Deploying Virtual Private Networks with Microsoft Windows Server 2003


Document information

PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright © 2004 by Microsoft Corporation

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Cataloging-in-Publication Data
Davies, Joe
Deploying Virtual Private Networks with Microsoft Windows Server 2003 / Joe Davies, Elliot Lewis.
p. cm.
Includes index.
ISBN 0-7356-1576-4
1. Extranets (Computer networks). 2. Microsoft Windows Server. I. Title.
TK5105.875.E87W45 2003
004.6 dc21 2003042174

Printed and bound in the United States of America.

1 2 3 4 5 6 7 8 9 QWT 8 7 6 5 4 3

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to mspinput@microsoft.com.

Active Directory, ActiveX, Microsoft, Microsoft Press, MSDN, MSN, Outlook, Visual Basic, Windows, the Windows logo, Windows Mobile, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Acquisitions Editor: Martin DelRe
Project Editor: Valerie Woolley
Technical Editor: Jim Johnson
Body Part No. X08-68739

Contents

• Acknowledgments  xiii
• Introduction  xv

PART I  VPN Technology
  • Chapter 1  The Business Case for Virtual Private Networks  3
    • Overview of VPNs  4
    • The World as It Was  4
    • The World as It Is Today  5
    • The World as It Will Be  7
    • The Need for Security and Control  8
    • VPN Technology  9
    • Summary  10
  • Chapter 2  VPN Overview  11
    • Virtual Private Network Definitions  11
    • Common Uses of VPNs  13
    • Basic VPN Requirements  16
    • Tunneling Basics  17
    • Tunneling Protocols  19
    • Point-to-Point Protocol (PPP)  20
    • Point-to-Point Tunneling Protocol (PPTP)  23
    • Layer Two Tunneling Protocol (L2TP)  23
    • Tunnel Types  29
    • VPN Administration  30
    • Authorizing VPN Connections  31
    • Scalability  31
    • RADIUS  32
    • Connection Manager and Managed VPN Connections  32
    • Accounting, Auditing, and Alarming  34
    • Summary  35
  • Chapter 3  VPN Security  37
    • Basic Elements of Windows VPN Security  37
    • Authentication Security  38
    • Authorization Security  41
    • Encryption Security  41
    • Packet Filtering Security  43
    • Advanced VPN Security Features  44
    • EAP-TLS and Certificate-Based Authentication  44
    • Network Access Quarantine Control  46
    • Remote Access Account Lockout  47
    • Remote Access Policy Profile Packet Filtering  48
    • Summary  49
  • Chapter 4  VPN Interoperability  51
    • VPN Technologies and Internet Standards  53
    • Remote Access VPN Requirements and IPSec-Based Implementations  54
    • User Authentication  54
    • Address Assignment  56
    • PPTP: An Alternative to IPSec-Based VPNs  56
    • Future Directions for Microsoft VPN Support  58
    • Issues Customers Should Examine  58
    • Recommendations to VPN Vendors  59
    • Summary  59

PART II  VPN Deployment
  • Chapter 5  Remote Access VPN Components and Design Points  63
    • VPN Clients  64
    • The Connection Manager System  66
    • Single Sign-On  69
    • Installing a Certificate on a Client Computer  69
    • Design Point: Configuring the VPN Client  70
    • Internet Network Infrastructure  71
    • VPN Server Name Resolvability  71
    • VPN Server Reachability  72
    • Authentication Protocols  73
    • Design Point: Which Authentication Protocol To Use  74
    • VPN Tunneling Protocols  75
    • Point-to-Point Tunneling Protocol  75
    • Layer Two Tunneling Protocol with IPSec  75
    • Design Point: PPTP or L2TP/IPSec?  76
    • VPN Server  77
    • Design Point: Configuring the VPN Server  79
    • Intranet Network Infrastructure  82
    • Name Resolution  82
    • Routing  84
    • Quarantine Resources  88
    • AAA Infrastructure  89
    • Remote Access Policies  90
    • Preventing Traffic Routed from VPN Clients  92
    • Windows Domain User Accounts and Groups  94
    • Design Point: AAA Infrastructure  95
    • Certificate Infrastructure  96
    • Computer Certificates for L2TP/IPSec  96
    • Certificate Infrastructure for Smart Cards  97
    • Certificate Infrastructure for User Certificates  98
    • Design Point: Certificate Infrastructure  99
    • Summary  100
  • Chapter 6  Deploying Remote Access VPNs  101
    • Deploying PPTP or L2TP/IPSec Remote Access  102
    • Deploying a Certificate Infrastructure  102
    • Installing Computer Certificates  103
    • Deploying Smart Cards  106
    • Installing User Certificates  107
    • Deploying an Internet Infrastructure  111
    • Placing VPN Servers in a Perimeter Network or on the Internet  111
    • Installing Windows Server 2003 on the VPN Server and Configuring Internet Interfaces  111
    • Adding Address Records to Internet DNS Servers  112
    • Deploying an AAA Infrastructure  112
    • Configuring Active Directory for User Accounts and Groups  112
    • Configuring the Primary IAS Server Computer  113
    • Configuring IAS with RADIUS Clients  116
    • Configuring a VPN Remote Access Policy with Windows Server 2003 IAS  117
    • Configuring the Secondary IAS Server Computer  119
    • Deploying VPN Servers  120
    • Configuring the VPN Server’s Connection to the Intranet  120
    • Running the Routing And Remote Access Server Setup Wizard  120
    • Deploying an Intranet Infrastructure  121
    • Configuring Routing on the VPN Server  122
    • Verifying Name Resolution and Intranet Reachability from the VPN Server  122
    • Configuring Routing for Off-Subnet Address Ranges  122
    • Configuring Quarantine Resources  123
    • Deploying VPN Clients  123
    • Manually Configuring VPN Clients  123
    • Configuring CM Packages with CMAK  124
    • Summary  124
  • Chapter 7  Using Connection Manager for Quarantine Control and Certificate Provisioning  127
    • Deployment and Quarantine Control Using Connection Manager  128
    • Creating L2TP/IPSec Connections with Connection Manager  128
    • Deploying Network Access Quarantine Control with Connection Manager  128
    • Configuring the Initial Test Lab  130
    • DC1  132
    • CA1  134
    • Install IIS  134
    • Configure a shared folder  135
    • IIS1  136
    • VPN1  136
    • CLIENT1  139
    • Configuring and Testing Network Access Quarantine Control and Certificate Provisioning  140
    • DC1  140
    • Update Group Policy  151
    • Update Group Policy  154
    • VPN1  155
    • Summary  168
  • Chapter 8  Site-to-Site VPN Components and Design Points  169
    • Demand-Dial Routing in Windows Server 2003  169
    • Demand-Dial Routing Updates  171
    • Introduction to Site-to-Site VPN Connections  172
    • Components of Windows Server 2003 Site-to-Site VPNs  176
    • VPN Routers  177
    • Internet Network Infrastructure  185
    • Authentication Protocols  187
    • VPN Protocols  189
    • Site Network Infrastructure  191
    • AAA Infrastructure  194
    • Certificate Infrastructure  201
    • Summary  203
  • Chapter 9  Deploying Site-to-Site VPNs  205
    • Deploying a Site-to-Site VPN Connection  205
    • Deploying the Certificate Infrastructure  206
    • Deploying the Internet Infrastructure  214
    • Deploying the Answering Router  215
    • Deploying the Calling Router  220
    • Deploying the AAA Infrastructure  222
    • Deploying the Site Network Infrastructure  228
    • Deploying the Intersite Network Infrastructure  235
    • Summary  241
  • Chapter 10  A VPN Deployment Example  243
    • Introducing Contoso, LTD  243
    • Common Configuration for the VPN Server  244
    • Network Configuration  244
    • Remote Access Policy Configuration  248
    • Domain Configuration  248
    • Security Configuration  249
    • VPN Remote Access for Employees  249
    • Domain Configuration  250
    • Remote Access Policy Configuration  250
    • PPTP-Based Remote Access Client Configuration  250
    • L2TP/IPSec-Based Remote Access Client Configuration  250
    • On-Demand Branch Office  251
    • Additional Configuration  252
    • PPTP-Based On-Demand Branch Office  253
    • L2TP/IPSec-Based On-Demand Branch Office  255
    • Persistent Branch Office  257
    • Additional Configuration  258
    • PPTP-Based Persistent Branch Office  260
    • L2TP/IPSec-Based Persistent Branch Office  263
    • Extranet for Business Partners  265
    • Additional Configuration  266
    • PPTP-Based Extranet for Business Partners  268
    • L2TP/IPSec-Based Extranet for Business Partners  269
    • Dial-Up and VPNs with RADIUS Authentication  270
    • Domain Configuration  271
    • RADIUS Configuration  272
    • Dial-Up Remote Access Client Configuration  272
    • Summary  273

PART III  VPN Troubleshooting
  • Chapter 11  Troubleshooting Remote Access VPN Connections  277
    • Troubleshooting Tools  278
    • TCP/IP Troubleshooting Tools  278
    • Authentication and Accounting Logging  278
    • Event Logging  279
    • IAS Event Logging  279
    • PPP Logging  280
    • Tracing  280
    • Oakley Logging  281
    • Network Monitor  282
    • Troubleshooting Remote Access VPNs  282
    • Unable to Connect  283
    • Unable to Reach Locations Beyond the VPN Server  292
    • Summary  293
  • Chapter 12  Troubleshooting Site-to-Site VPN Connections  295
    • Troubleshooting Tools  295
    • Troubleshooting Site-to-Site VPN Connections  296
    • Unable to Connect  297
    • Unable to Reach Locations Beyond the VPN Routers  306
    • Unable To Reach the Virtual Interfaces of VPN Routers  308
    • On-Demand Connection Is Not Made Automatically  309
    • Summary  309

PART IV  Appendixes
  • Appendix A  VPN Deployment Best Practices  313
    • Stick to the Standards  313
    • Choice of Tunneling Protocols  313
    • Choice of Authentication Protocols  314
    • Scalability  315
    • Use of IAS/RADIUS  315
    • VPN Privileges for Users  316
    • Packet Filters  316
    • Split Tunneling  317
    • Use of Quarantine—Being Realistic  317
    • Two-Factor Authorization: Smart Cards with Tokens or Biometrics  318
    • Connection Manager and Phone Book Administrator  318
    • Site-to-Site  319
    • Troubleshooting: Do It by the Book!  321
    • Summary  321
  • Appendix B  Configuring Firewalls for VPN  323
    • VPN Server in Front of the Firewall  323
    • Packet Filters for PPTP  324
    • Packet Filters for L2TP/IPSec  325
    • VPN Server Behind the Firewall  326
    • Packet Filters for PPTP  327
    • Packet Filters for L2TP/IPSec  329
    • Filters on the Internet Interface  329
    • VPN Server Between Two Firewalls  331
  • Appendix C  Deploying a Certificate Infrastructure  333
    • Certificate Revocation and EAP-TLS Authentication  334
    • Using Third-Party CAs for EAP-TLS Authentication  337
    • Certificates on the Authenticating Servers  337
    • Certificates on VPN Client Computers  337
    • Summary  338
  • Appendix D  Setting Up Remote Access VPN Connections in a Test Lab  339
    • PPTP-Based Remote Access VPN Connections  339
    • DC1  341
    • IAS1  345
    • IIS1  348
    • VPN1  349
    • CLIENT1  351
    • L2TP/IPSec-Based Remote Access VPN Connections  354
    • DC1  354
    • VPN1  355
    • CLIENT1  356

[...]

... Komar, Microsoft Windows Security Resource Kit, Microsoft Press, 2003. Deploying Virtual Private Networks with Microsoft Windows Server™ 2003 describes the combination of technologies in Windows that supports the strongest set of industry standards for VPN access that was available at the time of the writing of this book.

How This Book Is Structured

Deploying Virtual Private Networks with Microsoft Windows ...
Introduction

Welcome to Deploying Virtual Private Networks with Microsoft Windows Server 2003, your complete source for the information you need to design and deploy Virtual Private Networks (VPNs) using Windows Server 2003 and all of the Windows Client operating systems. This book includes overview explanations of the various technologies involved in deploying both remote access and site-to-site ...

... http://www.microsoft.com/ias
• Active Directory: http://www.microsoft.com/ad
• Windows 2000 Security Services: http://www.microsoft.com/windows2000/technologies/security/default.asp
• Windows Server 2003 Security Services: http://www.microsoft.com/windowsserver2003/technologies/security/default.mspx

For the latest information about support for VPNs in Windows, see the Microsoft VPN Web site at http://www.microsoft.com/vpn ...

... 419
• Frequently Asked Questions  421
  • Virtual Private Networks Defined  421
  • Microsoft Support for VPNs  422
  • VPN Standards and Interoperability  424
  • VPN Deployment  430
• Index  435

Acknowledgments

From the beginning, writing Deploying Virtual Private Networks with Microsoft Windows Server 2003 was a labor of love for me. As ...

Chapter 1  The Business Case for Virtual Private Networks

Congratulations on purchasing this book! You have just taken a major step in bringing the power of the Internet to your company’s arsenal of business tools. This book will show you how to design, implement, and use virtual private networks (VPNs) that are based on Microsoft Windows Server 2003 and Microsoft client operating systems. VPN ...

... the business case for virtual private networks (VPNs) in the company’s communications solutions, it’s time to get into the nuts and bolts of how VPNs work and the various communications solutions VPNs can provide. This chapter will cover the following topics:
• An overview of virtual private networking and the VPN technologies supported by Microsoft Windows Server 2003 and Microsoft Windows XP Professional ...

... into the Windows Server 2003 family, and all Windows client operating systems have VPN client software built in as well. If you are running Windows servers and clients, you are capable of deploying VPN today with no extra software or hardware costs. In this book, we’ll show you how to implement a fully functioning remote access solution based solely on Windows features you already own in the server and ...

... included in the root folder of the Supplemental CD-ROM
• Additional information and sample logs for troubleshooting L2TP, IPSec, PPTP, and other protocols

Additional Resources

Deploying Virtual Private Networks with Microsoft Windows Server 2003 is primarily a deployment book, not a technical reference. It is designed to provide enough background information so that you can understand the basic workings of ...

... includes complete step-by-step instructions for deploying a basic remote-access VPN solution using Windows Server 2003 as the VPN server and Windows XP or Windows 2000 Professional as the VPN client, and all of the supporting services that go with VPN deployment, including Internet Authentication Service (a RADIUS server), Certificate Services, and Active Directory
• Chapter 7, “Using Connection Manager for ...

... communicate with all your users while they are out of the office or to interconnect various office sites. These Internet capabilities eliminate the need for modem pools, ISDN servers, and private leased WAN lines. There is a problem, though. The network within your walls is a private network that only your authorized users can access and work with, while the Internet is available for everyone’s use. Without ...

Date posted: 27/06/2014, 00:20

Table of Contents

• Cover
• Copyright
• Contents
• Acknowledgments
• Introduction
  • How This Book Is Structured
  • About the CD-ROM
  • Additional Resources
  • Conventions Used in This Book
    • Informational Notes
    • Notational Conventions
  • System Requirements
• Part I  VPN Technology
  • Chapter 1  The Business Case for Virtual Private Networks
    • Overview of VPNs
      • The World as It Was
      • The World as It Is Today
      • The World as It Will Be
      • The Need for Security and Control
      • VPN Technology
    • Summary
  • Chapter 2  VPN Overview
    • Virtual Private Network Definitions
    • Common Uses of VPNs
    • Basic VPN Requirements
    • Tunneling Basics
    • Tunneling Protocols
      • Point-to-Point Protocol (PPP)
      • Point-to-Point Tunneling Protocol (PPTP)
