The VPN client can be any computer or device that is capable of creating a Point-to-Point Tunneling Protocol (PPTP) connection using Microsoft Point-to-Point Encryption (MPPE) or creating a Layer Two Tunneling Protocol (L2TP) connection using Internet Protocol Security (IPSec) encryption, identified as L2TP/IPSec. A Microsoft mantra is to enable software communications “anywhere, anytime, on ANY device.” This means all clients, large and small, should have some remote access capabilities. The device list is immense, starting with support by the high-end client operating system Windows XP and going down to the smallest and most compact versions of the Windows family—versions such as Windows XP Embedded and Windows Mobile 2003, which is used on the Pocket PC class of computers. Table 5-1 lists the VPN-capable Microsoft operating systems.
Table 5-1 VPN-capable Microsoft operating systems

VPN Tunneling Protocol   Microsoft Operating System
PPTP                     Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, Windows Millennium Edition (Me), Windows 98, Windows CE version 3.0, Pocket PC 2002 and Windows XP Embedded.
L2TP/IPSec               Windows Server 2003, Windows XP, Windows 2000, Pocket PC 2003, and Windows Mobile 2003. Microsoft L2TP/IPSec VPN Client, Windows NT 4.0 Workstation, Windows Me, and Windows 98 are also supported. Windows CE 2003 (soon to be released) will also be supported.
VPN clients come in all shapes, forms, and sizes. Some typical VPN clients widely used today are:
Laptop and Pocket PC users who connect to an organization’s intranet to access e-mail and other resources while traveling
Telecommuters who use the Internet to access an organization’s resources from home
Remote administrators who use the Internet to connect to an organization’s network and configure network or application services
Many other users who take advantage of the practical industrial capabilities of remote access solutions, such as wireless access solutions, remote control systems, communications networks, and so forth
For the purposes of this book and to focus on the largest sector of VPN clients, we will discuss only Microsoft client operating systems of Windows XP (and the down-level members of the Windows family) that are commonly used for remote access to corporate data and resources. By focusing on this breed of VPN client, you can easily use the information in this book to enable all the types of clients in the preceding list. For specific information on enabling the various VPN clients Microsoft offers—such as Windows CE on Pocket PC or particular scenarios involving VPN for wireless access control—you should refer to the www.microsoft.com/vpn Web site, which has links and documentation for all kinds of VPN implementations.
For the remainder of the book, we’ll use “Microsoft VPN clients” to refer to Windows XP and Windows 2000 client operating systems.
Microsoft VPN clients can configure VPN connections manually by creating VPN connections on the operating system, or a system administrator can simplify a user’s VPN experience by using the Connection Manager components available in Windows Server 2003 to configure the connections automatically. A connection is the term used to describe a logical network adapter that is created in the networking folder of a client or server. The process of manual configuration varies according to operating system as follows:
To manually configure a Windows 2000 VPN client, use Make New Connection in the Control Panel’s Network And Dial-Up Connections folder to create a VPN connection to the IP address or DNS name of the VPN server on the Internet.
To manually configure a Windows XP VPN client, use the New Connection Wizard in the Control Panel’s Network Connections folder to create a VPN connection to the IP address or DNS name of the VPN server on the Internet.
The typical corporate laptop user is skilled at basic computer and application operations, but remote access, networking, and especially Internet connectivity operations are beyond this user’s level of expertise. When scaling the configuration of VPN connections for an enterprise, you must keep in mind the following issues:
The exact procedure for configuring a VPN connection varies depending on the version of Windows running on the client computer. This issue becomes prevalent for a corporation that is using more than one operating system on its laptops, and it becomes especially prevalent when users are using VPNs from their home computers to access company resources.
To prevent configuration errors, the information technology (IT) staff, rather than end users, should configure the VPN connection. Taking this approach can drastically reduce the support costs of a VPN deployment.
A configuration method must be able to scale to hundreds or thousands of client computers in a large organization. When a change in the computing environment occurs, all clients might need to be updated—a daunting and often frightening prospect for the administrators if scalability hasn’t been previously addressed.
A VPN connection might need a double-dial configuration, where a user must dial into the Internet first before creating a VPN connection with the organization’s intranet. To be clear, double-dialing is a solution that allows a remote user to access the same VPN system, while using numerous different points of access to the Internet to get to the VPN. Example: Joe is in New York on Monday; he dials a local access number to get to the Internet and then launches his VPN connection. On Tuesday, Joe is in London, so he dials a different access number to the Internet, but uses the same VPN connection as he did in New York. This need for double-dial is very common if the company has road warriors who are constantly connecting to the Internet using whatever method is available to them at the time. The VPN configuration might be consistent, but the Internet connection to make that VPN connection can easily vary.
The tool for resolving configuration issues when implementing VPN connections across an enterprise is Connection Manager. Connection Manager (CM) consists of the following:
Connection Manager Profile. The component that is installed on the client computer and handles the VPN client operations
Connection Manager Administration Kit. The component that is installed on the VPN server (or other server resource), and manages and controls dispersal and change control for the CM profiles that are on the client computers
Connection Point Services. Phone-book services that provide access methods to the Internet per company policy
CM is a client dialer, included in Windows Server 2003 and designed to be deployed and run on remote access clients, whose advanced features make it a superset of basic dial-up networking. Windows Server 2003 includes a set of tools that enables a network administrator to deliver preconfigured connection profiles and scripts to network users in a user-friendly, easy-to-use, graphically driven interface. These administration tools are the Connection Manager Administration Kit (CMAK) and Connection Point Services (CPS).
CM provides phone-book support for local and remote connections to your remote access service using a network of dial-up remote access points, such as those available worldwide through Internet service providers (ISPs). If your service requires secure connections beyond basic dial-up over the Internet, you can also use CM to establish VPN connections to your service by having it launch an L2TP/IPSec or PPTP connection over the Internet connection. Other optional solutions that can be provided by CM are:
Quarantine control of remote clients so that configurations that can affect corporate safety—such as virus scanners, routing controls, and personal firewalls—can be checked prior to allowing their use
Client-side scripting and connection actions you might want to perform on any clients accessing your remote access services
Quarantine and connection actions will be covered in the “Quarantine Resources” section later in this chapter and in more detail in Chapter 6, “Deploying Remote Access VPNs.”
A network administrator can tailor the appearance and behavior of a connection made with CM by using the Connection Manager Administration Kit (CMAK). With CMAK, an administrator can develop client dialer and connection software that allows users to connect to the network by using only the connection features the administrator defines for them. CM supports a variety of features that both simplify and enhance implementation of connection support for administrators and users, most of which can be incorporated using the Connection Manager Administration Kit Wizard.
CMAK allows you to build profiles customizing the CM installation package you deliver to your customers so that CM reflects the identity of your organization. It allows you to determine which functions and features you want to include and how CM appears to your customers. You can do this by using the Connection Manager Administration Kit Wizard to build custom service profiles.
For more information about CMAK and the configuration of CM service profiles, see Chapter 7, “Using Connection Manager for Quarantine Control and Certificate Provisioning.”
Connection Point Services (CPS) enables you to automatically distribute and update custom phone books. These phone books contain one or more Point of Presence (POP) entries, with each POP supplying a telephone number that provides dial-up access to an Internet access point. The phone books give users complete POP information, so when they travel they can connect to different Internet access points rather than being restricted to a single POP.
Without the ability to update phone books (a task CPS handles automatically), users would have to contact their organization’s technical support staff to be informed of changes in POP information and to reconfigure their client dialer software. This is just one example of why CMAK can save on the support costs of a VPN solution.
CPS has two components:
Phone Book Administrator (PBA)—A tool used to create and maintain the phone book database and to publish new phone-book information to the Phone Book Service.
Phone Book Service (PBS)—A Microsoft Internet Information Services (IIS) extension that runs on Windows NT Server 4.0 or later (with IIS). Phone Book Service automatically checks subscribers’ or corporate employees’ current phone books and, if necessary, downloads a phone-book update.
For more information about CPS and the configuration of phone books, see Chapter 7.
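The phone-book check-in that CPS performs, modelled end to end as an added example (this is not code from the book or from Microsoft): the client reports the version of the phone book it holds, the Phone Book Service answers "current", a chain of deltas, or a full replacement, and the client applies the update. The message fields, the comma-separated line format and the digest check are assumptions made for this example, not the real Phone Book Service wire format.

```python
"""Constructed model of a CPS-style phone-book update exchange (assumed format)."""
import hashlib
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Pop:
    """One Point of Presence: a dial-up number that reaches an Internet access point."""
    name: str
    country: str
    area_code: str
    number: str


def serialize(pops):
    """Canonical text form of a phone book: one POP per line, lines sorted."""
    return "".join(sorted(f"{p.name},{p.country},{p.area_code},{p.number}\n" for p in pops))


def digest(pops):
    """SHA-256 over the canonical text, so client and server can compare books."""
    return hashlib.sha256(serialize(pops).encode()).hexdigest()


class PhoneBookService:
    """Server side (the IIS extension): the current book plus retained per-version deltas."""

    def __init__(self, name, version, pops, keep=5):
        self.name, self.version, self.pops = name, version, set(pops)
        self.keep = keep      # how many old versions stay delta-upgradable
        self.deltas = {}      # from_version -> (adds, removes) leading to from_version + 1

    def publish(self, adds=(), removes=()):
        """What Phone Book Administrator does: publish version + 1 and record the delta."""
        self.deltas[self.version] = (set(adds), set(removes))
        self.pops = (self.pops - set(removes)) | set(adds)
        self.version += 1
        for old in [v for v in self.deltas if v < self.version - self.keep]:
            del self.deltas[old]

    def handle(self, request):
        """Answer one check-in: deltas when the chain is retained, a full book otherwise."""
        if request["pb"] != self.name:
            return {"status": "unknown"}
        v = request["pbver"]
        if v == self.version:
            return {"status": "current", "pbver": v}
        reply = {"pbver": self.version, "digest": digest(self.pops)}
        if 0 <= v < self.version and all(x in self.deltas for x in range(v, self.version)):
            steps = [{"adds": [asdict(p) for p in self.deltas[x][0]],
                      "removes": [asdict(p) for p in self.deltas[x][1]]}
                     for x in range(v, self.version)]
            return {"status": "delta", "steps": steps, **reply}
        return {"status": "full", "pops": [asdict(p) for p in self.pops], **reply}


class PhoneBookClient:
    """Client side (inside Connection Manager): a book and its version number."""

    def __init__(self, name, version, pops):
        self.name, self.version, self.pops = name, version, set(pops)

    def request(self):
        return {"pb": self.name, "pbver": self.version}

    def apply(self, reply):
        """Apply an update; True if the book changed. A reply whose digest does not
        match the resulting book (a corrupt or altered download) is refused."""
        status = reply["status"]
        if status == "current":
            return False
        if status == "delta":
            new = set(self.pops)
            for step in reply["steps"]:
                new -= {Pop(**d) for d in step["removes"]}
                new |= {Pop(**d) for d in step["adds"]}
        elif status == "full":
            new = {Pop(**d) for d in reply["pops"]}
        else:
            raise ValueError(f"phone book update refused: {status}")
        if digest(new) != reply["digest"]:
            raise ValueError("phone book update refused: digest mismatch")
        self.pops, self.version = new, reply["pbver"]
        return True


def sync(client, service):
    """One check-in: request, reply, apply. True if the client was updated."""
    return client.apply(service.handle(client.request()))


# Constructed sample POPs: the numbers below are placeholders, not real access numbers.
NY_OLD = Pop("New York", "US", "212", "555-0100")
SEATTLE = Pop("Seattle", "US", "206", "555-0150")
LONDON = Pop("London", "UK", "20", "7946-0900")
NY_NEW = Pop("New York", "US", "212", "555-0199")


def demo():
    """A client at version 1 catches up through two published revisions."""
    service = PhoneBookService("corpnet", 1, [NY_OLD, SEATTLE])
    client = PhoneBookClient("corpnet", 1, [NY_OLD, SEATTLE])
    service.publish(adds=[LONDON])                      # version 2
    service.publish(adds=[NY_NEW], removes=[NY_OLD])    # version 3
    changed = sync(client, service)
    return changed, client.version, sorted(p.name for p in client.pops)


if __name__ == "__main__":
    print(demo())
```

The delta path is what keeps the download small for a travelling user who checks in often; the full-book path covers a client that has been offline longer than the server's retention window. The digest is the client's only guard against a partial or altered phone book being installed, which matters because the numbers in it are what the user will dial next.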
Single sign-on is the capability that allows a remote access user to create a remote access connection to an organization and log on to the organization’s domain by using the same set of credentials. This is a critical function for security administrators of a large company. By providing single sign-on capabilities, the company keeps the remote access solution and user experience easy to control, and additionally, simplifies security operations for the company. By using single sign-on, security access logging and control is consolidated, security auditing is consolidated down to one central system, and users can use strong password methods more easily because they have to remember only one password to access all resources they might need. For a domain-based infrastructure, the user name and password or smart card is used for both authenticating and authorizing a remote access connection and for authenticating and logging on to a Windows domain.
In the case of remote access in particular, single sign-on can be used to simplify logging on and accessing corporate resources. Upon startup of the operating system, a user can choose to use the Dial-Up Networking option on the Windows XP and Windows 2000 logon dialog box and then select a dial-up or VPN connection to use to connect to the organization’s network.
For VPN connections, the user must first connect to the Internet before creating a VPN connection. After the Internet connection is made, the VPN connection and logon to the domain can be accomplished. The process for doing this is as follows:
If the user has a broadband connection, then they will have an “always-on” scenario for Internet connectivity and will not need a second connection for connecting to the Internet.
If the user uses a separate ISP account that requires sign-on credentials to connect to the Internet, you can create a dial-up connection with the ISP credentials already configured.
Configure your VPN connection to use the dial-up connection to dial the ISP connection before attempting the VPN connection.
In this configuration, the user will never have to type the ISP credentials when logging on to the domain. This association between the VPN connection and the ISP connection can be configured manually by the user, a process which many users might find confusing if they are not computer savvy, or by using CM to do it all automatically for them.
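The double-dial sequence described above (and in the earlier road-warrior scenario, where the same VPN entry is used from different ISP access points) as an added example; this is not code from the book or from Connection Manager. It raises the ISP link first, then the VPN, and hangs the ISP link up again if the VPN step fails. The connection entry names are assumptions; the real dialer wraps the Windows rasdial command, and a fake dialer stands in for it so the sequencing logic can run on any machine.

```python
"""Constructed example: ISP-then-VPN connection sequencing with rollback."""
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass
class VpnProfile:
    vpn_entry: str               # VPN connection name in the Network Connections folder (assumed)
    isp_entry: Optional[str]     # dial-up entry to connect first, or None for an always-on link


def rasdial(entry, disconnect=False):
    """Real dialer: 'rasdial <entry>' dials a saved entry with its stored credentials;
    'rasdial <entry> /DISCONNECT' hangs it up. Only usable on a Windows client."""
    args = ["rasdial", entry] + (["/DISCONNECT"] if disconnect else [])
    return subprocess.run(args, capture_output=True).returncode == 0


def connect(profile, dial=rasdial):
    """Return the links left up, in the order raised. An ISP failure stops before any
    VPN attempt; a VPN failure tears the ISP link back down so nothing is left dangling."""
    raised = []
    if profile.isp_entry is not None:            # double-dial case
        if not dial(profile.isp_entry):
            return raised                        # nothing raised, nothing to undo
        raised.append(profile.isp_entry)
    if dial(profile.vpn_entry):
        raised.append(profile.vpn_entry)
        return raised
    for entry in reversed(raised):               # VPN failed: undo what was raised
        dial(entry, disconnect=True)
    return []


def disconnect(raised, dial=rasdial):
    """Tear down in reverse order: the VPN first, then the ISP link it rides on."""
    for entry in reversed(raised):
        dial(entry, disconnect=True)


class FakeDialer:
    """Stand-in for rasdial: records every call and fails the entries named in 'failing'."""

    def __init__(self, failing=()):
        self.failing, self.calls = set(failing), []

    def __call__(self, entry, disconnect=False):
        self.calls.append((entry, "hangup" if disconnect else "dial"))
        return disconnect or entry not in self.failing


if __name__ == "__main__":
    # Same VPN entry, different ISP entry per city, exactly as in the road-warrior case.
    for city in ("ISP New York", "ISP London"):
        print(city, connect(VpnProfile("Corp VPN", city), dial=FakeDialer()))
```

The ordering is the whole point: the VPN entry is only ever dialled once the ISP link reports success, and the ISP link is never left up on its own after a failed VPN attempt, which is the state a user who configured the two connections independently tends to end up in.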
If your Windows 2000 or Windows XP VPN clients are either making L2TP/IPSec connections or using certificates for user-level authentication to various corporate resources, you must install certificates on the VPN client computer. For L2TP/IPSec connections, you must install a computer certificate on the VPN client computer to provide authentication for establishing an IPSec security association (SA). For user-level authentication using the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication protocol, you can use either a user certificate or a smart card. You can use another method for L2TP/IPSec authentication known as a preshared key, which can be used in place of certificates if certificate services are not available, but this method is only minimally supported by Microsoft operating systems because of security issues inherent with preshared keys. Microsoft recommends the use of certificates for all IPSec-enabled communications including L2TP/IPSec.
For user certificate-based authentication, if a company has not deployed the Microsoft Active Directory directory service, the computer user must request a user certificate from a Windows Server 2003 certificate authority (CA) on the company intranet. If the company has a deployment of Active Directory on Windows Server 2003, users can be automatically configured with certificates upon logon to the system by using the new auto-enrollment CA features of Windows Server 2003. For smart card–based authentication, a network administrator must configure an enrollment station and issue smart cards with certificates that are mapped to individual user accounts. The use of smart cards is an excellent idea if you want to have two-factor authentication for all users. By using two-factor authentication, you can maintain security much more easily because a hacker cannot break in if he discovers one of the factors. The hacker would need to have the smart card and the personal identification number (PIN) to activate the smart card. Only the actual user in physical possession of the smart card can provide both of those items.
For more information about installing certificates on VPN client computers, see the “Certificate Infrastructure” section in this chapter.
If the following criteria match your situation, we can make certain recommendations for the deployment of your VPN clients. When configuring your VPN clients for remote access VPN connections, consider the following:
If you have a small number of VPN clients, perform manual configuration of VPN connections on each computer. Although CM is a valuable tool, administrative and other resources are required to create, troubleshoot and maintain the CMAK and PBS systems. If there are only a few clients, manual configuration will likely consume fewer resources.
If you have a large number of VPN clients or the clients are running different versions of Microsoft operating systems, use the CM components of Windows Server 2003 to create the custom VPN connection profile for distribution and to maintain the phone-book database for your POPs. Doing this will allow you to maintain the clients with CMAK rather than maintaining support for each individual operating system that is being used. The same CM profiles will operate across all supported operating systems.
If you are using Windows XP, Windows 2000, or Microsoft L2TP/IPSec VPN Client to make L2TP/IPSec connections, you must install a computer certificate on the VPN client computer. Therefore, make sure to properly plan and test for a Certificate Services installation and, if possible, use Active Directory on Windows Server 2003 to take advantage of the auto-enrollment CA feature.
If you are using Windows XP or Windows 2000 VPN clients and user-level certificate authentication with EAP-TLS, you must install either a user certificate on the VPN client computer or a user certificate on the smart card used by the VPN client computer. Again, if possible, use Active Directory on Windows Server 2003—the proper certificate will be installed for each user when they log on.