packet filtering
configuring for remote site-to-site connections 546
configuring for VPN 409–415
configuring on Internet interface for IAS 369
configuring on perimeter network for IAS 370
default exemptions to IPSec filtering 277–280
IPSec deployments 255–256
IPSec filters, filter actions, and filter lists 277–280
matching IP packet filters to demand-dial filters for VPN 486
predefined IPSec filter actions 276
predefined IPSec filter lists 276
servers behind firewalls for VPN 409
servers in front of firewalls for VPN 413
TCP/IP networks 32
PAP (Password Authentication Protocol) 357
password-based MS-CHAP v2 490
PBA (Phone Book Administrator)
creating phone books 436
described 432
installing 436
POPs (Points of Presence) 436
publishing phone books 436
regions 436
updating phone books 437
PBS (Phone Book Service) 432, 438
PEAP (Protected Extensible Authentication Protocol) 328, 335, 355
peer-to-peer communication, IPSec 257
perfect forward secrecy (PFS) 251
performance
DHCP servers 74–75
IAS See optimizing IAS
remote access servers 404
WINS 188–190
perimeter networks
deploying WINS 204
routers in remote site-to-site connections 526
securing IAS 360
securing TCP/IP networks 31–32
securing using ISA Server 233–235
permanent connections 481–482, 537
Permit IPSec filter action 276
persistent connections 481–482, 537
PFS (perfect forward secrecy) 251
Phone Book Administrator See PBA (Phone Book Administrator)
Phone Book Service (PBS) 432, 438
phone book support, Connection Manager
creating phone books 436
hosting phone books on PBS servers 438
installing PBA 436
outsourcing phone books 437
overview 434
POPs (Points of Presence) 436
publishing phone books 436
regions 436
updating phone books 437
planning Active Directory integration 510–512
planning CIDR (classless interdomain routing) 22–23
planning classless IP addressing 16–18
planning classless routing 18–20
planning IAS 346–347
planning IP addresses for remote site connectivity
accessing services on VPN routers using name resolution 509
assigning IP addresses for clients 507
assigning IP addresses for logical interfaces 508
avoiding name resolution issues 509
numbered connections 508
overview 507
unnumbered connections 509
planning IP configuration strategy
DHCP integration with DNS and WINS 27
DHCP, APIPA, and IP address allocation 27–28
overview 26
planning IP multicast-enabled routers 38–39
planning IP multicasting
configuring client computers 42
configuring IGMP 40
configuring IP multicast scopes 41
MADCAP 37–38
overview 35–37
routers 38–39
planning IP-based infrastructure
access tier 8
core tier 9
distribution tier 9
overview 7
planning IPv6 addressing
address types 49
addresses assigned to hosts and routers 54
anycast addresses 54
IPv4 vs. IPv6 55
multicast addresses 53
multicast solicited node addresses 54
overview 48–49
unicast 6to4 addresses 52
unicast global addresses 50
unicast ISATAP addresses 52
unicast link-local addresses 51
unicast loopback addresses 51
unicast site-local addresses 51
unicast unspecified address 51
planning MADCAP servers 37–38
planning name resolution for remote site connectivity
accessing services on VPN routers 509
assigning IP addresses for clients 507
assigning IP addresses for logical interfaces 508
avoiding name resolution issues using IP addresses 509
numbered connections 508
overview 507
unnumbered connections 509
planning TCP/IP network security
IPSec 30–31
overview 28
perimeter networks 31–32
planning VLSM (variable length subnet mask) 21–22
planning VPN security
account lockout 402–403
authentication protocols for L2TP/IPSec connections 394
authentication protocols for PPTP connections 392–393
certificates to support client authentication 396–397
components of Network Access Quarantine Control 399
connection attempts in quarantine mode 398
EAP-TLS authentication protocol 393
encryption scope and level 394–396
end-to-end encryption 395–396
guidelines for selecting authentication protocols 394
L2TP/IPSec 390
link encryption 395
MS-CHAP and MS-CHAPv2 393
mutual authentication 393
NAT requirements for VPN protocols 391–392
NAT-T (IPSec NAT Traversal) 392
Network Access Quarantine Control overview 397
overview 389
PPTP 390
quarantine-compatible access clients 400
quarantine-compatible access servers 401
quarantine-compatible RADIUS servers 401
selecting authentication protocols 392–394
selecting VPN protocols 389–392
planning wireless AP deployments 568–569
Points of Presence (POPs) 436
Point-to-Point Protocol (PPP) 329, 390
Point-to-Point Tunneling Protocol See PPTP (Point-to-Point Tunneling Protocol)
policies, IPSec See designing IPSec policies
policy types for remote access 500–501
POPs (Points of Presence) 436
PortProxy 64
ports for remote site-to-site connections 544
PPP (Point-to-Point Protocol) 329, 390
PPTP (Point-to-Point Tunneling Protocol)
authentication protocols for VPN connections 392–393
configuring filters for VPN servers behind firewalls 409
configuring filters for VPN servers in front of firewalls 414
connecting remote sites 478–480
described 390
IAS design planning 329
Internet interface of firewalls for VPN servers 410
NAT requirements for VPN protocols 392
perimeter network interface of firewalls for VPN servers 411
remote site connectivity overview 472
precedence, IPSec policies 297
Preparation for Running the CMAK Wizard worksheet 453–463
preshared keys
computer-level authentication for remote site connectivity 491
IPSec authentication 294
primary DNS server 119
primary DNS zones 148
primary IAS proxy 368
primary IAS server 365
private vs. public addresses 23–25
Protected Extensible Authentication Protocol (PEAP) 328, 335, 355
protocols, IPSec 283–284
Proxy Server 2.0 214, 241
proxy servers 32
public key certificate IPSec authentication 286
public space WLAN 572–575
public vs. private addresses 23–25