Video Communications

Just a few years ago, the concept of video conferencing was pure Star Trek–type stuff. Now everyone can do it with a PC, a small camera, and an Internet connection. The problem, however, is that people are not always able to use video communications because of the limitations of TCP/IP v4, client hardware, and Internet routing. Instant access to people you want to communicate with is much more widely available with new solutions such as TCP/IP v6. Eventually, this technology will make video calls almost as commonplace as voice calls. Consider that in the past year, cellular phones with built-in cameras have hit the marketplace—the future is closer than you think.

New Applications

Instant messaging is rapidly becoming a corporate standard for communications. Services such as location awareness, personalized Web services, and intelligent devices that adapt to their environment and connectivity are helping to make instant messaging a primary communication method. The potential is boundless, and Microsoft is working on many new ideas and technologies to make the science fiction of yesterday the reality of today and tomorrow. Again, VPN will be central to ensuring secure communications for all these technologies.

The Need for Security and Control

One constant fact throughout time, regardless of the advances in communications and computing, is that there will always be someone out there who is up to no good. The more communications technologies evolve, the more open and dangerous the Internet can become. Security is no longer an option; it is a base requirement for all business applications, and this is the reason that VPN is so important to your company’s growth.

VPN is One of the Centerpoints of a Business Model

VPN will enable your company to survive on the Internet and operate with the complete security it needs. It is not an option, but a mandatory solution for collaborating and competing with other businesses. A company without this communications capability will be the last to the table and will miss many opportunities. Agility is a key factor to a successful business, and agility requires state-of-the-art communications.

As technology progresses, we can see that the more powerful the technology, the more powerful is the security required to maintain it. VPN will always have a role to play in enabling secure remote access to all of a company’s employees, in connecting offices to each other with the touch of a button at minimal cost, and in connecting businesses of all sizes and providing increasing levels of functionality.

VPN is the answer to secure communications on the Internet, and this book will show you how it works!

VPN Technology

Now that we have made the case for using VPN in your company, it’s time to put the technology to work for you. Here is a synopsis of what you’re about to learn in this book:

  • We’ll cover the basic concepts of VPN for remote access and site-to-site solutions, including all dependent services and components you need to build a successful VPN infrastructure. There are a lot of choices to be made—from the type of tunneling protocols and authentication systems to be used to the entire physical setup of the VPN environment. We’ll cover it all and guide you through the entire process. By the time you’re done using this book, you’ll be a VPN professional on Microsoft Windows technologies!

  • Next, we’ll cover setting up remote access and site-to-site VPN individually, as each technology has its own concepts and considerations. We’ll give you a complete breakdown of each type of VPN service and a complete run-through of the decision points and options available to you for establishing the physical, logical, and software setups. We provide complete step-by-step instructions on how to set up each service, component, and connection. Follow our lead, and you can’t miss.

  • We will cover options that are available with Connection Manager and Phone Book Services that make the user’s experience the best it can possibly be. Your users will have a one-click experience for VPN, and the various offices will have site-to-site connectivity without a second thought. It will seem completely natural to the users to be communicating over the Internet with Microsoft VPN.

  • We will cover advanced features such as client state checking with quarantine and IP firewalling so that you can be sure none of your users are compromising your network when they are on the Internet and connected to the home office. You can enjoy peace of mind when using VPN because Microsoft provides a complete suite of client control options to protect your corporate assets.

  • We will also provide detailed troubleshooting processes and procedures to ensure the complete success of your rollout.

By the time you reach the end of this book, you will be able to use the Internet as the ultimate remote access and office connectivity technology. You’ll be able to do this with full security and control using native Microsoft technologies on Windows Server 2003 and Windows XP.