You can use the remote access and security technologies in the Microsoft® Windows® Server 2003 operating
systems to provide remote users with secure and reliable access to your network resources. By using the
Routing and Remote Access service in Windows Server 2003, you can design and deploy a dial-up solution
or you can take advantage of the Internet by deploying a virtual private network (VPN) solution.
In This Chapter
Overview of Deploying Dial-up and VPN Remote Access Servers ..... 124
Process for Deploying Dial-up and VPN Remote Access Servers ..... 125
Choosing Dial-up or VPN ..... 126
Designing a Remote Access Server Solution ..... 130
Deploying a VPN Remote Access Server Solution ..... 156
Deploying a Dial-up Remote Access Server Solution ..... 176
Additional Resources ..... 179
Related Information
• For information about designing and deploying a public key infrastructure (PKI), see
“Designing a Public Key Infrastructure” in Designing and Deploying Directory and Security
Services of this kit.
• For more information about deploying smart cards, see “Planning a Smart Card
Deployment” in Designing and Deploying Directory and Security Services of this kit.
• For information about designing and deploying Internet Authentication Service (IAS), see
“Deploying IAS” in this book.
124 Chapter 8 Deploying Dial-up and VPN Remote Access Servers
Each method for providing remote access has advantages and disadvantages that you must weigh based on
the needs of your organization. A dial-up networking solution provides a secure data path over a circuit-
switched connection, and it provides the convenience of direct dial-up connectivity to your network for
mobile users. In contrast, a VPN solution, by using the Internet as a connection medium, saves the cost of
long-distance phone service and hardware costs. To mitigate the public nature of the Internet, VPNs use a
variety of security technologies, including tunneling, encryption, and authentication.
Note
Regardless of the approach that you choose, you can increase
manageability of your remote access server solution by using IAS to
centralize VPN or dial-up networking authentication, authorization, and
accounting. For the Microsoft® Windows® 2000 Server family, IAS is a
RADIUS server; for the Windows Server 2003 family, IAS is a RADIUS
server and proxy. For information about designing and deploying IAS,
see “Deploying IAS” in this book.
CPU Requirements
Use the following guidelines when determining CPU requirements for your VPN design:
• Processing inbound and outbound packets requires CPU cycles. By increasing the available
processing power, you can increase throughput.
• Doubling the speed of a single processor is more effective than doubling the number of
processors.
• In the case of multiprocessor platforms, binding one CPU to each network adapter can
increase the efficiency of interrupt handling, freeing cycles and shrinking the performance
gap between the use of a large number of less powerful CPUs and a few faster, more
expensive CPUs.
RAM Requirements
Use the following guidelines when determining the RAM needed for VPN servers:
• Each active connection consumes a small block of nonpageable memory (approximately
40 KB). If you do not need to handle more than 1,000 concurrent calls from remote access
users, 512 MB of RAM is adequate.
• If you require the capacity to handle more than 1,000 concurrent calls, for every 1,000
concurrent calls provide an extra 128 MB of RAM over recommended RAM capacity for the
server, plus a base of 128 MB more for remote access and related services.
For example, for a dedicated remote access server that will support as many as 2,000
simultaneous VPN calls, if the recommended RAM capacity for Windows Server 2003 is
256 MB, provide 768 MB of RAM:
256 MB + (128 MB * 2) + (128 MB * 2)
If you are designing a VPN remote access solution, choose between two options for server placement, each
with different design requirements:
• VPN server behind the firewall. The firewall is attached to the Internet, with the VPN
server between the firewall and the intranet. This is the placement used in a perimeter
network configuration, in which one firewall is positioned between the VPN server and the
intranet, with another between the VPN server and the Internet.
• VPN server in front of the firewall. The VPN server is connected to the Internet, with the
firewall between the VPN server and the intranet.
Note
To enable access to services running on the VPN server, make sure
that the network BIOS (NetBIOS) and DNS names of the VPN server’s
Internet interface are not registered in the intranet namespaces. This is
the default behavior for Windows Server 2003 VPN servers.
To work around this problem, instead of having the client create a new default route when a connection is
made, you can configure the client’s routing table with specific routes that direct packets to the organization’s
network over the VPN connection. While connected to the intranet, the client can obtain Internet access using
the existing default route over the connection to the ISP. This configuration is known as split tunneling.
Note
You can increase the security and manageability of your remote access
server solution by using IAS to centralize VPN or dial-up networking
authentication, authorization, and accounting. In operating systems in
the Windows 2000 Server family, IAS is an implementation of a
RADIUS server; in Windows Server 2003, IAS is an implementation of
a RADIUS server and proxy. For information about designing and
deploying Internet Authentication Service (IAS), see “Deploying IAS” in
this book.
PPTP
PPTP uses Point-to-Point Protocol (PPP) user authentication methods and Microsoft Point-to-Point
Encryption (MPPE) to encrypt IP traffic. When used with MS-CHAP v2 for password-based authentication
and strong passwords, PPTP is a secure VPN technology. For stronger authentication for PPTP connections,
you can implement a PKI using smart cards or certificates and Extensible Authentication Protocol —
Transport Level Security (EAP-TLS).
PPTP is widely supported and easily deployed, and it works with most network address translators (NATs).
L2TP/IPSec
The more secure of the two VPN protocols, L2TP/IPSec uses PPP user authentication methods and IPSec
encryption to encrypt IP traffic. This combination uses certificate-based computer identity authentication to
create IPSec security associations in addition to PPP-based user authentication. L2TP/IPSec provides data
integrity, data origin authentication, data confidentiality, and replay protection for each packet.
Support for L2TP/IPSec is provided with Windows Server 2003, as well as with Windows 2000 and
Windows XP. To use L2TP/IPSec with the Microsoft® Windows® 98, Windows® Millennium Edition
(Windows Me), or Windows NT® Workstation 4.0 operating system, download and install Microsoft
L2TP/IPSec VPN Client (Mls2tp.exe). For information about Mls2tp.exe, see the Microsoft L2TP/IPSec
VPN Client link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Table 8.1 summarizes the advantages and constraints associated with the use of the PPTP and L2TP/IPSec
protocols.
Table 8.1 Advantages and Constraints of the PPTP and L2TP/IPSec VPN Protocols

Columns: Factor | PPTP Advantages and Constraints | L2TP/IPSec Advantages and Constraints

Factor: Client operating systems supported
  PPTP: Supported on clients running Windows 2000, Windows XP, Windows Server 2003,
  Windows NT Workstation 4.0, Windows Me, or Windows 98.
  L2TP/IPSec: Natively supported on clients running Windows 2000, Windows XP, or
  Windows Server 2003. With Mls2tp.exe installed, supported on clients running Windows 98,
  Windows Me, or Windows NT Workstation 4.0.

Factor: Certificate support
  PPTP: For EAP-TLS authentication to issue computer certificates to the authenticating server
  and user certificates to all VPN clients or to issue smart cards to all users, PPTP requires a
  certificate infrastructure.
  L2TP/IPSec: To issue computer certificates to the VPN server and all VPN clients,
  L2TP/IPSec requires a certificate infrastructure or a preshared key (PSK).

Factor: Security
  PPTP: Provides data confidentiality. (Captured packets cannot be interpreted without the
  encryption key.) Does not provide data integrity (proof that the data was not modified in
  transit) or data origin authentication (proof that the data was sent by the authorized user).
  To increase security, use MS-CHAP v2 as the authentication protocol with strong passwords.
  L2TP/IPSec: Offers the highest level of security, providing data confidentiality, data
  integrity, data origin authentication, and replay protection.

Factor: Performance
  PPTP: A VPN server supports more PPTP connections than L2TP/IPSec connections.
  L2TP/IPSec: Because IPSec encryption is processing intensive, a VPN server supports fewer
  L2TP connections than PPTP connections. To support additional L2TP connections, increase
  CPU processing power or use offload network adapters.

Factor: NAT support
  PPTP: PPTP-based VPN clients can be located behind a NAT if the NAT includes an editor
  that can translate PPTP.
  L2TP/IPSec: If you locate L2TP/IPSec-based clients or servers behind a NAT, both client and
  server must support IPSec NAT traversal (NAT-T).
Additional Resources 141
The NAT can act as a simplified DHCP server that allocates an IP address, a subnet mask, a default gateway,
and the IP address of a DNS server. The NAT can become the DNS proxy for the computers on the private
network. When the NAT receives name resolution requests from a computer on the private network, it
forwards the request to a specified Internet-based DNS server and returns a response to the requesting
computer on the private network.
Using a NAT with PPTP connections
If a VPN client that uses a PPTP connection is behind a NAT, the NAT must include a NAT editor that can
translate PPTP traffic. The NAT editor is required, because PPTP tunneled data has a Generic Routing
Encapsulation (GRE) header rather than a TCP header or a UDP header. The NAT editor uses the Call ID field
in the GRE header to identify the PPTP data stream and translate IP addresses and call IDs for PPTP data
packets that are forwarded between a private network and the Internet.
The NAT/Basic Firewall routing protocol component of the Routing and Remote Access service includes a
NAT editor for PPTP traffic.
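A toy model of the PPTP NAT editor described above, added here as an example (it is not the Routing and Remote Access implementation): it parses the enhanced GRE header from RFC 2637, checks the K bit, version and protocol type before touching a packet, and rewrites the Call ID so that two private clients that happened to choose the same Call ID stay distinguishable behind one public address. The call-ID allocation policy, class names and IP addresses are assumptions.

```python
"""Toy PPTP NAT editor (assumption: not the Routing and Remote Access code).
Parses the enhanced GRE header (RFC 2637) that carries PPTP tunneled data and
rewrites the Call ID so two private clients can share one public IP address."""
import struct
from dataclasses import dataclass
from typing import Optional

GRE_PROTO_PPP = 0x880B                       # protocol type in PPTP's enhanced GRE header
FLAG_K, FLAG_S, FLAG_A = 0x20, 0x10, 0x80    # byte-0 K and S bits, byte-1 A bit


@dataclass
class GreHeader:
    payload_len: int
    call_id: int
    seq: Optional[int]
    ack: Optional[int]


def parse_gre(packet: bytes) -> tuple[GreHeader, bytes]:
    """Parse an enhanced GRE header; return (header, PPP payload)."""
    if len(packet) < 8:
        raise ValueError("GRE header truncated")
    b0, b1, proto, payload_len, call_id = struct.unpack("!BBHHH", packet[:8])
    if not b0 & FLAG_K or (b1 & 0x07) != 1 or proto != GRE_PROTO_PPP:
        # K bit, version 1 and protocol 0x880B identify PPTP data; anything else
        # is ordinary GRE (IP protocol 47) that the editor must not rewrite.
        raise ValueError("not a PPTP enhanced GRE packet")
    off, seq, ack = 8, None, None
    if b0 & FLAG_S:
        (seq,) = struct.unpack("!I", packet[off:off + 4]); off += 4
    if b1 & FLAG_A:
        (ack,) = struct.unpack("!I", packet[off:off + 4]); off += 4
    payload = packet[off:]
    if len(payload) != payload_len:
        raise ValueError("payload length mismatch")
    return GreHeader(payload_len, call_id, seq, ack), payload


def build_gre(call_id: int, payload: bytes, seq: Optional[int] = None,
              ack: Optional[int] = None) -> bytes:
    """Build a PPTP enhanced GRE packet (used here to construct sample traffic)."""
    b0 = FLAG_K | (FLAG_S if seq is not None else 0)
    b1 = 1 | (FLAG_A if ack is not None else 0)
    hdr = struct.pack("!BBHHH", b0, b1, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


class PptpNatEditor:
    """Tracks which private client owns each externally visible Call ID."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # (server_ip, public_call_id) -> (client_ip, client_call_id)
        self.table: dict[tuple[str, int], tuple[str, int]] = {}

    def register_call(self, client_ip: str, client_call_id: int, server_ip: str) -> int:
        """Models the control-channel (TCP 1723) rewrite of an outgoing-call request.
        Returns the Call ID the server will see; it is unique per PPTP server."""
        public_id = client_call_id
        while (server_ip, public_id) in self.table:
            public_id = (public_id % 0xFFFF) + 1     # next free 16-bit ID (assumed policy)
        self.table[(server_ip, public_id)] = (client_ip, client_call_id)
        return public_id

    def translate_inbound(self, server_ip: str, packet: bytes) -> tuple[str, bytes]:
        """Server -> client direction: the Call ID names the client's call, so map it
        back to the private client and restore the client's original Call ID."""
        hdr, _ = parse_gre(packet)
        if (server_ip, hdr.call_id) not in self.table:
            raise LookupError("no PPTP call for this Call ID; drop packet")
        client_ip, client_call_id = self.table[(server_ip, hdr.call_id)]
        rewritten = packet[:6] + struct.pack("!H", client_call_id) + packet[8:]
        return client_ip, rewritten

    def translate_outbound(self, client_ip: str, packet: bytes) -> tuple[str, bytes]:
        """Client -> server direction: the Call ID is the server's, so only the
        source address changes; the GRE header is validated but left intact."""
        parse_gre(packet)
        return self.public_ip, packet


def demo() -> tuple[str, int, int, int]:
    """Two private clients both picked Call ID 7 for the same PPTP server."""
    nat = PptpNatEditor("198.51.100.1")          # constructed sample addresses
    server = "203.0.113.5"
    pub_a = nat.register_call("10.0.0.2", 7, server)
    pub_b = nat.register_call("10.0.0.3", 7, server)
    from_server = build_gre(pub_b, b"\xff\x03\x00\x21", seq=1)   # start of a PPP frame
    client_ip, pkt = nat.translate_inbound(server, from_server)
    return client_ip, parse_gre(pkt)[0].call_id, pub_a, pub_b


if __name__ == "__main__":
    print(demo())   # ('10.0.0.3', 7, 7, 8)
```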
Using a NAT with L2TP connections
IPSec NAT Traversal (NAT-T) enables IPSec peers to communicate when behind a NAT. IPSec NAT-T
provides UDP encapsulation of IPSec packets to enable Internet Key Exchange (IKE) and Encapsulating
Security Payload (ESP)–protected traffic to pass through a NAT. IKE automatically detects that a NAT is
present and uses User Datagram Protocol — Encapsulating Security Payload (UDP-ESP) encapsulation to
enable ESP-protected IPSec traffic to pass through the NAT. To use NAT-T, both the remote access VPN client
and the remote access server must support IPSec NAT-T. IPSec NAT-T is supported by Windows Server 2003
and Microsoft L2TP/IPSec VPN Client.
Note
If you must use a password-based authentication protocol,
enforce the use of strong passwords on your network. A strong
password has more than eight characters and a random mixture
of uppercase and lowercase letters, numbers, and punctuation
marks. For example, “f3L*q02~>xR3w#4o” is a strong password.
In an Active Directory domain, use Group Policy settings to
enforce strong user passwords.
EAP
The EAP-TLS authentication protocol is designed for use with a certificate infrastructure and either
certificates or smart cards. With EAP-TLS, the VPN client sends its user certificate for authentication, and
the authenticating server for the VPN server sends a computer certificate for authentication. This is the
strongest authentication method, because it does not rely on passwords. For more information about
EAP-TLS authentication, see “Connecting Remote Sites” in this book.
You can use Certificate Services in Windows Server 2003 as the CA for your organization, or you can use a
third-party CA when you deploy EAP-TLS as your authentication method. For information about certificate
requirements with Certificate Services, see “Network access authentication and certificates” in Help and
Support Center for Windows Server 2003.
Using a third-party CA requires the following setup:
• The certificate in the computer store of the authenticating server must contain the Server
Authentication certificate purpose in Enhanced Key Usage (EKU) extensions. A certificate
purpose is identified with an object identifier (OID). The object identifier for Server
Authentication is 1.3.6.1.5.5.7.3.1.
• The Subject Alternative Name property of the computer certificate must contain the fully
qualified domain name (FQDN) of the computer account of the authenticating server.
• The cryptographic service provider for the computer certificates on the authenticating server
must support the secure channel (Schannel) security package. Without support for Schannel,
the authenticating server cannot use the certificate, and the certificate will not be available
for use in the remote access policy.
• The certificate installed on a remote access client that is running Windows Server 2003 must
contain the Client Authentication certificate purpose (OID 1.3.6.1.5.5.7.3.2).
• The Subject Alternative Name property of the user certificate must contain the FQDN of the
user account of the VPN client.
• Both the certificate in the computer store of the authenticating server and the user certificate
of the remote access client must contain a private key.
Note
Nonencrypted PPTP connections (over which the PPP frame is sent in
plaintext) and nonencrypted non-IPSec-based L2TP connections (over
which the PPP frame is sent in plaintext) are not secure, and they are
not recommended for VPN connections over the Internet.
To ensure successful encryption and decryption, the sender and the receiver must use a common encryption
key. The length of the encryption key is an important security parameter, especially over public networks. To
ensure the highest level of encryption, use the largest key size.
Data encryption for L2TP connections relies on IPSec, which does not require any specific authentication
protocol. IPSec enforces the encryption; if the server declines data encryption, the connection is denied.
The strength of link encryption is set through the remote access policies that govern PPTP and L2TP
connections on the server. A remote access policy is a collection of conditions and settings that define
authorization and access privileges for connection attempts. For IAS servers and servers running Routing and
Remote Access, remote access policies are used to determine whether a connection attempt is accepted or
rejected.
Table 8.3 shows the encryption support provided for PPTP and L2TP/IPSec connections by each level of
encryption that is set in a remote access policy.
Table 8.3 Encryption Required at Each Encryption Level for PPTP and L2TP/IPSec Connections

Encryption Level   PPTP Encryption Required       L2TP Encryption Required
No Encryption      No encryption required.        No encryption required.
Basic              MPPE 40-bit data encryption    IPSec 56-bit Data Encryption Standard (DES)
Strong             MPPE 56-bit data encryption    IPSec 56-bit DES
Strongest          MPPE 128-bit encryption        IPSec 168-bit Triple DES (3DES)
For a procedure for setting the encryption level in a remote access policy, see “Configuring authentication
and data encryption” in Help and Support Center for Windows Server 2003. For more information about
using Windows Server 2003 remote access policies, see “Introduction to remote access policies” in Help and
Support Center for Windows Server 2003.
Table 8.4 Certificate Infrastructures Required for Remote Access Client Authentication

VPN/Authentication Protocol: L2TP/IPSec-based VPN connection
  Required certificate infrastructure:
  • Install a computer certificate on the VPN server.
  • Install a computer certificate on each VPN client.

VPN/Authentication Protocol: PPTP-based VPN connection using smart cards and EAP-TLS
  Required certificate infrastructure:
  • Install a computer certificate on the authenticating server for the VPN server.
  • Install a user certificate on each smart card.

VPN/Authentication Protocol: PPTP-based VPN connection using registry-based user certificates and
EAP-TLS
  Required certificate infrastructure:
  • Install a computer certificate on the authenticating server for the VPN server.
  • Install a user certificate on each VPN client.
If your PPTP-based VPN connections require a certificate infrastructure, install a computer certificate on the
authenticating server for the VPN server. If you are using smart cards, install a user certificate on each smart
card distributed to a VPN client user. If you are using registry-based user certificates with EAP-TLS
authentication, install a user certificate on each VPN client.
For an L2TP/IPSec-based VPN connection, install a computer certificate on all VPN clients and on the VPN
server. A certificate infrastructure is also required when you are using either smart cards or certificates and
EAP-TLS for user authentication.
For more information about certificate requirements, see “Network access authentication and certificates” in
Help and Support Center for Windows Server 2003.
For more information about deploying certificate services to support L2TP/IPSec, see “Designing a Public
Key Infrastructure” in Designing and Deploying Directory and Security Services of this kit.
When a remote access client initiates a connection to a remote access server, the user is authenticated, and the
remote access client is assigned an IP address. If Network Access Quarantine Control is in use, the
connection is placed in quarantine mode until a client-side script is run on the remote access client and the
configuration of the remote access client is validated against current network policies. While the remote
access connection is in quarantine mode, network access is limited. When the remote access server is notified
that the configuration of the remote access client is validated against current network policies, quarantine
mode is removed, and the remote access client is granted normal remote access.
The components for Network Access Quarantine Control are included in the Microsoft® Windows®
Server 2003 Resource Kit. For instructions on setting up Network Access Quarantine Control, see
“Configuring Network Access Quarantine Control” later in this chapter.
Note
Network Access Quarantine Control is designed to prevent clients with
unsafe configurations from attaching to a private network. It does not
protect a private network from malicious users who have obtained a
valid set of credentials.
Note
The process described in this section incorporates the use of both the
MS-Quarantine-IPFilter attribute and the MS-Quarantine-Session-
Timeout attribute. Both attributes are optional.
The Connection Manager profile initiates a post-connect action, which runs the embedded client-side script.
The script verifies that the remote access computer’s configuration complies with network policy
requirements. If the script runs successfully, the script runs the notification component, Rqc.exe, which
notifies the remote access server that the remote access client complies with network policy.
The listener component on the remote access server, known as the Remote Access Quarantine Agent service
(Rqs.exe), receives the notification. Routing and Remote Access removes the MS-Quarantine-IPFilter and
MS-Quarantine-Session-Timeout settings from the connection, giving the remote access client normal access
to the intranet.
Accounts database
For Windows Server 2003-based networks, the Active Directory service is used as the accounts database to
store user accounts and their dial-in properties.
Quarantine remote access policy
For Network Access Quarantine Control, you must configure a quarantine remote access policy with the
appropriate conditions for remote access connections, and with profile settings that specify the
MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout attributes (configured on the Advanced tab of
the profile).
• The MS-Quarantine-IPFilter attribute is used to configure inbound and outbound packet
filters to allow only the traffic generated by the notifier component. If you are using
Rqc.exe, configure a single inbound packet filter to only allow traffic from TCP port 7250
and to TCP port 7250 (the default TCP port for Rqc.exe), and specify that all other traffic be
discarded. Additional packet filters are needed in order for the quarantined remote access
client to access the quarantine resources. These include filters that allow the remote access
client to access DNS servers, file shares, and Web servers.
The packet filters configured for the MS-Quarantine-IPFilter attribute provide the
quarantine, or isolation, of the traffic of the remote access client until the notifier component
on the remote access client indicates that the computer is in compliance with network
policies.
• The MS-Quarantine-Session-Timeout attribute specifies how long the remote access server
waits to receive the notification that the script has executed successfully before terminating
the connection.
Remote access account lockout is configured in the registry in Windows Server 2003. It is not related to the
account lockout policy for domain or local user accounts.
To enable remote access account lockout, modify the following subkey in the registry on the server that
authenticates remote access requests:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
If the remote access server is configured for Windows authentication, modify the registry on that server. If
the remote access server is configured for RADIUS authentication, and you are using IAS, modify the
registry on the IAS server.
For more information about modifying the AccountLockout subkey, see “Configuring Remote Access
Account Lockout for a VPN Solution” later in this chapter.
Caution
Do not edit the registry unless you have no alternative. The registry
editor bypasses standard safeguards, allowing settings that can
damage your system, or even require you to reinstall Windows. If you
must edit the registry, back it up first and see the Registry Reference on
the Microsoft® Windows® Server 2003 Deployment Kit companion CD
or at http://www.microsoft.com/reskit.
If your organization is using smart cards, the smart card manufacturer controls account lockout for personal
identification numbers (PINs) that are not valid. Recovery from account lockout as a result of an invalid PIN
might require smart card replacement.
For more information about remote access account lockout, see the Internetworking Guide of the Windows
Server 2003 Resource Kit (or see the Internetworking Guide on the Web at http://www.microsoft.com/reskit).
Important
The procedures for deploying a VPN remote access server solution
assume that you have deployed Active Directory on the server, have a
PKI in place, and have deployed an IAS server.
For information about designing and deploying a PKI, see “Designing a
Public Key Infrastructure” in Designing and Deploying Directory and
Security Services of this kit. For information about designing and
deploying IAS, see “Deploying IAS” in this book. For more information
about Active Directory, see “Designing the Active Directory Logical
Structure” in Designing and Deploying Directory and Security Services
of this kit.
Note
Because of routing issues related to configuring TCP/IP automatically,
it is recommended that you not configure a VPN server as a DHCP
client. Instead, manually configure TCP/IP on the intranet interfaces of
a VPN server. For a full discussion of the routing options for a VPN
server, see “Configuring Routing on a VPN Server” later in this chapter.
Manually configure the Internet or perimeter network interface of the VPN server with a default gateway.
Configure the TCP/IP settings with a public IP address, a subnet mask, and the default gateway of either the
firewall (if the VPN server is connected to a perimeter network) or an ISP router (if the VPN server is
connected directly to the Internet).
To configure TCP/IP for the Internet or perimeter network interface
1. In Control Panel, double-click Network Connections, and then double-click the network
adapter for the Internet or perimeter network interface.
2. In the network adapter status dialog box (for example, Local Area Connection Status),
click Properties.
3. Select Internet Protocol (TCP/IP), and then click Properties.
4. On the General tab, configure the IP address, subnet mask, and default gateway.
The IP address must be a public IP address assigned by an ISP. As an option, you can
configure the VPN server with a private IP address but assign it a published static IP address
by which it is known on the Internet. When packets are sent to and from the VPN server, a
NAT that is positioned between the Internet and the VPN server translates the published IP
address to the private IP address.
When you configure a VPN connection, give your VPN servers names that can be resolved
to IP addresses using DNS.
5. Click Advanced to display the Advanced TCP/IP Settings dialog box.
6. To prevent the VPN server from dynamically registering the public IP address of its Internet
interface with an intranet DNS server, on the DNS tab, clear the Register this connection’s
addresses in DNS check box. This check box is cleared by default.
7. To prevent the VPN server from registering the public IP address of its Internet interface
with intranet WINS servers, on the WINS tab, select the Disable NetBIOS over TCP/IP
check box. This check box is selected by default.
When you configure TCP/IP for the VPN server’s intranet interface, do not configure the default gateway on
the intranet connection. This will prevent default route conflicts with the default route pointing to the
Internet.
To configure TCP/IP for the intranet interface
1. In Control Panel, double-click Network Connections, and then double-click the network
adapter for the intranet interface.
2. In the network adapter status dialog box (for example, Local Area Connection 2 Status),
click Properties.
3. Select Internet Protocol (TCP/IP), and then click Properties.
4. On the General tab, configure the IP address, subnet mask, and DNS server address.
To prevent default route conflicts with the default route pointing to the Internet, do not
configure the default gateway on the intranet connection.
5. Click Advanced to display the Advanced TCP/IP Settings dialog box.
6. On the WINS tab, configure the IP addresses of your WINS servers.
Internet interface of the firewall
On the firewall’s Internet interface, configure the inbound and outbound filters in Table 8.5, specifying that
all packets are dropped except those that are selected by the filters.
Table 8.5 VPN Server Behind a Firewall: PPTP Filters on the Firewall’s Internet Interface

Inbound filters
  Filter: Destination IP address = Perimeter network interface of VPN server;
  TCP destination port = 1723 (0x6BB)
  Action: Allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.

  Filter: Destination IP address = Perimeter network interface of VPN server;
  IP Protocol ID = 47 (0x2F)
  Action: Allows PPTP tunneled data from the PPTP client to the PPTP server.

  Filter: Destination IP address = Perimeter network interface of VPN server;
  TCP source port = 1723 (0x6BB)
  Action: Required only when the VPN server is acting as a VPN client (a calling router) in a
  site-to-site (also known as router-to-router) VPN connection. If you allow all traffic to the
  VPN server from TCP port 1723, network attacks can emanate from sources on the Internet
  that use this port. You should only use this filter in conjunction with the PPTP filters that
  are also configured on the VPN server.
Perimeter network interface of the firewall
On the firewall’s perimeter network interface, configure the inbound and outbound filters in Table 8.6,
specifying that all packets are dropped except those that are specified by the filters.
Table 8.6 VPN Server Behind a Firewall: PPTP Filters on the Perimeter Network Interface

  Filter: Source IP address = Perimeter network interface of VPN server;
  TCP source port = 1723 (0x6BB)
  Action: Allows PPTP tunnel maintenance traffic from the VPN server to the VPN client.
L2TP/IPSec connections
For an L2TP/IPSec connection, configure the following packet filters on the Internet and perimeter network
interfaces of the firewall.
Internet interface of the firewall
On the firewall’s Internet interface, configure the inbound and outbound filters in Table 8.7, specifying that
all packets are dropped except those that are specified by the filters.
Table 8.7 VPN Server Behind a Firewall: L2TP/IPSec Filters on the Firewall’s Internet Interface

Inbound filters
  Filter: Destination IP address = Perimeter network interface of VPN server;
  UDP destination port = 500 (0x1F4)
  Action: Allows IKE traffic to the VPN server.

  Filter: Destination IP address = Perimeter network interface of VPN server;
  UDP destination port = 4500 (0x1194)
  Action: Allows IPSec NAT-T traffic to the VPN server.

  Filter: Destination IP address = Perimeter network interface of VPN server;
  IP Protocol ID = 50 (0x32)
  Action: Allows IPSec ESP traffic to the VPN server.

Outbound filters
  Filter: Source IP address = Perimeter network interface of VPN server;
  UDP source port = 500 (0x1F4)
  Action: Allows IKE traffic from the VPN server.

  Filter: Source IP address = Perimeter network interface of VPN server;
  UDP source port = 4500 (0x1194)
  Action: Allows IPSec NAT-T traffic from the VPN server.

  Filter: Source IP address = Perimeter network interface of VPN server;
  IP Protocol ID = 50 (0x32)
  Action: Allows IPSec ESP traffic from the VPN server.
No filters are required for L2TP traffic at UDP port 1701. All L2TP traffic at the firewall, including tunnel
maintenance and tunneled data, is encrypted as an IPSec ESP payload.
Perimeter network interface of the firewall
On the firewall’s perimeter network interface, configure the inbound and outbound filters in Table 8.8,
specifying that all packets are dropped except those that are selected by the filters.
Table 8.8 VPN Server Behind a Firewall: L2TP/IPSec Filters on the Firewall’s Perimeter Network
Interface

Inbound filters
  Filter: Source IP address = Perimeter network interface of VPN server;
  UDP source port = 500 (0x1F4)
  Action: Allows IKE traffic from the VPN server.

  Filter: Source IP address = Perimeter network interface of VPN server;
  UDP source port = 4500 (0x1194)
  Action: Allows IPSec NAT-T traffic from the VPN server.

  Filter: Source IP address = Perimeter network interface of VPN server;
  IP Protocol ID = 50 (0x32)
  Action: Allows IPSec ESP traffic from the VPN server.

Outbound filters
  Filter: Destination IP address = Perimeter network interface of VPN server;
  UDP destination port = 500 (0x1F4)
  Action: Allows IKE traffic to the VPN server.

  Filter: Destination IP address = Perimeter network interface of VPN server;
  UDP destination port = 4500 (0x1194)
  Action: Allows IPSec NAT-T traffic to the VPN server.

  Filter: Destination IP address = Perimeter network interface of VPN server;
  IP Protocol ID = 50 (0x32)
  Action: Allows IPSec ESP traffic to the VPN server.
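Added example, not Routing and Remote Access code: a small default-deny filter evaluator loaded with the inbound rows of Tables 8.7 and 8.8 above and with the MS-Quarantine-IPFilter rule for Rqc.exe described earlier in this chapter, run against constructed packets. The addresses are assumed documentation values; the checks show that plain L2TP (UDP 1701) is dropped at the firewall because it only ever arrives inside ESP, and that a quarantined client reaches nothing but the notifier port and the listed quarantine resources.

```python
"""Default-deny packet filter evaluator (added example, not Routing and Remote
Access code).  Rule sets follow Tables 8.7 and 8.8 (L2TP/IPSec through a
firewall) and the MS-Quarantine-IPFilter profile for Rqc.exe.  Addresses are
constructed documentation values."""
from dataclasses import dataclass
from typing import Optional

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50     # IP protocol IDs (ESP = 50 = 0x32)

# Constructed sample addresses.
VPN_PERIMETER_IF = "192.0.2.10"   # perimeter network interface of the VPN server
INTRANET_DNS = "10.0.0.53"        # a quarantine resource the quarantined client may use
RQS_LISTENER = "10.0.0.1"         # intranet address of the remote access server (Rqs.exe)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    """One row of a filter table; a None field means 'any value'."""
    note: str
    proto: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.proto, p.proto), (self.src_ip, p.src_ip), (self.dst_ip, p.dst_ip),
                 (self.src_port, p.src_port), (self.dst_port, p.dst_port))
        return all(want is None or want == have for want, have in pairs)


def allowed(filters: list[Filter], p: Packet) -> bool:
    """'All packets are dropped except those selected by the filters'."""
    return any(f.matches(p) for f in filters)


# Table 8.7, inbound on the firewall's Internet interface.
T87_INBOUND = [
    Filter("IKE to VPN server", PROTO_UDP, dst_ip=VPN_PERIMETER_IF, dst_port=500),
    Filter("IPSec NAT-T to VPN server", PROTO_UDP, dst_ip=VPN_PERIMETER_IF, dst_port=4500),
    Filter("IPSec ESP to VPN server", PROTO_ESP, dst_ip=VPN_PERIMETER_IF),
]
# Table 8.8, inbound on the firewall's perimeter interface (VPN server -> Internet).
T88_INBOUND = [
    Filter("IKE from VPN server", PROTO_UDP, src_ip=VPN_PERIMETER_IF, src_port=500),
    Filter("IPSec NAT-T from VPN server", PROTO_UDP, src_ip=VPN_PERIMETER_IF, src_port=4500),
    Filter("IPSec ESP from VPN server", PROTO_ESP, src_ip=VPN_PERIMETER_IF),
]
# MS-Quarantine-IPFilter: only the Rqc.exe notification (TCP port 7250 to 7250)
# plus the quarantine resources, here a single DNS server.
QUARANTINE_INBOUND = [
    Filter("Rqc.exe notification", PROTO_TCP, dst_ip=RQS_LISTENER, src_port=7250, dst_port=7250),
    Filter("DNS to quarantine resource", PROTO_UDP, dst_ip=INTRANET_DNS, dst_port=53),
]


def l2tp_checks() -> dict[str, bool]:
    """Internet-side traffic against Table 8.7, server-side traffic against Table 8.8."""
    client, other_host = "198.51.100.7", "192.0.2.99"
    return {
        "ike_in": allowed(T87_INBOUND, Packet(client, VPN_PERIMETER_IF, PROTO_UDP, 500, 500)),
        "natt_in": allowed(T87_INBOUND, Packet(client, VPN_PERIMETER_IF, PROTO_UDP, 4500, 4500)),
        "esp_in": allowed(T87_INBOUND, Packet(client, VPN_PERIMETER_IF, PROTO_ESP)),
        # L2TP itself (UDP 1701) never appears at the firewall in the clear.
        "plain_l2tp_in": allowed(T87_INBOUND, Packet(client, VPN_PERIMETER_IF, PROTO_UDP, 1701, 1701)),
        "ike_to_other_host": allowed(T87_INBOUND, Packet(client, other_host, PROTO_UDP, 500, 500)),
        "esp_out": allowed(T88_INBOUND, Packet(VPN_PERIMETER_IF, client, PROTO_ESP)),
        "plain_l2tp_out": allowed(T88_INBOUND, Packet(VPN_PERIMETER_IF, client, PROTO_UDP, 1701, 1701)),
    }


def quarantine_checks() -> dict[str, bool]:
    """Traffic from a quarantined remote access client (constructed address)."""
    client = "10.0.1.20"
    return {
        "rqc_notify": allowed(QUARANTINE_INBOUND, Packet(client, RQS_LISTENER, PROTO_TCP, 7250, 7250)),
        "dns_lookup": allowed(QUARANTINE_INBOUND, Packet(client, INTRANET_DNS, PROTO_UDP, 53000, 53)),
        "smb_to_file_server": allowed(QUARANTINE_INBOUND, Packet(client, "10.0.0.5", PROTO_TCP, 1040, 445)),
    }


if __name__ == "__main__":
    print(l2tp_checks())
    print(quarantine_checks())
```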
PPTP connections
For a PPTP connection, configure the VPN server with the inbound and outbound filters in Table 8.9, specifying that all packets be dropped except those that are specified by the filters. These filters are automatically configured when you:
• Run the Routing and Remote Access Server Setup Wizard and choose the Remote access (dial-up or VPN) option.
• Select the correct interface.
• Select the Enable security on the selected interface by setting up packet filters option on the VPN Connection page. This setting is enabled by default.
Table 8.9 VPN Server in Front of a Firewall: Packet Filters for PPTP
Inbound filters:
• Filter: Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; TCP destination port = 1723. Action: Allows PPTP tunnel maintenance to the VPN server.
• Filter: Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; IP Protocol ID = 47. Action: Allows PPTP tunneled data to the VPN server.
• Filter: Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; TCP (established) source port = 1723. Action: Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. Accepts TCP traffic only when a VPN server initiates the TCP connection.
Outbound filters:
• Filter: Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; TCP source port = 1723. Action: Allows PPTP tunnel maintenance traffic from the VPN server.
• Filter: Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; IP Protocol ID = 47. Action: Allows PPTP tunneled data from the VPN server.
• Filter: Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; TCP (established) destination port = 1723. Action: Required only when the VPN server is acting as a VPN client (a calling router) in a site-to-site VPN connection. Sends TCP traffic only when a VPN server initiates the TCP connection.
L2TP/IPSec connections
For an L2TP/IPSec connection, configure the VPN server with the inbound and outbound filters in
Table 8.10, specifying that all packets be dropped except those that are specified by the filters.
Table 8.10 VPN Server in Front of a Firewall: Packet Filters for L2TP/IPSec
Inbound filters:
• Filter: Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; UDP destination port = 500. Action: Allows IKE traffic to the VPN server.
• Filter: Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; UDP destination port = 1701. Action: Allows L2TP traffic from the VPN client to the VPN server.
• Filter: Destination IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; UDP destination port = 4500. Action: Allows IPSec NAT-T traffic from the VPN client to the VPN server.
Outbound filters:
• Filter: Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; UDP source port = 500. Action: Allows IKE traffic from the VPN server.
• Filter: Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; UDP source port = 1701. Action: Allows L2TP traffic from the VPN server to the VPN client.
• Filter: Source IP address = Internet interface of VPN server; Subnet mask = 255.255.255.255; UDP source port = 4500. Action: Allows IPSec NAT-T traffic from the VPN server to the VPN client.
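The following Python is an added illustration, not part of the Deployment Kit or of Routing and Remote Access: it models the default-drop semantics of Tables 8.9 and 8.10 (a packet passes only if some row selects it, and the "(established)" rows match only segments of an existing TCP connection) and runs constructed packets through them. The VPN server and client addresses are assumed values.

```python
from dataclasses import dataclass
from typing import Optional

VPN_IP = "203.0.113.10"   # assumed address of the VPN server's Internet interface
CLIENT = "198.51.100.7"   # constructed address of a remote access client

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "gre" (IP protocol 47)
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: bool = False            # True for a TCP segment of an already-established connection

# One tuple per table row: (direction, protocol, port field, port, established-only).
PPTP_FILTERS = [                                   # Table 8.9
    ("in", "tcp", "dport", 1723, False),           # PPTP tunnel maintenance to the server
    ("in", "gre", None, None, False),              # PPTP tunneled data to the server
    ("in", "tcp", "sport", 1723, True),            # only when the server is itself a calling router
    ("out", "tcp", "sport", 1723, False),          # tunnel maintenance from the server
    ("out", "gre", None, None, False),             # tunneled data from the server
    ("out", "tcp", "dport", 1723, True),           # only when the server is itself a calling router
]
L2TP_IPSEC_FILTERS = [                             # Table 8.10
    ("in", "udp", "dport", 500, False),            # IKE
    ("in", "udp", "dport", 1701, False),           # L2TP
    ("in", "udp", "dport", 4500, False),           # IPSec NAT-T
    ("out", "udp", "sport", 500, False),
    ("out", "udp", "sport", 1701, False),
    ("out", "udp", "sport", 4500, False),
]

def allowed(pkt: Packet, direction: str, filters) -> bool:
    """Default-drop semantics: the packet passes only if some filter row selects it."""
    addr = pkt.dst if direction == "in" else pkt.src   # inbound rows match the destination address
    for fdir, proto, port_field, port, established in filters:
        if fdir != direction or pkt.proto != proto or addr != VPN_IP:
            continue
        if established and not pkt.ack:
            continue                                    # "(established)" rows need ACK set
        if port_field is None or getattr(pkt, port_field) == port:
            return True
    return False

if __name__ == "__main__":
    probe = Packet(CLIENT, VPN_IP, "tcp", 40002, 445)   # constructed unrelated TCP traffic
    print("PPTP control:", allowed(Packet(CLIENT, VPN_IP, "tcp", 40001, 1723), "in", PPTP_FILTERS))
    print("unrelated TCP:", allowed(probe, "in", PPTP_FILTERS))
```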
Note
Rqs.exe and Rqc.exe use TCP port 7250 by default. When you create
the quarantine policy, you must configure quarantine inbound filters to
allow network traffic on TCP port 7250. Otherwise, Rqc.exe, which runs
on client computers, cannot notify Rqs.exe that the client-side script
has run successfully. If you specify another TCP port for Rqc.exe and
Rqs.exe, you must configure the filter to allow traffic on that TCP port.
5. Create a quarantine Connection Manager profile, to be installed on all remote access clients
that access servers participating in Network Access Quarantine Control. Only those remote
access clients that have the quarantine Connection Manager profile installed can obtain a
full-access connection.
Use the Windows Server 2003 Connection Manager Administration Kit (CMAK) to create a
profile with the following elements:
• Specify a post-connect action to run the client-side script with the appropriate
parameters.
• Embed the client-side script and the notification component within the profile.
For information about creating a Connection Manager profile using CMAK, see “Deploying
Remote Access Clients Using Connection Manager” in this book.
6. Install the Quarantine Connection Manager profile on all remote access clients that access
servers participating in Network Access Quarantine Control.
7. Use the New Remote Access Policy Wizard to create a quarantine remote access policy that
restricts a remote access client’s access while the client computer’s configuration is verified
against network policy requirements. The quarantine remote access policy can contain the
following attributes:
• MS-Quarantine-IPFilter, to restrict a quarantined remote access client’s access to only
quarantine resources and the port designated for notification traffic.
• MS-Quarantine-Session-Timeout, to restrict the length of time during which a client can
remain connected in quarantine mode before being disconnected.
To be quarantine-compatible, a remote access server must be running Windows Server 2003 and the Routing and Remote Access service. Routing and Remote Access with Windows Server 2003 supports the use of a listener component and the RADIUS vendor-specific attributes (VSAs) MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout, which are used to specify quarantine settings.
Note
For an overview of Network Access Quarantine Control, see “Planning
for Network Access Quarantine Control” earlier in this chapter.
Whether the default route is acceptable for the VPN connection depends on your remote access clients’ needs
(whether they need simultaneous access to both the intranet and the Internet) and security issues. For a full
discussion of the routing options for VPN remote access clients, see “Determining Routing for VPN Remote
Access Clients” earlier in this chapter.
Based on your design, implement one of the following routing options on the VPN client:
• If the remote access user does not require concurrent access to intranet and Internet
resources, use the default gateway for the VPN connection.
• If the remote access user requires concurrent access to intranet and Internet resources over a
VPN connection, choose one of the following options:
• If you want to allow Internet access through the organization’s intranet, use the default
gateway for your VPN connection.
Internet traffic between the VPN client and Internet hosts passes through firewalls or proxy servers as though the VPN client were physically connected to the organization’s intranet. This method can affect performance, but it enables an organization to filter and monitor Internet access according to its network policies while the VPN client is connected to the organization network.
• If the addressing within your intranet is based on a single class-based network ID, and
the addresses assigned to VPN clients are from that single class-based network ID,
prevent the use of the default gateway for your VPN connection.
• If the addressing within your intranet is not based on a single class-based network ID,
prevent the use of the default gateway for your VPN connection. Then, use one of the
split tunneling methods described in “Determining Routing for VPN Remote Access
Clients” earlier in this chapter.
To prevent the VPN client from creating a new default route during a VPN
connection
1. In Control Panel, double-click Network Connections, and then double-click the name of the
VPN connection.
2. In the Connect dialog box, click Properties.
3. In the properties dialog box for the VPN connection, click the Networking tab.
4. Select Internet Protocol (TCP/IP), and then click Properties.
5. On the General tab, click Advanced to display the Advanced TCP/IP Settings dialog box.
6. To prevent a default route from being created during a VPN connection, on the General tab,
clear the Use default gateway on remote network check box.
No default route will be created for the connection. However, a route corresponding to the
Internet address class of the assigned IP address will be created. For example, if the IP
address assigned during the connection process is 10.0.12.119, the Windows Server 2003–
based or Windows XP–based VPN client creates a route for the class-based network ID
10.0.0.0 with the subnet mask 255.0.0.0.
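As an added illustration (not from the Deployment Kit), the following Python computes the class-based route that the client creates in step 6 above and reports which intranet subnets that route does not cover; traffic to those subnets follows the client’s own Internet default route rather than the tunnel, which is why a non-class-based intranet needs one of the split tunneling methods. The intranet subnets are constructed sample values.

```python
import ipaddress

def class_based_network(assigned_ip: str) -> ipaddress.IPv4Network:
    """Route the client adds when the default gateway is disabled: the classful
    network ID of the assigned address (class A /8, class B /16, class C /24)."""
    ip = ipaddress.IPv4Address(assigned_ip)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{assigned_ip} is not a class A, B or C address")
    return ipaddress.IPv4Network((ip, prefix), strict=False)

def uses_tunnel(assigned_ip: str, destination: str) -> bool:
    """True if traffic to destination is covered by the class-based VPN route."""
    return ipaddress.IPv4Address(destination) in class_based_network(assigned_ip)

def subnets_outside_route(assigned_ip: str, intranet_subnets) -> list:
    """Intranet subnets the class-based route does not cover. Traffic to them
    leaves by the client's Internet default route instead of the tunnel."""
    route = class_based_network(assigned_ip)
    return [s for s in intranet_subnets
            if not ipaddress.IPv4Network(s).subnet_of(route)]

if __name__ == "__main__":
    route = class_based_network("10.0.12.119")      # address used in the text above
    print(route.network_address, route.netmask)       # 10.0.0.0 255.0.0.0
    # Constructed intranet: one subnet inside the class-based route, two outside it.
    print(subnets_outside_route("10.0.12.119",
                                ["10.1.0.0/16", "172.16.0.0/12", "192.168.5.0/24"]))
```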
3. Click Create and submit a request to this CA to display a Web form for entering
certificate information.
4. Enter the required information on the Web form, and then click Submit.
5. Click Install this certificate.
For information about:
• Using the Certificates snap-in to install a certificate, see “Using certificates” in Help and
Support Center for Windows Server 2003.
• Using certificate autoenrollment to install a certificate, see “Certificate autoenrollment” in
Help and Support Center for Windows Server 2003.
• Deploying smart cards, see “Planning a Smart Card Deployment” in Designing and
Deploying Directory and Security Services of this kit.
Note
The No Encryption level, which allows connections that do not use
data encryption, is not recommended.
For more information about using Windows Server 2003 remote access policies, see “Introduction to remote
access policies” in Help and Support Center for Windows Server 2003.
Caution
Do not edit the registry unless you have no alternative. The registry
editor bypasses standard safeguards, allowing settings that can
damage your system, or even require you to reinstall Windows. If you
must edit the registry, back it up first and see the Registry Reference
on the Windows Server 2003 Deployment Kit companion CD or at
http://www.microsoft.com/reskit.
Note
You can optionally implement Network Access Quarantine Control to
quarantine each new remote access connection until the configuration
of the client computer can be verified against network policy
restrictions. For more information, see “Planning for Network Access
Quarantine Control” and “Configuring Network Access Quarantine
Control” earlier in this chapter.
With Routing and Remote Access enabled, configure the properties of a dial-up remote access server by
using the Routing and Remote Access snap-in.
To configure a server for dial-up remote access
1. Open the Routing and Remote Access snap-in.
2. In the console tree, right-click the server name, and then click Properties.
3. On the General tab of the Server Properties dialog box, verify that the Remote access
server check box is selected.
4. On the Security tab, set up authentication for dial-up remote access clients:
a. Click Authentication Methods, and in the dialog box select the authentication
methods that the server will accept for dial-up connections.
b. Under Authentication Provider on the Security tab, select the authentication provider
to use for dial-up networking clients.
c. Under Accounting Provider, select and configure the accounting provider to use for
recording dial-up connection accounting information.
Additional Resources
These resources contain additional information and tools related to this chapter.
Related Information
• “Designing a Public Key Infrastructure” in Designing and Deploying Directory and Security
Services of this kit.
• “Deploying Smart Cards” in Designing and Deploying Directory and Security Services of
this kit.
• “Deploying IAS” in this book.
• “Deploying Remote Access Clients Using Connection Manager” in this book.
• The Internetworking Guide of the Windows Server 2003 Resource Kit (or see the
Internetworking Guide on the Web at http://www.microsoft.com/reskit) for more information
about Routing and Remote Access.