Index_P


P

packet filtering

configuring for remote site-to-site connections 546

configuring for VPN 409–415

configuring on Internet interface for IAS 369

configuring on perimeter network for IAS 370

default exemptions to IPSec filtering 277–280

IPSec deployments 255–256

IPSec filters, filter actions, and filter lists 277–280

matching IP packet filters to demand-dial filters for VPN 486

predefined IPSec filter actions 276

predefined IPSec filter lists 276

servers behind firewalls for VPN 409

servers in front of firewalls for VPN 413

TCP/IP networks 32

PAP (Password Authentication Protocol) 357

password-based MS-CHAP v2 490

PBA (Phone Book Administrator)

creating phone books 436

described 432

installing 436

POPs (Points of Presence) 436

publishing phone books 436

regions 436

updating phone books 437

PBS (Phone Book Service) 432, 438

PEAP (Protected Extensible Authentication Protocol) 328, 335, 355

peer-to-peer communication, IPSec 257

perfect forward secrecy (PFS) 251

performance

DHCP servers 74–75

IAS See optimizing IAS

remote access servers 404

WINS 188–190

perimeter networks

deploying WINS 204

routers in remote site-to-site connections 526

securing IAS 360

securing TCP/IP networks 31–32

securing using ISA Server 233–235

permanent connections 481–482, 537

Permit IPSec filter action 276

persistent connections 481–482, 537

PFS (perfect forward secrecy) 251

Phone Book Administrator See PBA (Phone Book Administrator)

Phone Book Service (PBS) 432, 438

phone book support, Connection Manager

creating phone books 436

hosting phone books on PBS servers 438

installing PBA 436

outsourcing phone books 437

overview 434

POPs (Points of Presence) 436

publishing phone books 436

regions 436

updating phone books 437

planning Active Directory integration 510–512

planning CIDR (classless interdomain routing) 22–23

planning classless IP addressing 16–18

planning classless routing 18–20

planning IAS 346–347

planning IP addresses for remote site connectivity

accessing services on VPN routers using name resolution 509

assigning IP addresses for clients 507

assigning IP addresses for logical interfaces 508

avoiding name resolution issues 509

numbered connections 508

overview 507

unnumbered connections 509

planning IP configuration strategy

DHCP integration with DNS and WINS 27

DHCP, APIPA, and IP address allocation 27–28

overview 26

planning IP multicast-enabled routers 38–39

planning IP multicasting

configuring client computers 42

configuring IGMP 40

configuring IP multicast scopes 41

MADCAP 37–38

overview 35–37

routers 38–39

planning IP-based infrastructure

access tier 8

core tier 9

distribution tier 9

overview 7

planning IPv6 addressing

address types 49

addresses assigned to hosts and routers 54

anycast addresses 54

IPv4 vs. IPv6 55

multicast addresses 53

multicast solicited node addresses 54

overview 48–49

unicast 6to4 addresses 52

unicast global addresses 50

unicast ISATAP addresses 52

unicast link-local addresses 51

unicast loopback addresses 51

unicast site-local addresses 51

unicast unspecified address 51

planning MADCAP servers 37–38

planning name resolution for remote site connectivity

accessing services on VPN routers 509

assigning IP addresses for clients 507

assigning IP addresses for logical interfaces 508

avoiding name resolution issues using IP addresses 509

numbered connections 508

overview 507

unnumbered connections 509

planning TCP/IP network security

IPSec 30–31

overview 28

perimeter networks 31–32

planning VLSM (variable length subnet mask) 21–22

planning VPN security

account lockout 402–403

authentication protocols for L2TP/IPSec connections 394

authentication protocols for PPTP connections 392–393

certificates to support client authentication 396–397

components of Network Access Quarantine Control 399

connection attempts in quarantine mode 398

EAP-TLS authentication protocol 393

encryption scope and level 394–396

end-to-end encryption 395–396

guidelines for selecting authentication protocols 394

L2TP/IPSec 390

link encryption 395

MS-CHAP and MS-CHAPv2 393

mutual authentication 393

NAT requirements for VPN protocols 391–392

NAT-T (IPSec NAT Traversal) 392

Network Access Quarantine Control overview 397

overview 389

PPTP 390

quarantine-compatible access clients 400

quarantine-compatible access servers 401

quarantine-compatible RADIUS servers 401

selecting authentication protocols 392–394

selecting VPN protocols 389–392

planning wireless AP deployments 568–569

Points of Presence (POPs) 436

Point-to-Point Protocol (PPP) 329, 390

Point-to-Point Tunneling Protocol See PPTP (Point-to-Point Tunneling Protocol)

policies, IPSec See designing IPSec policies

policy types for remote access 500–501

POPs (Points of Presence) 436

PortProxy 64

ports for remote site-to-site connections 544

PPP (Point-to-Point Protocol) 329, 390

PPTP (Point-to-Point Tunneling Protocol)

authentication protocols for VPN connections 392–393

configuring filters for VPN servers behind firewalls 409

configuring filters for VPN servers in front of firewalls 414

connecting remote sites 478–480

described 390

IAS design planning 329

Internet interface of firewalls for VPN servers 410

NAT requirements for VPN protocols 392

perimeter network interface of firewalls for VPN servers 411

remote site connectivity overview 472

precedence, IPSec policies 297

Preparation for Running the CMAK Wizard worksheet 453–463

preshared keys

computer-level authentication for remote site connectivity 491

IPSec authentication 294

primary DNS server 119

primary IAS proxy 368

primary IAS server 365

primary DNS zones 148

private vs. public addresses 23–25

Protected Extensible Authentication Protocol (PEAP) 328, 335, 355

protocols, IPSec 283–284

Proxy Server 2.0 214, 241

proxy servers 32

public key certificate IPSec authentication 286

public space WLAN 572–575

public vs. private addresses 23–25




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
ISBN: N/A
EAN: N/A
Year: 2004
Pages: 146
