Installing Windows Server 2003 as an IAS Server to Support the VPN Server


When you implement a VPN server, it must have a way to authenticate incoming connection requests. This chapter assumes that most environments will have either a Windows 2000 or Windows Server 2003 AD, on which you can build the RADIUS infrastructure. It is possible to deploy the Internet Authentication Service (IAS) server for use with Windows NT 4.0 or other types of Lightweight Directory Access Protocol (LDAP) directory accounts, but it is generally easier to use the accounts through a trust to an AD. Additionally, it is possible to use a RADIUS service that is not based on IAS, but the deployment will be restricted to RFC-only capabilities and will lose some of the functionality that can be used for more robust VPN controls. Microsoft has done a good job of balancing advanced functionality against vendor-specific capabilities. The end result is full vendor independence, while still supporting additional capabilities on those Network Access Servers (NASs) that provide them.

You can install the IAS service after a default Windows Server 2003 installation. You can do this either by modifying the unattended text file, or by simply going into Add/Remove Programs, as shown in Figure 14.1. Some network architects install IAS on all Global Catalogs (GCs) with the service disabled. Then, when a specific location comes online and needs a local RADIUS server, all that needs to be done is enabling and configuring it.

Figure 14.1. The IAS can be installed from Add/Remove Programs in Control Panel.

In a Windows 2000/2003 AD, the server must be enabled in the directory before the service will start. This is done by adding the server to the RAS and IAS Servers security group, found under the Users container in a default directory, as shown in Figure 14.2.

Figure 14.2. The server hosting IAS must be added to the RAS and IAS Servers security group in AD environments.

The next step in configuring your IAS server is to define all the NASs that will be using the RADIUS service by adding them to the RADIUS client list, as shown in Figures 14.3 and 14.4. The IAS server will not reply to unknown NASs, so each of them must be defined.

Figure 14.3. Define all NASs that will be using the RADIUS service as RADIUS Clients in the IAS snap-in.

Figure 14.4. Define the properties of the NAS in the RADIUS client dialog box.

In addition to defining the RADIUS client, many Administrators define a shared secret in the IAS configuration. Also in this section, you are able to define the type of NAS device from several major vendors or the RADIUS Standard. Because we are configuring the IAS environment for a Windows Server 2003 VPN server, our selection should be Microsoft, as shown in Figure 14.5.

Figure 14.5. Select Microsoft as the vendor of the Remote Access Policy when configuring the RADIUS client.

RADIUS Accounting is very important so that Administrators are able to track logon and usage activities. Windows Server 2003 introduced the ability to log the accounting data directly to a SQL database, which is ideal if you have a SQL server available, because the data is much easier to handle there. For our network, we are going to continue to log all options to a standard text file, as shown in Figure 14.6.

Figure 14.6. Configuring the log data to a local file.


We now move to the real powerhouse of the IAS server: the Remote Access Policy. This is where the connection criteria are defined. When you have multiple Remote Access Policies, the first policy that fits the connection request services the client's logon request, so the order is very important. The logs tell the Administrator which policy serviced the logon request. By default, IAS contains policies that will deny logon requests. It is up to the Administrator to build a policy for the environment. Let's make one for our Windows Server 2003 VPN server.

1. Go to the Remote Access Policies menu option in the IAS snap-in, right-click, and select the option to make a new policy, as shown in Figure 14.7.

Figure 14.7. Create a new Remote Access Policy in the IAS snap-in.

2. In the ensuing screen, name the Remote Access Policy as shown in Figure 14.8.

Figure 14.8. Name the Remote Access Policy.

3. As shown in Figure 14.9, select the VPN option for Access Method.

Figure 14.9. Select the VPN option as the Access Method.

4. The network access is defined by the user rights, based on the rights on the user's account. Therefore, select the User option in the User or Group Access dialog box shown in Figure 14.10. You could instead define a group for access rights.

Figure 14.10. Define User or Group for access rights. In this case, select User rights.

5. Select the authentication method. In our example, demonstrated in Figure 14.11, we will be allowing username/password authentication via MS-CHAPv2. If your network requires PPTP, either because you need it for certain clients or because the environment does not have a certificate infrastructure, it is strongly suggested that you do not support MS-CHAPv1. MS-CHAPv1 is where most of the PPTP security concerns come from, and it is very unlikely that any environment really needs to support this authentication method.

Figure 14.11. It is highly recommended to select MS-CHAPv2 for the authentication method.

6. Next is the dialog box to select the Policy Encryption Levels to be supported for your clients, as shown in Figure 14.12. The network architect must consider the type of clients to be supported and select what is appropriate. Remember that if it isn't selected here, it will not be supported.

Figure 14.12. Select the appropriate Policy Encryption Levels to be supported for your clients.

You're finished with creating the basic policy! Notice in Figure 14.13 that the policy is placed at the top of the policy list. This means any logon request will be evaluated against this policy first.

Figure 14.13. The new policy is placed at the top of the policy list, giving it highest priority.

Now we need to edit the policy for some custom configuration. Make sure that a client matching this policy is granted access, by enabling the Grant Remote Access Permission option in the policy properties, as shown in Figure 14.14.

Figure 14.14. Enable the Grant Remote Access Permission option in the policy properties.


After the wizard has walked through the basic creation of the Remote Access Policy, the Administrator is able to edit the profile and define granular settings that can do anything from setting idle timeouts to restricting the type of tunnels, as shown in Figure 14.15. The network architect must define what is required for the corporate deployment and set these as appropriate.

Figure 14.15. The Administrator can define very granular properties to give proper restrictions and definitions for client access.
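The policy behaviour described in this section (first matching policy wins, the account's dial-in permission overrides the policy's grant/deny, and profile settings such as authentication method, encryption level and tunnel type are enforced only after a policy is selected) can be modelled in a few lines. The following is an added illustration written for this chapter, not Microsoft's code; the request field names and the "VPN Policy" name are assumptions, while "Connections to other access servers" is one of the default IAS deny policies.

```python
from dataclasses import dataclass

# Constructed model of IAS policy selection (first matching policy wins), the
# user's dial-in permission, and profile enforcement. Illustrative code for
# this chapter, not Microsoft's; the request field names are assumptions.
AUTH_MSCHAPV1, AUTH_MSCHAPV2, AUTH_EAP = "MS-CHAP", "MS-CHAPv2", "EAP"
ENC_NONE, ENC_BASIC, ENC_STRONG, ENC_STRONGEST = 0, 40, 56, 128  # key bits
@dataclass(frozen=True)
class Policy:
    name: str
    grant: bool                            # Grant Remote Access Permission
    nas_port_type: str = None              # condition; None matches any port
    auth_methods: frozenset = frozenset()  # profile; empty = any method
    min_encryption: int = ENC_NONE         # profile; weakest level allowed
    tunnel_types: frozenset = frozenset()  # profile; empty = any tunnel type

    def matches(self, req):
        # Only the policy conditions decide whether this policy is selected.
        return self.nas_port_type is None or req["nas_port_type"] == self.nas_port_type

    def profile_allows(self, req):
        # Profile settings are checked after selection; a failure rejects the
        # request instead of falling through to the next policy in the list.
        return ((not self.auth_methods or req["auth"] in self.auth_methods)
                and req["encryption"] >= self.min_encryption
                and (not self.tunnel_types or req["tunnel"] in self.tunnel_types))

def evaluate(policies, req):
    """Return (decision, policy_name); policy_name is None when nothing matched."""
    for policy in policies:
        if not policy.matches(req):
            continue
        # The account's dial-in setting ("allow"/"deny") overrides the policy's
        # permission; "policy" means control access through Remote Access Policy.
        permitted = {"allow": True, "deny": False}.get(req["dialin"], policy.grant)
        if permitted and policy.profile_allows(req):
            return ("accept", policy.name)
        return ("reject", policy.name)
    return ("reject", None)  # no policy matched: IAS rejects by default
# The policy built by the wizard in this chapter, above a default IAS deny policy.
VPN_POLICY = Policy("VPN Policy", grant=True, nas_port_type="Virtual (VPN)",
                    auth_methods=frozenset({AUTH_MSCHAPV2, AUTH_EAP}),
                    min_encryption=ENC_STRONG, tunnel_types=frozenset({"PPTP", "L2TP"}))
DEFAULT_DENY = Policy("Connections to other access servers", grant=False)

def vpn_request(**overrides):
    # Constructed sample VPN Access-Request; override fields to probe the policy.
    req = {"nas_port_type": "Virtual (VPN)", "auth": AUTH_MSCHAPV2,
           "encryption": ENC_STRONGEST, "tunnel": "L2TP", "dialin": "policy"}
    return {**req, **overrides}
```

Swapping the two policies in the list, so that the default deny policy sits above the VPN policy, rejects every VPN logon, which is why the ordering shown in Figure 14.13 matters.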


The IAS configuration in Windows Server 2003 contains many features that support extremely complex environments, including RADIUS proxy, full certificate support, and authentication based on types of NAS. The IAS configuration must be designed with corporate needs in mind.

As you can see, the IAS configuration is the location where the criteria for network access are defined. It is critical that the architect work with all related groups to ensure not only that the clients are supported as appropriate, but also that the security concerns and goals are met. IAS is extremely flexible, and almost all organizational needs, however complex, can be met.



Windows Server 2003 on Proliants. Deployment Techniques and Management Tools for System Administrators
ISBN: B004C77T6A
Year: 2004
Pages: 214
