To assist administrators in the deployment of multiple VPN client configuration settings, Microsoft offers a tool called the Connection Manager Administration Kit (CMAK). This tool, installed as an option on a Windows Server 2003 system (or downloaded for older versions of the OS), allows for custom profiles to be generated and then easily distributed to VPN clients via an executable file.
For example, the CMAK allows administrators to configure complicated VPN connection settings, such as protocol support, VPN server IP address, encryption methods, and more advanced options, and easily distribute them via email or other methods to clients. This greatly simplifies the deployment of a VPN infrastructure that uses ISA Server.
If L2TP/IPSec VPNs will be created, using the CMAK helps to automate the connection settings, but does not distribute necessary client certificates. Methods listed in previous sections of this chapter, such as web enrollment of certificates or, preferably, Active Directory autoenrollment, must be run in addition to the CMAK profiles, to allow clients to connect using L2TP/IPSec VPN tunnels.
Installing the Connection Manager Administration Kit (CMAK)
To setup CMAK, it must first be installed as a component on an internal server in the domain. It should not normally be set up on an ISA Server: It is not good practice to install unnecessary tools or services on an ISA Server itself. To install the CMAK, perform the following tasks on the internal member server.
Creating CMAK Profiles for Client Deployment Automation
After the CMAK is installed on a member server, individual, unique CMAK profiles can be compiled by running through the steps of a CMAK wizard. The wizard allows for a wide variety of options, but this example focuses on setting up CMAK for a simple VPN connection.
The subsequent dialog box, labeled VPN Support and shown in Figure 9.28, is critical. In it, the fully qualified domain name (FQDN) of the ISA Server or its public IP address can be entered and will be automatically set up when the profile is installed. In addition, an option to allow VPN users to choose from multiple servers is listed. This can prove valuable if setting up multiple VPN presences across different geographic areas, for example.
Figure 9.28. Entering VPN Support information into a CMAK Profile.
To continue with the CMAK VPN profile process, do the following:
The General tab of the New VPN Entry dialog box has two additional options. The Disable File and Printer Sharing option, which affects only Windows NT, 2000, and XP systems, restricts clients from sharing files or printers while they are connected, which may be desired in some cases. The Enable Clients to Log On to a Network option affects only down-level Windows 9x clients, and is normally left checked.
The Security tab of the VPN Entry dialog box, shown in Figure 9.29, is particularly important. This tab allows for the configuration of the type of protocol and encryption support the connection will utilize.
Figure 9.29. Examining the Security tab of the New VPN Entry dialog box.
Under the Security tab, the option to utilize advanced and/or basic settings for the VPN connection are listed. Advanced Security options are relevant only for Windows 2000, 2003, and XP Systems, and can be used by only them. Consequently, if the option for Use Advanced Security Settings is selected in the Security Settings drop-down box, only those types of clients can connect. The Basic security settings apply only to down-level clients, and selecting Use Basic Security Settings from the drop-down box allows for only settings that all clients can use. This effectively dilutes the security options available and is not recommended. Selecting Use Both Basic and Advanced from the drop-down box, however, enables the client OS to determine which settings to use.
Clicking on the Configure tab under the Basic Security Settings tab enables down-level OS protocol options to be specified, which are limited to basic PPTP and L2TP settings.
The Advanced security settings (click on the second Configure button) enable authentication methods to be selected. Take particular care to select only those forms of authentication that provide the greatest amount of security that can be supported by the clients themselves. Ideally, this involves forcing encryption using L2TP only, with MS-CHAP v2 as the only authentication method, as shown in Figure 9.30.
Figure 9.30. Viewing Advanced Security Settings for an ISA VPN entry in CMAK.
The TCP/IP Settings tab can be used to manually assign DNS and WINS servers to VPN clients. This is often handled by internal DHCP servers, so it is not always necessary to fill in these fields. The setting labeled Make This Connection the Client's Default Gateway is important because it can increase the security of your VPN client configuration by forcing the client to send all traffic through the ISA server. This limits the client's capabilities to circumvent organizational security by making sure it complies with all security policies and rules while it is connected to the internal network.
To continue with the configuration process, do the following:
The Custom Actions dialog box, shown in Figure 9.31, allows for custom batch files, executables, and other content to be executed upon connection. This provides for a range of capabilities, such as the running of scripts to provide for VPN Quarantine, described in detail in the next section of this chapter.
Figure 9.31. Adding custom actions to a CMAK Profile.
To continue with the configuration, do the following:
As previously mentioned, this connection is for VPN access only, and is not being set up to dial any phone entries first. The Advanced Customization dialog box, shown in Figure 9.33, allows for this option to be set. To turn off the dial-up option, perform the following steps:
Figure 9.33. Customizing the Advanced options of the CMAK Profile.
At this point, the executable to automate the VPN connection settings has been generated and can be distributed to clients via email or other methods. If settings change, the wizard must be re-run and the profile executable redistributed to all clients.
Deploying the Custom CMAK Profile on a Windows XP Client
After the custom CMAK profile has been compiled into an executable and made available to clients (through email, ftp, web download, or removable media), it can be installed and utilized. Installation of the executable is simple and straightforward, and involves the following steps:
The connectoid should then connect the client via the settings that were established in the CMAK and on the ISA Server. At this point, the client is subject to any of the rules that have been setup to govern the VPN Clients network.