When putting together a VPN solution, the most important thing to remember is to take the setup and testing one step at a time. Do not cut corners or rush any step: this can be a complex operation, especially in a diverse environment with many moving parts, and any single step can break the deployment. Use checklists and keep good notes for every step, and set a milestone for each section so that you can confirm it is complete before moving on.
To deploy a VPN solution for Contoso, LTD. the network administrator needs to perform an analysis and make design decisions regarding:
The network configuration
The remote access policy configuration
The domain configuration
The security configuration
The network configuration determines all the core communications information, such as network and node addressing, routing, subnetting, and other wide area network (WAN) information. The key elements of the network configuration are:
The Contoso, LTD. corporate intranet uses the private networks of 172.16.0.0 with a subnet mask of 255.240.0.0 (172.16.0.0/12) and 192.168.0.0 with a subnet mask of 255.255.0.0 (192.168.0.0/16). The corporate campus network segments use subnets of 172.16.0.0/12, and the branch offices use subnets of 192.168.0.0/16.
The VPN server computer is directly attached to the Internet using a 44.736 megabit per second T3 (also known as a Digital Signal level 3 [DS-3]) dedicated WAN link. The number of concurrent connections Contoso, LTD. supports and the amount of traffic that will pass over the VPN determine how much bandwidth is needed. The main site VPN router must accommodate all remote access and site-to-site connections concurrently, so Contoso, LTD. sized the main site link by adding up the bandwidth of all connections that can be active at once and then leaving the circuit some headroom; that calculation led to the choice of a DS-3.
The Internet Protocol (IP) address of the WAN adapter on the Internet is 220.127.116.11, as allocated by the Internet service provider (ISP) for Contoso, LTD. The IP address of the WAN adapter is referred to on the Internet by the domain name vpn.contoso.example.com.
The VPN server computer is directly attached to an intranet network segment that contains a router that connects to the rest of the Contoso, LTD. corporate campus intranet. The intranet network segment has the IP network ID of 172.31.0.0 with the subnet mask of 255.255.0.0 (172.31.0.0/16).
The VPN server computer is configured with a static pool of IP addresses to allocate to remote access clients and calling routers that is a subset of the intranet network segment (an on-subnet address pool).
Figure 10-1 shows the network configuration of the Contoso, LTD. VPN server.
Figure 10-1: The network configuration of the Contoso, LTD. VPN server.
The first step in deploying VPN is setting up the physical and logical configuration of the VPN server. Based on the network configuration of the Contoso, LTD. corporate campus intranet, the VPN server computer is configured as follows:
Install hardware on the VPN server.
The network adapter that is used to connect to the intranet segment and the adapter that is used to connect to the Internet are installed according to the adapter manufacturer’s instructions. Once drivers are installed and functioning, both adapters appear as local area connections in Network Connections. In most cases, the Internet adapter is an Ethernet-based network adapter, which is attached to an external routing device that terminates the WAN connection. However, in some cases, it can be a WAN interface adapter such as a T1/T3 or Asynchronous Transfer Mode (ATM) adapter. These connection types are all supported on Windows Server 2003. For simplicity’s sake, we are going to assume the T3 is attached directly to the VPN server using a T3 adapter for this deployment. We will refer to it as the WAN adapter for the remainder of this chapter.
Configure Transmission Control Protocol/Internet Protocol (TCP/IP) on the LAN and WAN adapters.
For the LAN adapter, an IP address of 172.31.0.1 with a subnet mask of 255.255.0.0 is configured. For the WAN adapter, the ISP-allocated address 220.127.116.11 with a subnet mask of 255.255.255.255 is configured (a host mask, because the T3 is a point-to-point link). A default gateway is not configured on either adapter; reachability is provided by the static routes added later in this procedure. Domain Name System (DNS) and Windows Internet Name Service (WINS) server addresses are also configured, and they should all point to the company's internal DNS and WINS servers. Any external name resolution should be forwarded by the internal DNS/WINS servers to an outside authority.
Configure the Routing And Remote Access service.
The Routing And Remote Access service is initially configured with the Routing And Remote Access Server Setup Wizard. To run the wizard, right-click the name of the server in the Routing And Remote Access snap-in, and then click Configure And Enable Routing And Remote Access. Configure the VPN server using the following settings:
Configuration: Remote Access (Dial-Up Or VPN)
Remote Access: VPN
VPN Connection: Click the connection that corresponds to the interface connected to the Internet.
IP Address Assignment: Click From A Specified Range Of Addresses, and create a single range from 172.31.255.1 to 172.31.255.254. This creates a static address pool for up to 254 VPN clients. This means that we will not be using Dynamic Host Configuration Protocol (DHCP) to obtain IP addresses for remote access clients. If you want to use DHCP for all addressing, make sure to follow the guidance in Chapter 5 and Chapter 8.
Managing Multiple Remote Access Servers: Click No, Use Routing And Remote Access To Authenticate Connection Requests.
The default method of authenticating remote access and demand-dial connections is Windows authentication, which is appropriate here because the configuration contains only one VPN server. If you deploy multiple VPN servers, or if you want to use several access technologies in the same environment, such as 802.1X for wired or wireless access alongside VPN, RADIUS is recommended so that the policy is defined once on the RADIUS server rather than separately on each access server. For information on the use of RADIUS authentication for Contoso, LTD. see the “Dial-Up and VPNs with RADIUS Authentication” section later in this chapter.
Configure the DHCP Relay Agent.
In the console tree of the Routing And Remote Access snap-in, navigate to IP Routing\DHCP Relay Agent. Right-click DHCP Relay Agent, and then click Properties. In the DHCP Relay Agent Properties dialog box, type the IP address of an intranet DHCP server in Server Address. Click Add, and then click OK. With the DHCP Relay Agent routing protocol component configured, VPN remote access clients receive the correct DNS domain name, DNS server addresses, and WINS server addresses when they connect to the intranet, because their DHCP Inform requests are relayed to the DHCP server. Without the DHCP Relay Agent, the only DHCP servers that can be reached are those on the same subnet as the intranet interface of the VPN server; with it, the requests can be relayed to a DHCP server on any subnet listed in the agent's configuration.
Configure static routes on the VPN server to reach intranet and Internet locations.
Without static route entries, the VPN server knows only the subnets it is directly attached to, so VPN clients, which reach the intranet through the VPN server, could reach only the 172.31.0.0/16 segment. The VPN server needs a route to every subnet that clients might need to reach and therefore requires static route entries. To reach intranet locations, a static route is created with the following settings:
Interface: The LAN adapter attached to the intranet
Destination: 172.16.0.0
Network Mask: 255.240.0.0
Gateway: The IP address of the intranet router's interface on the 172.31.0.0/16 segment
This static route simplifies routing by summarizing all destinations on the Contoso, LTD. intranet. This technique is known as route summarization. This static route is used so that the VPN server does not need to be configured with a routing protocol.
To reach Internet locations, a static route is created with the following settings:
Interface: The WAN adapter attached to the Internet
Destination: 0.0.0.0
Network Mask: 0.0.0.0
Gateway: 0.0.0.0
This static route summarizes all destinations on the Internet: any destination not matched by a more specific route is forwarded out the WAN adapter. It allows the VPN server to respond to a remote access client or demand-dial router from anywhere on the Internet. Using static routes instead of the Default Gateway setting on the interfaces (which, as stated earlier, is left blank) keeps the routing configuration explicit, and static routes are not overridden by automatic configuration changes that might occur on the interfaces.
Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example. (0.0.0.0 is known as the unspecified IP address.)
Configure a static route on the intranet router to reach all branch offices.
To reach branch office locations from the intranet router, a static route is created with the following settings:
Interface: The LAN adapter attached to the 172.31.0.0/16 segment shared with the VPN server
Destination: 192.168.0.0
Network Mask: 255.255.0.0
Gateway: 172.31.0.1 (the LAN adapter of the VPN server)
This static route simplifies routing by summarizing all destinations at Contoso, LTD. branch offices. The intranet router advertises this static route to its neighboring routers so that a route to the branch office locations exists on each router of the intranet. This is how all internal resources learn how to find the remote offices. Because every internal router forwards branch-office traffic to the intranet router, and the intranet router forwards it to the VPN server, all traffic to the remote offices passes through the VPN server and its site-to-site connections.
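The route summarization described in the preceding steps can be checked before it is typed into the snap-in. The following Python script is an added example, not part of the original chapter or of the Routing And Remote Access tooling: it encodes the three static routes and the address pool from this section, performs the longest-prefix-match lookup a router performs, and verifies that the pool is on-subnet and that the 172.16.0.0/12 summary covers the VPN server's own segment. The chapter does not give the intranet router's address on the 172.31.0.0/16 segment, so 172.31.0.2 is an assumed value used only to populate the gateway field.

```python
"""Model of the Contoso, LTD. static routes and address pool from this chapter.

Added example, not code from the original chapter. 172.31.0.2 is an ASSUMED
address for the intranet router; the chapter does not state it.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    destination: IPv4Net   # destination network and mask
    interface: str         # adapter the packet leaves on
    gateway: str           # next hop; 0.0.0.0 is acceptable on a point-to-point WAN link


# Address plan from the chapter.
CONTOSO_INTRANET = ipaddress.ip_network("172.16.0.0/12")   # whole corporate intranet
BRANCH_OFFICES = ipaddress.ip_network("192.168.0.0/16")    # all branch-office subnets
VPN_SEGMENT = ipaddress.ip_network("172.31.0.0/16")        # segment the VPN server sits on
VPN_SERVER_LAN = "172.31.0.1"                              # VPN server's LAN adapter
INTRANET_ROUTER = "172.31.0.2"                             # ASSUMPTION: not given in the chapter
ADDRESS_POOL = ("172.31.255.1", "172.31.255.254")          # static pool for VPN clients

# Static routes configured on the VPN server.
VPN_SERVER_ROUTES: List[Route] = [
    Route(CONTOSO_INTRANET, "LAN", INTRANET_ROUTER),             # summary of the intranet
    Route(ipaddress.ip_network("0.0.0.0/0"), "WAN", "0.0.0.0"),  # summary of the Internet
]

# Static route configured on the intranet router: branches live behind the VPN server.
INTRANET_ROUTER_ROUTES: List[Route] = [
    Route(BRANCH_OFFICES, "LAN", VPN_SERVER_LAN),
]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins.

    Returns None when no route matches, which is what happens for Internet
    destinations if the 0.0.0.0/0 entry is left out.
    """
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.destination]
    if not matches:
        return None
    return max(matches, key=lambda r: r.destination.prefixlen)


def pool_is_on_subnet(first: str, last: str, segment: IPv4Net = VPN_SEGMENT) -> bool:
    """An on-subnet pool must be a non-empty range lying wholly inside the segment."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lo <= hi and lo in segment and hi in segment


def summary_covers(summary: IPv4Net, subnets: List[IPv4Net]) -> bool:
    """True when every subnet is contained in the summary route (route summarization)."""
    return all(s.subnet_of(summary) for s in subnets)


if __name__ == "__main__":
    # Constructed sample destinations: a campus host, an Internet peer (TEST-NET-3),
    # and a branch-office host.
    for dst in ("172.20.1.1", "203.0.113.5"):
        r = lookup(VPN_SERVER_ROUTES, dst)
        print(f"VPN server -> {dst}: via {r.interface}, next hop {r.gateway}")
    print("Without the default route, 203.0.113.5 ->",
          lookup(VPN_SERVER_ROUTES[:1], "203.0.113.5"))
    r = lookup(INTRANET_ROUTER_ROUTES, "192.168.4.7")
    print(f"Intranet router -> 192.168.4.7: via {r.interface}, next hop {r.gateway}")
    print("Pool on-subnet:", pool_is_on_subnet(*ADDRESS_POOL))
    print("172.16.0.0/12 covers 172.31.0.0/16:",
          summary_covers(CONTOSO_INTRANET, [VPN_SEGMENT]))
```

Run as a script, it prints the forwarding decision for each sample destination. The lookup over the intranet route alone returns nothing for the Internet address, which is the failure the text warns about when the default static route is omitted, and a pool that strays outside 172.31.0.0/16 fails the on-subnet check.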
Contoso, LTD. is using a native-mode Active Directory directory service domain, and the network administrator for Contoso, LTD. has decided on an access-by-group administrative model. The remote access permission on all user accounts is set to Control Access Through Remote Access Policy. Whether a connection attempt is granted remote access permission is controlled by the remote access permission setting on the first matching remote access policy. Remote access policies are used to apply different VPN connection settings based on group membership.
To take advantage of the ability to apply different connection settings to different types of VPN connections, the following Active Directory groups are created:
VPN_Users: Used for remote access VPN connections
VPN_Routers: Used for site-to-site VPN connections from Contoso, LTD. branch offices
VPN_Partners: Used for site-to-site VPN connections from Contoso, LTD. business partners
All users and groups in this sample deployment are created in the contoso.example.com Active Directory domain.
To enable L2TP/IPSec connections, the use of smart cards by remote access clients, and the use of Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) by routers, the Contoso, LTD. domain is configured to autoenroll computer certificates to all domain members via Active Directory on Windows Server 2003.
For more information about configuring auto-enrollment, see Chapter 6.