Welcome to Deploying Virtual Private Networks with Microsoft Windows Server 2003, your complete source for the information you need to design and deploy Virtual Private Networks (VPNs) using Windows Server 2003 and all of the Windows Client operating systems. This book includes overview explanations of the various technologies involved in deploying both remote access and site-to-site VPNs over the Internet and/or within a private network. It also includes step-by-step instructions on how to deploy basic remote access and site-to-site VPNs using various tunneling protocols and authentication methods, step-by-step instructions on advanced features such as Connection Manager and Network Access Quarantine Control, and detailed procedures on how to troubleshoot your VPN deployments.
Virtual private networking is all about ensuring privacy and security on the Internet so that you can use the Internet as a communications network for your users and remote offices. In today’s world of open communications and connectivity on the Internet, you should remember the following quotation when thinking about security:
Security is not binary. It is not a switch or even a series of switches. It cannot be expressed in absolute terms. Do not believe anyone who tries to convince you otherwise. Security is relative—there is only more secure and less secure. Furthermore, security is dynamic—people, process, and technology all change. The bottom line is that all of these factors make managing security difficult.
—Ben Smith and Brian Komar, Microsoft Windows Security Resource Kit, Microsoft Press, 2003.
Deploying Virtual Private Networks with Microsoft Windows Server 2003 describes the combination of technologies in Windows that supports the strongest set of industry standards for VPN access that was available at the time of the writing of this book.
Deploying Virtual Private Networks with Microsoft Windows Server 2003 is structured to provide a conceptual overview not only of VPNs, but also of all the other components of the authentication infrastructure, such as Remote Authentication Dial-In User Service (RADIUS), authentication protocols, certificate services, and Active Directory. Many companies have not implemented some of these services, so this book takes the time to explain them conceptually as they pertain to VPN technologies. We cover the basic operations and setup of all necessary services, and where the issues go into deeper detail, we point you toward the appropriate resources external to this book. We start off with conceptual overviews of all of the pertinent services and components, and then we describe the steps of deploying remote access VPNs that allow many users to access corporate resources. From there, we cover site-to-site VPNs to connect remote offices to each other over the Internet. Finally, this book describes how to troubleshoot the full architecture of VPN deployments, with both remote access and site-to-site configurations.
Part I, “VPN Technology,” provides an introduction to the business case of VPNs, an overview of the two types of VPN connections—remote access and site-to-site—an overview of VPN security issues, and a discussion of interoperability issues with VPN technologies from other vendors. Part I includes the following chapters:
Chapter 1, “The Business Case for Virtual Private Networks,” presents the case for deploying VPN services and mobile computing in today’s businesses. The world of the Internet has changed the way that corporations do business with mobile computers of all kinds, and VPN technology keeps all of the transmissions and communications secure on the Internet. We address the issues that every business owner needs to be aware of when building out a VPN solution on the Internet, and we also describe how integral a good VPN solution is to businesses of all sizes today.
Chapter 2, “VPN Overview,” describes the basic concepts of VPN solutions, such as remote access for individual users and site-to-site for remote office connectivity. We then cover the technologies that comprise a VPN, such as tunneling protocols, authentication protocols, and the server and client computing components to the VPN solutions built into Windows operating systems.
Chapter 3, “VPN Security,” presents the basics of VPN security, from the use of certificates versus preshared keys, the various authentication protocols, and the pros and cons of each, to the differences between Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol with Internet Protocol Security (L2TP/IPSec). We make recommendations regarding your choices for secure VPN connections and for the options you need to consider when designing your VPN deployment.
Chapter 4, “VPN Interoperability,” examines interoperability issues with third-party VPN providers. We go over the protocol interoperations and authentication protocol issues that you need to know to mesh Microsoft VPN technologies with your existing solutions.
Part II, “VPN Deployment,” provides you with the information you need to plan and deploy your remote access or site-to-site VPN solutions. To understand how to deploy and troubleshoot VPNs, you must have an understanding of the underlying technologies and how they work. These technologies include VPN gateway services, VPN client services, authentication services and protocols (including RADIUS and Certificate Services), Connection Manager, and Network Access Quarantine Control. Part II includes the following chapters:
Chapter 5, “Remote Access VPN Components and Design Points,” presents the components for remote access VPN connections, which is the technology you use to connect individual users to a private network by using tunneling protocols over the Internet. We cover design points that you will need to consider prior to deployment, as well as an in-depth overview of each related service and the options to consider when deploying those services for remote access VPNs.
Chapter 6, “Deploying Remote Access VPNs,” includes complete step-by-step instructions for deploying a basic remote access VPN solution using Windows Server 2003 as the VPN server and Windows XP or Windows 2000 Professional as the VPN client, along with all of the supporting services that go with VPN deployment, including Internet Authentication Service (a RADIUS server), Certificate Services, and Active Directory.
Chapter 7, “Using Connection Manager for Quarantine Control and Certificate Provisioning,” describes the advanced features you need to make the client VPN experience secure and seamless for the users. We cover creating Connection Manager profiles with Network Access Quarantine Control activated, and we run you through how to set up a test lab to use Connection Manager and quarantine to deploy certificates for secure access for your users. You can use the basic setup for Connection Manager and quarantine in this test lab to deploy a completely customized quarantine solution to ensure the configurations of your VPN clients conform to network policy requirements.
Chapter 8, “Site-to-Site VPN Components and Design Points,” discusses the components for site-to-site VPN connections, which is the technology you use to connect remote offices to each other by using tunneling protocols over the Internet. We cover design points that you will need to consider prior to deployment, as well as an in-depth overview of each related service and the options to consider when deploying those services for site-to-site VPNs.
Chapter 9, “Deploying Site-to-Site VPNs,” provides complete step-by-step instructions on deploying a basic site-to-site VPN solution using Windows Server 2003 as the VPN routers, and all of the support services that go with the deployment, including Internet Authentication Service, Certificate Services, and Active Directory.
Chapter 10, “A VPN Deployment Example,” pulls together all of the material from the previous nine chapters to show you a complete solution with remote access and site-to-site VPN solutions deployed for a typical business. You will see all of the services and components functioning together. You can use this chapter to review a typical VPN deployment, which will allow you to plan your deployment with various options in mind.
Part III, “VPN Troubleshooting,” provides you with troubleshooting information and advice.
VPN deployment involves the mutual operations of many different services, components, and Internet connectivity solutions, so you will need to have a defined procedure for troubleshooting the environment that enables you to identify problems quickly and easily.
Chapter 11, “Troubleshooting Remote Access VPN Connections,” steps through detailed testing and troubleshooting solutions for your remote access VPN deployment. By following the procedures in the order in which they are delivered in the chapter, you should be able to find and resolve most of the problems that you are experiencing with your remote access VPN connections.
Chapter 12, “Troubleshooting Site-to-Site VPN Connections,” steps you through detailed testing and troubleshooting solutions for your site-to-site VPN deployment. By following the procedures in the order in which they are delivered in the chapter, you should be able to find and resolve most of the problems that you are experiencing with your site-to-site VPN connections.
Part IV, “Appendixes,” includes the following:
Appendix A, “VPN Deployment Best Practices,” is a collection of all the best practices from the entire book for deploying VPN solutions, for your quick reference. By referring to this section, you will be able to make the best decisions for your VPN deployment.
Appendix B, “Configuring Firewalls for VPN,” is a comprehensive overview of the ports and protocols for packet filters that you will need to configure on your firewall in order for VPN solutions to function across firewall boundaries.
Appendix C, “Deploying a Certificate Infrastructure,” describes the design elements of deploying a certificate infrastructure, also known as a public key infrastructure (PKI), using Windows Server 2003 and certificate requirements for third-party certification authorities.
Appendix D, “Setting Up Remote Access VPN Connections in a Test Lab,” provides step-by-step instructions for the setup of a test lab for remote access VPN connections.
Appendix E, “Setting Up Connection Manager in a Test Lab,” provides step-by-step instructions for the setup of a test lab for Connection Manager Administration Kit and Phone Book Services.
Appendix F, “Setting Up a PPTP-Based Site-to-Site VPN Connections in a Test Lab,” provides step-by-step instructions for the setup of a test lab for PPTP-based site-to-site VPN connections.
Appendix G, “Frequently Asked Questions,” is a comprehensive list of frequently asked questions for Windows VPN deployments.