Lesson 3:Configuring Remote Access Clients

You can configure clients to connect to a remote access server in one of two ways: by using the network connection properties or by using the Connection Manager Administration Kit (CMAK). Manually configuring a connection by using network connection properties is convenient when you are using the default security settings or when you need to configure fewer than ten clients. However, it would not be possible to configure and maintain VPN or dial-up network connection configurations on hundreds or thousands of client computers.

The CMAK allows you to easily configure large numbers of clients by creating an executable file that you can distribute to your users. When your users run the file, it creates a dial-up or VPN connection with your customized security settings. If you later change authentication or encryption methods, you can re-run the CMAK and distribute a new executable file to overwrite the previous configuration. You can even automate the distribution of the CMAK executable file by distributing it with a Group Policy object.

After this lesson, you will be able to

• Manually create a dial-up or VPN connection.

• Customize the authentication and encryption protocols accepted by a client for a remote access connection.

• Use the CMAK wizard to create an executable file that a user can use to automatically create a remote access connection with customized security settings.

Estimated lesson time: 30 minutes

Configuring Client-Side Authentication Protocols

You create a remote access connection by using the New Connection Wizard, as described in Lesson 2, Exercise 2. However, the New Connection Wizard does not allow you to configure the acceptable authentication or encryption settings for the connection. To view or modify the authentication protocols enabled for a remote access connection on the client, open the properties dialog box of the dial-up or VPN connection on the client, and then click the Security tab.

Figure 12.10 shows the default settings on the Security tab. The Typical option is selected, and a secured password and data encryption are required. Automatically Use My Windows Logon Name And Password is not selected. This default setting is the more secure choice. If you choose to automatically use the current credentials, an intruder who takes over the active desktop of the client can successfully authenticate and connect to your internal network, potentially compromising far more than a single computer. When the option is cleared, the user must provide credentials each time a connection is made.

Figure 12.10: Default client authentication settings

To enable authentication with a smart card, in the Validate My Identity As Follows list, click Use Smart Card. When the user attempts to connect, the user will be prompted to insert a smart card. Once the smart card is detected, the certificate on the smart card will be used to authenticate the user to the remote access server.

The Typical setting, by default, requires a secured password and data encryption, but it does not give you any control over which specific protocols are used. To control these, click Advanced, and then click the Settings button. The Advanced Security Settings dialog box appears, as shown in Figure 12.11.

Figure 12.11: Advanced client authentication settings

This dialog box enables you to specify a minimum allowable encryption level by using the Data Encryption list. You can choose to allow encryption if available, require it, or require the highest encryption level. If the server is not capable of providing encryption, the VPN session will fail. You can also choose to disallow encryption. However, you should only use this setting for troubleshooting purposes.

The Advanced Security Settings dialog box also allows you to choose EAP authentication, which you will use when authenticating with a smart card or a public key certificate. Clicking the Properties button enables you to configure server validation and trusted root CAs. Alternatively, you can click Allow These Protocols and then select the acceptable authentication protocols.

There is one other configuration option on the network: the preshared key for L2TP/ IPsec VPN connections. To specify this preshared key, click the IPSec Settings button on the Security tab of the Network Connection Properties dialog box. Then select the Use Preshared Key For Authentication check box and type the preshared key.

CMAK Wizard

Manually configuring remote access connections on clients is straightforward, but configuring hundreds or thousands of clients would be impossible. Unfortunately, you cannot use Group Policy objects to directly control a user’s available network connections. However, you can use the CMAK to create an executable file that you can deploy to users. When users run this file, the CMAK adds a connection by using the settings you specified with the CMAK wizard.

Though most of the pages of the wizard do not involve security settings, there are several important pages that you can use to control the security settings on the resulting network connection. Specifically, the VPN Entries and Dial-Up Networking Entries pages allow you to restrict authentication and encryption on the client. The VPN Entries and Dial-Up Networking Entries pages are identical, except that the VPN settings allow you to choose between PPTP and L2TP.

Use the VPN Entries page, as shown in Figure 12.12, to add configuration information for your remote access servers. First, click the New button. On the General tab, in the Name box, type a name to identify the VPN server. Then click the Security tab to edit the authentication and encryption settings.

Figure 12.12: Configuring VPN servers and security settings

The Security tab allows you to configure either basic or advanced security settings. Basic settings are supported by any client, but advanced settings are supported only by Windows 2000, Windows XP, and Windows Server 2003 clients. If all remote access clients are using Windows 2000 or later, you should click the Security Settings list and then select Use Advanced Security Settings. Otherwise, leave the default setting of Use Both Basic And Advanced selected.

To configure the basic security settings for all clients, click the basic security settings Configure button. The Basic Security Settings dialog box appears, as shown in Figure 12.13. Selecting Require A Microsoft Secured Password causes the client to disconnect if the server does not support MS-CHAP v1 or MS-CHAP v2, and selecting the Require Data Encryption check box causes the client to disconnect if encryption is not available. By default, the client will always use PPTP. If you prefer L2TP/IPSec, click Use L2TP/IPSec If Available, and optionally specify that a preshared key should be used.

Figure 12.13: Editing basic VPN security settings by using the CMAK wizard

To configure the advanced security settings for Windows 2000, Windows XP, and Windows Server 2003 clients, click the advanced security settings Configure button. The Advanced Security Settings dialog box appears, as shown in Figure 12.14. By default, encryption is required and MS-CHAP v1 or MS-CHAP v2 authentication is used. Click the VPN Strategy list to choose whether the client prefers PPTP or L2TP connections.

Figure 12.14: Editing advanced VPN security settings by using the CMAK wizard

If you are using public key certificates or smart cards for authentication, click Use Extensible Authentication Protocol (EAP), and then select Smart Card Or Other Certificate. You can then click the Properties button to open the Smart Card Or Other Certificate Properties dialog box, as shown in Figure 12.15. This dialog box enables you to choose between smart cards and public key certificates and to configure server verification and trusted root CAs.

Figure 12.15: Editing EAP configuration settings

Additionally, the License Agreement page enables you to prompt the user to agree to a license agreement before connecting. Work with your organization’s legal team to create a license agreement that you can use to make it easier to enforce your organization’s remote access usage policies. This license agreement appears when the user clicks OK to begin the initial installation of your network connection profile. If the user accepts the license agreement, installation continues. If not, installation is cancelled. Although the license agreement probably won’t prevent users from misusing your network, it can be helpful when disciplining users after they are identified. Use a text- editor program such as Notepad to create your license agreement as a text (.txt) file. To avoid formatting problems, do not use hard returns (forced line breaks) at the end of lines. Line-wrapping for the license agreement is done automatically when the service profile is built.

Practice: Using the CMAK

In this practice, you will use the CMAK on Computer1 to configure a remote access network connection with minimal effort on Computer2.

Exercise 1: Creating a VPN file

In this exercise, you will create a VPN file containing the IP names and IP addresses of imaginary VPN servers on your network.

1. Log on to the cohowinery.com domain on Computer1 by using the Administrator account.

2. Click Start and then click Run. In the Open box, type Notepad. Click OK.

3. In the Untitled – Notepad window, type the following:

   [Settings] default=Coho Winery - Woburn UpdateURL=http://computer1.cohowinery.com/VPNfile.txt Message=Please select a server from the following list. Choose a server closes to your location or to your data.  [VPN Servers] Coho Winery - Woburn=computer1.cohowinery.com Coho Winery - Redmond=computer4.cohowinery.com Coho Winery - Pflugerville=computer5.cohowinery.com Coho Winery – San Francisco=computer6.cohowinery.com

4. On the File menu, click Save.

5. In the File Name box, type C:\Inetpub\Wwwroot\VPNfile.txt. Click Save.

   Notice that the UpdateURL line in the file is set to http://computer1.cohowinery.com/VPNfile.txt. This URL relates to C:\Inetpub\Wwwroot\VPNfile.txt. Therefore, you can later update the VPN file and clients will automatically receive the updates.

6. Close Notepad.

Exercise 2: Installing the Connection Manager Administration Kit

In this exercise, you will install the CMAK.

1. Log on to the cohowinery.com domain on Computer1 by using the Administrator account.

2. Click Start, point to Control Panel, and then click Add Or Remove Programs.

3. Click Add/Remove Windows Components.

4. Click Management And Monitoring Tools, and then click the Details button.

5. Select the Connection Manager Administration Kit and Connection Point Services check boxes. Click OK.

6. Click Next. When the Optional Network Components dialog box appears, click Yes. Click Finish.

Exercise 3: Creating a service profile

In this exercise, you will create a service profile with the CMAK.

1. Start the CMAK Wizard by clicking Start, pointing to Administrative Tools, and then clicking Connection Manager Administration Kit.

   The CMAK Wizard appears.

2. Click Next. On the Service Profile Selection page, click New Profile, and then click Next.

3. On the Service And File Names page, type Coho Winery VPN in the Service Name box.

   The service name will appear in several places, including in the title bar of the logon dialog box, in the Connection Manager installation dialog boxes, and as the name of the network connection.

4. Type Coho-VPN in the File Name box. Click Next.

5. On the Realm Name page, accept the default setting of Do Not Add A Realm Name To The User Name, and then click Next.

   You only need to specify a realm name for dial-up access. This would be useful, for example, if users were connecting through an ISP but were being authenticated by your RADIUS server.

6. On the Merging Profile Information page, click Next.

7. On the VPN Support page, select the Phone Book From This Profile check box. Click Allow The User To Choose A VPN Server Before Connecting. Click the Browse button. In the File Name box, type C:\Inetpub\Wwwroot\VPNfile.txt. Click Open, and then click Next.

8. On the VPN Entries page, click Coho Winery VPN Tunnel, and then click Edit. Click the TCP/IP Settings tab.

   Notice that, by default, the Make This Connection The Client’s Default Gateway check box is selected. This causes clients to route all traffic through your VPN server to your private network, even if the traffic is destined for the public Internet. In other words, when this check box is selected, traffic destined for the public Internet will travel through the VPN tunnel to your VPN server and then through your private network and back onto the Internet. This causes Internet access to seem very slow for the end user but allows you to route the client’s traffic through your firewall, which might reduce the likelihood of the client being infected by a worm or virus on the Internet and then spreading that worm or virus to your internal network.

9. Click the Security tab. In the Security Settings list, click Use Advanced Security Settings.

   In this exercise, there are no Windows NT 4.0, Windows 95, Windows 98, or Windows ME clients. Therefore, you can choose to use only the advanced security settings without causing problems for any previous versions of Windows.

10. Click the Advanced Security Settings Configure button. Verify that Require Encryption is selected in the Data Encryption list.

    Note that you can choose to not use encryption. This would reduce the processing time required to maintain the VPN connection, but your data could be subject to eavesdropping.

11. Verify that Authentication Methods is selected.

    If you wanted to authenticate by using a smart card or a public key certificate, you would select Use Extensible Authentication Protocol (EAP) and then select Smart Card Or Other Certificate. You could then click the Properties button to configure a user certificate, in a manner similar to the way you configure certificates for authenticating wireless connections.

    Notice that MS-CHAP and MS-CHAP v2 are enabled by default. If you know that all your clients will use a single authentication method, you should clear the other check boxes. If you have non-Microsoft clients that must use PAP, SPAP, or CHAP, you will need to enable those authentication methods in this dialog box.

    See Also

    For information on using certificates to authenticate wireless connections, refer to Chapter 10.

12. In the VPN Strategy list, click Try Layer Two Tunneling Protocol First. Click OK twice, and then click Next.

    Notice that, by default, PPTP will be tried first. You can improve the security of your VPN servers by limiting the VPN strategy to either L2TP or PPTP. This practice reduces the potential attack surface. In other words, if a vulnerability is later discovered in either the L2TP or PPTP services, you will not be vulnerable if you do not allow incoming connections with that protocol.

13. On the Phone Book page, clear the Automatically Download Phone Book Updates check box, and then click Next.

14. On the Dial-Up Networking Entries page, click Next. On the Routing Table Update page, click Next.

    Notice that you have the option of manually configuring routing updates that will be applied when a client connects. Earlier in this exercise, you left the Make This Connection The Client’s Default Gateway check box selected. If you had cleared this check box, you would need to specify a route file that contained a list of internal networks so that the client would direct traffic destined for those networks across the VPN instead of to the public Internet.

15. Click Next to accept the default settings on the Automatic Proxy Configuration, Custom Actions, Logon Bitmap, and Help File pages.

16. On the Support Information page, in the Support Information box, type For technical support, contact IT at 555-0199. Click Next.

17. On the Connection Manager Software page, click Next. On the License Agreement page, click Next. On the Additional Files page, click Next. On the Ready To Build The Service Profile page, click Next.

    The CMAK Wizard creates your service profile.

18. Note the location of your service profile, which should be C:\Program Files\Cmak\Profiles\Coho-VPN\Coho-VPN.exe. Click Finish.

Exercise 4: Installing the service profile

In this exercise, you will install the service profile on Computer2 and verify that Computer2 can connect to the VPN.

1. Log on to the cohowinery.com domain on Computer2 by using the Administrator account.

2. Copy the Coho-VPN.exe file from Computer1 to C:\Coho-VPN.exe on Computer2.

3. Click Start, and then click Run. In the Open box, type C:\Coho-VPN.exe. Click OK.

4. In the Coho Winery VPN dialog box, click Yes.

   Notice that the name of the dialog box is the name you specified in Exercise 3.

5. Click My Use Only, and then click OK.

6. The logon dialog box appears. Click the Properties button.

   Notice that the message For technical support, contact IT at 555-0199, which was specified in Exercise 3, appears on the dialog box.

7. In the Coho Winery VPN Properties dialog box, click VPN.

8. Click the VPN Destination list.

   As shown in Figure 12.16, the listing of destinations provided in the VPN file created in Exercise 1 appears. Coho Winery – Woburn appears as the default because it is specified by the default key in the [Settings] section of the VPN file.

   
   Figure 12.16: VPN destinations as specified in the VPN file

9. Click OK.

10. In the User Name box, type User1. In the Password box, type the complex password you created in the exercise in Lesson 2. Click Connect.

    The connection establishes successfully. Notice how simple the process of configuring the client is after you create the service profile by using the CMAK.

11. Right-click the Coho Winery VPN icon for the network connection in the notification area on the taskbar, and then click Status.

12. Click the Details tab. As shown in Figure 12.17, the connection was established by using L2TP, authenticated by using MS-CHAP v2, and encrypted by using IPSec ESP 3DES. Click Close.

    
    Figure 12.17: VPN connection details confirming security configuration

13. Open a command prompt, and run the command ping 192.168.4.1. Computer1 will respond, indicating that the VPN connection is successful.

Lesson Review

The following question is intended to reinforce key information presented in this lesson. If you are unable to answer the question, review the lesson materials and try the question again. You can find answers to the question in the “Questions and Answers” section at the end of this chapter.

1. Which tools can you use to configure authentication and encryption methods for remote access connections on clients? (Choose all that apply.)

   1. The Group Policy Object Editor snap-in

   2. The CMAK Wizard

   3. The network connections properties dialog box

   4. The remote desktops console

Lesson Summary

• You can manually configure remote access authentication and encryption settings on individual client computers by editing the properties of the network connection.

• Use the CMAK Wizard to create executable files that create preconfigured remote access connections on client computers.