VPN Remote Access Example

Applies To: Windows Server 2008, Windows Server 2008 R2

Remote access for Fabrikam, Inc. employees is deployed by using remote access VPN connections across the Internet based on the settings configured in the previous topic Common Configuration for the VPN Server, and the following additional settings.

The following illustration shows the Fabrikam, Inc. VPN server that provides remote access VPN connections.

Domain configuration

For each employee that is allowed VPN access:

  • The network access permission on the dial-in properties of the user account is set to Control access through NPS Network Policy.

  • The user account is added to the VPN_Users group in Active Directory.
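
The following Windows PowerShell script is an added audit example, not part of the original topic. It checks that every member of VPN_Users has its network access permission left at Control access through NPS Network Policy (the msNPAllowDialin attribute is not set), and lists accounts with an explicit Allow access setting, which overrides the Permission setting of any network policy that matches them. It assumes the Active Directory module for Windows PowerShell is installed and uses the VPN_Users group name from this topic.

```powershell
# Added audit script (not from the original topic). Assumes the Active Directory
# module for Windows PowerShell and the VPN_Users group described above.
Import-Module ActiveDirectory

$GroupName = 'VPN_Users'

# msNPAllowDialin on the user object maps to the dial-in properties:
#   $true    = "Allow access"
#   $false   = "Deny access"
#   not set  = "Control access through NPS Network Policy"
function Get-DialinSetting {
    param($User)
    $value = $User.msNPAllowDialin
    if ($value -eq $true)      { 'Allow access' }
    elseif ($value -eq $false) { 'Deny access' }
    else                       { 'Control access through NPS Network Policy' }
}

# 1. Every VPN_Users member should be controlled by the NPS network policy.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($member in $members) {
    $user    = Get-ADUser -Identity $member.distinguishedName -Properties msNPAllowDialin
    $setting = Get-DialinSetting -User $user
    if ($setting -ne 'Control access through NPS Network Policy') {
        # An explicit Allow/Deny on the account overrides the policy's Permission.
        Write-Warning "$($user.SamAccountName): dial-in is '$setting'; expected NPS policy control"
    }
}

# 2. Any account with an explicit "Allow access" bypasses the Permission setting
#    of whichever network policy matches it, so list them all for review.
$memberNames = $members | ForEach-Object { $_.SamAccountName }
Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' -Properties msNPAllowDialin |
    ForEach-Object {
        $inGroup = $memberNames -contains $_.SamAccountName
        Write-Warning "$($_.SamAccountName): 'Allow access' set on the account (member of ${GroupName}: $inGroup)"
    }
```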

Network policy configuration

To define the authentication and encryption settings for remote access VPN clients, the following remote access network policy is created in Network Policy Server (NPS):

  • Policy name: Remote Access VPN Clients

  • Conditions:

    • NAS Port Type is set to Virtual (VPN)

    • Windows Groups is set to VPN_Users

    • Calling Station ID is set to 207.209.68.1

  • Permission is set to Grant access.

  • NPS policy settings:

    • On the Constraints tab, under Authentication Methods, for EAP Types select Microsoft: Smart Card or other certificate. Also enable Microsoft Encrypted Authentication version 2 (MS-CHAP v2).

      Security Note
      If you have client computers that require it, you can also enable Microsoft Authentication (MS-CHAP). Because MS-CHAP is no longer considered secure, we recommend that you do not use it unless you must for compatibility reasons.

    • On the Settings tab, under Encryption, select Strongest encryption (MPPE 128-bit), and then clear the Strong encryption (MPPE 56-bit), Basic encryption (MPPE 40-bit) and No encryption selections.

Note

The Calling-Station-ID condition is set to the IP address of the “Internet Connection” interface for the VPN server. Only tunnels initiated from the Internet to the specified address are allowed. Tunnels initiated from within the Fabrikam, Inc. intranet are not permitted. Fabrikam, Inc. users that require Internet access from the Fabrikam, Inc. intranet must go through the Fabrikam, Inc. proxy server (not shown), where Internet access is controlled and monitored.

IKEv2-based remote access client configuration

The remote access computer logs on to the Fabrikam, Inc. domain using a LAN connection to the Fabrikam, Inc. intranet and receives a client authentication certificate through auto-enrollment. Then, the New Connection Wizard is used to create a VPN connection with the following settings:

  • Host name or IP address: vpn.fabrikam.com

  • On the Security tab, under Type of VPN, select IKEv2.

PPTP-based remote access client configuration

The New Connection Wizard is used on client computers to create a VPN connection with the following settings:

  • Host name or IP address: vpn.fabrikam.com

  • On the Security tab, under Type of VPN, select Point to Point Tunneling Protocol (PPTP).

L2TP/IPsec remote access client configuration

The remote access computer logs on to the Fabrikam, Inc. domain using a LAN connection to the Fabrikam, Inc. intranet and receives a client authentication certificate through auto-enrollment. Then, the New Connection Wizard is used to create a VPN connection with the following setting:

  • Host name or IP address: vpn.fabrikam.com

The VPN connection settings are modified as follows:

  • On the Networking tab, under Type of VPN, select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec). The network administrator for Fabrikam, Inc. does not want remote access clients that are capable of establishing an L2TP connection to fall back to the PPTP connection.

SSTP-based remote access client configuration

The remote access computer logs on to the Fabrikam, Inc. domain using a LAN connection to the Fabrikam, Inc. intranet and receives an SSL certificate through auto-enrollment. Then, the New Connection Wizard is used to create a VPN connection with the following settings:

  • Host name or IP address: vpn.fabrikam.com

  • On the Security tab, under Type of VPN, select Secure Socket Tunneling Protocol (SSTP).