
Deploying virtual private networks with Microsoft Windows Server 2003
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2004 by Microsoft Corporation
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by
any means without the written permission of the publisher.
Library of Congress Cataloging-in-Publication Data
Davies, Joe
Deploying Virtual Private Networks with Microsoft Windows Server 2003 / Joe Davies, Elliot Lewis.
p. cm.
Includes index.
ISBN 0-7356-1576-4
1. Extranets (Computer networks). 2. Microsoft Windows Server. I. Title.
TK5105.875.E87W45 2003
004.6--dc21 2003042174
Printed and bound in the United States of America.
1 2 3 4 5 6 7 8 9 QWT 8 7 6 5 4 3
Distributed in Canada by H.B. Fenn and Company Ltd.
A CIP catalogue record for this book is available from the British Library.
Microsoft Press books are available through booksellers and distributors worldwide. For further information
about international editions, contact your local Microsoft Corporation office or contact Microsoft Press
International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send
comments to [email protected].
Active Directory, ActiveX, Microsoft, Microsoft Press, MSDN, MSN, Outlook, Visual Basic, Windows, the
Windows logo, Windows Mobile, Windows NT, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. Other product and
company names mentioned herein may be the trademarks of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious. No association with any real company, organization,
product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Acquisitions Editor: Martin DelRe
Project Editor: Valerie Woolley
Technical Editor: Jim Johnson
Body Part No. X08-68739
Contents
Acknowledgments xiii
Introduction xv
PART I VPN Technology
1 The Business Case for Virtual Private Networks 3
Overview of VPNs 4
The World as It Was 4
The World as It Is Today 5
The World as It Will Be 7
The Need for Security and Control 8
VPN Technology 9
Summary 10
2 VPN Overview 11
Virtual Private Network Definitions 11
Common Uses of VPNs 13
Basic VPN Requirements 16
Tunneling Basics 17
Tunneling Protocols 19
Point-to-Point Protocol (PPP) 20
Point-to-Point Tunneling Protocol (PPTP) 23
Layer Two Tunneling Protocol (L2TP) 23
Tunnel Types 29
VPN Administration 30
Authorizing VPN Connections 31
Scalability 31
RADIUS 32
Connection Manager and Managed VPN Connections 32
iv | Table of Contents
Accounting, Auditing, and Alarming 34
Summary 35
3 VPN Security 37
Basic Elements of Windows VPN Security 37
Authentication Security 38
Authorization Security 41
Encryption Security 41
Packet Filtering Security 43
Advanced VPN Security Features 44
EAP-TLS and Certificate-Based Authentication 44
Network Access Quarantine Control 46
Remote Access Account Lockout 47
Remote Access Policy Profile Packet Filtering 48
Summary 49
4 VPN Interoperability 51
VPN Technologies and Internet Standards 53
Remote Access VPN Requirements and IPSec-Based Implementations 54
User Authentication 54
Address Assignment 56
PPTP: An Alternative to IPSec-Based VPNs 56
Future Directions for Microsoft VPN Support 58
Issues Customers Should Examine 58
Recommendations to VPN Vendors 59
Summary 59
PART II VPN Deployment
5 Remote Access VPN Components and Design Points 63
VPN Clients 64
The Connection Manager System 66
Single Sign-On 69
Installing a Certificate on a Client Computer 69
Design Point: Configuring the VPN Client 70
Internet Network Infrastructure 71
VPN Server Name Resolvability 71
VPN Server Reachability 72
Authentication Protocols 73
Design Point: Which Authentication Protocol To Use 74
VPN Tunneling Protocols 75
Point-to-Point Tunneling Protocol 75
Layer Two Tunneling Protocol with IPSec 75
Design Point: PPTP or L2TP/IPSec? 76
VPN Server 77
Design Point: Configuring the VPN Server 79
Intranet Network Infrastructure 82
Name Resolution 82
Routing 84
Quarantine Resources 88
AAA Infrastructure 89
Remote Access Policies 90
Preventing Traffic Routed from VPN Clients 92
Windows Domain User Accounts and Groups 94
Design Point: AAA Infrastructure 95
Certificate Infrastructure 96
Computer Certificates for L2TP/IPSec 96
Certificate Infrastructure for Smart Cards 97
Certificate Infrastructure for User Certificates 98
Design Point: Certificate Infrastructure 99
Summary 100
6 Deploying Remote Access VPNs 101
Deploying PPTP or L2TP/IPSec Remote Access 102
Deploying a Certificate Infrastructure 102
Installing Computer Certificates 103
Deploying Smart Cards 106
Installing User Certificates 107
Deploying an Internet Infrastructure 111
Placing VPN Servers in a Perimeter Network or on the Internet 111
Installing Windows Server 2003 on the VPN Server and Configuring Internet Interfaces 111
Adding Address Records to Internet DNS Servers 112
Deploying an AAA Infrastructure 112
Configuring Active Directory for User Accounts and Groups 112
Configuring the Primary IAS Server Computer 113
Configuring IAS with RADIUS Clients 116
Configuring a VPN Remote Access Policy with Windows Server 2003 IAS 117
Configuring the Secondary IAS Server Computer 119
Deploying VPN Servers 120
Configuring the VPN Server’s Connection to the Intranet 120
Running the Routing And Remote Access Server Setup Wizard 120
Deploying an Intranet Infrastructure 121
Configuring Routing on the VPN Server 122
Verifying Name Resolution and Intranet Reachability from the VPN Server 122
Configuring Routing for Off-Subnet Address Ranges 122
Configuring Quarantine Resources 123
Deploying VPN Clients 123
Manually Configuring VPN clients 123
Configuring CM Packages with CMAK 124
Summary 124
7 Using Connection Manager for Quarantine Control and Certificate Provisioning 127
Deployment and Quarantine Control Using Connection Manager 128
Creating L2TP/IPSec Connections with Connection Manager 128
Deploying Network Access Quarantine Control with Connection Manager 128
Configuring the Initial Test Lab 130
DC1 132
CA1 134
Install IIS 134
Configure a shared folder 135
IIS1 136
VPN1 136
CLIENT1 139
Configuring and Testing Network Access Quarantine Control and Certificate Provisioning 140
DC1 140
Update Group Policy 151
Update Group Policy 154
VPN1 155
Summary 168
8 Site-to-Site VPN Components and Design Points 169
Demand-Dial Routing in Windows Server 2003 169
Demand-Dial Routing Updates 171
Introduction to Site-to-Site VPN Connections 172
Components of Windows Server 2003 Site-to-Site VPNs 176
VPN Routers 177
Internet Network Infrastructure 185
Authentication Protocols 187
VPN Protocols 189
Site Network Infrastructure 191
AAA Infrastructure 194
Certificate Infrastructure 201
Summary 203
9 Deploying Site-to-Site VPNs 205
Deploying a Site-to-Site VPN Connection 205
Deploying the Certificate Infrastructure 206
Deploying the Internet Infrastructure 214
Deploying the Answering Router 215
Deploying the Calling Router 220
Deploying the AAA Infrastructure 222
Deploying the Site Network Infrastructure 228
Deploying the Intersite Network Infrastructure 235
Summary 241
10 A VPN Deployment Example 243
Introducing Contoso, LTD 243
Common Configuration for the VPN Server 244
Network Configuration 244
Remote Access Policy Configuration 248
Domain Configuration 248
Security Configuration 249
VPN Remote Access for Employees 249
Domain Configuration 250
Remote Access Policy Configuration 250
PPTP-Based Remote Access Client Configuration 250
L2TP/IPSec-Based Remote Access Client Configuration 250
On-Demand Branch Office 251
Additional Configuration 252
PPTP-Based On-Demand Branch Office 253
L2TP/IPSec-Based On-Demand Branch Office 255
Persistent Branch Office 257
Additional Configuration 258
PPTP-Based Persistent Branch Office 260
L2TP/IPSec-Based Persistent Branch Office 263
Extranet for Business Partners 265
Additional Configuration 266
PPTP-Based Extranet for Business Partners 268
L2TP/IPSec-Based Extranet for Business Partners 269
Dial-Up and VPNs with RADIUS Authentication 270
Domain Configuration 271
RADIUS Configuration 272
Dial-Up Remote Access Client Configuration 272
Summary 273
PART III VPN Troubleshooting
11 Troubleshooting Remote Access VPN Connections 277
Troubleshooting Tools 278
TCP/IP Troubleshooting Tools 278
Authentication and Accounting Logging 278
Event Logging 279
IAS Event Logging 279
PPP Logging 280
Tracing 280
Oakley Logging 281
Network Monitor 282
Troubleshooting Remote Access VPNs 282
Unable to Connect 283
Unable to Reach Locations Beyond the VPN Server 292
Summary 293
12 Troubleshooting Site-to-Site VPN Connections 295
Troubleshooting Tools 295
Troubleshooting Site-to-Site VPN Connections 296
Unable to Connect 297
Unable to Reach Locations Beyond the VPN Routers 306
Unable To Reach the Virtual Interfaces of VPN Routers 308
On-Demand Connection Is Not Made Automatically 309
Summary 309
PART IV Appendixes
A VPN Deployment Best Practices 313
Stick to the Standards 313
Choice of Tunneling Protocols 313
Choice of Authentication Protocols 314
Scalability 315
Use of IAS/RADIUS 315
VPN Privileges for Users 316
Packet Filters 316
Split Tunneling 317
Use of Quarantine—Being Realistic 317
Two-Factor Authorization: Smart Cards with Tokens or Biometrics 318
Connection Manager and Phone Book Administrator 318
Site-to-Site 319
Troubleshooting: Do It by the Book! 321
Summary 321
B Configuring Firewalls for VPN 323
VPN Server in Front of the Firewall 323
Packet Filters for PPTP 324
Packet Filters for L2TP/IPSec 325
VPN Server Behind the Firewall 326
Packet Filters for PPTP 327
Packet Filters for L2TP/IPSec 329
Filters on the Internet Interface 329
VPN Server Between Two Firewalls 331
C Deploying a Certificate Infrastructure 333
Certificate Revocation and EAP-TLS Authentication 334
Using Third-Party CAs for EAP-TLS Authentication 337
Certificates on the Authenticating Servers 337
Certificates on VPN Client Computers 337
Summary 338
D Setting Up Remote Access VPN Connections in a Test Lab 339
PPTP-Based Remote Access VPN Connections 339
DC1 341
IAS1 345
IIS1 348
VPN1 349
CLIENT1 351
L2TP/IPSec-Based Remote Access VPN Connections 354
DC1 354
VPN1 355
CLIENT1 356
EAP-TLS-Based Remote Access VPN Connections 357
DC1 358
IAS1 362
CLIENT1 363
Summary 365
E Setting Up Connection Manager in a Test Lab 367
Configuring the Initial Test Lab 367
DC1 369
IAS1 371
IIS1 373
VPN1 373
CLIENT1 375
Configuring and Testing a Dial-Up Profile 376
DC1 376
IAS1 376
IIS1 377
VPN1 379
CLIENT1 385
Configuring and Testing a PPTP Profile 387
DC1 388
IAS1 388
IIS1 389
VPN1 389
CLIENT1 392
Configuring and Testing an L2TP/IPSec Profile 393
DC1 394
VPN1 396
IAS1 398
CLIENT1 398
Configuring and Testing an EAP Profile 399
DC1 399
IAS1 401
VPN1 401
CLIENT1 404
Summary 405
F Setting Up a PPTP-Based Site-to-Site VPN Connection in a Test Lab 407
Setting Up the Test Lab 407
Configuration for CLIENT1 409
Configuration for CLIENT2 410
Computer Setup for the Answering and Calling Routers 410
Computer Setup for the Internet Router 411
Configuring a PPTP-Based Site-to-Site VPN Connection 412
Configuring VPN on the Answering Router 413
Configuring the Demand-Dial Interface on the Answering Router 414
Configuring VPN on the Calling Router 416
Configuring the Demand-Dial Interface on the Calling Router 417
Initiating the VPN Connection 418
Testing the VPN Connection 418
Summary 419
G Frequently Asked Questions 421
Virtual Private Networks Defined 421
Microsoft Support for VPNs 422
VPN Standards and Interoperability 424
VPN Deployment 430
Index 435
Acknowledgments
From the beginning, writing Deploying Virtual Private Networks with Microsoft Windows Server 2003 was a labor of love for me. As the lead program manager for
Secure Network Access in Windows Networking, I have seen the VPN features of
Windows Server 2003 deployed for many customers, and it is a matter of passion for
me to make sure that everyone and anyone who wants to use these awesome features has the resources to do so. That’s why, when Microsoft Press came to ask me
to write this book, I immediately went to the very best technical author and domain
expert I knew to ask him for the privilege to partner on it. Thank goodness, Joseph
Davies honored me by accepting my request, and he helped lead the way to making this book a reality. Joe, it has been a privilege—and an honor—to work with
the very best. Thank you!
Joe and I also want to thank Susan Ferrell and Douglas Goodwin, who assisted in
providing content, and Rany El Housieny, who provided key pieces of the technical
information for the CD. You guys are awesome—thanks for helping to bring this
book together.
The team at Microsoft Press is simply hands-down the best publishing group I have
ever worked with. Jean Trenary and Valerie Woolley were instrumental throughout
the writing process. They helped me stay on track and to get the tools I needed to
write this book; they crunched the schedules, kept us moving, and hounded me in
all the right ways. Completing and publishing the book wouldn’t have been possible without their help! Through tight schedules, changing staff, and all kinds of adversity, you two kept this machine moving. Well done—and thank you!
Any author will tell you that the most painful part of writing a book is not creating
the chapter content—it’s having the editorial staff tear through the work and bring
you back to reality on your writing skills. Jim Johnson was the technical editor for
the book, and I want to say that I have never had a better technical editor in any of
the writing projects I have done. Jim, you’re the best—thanks for keeping the bar
high! Roger LeBlanc was our copyeditor and an excellent technical resource, as
well. Roger, thank you for critiquing our work in all the right ways. Al Valvano, Jeff
Koch, and Martin DelRe, thank you for your help throughout this project and for
making this book a reality.
Most importantly, I want to thank my wife, Meg, and my sons, Zack, Ben, and
James, for all your patience and understanding. You sacrificed many months of personal time without me so that I could write this book, and you deserve all the credit
for making it happen. I love you very much.
And finally—my father, Mark Lewis, told me recently that it’s one of his great
dreams to see his name in print in a published book. My mother, Adrianne Yaffe, is
an aspiring author herself, and I’m sure that she will accomplish this feat on her
own. But for you, Dad, well, some wishes do come true. (Now, if only the New
York Giants could win another Super Bowl for us. :-) ) I love you both.
Introduction
Welcome to Deploying Virtual Private Networks with Microsoft Windows Server
2003, your complete source for the information you need to design and deploy Virtual Private Networks (VPNs) using Windows Server 2003 and all of the Windows
Client operating systems. This book includes overview explanations of the various
technologies involved in deploying both remote access and site-to-site VPNs over
the Internet and/or within a private network. It also includes step-by-step instructions on how to deploy basic remote access and site-to-site VPNs using various tunneling protocols and authentication methods, step-by-step instructions on advanced
features such as Connection Manager and Network Access Quarantine Control, and
detailed procedures on how to troubleshoot your VPN deployments.
Virtual private networking is all about ensuring privacy and security on the Internet
so that you can use the Internet as a communications network for your users and
remote offices. In today’s world of open communications and connectivity on the
Internet, you should remember the following quotation when thinking about security:
Security is not binary. It is not a switch or even a series of switches. It cannot be expressed in absolute terms. Do not believe anyone who tries to convince you otherwise. Security is relative—there is only more secure and
less secure. Furthermore, security is dynamic—people, process, and technology all change. The bottom line is that all of these factors make managing security difficult.
—Ben Smith and Brian Komar, Microsoft Windows Security Resource Kit, Microsoft
Press, 2003.
Deploying Virtual Private Networks with Microsoft® Windows Server™ 2003
describes the combination of technologies in Windows that supports the strongest
set of industry standards for VPN access that was available at the time of the writing
of this book.
How This Book Is Structured
Deploying Virtual Private Networks with Microsoft Windows is structured to provide a conceptual overview of not only VPNs, but also of all the other components
of the authentication infrastructure, such as Remote Authentication Dial-In User Service (RADIUS), authentication protocols, certificate services, and Active Directory.
Many companies have not implemented some of these services, so this book takes
the time to explain them conceptually as they pertain to VPN technologies. We
cover the basic operations and setup of all necessary services, and as the issues go