Using the Connection Manager Administration Kit (CMAK) to Automate VPN Client Deployment

To assist administrators in the deployment of multiple VPN client configuration settings, Microsoft offers a tool called the Connection Manager Administration Kit (CMAK). This tool, installed as an option on a Windows Server 2003 system (or downloaded for older versions of the OS), allows for custom profiles to be generated and then easily distributed to VPN clients via an executable file.

For example, the CMAK allows administrators to configure complicated VPN connection settings, such as protocol support, VPN server IP address, encryption methods, and more advanced options, and easily distribute them via email or other methods to clients. This greatly simplifies the deployment of a VPN infrastructure that uses ISA Server.

NOTE

If L2TP/IPSec VPNs will be created, using the CMAK helps to automate the connection settings, but does not distribute necessary client certificates. Methods listed in previous sections of this chapter, such as web enrollment of certificates or, preferably, Active Directory autoenrollment, must be run in addition to the CMAK profiles, to allow clients to connect using L2TP/IPSec VPN tunnels.

Installing the Connection Manager Administration Kit (CMAK)

To setup CMAK, it must first be installed as a component on an internal server in the domain. It should not normally be set up on an ISA Server: It is not good practice to install unnecessary tools or services on an ISA Server itself. To install the CMAK, perform the following tasks on the internal member server.

1.	Click Start, Control Panel, Add or Remove Programs.
2.	Click Add/Remove Windows Components.
3.	Scroll down and select the Management and Monitoring Tools component by clicking on the text of the box. Do not check the box or it installs all subcomponents. After it is selected (highlighted), click the Details button.
4.	Check the box labeled Connection Manager Administration Kit, as shown in Figure 9.26. Click OK to continue. Figure 9.26. Installing the Connection Manager Administration Kit (CMAK).
5.	Click Next to continue.
6.	Insert the Windows Server 2003 CD if prompted and click OK.
7.	Click Finish to finalize the CMAK installation.

Creating CMAK Profiles for Client Deployment Automation

After the CMAK is installed on a member server, individual, unique CMAK profiles can be compiled by running through the steps of a CMAK wizard. The wizard allows for a wide variety of options, but this example focuses on setting up CMAK for a simple VPN connection.

1.	Open the CMAK (Start, Administrative Tools, Connection Manager Administra tion Kit).
2.	At the wizard start screen, click Next to continue.
3.	Select New Profile from the Service Profile Selection list and click Next to continue.
4.	Enter a name for the service, and a filename for the executable, such as what is shown in Figure 9.27. Click Next to continue. Figure 9.27. Creating a CMAK VPN profile.
5.	Under the Realm name, select Do Not Add a Realm Name to the User Name (a realm name is not normally required, unless multiple ISPs are used for access), and click Next to continue.
6.	Under Merging Profile Information, the opportunity to import access numbers and existing phone book information from other profiles is available. For a new profile, leave the fields blank and click Next to continue.

The subsequent dialog box, labeled VPN Support and shown in Figure 9.28, is critical. In it, the fully qualified domain name (FQDN) of the ISA Server or its public IP address can be entered and will be automatically set up when the profile is installed. In addition, an option to allow VPN users to choose from multiple servers is listed. This can prove valuable if setting up multiple VPN presences across different geographic areas, for example.

Figure 9.28. Entering VPN Support information into a CMAK Profile.

To continue with the CMAK VPN profile process, do the following:

1.	Check the box labeled Phone Book from this profile, and then enter the FQDN or public IP address of the ISA Server into the field labeled Always Use the Same VPN Server. Click Next to continue.
2.	Under the VPN Entries dialog box, press the New button to create a new entry.
3.	Enter a descriptive name for the entry under the General tab, and review the options under the TCP/IP Settings and Security tab.

The General tab of the New VPN Entry dialog box has two additional options. The Disable File and Printer Sharing option, which affects only Windows NT, 2000, and XP systems, restricts clients from sharing files or printers while they are connected, which may be desired in some cases. The Enable Clients to Log On to a Network option affects only down-level Windows 9x clients, and is normally left checked.

The Security tab of the VPN Entry dialog box, shown in Figure 9.29, is particularly important. This tab allows for the configuration of the type of protocol and encryption support the connection will utilize.

Figure 9.29. Examining the Security tab of the New VPN Entry dialog box.

Under the Security tab, the option to utilize advanced and/or basic settings for the VPN connection are listed. Advanced Security options are relevant only for Windows 2000, 2003, and XP Systems, and can be used by only them. Consequently, if the option for Use Advanced Security Settings is selected in the Security Settings drop-down box, only those types of clients can connect. The Basic security settings apply only to down-level clients, and selecting Use Basic Security Settings from the drop-down box allows for only settings that all clients can use. This effectively dilutes the security options available and is not recommended. Selecting Use Both Basic and Advanced from the drop-down box, however, enables the client OS to determine which settings to use.

Clicking on the Configure tab under the Basic Security Settings tab enables down-level OS protocol options to be specified, which are limited to basic PPTP and L2TP settings.

The Advanced security settings (click on the second Configure button) enable authentication methods to be selected. Take particular care to select only those forms of authentication that provide the greatest amount of security that can be supported by the clients themselves. Ideally, this involves forcing encryption using L2TP only, with MS-CHAP v2 as the only authentication method, as shown in Figure 9.30.

Figure 9.30. Viewing Advanced Security Settings for an ISA VPN entry in CMAK.

The TCP/IP Settings tab can be used to manually assign DNS and WINS servers to VPN clients. This is often handled by internal DHCP servers, so it is not always necessary to fill in these fields. The setting labeled Make This Connection the Client's Default Gateway is important because it can increase the security of your VPN client configuration by forcing the client to send all traffic through the ISA server. This limits the client's capabilities to circumvent organizational security by making sure it complies with all security policies and rules while it is connected to the internal network.

To continue with the configuration process, do the following:

1.	Using the options discussed as a guide, select the appropriate settings from the New Virtual Private Networking Entry dialog box and click OK when finished.
2.	Click Next to continue.
3.	The subsequent dialog box allows for the import of a phone book for dial-up. In this case, as a simple VPN connection profile without dial-up options is being created, uncheck the Automatically Download Phone Book Updates option and leave the remaining fields blank. Click Next to continue.
4.	The subsequent dialog box dictates the creation of a dial-up networking entry. This must be created, but will be disabled in later stages of this setup because it is not needed in the case of a simple VPN connection profile (one that does not require dialing into RAS servers first before tunneling in through VPN). Click the New button to create this.
5.	Enter a descriptive name, accept all defaults, and click OK. NOTE The CMAK requires this dial-up networking entry to be created because originally most VPNs were set up by remote users dialing in via modems to a modem pool at an organization. In today's modern infrastructure, however, it is more common to have VPN clients gain remote access directly over the Internet from high-speed or other ISP dial-up connections. It is important to keep this in mind because this example illustrates the latter scenario, and the dial-up networking entry that is created here is essentially discarded in later steps.
6.	Click Next at the Dial-up Networking Entries dialog box.
7.	Under the Routing Table Update dialog box, accept the default of Do Not Change the Routing Tables and click Next to continue.
8.	Under the Automatic Proxy Configuration dialog box, select the default Do Not Configure Proxy Settings and click Next to continue.

The Custom Actions dialog box, shown in Figure 9.31, allows for custom batch files, executables, and other content to be executed upon connection. This provides for a range of capabilities, such as the running of scripts to provide for VPN Quarantine, described in detail in the next section of this chapter.

Figure 9.31. Adding custom actions to a CMAK Profile.

To continue with the configuration, do the following:

1.	Click Next at the Custom Actions dialog box.
2.	Leave the default graphic as the one illustrated and click Next to continue.
3.	Leave the phone book graphic at the default and click Next to continue.
4.	Leave the default icons the same and click Next to continue.
5.	Notification area shortcuts provide for additional options to be added to the toolbar on the clients. Leave the default of no additional items and click Next.
6.	Use the default help file and click Next.
7.	For the Support Information field, enter information useful to the client, such as "For support, call 1-800-555-5555." Click Next to continue.
8.	The subsequent dialog box enables the Connection Manager client to be installed along with the profile. This may be necessary for some clients that do not have the updated software, so it is common to check this box. Click Next to continue.
9.	If a custom license agreement has been created, it can be entered in the subsequent dialog box. If not, click Next to continue.
10.	The Additional Files option allows for extra files to be included in the profile. These files may be necessary for certain functionality or login scripts to work properly, such as with VPN Quarantine scripts. Add any files as necessary, using the Add button as shown in Figure 9.32, and click Next to continue. Figure 9.32. Specifying additional files for a CMAK Profile.
11.	Check the Advanced Customization option on the next dialog box and click Next to continue.

As previously mentioned, this connection is for VPN access only, and is not being set up to dial any phone entries first. The Advanced Customization dialog box, shown in Figure 9.33, allows for this option to be set. To turn off the dial-up option, perform the following steps:

1.	Under file name, select `<nameofyourprofile>.cms`, where nameofyourprofile is the executable name that was originally entered at the start of the wizard.
2.	Under section name, choose Connection Manager.
3.	Under Key name, choose Dialup.
4.	Under Value, enter the number `0`.
5.	Click the Apply button to save the settings.
6.	Click Next to continue.
7.	Click Finish when the profile has been created and the Finish dialog box is displayed.

Figure 9.33. Customizing the Advanced options of the CMAK Profile.

At this point, the executable to automate the VPN connection settings has been generated and can be distributed to clients via email or other methods. If settings change, the wizard must be re-run and the profile executable redistributed to all clients.

Deploying the Custom CMAK Profile on a Windows XP Client

After the custom CMAK profile has been compiled into an executable and made available to clients (through email, ftp, web download, or removable media), it can be installed and utilized. Installation of the executable is simple and straightforward, and involves the following steps:

1.	From the client, and while logged in as a local administrator, double-click on the CMAK executable that was created by the CMAK.
2.	Click OK when asked if wanting to install the package.
3.	Select to make the connection available for My Use Only and click OK.
4.	After installing, the connection screen, shown in Figure 9.34, is displayed. Enter the appropriate information and click Connect. Figure 9.34. Connecting from a VPN Client configured with a CMAK Profile.

The connectoid should then connect the client via the settings that were established in the CMAK and on the ISA Server. At this point, the client is subject to any of the rules that have been setup to govern the VPN Clients network.

Installing the Connection Manager Administration Kit (CMAK)

Figure 9.26. Installing the Connection Manager Administration Kit (CMAK).