
Thread: Virtual Private Networking with Windows Server 2003: An Example Deployment

  
  1. #1
    Real name: 1234
    Retired moderator
    Join date: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanks received: 2513
    Thanks given: 272

    Virtual Private Networking with Windows Server 2003: An Example Deployment

    Introduction to Virtual Private Networking with Windows Server 2003: An Example Deployment
    Updated: January 1, 2003
    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
    This white paper describes how to configure common virtual private network connections for a fictional company using the Windows Server 2003 and the Windows XP operating systems. Although your network configuration may be different than those described here, you can still apply the basic concepts of virtual private networking in your network environment.
    The use of both public and private networks to create a network connection is called a virtual private network (VPN). A VPN is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link. Virtual private networking is the act of creating and configuring a virtual private network.
    To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is a VPN connection.
    Electronic, Inc. is a fictional electronics design and manufacturing company with a main corporate campus in New York and branch offices and distribution business partners throughout the United States. Electronic, Inc. has implemented a VPN solution by using Windows Server 2003 to connect remote access users, branch offices, and business partners.
    The VPN server at the corporate office provides both remote access and site-to-site (also known as router-to-router) Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec) VPN connections. In addition, the VPN server provides the routing of packets to intranet and Internet locations.
    Based on the common configuration of the VPN server, the following VPN configurations are described:

    • VPN remote access for employees.
    • On-demand branch office access.
    • Persistent branch office access.
    • Extranet for business partners.
    • Dial-up and VPNs with RADIUS authentication.






  2. #2
    Common Configuration for the VPN Server (VPN with Windows Server 2003)
    Updated: January 1, 2003
    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
    To deploy a VPN solution for Electronic, Inc., the network administrator performs an analysis and makes design decisions regarding:

    • The network configuration.
    • The remote access policy configuration.
    • The domain configuration.
    • The security configuration.

    Network Configuration

    The key elements of the network configuration are:

    • The Electronic, Inc. corporate intranet uses the private networks of 172.16.0.0 with a subnet mask of 255.240.0.0 (172.16.0.0/12) and 192.168.0.0 with a subnet mask of 255.255.0.0 (192.168.0.0/16). The corporate campus network segments use subnets of 172.16.0.0 and the branch offices use subnets of 192.168.0.0.
    • The VPN server computer is directly attached to the Internet using a T3 (also known as a DS-3) dedicated WAN link.
    • The IP address of the WAN adapter on the Internet is 207.46.130.1 as allocated by the Internet service provider (ISP) for Electronic, Inc. The IP address of the WAN adapter is referred to on the Internet by the domain name vpn.electronic.example.com.
    • The VPN server computer is directly attached to an intranet network segment that contains a router that connects to the rest of the Electronic, Inc. corporate campus intranet. The intranet network segment has the IP network ID of 172.31.0.0 with the subnet mask of 255.255.0.0.
    • The VPN server computer is configured with a static pool of IP addresses to allocate to remote access clients and calling routers that is a subset of the intranet network segment (an on-subnet address pool).

    Figure 1 shows the network configuration of the Electronic, Inc. VPN server.
    Figure 1: The network configuration of the Electronic, Inc. VPN server
    Based on the network configuration of the Electronic, Inc. corporate campus intranet, the VPN server computer is configured as follows:

    1. Install hardware on the VPN server.

      The network adapter that is used to connect to the intranet segment and the WAN adapter that is used to connect to the Internet are installed according to the adapter manufacturer's instructions. Once drivers are installed and functioning, both adapters appear as local area connections in Network Connections.
    2. Configure TCP/IP on the LAN and WAN adapters.

      For the LAN adapter, an IP address of 172.31.0.1 with a subnet mask 255.255.0.0 is configured. For the WAN adapter, an IP address of 207.46.130.1 with a subnet mask 255.255.255.255 is configured. A default gateway is not configured for either adapter. Domain Name System (DNS) and Windows Internet Name Service (WINS) server addresses are also configured.
    3. Configure the Routing and Remote Access service.

      The Routing and Remote Access service is initially configured with the Routing and Remote Access Server Setup Wizard. To run the Wizard, right-click the name of the server in the Routing and Remote Access snap-in, and then click Configure and Enable Routing and Remote Access. Configure the VPN server using the following settings:

      Configuration: Remote access (dial-up or VPN)

      Remote Access: VPN

      VPN Connection: Click the connection that corresponds to the interface connected to the Internet

      IP Address Assignment: Click From a specified range of addresses and create a single range from 172.31.255.1 to 172.31.255.254. This creates a static address pool for up to 253 VPN clients.

      Managing Multiple Remote Access Servers: Click No, use Routing and Remote Access to authenticate connection requests

      The default method of authenticating remote access and demand-dial connections is to use Windows authentication, which is appropriate in this configuration containing only one VPN server. For information about the use of Remote Authentication Dial-In User Service (RADIUS) authentication for Electronic, Inc., see the Dial-up and VPNs with RADIUS section in this paper. For more information about the use of Windows and RADIUS authentication, see the topic titled Authentication vs. Authorization in Windows Server 2003 Help and Support.
    4. Configure the DHCP Relay Agent.

      In the console tree, navigate to IP Routing\DHCP Relay Agent. Right-click DHCP Relay Agent, and then click Properties. In the DHCP Relay Agent Properties dialog box, type the IP address of an intranet Dynamic Host Configuration Protocol (DHCP) server in Server address. Click Add, and then click OK. By configuring the DHCP Relay Agent routing protocol component, VPN remote access clients can receive the correct DNS domain name, DNS server addresses, and WINS server addresses when connecting to the intranet.
    5. Configure static routes on the VPN server to reach intranet and Internet locations.

      To reach intranet locations, a static route is configured with the following settings:
      • Interface: The LAN adapter attached to the intranet
      • Destination: 172.16.0.0
      • Network mask: 255.240.0.0
      • Gateway: 172.31.0.2
      • Metric: 1

      This static route simplifies routing by summarizing all destinations on the Electronic, Inc. intranet. This static route is used so that the VPN server does not need to be configured with a routing protocol.

      To reach Internet locations, a static route is configured with the following settings:


      • Interface: The WAN adapter attached to the Internet
      • Destination: 0.0.0.0
      • Network mask: 0.0.0.0
      • Gateway: 0.0.0.0
      • Metric: 1

      This static route summarizes all destinations on the Internet. This route allows the VPN server to respond to a remote access client or demand-dial router from anywhere on the Internet.

      Note: Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example. 0.0.0.0 is the unspecified IP address.
    6. Configure a static route on the intranet router to reach all branch offices.

      To reach branch office locations from the intranet router, a static route is configured with the following settings:
      • Interface: The LAN adapter attached to the intranet
      • Destination: 192.168.0.0
      • Network mask: 255.255.0.0
      • Gateway: 172.31.0.1
      • Metric: 1

      This static route simplifies routing by summarizing all destinations at Electronic, Inc. branch offices. The intranet router advertises this static route to its neighboring routers so that a route to the branch office locations exists on each router of the intranet.


    Remote Access Policy Configuration

    Electronic, Inc. is using a native-mode Active Directory domain and the network administrator for Electronic, Inc. has decided on an access-by-group administrative model. The remote access permission on all user accounts is set to Control access through Remote Access Policy. The granting of remote access permission to connection attempts is controlled by the remote access permission setting on the first matching remote access policy. Remote access policies are used to apply different VPN connection settings based on group membership.
    For more information, see the topic Introduction to remote access policies in Windows Server 2003 Help and Support.

    Domain Configuration

    To take advantage of the ability to apply different connection settings to different types of VPN connections, the following Active Directory groups are created:

    • VPN_Users

      Used for remote access VPN connections
    • VPN_Routers

      Used for site-to-site VPN connections from Electronic, Inc. branch offices
    • VPN_Partners

      Used for site-to-site VPN connections from Electronic, Inc. business partners

    Note: All users and groups in this example deployment are created in the electronic.example.com Active Directory domain.



    Security Configuration

    To enable L2TP/IPSec connections, the use of smart cards by remote access clients, and the use of EAP-TLS by routers, the Electronic, Inc. domain is configured to autoenroll computer certificates to all domain members.
    For more information, see the topic titled "Checklist: Configuring certificate autoenrollment" in Windows Server 2003 Help and Support.
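To check the properties the Common Configuration section relies on (the on-subnet pool sizing, the summary routes that stand in for a routing protocol, and the longest-prefix forwarding the VPN server performs), here is an added Python example; it is not part of the white paper or the post. The branch subnets come from the later branch office sections, and the VPN server route entry for a dialled-in branch is my own modelling of the static route carried in that account's dial-in properties.

```python
"""Address-plan and routing checks for the Electronic, Inc. example deployment.

Added example, not part of the white paper. All addresses are the paper's;
the interface/gateway labels in VPN_SERVER_ROUTES are modelling assumptions.
"""
from ipaddress import ip_address, ip_network

# Values from the paper's Common Configuration section
INTRANET_SUMMARY = ip_network("172.16.0.0/12")   # corporate campus subnets
BRANCH_SUMMARY = ip_network("192.168.0.0/16")    # branch office subnets
VPN_SEGMENT = ip_network("172.31.0.0/16")        # segment the VPN server is attached to
LAN_ADAPTER = ip_address("172.31.0.1")
INTRANET_ROUTER = ip_address("172.31.0.2")
POOL_START, POOL_END = ip_address("172.31.255.1"), ip_address("172.31.255.254")

# Branch subnets from the On-Demand and Persistent Branch Office sections
BRANCHES = {
    "Dallas": ip_network("192.168.28.0/24"),
    "Portland": ip_network("192.168.4.0/24"),
    "Chicago": ip_network("192.168.9.0/24"),
    "Phoenix": ip_network("192.168.14.0/24"),
}


def pool_report(start, end, segment, reserved):
    """Size a static address pool the way the paper does.

    Every pool address must lie inside the on-subnet segment and must not
    collide with an address already assigned there. The server or router
    takes one pool address for its own end of the connections, so the number
    of clients it can serve is one less than the pool size (254 -> 253).
    """
    start, end, segment = ip_address(start), ip_address(end), ip_network(segment)
    reserved = {ip_address(r) for r in reserved}
    if int(end) < int(start):
        raise ValueError("pool end precedes pool start")
    addrs = [ip_address(i) for i in range(int(start), int(end) + 1)]
    return {
        "size": len(addrs),
        "clients": len(addrs) - 1,
        "on_subnet": all(a in segment for a in addrs),
        "collisions": sorted(str(a) for a in addrs if a in reserved),
    }


def uncovered_branches(summary, branches):
    """Names of branch subnets that the summary route does NOT cover.

    The paper's intranet router carries a single 192.168.0.0/16 route via the
    VPN server instead of one route per branch; that only works if every
    branch subnet is a subnet of the summary. An empty list means all are.
    """
    summary = ip_network(summary)
    return sorted(name for name, net in branches.items() if not net.subnet_of(summary))


# The VPN server's routing table as (prefix, interface, gateway).
# The Dallas /24 is the static route from the VPN_Dallas account's dial-in
# properties; it exists only while that branch's connection is up.
VPN_SERVER_ROUTES = [
    (ip_network("0.0.0.0/0"), "WAN", "0.0.0.0"),      # Internet: point-to-point link
    (INTRANET_SUMMARY, "LAN", str(INTRANET_ROUTER)),  # whole intranet via the router
    (VPN_SEGMENT, "LAN", "on-link"),                  # directly connected segment
    (BRANCHES["Dallas"], "VPN_Dallas", "on-link"),    # present while Dallas is dialled in
]


def lookup(routes, dest):
    """Longest-prefix match; returns (interface, gateway) or None if no route."""
    dest = ip_address(dest)
    matches = [r for r in routes if dest in r[0]]
    if not matches:
        return None
    _prefix, iface, gateway = max(matches, key=lambda r: r[0].prefixlen)
    return iface, gateway


if __name__ == "__main__":
    print(pool_report(POOL_START, POOL_END, VPN_SEGMENT, {LAN_ADAPTER, INTRANET_ROUTER}))
    print("uncovered branches:", uncovered_branches(BRANCH_SUMMARY, BRANCHES))
    for d in ("172.20.1.5", "172.31.0.2", "192.168.28.7", "192.168.4.7"):
        print(d, "->", lookup(VPN_SERVER_ROUTES, d))
```

Two things the lookup makes visible: the /12 summary overlaps the server's own /16 segment, and only longest-prefix matching keeps segment traffic on-link instead of bouncing it through 172.31.0.2; and because the server learns a branch route only while that branch is connected, traffic for a one-way-initiated branch that has not dialled in falls through to the default route on the WAN adapter.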









  3. #3
    VPN Remote Access for Employees (VPN with Windows Server 2003)
    Updated: January 1, 2003
    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
    Remote access for Electronic, Inc. employees is deployed by using remote access VPN connections across the Internet based on the settings configured in the Common Configuration for the VPN Server section of this paper and the following additional settings.
    Figure 2 shows the Electronic, Inc. VPN server that provides remote access VPN connections.
    Figure 2: The Electronic, Inc. VPN server that provides remote access VPN connections
    Domain Configuration

    For each employee that is allowed VPN access:

    • The remote access permission on the dial-in properties of the user account is set to Control access through Remote Access Policy.
    • The user account is added to the VPN_Users Active Directory group.


    Remote Access Policy Configuration

    To define the authentication and encryption settings for remote access VPN clients, the following common remote access policy is created:
    Policy name: Remote Access VPN Connections
    Access method: VPN
    User or Group Access: Group with the EXAMPLE\VPN_Users group selected
    Authentication Methods: Extensible Authentication Protocol with the Smart card or other Certificate type, Microsoft Encrypted Authentication version 2 (MS-CHAP v2), and Microsoft Encrypted Authentication (MS-CHAP) selected
    Policy Encryption Level: Strong encryption and Strongest encryption selected

    PPTP-based Remote Access Client Configuration

    On the Windows XP remote access client computers, the New Connection Wizard is used to create a VPN connection with the following settings:
    Network Connection Type: Connect to the network at my workplace
    Network Connection: Virtual Private Network connection
    Connection Name: Electronic, Inc.
    VPN Server Selection: vpn.electronic.example.com
    Connection Availability: Anyone's use

    L2TP/IPSec-based Remote Access Client Configuration

    The remote access computer logs on to the Electronic, Inc. domain using a local area network (LAN) connection to the Electronic, Inc. intranet and receives a computer certificate through autoenrollment. Then, the New Connection Wizard is used to create a VPN connection with the following settings:
    Network Connection Type: Connect to the network at my workplace
    Network Connection: Virtual Private Network connection
    Connection Name: Electronic, Inc.
    VPN Server Selection: vpn.electronic.example.com
    Connection Availability: Anyone's use
    From the Connect Electronic, Inc. dialog box, click Properties, and then click the Networking tab.
    On the Networking tab, Type of VPN is set to L2TP/IPSec VPN. When Type of VPN is set to Automatic, a PPTP connection is tried first. In this case, the network administrator for Electronic, Inc. does not want remote access clients that are capable of establishing an L2TP/IPSec connection to use PPTP.
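The access-by-group model above rests on two rules: the first remote access policy whose conditions match an attempt decides, and that policy's profile then constrains the authentication method and encryption level. Here is an added Python model of that evaluation (not part of the white paper or the post); it encodes the Remote Access VPN Connections policy from this section and the VPN Routers policy from the branch office section, and its evaluation order and its "member of any listed group" reading of the group condition are assumptions of the model.

```python
"""Remote access policy evaluation for the Electronic, Inc. deployment.

Added example, not part of the white paper. Policy contents are the paper's;
the ordering and the group-condition semantics are modelling assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset        # condition: Windows groups (any listed group matches)
    access_method: str       # condition: "VPN" or "Dial-up"
    auth_methods: frozenset  # profile: permitted authentication methods
    encryption: frozenset    # profile: permitted encryption levels
    grant: bool = True       # remote access permission carried by the policy


@dataclass(frozen=True)
class Attempt:
    account: str
    groups: frozenset
    access_method: str
    auth_method: str
    encryption: str


# The paper's two policies, in the order the server evaluates them
POLICIES = (
    Policy("Remote Access VPN Connections", frozenset({"EXAMPLE\\VPN_Users"}), "VPN",
           frozenset({"EAP-TLS", "MS-CHAP v2", "MS-CHAP"}), frozenset({"Strong", "Strongest"})),
    Policy("VPN Routers", frozenset({"EXAMPLE\\VPN_Routers"}), "VPN",
           frozenset({"EAP-TLS", "MS-CHAP v2"}), frozenset({"Strong", "Strongest"})),
)


def evaluate(policies, attempt):
    """Return (decision, policy name, reason) for one connection attempt."""
    for policy in policies:
        if policy.access_method != attempt.access_method:
            continue
        if not (policy.groups & attempt.groups):
            continue
        # First match wins: later policies are never consulted for this
        # attempt, even if one of them would have accepted it.
        if not policy.grant:
            return "reject", policy.name, "remote access permission denied"
        if attempt.auth_method not in policy.auth_methods:
            return "reject", policy.name, f"{attempt.auth_method} not permitted by profile"
        if attempt.encryption not in policy.encryption:
            return "reject", policy.name, f"encryption level {attempt.encryption} not permitted"
        return "accept", policy.name, ""
    # Every account is set to "Control access through Remote Access Policy",
    # so with no matching policy there is nothing to fall back to.
    return "reject", None, "no matching remote access policy"


def matching_policies(policies, attempt):
    """Names of every policy whose conditions match the attempt.

    More than one name means the outcome depends purely on policy order; an
    account placed in both VPN_Users and VPN_Routers is governed by whichever
    policy is listed first, so group membership is worth auditing.
    """
    return [p.name for p in policies
            if p.access_method == attempt.access_method and p.groups & attempt.groups]
```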









  4. #4
    On-Demand Branch Office (VPN with Windows Server 2003)
    Updated: January 1, 2003
    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
    The Portland and Dallas branch offices of Electronic, Inc. are connected to the corporate office by using on-demand site-to-site VPN connections. Both the Portland and Dallas offices contain a small number of employees who only need occasional connectivity with the corporate office. The Windows Server 2003 routers in the Portland and Dallas offices are equipped with an ISDN adapter that dials a local Internet service provider to gain access to the Internet, and then a site-to-site VPN connection is made across the Internet. When the VPN connection is idle for five minutes, the routers at the branch offices terminate the VPN connection.
    The Dallas branch office uses the IP network ID of 192.168.28.0 with a subnet mask of 255.255.255.0 (192.168.28.0/24). The Portland branch office uses the IP network ID of 192.168.4.0 with a subnet mask of 255.255.255.0 (192.168.4.0/24).
    To simplify the configuration, the VPN connection is a one-way initiated connection that is always initiated by the branch office router. For more information, see the topic titled One-way Initiated Demand-Dial Connections in Windows Server 2003 Help and Support.
    Figure 3 shows the Electronic, Inc. VPN server that provides on-demand branch office connections.
    Figure 3: The Electronic, Inc. VPN server that provides on-demand branch office connections
    To deploy on-demand site-to-site VPN connections to connect the Portland and Dallas branch offices to the corporate office based on the settings configured in the Common Configuration for the VPN server section of this paper, the following additional settings are configured.
    Domain Configuration

    For the VPN connection to the Dallas office, the user account VPN_Dallas is created with the following settings:

    • Password of nY7W{q8~=z3.
    • For the account properties of the VPN_Dallas account, the User must change password at next logon option is cleared and Password never expires option is selected.
    • For the dial-in properties on the VPN_Dallas account, the remote access permission is set to Control access through Remote Access Policy and the static route 192.168.28.0 with a subnet mask of 255.255.255.0 is added.
    • The VPN_Dallas account is added to the VPN_Routers group.

    For the VPN connection to the Portland office, the user account VPN_Portland is created with the following settings:

    • Password of P*4s=wq!Gx1.
    • For the account properties of the VPN_Portland account, the User must change password at next logon option is cleared and Password never expires option is selected.
    • For the dial-in properties on the VPN_Portland account, the remote access permission is set to Control access through Remote Access Policy and the static route 192.168.4.0 with a subnet mask of 255.255.255.0 is added.
    • The VPN_Portland account is added to the VPN_Routers group.


    Remote Access Policy Configuration

    To define the authentication and encryption settings for the VPN routers, the following remote access policy is created:
    Policy name: VPN Routers
    Access method: VPN
    User or Group Access: Group with the EXAMPLE\VPN_Routers group selected
    Authentication Methods: Extensible Authentication Protocol with the Smart card or other Certificate type and Microsoft Encrypted Authentication version 2 (MS-CHAP v2) selected
    Policy Encryption Level: Strong encryption and Strongest encryption selected
    The following sections describe a PPTP-based on-demand branch office connection for the Dallas office and an L2TP/IPSec-based on-demand branch office connection for the Portland office.

    PPTP-based On-Demand Branch Office

    The Dallas branch office is a PPTP-based branch office that uses a Windows Server 2003 router to create an on-demand, site-to-site VPN connection with the VPN server in New York as needed. When the connection is made and is idle for five minutes, the connection is terminated.
    To deploy a PPTP, one-way initiated, on-demand, site-to-site VPN connection to the corporate office based on the settings configured in the Common Configuration for the VPN Server and On-Demand Branch Office sections of this paper, the following settings are configured on the Dallas router.

    Demand-Dial Interface for the Connection to the ISP

    To connect the Dallas office router to the Internet by using a local ISP, a demand-dial interface is created using the Demand-Dial Interface wizard with the following settings:

    • Interface Name: ISP
    • Connection Type: Connect using a modem, ISDN adapter, or other physical device
    • Select a Device: The appropriate ISDN device is selected.
    • Phone Number: Phone number of the ISP for the Dallas office.
    • Protocols and Security: The Route IP packets on this interface check box is selected.
    • Static Routes for Remote Networks

      To create the connection to the Dallas ISP when the site-to-site VPN connection needs to be made, the following static route is configured:

      Destination: 207.46.130.1

      Network mask: 255.255.255.255

      Metric: 1
    • Dial Out Credentials

      User name: Dallas office ISP account name

      Password: Dallas office ISP account password

      Confirm password: Dallas office ISP account password

    To run the Demand-Dial Interface wizard, right-click Network Interfaces, and then click New Demand-Dial Interface.

    Demand-Dial Interface for Site-to-Site VPN Connection

    To connect the Dallas office router to the VPN server by using a site-to-site VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

    • Interface Name: CorpHQ
    • Connection Type: Connect using virtual private networking (VPN)
    • VPN Type: Point to Point Tunneling Protocol (PPTP)
    • Destination Address: 207.46.130.1
    • Protocols and Security: The Route IP packets on this interface check box is selected.
    • Static Routes for Remote Networks

      To make all locations on the corporate intranet reachable, the following static route is configured:

      Destination: 172.16.0.0

      Network mask: 255.240.0.0

      Metric: 1

      To make all locations on Electronic, Inc. branch offices reachable, the following static route is configured:

      Destination: 192.168.0.0

      Network mask: 255.255.0.0

      Metric: 1
    • Dial Out Credentials

      User name: VPN_Dallas

      Domain: electronic.example.com

      Password: nY7W{q8~=z3

      Confirm password: nY7W{q8~=z3


    L2TP/IPSec-based On-Demand Branch Office

    The Portland branch office is an L2TP/IPSec-based branch office that uses a Windows Server 2003 router to create an on-demand, site-to-site VPN connection with the VPN server in New York as needed. When the connection is made and is idle for five minutes, the connection is terminated.
    To deploy an L2TP/IPSec, one-way initiated, on-demand, site-to-site VPN connection to the corporate office based on the settings configured in the Common Configuration for the VPN Server and On-Demand Branch Office sections of this paper, the following settings are configured on the Portland router:
    Certificate Configuration

    The Portland router was configured by the Electronic, Inc. network administrator while it was physically connected to the Electronic, Inc. intranet and then shipped to the Portland site. While the Portland router was connected to the Electronic, Inc. intranet, a computer certificate was installed through autoenrollment.


    Demand-Dial Interface for the Connection to the ISP

    To connect the Portland office router to the Internet by using a local ISP, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

    • Interface Name: ISP
    • Connection Type: Connect using a modem, ISDN adapter, or other physical device
    • Select a Device: The appropriate ISDN device is selected.
    • Phone Number: Phone number of the ISP for the Portland office.
    • Protocols and Security: The Route IP packets on this interface check box is selected.
    • Static Routes for Remote Networks

      To create the connection to the Portland ISP when the site-to-site VPN connection needs to be made, the following static route is configured:

      Destination: 207.46.130.1

      Network mask: 255.255.255.255

      Metric: 1
    • Dial Out Credentials

      User name: Portland office ISP account name

      Password: Portland office ISP account password

      Confirm password: Portland office ISP account password


    Demand-Dial Interface for Site-to-Site VPN Connection

    To connect the Portland office router to the VPN server by using a site-to-site VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

    • Interface Name: CorpHQ
    • Connection Type: Connect using virtual private networking (VPN)
    • VPN Type: Layer 2 Tunneling Protocol (L2TP)
    • Destination Address: 207.46.130.1
    • Protocols and Security: The Route IP packets on this interface check box is selected.
    • Static Routes for Remote Networks

      To make all locations on the corporate intranet reachable, the following static route is configured:

      Destination: 172.16.0.0

      Network mask: 255.240.0.0

      Metric: 1

      To make all locations on Electronic, Inc. branch offices reachable, the following static route is configured:

      Destination: 192.168.0.0

      Network mask: 255.255.0.0

      Metric: 1
    • Dial Out Credentials

      User name: VPN_Portland

      Domain: electronic.example.com

      Password: P*4s=wq!Gx1

      Confirm password: P*4s=wq!Gx1
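The two demand-dial interfaces on the Dallas router work as a chain: a packet for the corporate intranet matches the route over CorpHQ, and CorpHQ's destination address 207.46.130.1 matches the /32 route over ISP, which is what dials the ISDN link before the PPTP tunnel can come up. Here is an added Python simulation of that resolution and of the five-minute idle hang-up (not part of the white paper or the post); applying the same idle timeout to the ISP link as to the tunnel is an assumption of the model.

```python
"""Demand-dial chaining and idle hang-up for the Dallas branch office router.

Added example, not part of the white paper. Routes and the five-minute idle
timeout are the paper's; the timeout on the ISP link is an assumption.
"""
from ipaddress import ip_address, ip_network

IDLE_TIMEOUT = 5 * 60  # seconds; the branch routers hang up after five idle minutes


class DemandDialInterface:
    def __init__(self, name, destination=None):
        self.name = name
        # Peer the tunnel must reach; None for the ISP link, which dials a phone number
        self.destination = ip_address(destination) if destination else None
        self.connected = False
        self.last_activity = None
        self.dial_count = 0  # how many times the link has been brought up

    def carry(self, now):
        """Pass traffic at time `now`, dialling first if the link is down."""
        if not self.connected:
            self.connected = True
            self.dial_count += 1
        self.last_activity = now

    def expire(self, now):
        """Hang up once the link has carried nothing for IDLE_TIMEOUT seconds."""
        if self.connected and now - self.last_activity >= IDLE_TIMEOUT:
            self.connected = False


class DallasRouter:
    def __init__(self):
        self.isp = DemandDialInterface("ISP")
        self.corphq = DemandDialInterface("CorpHQ", destination="207.46.130.1")
        # (prefix, interface); None marks the directly connected branch LAN
        self.routes = [
            (ip_network("192.168.28.0/24"), None),
            (ip_network("207.46.130.1/32"), self.isp),
            (ip_network("172.16.0.0/12"), self.corphq),
            (ip_network("192.168.0.0/16"), self.corphq),
        ]

    def lookup(self, dest):
        """Longest-prefix match; (None, None) when nothing covers dest."""
        matches = [(n, i) for n, i in self.routes if dest in n]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else (None, None)

    def send(self, dest, now):
        """Forward one packet at time `now`; returns the resolution chain."""
        for iface in (self.corphq, self.isp):
            iface.expire(now)
        dest = ip_address(dest)
        chain = []
        while True:
            prefix, iface = self.lookup(dest)
            if prefix is None:
                return chain + ["no route"]
            if iface is None:
                return chain + ["LAN"]
            if iface.name in chain:  # guard against a tunnel routed over itself
                return chain + ["loop"]
            iface.carry(now)
            chain.append(iface.name)
            if iface.destination is None:  # physical link: nothing more to resolve
                return chain
            dest = iface.destination  # the tunnel endpoint must itself be reachable


if __name__ == "__main__":
    router = DallasRouter()
    for t, d in ((0, "172.16.5.9"), (150, "192.168.28.10"), (520, "192.168.28.10"), (530, "172.16.5.9")):
        print(t, d, "->", router.send(d, t), "dials:", router.corphq.dial_count)
```

Because the Dallas router's listed static routes cover only the VPN server's address and the two corporate summaries, a packet to any other Internet address has no route in this model, and local branch traffic never refreshes the idle timer, so the tunnel (and the ISDN call) drop after five quiet minutes even while the LAN is busy.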





  5. #5
    Persistent Branch Office (VPN with Windows Server 2003)
    Updated: January 1, 2003
    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
    The Chicago and Phoenix branch offices of Electronic, Inc. are connected to the corporate office by using persistent site-to-site VPN connections that stay connected 24 hours a day. The Windows Server 2003 routers in the Chicago and Phoenix offices are equipped with T1 WAN adapters that have a permanent connection to a local Internet service provider to gain access to the Internet.
    The Chicago branch office uses the IP network ID of 192.168.9.0 with a subnet mask of 255.255.255.0 (192.168.9.0/24). The Chicago branch office router uses the public IP address of 131.107.0.1 for its Internet interface. The Phoenix branch office uses the IP network ID of 192.168.14.0 with a subnet mask of 255.255.255.0 (192.168.14.0/24). The Phoenix branch office router uses the public IP address of 159.60.0.1 for its Internet interface.
    The VPN connection is a two-way initiated connection. The connection is initiated from either the branch office router or the VPN server. Two-way initiated connections require the creation of demand-dial interfaces, remote access policies, IP address pools, and packet filters on the routers on both sides of the connection.
    Figure 4 shows the Electronic, Inc. VPN server that provides persistent branch office connections.
    Figure 4: The Electronic, Inc. VPN server that provides persistent branch office connections
    To deploy persistent site-to-site VPN connections to connect the Chicago and Phoenix branch offices to the corporate office based on the settings configured in the Common Configuration for the VPN Server section of this paper, the following additional settings are configured.
    Domain Configuration

    For the Chicago office VPN connection that is initiated by the Chicago router, the user account VPN_Chicago is created with the following settings:

    • Password of U9!j5dP(%q1.
    • For the account properties of the VPN_Chicago account, the User must change password at next logon option is cleared and Password never expires option is selected.
    • For the dial-in properties on the VPN_Chicago account, the remote access permission is set to Control access through Remote Access Policy.
    • The VPN_Chicago account is added to the VPN_Routers group.

    For the Phoenix office VPN connection that is initiated by the Phoenix router, the user account VPN_Phoenix is created with the following settings:

    • Password of z2F%s)bW$4f.
    • For the account properties of the VPN_Phoenix account, the User must change password at next logon option is cleared and Password never expires option is selected.
    • For the dial-in properties on the VPN_Phoenix account, the remote access permission is set to Control access through Remote Access Policy.
    • The VPN_Phoenix account is added to the VPN_Routers group.

    For the Chicago office VPN connection and the Phoenix office VPN connection that are initiated by the VPN server, the user account VPN_CorpHQ is created with the following settings:

    • Password of o3\Dn6@`-J4.
    • For the dial-in properties on the VPN_CorpHQ account, the remote access permission is set to Control access through Remote Access Policy.
    • The VPN_CorpHQ account is added to the VPN_Routers group.


    Remote Access Policy Configuration

    Remote access policies must be configured at the VPN server, the Chicago router, and the Phoenix router.
    Remote Access Policy Configuration at the VPN Server

    The remote access policy configuration for the VPN server is the same as described in the On-Demand Branch Office section of this paper.

    Remote Access Policy Configuration at the Chicago Router

    To define the authentication and encryption settings for the VPN connections, the default policy named Allow access if dial-in permission is enabled is deleted and the following remote access policy is created:

    • Policy name: VPN Routers
    • Access method: VPN
    • User or Group Access: Group with the VPN_Routers group selected
    • Authentication Methods: Extensible Authentication Protocol with the Smart card or other Certificate type and Microsoft Encrypted Authentication version 2 (MS-CHAP v2) selected
    • Policy Encryption Level: Strong encryption and Strongest encryption selected


    Remote Access Policy Configuration at the Phoenix Router

    To define the authentication and encryption settings for the VPN connections, the default policy named Allow access if dial-in permission is enabled is deleted and the following remote access policy is created:

    • Policy name: VPN Routers
    • Access method: VPN
    • User or Group Access: Group with the VPN_Routers group selected
    • Authentication Methods: Extensible Authentication Protocol with the Smart card or other Certificate type and Microsoft Encrypted Authentication version 2 (MS-CHAP v2) selected
    • Policy Encryption Level: Strong encryption and Strongest encryption selected



    IP Address Pool Configuration

    IP address pools must be configured at the VPN server, the Chicago router, and the Phoenix router.
    IP Address Pool Configuration at the VPN Server

    The IP address pool configuration for the VPN server is the same as described in the Common Configuration for the VPN Server section of this paper.

    IP Address Pool Configuration at the Chicago Router

    A static IP address pool with a starting IP address of 192.168.9.248 and an ending IP address of 192.168.9.253 is configured. This creates a static address pool for up to five VPN clients.
    For more information, see the topic titled Creating a Static IP Address Pool in Windows Server 2003 Help and Support.

    IP Address Pool Configuration at the Phoenix Router

    A static IP address pool with a starting IP address of 192.168.14.248 and an ending IP address of 192.168.14.253 is configured. This creates a static address pool for up to five VPN clients.
    For more information, see the topic titled Creating a Static IP Address Pool in Windows Server 2003 Help and Support.
    The following sections describe a PPTP-based persistent branch office connection for the Chicago office and an L2TP/IPSec-based persistent branch office connection for the Phoenix office.


    PPTP-based Persistent Branch Office

    The Chicago branch office is a PPTP-based branch office that uses a Windows Server 2003 VPN router to create a persistent, site-to-site VPN connection with the VPN server in New York. The connection is never terminated, even when idle.
    To deploy a PPTP, two-way initiated, persistent, site-to-site VPN connection to the corporate office based on the settings configured in the Common Configuration for the VPN Server and Persistent Branch Office sections of this paper, the following settings are configured on the VPN server and Chicago router.
    VPN Server Configuration

    The VPN server is configured with a demand-dial interface, static routes, and PPTP packet filters.
    Demand-Dial Interface for Site-to-Site VPN Connection

    To connect the VPN server to the Chicago router by using a site-to-site VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

    • Interface Name: VPN_Chicago
    • Connection Type: Connect using virtual private networking (VPN)
    • VPN Type: Point to Point Tunneling Protocol (PPTP)
    • Destination Address: 131.107.0.1
    • Protocols and Security: The Route IP packets on this interface check box is selected.
    • Static Routes for Remote Networks

      To make all locations on the Chicago network reachable, the following static route is configured:

      Destination: 192.168.9.0

      Network mask: 255.255.255.0

      Metric: 1
    • Dial Out Credentials

      User name: VPN_CorpHQ

      Domain: electronic.example.com

      Password: o3\Dn6@`-J4

      Confirm password: o3\Dn6@`-J4

    Once the demand-dial interface is created, the following change is made:

    • For the properties of the demand-dial interface, on the Options tab, under Connection type, Persistent connection is selected.



    Chicago Router Configuration

    The Chicago router is configured with a demand-dial interface and static routes.
    Demand-dial interface for site-to-site VPN connection

    To connect the Chicago office router to the VPN server by using a site-to-site VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

    • Interface Name: VPN_CorpHQ
    • Connection Type: Connect using virtual private networking (VPN)
    • VPN Type: Layer 2 Tunneling Protocol (L2TP)
    • Destination Address: 207.46.130.1
    • Protocols and Security: The Route IP packets on this interface check box is selected.
    • Static Routes for Remote Networks

      To make all locations on the corporate intranet reachable, the following static route is configured:

      Destination: 172.16.0.0

      Network mask: 255.240.0.0

      Metric: 1

      To make all locations on Electronic, Inc. branch offices reachable, the following static route is configured:

      Destination: 192.168.0.0

      Network mask: 255.255.0.0

      Metric: 1
    • Dial Out Credentials

      User name: VPN_Chicago

      Domain: electronic.example.com

      Password: U9!j5dP(%q1

      Confirm password: U9!j5dP(%q1

    Once the demand-dial interface is created, the following change is made:

    • For the properties of the demand-dial interface, on the Options tab, under Connection type, Persistent connection is selected.


    Static route for the Electronic, Inc. VPN server

    To make the Electronic, Inc. VPN server on the Internet reachable, the following static route is configured:

    • Interface: The WAN adapter attached to the Internet
    • Destination: 207.46.130.1
    • Network mask: 255.255.255.255
    • Gateway: 0.0.0.0
    • Metric: 1

    Note: Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example. 0.0.0.0 is the unspecified IP address.





    L2TP/IPSec-based Persistent Branch Office

    The Phoenix branch office is an L2TP/IPSec-based branch office that uses a Windows Server 2003 router to create a persistent, site-to-site VPN connection with the VPN server in New York. The connection is never terminated, even when idle.
    To deploy an L2TP/IPSec, two-way initiated, persistent, site-to-site VPN connection to the corporate office based on the settings configured in the Common Configuration for the VPN Server and Persistent Branch Office sections of this paper, the following settings are configured on the VPN server and Phoenix router.
    VPN Server Configuration

    The VPN server is configured with a demand-dial interface and a static route.
    Demand-Dial Interface for Site-to-Site VPN Connection

    To connect the VPN server to the Phoenix router by using a site-to-site VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

    • Interface Name: VPN_Phoenix
    • Connection Type: Connect using virtual private networking (VPN)
    • VPN Type: Layer 2 Tunneling Protocol (L2TP)
    • Destination Address: 159.60.0.1
    • Protocols and Security: The Route IP packets on this interface check box is selected.
    • Static Routes for Remote Networks

      To make all locations on the Phoenix network reachable, the following static route is configured:

      Destination: 192.168.14.0

      Network mask: 255.255.255.0

      Metric: 1
    • Dial Out Credentials

      User name: VPN_CorpHQ

      Domain: electronic.example.com

      Password: o3\Dn6@`-J4

      Confirm password: o3\Dn6@`-J4

    After the demand-dial interface is created, the following change is made:

    • For the properties of the demand-dial interface, on the Options tab, under Connection type, Persistent connection is selected.



    Phoenix Router Configuration

    The Phoenix router was configured by the Electronic, Inc. network administrator while connected to the Electronic, Inc. intranet and then shipped to the Phoenix site. While the Phoenix router was connected to the Electronic, Inc. intranet, a computer certificate was installed through autoenrollment. Additionally, the Phoenix router computer was configured with a demand-dial interface and a static route.
    Demand-Dial Interface for Site-to-Site VPN Connection

    To connect the Phoenix office router to the VPN server by using a site-to-site VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

    • Interface Name: VPN_CorpHQ
    • Connection Type: Connect using virtual private networking (VPN)
    • VPN Type: Layer 2 Tunneling Protocol (L2TP)
    • Destination Address: 207.46.130.1
    • Protocols and Security: The Route IP packets on this interface check box is selected.
    • Static Routes for Remote Networks

      To make all locations on the corporate intranet reachable, the following static route is configured:

      Destination: 172.16.0.0

      Network mask: 255.240.0.0

      Metric: 1

      To make all locations on Electronic, Inc. branch offices reachable, the following static route is configured:

      Destination: 192.168.0.0

      Network mask: 255.255.0.0

      Metric: 1
    • Dial Out Credentials

      User name: VPN_Phoenix

      Domain: electronic.example.com

      Password: z2F%s)bW$4f

      Confirm password: z2F%s)bW$4f

    Once the demand-dial interface is created, the following change is made:

    • For the properties of the demand-dial interface, on the Options tab, under Connection type, Persistent connection is selected.


    Static Route for the Electronic, Inc. VPN Server

    To make the Electronic, Inc. VPN server on the Internet reachable, the following static route is configured:
    • Interface: The WAN adapter attached to the Internet
    • Destination: 207.46.130.1
    • Network mask: 255.255.255.255
    • Gateway: 0.0.0.0
    • Metric: 1

    Note: Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example. 0.0.0.0 is the unspecified IP address.
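    The branch router route tables above are resolved by longest-prefix match, which is why the /32 host route for the VPN server on the WAN adapter is safe to combine with the broad intranet and branch-office routes. The following is an added example, not code from the white paper or the forum post: it models the Chicago router's static routes (plus an assumed "LAN" interface for its own 192.168.9.0/24 subnet, which the paper does not name) and shows which interface each destination is sent to, including the case of a hypothetical default route pointing into the tunnel.

```python
"""Longest-prefix-match walk over the Chicago branch router's static routes.

Added example (not from the white paper). Routes are the ones the paper
configures on the Chicago router; the "LAN" interface name and the
DEFAULT_VIA_TUNNEL route are assumptions added for illustration.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class StaticRoute(NamedTuple):
    destination: ipaddress.IPv4Network
    interface: str
    metric: int


def route(dest: str, mask: str, interface: str, metric: int = 1) -> StaticRoute:
    """Build a route from the dotted destination/mask pair the RRAS UI asks for."""
    return StaticRoute(ipaddress.IPv4Network(f"{dest}/{mask}"), interface, metric)


# Chicago Router Configuration, as in the paper, plus the directly attached
# branch subnet (assumed interface name "LAN").
CHICAGO_ROUTES: List[StaticRoute] = [
    route("192.168.9.0", "255.255.255.0", "LAN"),             # local branch subnet
    route("172.16.0.0", "255.240.0.0", "VPN_CorpHQ"),         # corporate intranet
    route("192.168.0.0", "255.255.0.0", "VPN_CorpHQ"),        # all branch offices
    route("207.46.130.1", "255.255.255.255", "WAN adapter"),  # the VPN server itself
]

# Hypothetical default route sending everything else into the tunnel; not in
# the paper, included only to show that the /32 host route still wins.
DEFAULT_VIA_TUNNEL = route("0.0.0.0", "0.0.0.0", "VPN_CorpHQ")


def lookup(routes: List[StaticRoute], address: str) -> Optional[StaticRoute]:
    """Return the most specific matching route (longest prefix, then lowest
    metric), or None when nothing covers the address (no default route)."""
    target = ipaddress.IPv4Address(address)
    matches = [r for r in routes if target in r.destination]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.destination.prefixlen, -r.metric))


def next_hop_interface(routes: List[StaticRoute], address: str) -> Optional[str]:
    """Interface a packet for `address` leaves on, or None if unroutable."""
    chosen = lookup(routes, address)
    return chosen.interface if chosen else None


if __name__ == "__main__":
    for dst in ("192.168.9.50", "192.168.14.5", "172.31.0.10", "207.46.130.1", "131.107.0.1"):
        print(f"{dst:>14} -> {next_hop_interface(CHICAGO_ROUTES, dst)}")
```

    Note that traffic for another branch (192.168.14.x, Phoenix) is sent to VPN_CorpHQ and relayed by the New York VPN server; the branches have no direct route to each other.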




  6. #6
    Extranet for Business Partners (VPN with Windows Server 2003)
    Updated: January 1, 2003
    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
    The network administrator for Electronic, Inc. has created an extranet, a portion of the Electronic, Inc. private network that is available to business partners through secured VPN connections. The Electronic, Inc. extranet is the network attached to the Electronic, Inc. VPN server and contains a file server and a Web server. Parts distributors Tasmanian Traders and Parnell Aerospace are Electronic, Inc. business partners and connect to the Electronic, Inc. extranet by using on-demand, site-to-site VPN connections. An additional remote access policy is used to ensure that the business partners can only access the extranet file server and Web server.
    The file server on the Electronic, Inc. extranet is configured with an IP address of 172.31.0.10 and the Web server is configured with an IP address of 172.31.0.11. Tasmanian Traders uses the public network ID of 131.107.254.0 with a subnet mask of 255.255.255.0. Parnell Aerospace uses the public network ID of 131.107.250.0 with a subnet mask of 255.255.255.0. To ensure that the extranet Web server and file server can reach the business partners, static routes are configured on the file server and Web server for each of the business partner networks that use the gateway address of 172.31.0.1.
    To simplify configuration, the VPN connection is a one-way initiated connection. The business partner's router always initiates the connection. For more information, see the topic titled One-Way Initiated Demand-Dial Connections in Windows Server 2003 Help and Support.
    Figure 5 shows the Electronic, Inc. VPN server that provides extranet connections for business partners.
    Figure 5: The Electronic, Inc. VPN server that provides extranet connections for business partners
    To deploy business partner, on-demand, one-way initiated, site-to-site VPN connections to connect Tasmanian Traders and Parnell Aerospace to the Electronic, Inc. extranet based on the settings configured in the Common Configuration for the VPN Server section of this paper, the following additional settings are configured.
    Domain Configuration

    For the VPN connection to Tasmanian Traders, the user account PTR_Tasmanian is created with the following settings:

    • Password of Y8#-vR7?]fI.
    • For the account properties of the PTR_Tasmanian account, the User must change password at next logon option is cleared and Password never expires option is selected.
    • For the dial-in properties on the PTR_Tasmanian account, the remote access permission is set to Control access through Remote Access Policy and the static route 131.107.254.0 with a subnet mask 255.255.255.0 is added.
    • The PTR_Tasmanian account is added to the VPN_Partners group.

    For the VPN connection to Parnell Aerospace, the user account PTR_Parnell is created with the following settings:

    • Password of W@8c^4r-;2\.
    • For the account properties of the PTR_Parnell account, the User must change password at next logon option is cleared and Password never expires option is selected.
    • For the dial-in properties on the PTR_Parnell account, the remote access permission is set to Control access through Remote Access Policy and the static route 131.107.250.0 with a subnet mask 255.255.255.0 is added.
    • The PTR_Parnell account is added to the VPN_Partners group.


    Remote Access Policy Configuration

    To define the authentication and encryption settings for business partner VPN connections, the following remote access policy is created:

    • Policy name: VPN Partners
    • Access method: VPN
    • User or Group Access: Group with the EXAMPLE\VPN_Partners group selected
    • Authentication Methods: Extensible Authentication Protocol with the Smart card or other Certificate type and Microsoft Encrypted Authentication version 2 (MS-CHAP v2) selected
    • Policy Encryption Level: Strong encryption and Strongest encryption selected

    After the remote access policy is created, its configuration is modified in the following way:

    • On the IP tab of the profile settings, the following TCP/IP packet filters are configured:

    Input Filters:

    • Filter action: Deny all traffic except those listed below
    • Filter 1: Destination network IP address of 172.31.0.10 and subnet mask of 255.255.255.255
    • Filter 2: Destination network IP address of 172.31.0.11 and subnet mask of 255.255.255.255

    Output Filters:

    • Filter action: Deny all traffic except those listed below
    • Filter 1: Source network IP address of 172.31.0.10 and subnet mask of 255.255.255.255
    • Filter 2: Source network IP address of 172.31.0.11 and subnet mask of 255.255.255.255

    The following sections describe a PPTP-based extranet for the business partner Tasmanian Traders and an L2TP/IPSec-based extranet for the business partner Parnell Aerospace.

    PPTP-based Extranet for Business Partners

    Tasmanian Traders is a business partner that uses a Windows Server 2003 router to create an on-demand, PPTP-based, site-to-site VPN connection with the Electronic, Inc. VPN server in New York as needed. When the connection is created and is idle for five minutes, the connection is terminated. The Tasmanian Traders router is connected to the Internet by using a permanent WAN connection.
    To deploy a PPTP, one-way initiated, on-demand, site-to-site VPN connection to the corporate office based on the settings configured in the Common Configuration for the VPN Server and Extranet for Business Partners sections of this paper, the following settings are configured on the Tasmanian Traders router.
    Demand-Dial Interface for Site-to-Site VPN Connection

    To connect the Tasmanian Traders router to the Electronic, Inc. VPN server by using a site-to-site VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

    • Interface Name: Electronic
    • Connection Type: Connect using virtual private networking (VPN)
    • VPN Type: Point to Point Tunneling Protocol (PPTP)
    • Destination Address: 207.46.130.1
    • Protocols and Security: The Route IP packets on this interface check box is selected.
    • Static Routes for Remote Networks

      To make all locations on the Electronic, Inc. extranet reachable, the following static route is configured:

      Destination: 172.31.0.0

      Network mask: 255.255.0.0

      Metric: 1
    • Dial Out Credentials

      User name: PTR_Tasmanian

      Domain: electronic.example.com

      Password: Y8#-vR7?]fI

      Confirm password: Y8#-vR7?]fI



    L2TP/IPSec-based Extranet for Business Partners

    Parnell Aerospace is a business partner that uses a Windows Server 2003 router to create an on-demand, L2TP/IPSec-based, site-to-site VPN connection with the Electronic, Inc. VPN server in New York as needed. When the connection is created and is idle for five minutes, the connection is terminated. The Parnell Aerospace router is connected to the Internet by using a permanent WAN connection.
    To deploy an L2TP/IPSec, one-way initiated, on-demand, site-to-site VPN connection to the corporate office based on the settings configured in the Common Configuration for the VPN Server and Extranet for Business Partners sections of this paper, the following settings are configured on the Parnell Aerospace router:
    Certificate Configuration

    The Parnell Aerospace router was configured by the Electronic, Inc. network administrator while physically connected to the Electronic, Inc. intranet and then shipped to the network administrator at Parnell Aerospace. While the Parnell Aerospace router was connected to the Electronic, Inc. intranet, a computer certificate was installed through auto-enrollment.
    Demand-Dial Interface for Site-to-Site VPN Connection

    To connect the Parnell Aerospace router to the Electronic, Inc. VPN server by using a site-to-site VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

    • Interface Name: Electronic
    • Connection Type: Connect using virtual private networking (VPN)
    • VPN Type: Layer 2 Tunneling Protocol (L2TP)
    • Destination Address: 207.46.130.1
    • Protocols and Security: The Route IP packets on this interface check box is selected.
    • Static Routes for Remote Networks

      To make all locations on the Electronic, Inc. extranet reachable, the following static route is configured:

      Destination: 172.31.0.0

      Network mask: 255.255.0.0

      Metric: 1
    • Dial Out Credentials:

      User name: PTR_Parnell

      Domain: electronic.example.com

      Password: W@8c^4r-;2\

      Confirm password: W@8c^4r-;2\
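    The VPN Partners policy profile restricts partners to the two extranet hosts with a pair of "deny all traffic except those listed below" filter lists: input filters on the destination address for packets arriving from the partner, and output filters on the source address for packets sent back. The following is an added example, not code from the white paper or the forum post: it reproduces those filters and applies them to constructed partner addresses so the policy's effect can be checked; the sample hosts inside the 131.107.254.0 and 131.107.250.0 partner networks are constructed.

```python
"""Packet-filter evaluation for the 'VPN Partners' remote access policy.

Added example (not from the white paper). The filter lists mirror the IP tab
of the policy profile; partner host addresses are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Filter:
    """One RRAS-style filter: an address/mask for the source and/or destination.
    A field left as None is not checked (matches any address)."""
    source: Optional[Net] = None
    destination: Optional[Net] = None

    def matches(self, src: str, dst: str) -> bool:
        return ((self.source is None or ipaddress.IPv4Address(src) in self.source)
                and (self.destination is None or ipaddress.IPv4Address(dst) in self.destination))


@dataclass(frozen=True)
class FilterSet:
    """A filter list with its action. deny_except=True is the paper's
    'Deny all traffic except those listed below'; False is the alternative
    action, 'Permit all traffic except those listed below'."""
    filters: List[Filter]
    deny_except: bool = True

    def permits(self, src: str, dst: str) -> bool:
        hit = any(f.matches(src, dst) for f in self.filters)
        return hit if self.deny_except else not hit


def host(addr: str) -> Net:
    """Single-host filter: address with subnet mask 255.255.255.255."""
    return Net(f"{addr}/255.255.255.255")


FILE_SERVER, WEB_SERVER = "172.31.0.10", "172.31.0.11"

# Input filters: packets received from the partner over the VPN connection.
PARTNER_INPUT = FilterSet([Filter(destination=host(FILE_SERVER)),
                           Filter(destination=host(WEB_SERVER))])
# Output filters: packets sent toward the partner over the VPN connection.
PARTNER_OUTPUT = FilterSet([Filter(source=host(FILE_SERVER)),
                            Filter(source=host(WEB_SERVER))])


def partner_flow_allowed(partner_host: str, electronic_host: str) -> bool:
    """True only if the partner host can both reach the Electronic, Inc. host
    (input filters) and receive its replies (output filters)."""
    return (PARTNER_INPUT.permits(partner_host, electronic_host)
            and PARTNER_OUTPUT.permits(electronic_host, partner_host))


if __name__ == "__main__":
    # Constructed partner hosts: one in each partner's public network.
    for partner in ("131.107.254.20", "131.107.250.7"):
        for target in (FILE_SERVER, WEB_SERVER, "172.31.0.1", "172.16.1.10"):
            print(f"{partner} -> {target}: {'allow' if partner_flow_allowed(partner, target) else 'deny'}")
```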





  7. #7
    Dial-up and VPNs with RADIUS Authentication (VPN with Windows Server 2003)
    Updated: January 1, 2003
    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
    In addition to VPN-based remote access, the network administrator for Electronic, Inc. wants to provide modem-based dial-up remote access for employees of the New York office. All employees of the New York office belong to an Active Directory group called NY_Employees. A separate remote access server running Windows Server 2003 provides dial-up remote access at the phone number 555-0111. Rather than administer the remote access policies of both the VPN server and the remote access server separately, the network administrator is using a computer running Windows Server 2003 with the Internet Authentication Service (IAS) as a RADIUS server. The IAS server has an IP address of 172.31.0.9 on the Electronic, Inc. extranet and provides centralized remote access authentication, authorization, and accounting for both the remote access server and the VPN server.
    Figure 6 shows the Electronic, Inc. RADIUS server that provides authentication and accounting for the VPN server and the remote access server.
    Figure 6: The Electronic, Inc. RADIUS server that provides authentication and accounting for the VPN server and the remote access server
    Domain Configuration

    For each New York office employee that is allowed dial-up access, the remote access permission for the dial-in properties of the user account is set to Control access through Remote Access Policy.
    Remote Access Policy Configuration

    Remote access policies must be modified in two ways:

    1. The existing remote access policies that are configured on the VPN server must be copied to the IAS server.
    2. A new remote access policy is added for dial-up remote access clients on the IAS server.


    Copying the Remote Access Policies

    Once the VPN server is configured to use RADIUS authentication, the remote access policies stored on the VPN server are no longer used. Instead, the remote access policies stored on the IAS server are used. Therefore, the current set of remote access policies is copied to the IAS server.
    For more information, see the topic titled Copying the IAS Configuration to Another Server in Windows Server 2003 Help and Support.

    Creating a New Remote Access Policy for Dial-up Remote Access Clients

    To define the authentication and encryption settings for dial-up connections by employees of the New York office, the following remote access policy is created on the RADIUS server computer:

    • Policy name: Dial-Up for New York Employees
    • Access method: Dial-up
    • User or Group Access: Group with the EXAMPLE\NY_Employees group selected
    • Authentication Methods: Extensible Authentication Protocol with the Smart card or other Certificate type, Microsoft Encrypted Authentication (MS-CHAP), and Microsoft Encrypted Authentication version 2 (MS-CHAP v2) are selected
    • Policy Encryption Level: All options selected


    RADIUS Configuration

    To configure RADIUS authentication and accounting, the network administrator for Electronic, Inc. configures the following:

    • The RADIUS server is a computer running Windows Server 2003 with the Internet Authentication Service networking component installed. The Internet Authentication Service is configured for two RADIUS clients: the remote access server and the VPN server. For more information, see the topic titled Registering RADIUS Clients in Windows Server 2003 Help and Support.
    • The remote access server is configured to use RADIUS authentication and accounting at the IP address of 172.31.0.9 and a shared secret. For more information, see the topics titled Configuring RADIUS authentication and Configuring RADIUS accounting in Windows Server 2003 Help and Support.
    • The VPN server is configured to use RADIUS authentication and accounting at the IP address of 172.31.0.9 and a shared secret.


    Dial-up Remote Access Client Configuration

    On the Windows XP remote access client computers, the New Connection Wizard is used to create a dial-up connection with the following settings:
    • Network Connection Type: Connect to the network at my workplace
    • Network Connection: Dial-up connection
    • Connection Name: Electronic, Inc.
    • Phone Number: 555-0111
    • Connection Availability: Anyone's use










  8. #8
    Summary (VPN with Windows Server 2003)
    Updated: January 1, 2003
    Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
    Electronic, Inc. used VPN technologies included with Windows Server 2003 and Windows XP to leverage the connectivity of the Internet to connect remote users, branch offices, and business partners. Electronic, Inc.'s Windows Server 2003 VPN and dial-up remote access servers, used in conjunction with the Internet Authentication Service, provide centralized authentication, authorization, accounting, and administration of remote access policies for a VPN and dial-up remote access solution.







