Deploying Virtual Private Networks with Microsoft Windows Server 2003 (Technical Reference)

Along with deciding on an authentication protocol, you need to decide which VPN tunneling protocol to use for your deployment. Windows Server 2003 includes support for two remote access VPN tunneling protocols:

1. Point-to-Point Tunneling Protocol

2. Layer Two Tunneling Protocol with IPSec

Point-to-Point Tunneling Protocol

Introduced in Windows NT 4.0, PPTP leverages Point-to-Point Protocol (PPP) user authentication and Microsoft Point-to-Point Encryption (MPPE) to encapsulate and encrypt IP traffic. When MS-CHAP v2 is used with strong passwords, PPTP is a secure VPN technology. For nonpassword-based authentication, EAP-TLS can be used to support smart cards. PPTP is widely supported, easily deployed, and can be used across most NATs.

Layer Two Tunneling Protocol with IPSec

L2TP leverages PPP user authentication and IPSec encryption to encapsulate and encrypt IP traffic. This combination, known as L2TP/IPSec, uses certificate-based computer identity authentication to create the IPSec session in addition to PPP- based user authentication. L2TP/IPSec provides data integrity and data origin

authentication for each packet. However, L2TP/IPSec requires a certificate infrastructure to allocate computer certificates or preshared keys and is supported by Windows Server 2003, Windows XP, Windows 2000, and other L2TP clients running Microsoft L2TP/IPSec VPN Client.

Design Point: PPTP or L2TP/IPSec?

Consider the following when deciding between PPTP and L2TP/IPSec for remote access VPN connections:

• PPTP can be used with a variety of Microsoft clients, including Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, Windows Me, and Windows 98. PPTP does not require a certificate infrastructure to issue computer certificates.

• PPTP-based VPN connections provide data confidentiality (because captured packets cannot be interpreted without the encryption key). PPTP VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).

• PPTP-based VPN clients can be located behind a NAT if the NAT includes a NAT editor that knows how to properly translate PPTP tunneled data. For example, both the Internet connection sharing (ICS) feature of the Network Connections folder and the NAT/Basic Firewall routing protocol component of the Routing And Remote Access service include a NAT editor that translates PPTP traffic to and from PPTP clients located behind the NAT. VPN servers cannot be behind a NAT unless either:

  • There are multiple public IP addresses, and there is a one-to-one mapping of a public IP address to the private IP address of the VPN server

  or

  • There is only one public IP address, and the NAT is configured to translate and forward the PPTP tunneled data to the VPN server

  With regard to the second situation, most NATs using a single public IP address—including ICS and the NAT/Basic Firewall routing protocol component—can be configured to allow inbound traffic based on IP addresses and TCP and UDP ports. However, PPTP tunneled data does not use TCP or UDP headers. Therefore, a VPN server cannot be located behind a NAT or a computer using ICS when using a single IP address.

• L2TP/IPSec-based VPN clients or servers cannot be behind a NAT unless both the client and server support IPSec NAT-T. IPSec NAT-T is supported by Microsoft L2TP/IPSec VPN Client for Windows 98, Windows 98 SE, Windows

• Me, and Windows NT 4.0 Workstation. NAT-T is also supported on Windows XP and Windows 2000 Professional with the proper hotfixes from Windows Update (available May 2003 for Windows 2000, and in July 2003 for Windows XP, and to be incorporated into Windows XP SP2 and Windows 2000 SP5), and Windows Server 2003.

• L2TP/IPSec can be used with Windows Server 2003, Windows XP, Windows 2000, and clients running Microsoft L2TP/IPSec VPN Client. L2TP/IPSec supports computer certificates as the recommended authentication method for IPSec. Computer certificate authentication requires a certificate infrastructure to issue computer certificates to the VPN server computer and all VPN client computers.

• By using IPSec, L2TP/IPSec-based VPN connections provide data confidentiality, data integrity, data origin authentication, and replay protection.

• PPTP and L2TP/IPSec is not an either/or choice—both can be utilized on the same server. By default, a Windows Server 2003 VPN server supports both PPTP and L2TP/IPSec connections simultaneously. You can use PPTP for some remote access VPN connections (from VPN clients that are not running Windows XP or Windows 2000 and do not have an installed computer certificate) and L2TP/IPSec for other remote access VPN connections (from VPN clients running Windows XP, Windows 2000, or Microsoft L2TP/IPSec VPN Client and have an installed computer certificate or a preshared key).

  If you are using both PPTP and L2TP/IPSec, you can create separate remote access policies that define different connection parameters for PPTP and L2TP/IPSec connections.

VPN Server

A VPN server is a computer running Windows Server 2003 and the Routing And Remote Access service. This server is the heart of the entire VPN operation. The VPN server does the following:

• Listens for PPTP connection attempts and IPSec SA negotiations for L2TP connection attempts

• Authenticates and authorizes VPN connections before allowing data to flow

• Acts as a router forwarding data between VPN clients and resources on the intranet

• Acts as an endpoint of the VPN tunnel from the tunnel client (typically the VPN client)

• Acts as the endpoint of the VPN connection from the VPN client

The VPN server typically has two or more installed network adapters, with a combination of one or more network adapters connected to the Internet and one or more network adapters connected to the intranet.

With Microsoft Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1000 PPTP ports, and up to 1000 L2TP ports. However, Windows Server 2003, Web Edition, can accept only one VPN connection at a time. Windows Server 2003, Standard Edition, can accept up to 1000 concurrent VPN connections. If 1000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1000. Windows Server 2003 Enterprise Edition and Datacenter Edition have no connection limits and therefore can support unlimited connections.

When you configure and enable the Routing And Remote Access service, the Routing And Remote Access Server Setup Wizard prompts you to select the role that the computer will fulfill. For VPN servers, you should select the Remote Access (Dial- Up Or VPN) configuration option.

With the Remote Access (Dial-Up Or VPN) option, the Routing And Remote Access server operates in the role of a dial-up or VPN server that supports remote access VPN connections. For remote access VPN connections, users run VPN client software, which is part of the native operating system for all Windows clients, and initiate a remote access connection to the server.

PPTP is supported natively for all Windows VPN clients. L2TP/IPSec native support is part of Windows XP and Windows 2000, and it is also available via download of the L2TP/IPSec Client for earlier client operating systems.

When you select the Remote Access (Dial-Up Or VPN) option in the Routing And Remote Access Server Setup Wizard:

1. You are first prompted to specify whether VPN, dial-up, or both types of access are needed.

2. Next, you are prompted to select the interface that is connected to the Internet. The interface you select will be automatically configured with packet filters that allow only PPTP- and L2TP/IPSec-related traffic (unless you clear the Enable Security On The Selected Interface By Setting Up Static Packet Filters check box). All other traffic is silently discarded. For example, you will no longer be able to ping the Internet interface of the VPN server.

3. Next, if you have multiple network adapters that are connected to the intranet, you are prompted to select an interface over which Dynamic Host Configuration Protocol (DHCP), DNS, and Windows Internet Name Service (WINS) configuration data is obtained.

4. Next, you are prompted to determine whether you want to obtain IP addresses to assign to remote access clients by using either DHCP or a specified range of addresses. If you select a specified range of addresses, you are prompted to add one or more address ranges.

5. Next, you are prompted to specify whether you want to use Remote Authentication Dial-In User Service (RADIUS) as your authentication provider. If you select RADIUS, you are prompted to configure primary and alternate RADIUS servers and the shared secret.

When you select the Remote Access (Dial-Up Or VPN) option in the Routing And Remote Access Server Setup Wizard, the results are as follows:

1. The Routing And Remote Access service is enabled as both a remote access server and a LAN and demand-dial router, with Windows as the authentication and accounting provider (unless RADIUS was chosen and configured). If there is only one network adapter connected to the intranet, that network adapter is automatically selected as the IP interface from which to obtain DHCP, DNS, and WINS configuration data. Otherwise, the network adapter specified in the wizard is selected to obtain DHCP, DNS, and WINS configuration data. If specified, the static IP address ranges are configured.

2. Exactly 128 PPTP ports and 128 L2TP ports are created. All of them are enabled for both inbound remote access connections and inbound and outbound demand-dial connections.

3. The selected Internet interface is configured with input and output IP packet filters that allow only PPTP and L2TP/IPSec traffic.

4. The DHCP Relay Agent component is added with the Internal interface. The Internal interface is a logical interface that is used to represent the connection to VPN clients as opposed to the physical interface corresponding to an installed network adapter. If the VPN server is a DHCP client at the time the wizard is run, the DHCP Relay Agent is automatically configured with the IP address of a DHCP server. Otherwise, you must manually configure the properties of the DHCP Relay Agent with an IP address of a DHCP server on your intranet. The DHCP Relay Agent forwards DHCPInform packets between VPN remote access clients and an intranet DHCP server.

5. The Internet Group Management Protocol (IGMP) component is added. The Internal interface is configured for IGMP router mode. All other LAN interfaces are configured for IGMP proxy mode. This allows VPN remote access clients to send and receive multicasting group membership information for IP multicast traffic. It is important to note that IGMP is not a multicast routing protocol in its own right—it simply enables multicast forwarding to work across the VPN server.

Design Point: Configuring the VPN Server

Consider the following before running the Routing And Remote Access Server Setup Wizard:

• Which connection of the VPN server is connected to the Internet? Typical Internet-connected VPN servers have at least two LAN connections: one connected to the Internet (either directly or connected to a perimeter network) and one connected to the organization intranet. To make this distinction easier to see during the Routing And Remote Access Server Setup Wizard, rename the connections with their purpose or role by using the Network Connections folder. For example, if the connection connected to the Internet has the default name “Local Area Connection 2”, rename that connection to “Internet”.

• Can the VPN server be a DHCP client? The VPN server must have a manual TCP/IP configuration for its Intranet interface. While it’s technically possible to have the Internet interface be dynamically assigned, the use of an external DNS dynamic update service is required to maintain the DNS relationship between the VPN server’s fully qualified domain name and the dynamically assigned IP address. Therefore, it is not recommended that the VPN server be a DHCP client for its intranet interfaces. Because of the routing requirements of the VPN server, you should manually configure an IP address, a subnet mask, a DNS server or servers, and a WINS server or servers, but do not configure a default gateway on the intranet interfaces. Also, the DNS and WINS servers settings on all interfaces should be pointed to the internal servers on the intranet so that name resolution for internal resources will happen in a timely manner. The internal DNS server can be configured to reference an external DNS server for lookups.

  Note that the VPN server can have a manual TCP/IP configuration and still use DHCP to obtain IP addresses for VPN clients.

• How will IP addresses be allocated to remote access VPN clients? The VPN server can be configured to obtain IP addresses from DHCP or from a manually configured set of address ranges. Using DHCP to obtain IP addresses simplifies the configuration; however, you must ensure that the DHCP scope for the subnet to which the intranet connection of the VPN server is attached has enough addresses for all the computers physically connected to the subnet and the maximum number of PPTP and L2TP ports. For example, if the subnet to which the intranet connection of the VPN server is attached contains 50 DHCP clients, then, for the default configuration of the VPN server, the scope must contain at least 307 addresses (50 computers + 128 PPTP clients + 128 L2TP clients + 1 address for the VPN server). If there are not enough IP addresses in the scope, VPN clients that connect after all the addresses in the scope are allocated will be unable to access intranet resources.

  If you are configuring a static pool of addresses, you might need to address additional routing considerations. For more information, see the “Intranet Network Infrastructure” section later in this chapter.

• What is the authentication and accounting provider? The VPN server can use RADIUS as its authentication or accounting provider. IAS is an optional service supplied with Windows Server 2003, and it can act as a RADIUS server and proxy.

  When Windows is the authentication and accounting provider, the VPN server uses Windows mechanisms to validate the credentials of the VPN client and access the VPN client’s user account dial-in properties. Locally configured remote access policies authorize the VPN connection and locally written accounting log files log VPN connection accounting information.

  When RADIUS is the authentication and accounting provider, the VPN server uses a configured RADIUS server to validate the credentials of the VPN client, authorize the connection attempt, and store VPN connection accounting information. If there is another RADIUS server or a third-party RADIUS server supplying authentication services, the IAS server can be used as a RADIUS proxy to pass authentication requests to the main RADIUS server.

• Will there be multiple VPN servers? If there are multiple VPN servers, create multiple DNS Address (A) records to resolve the same name of the VPN server (for example, vpn.example.microsoft.com) to the different IP addresses of the separate VPN servers. DNS round robin will distribute the VPN connections across the VPN servers.

  Note

  When working with Windows VPN services, the server will grab a pool of 10 DHCP addresses at a time when using DHCP to hand out addressing. Although this should be transparent to the users, administrators should keep this in mind so that they do not under-allocate the DHCP scopes assigned to the VPN server and they aren’t surprised to see 10 addresses grabbed at a time. Once the VPN server has allocated all 10 addresses from the pool, it will retrieve another set of 10 and so on.

Consider the following when changing the default configuration of the VPN server for remote access VPN connections:

• Do you need additional PPTP or L2TP ports? By default, the Routing And Remote Access Server Setup Wizard configures 128 PPTP ports and 128 L2TP ports, allowing 128 simultaneous PPTP connections and 128 simultaneous L2TP connections. If this is not sufficient for the maximum number of PPTP or L2TP connections, you can change the number of PPTP and L2TP ports by configuring the WAN Miniport (PPTP) and WAN Miniport (L2TP) devices from the properties of the Ports object in the Routing And Remote Access snap-in.

• Do you need to install a computer certificate? If the VPN server is configured with the Windows authentication provider and is supporting L2TP/IPSec connections or is authenticating connections by using the EAP- TLS authentication protocol, you must install a computer certificate on the VPN server that can be validated by the VPN client and a root certificate that is used to validate the VPN client.

• Do you need custom remote access policies for VPN connections? If you configure the VPN server for Windows authentication or for RADIUS authentication and the RADIUS server is a computer running IAS, the default remote access policy rejects all types of connection attempts unless the remote access permission of the user account’s dial-in properties is set to Allow Access. If you want to manage authorization and connection parameters by group or by type of connection, you must configure custom remote access policies. For more information, see the “Remote Access Policies” section later in this chapter.

• Do you want separate authentication and accounting providers? The Routing And Remote Access Server Setup Wizard configures both authentication and accounting providers to be the same. After the Wizard is complete, however, you can configure the authentication and accounting providers separately (for example, if you want to use Windows authentication and RADIUS accounting). You can configure authentication and accounting providers on the Security tab from the properties of the VPN server in the Routing And Remote Access snap-in.