Implementing Virtual Private Networks (VPNs)


EXAM 70-293 OBJECTIVE 2, 2.3

Traditionally, when you are setting up a private network that spans multiple locations, you use one or more private wide area network (WAN) links to connect the locations (for example, T1 lines). While this provides secure high-speed communication between the locations, it is also relatively expensive. A VPN eliminates the need for dedicated WAN links by taking advantage of readily available connections to the public Internet.

A VPN is defined as a private network that uses virtual links through a public network rather than dedicated WAN links. These virtual connections use a technology called tunneling to encrypt private data and encapsulate it in packets to be transmitted over the public network.

Windows Server 2003 includes VPN functionality as part of RRAS. You can configure a Windows Server 2003 machine to act as a VPN server, which manages the VPN connections between clients or networks.

Test Day Tip

One advantage of using a VPN connection, rather than a dedicated leased line, is that the VPN connection is flexible. For example, if you move a location, all that is required to reconnect to the VPN is an Internet connection of any type.

Internet-based VPNs

One common use for a VPN server is to allow clients to remotely access the network. For example, you might have employees who work from home or who need network access from their laptops while on the road. Traditionally, this would require a pool of modems and a dial-up RRAS server, or a dedicated WAN link. With a VPN, since remote clients often have Internet connectivity, you can configure a VPN server to accept connections from these clients over the Internet. This provides them with a secure connection to the network without the need for modems or phone lines, and it often saves money, since a client can use a low-cost ISP with a local phone number rather than making a long-distance call.

Note

Microsoft refers to a VPN connection used for remote access as an Internet-based VPN. This is also known as a client-server VPN connection. The other type is a router-to-router connection. Although both types use the Internet for connectivity, Internet-based VPN refers to client-server connections.

How Internet-based VPNs Work

Figure 5.7 shows how a typical Internet-based VPN works. The remote client connects to the public Internet and uses VPN client software to initiate a connection with the VPN server. Communications for the VPN are encrypted and encapsulated into packets sent over the Internet.

Figure 5.7: Communications in an Internet-based VPN

Configuring Internet-based VPNs

RRAS supports the protocols needed for a VPN. You can configure these individually or use the RRAS Setup Wizard to configure a VPN server. Exercise 5.03 guides you through the process of configuring a VPN server using the Wizard.

Exercise 5.03: Configuring A VPN Server Using the Wizard

start example

If you have not yet configured RRAS on a server, you can use the Routing and Remote Access Server Setup Wizard to configure the server with the basic options for a VPN server.

Note

If you have previously configured the server to use RRAS, in order to perform this exercise you will need to first disable it. To do so, right-click the RRAS server name in the left console panel of the Routing and Remote Access MMC and select Disable Routing and Remote Access.

Follow these steps to configure the VPN server:

  1. Select Start | Programs | Administrative Tools | Routing and Remote Access to start the Routing and Remote Access MMC snap-in.

  2. Click the RRAS server name (usually the current machine) in the left column to highlight it.

  3. From the menu, select Action | Configure and Enable Routing and Remote Access.

  4. The Routing and Remote Access Server Setup Wizard displays a Welcome window. Click Next to continue.

  5. The Configuration window appears (see Figure 5.1, earlier in the chapter). Select Virtual Private Network (VPN) access and NAT from the list and click Next.

  6. The Wizard displays a final confirmation window, as shown in Figure 5.8. Click Finish to enable the RRAS and VPN features.

    Figure 5.8: Completing the Routing and Remote Access Server Setup Wizard

  7. A dialog box asks whether you wish to start the RRAS service at this time. Click Yes.

    Windows Server 2003 next starts the RRAS service and can accept VPN connections. You are returned to the Routing and Remote Access MMC snap-in, where you can customize the settings for the VPN server.

end example

Router-to-Router VPNs

While an Internet-based VPN provides easy remote access for individual clients, you can also configure a larger-scale VPN to connect two geographically separated LANs. A router-to-router VPN requires an Internet connection for each LAN, and it encapsulates traffic on the Internet to create a virtual WAN between the locations.

A router-to-router VPN can either use demand-dial connections, creating the VPN only when it is required for traffic between the networks, or persistent connections for an always-on VPN. In either case, it can save money, since Internet connectivity is usually available at a lower cost than a dedicated WAN link between geographically separated sites. The longer the distance, the more money you are likely to save.

On Demand/Demand-Dial Connections

A demand-dial connection is often the most practical choice for small remote sites that only occasionally require VPN connectivity. RRAS supports one or more demand-dial connections. You can configure a connection using the Network Interfaces node in the RRAS MMC snap-in. Exercise 5.04 demonstrates how to add a new demand-dial interface.

Exercise 5.04: Configuring a Demand-Dial Interface

start example

You can add a new demand-dial interface on any RRAS computer that has RRAS configured. If you have not yet configured and enabled RRAS, see the instructions earlier in this chapter. Follow these steps to create a new demand-dial interface:

  1. From the Routing and Remote Access MMC snap-in, right-click the Network Interfaces item in the left column and select New Demand-dial Interface.

  2. The Demand-Dial Interface Wizard displays an introductory message. Click Next to continue.

  3. You are prompted for a name for the new interface, as shown in Figure 5.9. Enter the name and click Next.

    Figure 5.9: Enter a Name for the Demand-Dial Interface

  4. The Connection Type window appears. Select Connect using virtual private networking (VPN) and click Next.

  5. The VPN Type window is displayed. You can choose one of the VPN protocols (described in the “VPN Protocols” section later in this chapter). Select Automatic selection and click Next.

  6. You are prompted for the host name or IP address of the remote router. Enter an address or name and click Next.

  7. The Protocols and Security window is displayed, as shown in Figure 5.10. Enable the Route IP packets on this interface option and click Next.

    Figure 5.10: Choose Protocols and Security Options

  8. The Static Routes for Remote Networks window is displayed. Click Add to add a static route. Specify a destination address and subnet mask, and then click OK.

  9. Click Next to continue.

  10. The Dial Out Credentials window is displayed. Enter a username, domain name, and password to connect to the remote network, and then click Next.

  11. The Wizard displays a completion message. Click Finish to complete the configuration of the demand-dial interface.

    After you have completed this process, the new interface you created is listed in the Network Interfaces section of the Routing and Remote Access MMC snap-in. You can select this entry and open its Properties dialog box to change the configuration.

end example

One-Way versus Two-Way Initiation

You can configure a demand-dial VPN with either one-way or two-way initiation:

  • In one-way initiation, one VPN server is configured to accept demand-dial connections, and the other initiates the connection.

  • In two-way initiation, both VPN servers are configured to accept connections. Whenever a client of one server requires access to the VPN, it initiates a connection to the other server.

Persistent Connections

Instead of using a demand-dial connection, a VPN server can use a persistent (always-on) connection to the Internet, such as an existing Digital Subscriber Line (DSL) connection. If the computer you are using as the VPN server is configured to use this type of Internet connection, it can be made available to VPN clients. To create a new persistent connection, select Start | Control Panel | Network Connections | New Connection Wizard.

Remote-Access Policies

You can secure a demand-dial connection in the same way that you secure a connection for a remote user. The calling router requires a user account on the VPN server. You can either set the Allow Access option in the Dial-in properties of that user account to explicitly allow access, or, if access is controlled through a Remote Access Policy, ensure that the policy grants the appropriate user remote access permissions. If you are using RADIUS authentication (explained in the “Using Internet Authentication Service (IAS)” section later in this chapter), the policy is configured on the RADIUS server rather than on the RRAS server.

Each remote-access policy is associated with a dial-in profile, which allows you to configure how the connection can be used. You can use the policy and profile settings to configure the authentication methods allowed, the hours in which dialing out is allowed, and other settings. These options are explained in detail in Chapter 7.

VPN Protocols

A VPN is created using a tunneling protocol. This is a standard communication protocol that creates a tunnel through the public network and transmits private data in encrypted form.

This is accomplished using encapsulation, a process that encrypts each VPN packet, combines it with a header to form a standard IP datagram, and sends it over the public network. Windows Server 2003 supports two standard tunneling protocols: the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).

PPTP

PPTP is the oldest and most common VPN protocol. PPTP is based on the Point-to-Point Protocol (PPP), which is typically used for dial-up connections. PPTP encapsulates PPP frames into IP packets, encrypts the data, and transmits them over the Internet.

PPTP in Windows Server 2003 is based on the existing PPP infrastructure and supports the same authentication methods as PPP, such as the Password Authentication Protocol (PAP) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). When a stronger authentication method such as MS-CHAP is used (rather than PAP), PPTP supports Microsoft Point-to-Point Encryption (MPPE), a strong method of encrypting VPN traffic before allowing it to traverse the public network.

L2TP

L2TP is a more recent tunneling protocol that offers additional features over PPTP. L2TP is a generic tunneling protocol that can encapsulate packets of many types for transmission over a network. Unlike PPTP, L2TP does not include encryption. Windows Server 2003 VPNs use the IP Security protocol (IPSec) to encrypt data sent over an L2TP tunnel. This provides end-to-end encryption and greater security than the MPPE encryption used with PPTP. Refer to Chapter 7 for more details on tunneling protocols.

VPN Security

A VPN combines encapsulation with encryption to create a connection between two systems. Depending on the VPN tunneling protocol you use, one of two encryption protocols is used to encrypt the data before it passes through the public network: MPPE or IPSec.

MPPE

MPPE is used with VPNs created by PPTP. MPPE provides encryption for the tunnel only; it does not provide end-to-end encryption from the client to the VPN server. MPPE requires that the client and server support either the MS-CHAP or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication method. These methods are described in detail in the “Authentication Methods” section later in this chapter.

IPSec

IPSec is an Internet standard for encrypted IP traffic. Since the L2TP tunneling protocol does not include encryption by itself, IPSec is used to encrypt the data before it is encapsulated across the tunnel. Unlike MPPE, IPSec does provide end-to-end encryption. You can use IPSec over an established PPTP link to add end-to-end encryption.

Test Day Tip

IPSec also supports tunnel mode, a built-in ability to create a VPN tunnel without the use of L2TP. This mode works only with router-to-router VPNs. It is an advanced feature and is only necessary to support certain hardware that does not support the standard PPTP or L2TP tunneling protocols.
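The “VPN Protocols” and “VPN Security” sections above describe PPTP and L2TP/IPSec in terms of encapsulation and encryption; what a firewall administrator or packet-capture analyst actually sees is a handful of IP protocol numbers and ports. The following Python script is an added example, not code from the study guide. It builds a few constructed IPv4 packets and classifies each by the tunneling protocol it carries, using the standard assignments for these protocols (PPTP control on TCP 1723, PPTP data in GRE, L2TP on UDP 1701, IPsec IKE on UDP 500/4500, and IPsec ESP as IP protocol 50). It also flags L2TP packets that appear on the wire without an IPsec wrapper, since, as the text notes, L2TP by itself provides no encryption.

```python
"""Classify constructed IPv4 packets by VPN tunneling protocol (added example).

The protocol numbers and ports below are the standard assignments used by
PPTP and L2TP/IPsec; the packets themselves are constructed test data.
"""
import struct
from collections import Counter

# IP protocol numbers and well-known ports (standard assignments).
IP_PROTO_TCP, IP_PROTO_UDP, IP_PROTO_GRE, IP_PROTO_ESP = 6, 17, 47, 50
PPTP_CTRL_PORT, L2TP_PORT, IKE_PORT, IKE_NAT_T_PORT = 1723, 1701, 500, 4500


def build_ipv4(proto, src, dst, payload):
    """Return a minimal 20-byte IPv4 header (no options) followed by payload.

    Constructed input only: the header checksum is left as zero because
    nothing in this example validates it.
    """
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes(src), bytes(dst))
    return header + payload


def build_ports(src_port, dst_port):
    """Only the first four bytes (source/destination port) matter here."""
    return struct.pack("!HH", src_port, dst_port) + b"\x00" * 16


def classify(packet):
    """Label a raw IPv4 packet by the VPN tunneling protocol it belongs to."""
    if len(packet) < 20:
        return "malformed"
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        return "not-ipv4"
    ihl = (version_ihl & 0x0F) * 4            # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]                          # IP protocol field
    if proto == IP_PROTO_GRE:
        # PPTP carries its PPP frames in GRE; GRE is not exclusive to PPTP,
        # so a firewall rule for PPTP must still allow IP protocol 47.
        return "gre (PPTP data channel)"
    if proto == IP_PROTO_ESP:
        # With L2TP/IPsec the L2TP packet is encrypted inside ESP, so the
        # UDP 1701 header is not visible from outside the tunnel.
        return "ipsec-esp"
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP):
        if len(packet) < ihl + 4:
            return "malformed"
        src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
        ports = {src_port, dst_port}
        if proto == IP_PROTO_TCP and PPTP_CTRL_PORT in ports:
            return "pptp-control (TCP 1723)"
        if proto == IP_PROTO_UDP:
            if L2TP_PORT in ports:
                # L2TP visible in the clear: no IPsec protection on this link.
                return "l2tp-plaintext (UDP 1701)"
            if IKE_PORT in ports or IKE_NAT_T_PORT in ports:
                return "ipsec-ike"
    return "other"


def summarize(packets):
    """Count packets per label, the view a capture analyst would start from."""
    return Counter(classify(p) for p in packets)


def unencrypted_l2tp_count(packets):
    """Number of L2TP packets seen without an IPsec wrapper (worth alerting on)."""
    return summarize(packets)["l2tp-plaintext (UDP 1701)"]


# Constructed sample traffic between a remote client and a VPN server.
CLIENT, SERVER = (192, 0, 2, 10), (198, 51, 100, 5)
SAMPLE_PACKETS = [
    build_ipv4(IP_PROTO_TCP, CLIENT, SERVER, build_ports(40000, PPTP_CTRL_PORT)),
    build_ipv4(IP_PROTO_GRE, CLIENT, SERVER, b"\x30\x01\x88\x0b" + b"\x00" * 8),
    build_ipv4(IP_PROTO_UDP, CLIENT, SERVER, build_ports(IKE_PORT, IKE_PORT)),
    build_ipv4(IP_PROTO_ESP, CLIENT, SERVER, b"\x00" * 16),
    build_ipv4(IP_PROTO_UDP, CLIENT, SERVER, build_ports(L2TP_PORT, L2TP_PORT)),
    build_ipv4(IP_PROTO_TCP, CLIENT, SERVER, build_ports(40001, 443)),
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_PACKETS).items()):
        print(f"{count:3d}  {label}")
    print("plaintext L2TP packets:", unencrypted_l2tp_count(SAMPLE_PACKETS))
```

The practical takeaway for a perimeter firewall follows directly from the labels: a PPTP server needs TCP 1723 plus IP protocol 47 (GRE) permitted, while an L2TP/IPSec server needs UDP 500 (and UDP 4500 when NAT traversal is in play) plus IP protocol 50 (ESP); a bare UDP 1701 flow on the Internet side of the link indicates an L2TP tunnel that IPSec is not protecting.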


MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003