On-Demand Branch Office


Now that we have the remote access setups done on the VPN server and the remote access clients, let’s take a look at the site-to-site connections we need to create for the remote offices. The Portland and Dallas branch offices of Contoso, LTD. are connected to the corporate office by using on-demand site-to-site VPN connections. Both the Portland and Dallas offices contain a few dozen employees who need only occasional connectivity with the corporate office. (For anything fewer than 10 users at a site, the users should be left on remote access. This will allow the corporation to not have to support server-based services remotely at the branch office. For any more than 10 users, site-to-site connections with a dedicated server is the preferred model.) The Window Server 2003 routers in the Portland and Dallas offices are equipped with an Integrated Services Digital Network (ISDN) adapter that dials a local ISP to gain access to the Internet. When access is gained, a site-to-site VPN connection is made across the Internet. When the VPN connection is idle for five minutes, the routers at the branch offices terminate the VPN connection.

The Dallas branch office uses the IP network ID of 192.168.28.0 with a subnet mask of 255.255.255.0 (192.168.28.0/24). The Portland branch office uses the IP network ID of 192.168.4.0 with a subnet mask of 255.255.255.0 (192.168.4.0/24).

To simplify the configuration, the VPN connection is a one-way initiated connection that is always initiated by the branch office router. This is preferable to two-way initiated connection because the branch office does not have to use an always-on Internet connection and thus saves on costs. (In many cases these days, a branch office can use ADSL or cable modem for its connection and therefore maintain an always- on state, so see what options are available for your scenario and branch office connections. We will be setting up some two-way connections later on in this chapter.) For more background information, see Chapter 8.

Figure 10-3 shows the Contoso, LTD. VPN server that provides on-demand branch office connections.

click to expand
Figure 10-3: The Contoso, LTD. VPN server that provides on-demand branch office connections.

Additional Configuration

To deploy on-demand site-to-site VPN connections to connect the Portland and Dallas branch offices to the corporate office based on the settings configured in the “Common Configuration for the VPN Server” section of this chapter, the following additional settings are configured.

Domain Configuration

For the VPN connection to the Dallas office, the user account VPN_Dallas is created with the following settings:

  • Password of nY7W{q8~=z3.

  • For the account properties of the VPN_Dallas account, the User Must Change Password At Next Logon option is cleared and the Password Never Expires option is selected.

  • For the dial-in properties on the VPN_Dallas account, the remote access permission is set to Control Access Through Remote Access Policy and the static route 192.168.28.0 with a subnet mask of 255.255.255.0 is added.

  • The VPN_Dallas account is added to the VPN_Routers group.

For the VPN connection to the Portland office, the user account VPN_Portland is created with the following settings:

  • Password of P*4s=wq!Gx1.

  • For the account properties of the VPN_Portland account, the User Must Change Password At Next Logon option is cleared and the Password Never Expires option is selected.

  • For the dial-in properties on the VPN_Portland account, the remote access permission is set to Control Access Through Remote Access Policy and the static route 192.168.4.0 with a subnet mask of 255.255.255.0 is added.

  • The VPN_Portland account is added to the VPN_Routers group.

Remote Access Policy Configuration

To define the authentication and encryption settings for the VPN routers, the following remote access policy is created:

  • Policy Name: VPN Routers

  • Access Method: VPN

  • User Or Group Access: Group, with the EXAMPLE\VPN_Routers group selected

  • Authentication Methods: Extensible Authentication Protocol (EAP), with the Smart Card Or Other Certificate type, and Microsoft Encrypted Authentication version 2 (MS-CHAP v2) selected

  • Policy Encryption Level: Strong Encryption and Strongest Encryption selected

The following sections describe a PPTP-based on-demand branch office connection for the Dallas office and an L2TP/IPSec-based on-demand branch office connection for the Portland office. By describing this scenario, we can cover all bases for your own deployments. For the best security, L2TP/IPSec with certificates is the recommended solution for site-to-site connections. Many vendors suggest IPSec tunnel mode for this operation, but Microsoft does not support it because it has been rejected for security reasons by the Internet Engineering Task Force (IETF). See the sidebar in Chapter 8 for more details.

PPTP-Based On-Demand Branch Office

The Dallas branch office is a PPTP-based branch office that uses a Windows Server 2003 router to create an on-demand, site-to-site VPN connection with the VPN server in New York as needed. When the connection is made and is idle for five minutes, the connection is terminated.

To deploy a PPTP, one-way initiated, on-demand, site-to-site VPN connection to the corporate office based on the settings configured in the “Common Configuration for the VPN Server” and “On-Demand Branch Office” sections of this chapter, the following settings are configured on the Dallas router.

Demand-Dial Interface for the Connection to the ISP

To connect the Dallas office router to the Internet by using a local ISP, a demand- dial interface is created using the Demand-Dial Interface Wizard with the following settings:

  • Interface Name: ISP

  • Connection Type: Connect Using A Modem, ISDN Adapter, Or Other Physical Device

  • Select a Device: The appropriate ISDN device is specified.

  • Phone Number: Phone number of the ISP for the Dallas office.

  • Protocols And Security: The Route IP Packets On This Interface check box is selected.

  • Static Routes For Remote Networks

    To create the connection to the Dallas ISP when the site-to-site VPN connection needs to be made, the following static route is created:

    • Destination: 207.209.68.1

    • Network mask: 255.255.255.255

    • Metric: 1

  • Dial Out Credentials

    User name: Dallas office ISP account name

    Password: Dallas office ISP account password

    Confirm password: Dallas office ISP account password

To run the Demand-Dial Interface Wizard, right-click Network Interfaces in the Routing And Remote Access snap-in’s control tree, and then click New Demand- Dial Interface.

Demand-Dial Interface for Site-to-Site VPN Connection

To connect the Dallas office router to the VPN server by using a site-to-site VPN connection over the Internet, the New York office’s network administrator created a demand-dial interface using the Demand-Dial Interface Wizard with the following settings:

  • Interface Name: CorpHQ

  • Connection Type: Connect Using Virtual Private Networking (VPN)

  • VPN Type: Point-to-Point Tunneling Protocol (PPTP)

  • Destination Address: 207.209.68.1

  • Protocols And Security: The Route IP Packets On This Interface check box is selected.

  • Static Routes For Remote Networks

    To make all locations on the corporate intranet reachable, the following static route is created:

    • Destination: 172.16.0.0

    • Network mask: 255.240.0.0

    • Metric: 1

    To make all locations on Contoso, LTD. branch offices reachable, the following static route is created:

    • Destination: 192.168.0.0

    • Network mask: 255.255.0.0

    • Metric: 1

  • Dial-Out Credentials

    User Name: VPN_Dallas

    Domain: contoso.example.com

    Password: nY7W{q8~=z3

    Confirm Password: nY7W{q8~=z3

L2TP/IPSec-Based On-Demand Branch Office

The Portland branch office is an L2TP/IPSec-based branch office that uses a Windows Server 2003 router to create an on-demand, site-to-site VPN connection with the VPN server in New York as needed. When the connection is made and is idle for five minutes, the connection is terminated.

To deploy an L2TP/IPSec, one-way initiated, on-demand, site-to-site VPN connection to the corporate office based on the settings configured in the “Common Configuration for the VPN Server” and “On-Demand Branch Office” sections of this chapter, the following settings are configured on the Portland router.

Certificate Configuration

The Portland router was configured by the Contoso, LTD. network administrator while it was physically connected to the Contoso, LTD. intranet. It was then shipped to the Portland site. While the Portland router was connected to the Contoso, LTD. intranet, a computer certificate was installed through auto-enrollment and the user name was created in Active Directory on the headquarters intranet. This point is important to remember, especially if you are going to do two-way initiated connections with separate Active Directory instances on each side of the link. Configure the remote router while it is still connected to the central intranet, synchronize the two Active Directory user entries on either one’s Active Directory domain controller, and then ship the VPN server to the remote site.

Demand-Dial Interface for the Connection to the ISP

To connect the Portland office router to the Internet by using a local ISP, the network administrator created a demand-dial interface using the Demand-Dial Interface Wizard with the following settings:

  • Interface Name: ISP

  • Connection Type: Connect Using A Modem, ISDN Adapter, Or Other Physical Device

  • Select a Device: The appropriate ISDN device is specified.

  • Phone Number: Phone number of the ISP for the Portland office.

  • Protocols And Security: The Route IP Packets On This Interface check box is selected.

  • Static Routes For Remote Networks

    To create the connection to the Portland ISP when the site-to-site VPN connection needs to be made, the following static route is created:

    • Destination: 207.209.68.1

    • Network Mask: 255.255.255.255

    • Metric: 1

  • Dial-Out Credentials

    User Name: Portland office ISP account name

    Password: Portland office ISP account password

    Confirm Password: Portland office ISP account password

Demand-Dial Interface for Site-to-Site VPN Connection

To connect the Portland office router to the VPN server by using a site-to-site VPN connection over the Internet, the network administrator created a demand-dial interface using the Demand-Dial Interface Wizard with the following settings:

  • Interface Name: CorpHQ

  • Connection Type: Connect Using Virtual Private Networking (VPN)

  • VPN Type: Layer 2 Tunneling Protocol (L2TP)

  • Destination Address: 207.209.68.1

  • Protocols And Security: The Route IP Packets On This Interface check box is selected.

  • Static Routes For Remote Networks

    To make all locations on the corporate intranet reachable, the following static route is created:

    • Destination: 172.16.0.0

    • Network Mask: 255.240.0.0

    • Metric: 1

    To make all locations on Contoso, LTD. branch offices reachable, the following static route is created:

    • Destination: 192.168.0.0

    • Network Mask: 255.255.0.0

    • Metric: 1

  • Dial-Out Credentials

    • User Name: VPN_Portland

    • Domain: contoso.example.com

    • Password: P*4s=wq!Gx1

    • Confirm Password: P*4s=wq!Gx1




Deploying Virtual Private Networks With Microsoft Windows Server 2003
Deploying Virtual Private Networks with Microsoft Windows Server 2003 (Technical Reference)
ISBN: 0735615764
EAN: 2147483647
Year: 2006
Pages: 128

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net