Addressing VPN Design Considerations


EXAM 70-293 OBJECTIVE 3.3, 3

Rather than using individual modem or ISDN ports for remote access, you can configure a VPN (virtual private network) and enable any number of connections through the Internet. A VPN uses an encrypted tunnel to create a secure virtual connection and transmit private data over the public network.

Although using a VPN for remote access does not require any special hardware beyond an Internet connection for clients and the RRAS server, there are still a number of choices you must make when planning a VPN strategy. These include the VPN protocols you will support, the need for machine certificates, IP filtering, and remote access policies.

Selecting VPN Protocols

A VPN connection is created through the use of a tunneling protocol (sometimes called a VPN protocol) supported by both the client and the server. Windows Server 2003 supports two tunneling protocols:

  • PPTP (Point-to-Point Tunneling Protocol) is an Internet standard for VPN connections based on PPP (Point-to-Point Protocol). PPTP uses MPPE (Microsoft Point-to-Point Encryption) to encrypt data.

  • L2TP (Layer 2 Tunneling Protocol) is a newer tunneling protocol standard, developed in cooperation between Microsoft and Cisco. L2TP is used with IPSec (IP Security) to provide encryption.

You can support one or both of these VPN protocols in your remote access strategy. Which protocols you support depends on the needs of clients, the requirements for public-key security, and whether you need the higher-security features of L2TP. These considerations are discussed in the following sections.

Client Support

Of course, a major factor in deciding which tunneling protocols you should support is the protocols supported by the client machines. The following is a summary of the VPN tunneling protocol support of Windows clients:

  • PPTP is supported by Windows 95, Windows 98, Windows ME, Windows NT 4.0 and later, Windows 2000, Windows XP, and Windows Server 2003.

  • L2TP is supported by Windows 2000, Windows XP, and Windows Server 2003.

If you are supporting non-Windows clients, you should determine which VPN protocols they support. The easiest way to support a wide variety of clients is to enable both VPN protocols at the server level; clients that support L2TP will use it, and other clients will use PPTP.

Data Integrity and Sender Authentication

Along with the data confidentiality that both encryption protocols provide, the IPSec encryption used with L2TP supports two features that are not available with PPTP and MPPE. You should make sure your network supports L2TP if you require either of the following:

  • Data integrity: L2TP over IPSec verifies the integrity of data by using hash algorithms (checksums), so a packet that was altered in transit is detected and rejected.

  • Sender authentication: IPSec provides mutual authentication of the client computer and the VPN server. This authentication is based on PKI (Public Key Infrastructure) certificates and is in addition to the user authentication handled by protocols such as MS-CHAP v2 and EAP-TLS.
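The data integrity point above is easiest to see with a toy model. The following Python is an added illustration, not code from the study guide or from Windows: a stream-cipher channel that offers confidentiality only (the MPPE situation) is compared with the same channel plus a keyed hash over each packet (the encrypt-then-HMAC pattern IPSec ESP uses). The keystream construction, key bytes and payload are constructed for the demo; real IPSec keys come from the IKE negotiation, and IPSec's HMAC-SHA1-96 truncates the tag to 12 bytes where this model keeps all 20.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo keys, fixed so the example runs offline.
ENC_KEY = b"demo-encryption-key"
MAC_KEY = b"demo-integrity-key"
TAG_LEN = 20  # full HMAC-SHA1 output (IPSec's HMAC-SHA1-96 keeps 12 bytes)


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 of key||counter, concatenated. It stands in
    for the stream cipher (RC4 in MPPE); only the XOR structure matters."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(plaintext: bytes) -> bytes:
    """Confidentiality only: ciphertext = plaintext XOR keystream."""
    ks = keystream(ENC_KEY, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_only(ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation. Nothing
    here can tell whether the ciphertext arrived unchanged."""
    return encrypt_only(ciphertext)


def encrypt_with_integrity(plaintext: bytes) -> bytes:
    """Encrypt, then append a keyed hash (HMAC) over the ciphertext, which is
    how ESP adds data integrity to confidentiality."""
    ct = encrypt_only(plaintext)
    tag = hmac.new(MAC_KEY, ct, hashlib.sha1).digest()
    return ct + tag


def decrypt_with_integrity(message: bytes) -> Optional[bytes]:
    """Recompute the HMAC before decrypting. Return None (packet rejected)
    when the tag does not match, as ESP discards such packets."""
    if len(message) < TAG_LEN:
        return None
    ct, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_only(ct)


def damage_in_transit(message: bytes, index: int) -> bytes:
    """Flip one bit of one byte to model a packet altered between sender
    and receiver (by noise or by a third party on the public network)."""
    b = bytearray(message)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    payload = b"amount=100"  # constructed sample payload
    # Confidentiality only: the damaged packet decrypts to different data
    # and the receiver has no way to notice.
    print(decrypt_only(damage_in_transit(encrypt_only(payload), 7)))
    # With integrity: the same damage is detected and the packet dropped.
    print(decrypt_with_integrity(damage_in_transit(encrypt_with_integrity(payload), 7)))
```

Flipping one ciphertext bit in a stream cipher flips exactly the matching plaintext bit, so the confidentiality-only channel silently delivers `amount=000`; the HMAC-protected channel returns `None` for the same packet. This is the property the book means by data integrity, and it is the reason the checksum has to be keyed: an unkeyed hash could simply be recomputed by whoever altered the packet.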

PKI Requirements

To support L2TP over IPSec for VPN connections, you need to install computer certificates at both the VPN server and the clients. If you do not have an existing certificate server configured on the network, this might require additional planning and configuration. PPTP does not require a PKI at all and is the only choice if you do not wish to install certificates.

Installing Machine Certificates

To use IPSec with L2TP, you need to install computer certificates at each client for encryption. Windows 2000 and Windows Server 2003 support auto-enrollment, a feature that automatically distributes certificates to computers the first time they connect to the network. If you are not using auto-enrollment, you can manually request a certificate for the computer. You can do this using the Certificates MMC snap-in or by connecting to the certificate server with a Web browser.

Test Day Tip

IPSec also supports user certificates. To complete a VPN connection with L2TP over IPSec, you will need a computer certificate and either a user certificate or smart card. Smart cards are described later in this chapter. Windows Server 2003 supports auto-enrollment for user certificates, unlike Windows 2000.

If you do not have a certification authority (CA) on the network, you can install Certificate Services on a domain controller. Exercise 7.03 explains how to set up the Certificates MMC snap-in and request a certificate.

Exercise 7.03: Requesting a Computer Certificate


Follow these steps to configure the Certificates MMC snap-in and request a certificate.

  1. Type mmc in the Run dialog box to start the management console.

  2. An empty console is displayed. Select File | Add/Remove Snap-in from the menu.

  3. Click Add and select Certificates from the list of snap-ins. Click Add.

  4. A dialog box prompts you to choose whether the console will manage user or computer certificates. Select Computer account and click Next.

  5. The Select Computer dialog box is displayed. Select Local Computer and click Finish.

  6. Click Close and then OK to return to MMC.

  7. Click the + icon next to Certificates (Local computer) to expand it. The certificate categories are now listed as folders, as shown in Figure 7.4.

    Figure 7.4: Certificates MMC Snap-In

  8. Select Personal in the left column, and then select Action | All Tasks | Request New Certificate from the menu.

  9. The Certificate Request Wizard displays an introductory dialog box. Click Next to continue.

  10. You are prompted for the type of certificate to request. Select Computer and click Next.

  11. The Certificate Friendly Name and Description dialog box is displayed, as shown in Figure 7.5. Enter a name and description and click Next.

    Figure 7.5: Certificate Friendly Name and Description

  12. A completion message is displayed. Click Finish to exit.


Configuring Firewall Filters

Because a VPN server is connected to the Internet, it is often used in conjunction with a software or hardware firewall to prevent unauthorized Internet traffic from reaching the internal network. You can arrange the firewall and VPN server in one of two ways:

  • The VPN server is directly connected to the Internet and the firewall separates it from the internal network.

  • The firewall is connected to the Internet and the VPN server is behind the firewall.

Figure 7.6 shows these two configurations.

Figure 7.6: Firewall Configurations

The more common of the two arrangements is to connect the firewall to the Internet and keep the VPN server behind the firewall. In this scenario, you set up packet filters on the firewall that allow VPN traffic through to the VPN server. Because the VPN connection between the client and server handles authentication and encryption itself, passing this traffic does not represent a security risk.
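What "allow VPN traffic through the firewall" means in practice is a short list of permit rules for each tunneling protocol, with everything else denied. The following Python is an added model, not code from the study guide or from any firewall product: a stateless first-match filter with default deny, loaded with the standard port and protocol numbers for PPTP (TCP 1723 plus GRE, IP protocol 47) and L2TP/IPSec (UDP 500 for IKE, UDP 4500 for NAT traversal, and ESP, IP protocol 50). Those numbers are the IANA assignments, not values taken from the page; the two IP addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers
TCP, UDP, GRE, ESP = 6, 17, 47, 50

VPN_SERVER = "203.0.113.10"   # constructed placeholder: the VPN server's public address
INTERNAL_HOST = "10.0.0.25"   # constructed placeholder: a host behind the firewall


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: int
    dport: Optional[int] = None  # GRE and ESP carry no port numbers


@dataclass(frozen=True)
class Rule:
    name: str
    dst: str
    proto: int
    dport: Optional[int] = None  # None: match regardless of port

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst != self.dst or pkt.proto != self.proto:
            return False
        return self.dport is None or pkt.dport == self.dport


def vpn_inbound_rules(vpn_server: str, pptp: bool = True, l2tp: bool = True) -> List[Rule]:
    """Permit rules for Internet-to-VPN-server traffic. Open only the
    protocols the RRAS server will actually offer."""
    rules: List[Rule] = []
    if pptp:
        rules.append(Rule("PPTP control channel", vpn_server, TCP, 1723))
        rules.append(Rule("PPTP tunneled data (GRE)", vpn_server, GRE))
    if l2tp:
        rules.append(Rule("IKE negotiation", vpn_server, UDP, 500))
        rules.append(Rule("IKE/ESP over UDP (NAT traversal)", vpn_server, UDP, 4500))
        # L2TP itself (UDP 1701) rides inside ESP, so the firewall never
        # needs a rule for it; it only sees ESP.
        rules.append(Rule("ESP-protected L2TP", vpn_server, ESP))
    return rules


def filter_packet(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """First-match filter with default deny: returns the permitting rule's
    name, or None when the packet would be dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name
    return None


if __name__ == "__main__":
    rules = vpn_inbound_rules(VPN_SERVER)
    for pkt in (Packet(VPN_SERVER, TCP, 1723), Packet(VPN_SERVER, ESP),
                Packet(VPN_SERVER, UDP, 1701), Packet(INTERNAL_HOST, TCP, 445)):
        print(pkt, "->", filter_packet(rules, pkt) or "DROP")
```

Two details the model makes visible: GRE and ESP are IP protocols, not TCP or UDP ports, so a firewall that can only filter on ports cannot pass PPTP or L2TP/IPSec data; and the rules are scoped to the VPN server's address, so the same protocols addressed to an internal host are still dropped. If you decide under "Selecting VPN Protocols" to offer only one tunneling protocol, the corresponding rules should not be opened at all.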

Creating Access Policies

After you have configured a VPN server and the required certificates, you can use Remote Access Policies to control access to the VPN. This enables you to restrict access by user or group, restrict the authentication methods allowed, control the encryption methods that can be used, and a variety of other settings. Remote Access Policies are explained in detail later in this chapter.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
Year: 2003
Pages: 173