Extranet for Business Partners


Now that we have all the company’s users connected and working and the remote offices are communicating, Contoso, LTD. has to do business with the rest of the world. The network administrator for Contoso, LTD. has created an extranet, a portion of the Contoso, LTD. private network that is available to business partners through secured VPN connections. The Contoso, LTD. extranet is the network attached to the Contoso, LTD. VPN server and contains a file server and a Web server, which contain all the information they need to directly access. Access to internal resources from these utilities can be accomplished via Web proxy and terminal services, thus protecting the corporate resources from direct contact by noncorporate clients. IPSec policies can be used between the extranet resources and the intranet resources to ensure resources are not compromised. Parts distributors Fabrikam, Inc., and Blue Yonder Airlines are Contoso, LTD. business partners. They connect to the Contoso, LTD. extranet by using on-demand, site-to-site VPN connections. An additional remote access policy is used to ensure that the business partners can access only the extranet file server and Web server.

The file server on the Contoso, LTD. extranet is configured with an IP address of 172.31.0.10, and the Web server is configured with an IP address of 172.31.0.11. Fabrikam, Inc., uses the public network ID of 131.107.254.0 with a subnet mask of 255.255.255.0 (131.107.254.0/24). Blue Yonder Airlines uses the public network ID of 131.107.250.0 with a subnet mask of 255.255.255.0 (131.107.250.0/24). To ensure that the extranet Web server and file server can reach the business partners, static routes are configured on the file server and Web server for each of the business partner networks that use the gateway address of 172.31.0.1.

To simplify configuration, the VPN connection is a one-way initiated connection. The business partner’s router always initiates the connection.

Figure 10-5 shows the Contoso, LTD. VPN server that provides extranet connections for business partners.

click to expand
Figure 10-5: The Contoso, LTD. VPN server that provides extranet connections for business partners.

Additional Configuration

To deploy business partner, on-demand, one-way initiated, site-to-site VPN connections to connect Fabrikam, Inc., and Blue Yonder Airlines to the Contoso, LTD. extranet based on the settings configured in the “Common Configuration for the VPN Server” section of this chapter, the following additional settings are configured.

Domain Configuration

For the VPN connection to Fabrikam, Inc., the user account Fabrikam, Inc. is created with the following settings:

  • Password of Y8#-vR7?]fI.

  • For the account properties of the Fabrikam, Inc. account, the User Must Change Password At Next Logon option is cleared and the Password Never Expires option is selected.

  • For the dial-in properties on the Fabrikam, Inc. account, the remote access permission is set to Control Access Through Remote Access Policy and the static route 131.107.254.0 with a subnet mask 255.255.255.0 is added.

  • The Fabrikam, Inc. account is added to the VPN_Partners group.

For the VPN connection to Blue Yonder Airlines, the user account Blue Yonder Airlines is created with the following settings:

  • Password of W@8c^4r-;2\.

  • For the account properties of the Blue Yonder Airlines account, the User Must Change Password At Next Logon option is cleared and the Password Never Expires option is selected.

  • For the dial-in properties on the Blue Yonder Airlines account, the remote access permission is set to Control Access Through Remote Access Policy and the static route 131.107.250.0 with a subnet mask 255.255.255.0 is added.

  • The Blue Yonder Airlines account is added to the VPN_Partners group.

Remote Access Policy Configuration

To define the authentication and encryption settings for business partner VPN connections, the following remote access policy is created:

  • Policy Name: VPN Partners

  • Access Method: VPN

  • User Or Group Access: Group, with the EXAMPLE\VPN_Partners group selected

  • Authentication Methods: Extensible Authentication Protocol (EAP), with the Smart Card Or Other Certificate type, and Microsoft Encrypted Authentication version 2 (MS-CHAP v2) selected

  • Policy Encryption Level: Strong Encryption and Strongest Encryption selected

After the remote access policy is created, its configuration is modified in the following way:

  • On the IP tab of the profile settings, the following TCP/IP packet filters are configured:

    Inbound Filters:

    • Filter 1: Destination Network IP Address of 172.31.0.10 and Subnet Mask of 255.255.255.255

    • Filter 2: Destination Network IP Address of 172.31.0.11 and Subnet Mask of 255.255.255.255

    • Filter Action: Permit Only The Packets Listed Below

    Outbound Filters:

    • Filter 1: Source Network IP Address of 172.31.0.10 and Subnet Mask of 255.255.255.255

    • Filter 2: Source Network IP Address of 172.31.0.11 and Subnet Mask of 255.255.255.255

    • Filter Action: Permit Only The Packets Listed Below

The following sections describe a PPTP-based extranet for the business partner Fabrikam, Inc., and an L2TP/IPSec-based extranet for the business partner Blue Yonder Airlines.

PPTP-Based Extranet for Business Partners

Fabrikam, Inc., is a business partner that uses a Windows Server 2003 router to create an on-demand, PPTP-based, site-to-site VPN connection with the Contoso, LTD. VPN server in New York as needed. When the connection is created and is idle for five minutes, the connection is terminated. The Fabrikam, Inc., router is connected to the Internet with a permanent WAN connection.

To deploy a PPTP, one-way initiated, on-demand, site-to-site VPN connection to the corporate office based on the settings configured in the “Common Configuration for the VPN Server” and “Extranet for Business Partners” sections of this chapter, the following settings are configured on the Fabrikam, Inc., router.

Demand-Dial Interface for Site-to-Site VPN Connection

To connect the Fabrikam, Inc., router to the Contoso, LTD. VPN server by using a site-to-site VPN connection over the Internet, the network administrator created a demand-dial interface using the Demand-Dial Interface Wizard with the following settings:

  • Interface Name: Contoso

  • Connection Type: Connect Using Virtual Private Networking (VPN)

  • VPN Type: Point-to-Point Tunneling Protocol (PPTP)

  • Destination Address: 207.209.68.1

  • Protocols And Security: The Route IP Packets On This Interface check box is selected.

  • Static Routes For Remote Networks

    To make all locations on the Contoso, LTD. extranet reachable, the following static route is created:

    • Destination: 172.31.0.0

    • Network Mask: 255.255.0.0

    • Metric: 1

  • Dial-Out Credentials

    • User Name: Fabrikam, Inc.

    • Domain: contoso.example.com

    • Password: Y8#-vR7?]fI

    • Confirm Password: Y8#-vR7?]fI

L2TP/IPSec-Based Extranet for Business Partners

Blue Yonder Airlines is a business partner that uses a Windows Server 2003 router to create an on-demand, L2TP/IPSec-based, site-to-site VPN connection with the Contoso, LTD. VPN server in New York as needed. When the connection is created and is idle for five minutes, the connection is terminated. The Blue Yonder Airlines router is connected to the Internet by using a permanent WAN connection.

To deploy an L2TP/IPSec, one-way initiated, on-demand, site-to-site VPN connection to the corporate office based on the settings configured in the “Common Configuration for the VPN Server” and “Extranet for Business Partners” sections of this chapter, the following settings are configured on the Blue Yonder Airlines router.

Certificate Configuration

The Blue Yonder Airlines router was configured by the Contoso, LTD. network administrator while it was physically connected to the Contoso, LTD. intranet. It was then shipped to the network administrator at Blue Yonder Airlines. While the Blue Yonder Airlines router was connected to the Contoso, LTD. intranet, a computer certificate was installed through auto-enrollment.

Demand-Dial Interface for Site-to-Site VPN Connection

To connect the Blue Yonder Airlines router to the Contoso, LTD. VPN server by using a site-to-site VPN connection over the Internet, the network administrator created a demand-dial interface using the Demand-Dial Interface Wizard with the following settings:

  • Interface Name: Contoso

  • Connection Type: Connect Using Virtual Private Networking (VPN)

  • VPN Type: Layer 2 Tunneling Protocol (L2TP)

  • Destination Address: 207.209.68.1

  • Protocols And Security: The Route IP Packets On This Interface check box is selected.

  • Static Routes For Remote Networks

    To make all locations on the Contoso, LTD. extranet reachable, the following static route is created:

    • Destination: 172.31.0.0

    • Network Mask: 255.255.0.0

    • Metric: 1

  • Dial-Out Credentials:

    • User Name: Blue Yonder Airlines

    • Domain: contoso.example.com

    • Password: W@8c^4r-;2\

    • Confirm Password: W@8c^4r-;2\




Deploying Virtual Private Networks With Microsoft Windows Server 2003
Deploying Virtual Private Networks with Microsoft Windows Server 2003 (Technical Reference)
ISBN: 0735615764
EAN: 2147483647
Year: 2006
Pages: 128

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net