In selecting a VPN technology, it is important to consider administrative issues. Large networks need to store per-user directory information in a centralized data store, or directory service, so that administrators and applications can add to, modify, or query this information. Each access or tunnel server could maintain its own internal database of per-user properties, such as names, passwords, and dial-in permission attributes. However, because it is administratively prohibitive to maintain multiple user accounts on multiple servers and keep them simultaneously current, most administrators set up an account database on the directory server or primary domain controller, or on a RADIUS server. By using Active Directory as your account database, Windows Server 2003 VPNs become part of a single sign-on solution: the same set of credentials is used both for VPN connections and to log on to the organization's domain. Although Active Directory is the preferred method for authentication and authorization because of the advanced policy and quarantine features that become available with it, Microsoft VPN solutions are not required to use Active Directory. Windows VPN servers can also use standards-based RADIUS to perform authentication. The methods in this book focus on Active Directory as the directory service solution, because we will be showing and enabling all the advanced VPN features that come with its use.
To provide authorization for VPN connections and to provide a method of enforcing connection restraints, Windows Server 2003 VPN connections use a combination of the dial-in properties of user accounts in a local or domain account database and remote access policies.
Remote access policies are an ordered set of rules that define how connections are either accepted or rejected. For connections that are accepted, remote access policies can also define connection restrictions. Each rule consists of one or more conditions, a set of profile settings, and a remote access permission setting. Connection attempts are evaluated against the remote access policies in order, and the first policy whose conditions are all matched by the attempt is the one applied; later policies are not consulted. If the connection attempt does not match all the conditions of any policy, it is rejected.
If a connection matches all the conditions of a remote access policy and is granted remote access permission, the remote access policy profile specifies a set of connection restrictions. The dial-in properties of the user account also provide a set of restrictions. Where applicable, user account connection restrictions override the remote access policy profile connection restrictions. Remote access policy profile restrictions include connection settings (such as maximum connection time or an idle timeout), IP packet filtering, required authentication protocols, and required encryption strengths.
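The following Python model is an added example, not code from the book or from Windows Server 2003. It carries the evaluation just described through several attempts: policies are checked in order, a policy applies only when all of its conditions match, the account's dial-in permission overrides the policy's permission unless the account defers to policy, profile settings such as the permitted authentication methods are enforced, and account restrictions override profile restrictions where both exist. The policies, accounts, attribute names and attempts are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed model of the evaluation order described in the text. Field
# names and sample policies are assumptions, not Windows' own data model.


@dataclass
class Attempt:
    user: str
    groups: set
    tunnel_type: str      # "PPTP" or "L2TP"
    auth_method: str      # e.g. "MS-CHAPv2", "EAP-TLS", "PAP"
    hour: int             # hour of day of the attempt, 0-23


@dataclass
class Policy:
    name: str
    conditions: List[Callable[[Attempt], bool]]   # ALL must match for the policy to apply
    grant: bool                                    # the policy's remote access permission setting
    profile: dict                                  # profile restrictions applied when accepted


@dataclass
class DialIn:
    # "allow", "deny", or "policy" (control access through remote access policy)
    permission: str = "policy"
    # per-account restrictions; these override profile restrictions
    restrictions: dict = field(default_factory=dict)


def evaluate(attempt: Attempt, policies: List[Policy],
             accounts: Dict[str, DialIn]) -> Tuple[bool, str, dict]:
    """Return (accepted, reason, effective_restrictions) for one attempt."""
    account = accounts.get(attempt.user)
    if account is None:
        return False, "unknown user", {}
    for policy in policies:                        # ordered; first full match decides
        if not all(cond(attempt) for cond in policy.conditions):
            continue
        # The account's dial-in setting wins unless it defers to the policy.
        if account.permission == "allow":
            granted = True
        elif account.permission == "deny":
            granted = False
        else:
            granted = policy.grant
        if not granted:
            return False, f"{policy.name}: remote access permission denied", {}
        # Profile settings the attempt must satisfy before the connection proceeds.
        allowed = policy.profile.get("auth_methods")
        if allowed is not None and attempt.auth_method not in allowed:
            return False, f"{policy.name}: authentication method {attempt.auth_method} not permitted", {}
        # Account restrictions override profile restrictions for the same key.
        effective = {**policy.profile, **account.restrictions}
        return True, policy.name, effective
    return False, "no policy matched all conditions", {}


def sample_policies() -> List[Policy]:
    return [
        Policy(
            name="VPN users - business hours",
            conditions=[lambda a: "VPN Users" in a.groups,
                        lambda a: a.tunnel_type in ("PPTP", "L2TP"),
                        lambda a: 6 <= a.hour < 22],
            grant=True,
            profile={"max_session_min": 480, "idle_timeout_min": 20,
                     "auth_methods": {"MS-CHAPv2", "EAP-TLS"},
                     "encryption": "strongest", "ip_assignment": "pool"},
        ),
        # Catch-all policy: matches every attempt and denies it.
        Policy(name="Deny everything else", conditions=[lambda a: True],
               grant=False, profile={}),
    ]


def sample_accounts() -> Dict[str, DialIn]:
    return {
        "alice": DialIn("policy", {"ip_assignment": "static 10.1.1.50"}),
        "bob": DialIn("deny"),
        "carol": DialIn("policy"),
        "dave": DialIn("policy"),
    }


if __name__ == "__main__":
    policies, accounts = sample_policies(), sample_accounts()
    for attempt in [Attempt("alice", {"VPN Users"}, "L2TP", "MS-CHAPv2", 10),
                    Attempt("bob", {"VPN Users"}, "L2TP", "MS-CHAPv2", 10),
                    Attempt("carol", {"Contractors"}, "PPTP", "MS-CHAPv2", 10),
                    Attempt("dave", {"VPN Users"}, "PPTP", "PAP", 10)]:
        print(attempt.user, evaluate(attempt, policies, accounts))
```

Removing the catch-all policy from the list shows the other rejection path: an attempt that matches no policy at all is rejected with "no policy matched all conditions", which is why the catch-all is worth keeping as the last rule, so that the reason for a denial is explicit in the logs.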
Redundancy and load balancing are accomplished using either Domain Name System (DNS) or Network Load Balancing (NLB):
Round-robin DNS splits requests among a number of VPN servers that share a common security perimeter. A security perimeter has one external DNS name (for example, microsoft.com) but several IP addresses, and the DNS server rotates the order of those addresses in successive replies, so connection attempts are spread across all of them. Round-robin DNS does no health checking: the address of a failed VPN server keeps being handed out until it is removed from DNS, and clients that cache the record keep using it until the record's TTL expires.
With NLB, a cluster of VPN server computers can provide high availability and load balancing for both PPTP and L2TP/IPSec connections. NLB is included in all editions of Windows Server 2003. Because a tunnel's packets must keep reaching the same cluster host, configure the NLB port rule with single client affinity so that all traffic from a given client IP address is handled by one host.
The RADIUS protocol is a popular method for managing remote user authentication and authorization. RADIUS is a lightweight, UDP-based protocol. RADIUS servers can be located anywhere on the Internet and provide authentication (including PPP PAP, CHAP, MS-CHAP, MS-CHAPv2, and EAP) and authorization for access servers such as network access servers (NASs) and VPN servers. RADIUS relies on a shared secret between each access server and the RADIUS server: only the User-Password attribute is hidden with it, the other attributes travel in the clear, and the client has nothing but that secret to tell a genuine reply from a forged one. RADIUS traffic that crosses an untrusted network should therefore be protected, for example with IPSec, and each access server should be given its own strong secret.
In addition, RADIUS servers can provide a proxy service to forward authentication requests to distant RADIUS servers. For example, many ISPs have agreements to allow roaming subscribers to use local services from the nearest ISP for dial-up access to the Internet. These roaming alliances take advantage of the RADIUS proxy service. If an ISP recognizes a user name as being a subscriber to a remote network, the ISP uses a RADIUS proxy to forward the access request to the appropriate network.
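As an added example covering the two paragraphs above (not IAS's code and not from the book), the following Python implements the core RADIUS Access-Request exchange from RFC 2865 for a PAP-style User-Password, with both sides' messages: the access server hides the password under the shared secret and a fresh Request Authenticator, the RADIUS server recovers it, checks it and signs its Access-Accept or Access-Reject with a Response Authenticator, and the client refuses any reply whose authenticator does not verify. A small routing helper models the proxy decision, which selects a remote server from the realm in the user name. Secrets, the user database, the NAS address and the realm table are constructed for illustration; MS-CHAPv2 and EAP use different attributes and are not shown.

```python
import hashlib
import hmac
import os
import struct

# Added example modeled on RFC 2865. Constants below are the standard codes and
# attribute types; secrets, hosts and users in the usage are constructed.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, c[i] = p[i] XOR MD5(secret + c[i-1]),
    with the Request Authenticator in place of c[-1]."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Each attribute is Type(1) Length(1, includes these two bytes) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs_bytes: bytes) -> bytes:
    # Code(1) Identifier(1) Length(2) Authenticator(16) Attributes.
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def parse_packet(data: bytes):
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    return code, ident, data[4:20], decode_attrs(data[20:length])


def build_access_request(ident: int, user: str, password: str, nas_ip: str, secret: bytes) -> bytes:
    req_auth = os.urandom(16)   # fresh, unpredictable Request Authenticator per request
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, encode_attrs(attrs))


def response_authenticator(code, ident, req_auth, attrs_bytes, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()


def server_handle(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """RADIUS server side: recover the password, check it, sign the reply."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    user = fields.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(fields.get(USER_PASSWORD, b""), secret, req_auth)
    expected = user_db.get(user)
    ok = expected is not None and hmac.compare_digest(expected, password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret), b"")


def client_verify(response: bytes, request: bytes, secret: bytes):
    """Access server side: trust the reply only if its identifier matches and the
    Response Authenticator verifies under our secret. Returns (verified, code)."""
    _, req_ident, req_auth, _ = parse_packet(request)
    code, ident, resp_auth, _ = parse_packet(response)
    attrs_bytes = response[20:struct.unpack("!H", response[2:4])[0]]
    expected = response_authenticator(code, ident, req_auth, attrs_bytes, secret)
    return ident == req_ident and hmac.compare_digest(expected, resp_auth), code


def route_realm(user_name: str, local_realm: str, proxy_targets: dict):
    """Proxy decision: the realm after '@' selects local handling or a remote server;
    None means an unknown realm, which the proxy should reject."""
    realm = user_name.rsplit("@", 1)[1].lower() if "@" in user_name else local_realm
    return "local" if realm == local_realm else proxy_targets.get(realm)


def exchange(user, password, client_secret, server_secret, user_db):
    """One full round trip; returns the client's (verified, code) view of it."""
    req = build_access_request(7, user, password, "10.0.0.5", client_secret)
    return client_verify(server_handle(req, server_secret, user_db), req, client_secret)
```

Running the exchange with mismatched secrets on the two sides shows the practical point: the server recovers garbage instead of the password and rejects, and the client also refuses the reply because the Response Authenticator no longer verifies. Note that nothing in an Access-Request itself lets the server authenticate the client; that requires the Message-Authenticator attribute (RFC 2869), which is outside this example.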
Windows Server 2003 includes a RADIUS server and proxy, Internet Authentication Service (IAS), as an optional Windows networking component. To install it, open Control Panel > Add Or Remove Programs > Add/Remove Windows Components, select Networking Services, click Details, and then select Internet Authentication Service.
To deploy the configuration of a large number of VPN remote access clients for enterprise or outsourced dial scenarios, use Connection Manager (CM). CM will be covered in full detail in Chapter 7, “Using Connection Manager for Quarantine Control and Certificate Provisioning”. CM is a set of components included with Windows Server 2003 that consists of the following:
Connection Manager (CM) client dialer
Connection Manager Administration Kit (CMAK)
Connection Point Services (CPS)
The CM client dialer is software that can be installed on each VPN client. It includes advanced features that make it a superset of basic remote access networking. At the same time, CM presents a simplified dialing experience to the user. It limits the number of configuration options that a user can change, ensuring that the user can always connect successfully. For example, with the CM client dialer, a user can:
Select from a list of phone numbers to use, based on physical location (for an outsourced VPN solution)
Use customized graphics, icons, messages, and help
Automatically create a dial-up connection before the VPN connection is made
Run custom actions during various parts of the connection process, such as pre-connect and post-connect actions (executed before or after the dial-up or VPN connection is completed)
A customized CM client dialer package, also known as a profile, is a self-extracting executable file that is created by a network administrator with the CMAK. The CM profile is distributed to VPN users via CD-ROM, e-mail, Web site, or file share. When the user runs the CM profile, it automatically configures the appropriate dial-up and VPN connections. The CM profile does not require a specific version of Windows. It will configure connections for computers running Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, Windows Me, and Windows 98.
The CMAK is an optional management tool installed from:
Add Or Remove Programs (in Control Panel) on a computer running Windows Server 2003. You must specify Connection Manager Administration Kit in the Management And Monitoring Tools category of Windows components.
Windows Server 2003 Administration Tools on a computer running Windows XP. You must run the Adminpak.msi file from the \I386 folder on a Windows Server 2003 CD-ROM. After it is installed, you can run CMAK from Administrative Tools.
CMAK is a wizard that guides you through a variety of options when configuring a CM profile and creates the profile to distribute to your VPN users.
CPS allows you to create, distribute, and update custom phone books. Phone books contain one or more Point of Presence (POP) entries. Each POP has a telephone number used to access a dial-up network or the Internet. Phone books give users complete POP information, so when they travel they can connect to different organization or Internet access points based on location, rather than having to use a toll-free or long-distance number.
Without the ability to update phone books, users would not only have to contact their organization’s technical support staff to obtain changes in POP information, they would also have to reconfigure their client dialer software.
CPS is a combination of:
Phone Book Administrator. A tool used to both create and maintain phone book files and publish new or updated phone book files on the phone book server.
Phone Book Server. A computer running Windows Server 2003 and Internet Information Services (IIS) (including the FTP Publishing Service) and an Internet Server Application Programming Interface (ISAPI) extension that processes phone book update requests from CM clients.
The Phone Book Administrator is a tool that is installed by running Pbainst.exe from the Valueadd\Msft\Mgmt\Pba folder on the Windows Server 2003 product CD-ROM. Once it is installed, you can run Phone Book Administrator from Start>All Programs>Administrative Tools. You are not required to run the Phone Book Administrator on the phone book server.
You can use the Phone Book Administrator to create phone book entries and regions and publish them in the SystemRoot\Program Files\PBA\PhoneBookFileName folder of the phone book server.
After the phone book is configured and published, the CM profile is created with CMAK and configured with:
Automatically downloaded phone book updates
The phone book file
The name of the phone book server