Common Configuration for the VPN Server
Common Configuration for the VPN server
To deploy a VPN solution for Electronic, Inc., the network administrator performs an analysis and makes design decisions regarding:
The network configuration.
The remote access policy configuration.
The domain configuration.
The security configuration.
The key elements of the network configuration are:
The Electronic, Inc. corporate intranet uses the private networks of 172.16.0.0 with a subnet mask of 255.240.0.0 and 192.168.0.0 with a subnet mask of 255.255.0.0. The corporate campus network segments use subnets of 172.16.0.0 and the branch offices use subnets of 192.168.0.0.
The VPN server computer is directly attached to the Internet using a T3 (also known as a DS-3) dedicated WAN link.
The IP address of the WAN adapter on the Internet is 184.108.40.206 as allocated by the Internet service provider (ISP) for Electronic, Inc. The IP address of the WAN adapter is referred to on the Internet by the domain name vpn.electronic.microsoft.com.
The VPN server computer is directly attached to an intranet network segment that contains a router that connects to the rest of the Electronic, Inc. corporate campus intranet. The intranet network segment has the IP network ID of 172.31.0.0 with the subnet mask of 255.255.0.0.
The VPN server computer is configured with a static pool of IP addresses to allocate to remote access clients and calling routers that is a subset of the intranet network segment (an on-subnet address pool).
Figure 1 shows the network configuration of the Electronic, Inc. VPN server.
Figure 1: The network configuration of the Electronic, Inc. VPN server
Based on the network configuration of the Electronic, Inc. corporate campus intranet, the VPN server computer is configured as follows:
Install hardware on the VPN server.
The network adapter that is used to connect to the intranet segment and the WAN adapter that is used to connect to the Internet are installed according to the adapter manufacturer's instructions. Once drivers are installed and functioning, both adapters appear as local area connections in the Network and Dial-up Connections folder.
Configure TCP/IP on the LAN and WAN adapters. For the LAN adapter, an IP address of 172.31.0.1 with a subnet mask 255.255.0.0 is configured. For the WAN adapter, an IP address of 220.127.116.11 with a subnet mask 255.255.255.255 is configured. A default gateway is not configured for either adapter. DNS and WINS server addresses are also configured.
Install the Routing and Remote Access service. The Routing and Remote Access Server Setup wizard is run. In the wizard, the Manually configured server option is selected. For more information, see the "Enabling the Routing and Remote Access service" procedure in Appendix A.
After the wizard is complete, a static IP address pool with a starting IP address of 172.31.255.1 and an ending IP address of 172.31.255.254 is configured. This creates a static address pool for up to 253 VPN clients.
For more information, see the "Creating a Static IP Address Pool" procedure in Appendix A.
The default method of authenticating remote access and demand-dial connections is to use Windows authentication, which is appropriate in this configuration containing only one VPN server. For information on the use of RADIUS authentication for Electronic, Inc., see the "Dial-up and VPNs with RADIUS" section in this paper. For more information on the use of Windows and RADIUS authentication, see the topic titled "Authentication vs. Authorization" in the Windows 2000 Server Help.
Enable the EAP authentication method.
To enable the use of smart card-based remote access VPN clients and certificate-based calling routers, the network administrator enables the Extensible Authentication Protocol (EAP) on the VPN server.
For more information, see the "Enabling EAP" procedure in Appendix A.
Configure static routes on the VPN server to reach intranet and Internet locations.
To reach intranet locations, a static route is configured with the following settings:
Interface: The LAN adapter attached to the intranet
Network mask: 255.240.0.0
This static route simplifies routing by summarizing all destinations on the Electronic, Inc. intranet. This static route is used so that the VPN server does not need to be configured with a routing protocol such as RIP or OSPF. For more information on routing basics, see the "Unicast Routing Principles" white paper at http://www.microsoft.com/NTServer/commserv/techdetails/prodarch/unicast.asp and the Windows 2000 Server Help.
To reach Internet locations, a static route is configured with the following settings:
Interface: The WAN adapter attached to the Internet
Network mask: 0.0.0.0
This static route summarizes all destinations on the Internet. This route allows the VPN server to respond to a remote access client or demand-dial router VPN connection from anywhere on the Internet.
Note: Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example. 0.0.0.0 is the unspecified IP address.
Increase the number of PPTP and L2TP ports. By default, only five L2TP ports and five PPTP ports are enabled for VPN connections. The number of L2TP and PPTP ports is increased to 253. For more information, see the "Adding PPTP or L2TP Ports" procedure in Appendix A.
Configure PPTP and L2TP over IPSec packet filters. Both PPTP and L2TP over IPSec packet filters are configured on the WAN adapter that connects to the Internet. To secure the VPN server from sending or receiving any traffic on its Internet interface, except for PPTP or L2TP over IPSec traffic from branch office routers or remote access clients, PPTP and L2TP over IPSec input and output filters must be configured on the Internet interface. Because IP routing is enabled on the Internet interface, if you do not configure L2TP over IPSec and PPTP filters on the Internet interface of the VPN server, then any traffic received on the Internet interface is routed, potentially forwarding unwanted Internet traffic to the intranet. For more information, see the "Adding PPTP Packet Filters" and "Adding L2TP Packet Filters" procedures in Appendix A. For information on IP packet filtering, see Windows 2000 Server Help and the Microsoft Windows 2000 Server Resource Kit Internetworking Guide.
Setting the phone number for the PPTP and L2TP devices. To assist in the configuration of remote access policies that confine VPN connections from Internet users, the port properties for the WAN Miniport (PPTP) and WAN Miniport (L2TP) devices are modified with the IP address of the VPN server's Internet interface in the Phone number for this device field. For more information, see the "Setting a Phone Number on a Device" procedure in Appendix A.
Configure a static route on the intranet router to reach all branch offices. To reach branch office locations from the intranet router, a static route is configured with the following settings:
Interface: The LAN adapter attached to the intranet
Network mask: 255.255.0.0
This static route simplifies routing by summarizing all destinations at Electronic, Inc. branch offices.
Remote Access Policy Configuration
Electronic, Inc. has migrated to a Windows 2000-based native-mode domain and the network administrator for Electronic, Inc. has decided on an access-by-policy administrative model. The remote access permission on all user accounts is set to Control access through Remote Access Policy. The granting of remote access permission to connection attempts is controlled by the remote access permission setting on the first matching remote access policy. Remote access policies are used to apply different VPN connection settings based on group membership, and the default remote access policy named Allow access if dial-in permission is enabled is deleted.
For more information, see the topic "Remote Access Policy Administrative Models" in Windows 2000 Server Help.
To take advantage of the ability to apply different connection settings to different types of VPN connections, the following Windows 2000 groups are created.
Used for remote access VPN connections
Used for router-to-router VPN connections from Electronic, Inc. branch offices
Used for router-to-router VPN connections from Electronic, Inc. business partners
Note: All users and groups in this scenario are created in the electronic.microsoft.com Active Directory™ domain.
To enable L2TP over IPSec connections and the use of smart cards by remote access clients, the Electronic, Inc. domain is configured to auto-enroll machine certificates to all domain members.
For more information, see the "Configuring Automatic Certificate Allocation" procedure in Appendix A.