Deploying VPN and Dial-up Services


Deploying VPN and Dial-up services is a fairly straightforward task that most any administrator can handle. There are several factors that should be taken into consideration when designing a remote access system:

  • Corporate security policies

  • Number of simultaneous users

  • Client support

  • WAN connectivity

  • Telco resources

  • National versus worldwide access

  • Quality of Service requirements

  • User-to-port ratios

  • Accounting requirements

  • Logging requirements

Leveraging the Microsoft Connection Manager

The Microsoft Connection Manager (CM) is a client dialer for connecting to network resources on a public network or to private networks over the Internet. CM sits on top of Dial-Up Networking (DUN) and simplifies the network access experience for end users. This dialer client can be preconfigured for the users by the Administrator by using the Connection Manager Administration Kit (CMAK).

The Connection Manager Administration Kit is a step-by-step wizard that creates custom service profiles and enables you to append applications. The Service Profile is a collection of connection information tailored to specific employees. This connection information is combined with applications and Connect Actions to create an Installation Package.

When installed, the Service Profile merges with the resident Connection Manager dialer to enable employees to easily connect to a public or private network. Through the use of the CMAK, you can standardize and simplify the configuration of remote connectivity and improve the end users' connection experiences.

The CMAK can preconfigure any of a variety of items for each Service Profile within an Installation Package.

Desktop and Tray Icons

CMAK supports the customization of both a desktop icon and a taskbar tray icon. The tray icon can be configured as an interface to additional applications distributed by the company.

Animated Dialer Logon Screen

Support for animation in the dialer interface and keys for integration with the connection status enable you to communicate to the client with connection status or network status information.

Phone Book

The Connection Manager Phone Book stores POP and RAS (dedicated line) access numbers with an easily navigable user interface. Employees can always have a local phone number for network access at their fingertips. Each phone number can also be configured as a PPTP connection, making encrypted connections transparent to the client.

Interface Support for Multiple Service Types

Specification of multiple service types enables you to support different levels of services for different user types. This is especially useful in ensuring that VIP users receive priority connectivity.

Connect Actions

Connect Actions are client events that are preconfigured by the administrator. These events are keyed upon the onset or termination of a network session and are used like login or logoff scripts.

Automated Phone Book Updates

Automated updating of the client's resident POP/RAS phone book is a Connect Action. The update downloads new POP/RAS information (incrementally) upon termination of the logon session as needed. In this way, you can rest assured that each client will always have the latest version of the phone book and access to the latest local POPs.

Auto-applications

Auto-applications are Connect Actions configured to automatically launch or close resident applications upon the start or termination of a connection. This enables you to facilitate the use of your services by launching a browser or other resident application (e-mail client) and closing that application upon termination of the connection.

License Agreement

In an increasingly litigious society, it's necessary for you to insulate yourself from the legal and financial risks you might incur in the provision of virtual private networking services. Corporations need to inform employees of the responsibilities, duties, and obligations of the corporation regarding confidentiality of information. For this reason, and because you might want to append your own proprietary application to custom service profiles, the CMAK supports the appending and distribution of custom contracts to the client. In this manner, you can defer legal exposure to an informed client and protect your software investments.

Connection Status

The CM interface can be configured to keep the client apprised of the connection status with specific terminology. This feature can be coupled with the animation support to keep each client informed of the connection status at all times.

Support Phone Number

Quality of service and support is critical to employee productivity and subscriber satisfaction. The CMAK configures the CM interface with a support phone number at the logon screen.

Custom Help File

The CMAK allows for the inclusion of a custom help file in the service profile. This custom help file can help reduce support costs through the inclusion of targeted frequently asked questions. In addition, this help file can let corporate customers make business policy regarding remote network use explicit to their employees. Custom help files reduce support costs by making clients more self-sufficient and can reduce the risk of inappropriate online behavior.

Language Support

The CMAK also provides for the simple, efficient editing of service profiles. Service profiles can be easily created in multiple languages including English, French, German, Spanish, and Japanese.

Automatic Password

You can use the CMAK to specify whether end-user passwords can be saved for Internet access or access to the corporate network. This facility can be enabled or disabled depending on your security policy. Forgetting passwords is a large support issue that can be addressed and reduced directly through this facility.

Realm Name Prefix and Suffix

Many service providers require the appending of some very specific syntax to log on to their servers. Non-intuitive logon syntax results in end-user frustration and support calls. The CMAK tool enables you to preconfigure the realm name (@companyabc.com) as well as the prefix or suffix extensions, facilitating the provision of basic Internet access and VPN services.

Assign Encrypted Connections

Key to the provisioning of Virtual Private Networks is network security. One popular means of providing security is through encryption of the transmitted data. The CMAK enables you to associate with each POP phone number a PPTP configuration status.

Append an Application

The CMAK enables network administrators to append applications to the custom Service Profile information during the creation of an Installation Package. This enables you to ensure that the clients at the receiving end have all the software and information they need to immediately engage in VPN activity.

Edit Existing Service Profiles

To simplify the creation of service profiles for different departments within an organization or subscriber base, the CMAK lets you edit pre-existing service profiles, so you don't need to re-enter all the data when making minor service profile changes.

The Connection Manager Administration Kit is installed as a Windows component in the Management and Monitoring Tools area.

Leveraging Softmodems

As companies scale the number of supported users, they often replace banks of modems with dedicated hardware such as routers with multiple asynchronous interface cards. This enables you to bring in T-1 lines and create 23 dial-up connections per line rather than bringing in hundreds of analog lines. This concept scales well, but eventually even it becomes unrealistic. For companies that must support huge numbers of dial-up connections, there are Softmodems.

A Softmodem is a device that enables you to connect a large circuit connection, like a T-3 or an OC-3, and create a very large number of dial-up connections. Rather than have dedicated circuitry for each modem device, a Softmodem leverages a central processor to effectively create multiple virtual modems. This technology is scalable well into the ISP class of service.

Consolidating Lines with Larger Circuits

As companies grow past a few modems and a few analog lines connected to a RAS device, it makes sense to compare prices and costs against aggregating those connections into a larger circuit.

Racks of modems take up valuable space in a corporate data center. Racks of modems can be replaced by routers with asynchronous cards and Telco circuits to save space and improve performance. Consolidated devices are often more reliable than common off-the-shelf modems.

Let's say, for example, that analog phone lines cost a company $40/month. Let's say a T-1 line in the same location costs $600/month. A T-1 line provides the equivalent of 23 analog phone lines. After the company breaks 15 analog lines, the T-1 line is less expensive. Lines 16 through 23 effectively become savings that would apply against any additional costs of the consolidation device versus the costs of the old style modems. In some cases, the consolidation device will be less expensive than the RAS device and the modems would have been.

These consolidation devices usually support RADIUS for authentication and auditing as well as SNMP for management and monitoring. Between the savings in monthly costs and the reduction in space used in the data center, these solutions can be very viable for companies with even modest RAS needs.

Leveraging RADIUS

RADIUS, or Remote Authentication Dial-in User Service, is the de facto standard for authenticating and tracking remote access users. RADIUS is used for dial-up, VPN, and even wireless connections. Microsoft's IAS is its implementation of RADIUS.

A RADIUS remote access environment has three primary components: Users, Remote Access Servers, and the RADIUS server. Each user connection is a client of a Remote Access Server, which, in turn, is a client of the RADIUS server.

The user is the person who is trying to gain remote access to the corporate network from home or from the road. Usually, the user has a PPP or perhaps SLIP dialer that enables him to dial into a Remote Access Server at the corporate office and become a remote node on the network, with IP or IPX access to network resources.

The Remote Access Server (or RAS) is a device that does the following:

  • Accepts remote connections such as SLIP or PPP dial-in calls, authenticates each user via the RADIUS or some other authentication server, and then routes or bridges that user onto the network.

  • Accepts direct connections to the network through a firewall, authenticates the user via the RADIUS or other authentication server, and then grants network access to specific resources.

  • Accepts VPN connections, authenticates the user via the RADIUS or some other authentication server, and routes that user onto the network.

  • Forwards requests from another RAS device using proxy RADIUS. This is similar to call-forwarding, where an external RAS service can direct all authentication and accounting transactions to a company's RADIUS server.

Because most RAS devices can handle multiple connections at once, a corporate network might include a single RAS or multiple RASes working in tandem to handle the traffic.

The RADIUS server is the device that accepts authentication requests from one or more Remote Access Servers, performs the authentication, and responds with the result. This result is either an accept or a reject. The RADIUS server also provides Accounting services that not only allow a network to handle "charge back" to departments that use the remote access system, but also provides for logging and auditing functions.

A typical installation of RADIUS will include a single RADIUS server to handle all the Remote Access Servers. An additional RADIUS server could be added to increase redundancy. It is always preferable to not have a single point of failure in an enterprise RAS system. Some companies will have Remote Access Servers at multiple sites and could elect to have a separate RADIUS server at each site. If the various sites are sufficiently linked over a WAN of reasonable speed or over the Internet, a single RADIUS server can be used to handle multiple Remote Access Servers at multiple sites. This allows a single pair of RADIUS servers to be leveraged enterprisewide.

It is useful to understand the steps involved in a typical transaction in which a user is successfully authenticated via RADIUS:

  1. A user dials in to a Remote Access Server and PPP negotiation begins.

  2. The RAS device passes authentication information, specifically the username and password, to the RADIUS server.

  3. If the RADIUS server is able to authenticate the user, it will issue an accept response to the RAS device. The RAS device will also send the profile information required by the RAS to set up the connection. This usually includes IP address, maximum connect time, hours for valid access, and the like.

  4. If the RADIUS server is unable to authenticate the user, it issues a reject response to the RAS device, along with a message indicating the reason for denial of access.

  5. With this information, the RAS device completes PPP negotiation with the user. If the RAS received an accept response, it can now enable the user to begin accessing the network. If the RAS device received a reject response, it terminates the user's connection. Optionally, the RAS device will display the reason for terminating the connection at the user's terminal.

In an authentication transaction, there is password information that is transmitted between the RADIUS server and the RAS device. The password information is encrypted with a shared secret key that is entered at both the RAS device and the RADIUS server.

This password information originates from the user, usually as part of PPP negotiations. In a sense, the RAS device is just an intermediary device. It is easier to think of the authentication process as being a transaction between the user and the RADIUS server.

There are a few types of authentication transactions used between a remote access user and RAS that are supported by the Windows Server 2003 implementation of RADIUS:

  • PAP (Password Authentication Protocol)

  • CHAP (Challenge Handshake Authentication Protocol)

  • EAP (Extensible Authentication Protocol)

Password Authentication Protocol is a fairly simple protocol. The user sends her password to the RADIUS server, and the RADIUS server validates it. This validation is performed either against RADIUS' own database or against Active Directory. One of the drawbacks to PAP is that the password is initially sent unencrypted. RAS encrypts the password before forwarding it to the RADIUS server and the RADIUS server decrypts it using a shared secret key. Ultimately, the RADIUS server has the password in clear text form and is able to make use of it directly for authentication.
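The following Python model of the PAP transaction just described is an added example, not code from the book or from Microsoft's IAS: the RAS hides the User-Password with the shared secret and the Request Authenticator (RFC 2865), the RADIUS server recovers the clear-text password and answers Access-Accept or Access-Reject, and the RAS checks the Response Authenticator before trusting the answer. The shared secret, user name, password and function names are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

SHARED_SECRET = b"example-shared-secret"  # constructed; configured on both the RAS and the RADIUS server
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _xor_blocks(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator  # the Request Authenticator seeds the chain
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hiding else chunk  # the chain always runs over the ciphertext
    return out

def hide_password(password, secret, authenticator):
    return _xor_blocks(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)
def reveal_password(hidden, secret, authenticator):
    return _xor_blocks(hidden, secret, authenticator, False).rstrip(b"\x00")

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, user, password, secret):
    """RAS side: Code 1, Identifier, Length, 16 random authenticator bytes, then attributes."""
    authenticator = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(data):
    attrs = {}
    while data:
        kind, length = data[0], data[1]
        if length < 2: raise ValueError("malformed RADIUS attribute")
        attrs[kind] = data[2:length]
        data = data[length:]
    return attrs

def radius_server(packet, secret, user_db):
    """RADIUS side: recover the clear-text password, check it, reply with Code 2 or 3.
    Response Authenticator = MD5(header + request authenticator + reply attributes + secret)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs = packet[4:20], parse_attrs(packet[20:length])
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, authenticator)
    reply_code = ACCESS_ACCEPT if user_db.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)  # no reply attributes in this demo
    return header + hashlib.md5(header + authenticator + secret).digest()

def ras_accepts(reply, request, secret):
    """RAS side: verify the Response Authenticator so a reply forged without the secret is ignored."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected) and reply[0] == ACCESS_ACCEPT
```

Note that `reveal_password` hands the server the password in clear text, exactly the property the paragraph above describes, and that a mismatched secret on either side simply produces a reject rather than an error.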

Challenge Handshake Authentication Protocol is much more secure in that it never sends passwords in clear text over any communication link. With CHAP, the RAS device generates a random number (the challenge) and sends it to the user. The user's PPP client creates a digest, which is a one-way encryption, of the password concatenated with the challenge. This digest is sent to the RAS device. Because the digest is a one-way encryption, the RADIUS server cannot recover the password from the digest. It doesn't need to recover the password. Instead it can perform the identical digest operation using its own copy of the user's password stored in its database. If the two digests match, the user is authenticated successfully.
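As an added example (not code from the book), the CHAP exchange just described in Python: the RAS issues a random challenge, the PPP client returns the one-way digest of identifier, password and challenge (RFC 1994), and the RADIUS side recomputes the digest from its stored copy of the password instead of recovering it. A final helper shows what a captured response is worth against a fresh challenge. The user name, password, and function names are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo credential store. Because verification recomputes a digest over the
# password, the server must hold the password itself (plaintext or reversibly encrypted);
# a one-way password hash, which would suffice for PAP, cannot verify a CHAP response.
USER_DB = {b"alice": b"s3cret"}

def chap_challenge():
    """RAS side: a fresh, unpredictable challenge for every login attempt."""
    return os.urandom(16)

def chap_response(ident, password, challenge):
    """PPP client side (RFC 1994): MD5(Identifier || password || challenge).
    Only this 16-byte digest and the challenge travel over the link, never the password."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(user, ident, challenge, response, user_db=USER_DB):
    """RADIUS side: recompute the digest from the stored password and compare it in
    constant time. The password cannot be recovered from the response."""
    stored = user_db.get(user)
    if stored is None or len(response) != 16:
        return False
    expected = hashlib.md5(bytes([ident]) + stored + challenge).digest()
    return hmac.compare_digest(expected, response)

def radius_chap_password_attr(ident, response):
    """How the RAS forwards the result to RADIUS (RFC 2865): the CHAP-Password attribute
    (type 3) carries the CHAP Ident followed by the response; the challenge travels in
    CHAP-Challenge (type 60) or in the Request Authenticator."""
    return bytes([3, 3 + len(response), ident]) + response

def replay_of_captured_response_succeeds(user, password):
    """Defender's check: a response recorded for one challenge is presented against a
    fresh challenge from the RAS. The genuine login is confirmed first."""
    ident, challenge = 1, chap_challenge()
    captured = chap_response(ident, password, challenge)
    assert chap_verify(user, ident, challenge, captured)
    return chap_verify(user, ident, chap_challenge(), captured)
```

Because the challenge changes on every login, `replay_of_captured_response_succeeds` returns False; this is the property that makes CHAP safer than PAP over an untrusted link, while the stored-password requirement is its cost.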

Extensible Authentication Protocol is an extension to the Point-to-Point Protocol (PPP). EAP supports arbitrary authentication methods using credential and information exchanges of arbitrary lengths. EAP was developed as a result of an increasing demand for authentication methods that leveraged third-party security devices and provided an industry-standard architecture to support additional authentication methods within PPP.

Managing Remote Users with GPOs

One of the most compelling benefits of Active Directory was the ability to manage users and their computers via Group Policy Objects. System settings, services, applications, and many other items could be controlled on a per-user or per-computer basis. One of the classic issues faced by administrators was how to manage remote users so that they were not impacted by their relatively slow connection speed. Publishing full applications to remote users would be a very slow and intrusive process. Moving users and computers in and out of OUs to reflect whether they are local or remote would be nearly impossible to manage. The easy solution to this issue is to take advantage of the fact that RRAS can hand out its own block of IP addresses. You can pretty safely assume that if a client machine has an IP address that was handed out by the RRAS system, that client is either dialed in or connecting via VPN. By creating a site within Active Directory that contains the subnets owned by the RRAS server, specific GPOs can be applied to that site that take into account the reduced bandwidth.



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325