P. 1


|Views: 354|Likes:
Published by Milton Reyes

More info:

Published by: Milton Reyes on Feb 24, 2011
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





READ THIS AGREEMENT BEFORE USING THIS TECHREPUBLIC RESOURCE CD-ROM DISK (“CD”) FROM TECHREPUBLIC. BY USING THE CD YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, IMMEDIATELY RETURN THE UNUSED CD FOR A FULL REFUND OF MONIES PAID, IF ANY. The articles, forms, tools, templates, programs, and other materials included on this CD and their compilation (the ‘Collection’) are licensed to you subject to the terms and conditions of this Agreement by TechRepublic, having a place of business at 1630 Lyndon Farm Court, Louisville, KY 40223 (‘TechRepublic’). By using the Collection, in whole or in part, you agree to be bound by the terms and conditions of this Agreement. TechRepublic owns the title to the Collection and to all intellectual property rights therein, except in so far as it contains materials that are proprietary to third-party suppliers. All rights in the Collection except those expressly granted to you in this Agreement are reserved to TechRepublic and such suppliers, as their respective interests may appear. 1. Limited License TechRepublic grants you a limited, nonexclusive, nontransferable license to use the Collection on a single dedicated computer. This Agreement and your rights hereunder shall automatically terminate if you fail to comply with any provision of this Agreement. Upon such termination, you agree to destroy the CD and all copies of the CD, whether or not lawful, that are in your possession or under your control. 2. Additional Restrictions A. You shall not (and shall not permit other persons or entities to) directly or indirectly, by electronic or other means, copy or reproduce (except for archival purposes as permitted by law), publish, distribute, rent, lease, sell, sublicense, assign, or otherwise transfer the Collection or any part thereof or this Agreement, and neither the CD nor its contents can be shared over a network for access by multiple users without a separate site license agreement. Any attempt to do so shall be void and of no effect. B. You shall not (and shall not permit other persons or entities to) reverse-engineer, decompile, disassemble, merge, modify, create derivative works of, or translate the Collection or use the Collection for any purpose. C. You shall not (and shall not permit other persons or entities to) remove or obscure TechRepublic’s or its suppliers’ copyright, trademark, or other proprietary notices or legends from any portion of the Collection or any related materials. 3. Limited Warranty and Limited Liability A. THE ONLY WARRANTY MADE BY TECHREPUBLIC IS THAT THE ORIGINAL CD IN WHICH THE COLLECTION IS EMBODIED AND WHICH IS DISTRIBUTED BY TECHREPUBLIC SHALL BE FREE OF DEFECTS IN MATERIALS AND WORKMANSHIP FOR A PERIOD OF NINETY (90) DAYS AFTER DELIVERY TO YOU. TECHREPUBLIC’S AND ITS SUPPLIERS’ ENTIRE LIABILITY AND YOUR EXCLUSIVE REMEDY SHALL BE LIMITED TO THE REPLACEMENT OF THE ORIGINAL CD, IF DEFECTIVE, WITHIN A REASONABLE PERIOD OF TIME. B. EXCEPT AS SPECIFICALLY PROVIDED ABOVE, THE COLLECTION IS PROVIDED ‘AS IS’ WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE RESULTS AND PERFORMANCE OF THE SOFTWARE AND OTHER MATERIAL THAT IS PART OF THE COLLECTION IS ASSUMED BY YOU, AND TECHREPUBLIC AND ITS SUPPLIERS ASSUME NO RESPONSIBILITY FOR THE ACCURACY ON APPLICATION OF OR ERRORS OR OMISSIONS IN THE COLLECTION. IN NO EVENT SHALL TECHREPUBLIC OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE COLLECTION, EVEN IF TECHREPUBLIC OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE LIKELIHOOD OF SUCH DAMAGES OCCURRING. TECHREPUBLIC AND ITS SUPPLIERS SHALL NOT BE LIABLE FOR ANY LOSS, DAMAGES, OR COSTS ARISING OUT OF, BUT NOT LIMITED TO, LOST PROFITS OR REVENUE; LOSS OF USE OF THE COLLECTION; LOSS OF DATA OR EQUIPMENT; COST OF RECOVERING SOFTWARE, DATA, OR THE MATERIALS IN THE COLLECTION; THE COST OF SUBSTITUTE SOFTWARE, DATA OR MATERIALS IN THE COLLECTION; CLAIMS BY THIRD PARTIES; OR OTHER SIMILAR COSTS. C. THE WARRANTIES AND REMEDIES SET FORTH HEREIN ARE EXCLUSIVE AND IN LIEU OF ALL OTHERS, ORAL OR WRITTEN, EXPRESSED OR IMPLIED. NO TECHREPUBLIC AGENT OR EMPLOYEE OR THIRD PARTY IS AUTHORIZED TO MAKE ANY MODIFICATION OR ADDITION TO THIS WARRANTY. D. SOME STATES DO NOT ALLOW EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES OR LIMITATION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. 4. U.S. Government Restricted Rights The Collection is licensed subject to RESTRICTED RIGHTS. Use, duplication, or disclosure by the U.S. Government or any person or entity acting on its behalf is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software Clause at DFARS (48 CFR 252.227-7013) for DoD contracts, in paragraphs (c)(1) and (2) of the Commercial Computer Software and the Restricted Rights clause in the FAR (48 CER 52.227-19) for civilian agencies or in other comparable agency clauses. The contractor, manufacturer, is TechRepublic. 5. General Provision Nothing in this Agreement constitutes a waiver of TechRepublic’s or its suppliers’ rights under U.S. copyright laws or any other federal, state, local, or foreign law. You are responsible for installation, management, and operation of the Collection. This Agreement shall be construed, interpreted, and governed under California law. CD-ROM Requirements The TechRepublic Resource CD requires: • Windows 98/98SE/ME/NT4/2000 or XP • Internet Explorer 5.0 or later • 16 MB of RAM or more • 10 MB of free disk space or more • Windows-compatible CD-ROM drive

® ®

Administrator's Guide to VPN and Remote Access, Second Edition

TechRepublic Credits and Copyrights
Managing Editor, Ancillaries
Janice Conard

Content Resources Manager
Marilyn Bryan

Track Editors
John Sheesley, Jack Wallen, Jr., Jim Wells

Promotions Manager, Membership
Megan Hancock

Community Editors
Paul Baldwin, Toni Bowers, Bill Detwiler, Jason Hiner, Judy Mottl

Membership Director
Dan Scofield

Senior Review Editor
Rich Crossett

Director of Community Content
Veronica Combs

Review Editors
Kachina Dunn, Jody Gilbert, Kim Mays, Geri Perkins, Dennis Ryan

Editor in Chief, TechProGuild and Ancillaries
Erik Eckel

Editor in Chief, TechRepublic
Lisa Kiava

Copy Editors
Susan Craig, Selena Frye, Susan Mitchell, Lauren Mosko, Julie Tonini, Linda Watkins

Vice President, Membership
Jon Pyles

Editorial Intern
Lindsay Puckett

Vice President, TechRepublic
Bob Artner

Product Manager, Content Management
Travis Frazier

9900 Corporate Campus Drive Suite 1500 Louisville, KY 40223 E-mail: customerservice@techrepublic.com www.techrepublic.com

Graphic Artists
Natalie Strange, Kimberly Wright

© 1995-2002 by CNET Networks, Inc. All rights reserved. TechRepublic and its logo are trademarks of CNET Networks, Inc. All other product names or services identified throughout this book are trademarks or registered trademarks of their respective companies. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. CNET Networks, Inc. disclaims all warranties as to the accuracy, completeness, or adequacy of such information. CNET Networks, Inc. shall have no liability for errors, omissions, or inadequacies in the information contained herein or for the interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. ISBN 1-931490-43-0

VPN technology lets users take advantage of high-speed Internet access while minimizing the Internet’s attendant security risks. being able to check e-mail from anywhere in the world. including two pieces on TechRepublic’s own VPN implementation. As you know. Troubleshoot TCP/IP and other data transfer protocol issues. look no further than TechRepublic’s Administrator’s Guide to VPN and Remote Access. you’ll find expert information and advice to help you: Determine how to provide remote access without compromising data security. please e-mail us at trproducts@techrepublic. Identify and evaluate a wide range of remote access solutions. and Linux networks. I . How do you reconcile the need to provide remote access to sensitive corporate data with the greater need to safeguard it? The solution for many IT organizations is to create a secure tunnel for data transfer via a virtual private network (VPN). To more thoroughly understand the ins and outs of VPN implementation in today’s enterprise computing environments.Foreword ncreasingly.com. Configure VPN connections with firewalls. Optimize VPN and remote access connections. As an added bonus. However. say. Set up and administer VPNs within Windows. In this updated version of one of our most popular titles. Second Edition. If you have suggestions or comments regarding this product. leaders throughout the enterprise are recognizing the business benefits of providing authorized users remote access to electronic data. NetWare. the searchable CD-ROM includes a special chapter of case studies by in-thetrenches IT professionals. as an IT professional. you know that the risks associated with transferring data across the Internet far outweigh the benefits of.

...........................................................................................................................................................159 Protocols..........................23 Security ...............................................................................1 Administration.......................Quick Reference Introduction to VPN and Remote Access ..................................................................................................177 Solutions ....................................................207 Case Studies ....................................CD-ROM ....................................................................

.........15 Telecommuting: Balancing the need for speed and security ...........................................................................................................................................................................34 Making the connection with Windows 2000 Professional Dial-Up Networking ...........53 Issues surrounding a Windows 2000 VPN implementation ...............................26 Controlling the dial-up bandwidth on your VPN ................................................................................................................................................................................63 Configuring Routing and Remote Access on your Windows 2000 server ....78 ...........................................................................................................68 Configuring Windows 2000 as a remote access server ...35 Understanding demand dial connections in Windows 2000 .................................................................................................................................................................................................................................................................43 Configuring Windows 2000 for demand dial connections .............13 Understand your organization’s needs before selecting VPN hardware .......................14 Cost benefit of VPN appliances vs.......................................5 Going beyond the buzz to understand VPN technology ....................................11 How can using a VPN benefit your company? ............60 Introducing Windows 2000 Routing and Remote Access ............................................................................................................................................ VPN servers .................................................................................... increase productivity ................................................1 Understanding virtual private networking ......................................................................................................................................................................................................................................Administrator's Guide to VPN and Remote Access........58 Setting up a Windows 2000 virtual private network..............75 Increasing Windows 2000 RRAS security ............................23 Understanding and troubleshooting virtual private networking ........................................................................... Second Edition Introduction to VPN and Remote Access Virtual private networks: The current state ..........17 Access your home PC from the office ............................................................................................................................50 Setting up a VPN with Windows 2000 .............................................8 Virtual private networks save money...............19 Administration Managing remote access to your network ....46 How to configure Win2K client VPN connections ...............................................................

.............143 Setting up client-to-site VPN in BorderManager 3...........................................................132 Enabling Web access of Exchange accounts using Outlook Web Access ............................................................159 Securing the Edge: Windows 2000 Firewall/VPN and beyond: The firewall ......................................................99 Learn why NAT can cause VPN connection problems ...................................102 Create a gateway-to-gateway VPN with ISA Server 2000 .........................................................................91 Optimal VPN server configuration and management .............................................................162 Securing the Edge: Windows 2000 Firewall/VPN and beyond: Tuning the security...................................................x .......................................148 Serving up NetWare’s Web Manager............................x ..........................................................................................................................................124 The Win9x VPN client connection guide .................................................................................119 Monitoring and troubleshooting VPN connections in WinNT .....155 Security Configuring VPN connections with firewalls ...................141 Implementing site-to-site VPN with BorderManager 3..........................................................108 Configure Windows XP Professional to be a VPN server ...........................................................137 Enhance Exchange 2000 OWA using front-end servers ................................................118 Configure Windows NT to support VPN connections....................................................................85 VPN networking services built for speed.....................................................................................................170 Protect your VPN by keeping a tight rein on passwords ......................................................165 Making the most of OpenSSH ......................................................................................................................................................................................95 Troubleshoot Windows RAS and VPN connections with these tips .173 ........................................................................164 Secure Shell: Protecting data in transit ..................104 Troubleshoot ISA Server VPN connections ........................................................................................................................................Routing and remote access on Windows 2000 Advanced Server ........82 Optimize inbound client connections for your Windows 2000 VPN servers ..............................................................113 How to configure Windows XP client VPN connections......................................................................................................................................................................................................127 Understanding Exchange 2000 Server’s Outlook Web Access........153 Believe it or not: A Linux VPN without kernel recompilation ....................................................................

........................................................230 More options for secure collaboration ...........................................207 Eight commonly overlooked troubleshooting tips for the Cisco PIX VPN ..................215 Who said you can’t afford your own router? ...........CD-ROM International VPN can have its challenges ......................................213 The D-Link DI-704 cable/DSL gateway .210 SonicWALL PRO-VX provides fast.............................................177 Troubleshoot your network errors with TechRepublic’s TCP/IP checklist ....................................................................................................................................................................Protocols TechRepublic’s TCP/IP primer ............................CD-ROM A VPN case study: A creative solution for a VPN-based WAN ..228 High marks for Mangosoft’s VPN alternative.............................................199 The Windows NT 4................................................................180 Troubleshoot Novell TCP/IP network errors with TechRepublic’s checklist ..CD-ROM A TechRepublic member shares his VPN success story ...................................202 Solutions VPN services on a Cisco PIX firewall ......................CD-ROM Case Studies Dealing with the growing pains of a site-to-site VPN ..............................................................................................................................................................224 Check Point offers integrated firewall and VPN on Linux ....................................................CD-ROM How to resolve two common VPN problems.................................................222 Share small office broadband pipes using a Linksys router and Win2K Pro......................................................186 Configuring certificates for an L2TP/IPSec VPN .......................................................................................................................CD-ROM Free VPN solution had a major impact on this company ..............................................................................................191 Customize the security of L2TP/IPSec connections ................... simple firewall and VPN solution ...............................................................................................................................................................................................................................................................................................................................................183 Putting the “private” in virtual private networking......0 PPTP VPN client connection guide ...............................................................................................................................................CD-ROM Admin finds low-cost VPN solution using Linux................................196 Troubleshooting L2TP/IPSec VPN connections in Win2K .........................................................................................................220 Sharing Internet access with just one IP address ..............CD-ROM ...............

.........13 Understand your organization’s needs before selecting VPN hardware .. and some of the issues that must be considered when planning a VPN implementation.. increase productivity....................................................................................................................................15 Telecommuting: Balancing the need for speed and security ..........................19 Introduction to VPN and Remote Access ...................................................... VPN servers.8 Virtual private networks save money............................................................................5 Going beyond the buzz to understand VPN technology ........... the technology that makes it possible......................................14 Cost benefit of VPN appliances vs................17 Access your home PC from the office........................................................................11 How can using a VPN benefit your company? ...................Introduction to VPN and Remote Access This opening chapter provides an overview of the benefits of virtual private networking.......................................................................................... Virtual private networks: The current state......................................................................1 Understanding virtual private networking ................................................................................

This private network connects through public data lines and uses a tunneling protocol and encryption by individuals or machines for whom the data and/or resource is intended. if not many. ISDN. Generally. networking executives. Something about the promise of having secure access to a corporate network from darn near anywhere in the world is tremendously appealing—not to mention the convenience and relatively low expense associated with setting up and maintaining a highly available global network. And VPNs may be the answer for many companies. budgetary constraints. Realistically. please e-mail me and I will forward you a résumé. Cost seems to drive and control many projects in the networking industry. Technologies are available to provide almost any desired or required result. Each of these connectivity options requires some piece of unique hardware. I’ll discuss the benefits of deploying a VPN and examine the design and technology behind it. The only way to truly reap the benefit is to dig into the technology and its foundation. CIOs. other data lines and remote-access mediums. Frame Relay. and its capabilities. It seems that in a world of nonstandard standards and rapidly changing technologies. Introduction to VPN and Remote Access 1 . (If you’re a hiring manager and your company’s projects don’t have any monetary or budgetary constraints. its services. and secure network to which you could potentially connect (with the right tools) from a thatched hut in the Himalayas. These benefits are not all that exist. A fast connection to the Internet via an Internet service provider (ISP) could take the place of many. Every company that can possibly justify instituting a VPN solution is chomping at the bit to do so. On the surface. 2000 By Scott Lape A virtual private network (VPN) by definition is quite simply secure access to data and/or resources via a private network. alike have only begun to scratch the surface of the potential of virtual private networking. nor do they apply to every organization and circumstance. a better way to reach a similar end equals—whether directly or indirectly—less expensive. Better can mean faster or more reliable. One small fact to keep in mind: Understanding the benefits and the technologies of a VPN and how it works is very different than knowing you need one. VPN has become one of the most-used acronyms in the history of the networking industry. and analog modems. reliable. Your actual results and benefits may vary. One of the most-known benefits of VPNs is access to resources from any point on the Internet. every member of every technology team faces some. Many of the above-mentioned professionals and others It is only appropriate to touch on the benefits of deploying a VPN prior to delving into its technologies. A single high-speed line could replace the function of multiple point-to-point connections. CEOs. the high-level benefit of a VPN seems great. This access could potentially provide companies that currently manage multiple network points of entry with the ability to maintain a single point of entry. assuming that a company’s pockets are deep enough. Over the past few years.) Members of information technology departments and their managers are paid to find and implement better ways to reach an end.Virtual private networks: The current state May 4. if not all. In this article. which in turn requires unique management and expense. The single link could transport all required traffic to and from remote users and remote sites. a VPN (which is largely standards-based) is the path of least resistance to a highly available. and even the managers below them have become very well read in the area of VPNs. secure. or available. VPN from the clouds The path of least resistance They (you know—all of those “experts” out there who know everything) say that VPNs and related services will have a market of greater than $10 billion by 2001.

how high your level of redundancy and planning. In problems. listed. security policy servers. high-speed Internet access available to many PPTP (Point-to-Point Tunneling Protocol) 2 Administrator’s Guide to VPN and Remote Access. network performance. one state. VPNs make telecommuttion in the number of entry points to a corpo. security. A properly written the ability to move outside their local labor service-level agreement with an ISP could market to hire individuals who live virtually potentially offload some responsibility and anywhere. ance and security were world can’t protect and certificate authorities. dollars. advantage of the inherent redundancy that’s Telecommuting via VPNs affords companies built into the Internet. Catastrophic failstandard protocol of ures are just that. Another benefit is the ability to take tory.The most apparent benefits from the reduc. neither security nor reliable performthese are rare. intended recipient. and availability All the resources saved usually equate to required of a secure VPN. These tunnels are always an exception. VPNs have the Remain confidential until it meets its potential to save many companies money. Standards have been multiple point-to-point connections is a fairly introduced to provide the ability to ensure the safe way to save those resources. you can’t guarantee that a VPN technology worker repairing a phone line in Anywhere. This is facilitated by the use of the over the Internet and accomplish the goals I’ve standards-based Internet Protocol (IP). Common wisinformation over public or shared lines are dom pegs intranational remote-access savings familiar to most IT managers.individuals’ homes. The rate network are fewer potential points of labor market is the tightest it has been in hisfailure and reduced hardware and administration costs. Luckily. the two major concerns that many wrong fiber-optic cable and drop one or all of face are performance the core backbones of and security. close to 90 percent over that of conventional remote-access solutions. No matter expenses. In the world of technology. Second Edition . without incurring relocation accountability for network uptime. Site connectivity savBe tamper-resistant. estimates are very generalized. the early days of the though. Data transmitestimates in the area of 50 percent. Four of these protocol suites are: With the recent explosion of low-cost. Protocol suites have been develan Internet-based VPN in terms of global oped that provide the ability to form VPNs availability. These savings unauthorized parties. performthe precaution in the gateways. won’t accidentally slice through the company. to say that implementing a VPN will VPNs accomplish this by creating tunnels save every company money would be a misalong the Internet from the data’s point of oristatement.secure paths through which encrypted data can travel without being intercepted by unauthoment holds true: Nothing can currently touch rized parties. So. using a VPN to reduce your ance was mandated. All of three pieces: security the Internet. ings are estimated to be an equally impressive Be protected from duplication from 70 percent over point-to-point. While IP the Internet to its was designed to be the …an Internet-based VPN consists knees. however. While potential savings may vary.ing not only an employment alternative but also a selling point to potential employees. Internated via a VPN must: tional estimates of savings are thought to be Maintain its integrity. not necessarily facagainst these types of tored into its design. Exactly how many dollars the savings The major obstacles of transmitting private will turn into is up to debate. Employers are having a hard time finding qualified individuals to fill needed positions. situations like Internet. Assuming that a VPN is a viable solution for a USA. there’s gin to the point of delivery. However.

they must incorporate special TCP/IP stacks that have been designed to include the IPSec protocols. and in a service pack for Windows 95. There are two different methods of using IPSec. it doesn’t provide a secure tunnel. and a Microsoft Windows NT variation that uses MS-CHAP (Microsoft Challenge Handshake Authentication Protocol). It supports the transfer of protocols other than IP and is used primarily in remote-access scenarios. IPSec functions at the network layer (Layer 3) of the OSI model. Support for IPSec headers is optional in IPv4 but mandatory in IPv6. however. This encapsulation allows other protocols. it supports TACACS (Terminal Access Controller Access System) and RADIUS (Remote Authentication Dial-in User Service). Unlike PPTP. IPSec is widely considered to be the best solution for the implementation of a secure VPN. it facilitates authentication of both the user and the connection. PPP packets are encapsulated by using a modified version of GRE (Generic Routing Encapsulation) Protocol. PPTP relies on PAP (Password Authentication Protocol). In contrast. and authentication. IPSec affords the sender of IP packets the ability to authenticate and/or encrypt data at the packet level. IPSec uses: Diffie-Hellman key exchanges to deliver secret keys between peers on a public net Public key cryptography for signing Diffie-Hellman exchanges. data integrity. For security. IPv6. L2TP was designed to take over where L2F and PPTP left off and become a standard approved by the IETF (Internet Engineering Task Force). CHAP (Challenge Handshake Authentication Protocol). interception. This is one of the main attractions of PPTP. L2TP must incorporate IPSec. IPSec is built around a number of standardized cryptographic technologies to provide confidentiality. The different modes are referred to as transport mode and tunnel mode. The main weaknesses of PPTP are its lack of support of token-based authentication and the inability to provide strong encryption. It is a Layer 2 tunneling protocol that combines the best of both L2F and PPTP. L2F uses PPP for remote user authentication. By design. Tunnel mode authenticates or encrypts the entire packet. IPSec was originally developed to plug the security inadequacies of Ipv4 in the next generation of IP protocols. It allows the use of unregistered IP addresses by hiding the IP address of the remote user from Internet users. including IPX and NetBEUI. For example. and the current need for securing IP packets is great. to guarantee Introduction to VPN and Remote Access 3 . PPTP uses PPP (Point-to-Point Protocol) to provide remote-access services across the Internet via a tunnel. to be utilized by PPTP. which provides even more protection against unauthorized access. Adoption of IPv6 has been slow. with RRAS for NT4. Where PPTP allows only single connections to be made across tunnels.L2F (Layer-2 Forwarding) L2TP (Layer-2 Tunneling Protocol) IPSec (Internet Protocol Security) PPTP is a proposed standard that Microsoft has included with Windows 98. In transport mode. NT domain-level security for authentication. the transport layer is the only segment that is authenticated or encrypted. L2F has the ability to work directly with Frame Relay and ATM (Asynchronous Transfer Mode). or attack. L2F supports multiple connections. Since it functions at the Data Link layer (Layer 2) of the OSI model. IPSec is a Layer 3 security protocol from the IETF that provides authentication and/or encryption for IP traffic for transport across the Internet. L2F is a tunneling protocol that encapsulates PPP packets within IP packets. These two facts played a large role in the modification of IPSec to make it compatible with IPv4 in an attempt to accommodate the security needs of the current version of IP. Although many believe L2TP to be a security-based protocol. In order for current networking applications to use IPSec. L2F also provides the flexibility of being able to handle protocols other than IP. allowing for transmission of protocols other than IP. Like L2F. which were brought about by the ability to separate authentication and encryption application to each packet. it functions at the Data Link layer (Layer 2) of the Open Systems Interconnection (OSI) model.

The latter provides the best method of key verification in cases where corporations make use of extranets. VPN hardware. This governing body can be a database residing inside the private network or can be outsourced to a third party. with the Oakley Protocol. security policy servers. The Internet is the foundation and groundwork of a VPN. It ensures from the beginning of the exchange that you’re communicating with the intended party. the benefit of IKE is easy to see. While IPSec is 4 designed to handle only IP packets. It includes the strong security that the other protocol suites lack: encryption. In many cases. Certificate authorities are the governing body of key verification. Basic questions that should be answered before settling on the best VPN solution (if any) for your company include the following: How many users are at each site? What are the bandwidth requirements for each needed connection? Does the connection need to be permanent or on-demand (dial-up)? How much traffic will the site generate? Are there times when traffic is higher than others? What are the service-level requirements? Are there any problems existing in your company that will be solved by the implementation of a VPN? VPN design Administrator’s Guide to VPN and Remote Access. The security policy server contains the accesslist information. and certificate authorities. This access list can reside in many places: a router. along with which algorithms and keys to use.the identities of the two parties and avoid man-in-the-middle attacks Data encryption standard (DES) and other bulk-encryption algorithms for encrypting data Keyed hash algorithms (HMAC. VPN encompassing a larger number of users and/or supporting many remote-access users will benefit from the automation provided by the use of IKE. SHA) for authenticating packets Digital certificates for validating public keys IPSec relies on the exchange of secret keys to allow different IPSec parties secure communications. It can consist of routers. IPSec is currently viewed as the best solution to support an IP-based environment. an Internet-based VPN consists of three pieces: security gateways. firewalls. IKE is designed to provide the following capabilities: It provides the means for protocol agreement between parties. also referred to as IKE (Internet Key Exchange). authentication. A VPN with a small number of sites can use manual keying effectively. Both manual keying and IKE are mandatory requirements of IPSec. which describes various modes of key exchange. and AppleTalk. It manages the keys that are agreed on. all or most of these functions are provided by the gateway. which dictates what and who to allow and disallow access to resources. which serves as the framework for authentication and key exchange. Aside from the Internet. A security gateway is the gatekeeper of the private network. Key management is a “key” ingredient of IPSec. PPTP and L2TP are better suited to environments requiring transmission of IPX. IKE provides the automation of key management and is the result of the combining ISAKMP (Internet Security Association and Key Management Protocol). MD5. or vice versa. VPN hardware. As with any other management automation tools. NetBEUI. and/or software. It provides security against unauthorized access to the information on the inside. or RADIUS server. It ensures that the key exchanges are handled completely and safely. firewall. and usage of keys and their management. There are two ways to handle these key exchanges and management within the architecture of IPSec: manual keying and the ISAKMP/Oakley scheme. It provides the large pipes for traversal by the small tunnels created by a VPN. Second Edition .

D sists of two computers that must communicate and a medium. The best solutions are always based on knowledge. However. In the case of a VPN. Introducing the Point-to-Point Tunneling Protocol What is a VPN? A traditional network consists of two computers that must communicate with each other. this route is called a tunnel. you can access your corporate network from anywhere that you have access to an Internet connection. I’ll explain how VPNs work with Windows 98. as with any relatively new technology. Understanding virtual private networking June 15. If your company is in need of a VPN. or even an airport? Unfortunately. The Windows 98 implementation of virtual private networking relies on a protocol Introduction to VPN and Remote Access 5 . such as the government. However. A VPN works on the same principle. there are numerous questions to be asked and much studying to be done. it’s possible to establish a route through the Internet between the two computers. think scalable. this concept is taken a step further. there’s a solution that’s right for you—just make sure you’re very aware of the requirements today and. Also. some geared toward small business. In this article. It con- As you’re probably aware. such as an Ethernet connection. Make sure your choice is as scalable as you think you’ll need. Even if your company does have a RAS. The two computers are connected by a physical medium. Often the medium is the Internet. In the case of a VPN. 2000 By Talainia Posey o you have traveling users on your network who wish they could connect to your corporate network from home. some toward much larger.Why is a VPN better than the next competing alternative? Should the VPN be outsourced or built in-house? VPN last word Tremendous advantages accompany the implementation of a VPN for many companies. However. many companies don’t have a remote access server (RAS) in place to make this possible. A protocol is the language computers use to communicate over the connection medium. look to the future. what are the chances that the line will be busy when you call? The reasons I’ve just listed have all made doing business on the road difficult. In many cases. a hotel room. this medium isn’t dedicated to the network in question. A number of options are available. computers use the TCP/IP protocol over a PPP (Point-to-Point Protocol) connection. pay particularly close attention to any other regulations or requirements that are mandated by much larger bodies. by setting up a virtual private network (VPN). as always. Because both computers are connected to the Internet. For a standard Internet connection. If a VPN is for you. a network connection requires the computers on the network to share a common protocol. there are also tremendous savings associated with VPN that could make the project sponsor a corporate hero—not to mention the fact that a VPN and a fast Internet connection at a user’s home are a telecommuter’s dream. unlike with traditional networks.

when the company loads the VPN services. As you can see. Under normal circumstances. As far as anything on the Internet knows. It’s not until the VPN server disassembles the packets that they’re passed on to their true final destination. such as NetBEUI and IPX/SPX. the packet can be passed from the VPN server to the destination computer residing on the private network. in the case of virtual private networking. this dial-up session uses TCP/IP and PPP to communicate with the ISP. suppose your corporate network normally uses Internetwork Package Exchange/ Sequenced Package Exchange (IPX/SPX). you can use it regardless of the communications protocol your corporate network normally uses. When a VPN server receives a packet from across the Internet. For example. it disassembles the packet. the remote user is automatically assigned an IP address by a Dynamic Host Configuration Protocol (DHCP) server at the ISP’s office. After all. PPTP is simply an extension of the PPP protocol. The second connection actually creates the VPN. This is because when you send packets from the remote computer. For example. the VPN server is as far as those packets must travel. only the VPN server needs a valid globally accessible DNS name (with a static IP address). Because the packet already resides at the Administrator’s Guide to VPN and Remote Access. From this packet. Virtual private networking over the Internet Now that you’re familiar with some of the basic concepts and terminology associated with VPNs. The first connection is to the user’s Internet service provider (ISP) by way of a dial-up session. For the remainder of this article. It uses some of the Windows 98 code that’s normally associated with dial-up networking to establish this connection over the existing PPP connection. you may be wondering about the general DNS requirements. name resolutions by way of a Windows Internet Naming Service (WINS) server or a Domain Name Service (DNS) server will function just as if the remote host were directly plugged into the local network. I’ll assume that a remote user dialing into the Internet is making the VPN connection. the VPN server functions similarly to a gateway. Once this information has been extracted into a usable form. the company’s firewall prevents PPP packets from entering the network. it can enable certain firewall ports that provide a route across the firewall (or router) and allow Internet users who meet specific security criteria to access the private network from across the Internet. Because name resolution continues to function. it can derive the name of the computer the packet was intended for. However. This means the private network is inaccessible to Internet users. Because of the way PPTP works.called PPTP (Point-to-Point Tunneling Protocol). The first step in having a secure environment is to have strong passwords. The packet also contains the underlying protocols. Second Edition . PPTP provides a tunnel through the logical connection medium that allows the two computers to communicate. Packets are sent across the second connection in the form of 6 IP datagrams containing encapsulated PPP packets. addressing a computer by name across the Internet normally requires the name to be registered and globally accessible. At the time the connection is made. As you might have guessed by the name. As I mentioned earlier. However. the remote user must make two connections. You can set up IPX/SPX on your remote computer and communicate with your corporate network using IPX/SPX packets traveling across PPTP. Because you can imbed standard networking protocols into a packet that’s sent across a VPN. all standard networking features continue to work. When establishing a VPN connection over the Internet. let’s look at how virtual private networking works in a little more detail. the VPN server is the packet’s final destination. when a remote user tries to access a corporate network via the Internet.

Fortunately. Once you do. For example. Once a user has been authenticated into a Windows NT domain. Instead. you won’t be able to use Windows 98 to route packets between the two networks. As a matter of fact. When you dial into your ISP. After all. as well as the VPN server. e-mail. you may be able to do so in some cases by using Windows 98’s Route command. In this section. you don’t want someone to steal your packets as they flow freely across the Internet. Now suppose you establish a VPN session to a corporate enterprise network. or 3. the remote client and the VPN server generate a 40-bit encryption key that can be used to encrypt and decrypt packets. This is your usual Windows NT (or Windows 2000) domain password. Once you’re connected to the Internet. I’ll discuss some of the aspects of VPN security that you need to be aware of. For example. VPN security Virtual private networking and routing As I mentioned earlier. First. Firewalls I mentioned earlier that you should always place your VPN server behind a firewall. the corporate enterprise network will be accessible but your workgroup won’t. 2. there are a couple of side effects you should know about. You should place all local nodes on your network. The Route command can be used to make Windows 98 aware of other IP networks that you’re connected to without the aid of a router. If you’re using Windows NT Server with Service Pack 1. If the remote network doesn’t provide access to the Internet. users in the United States and Canada may use 128-bit encryption as opposed to the standard 40-bit encryption. To further enhance security. when you launch the VPN session. Consequently. Given the insecure nature of the Internet. all the usual security mechanisms continue to apply. However. all NTFS permissions and share permissions apply to a user who’s connected through a VPN just as if the user were connected to a network locally. you can’t surf the Web or check your e-mail at the same time you’re connected to a VPN. connecting to a VPN involves using two dial-up networking sessions. it’s a bad idea from a security standpoint to make the name of that computer accessible via the Internet. An added level security comes from encryption. The first session establishes your Internet connection. Microsoft CHAP (MSCHAP). The password is authenticated using the same method that a RAS server uses. or Password Authentication Protocol (PAP) to authenticate Windows NT passwords. The reason for these routing limitations is because of the way the PPTP protocol affects Windows 98’s local routing tables. suppose you’re part of a ten-user workgroup. Once a user has specified his or her password. If you’re using Service Pack 4 or above. or to both at the same time you’re connected to a VPN. You can use Challenge Handshake Authentication Protocol (CHAP).local level at the time of disassembly. the Internet requires absolutely no knowledge of the name of the computer that’s the true final destination of the packet. However. this password grants you only an Internet connection—it has absolutely nothing to do with your VPN access. If you absolutely have to connect to the Internet. and so forth) unless the network you’re connecting to can also get to the Internet. And you don’t want your corporate network to be compromised. you can establish the VPN connection via the second dial-up networking connection. when you establish the VPN session. behind a firewall for protection. the Windows 98 implementation of virtual private networking is designed to be secure. it typically asks for a password. to a local network. The first step in having a secure environment is to have strong passwords. security is a big concern with VPNs. the Internet is no longer accessible for standard access (Web browsing. A 7 Introduction to VPN and Remote Access . Second. you’ll be prompted for a second password. the encryption key changes with every packet. this encryption key changes with every 256 packets. you should know that establishing a VPN session kills your connection to any local networks you might be attached to.

CHAP. you’ll have to enable the ports that are used by virtual private networking before the VPN server will be accessible from across the Internet. I’ve discussed VPNs as they apply to Windows 98. The confusion and misinformation that swirls around VPN (virtual private network) may be the reason for this perception. including the basics about how it works and the definitions of some of the buzzwords that surround this new technology. 2000 By Jason Hiner. How does it work? VPN essentially takes two systems. GRE. L2TP. How VPN works So what can VPN really do for you? It can provide low-cost. VPN has also received its fair share of exaggeration about its merits. and I discussed some configuration issues you may encounter when setting up a VPN through Windows 98. In this article. all VPN traffic will be stopped at the firewall and will never even reach your VPN server. VPN also uses authentication and routing to further increase security and functionality. I’ve explained a bit about the infrastructure behind a VPN. PPTP uses TCP port 1723 and ID number 47. and secure connec8 Sorting out VPN terminology A VPN has its own subset of buzzwords. you must enable port 1723 and ID 47 (in some cases listed as Protocol 47) before you can use virtual private networking. The computer then dials up an ISP to connect to the Internet and creates a logical connection to the corporate VPN server. reliable.firewall is designed to block all IP ports that are unused. we’ll focus on VPN. Therefore. CCNA PN is one of those acronyms that describes a revolutionary technology few people appear to be using. VPN is a new way to connect your users to your network. a remote client requests a resource from its corporate LAN. Administrator’s Guide to VPN and Remote Access. connected to the Internet and creates a secure connection using encapsulation and encryption. When using a client-to-server VPN (see the sidebar article). MCSE. Going beyond the buzz to understand VPN technology Oct 5. such as tunnels. and other proven connections. or networks. This VPN server authenticates the client and manages encapsulation and encryption on the communications between the client and the resources on the corporate LAN. On the flip side. IPSec. PPTP. frame-relay circuits. not to mention the rest of your network. including claims that it is destined to replace all dedicated T1s. The technology has drawn a good deal of speculation and criticism about its security and reliability. This prevents attacks on your network by malicious Internet users. If these addresses aren’t enabled. If you already have a firewall in place. Remember that virtual private networking relies on the PPTP Protocol. Conclusion In this article. Another function of a firewall is to hide the computer names and IP addresses used on your private network from Internet users. V tions to your local area network (LAN) for commuters and remote office users. Second Edition .

VPN servers often sit behind a firewall and are part of the corporate network’s “Demilitarized Zone.THE BASICS OF VPN Figure A depicts a client-to-server VPN where a remote user connects to a corporate VPN server using Point-to-Point Tunneling Protocol (PPTP). By using IPSec Figure A VPN tunnel (logical connection) Remote client Internet VPN server Corporate LAN Figure B VPN tunnel (logical connection) VPN server Remote office Internet VPN server Corporate LAN Introduction to VPN and Remote Access 9 . For more on VPN with Windows products. and the result was L2TP. dedicated path of electrons directly crossing the Internet from one spot to another. and there are others. Like PPTP. Figure B depicts a basic server-to-server VPN. however. In a UNIX or Linux environment SSH can be used for VPN. PPTP can use the same authentication protocols as PPP.asp) or read Nortel’s VPN Tutorial at www.iec. While PPTP provides link encryption via MPPE. It also provides mutual computer authentication. the packets are simply a jumbled mess of characters.microsoft. It accesses TCP port 1723 for communication and encapsulates PPP frames for tunneling using GRE. But we will focus on PPTP and L2TP for Windows networks. For authentication. and data integrity.org/tutorials/vpn. however. which in turn allows for link encryption via MPPE. Using this type of interconnection. the most comprehensive Windows platform for VPN. Cisco created its own L2F protocol for VPN. A VPN tunnel is a logical concept for illustrating the transfer of private data packets on the Internet. L2TP provides user authentication and data encryption. The tunnel is simply the route taken by encapsulated packets between the two networks. Microsoft and Cisco collaborated to produce a single VPN tunneling protocol. VPN tunneling is made possible by one of two protocols— PPTP or L2TP. For encryption purposes. and other concepts. L2TP provides more secure end-toend encryption with IPSec. such as CHAP. Around the same time that Microsoft created PPTP. The use of PPTP allows enterprises to extend their own corporate network through private “tunnels” over the public Internet. you can go to Microsoft’s site on virtual private networking (www.” Setting up a VPN usually involves some trial and error on the part of both the clients and the server. Cisco has a VPN protocol called L2F. Remember that tunneling encapsulation occurs at the Data Link Layer (Layer 2) of the OSI reference model. a company no longer needs to lease its own lines for wide-area communication.com/ISN/ind_solutions/virtual_private_networking. Once VPN is up and running. In reality. without your encryption key. Both of these diagrams show very simplified solutions. it is typically reliable if you have a dependable Internet connection on both ends. with an emphasis on Windows 2000. In a Windows environment. Hackers can still intercept the packets in your tunnel. But. A tunnel is not a private. it is best to use MS-CHAP. How do they fit into the VPN picture? Let’s start with the most confusing concept—tunneling. data authentication. Instead. which is mostly full of packets anyone can open and read quite easily. enterprises can securely use the public networks because the communication packets are encrypted before they are sent through the tunnel. PPTP provides user authentication and data encryption following a protocol that has been used in Windows NT networks for several years. PAP. and SPAP.

Although L2TP is still a virgin technology and Microsoft just began supporting it with the release of Windows 2000. there are a few more core concepts you should understand about setting up a VPN. it does allow companies to be faster and more fluid in setting up remote access when a new need arises. VPN servers on both ends of the Internet connection authenticate each other. A serverto-server VPN allows remote office networks to connect to corporate LAN resources.org/rfc/rfc2661.both the computer and the user are authenticated.. Whether you use PPTP or L2TP. remote access users and offices can change very rapidly. With the dynamic nature of organizations these days. Summing it all up VPN can offer some great advantages over traditional remote access and dedicated lines. keep in mind that the encapsulation and encryption process can add around 30 percent in protocol overhead. This means that slow dial-up connections will be even a little slower. ISDN and frame-relay circuits). KEY TO ACRONYMS PPTP—Point-to-Point Tunneling Protocol L2TP—Layer-2 Tunneling Protocol TCP—Transfer Control Protocol GRE—Generic Routing Encapsulation SSH—Secure Shell L2F—Layer-2 Forwarding CHAP—Challenge Handshake Authentication Protocol PAP—Password Authentication Protocol SPAP—Shiva Password Authentication Protocol MPPE—Microsoft Point-to-Point Encryption IPSec—Internet Protocol Security VPN—virtual private network DSL—digital subscriber line XML—Extensible Markup Language ASP—application service provider RAS—remote access services ISDN—Integrated Service Digital Network 10 Administrator’s Guide to VPN and Remote Access.txt. for those who are counting. all of this can result in saving some serious money.e.ietf. However. And. create the tunnel between the two networks. You can set up a VPN using two general configurations: client-to-server and server-to-server. and allow a secure exchange between the networks. they will still function reliably for file transfer and other basic remote access functions. a company can increase the bandwidth of its corporate Internet connection and dynamically support remote VPN servers and clients on an as-needed basis. While this may not be the ideal solution in every case. it is clear that the future of VPN is moving in this direction. For more detailed information on this new standard see Request For Comment 2661 at http://www. Rather than investing in expensive RAS ports and expensive dedicated lines (i. It also allows for a better use of resources since different users and connections can connect at different times and thus share the same infrastructure rather than requiring separate infrastructures. Nevertheless. Second Edition .

What follows is a case study in favor of VPN technology. we continued down the RRAS path. and thus allow no room for data transmission. but the jury is still out on the success of the change. Applying the VPN concept Choosing VPN over frame relay The new strategy for this client was to upgrade the remote access user to today’s desktop solutions and interface this desktop via the Internet to the home office mainframe via one of two means: Frame relay Virtual private network The frame relay was ideal. Microsoft recommended that a dual-channel ISDN line would make a better connection. With approximately 120 ports. By utilizing Microsoft changed the way it handles VPNs with the advent of NT 4. but there were other issues to be addressed. Eventually. Since one of our main strategy objectives was to maximize our cost. the one-time cost for the remote and local hardware was prohibitive. the VPN alternative was adopted. we went ahead and stepped up to a burstable T1.000 the client had been paying. The user would have an ADDS dumb terminal located at each branch. In our effort to install the VPN. we found that the dial-up connection into an ISDN pipe via the Internet was fine for clients but not for remote network connections. The client’s strategy in the past was to give remote branch offices access to a mainframe system that would give users online access and transaction process capability. The encryption code and RRAS code take up most of the data line on a 64k ISDN connection. An interface card must be installed Introduction to VPN and Remote Access 11 . This change was designed to enhance the VPN connectivity and reliability. RRAS comes with routing built in the software and therefore eliminates the need for a router. However. but they are somewhat costly. Thus. but the content seems to be a little short. network connections do not work nearly as well. The strategy consisted of bundling as much technology into the upgrade so that the company would be able to maximize the financial leverage of the VPN strategy over three to five years.000 a month in long distance data line costs and felt that a strategy change could reduce this price tag considerably as well as upgrade the data throughput capability. We felt like a change in strategy for the company would address a need to upgrade the remote office dumb terminals with Pentium personal computers and take advantage of the Internet with the use of a virtual private network (VPN). we worked closely with Microsoft’s technical support staff. increase productivity Aug 21. This would provide a little growing room for the client and remote network connections. This may sound like a no-brainer.0 when it added routing and remote access service (RRAS). especially since the technology is supposed to be resident in RRAS. The company did not think they could justify the one-time cost. the client installed remote and local modems and a T1 fractionated into 64k segments for each branch. We received good response.Virtual private networks save money. There are ample products on the market that make VPN connections a breeze. the Internet. the company could reduce its long distance data cost to $20 or $30 per port each month. however. 2000 By L. The cost of the installation and PC purchases would be recouped through the long distance savings on the data lines. Pepper Morton M y firm had a client that had been paying about $20.600 a month versus the $20. especially if there was a lower cost alternative. Thus. We also did quite a bit of research and discovery. We found that client dial-up connections worked with little or no problem. this comes to around $3. however.

and Microsoft has extended Windows NT to support it.300. Courtesy of whatis. The remote desktop users responded by increasing their individual productivity. Second Edition . variable: approximately $3. maintaining privacy through the use of a tunneling protocol and security procedures. the client has enhanced remote users’ ability to use the system and cut the monthly cost to operate by $13.com 12 Administrator’s Guide to VPN and Remote Access. This client had a large margin to work with. A VPN makes it possible to have the same secure sharing of public resources for data. Total cost monthly.000 per month. The idea of the VPN is to give the company the same capabilities at much lower cost by using the shared public infrastructure rather than a private one.700 Total cost monthly. VPN implementation brings cost savings. the savings can be added back to the bottom line. fixed: $3. the client now can accomplish: Transaction processing Desktop word processing and spreadsheets Network e-mail The savings that result from this implementation are considerable: T1 burstable connection to local provider WHAT’S A VPN? A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure. The large margin of cost savings will allow the client to pay for the desktop Pentium computers and other miscellaneous equipment in about six months.in the NT server that connects to the ISP incoming T1. increased productivity We implemented these technologies for the client: T1 interface 36 remote network connections 80 dial-up client connections As a result. Microsoft. After six months. A VPN can be contrasted with a system of owned or leased lines that can be used by only one company. 3Com. The burstable T1 ended up costing a little more than originally anticipated. and several other companies have developed the Point-to-Point Tunneling Protocol. HOW DO VPNS WORK? Using a VPN involves encrypting data before sending it through the public network and decrypting it at the receiving end. We are amazed at the number of clients who are afraid of VPN technology and therefore have not adopted this off-the-shelf technology. Companies today are looking at using a private virtual network for both extranet and widearea intranet.700 per month. VPNs are getting easier to install and debug. An additional level of security involves encrypting not only the data but also the originating and receiving network addresses. for a total cost of $6. and branch managers reported a noted positive attitude change. but it was still somewhat less than the original cost of $20. and the VPN was a winning choice.000 So. VPN software is typically installed as part of a company’s firewall server. Phone companies have provided secure shared resources for voice messages.

as well as call-trafficking equipment (e. DSL.. cable lines. how it works. and so on). checking e-mail. Introduction to VPN and Remote Access 13 . as most national or global ISPs usually have local numbers for almost anywhere in the world. With this configuration. A company must also consider the cost of these toll calls and the time their users stay connected. Does VPN technology live up to its own hype? How can a VPN improve your company? This article takes a look at what a VPN is. tunnel securely to the office network. What exactly is a VPN? A VPN is essentially a private data network that uses existing telecommunications infrastructures (regular phone lines. or VPNs. remote users can connect to an ISP with a local phone number and from there. modems) to handle the incoming calls. have become a major networking technology within just the past few years. These individuals need frequent access to the company network for file sharing. Toll calls and 800 numbers are also no longer an issue. A+ V irtual private networks. While the implementation of toll-free 800 numbers can alleviate some of this cost. traditional dial-in access Figure A Connecting to office network dial-in access Connecting remote users via the traditional dial-in method can be costly. and how it can benefit your company. remote PC dial-in server direct dial-in line Connecting to office network with VPN Internet ISP server corporate network remote PC VPN server corporate network VPN for telecommuters With more people working from home. or other tasks that depend on connectivity. With VPN vs. By using a VPN. VPN enables this employee to have access to the company network and the vital resources he or she needs from a remote location. In order for employees to dial in to the network. Imagine finding the perfect hire for a position. VPN for road warriors One of the greatest benefits a VPN offers is to individuals who travel extensively. but that individual can’t relocate. Privacy is achieved through the use of a tunneling protocol and security procedures. however. Users are then able to authenticate into their company’s network and browse as if they were in the office. the only equipment needed is a VPN server. VPN technology enables company offices or individuals in different locations to securely access a central network without having to dial directly in to the company network.g. 2000 By Ed Engelking II. T1 lines. the company needs a leased telephone line for multiple users to dial in on. eliminating the need for leased lines and call-trafficking equipment. remote-access VPNs have become an invalu- This diagram illustrates the difference between a dial-in connection and a connection with a VPN.How can using a VPN benefit your company? Nov 17. Users simply dial in to a local Internet service provider (ISP) and then establish a secure tunnel (with the VPN) to the office network. there is still a significant fee for having an 800 number. able tool for many organizations. as shown in Figure A.

I discussed the basics of virtual private networks (VPNs) and how they could be used in traditional company networks. I’ll focus on some questions to ask before choosing a VPN hardware solution. the hardware that you purchase needs to be able to connect multiple remote users at one time. New York. these road warriors can connect to the company network from anywhere there’s a phone line. All that’s needed is an Internet connection. each network can connect to the main office’s network and then to the other branch offices. however. and global ISP. and Chicago? While each branch has its own separate network. it may pay for your organization to Questions to ask before investing in VPN hardware As with any network solution. How many users will be connecting at the same time? Will 10 or 100 users be connecting simultaneously? Knowing your user base is essential for selecting the appropriate hardware. VPN offices around the country What if your company’s main office is located in Miami. 14 Administrator’s Guide to VPN and Remote Access. Maintaining access for remote offices can be the difference between life and death for your company. You wouldn’t want to purchase VPN hardware that supports a maximum of only 20 simultaneous users when you need one that supports 50. Will remote offices connect to your hardware? Connecting entire remote offices and connecting individual remote users are two entirely different challenges. Second Edition . How can your employees at your organization’s remote offices work properly if they can’t access the home network? What kind of uptime does your organization desire? Not all VPN hardware is created equal. a VPN server for each location. With a VPN. A+ I n “How can using a VPN benefit your company?” (page 13). Ask yourself the following questions before buying any piece of hardware: How many remote access users will be connecting? Do you have the infrastructure to support multiple remote access accounts? If your organization has a lot of users who travel and/or work from home. I also discussed the differences between general and remote access virtual private networks.a laptop. and an IP address to authenticate to. there aren’t many realistic ways to directly connect each office unless fiber were run between the locations. VPN. and this would be very expensive. Understand your organization’s needs before selecting VPN hardware Nov 22. while your branch offices are located in Los Angeles. In this article. 2000 By Ed Engelking II. VPN hardware should be chosen based on the needs of your organization. While some hardware may be cheaper than others.

you can find a list of links to several other vendors at InternetWeek (http://www. A select few of these vendors are listed below: Cost benefit of VPN appliances vs. all equipment in every organization’s network would be top of the line. however. Cisco’s products can be a bit pricey if you have a limited budget. Without a stable OS. IBM OS/400 VPN solution for the AS/400 server IBM offers a VPN solution in its OS/400 operating system. if you want additional solution options. and other users to the corporate network. 2002 By Del Smith. Many vendors offer VPN solutions Now that you know what to consider when purchasing VPN hardware.internetwk. it is important that you purchase the equipment that meets your budget. leased-line. What kind of budget does your organization have to purchase hardware? Ideally. However.invest in the more costly hardware. Don’t cut corners to add other services. your choices can often be limited. Keep in mind. VPN servers May 21. MCSE A n increasing number of organizations are using VPNs to connect branch offices. These cost savings are the catalyst driving IT managers and administrators to develop end-to-end secure VPN solutions for their organizations. CCNA. The vendors listed here are by far the most popular and will give you the best value for your investment. CCA. due to budgeting restrictions.com/VPN/links. However. Despite this. However. or Frame Relay connections. siteto-site. what equipment is available on the market that meets your needs? There are several different vendors that offer VPN solutions. A superior alternative to long-distance dial-in. business partners. telecommuting workers. designed specifically for its AS/400 server. VPNs can be used to securely carry information at a fraction of the cost. Cisco is your vendor of choice. that the operating system shares a large role in uptime as well. 3Com VPN Solutions 3Com offers software solutions for your organization’s existing server hardware. Cisco VPN If you want top-of-the-line VPN hardware and software solutions. With a clear understanding of what your organization needs in a VPN solution. these professionals Introduction to VPN and Remote Access 15 . Know what you need to offer your organization’s employees and make sure that it is available. htm). You can also find products for mobile users. as the uptime may be generally better. you won’t be able to maintain much of an uptime. Specifically. and secure extranet VPN systems. you should be able to find what you need from at least one of these vendors.

capacity. including Cisco’s access and modular routers. Integrated appliance When we take a look at the VPN appliances offered today. we find our first and possibly most important cost benefit. and throughput is not without its costs. From this. Client computers or sites that run current Microsoft operating systems will not encounter proprietary VPN issues or require an install of separate VPN client software. Expect to pay several times more for an enterprise-level VPN concentrator with these capabilities. and possibly ISA Server. sometimes referred to as VPN concentrators. The issues of security. UNIX. Currently. There should be no surprise that a hardware-based VPN solution brings a greater degree of reliability and security than one built around a server operating system such as Microsoft. Since most VPN appliances do not integrate well with existing networks. the ability to have an integrated VPN appliance can save thousands in simplified security policy administration. The same is true in the case of firewalls and routers.are asking the question. and scalability that is unmatched by any integrated appliance or VPN server. Stand-alone VPN appliances. Novell. it would seem the question of whether to choose a VPN appliance or build a VPN server would be a rather simple one to answer. The integration of VPN services into the operating system means that IT professionals who work with these operating systems are already familiar with how to navigate these systems and do not have to worry about learning a new product. Since a discussion on VPNs falls within a comprehensive network security policy. and smart cards. The increase in reliability. and VPN gateways are required. which solution provides the greatest cost benefit?” Here is a look at those options and a third: managed service providers. particularly in environments where multiple firewalls. and Linux are all capable of providing VPN services (granted. particularly in the area of authentication. and cost stand out when evaluating a server-based VPN solution. we notice two different flavors: stand-alone VPN appliances and integrated VPN appliances such as VPN-enabled firewalls and routers. “VPN appliance or VPN server. certificates. however. and Watchguard Firebox include optional VPN capabilities out of the box. AS400. let’s take a 16 closer look at the option of building and using a VPN server(s) for secure Internet communications. To determine if this scenario is true. primarily find a place in organizations where simultaneous VPN connections need to number in the thousands. using servers for VPN services often means greater integration with the network. Getting VPN services going in this scenario often means making just a few configuration changes in the firewall or router itself. Microsoft. reliability. This can be a tremendous cost benefit to organizations that do not have an existing firewall or router with VPN capabilities. Microsoft-centric organizations can take advantage of the seamless integration Windows 2000. we have heard how integrated VPN appliances offer impressive cost benefits. Here’s where the cost benefits of using a VPN server stop. Nokia Checkpoint Firewall. routers. The managed option Traditionally. Additionally. has to offer when creating VPNs in conjunction with Active Directory. Chances are you run one of these common operating systems in your organization today and are very familiar with them. VPN servers So far. high performance. The cost associated with this solution is often included in the firewall or router. VPN solutions could be categorized in one of only two areas: VPN appliances Administrator’s Guide to VPN and Remote Access. With the integrated VPN appliance. Virtually all routers. some are better than others). the cost of building a VPN server solution can run in excess of $2. The cost associated with maintaining security patches and basic server administration add up on a monthly basis. deployed hardware firewalls such as the Cisco PIX. They provide high availability. Second Edition .500 once the costs of hardware and software are added (although Linux does offer some exceptions). also include VPN support.

” Pultz said. the introduction of managed service providers has created a third possible solution. and a cable modem gateway. and satellite. Today. cable. But organizations can’t always rely on a telecommuter’s expertise to protect the business. a business technology advisor based in Stamford. CT. server. Here’s how Pultz recommends addressing those issues. 2000 By Mike Walton J ay Pultz sits at the center of a home office that hums with computers. Telecommuting carries with it a number of security. Pricing varies but generally starts around $200 per month. “It’s harder if you Introduction to VPN and Remote Access 17 . Pultz can assure Gartner that his powerful home office isn’t a security threat to the corporation. and even international managed VPN services. Implementing and maintaining VPNs requires choosing the right solution and having an in-depth understanding of public network security issues. Quest. VPNs are permitting organizations to establish secure. He urges organizations to consider three key issues when dealing with broadband telecommuters: The need to limit the number of ISPs that provide your employees broadband access. end-to-end. or managed service provider. Most managed VPN providers will monitor your organization’s VPN connections 24/7 to ensure they are available at the times when your remote users may need it most. per loca- tion and often includes managed firewall services and service level agreements as well. The technologies that fall under his definition are DSL.or VPN servers. Telecommuting: Balancing the need for speed and security Nov 17. Pultz works for Gartner. In his view. This service allows companies to have an enterprisewide VPN solution without a heavy investment in infrastructure or personnel. Broadband access: Got to love it Pultz said he stretches the definition of broadband when he talks about it in relation to telecommuting. printers. Well-known vendors such as WorldCom. connectivity. He limits the discussion to DSL and cable because they are most commonly used. Because of his background working with high-speed access issues. and AT&T are now offering regional. Whether you are looking at a VPN appliance. Without a broadband connection. “I view broadband as an enabler of telecommuting. nationwide. private network connections over the Internet while reducing communication costs. wireless. The number of control issues your IT department can expect to face and how to limit those issues. broadband is any access that involves a connection faster than what a user can achieve via a normal telephone connection and a dial-up modem. performing proper cost/benefit analyses can be the most important step in a successful VPN solution. The unique set of security concerns that come with broadband access. telecommuters face substantial productivity challenges. and productivity issues.

“This gets into age-old questions like. “If you are a corporate teleworker.” Security for the telecommuter is complicated by how you separate the home office environment from whatever else is going on in the home.” he said. always a danger The second broadband telecommuting issue is the security concerns created because cable and DSL are essentially always online.” Pultz said. “If an enterprise is reasonably large. for a hacker to target the user. when you look at both DSL and cable. When telecommuters are using dial-up services to access the corporate VPN.” Pultz said. Limit the impact on your help desk One of the most important decisions companies can make involves the way telecommuters interact with IT staff for support. covertly. including: Northpoint WorldCom Verizon Finding a single provider for an entire company will still be difficult. but it’s not stuff you want on a home machine. and that’s a hard environment for the IT department in the average company to run.’ which might be of interest if you are of the hacker persuasion.” he said. Each may have a different provider.” “Another problem is that your telecommuters throughout the United States may not be able to get broadband of any kind because neither cable nor DSL have been fully rolled out. it is likely that you will have some interesting information or software on your PC. but they have to be configured. others in different parts of the country may have DSL. then it is less of an issue.” Always on. however. “The problem is. and the user has to not subvert them. On the plus side. “For purchase power reasons. they may be online for only a few hours. “You don’t know if that is a trusted machine.” “You can get into really messy issues [with] confidential information.” he said. Continuous connections made by cable and DSL hookups make it easier for hackers to attack the system. It may not be Los Alamos information. a limited number of suppliers [is beneficial] so companies can maximize the volume discount they can get for these kinds of services. “They are both very nice. “You probably have a file labeled.” “Or you may have software on your machine that is server-like so a hacker can get access to your machine as a corporate server and from that machine. a number of companies are starting to provide nationwide service.have to get access to a number of corporate resources and the Web to do your work with a 56Kbps modem compared to someone working on the LAN with the same resources.” Pultz said. “If you are a smaller company and your users are all within a local area or within the footprint of a single provider. “You can easily end up with a situation where you have multiple technologies and multiple service providers.’ and just turn off the firewall. ‘Can you use your home PC for teleworking?’ and that’s something we advise against. but there are good reasons to try.” “Companies such as Norton and BlackICE offer software firewalls that can protect your telecommuter machines. Second Edition .” “Broadband access shrinks the disparity between telecommuters and workers on the company’s LAN. they can get to corporate resources. ‘passwords. “Unfortunately. The corporate network assumes this is a trusted machine. it is easy for the user to look at the firewall technology and say. It is difficult. under those ephemeral circumstances. Pultz said. providing teleworkers throughout the United States with broadband access is an issue. they are both kind of localoriented technologies that weren’t originally designed with telecommuting in mind. they have to be in place.” While cable access might be available for some telecommuters in a company.” Pultz said. You don’t know where that machine has been.” he said. ‘I want to do something the firewall is blocking now. but it has actually been infiltrated by a hacker…[who] can use that machine as a backdoor to get into the corporate network. 18 Administrator’s Guide to VPN and Remote Access.” Pultz said.

This is how most organizations set up their systems. Access your home PC from the office Sep 28. 2000 By Brien M. a VPN via the Internet makes the most sense. Unless you live only a few minutes from the office. The costs would have to be weighed against the productivity of the worker. One argument you might hear could be: “I got a bad performance [review]. which can still Introduction to VPN and Remote Access 19 . I’ll show you some techniques that you can use to remotely access your home PC from the office. In this case. If the teleworker is handling transaction processing or production work. MCSE H ow many times have you been at the office and wished that you could get a file from your home PC? Unfortunately. you have to buy a copy of pcAnywhere. the primary remote access method that most administrators have been trained for involves using a Windows NT Server running the Remote Access Service. Fortunately. however. but I didn’t have a good connection so my performance suffered because you couldn’t provide me a good service compared to my counterpart. “I’d still call this kind of an experimental phase for broadband telecommuting. who has high-speed service. “but the problem is that when those teleworkers have a problem. as far as what form of access that worker requires. there’s a solution. but simply running pcAnywhere has its downside. “Worker performance also is a gateway to some potential legal issues with telecommuting. First. with the exception of a couple of very large corporations. such as Symantec’s pcAnywhere. In this article. such as providing a company computer that has the corporate hard disk image and settings installed. setting up remote access to a home PC has been too expensive for most adminis- trators. The options In the past. the commute time just cuts too deeply into your hectic workday. Posey. Doing so may be the easiest method of remote access. One alternative is to set up a copy of a remote access software package.” Pultz said.” Pultz said. A worker who needs the Internet for communication and research is already defined. then a faster and more secure connection such as an ISDN or T1 connection may be needed. After all.” Pultz said.A typical telecommuting scheme is for the company to provide a VPN for telecommuters and then have the worker provide their own modem and cable or DSL service. how the user is accessing the VPN. there are alternatives. such as which kind of network access is most appropriate for the kind of work the telecommuter does. Decide what type of access is appropriate IT managers need to make other decisions that will affect support and performance. they call the IT help desk.” Pultz said.” There are some workarounds to these concerns. or what type of cable modem they are using. adding that the help desk is handcuffed because they don’t know how the home PC is configured. Fortunately. at home so that you can dial in to your PC and control it from the office. driving home usually isn’t an option for network administrators. A copy of Windows NT Server can be on the pricey side. “It’s very difficult to guarantee a teleworker any level of service.

you also can’t use it as a virtual private network (VPN) router. In addition to downloading files. You can connect to other PCs on a home network as long as the PC at your office. The Windows NT Remote Access Service allows up to 256 remote dial-in connections. Because TCP/IP isn’t supported as a gateway protocol. the dial-up server at home. When you see the Add/Remove Programs Properties sheet. The protocol in use must be either NetBEUI or IPX/SPX. would lose a lot of money if you could do the exact same thing with Windows 98 that you could do with Windows NT Server. but with significant restrictions. you’ll actually see the screen of your computer at home. such power comes at a price. while Windows 98 has been limited to a single remote access connection. the more pixel information must be transmitted across the modem. All you need is a computer with a modem and a dedicated phone line. Windows 98 will now copy the necessary files from your Windows 98 CD. In essence. although not nearly as expensive as a copy of Windows NT Server. all of the information about what’s on the screen has to be transmitted over the modem. What makes it worse is that the higher the screen resolution you’re using on your home PC. But the biggest negative in using pcAnywhere for remote access is the performance issue— pcAnywhere is true remote access software. Windows 98 has much less power than Windows NT Server. This arrangement works very similarly to the Remote Access Service that comes with Windows NT Server. the worse the remote access performance will be. the higher the screen resolution at home. open Control Panel and double-click the Add/Remove Programs icon. This means that from your terminal at the office. so there’s no extra software to buy. Select the Communications option from the list and click the Details button. What makes this service so nice is that although you can’t use it to control your home PC remotely. Installing a Windows 98 dial-up server The skinny on Windows 98 as a dial-up server Although Windows 98 running as a dial-up server functions similarly to a Windows NT Server running Remote Access Service. this results in a very slow computing experience. Because you’re seeing the actual screen image from your home PC. select the Dial Up Server check box and click OK twice. there are some important differences. Perhaps the biggest difference between the two is that the Windows NT Server Remote Access Service can be used as a gateway to the underlying network. Another important difference is the number of allowed connections. while Windows 98 was designed for basic home use. don’t plan on being able to connect to the Internet by dialing into your home PC. Unlike Windows NT. Likewise. Windows NT Server was designed to support entire businesses. There is a happy medium. In addition to the fact that you can’t use Windows 98 as an IP router. Even with a 56Kbps modem. As you can imagine. and the other PCs on the home network that you want to access are all running the same protocol. For example. After all. For example. you can actually run programs on your home PC. In the resulting dialog box.be a bit pricey. select the Windows Setup tab. the Windows 98 dial-up services can be used as a gateway only to networks running NetBEUI or IPX/SPX. Windows 98 offers this capability. Administrator’s Guide to VPN and Remote Access. Microsoft 20 To set up your Windows 98 workstation as a dial-up server. you can do things like map network drives and upload and download files. Second Edition . Unfortunately. The other nice thing about using this service is that it’s included with Windows 98. you can treat your home PC as if it were a network server. The Windows Setup tab contains a list of available Windows 98 components. users can dial in to the remote access server and use the connection as a gateway from which to connect to any other server on the network. though. A littleknown component in Windows 98 lets you set up a Windows 98 machine as a remote access server.

As you can see in the figure. Figure A Setting up share-level security To set the remote access password. make sure that File And Print Sharing is installed in Control Panel’s Network section. depending on the password. as shown in Figure A. the reason that it is more secure is that it borrows some of its security infrastructure from a Windows NT Server. go to the Dial-Up Networking folder and select the Dial-Up Server command from the Connections menu. as you can imagine. Most home computer environments are better suited to using share-level security. you’re connected to the dial-up server. If you want to require the password to be encrypted. When you see the Dial-Up Server dialog box. There are two basic types of security under Windows 98: user-level security and share-level security. During this time. click the Server Type button. Once you’ve installed File And Print Sharing. You can change the share to allow full access by checking the appropriate radio button. Introduction to VPN and Remote Access 21 . I simply shared the root directory on each drive. Windows 98 prompts you for a password. Use the Sharing page to set up read-only access. I had to temporarily set up a dial-up server. a user with the appropriate access could remotely access all the files in the Windows directory and all the subdirectories beneath it. by default. rather than user-specific. security becomes a concern. But. you can also set a password to the share point. The Server Type dialog box contains a check box that you can use to make the dialup server require an encrypted password from the client. such as a folder and its subfolders. the directory structure will display only shared directories and the subdirectories beneath them. userlevel security really isn’t an option. The biggest thing that you need to remember about share-level security is that as you create each share. select Allow Caller Access and then use the Change Password option to set the password that the remote access server requires the client to enter upon the initial connection. full access. About a year ago. any idiot who owns a computer and who knows your phone number could have unlimited access to your home computer or to your home network. without some security in place. there’s nothing to installing the dial-up server module. For example. user-level security is much more secure. When you dial in to your server. Share-level security allows you to specify general. By doing so.Dial-up server security As you can see. after you’ve installed the dial-up server. the share is readonly. you can use Windows Explorer or My Computer to explore the allowed shares on the remote server. As you browse the remote computer. unless you happen to have a Windows NT Server in your basement. if you shared the Windows directory. any time dial-up clients try to access the share point. From there. such as the System directory or the Fonts directory. or either. access to each share point on the machine. Unfortunately. Of these two types. After you enter the password. Therefore. This allowed me to have unlimited access to every file on the system by going into a share associated with the root directory of the hard disk that contained the files that I needed to access. they will be prompted for a password. After all.

I’ve discussed two ways to establish remote access for the home PC running Windows 98. you’d see both share points. Watch for overlapping security When you create share points. you’d just have read-only access. having a remote access link can save a lot of time and trouble. In this article. Each share point functions as a separate entity. you’d be able to navigate to the \Windows\System directory and gain full access to that directory. If you attempted to directly access the share associated with \Windows\System. if you set the Windows directory to allow full control and the \Windows\System directory to allow read-only access. you must also remember that the security that you apply is specific to each one. Conclusion When you need to access a file on your home PC during the course of the workday.You can even set one password for read-only access and another password for full control. Therefore. For example. when you browse the remote system. as you’d expect. Notes 22 Administrator’s Guide to VPN and Remote Access. you must be very careful not to overlap shares if you’re trying to restrict a remote user to read-only access. The level of access that a remote user gets will depend on the password entered. you went into the share associated with the Windows directory. If on the other hand. Second Edition .

..................................................................................................148 Serving up NetWare’s Web Manager ..................................26 Controlling the dial-up bandwidth on your VPN .........................................................141 Implementing site-to-site VPN with BorderManager 3...............35 Understanding demand dial connections in Windows 2000 .........................................99 Learn why NAT can cause VPN connection problems .........................46 How to configure Win2K client VPN connections .................119 Monitoring and troubleshooting VPN connections in WinNT .........................................x................................................................................................................................................................................................................................Administration In this chapter you’ll find the expert guidance you need to install......................................................................68 Configuring Windows 2000 as a remote access server ...............................................................................155 Administration .......82 Optimize inbound client connections for your Windows 2000 VPN servers .............118 Configure Windows NT to support VPN connections .........................................63 Configuring Routing and Remote Access on your Windows 2000 server........................... and administer VPN solutions within Windows......................................................................................................................................143 Setting up client-to-site VPN in BorderManager 3................... Managing remote access to your network ....34 Making the connection with Windows 2000 Professional Dial-Up Networking ...........78 Routing and remote access on Windows 2000 Advanced Server ..........53 Issues surrounding a Windows 2000 VPN implementation .........................................113 How to configure Windows XP client VPN connections ............104 Troubleshoot ISA Server VPN connections ...................................................................................................................................132 Enabling Web access of Exchange accounts using Outlook Web Access ........................................................60 Introducing Windows 2000 Routing and Remote Access ......................................................................x ..................... and Linux networks....................................................50 Setting up a VPN with Windows 2000 ..............................................................................91 Optimal VPN server configuration and management ....................124 The Win9x VPN client connection guide ..........58 Setting up a Windows 2000 virtual private network .....................43 Configuring Windows 2000 for demand dial connections ...................................................................75 Increasing Windows 2000 RRAS security ............................................................. configure.........................................................................137 Enhance Exchange 2000 OWA using front-end servers ........................................................................................102 Create a gateway-to-gateway VPN with ISA Server 2000 .............153 Believe it or not: A Linux VPN without kernel recompilation .................................................................................................................................95 Troubleshoot Windows RAS and VPN connections with these tips ...........................23 Understanding and troubleshooting virtual private networking .................85 VPN networking services built for speed ...........................................................................127 Understanding Exchange 2000 Server’s Outlook Web Access ...................................................................................................108 Configure Windows XP Professional to be a VPN server ................................................................................................... NetWare.............................................................

and you can use an already encrypted digital connection to get a link to your network from just about anywhere that the PCS provider’s network is available. you may hear terms like SDSL.000 feet away from the CO. I’ll discuss a host of ideas that should serve as a starting point for implementing remote access. you’re dealing with a connection that’s always on and ready to go. you have such options as xDSL (Digital Subscriber Line). and then. The advantage to this option is that it can be faster than its DSL counterpart and just Choosing the right type of remote access as economical. CNE. HDSL. ASE A re you getting more and more requests for remote access to your network? As I’m sure you’re aware. With recent changes in technology. In this article. MCSE. you send the command you want to execute (for instance. You should give this number only to those who have to dial in to the network directly—and then probably only with a manager’s approval. You then add some software. You’ll need to look at all the options I present here and decide where they’ll fit into your overall scheme. Cable modem Internet service isn’t as prevalent in certain parts of the country because of the infrastructure requirements placed on cable companies to provide the service. using software provided with the DirecPC dish. the number you use for remote access should be kept a fairly close secret. satellite connectivity is an option worth considering. or ADSL. the higher the speed of service. The only thing that can disrupt the satellite service is a snowstorm or heavy rain. The only bad decision you can make is to not make any decision at all. Depending on the Administration 23 . connecting to a particular Web site). although that may not be a good long-term solution. This means that your users will spend less time dialing up and dealing with modem-related problems. With both DSL and cable modem. you won’t be able to get DSL. For example. With services such as DirecPC and others (DISH Network has announced that it will offer twoway satellite Internet service this fall). you can now consider using satellite when options such as DSL and cable modem aren’t available. The CO and your location must obtain the service via copper wire. The results can be 10 to 20 times faster than you’d experience using only a dial-up connection. your house) and can’t be moved easily. PCS (Personal Communications Service). Don’t publish the number If you’re using a dial-in connection. The closer you are to a CO. the way DirecPC works is that you dial up a conventional ISP (Internet service provider). cable modem.4 and 19. The current speed runs between 14. depending on how close you are to a tower. The disadvantage to both options is that the services are good only to a fixed location (for example. 2000 By Ron Nutter.Managing remote access to your network May 26.2. In addition to using a POTS (Plain Old Telephone Service) line to connect to your network. Satellite connectivity was once thought to be very expensive and difficult to set up. you have several options to choose from. Don’t be confused—this is a way of identifying the specific type of DSL service and how far away you can be from the CO (central office) that provides the service. The main requirements for DSL are: You must be less than 18. and even satellite. There’s no single solution for protecting your network and the valuable data it contains. If you’re receiving your service via a fiber-optic connection. Another option is to use a PCS phone. Depending on the phone company in your area. You have to add a small cable that connects to the base of the phone and then to the serial port on your computer. Unless you live in an area with heavy or frequent storms. granting these requests means a greater risk that unwelcome visitors will access your network.

This means that you are no longer tied to one or more banks of modems. You can divide the VPN solutions into two camps—hardware. on a national or even international level. The problem with dial-back systems is that they require the user to be at a predetermined number unless the system is configured to allow the user to specify the number. you don’t have to worry about a bunch of individual phone lines for all your remote users. is that it integrates with your existing network infrastructure and minimizes multiple points of administration. the user hangs up and waits for a return call. That in itself somewhat defeats the purpose of a dialback system by allowing the call to be redirected. such as Novell’s BorderManager. you gain more security while delaying access to information. Depending on the type of PBX you have. After properly authenticating to the system that answered the phone. given enough time and resources. users can enter something as simple as their e-mail addresses. you may need to change this number occasionally to help discourage ex-employees from causing problems on your network. in many cases. users may not be where you think they are. An advantage of software-based solutions. a software-based solution won’t be able to carry as much because you’re multitasking an existing network operating system (NetWare. you remove that layer of management and allow remote access to your network to be controlled from one point (your network) instead of both your and your ISP’s networks. have the incoming DID trunk terminate directly into a digital modem pool. you may want to consider using DID (Direct Inward Dial) numbers for controlling remote access. Using RADIUS Using a dial-back connection system Years ago. provides an additional layer of authentication. With Guardian. Therefore.and software-based. the communications can be unencrypted. With each step up the encryption ladder. When the call comes. Hardware solutions such as Cisco’s Secure PIX firewall can carry a huge amount of VPN-based communications. This could be an especially expensive proposition if you implement a digital modem pool that channelizes a T1 into multiple logical modems. in this case). you can track usage for department billing purposes. In addition.frequency of staff turnover. the software answers the call from Guardian. and then allows the session to continue. the user dials in to a predetermined number. When connecting to the ISP’s modem pool for authentication. Instead. The only problem with using an ISP as a modem pool is that you now have an additional layer of management—a user account for each user who will be remotely connecting to your network. IBM implemented a system called Guardian that was designed for users needing remote access to corporate information. Second Edition . If you need additional levels of authentication (sometimes known as strong Administrator’s Guide to VPN and Remote Access. With call forwarding fairly common. You must determine what type of barrier can prevent hackers from gaining access to your corporate data. This way. you can concentrate on having enough T1 or T3 capacity to handle the number of remote users needing to access the network. With DID. The advantage of a dial-back system is that you can avoid extra long-distance charges when calling from a hotel or using an inbound 800 number. Keep in mind that regardless of any VPN (virtual private network) solution you choose to implement. However. 24 There are varying levels of encryption. Most large ISPs have modem pools in more than one city and. you can easily busy out a phone number when a remote user doesn’t need it any longer. By using RADIUS (Remote Authentication Dial-In User Service). Consider VPN for secure communications Letting the ISP be the modem pool The biggest hassle of offering remote access to your network is managing what could become a fairly substantial modem pool.

I’ve discussed using a VPN link for an encrypted connection to your corporate network and a personal firewall to protect the remote PC. Symantec offers a bundled solution in Norton Internet Security. Using Citrix or Windows Terminal Server If you’re concerned about rolling out remote access options to “computer-challenged” 25 Administration . if you’re using BorderManager as your VPN solution. to mention just a few candidates. such as Norton Internet Security and BlackICE. Running with outdated signatures is almost as bad as not using any antivirus solution at all. upgrade the tools you’re using to protect access. The advantage of a bundled solution is that if there’s a problem. You still have one point of vulnerability: computer viruses from an e-mail attachment or a file download. Mandate antivirus protection for all remote users Using a personal firewall While VPNs give you an encrypted link from a remote user into your network. Just as with the personal firewall option I discussed earlier. As with any solution of this nature. Symantec. that can provide firewalls on your personal workstation or home network. When designing a secure network solution such as a VPN. For example. This is a method used by the @Home NOC (Network Operation Center) to ensure no one is running a Usenet server. and CAI. Nevertheless. So far. having more than one VPN access device running is a good idea. in turn. You may want to consider learning how hackers access networks and doing the same things in a test lab so that you can continue to evaluate new tools as they become available. Running a Usenet server is a violation of the user agreement for the @Home network. More and more corporate networks are running some type of antivirus solution at network entry points.) This approach ensures that if one device fails. You can now find a host of products. The numbers change at periodic intervals based on a mathematical formula. you’ll want to have some type of subscription service available. Firewalls were once used only to protect access in and out of corporate networks. you have one less company to talk to for technical support. remote users using the @Home Internet cable service to access the corporate network will It has been said that any solution is only as good as the weakest link in the chain. They can then jump onto the encrypted link and go right into your network with little or no challenge. the possibility still exists that hackers can work their way into a remote PC connected to your network. has realized that you may want a solution that involves both a personal firewall and an antivirus software program. you may choose to run the service on another system so that if the firewall is down.authentication). you won’t lose all your remote access. don’t immediately assume any potential “threats” that are identified are actually threats. Symantec. you must. you want to avoid having a single point of failure. As hackers find new tools to gain access to your network. There are several good solutions—McAfee. As you’re testing both the prospective solutions and connectivity options. probably see periodic port probes looking for the NNTP service running on the computer they’ve attached to the cable modem. you can require that tokens be used that constantly generate a series of numbers. While existing firewall products can also provide VPN service. Depending on the number of remote users you’ll support. running an antivirus package on the remote PC introduces yet one more safeguard for your network— and one more hurdle that a potential virus must clear. (For example. your remote VPN users can still gain access to your network. In addition. make sure your remote users understand that they need to periodically check for updated virus signatures (or you can configure their workstation to perform that step for them). you may want to have more than one BorderManager server running the VPN service. At least one vendor. you’ll want to have some type of subscription service to help keep the product current.

MCSE I t’s easy to understand why virtual private networking (VPN) is steadily increasing in popularity—VPNs are flexible and secure. Users never know they’re using a different server each time they authenticate to the network.) Conclusion You’ll need to continually evaluate your network to ensure that you have the level of protection you need. or ISDN access. it has become more and more important for workers to be able to connect to their company networks even when at home.0. including flexibility. NT 4. however. neither the application nor the data that’s being accessed actually leaves your network—only screens and keystrokes are passing back and forth. You can think of these products as the equivalent of a computer running PCAnywhere on steroids. Me. 98. Consider having a second box that users can access to get to your network. All modern Microsoft operating systems— Windows 95 (with the Dial-up Networking 1. in some cases) to access your network remotely without having to beef up the hardware in the field. Just take things one step at a time. An added advantage is that if a user has a problem logging on or running a particular application. and don’t try to implement the whole solution at once. Understanding and troubleshooting virtual private networking Mar 5. cost-effectiveness. Don’t ever be content that you have done everything that can be done to protect your network and the access to it. you may be able to use a fairly inexpensive computer (even an XT. This can be accomplished in three basic ways: A direct dedicated connection A dial-up remote access connection A VPN connection The last is an attractive alternative for several reasons. (Citrix offers a server farm option that allows multiple servers to be disguised as a single logical server.3 upgrade).users. The disadvantage is that you potentially will have a single box with two or more processors with more than 256 MB of RAM in your computer room to support the incoming user sessions. That way. You may also be able to get away with using a regular dial-up connection without making the additional investment in cable modem. you can “shadow” the session in question and walk the user through the problem. you’re getting access to a session on the computer running either WinFrame or Terminal Server and not controlling the whole system. In this article. I’ll explain how VPNs work and how to troubleshoot common client-side configuration and connection problems. Depending on your configuration. DSL. Second Edition . 2001 By Debra Littlejohn Shinder. Three ways to connect from the road Over the past few years. With this type of solution. security. and ease of implementation. or on location at 26 Administrator’s Guide to VPN and Remote Access. on the road. you may want to consider using either Citrix WinFrame or Microsoft’s Windows Terminal Server. and 2000—include built-in support for virtual private networking. clients’ sites.

creating the element of privacy. A VPN connection is made by “tunneling” through a public network (typically the Internet) to reach a private network. establishing and using a VPN connection can still be a little tricky. There are two tunneling protocols supported by Microsoft for VPN connections: the Point-to-Point Tunneling Protocol (PPTP) Table A: Tunneling protocols supported by Microsoft operating systems Operating system Windows 95 with Dial-up Networking 1. There are three basic components involved: Encapsulation Encryption Authentication Authentication Authentication protocols supported by all Microsoft VPN clients include: Challenge Handshake Authentication Protocol (CHAP) Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 1 Password Authentication Protocol (PAP) Shiva Password Authentication Protocol (SPAP) Additionally. Encapsulation is performed by a tunneling protocol. not virtual private networking. including NetBEUI. Only Windows Encapsulation The link between the client and the private network emulates a point-to-point connection by encapsulating. Tunneling protocols and VPN client functionality can be installed from the Windows installation CD. Encryption Encapsulation makes it possible for the packets to travel across the public network. or wrapping. Windows 2000. IPX/SPX. The availability of encryption depends on the user-level authentication method used for the connection. even providing wizards in the latest versions of Windows. Windows 95 with the Dial-up Networking 1. VPN overview Before you can effectively diagnose and correct VPN problems. Although Microsoft has made VPN configuration as simple as possible. depending on the operating system (see Table A).3 upgrade. and Windows NT with Service Pack 4 or later support MS-CHAP version 2. It is possible to send unencrypted data through a tunnel. Encryption is performed by: Microsoft Point-to-Point Encryption (MPPE) protocol—with a PPTP tunnel IPSecurity (IPSec) protocol—with an L2TP tunnel VPN data encryption is between the VPN client and VPN server.as will the yet-to-be-released Windows XP (code name “Whistler”). but this would be virtual networking. and Layer 2 Tunneling Protocol (L2TP). or TCP/IP) inside a header that contains information for routing across the public TCP/IP network. the data packet (which can use any network transport protocol supported on the private network.3 upgrade Windows 98 Windows NT 4. making a computer running any of these operating systems function as a VPN client. you need a basic understanding of how a VPN works.0 Windows 2000 Windows Me Supports PPTP Yes Yes Yes Yes Yes Supports L2TP No No No Yes No Administration 27 . Windows 98 with Service Pack 1 or later. Encryption provides confidentiality for the contents.

This error occurs because there are no ports on the server configured to answer for the specified tunneling protocol. the problem may lie in one of the other categories. you will see an Error 678 message (No answer). it is one to be aware of if your credentials are rejected by the VPN server). When you use the Network And Dial-Up Connections Wizard to create a Win2K VPN Figure A You may get an Error 678 message if the VPN server does not answer. you have three options: PPTP. Tunneling protocol configuration problems If the VPN server does not support the tunneling protocol with which the client is attempting to connect. Second Edition . If your VPN client is configured to use a different tunneling protocol from that supported by the VPN server. The client connection can be either via a direct dedicated connection or a dial-up connection to the client user’s ISP. when you configure a Windows 2000 client. as shown in Figure A. then try PPTP). but if you are unable to detect a reason for the problem on the client side. You may also get this message if all the PPTP or L2TP ports on the VPN server are already in use. Most VPN users will be running the Windows 9x/Me. If you are able to do so. if applicable). L2TP. I’ll look at configuration of Windows 2000 clients and then point out differences (where they exist) in other Microsoft operating systems. Otherwise. or Windows 2000 Professional operating system on the client computer. Your user account must be set on the server to allow remote access (although this is a server configuration problem. The most common VPN connection problems fall generally into one of the following categories: Problems related to the Internet connectivity on one or both sides Problems related to VPN server configuration Problems related to VPN client configuration This article focuses on the last category. Basic considerations are the same. so it is important to ensure that the client is properly connected to the ISP. Attempt to ping an Internet host. Troubleshooting common VPN problems A VPN connection requires that both the client and the VPN server be connected to the Internet. Invalid credentials (logon failure) You must have a valid username and password that will allow you to connect to the VPN server. The last is the default (in which case the client will try to establish an L2TP connection first. NT 4. contact the network administrator or check the settings on the Dial-in tab of the user account properties sheet on the server. although there are some differences in configuration dialog boxes. If you’re sure the credentials you entered are correct. or Automatic. The dial-up connection presents the first point of failure. 28 Administrator’s Guide to VPN and Remote Access. the connection will fail. you will receive this message: Your credentials have failed remote network authentication You will be prompted to re-enter your username and password (and logon domain. Ensure that you are entering the proper account name and password.0 Workstation. Windows 9x/Me/NT clients support only PPTP as the tunneling protocol. As with any troubleshooting situation. you should first consider the most basic (and easiest to correct) possibilities. you have a connection to the ISP.2000 supports the Extensible Authentication Protocol (EAP). However. you will need to troubleshoot your modem configuration and/or Dial-up Networking. First. Do this by checking the status of the dial-up connection. If not.

as shown in Figure B. as shown in Figure C. Again. only PPTP is supported. In Windows 98.0. If the VPN server supports only L2TP connections. Another possibility. Making a VPN connection requires using two connections: a dial-up connection to the Internet and a PPTP connection to the private network. tion. You configure the VPN connection with the Make New Connection Wizard by selecting Microsoft VPN Adapter as the connection device instead of a modem. Note that in Windows NT 4. Authentication method configuration problems In addition to a common tunneling protocol. you can select a specific tunneling protocol. is that the server is filtering GRE packets. You may also see the same No Answer error message presented above if PPTP filtering is enabled in the server’s RAS configura- Figure B In Windows 2000. and you must install PPTP as a new protocol in the Select Network Protocol dialog box. if you are able to ping the server by name and address but you cannot establish a VPN connection. If the client is not configured to use an authentication method that Figure C Figure D If there is no common authentication protocol. you will not be able to establish a VPN with a Windows 9x/Me or Windows NT client. and change it to Automatic or to the protocol setting for which the server is configured to correct this problem. you should check the protocol configuration in the Properties box for the VPN connection. Administration 29 . you will get an Error 919 message. However.0. you add Virtual Private Networking as a Communications component from Add/Remove Programs in the Control Panel. both client and server must support a common authentication method. this is a server configuration problem that cannot be corrected from the client side.connection. You then create a dial-up networking entry to connect to the PPTP server. Automatic will be set as the server type (the wizard does not offer you a chance to select). The VPN connection is configured by adding a VPN adapter device from the Port box in the RAS Setup dialog box. PPTP must be installed as a network protocol in Windows NT 4.

or Require Encryption. accessed via the Security tab of the VPN connection properties sheet. Encryption type mismatch Another reason your VPN connection may fail is a mismatch between data encryption requirements on the client and server. Second Edition . as shown in Figure G. Because the default setting is to Require Encryption. you can choose one of the following: No Encryption Allowed (Server Will Disconnect If It Requires Encryption) Optional Encryption (Connect Even If No Encryption) Require Encryption (Disconnect If Server Declines) A mismatch will result in an Error 742 message. Note that the Windows 2000 client can be configured to use EAP or to allow any or all of the standard authentication methods supported by other Microsoft operating systems. shown in Figure D. If you have chosen to use EAP. Optional Encryption. shown in Figure F. you will see an Error 919 message. you can choose either Smart Card Or Other Certificate-Based Authentication or MD-5 Challenge. You can select No Encryption. 30 Administrator’s Guide to VPN and Remote Access. the client is able to contact the VPN server but is Figure G The client must use an authentication protocol that is allowed by the server. Windows 2000 encryption settings are changed via the Advanced Security Settings property sheet. In the Windows 2000 client’s Advanced Security Settings. Remote access policies on the VPN server can also be responsible for this error message. Figure F An encryption type mismatch will result in an Error 742 message. As with authentication protocols. check the authentication protocols allowed by the client in Advanced Security Settings (Figure E). you should always check out the possibility that the VPN server is set not to allow encryption. In Windows 2000.the VPN server supports. Figure E “Unreachable Destination” problems In all of the problems discussed above. if you get this error message.

Figure J Connection status is shown in the Status column of the Network And Dial-Up Connections window. Figure I You can determine whether traffic is moving across the VPN connection by checking its Status sheet. You will not be able to connect by IP address unless you know the server’s currently assigned address. it is likely that the ISP will assign it a different IP address each time an Internet connection is established.unable to negotiate a VPN connection because of configuration settings that do not meet the server’s criteria. You should attempt to ping the server to ascertain whether it is online. you will get an Error 769 message. There may be a name resolution problem if you are trying to connect by server name. Sometimes. a VPN server will have a permanent (static) address and a dedicated full-time Internet connection. shown in Figure H. You should recheck the entry and ensure you have the proper name or IP address entered. More commonly. There can be three causes of this error: The VPN server may be offline. You may have entered the wrong server name or IP address for the VPN server in the client configuration properties. you’ll see the Error 769 message (The specified destination is not reachable). this means that either the server does not have a registered domain name or the DNS server on the network is down or not functioning correctly. You should try connecting by IP address instead of server name. Figure H If the destination VPN server cannot be contacted. TIP: ISPS AND MULTIPLE IP ADDRESSES Note that if the VPN server has a dial-up connection to the Internet. If you can ping the server by IP address but not by name. Administration 31 .

you can check the status of the connection in several ways. as shown in Figure K. including VPN connections. Although you may be unable to correct these problems from the client side. you should be aware that The netstat command will show you all active connections. If you are unable to browse. Undesired disconnections If you are able to establish the VPN connection. even if active. as shown in Figure J. note changes in the number of bytes sent and received to confirm that traffic is going across the VPN connection.net. ensure that the workgroup name in the Network Identification properties is the same as the domain name.starblazer. run netstat. At the command prompt. but the link is prematurely disconnected. If your connection is established and you can access the VPN server. but you are unable to access resources on the server or LAN. If you receive an Error 53 message.com and one to Exeter. but you cannot browse the LAN or access resources on other computers. Figure K Firewall and proxy problems The firewalls and proxy servers that often protect our networks from unauthorized access can complicate VPN connectivity. This will show a list of active connections. access resources. 32 Administrator’s Guide to VPN and Remote Access. Ensure that the client has a WINS server assigned. or to never hang up (the default). there can be several reasons for the problem: The VPN server must be configured to allow access to the entire LAN. In the Foreign Address column. and browse the network. In addition. As shown in Figure L. attempt to connect to the network shares on computers inside the LAN using the UNC path (\\servername\sharename).tzo. A Windows 9x/Me/2000 client will have an icon in the system tray for each remote access connection. If you are using Windows 9x clients to log on to a domain. not just to the VPN server computer. you can set this value from one minute to 24 hours. This is a server configuration that cannot be corrected from the client side. In the Activity section. the status for the VPN connection should show as Connected in the Network And Dial-Up Connections window. Second Edition . Check this setting first if you are getting disconnected at a regular interval of time. Your ISP may have idle time limitation rules or connect time limitation rules that automatically disconnect you after a specified period of idle time or a specified period of time online. (Network path was not found) this may be because the client cannot resolve NetBIOS names. This can be done manually in the client’s TCP/IP properties or via DHCP. You will see a status box similar to that in Figure I. right-click the VPN connection and select Status. Your account may not have the proper permissions to access the resources on the server. you can recognize VPN connections by the appearance of the type of tunneling protocol (PPTP or L2TP) following the foreign address. Again.Problems after connecting If it appears that the VPN has connected successfully. Note the two active VPN connections in Figure K—one to a VPN server named Mail.tacteam. Right-click the icon and click Status. The same properties box can be accessed via Start | Settings | Network And Dial-Up Connections. check the following possibilities: You may have the VPN connection configured on the client to hang up after a specified number of minutes of idle time.

see www. Administration 33 . can be established. the network administrator needs to open UDP ports 137 and 138 and TCP port 139. However.ISAserver. it may be due to firewall or proxy restrictions or packet filtering rules on the router. ISA clients running the Firewall client software cannot establish a VPN because outbound PPTP is not supported. I showed you techniques for troubleshooting and correcting common client-side VPN connectivity problems.if your client configuration appears to be correct and you are unable to establish a VPN connection. In this article. because the Winsock client immediately redirects data to the proxy server before it can be processed as necessary by the VPN. For example.org. Conclusion Virtual private networking provides a costeffective way to take advantage of today’s almost universal Internet connectivity to create a private “tunnel” to a company LAN or other network from a remote location. If you have an active Winsock Proxy client. Figure L Disconnections can be caused by an idle time hang-up setting in the Virtual Private Connection Properties dialog box. VPN connection failures and other problems are often easy to correct by modifying the client configuration. Also. you will not be able to establish an L2TP/IPSec VPN from behind the proxy server. Microsoft’s Proxy Server does not support outbound PPTP requests from internal clients (behind the proxy). TIP For more information about Microsoft’s ISA Server. You will have to disable the Winsock Proxy client. the Winsock Proxy client is called the Firewall client. because IPSec does not work with address translation (which is the way Proxy Server provides Internet access to its clients via a single public IP address). you will not be able to create a VPN. in which the proxy server is the VPN client. you may be unable to browse the LAN if NetBIOS packets are being filtered by the firewall or router. Gateway-to-gateway VPNs. In this case. In Microsoft’s new ISA Server. ISA clients that are configured as Secure NAT (SNAT) clients can be VPN clients. You cannot reach a VPN server behind a firewall at all unless port 1723 is open and protocol 47 (GRE) is allowed.

VPN 34 Administrator’s Guide to VPN and Remote Access. DEFINITION: QUALITY OF SERVICE In networking. voiceover IP. 2001 By Ed Engelking II. Two ways to maintain this control are packet classification and bandwidth management: Packet classification Packet classification groups data by importance. and the better handling it receives at the expense of other. applications using large amounts of a data stream. the higher its classification. Previously. Second Edition . will have their bandwidth decreased in order to provide fair access to other employees. Controlling bandwidth will continue to challenge administrators Network administrators must control virtual private networking and the resources that are required for it to operate successfully in an organization. The more important the data. Quality of Service for all Improved firewalls and routers. a VPN administrator can police the incoming and outgoing data from a network and allow certain amounts of bandwidth to be available for differing packet classifications. Bandwidth management By using bandwidth management. via the Internet using connections that consumed only a small amount of bandwidth. Because telecommuters and remote offices are here to stay. however. With QoS integrated within a VPN. and money transactions. which in turn increases acceptable performance for each employee outside of the office. both inside and outside of the network. such as MP3s. or VPN. This causes the bandwidth in use to fall below the allowed allocation. an administrator gains full control over the data flowing through the network. A+ M anaging available bandwidth via dialup connectivity was once a relatively easy task for network administrators. Guaranteed delivery Guaranteed delivery reserves a section of bandwidth for specific services within a network. no matter the connection speed. enable the limitation of bandwidth for incoming and outgoing data. Quality of Service (QoS) is a term that indicates a guaranteed bandwidth level. With the onset of broadband communications such as cable and DSL within SOHO environments. less important data on the same network. most users connected to a virtual private network. administrators now face the challenge of controlling available bandwidth on VPNs. there are additional ways of controlling the amount of available bandwidth: Traffic shaping Traffic shaping comes into play when a service provider detects Internet traffic congestion. such as video teleconferencing. incorporating Quality of Service (QoS). The amount of incoming and outgoing data streams is then lowered via queuing. If your telecommuters are burning bandwidth by using broadband connectivity. Other forms of bandwidth control Depending on the needs of the network administrator. Fair bandwidth Fair bandwidth allows all users on a network to obtain equal access to Internet bandwidth. With fair bandwidth enabled. how can you address this problem? Here are some solutions available to network administrators that can help limit and control the amount of bandwidth used.Controlling the dial-up bandwidth on your VPN Jan 26. It determines which services are high priority and allocates bandwidth accordingly.

0 Workstation RAS client and server.0 Workstation had built-in RAS client and RAS server capabilities? It you didn’t. 2001 By Dr. Access VPNs for the Enterprise—Cisco Systems. The RAS server feature is also improved.ashleylaurent. Thus.com/warp/public/ cc/so/neso/vpn/vpnsp/justify/avpnn_bc. The configuration interface is wizard-driven. this feature is available right out of the box. serial. Setting up Windows NT 4. Thomas Shinder. The Windows 2000 Professional Dial-Up Networking client now allows you to call a VPN server on the intranet or Internet. the machine can actually handle multiple inbound sessions. there were multiple interfaces you had to slog through to access the configuration dialog boxes and get things set up correctly. However. htm) Article resources The following resources were used in the creation of this article: Ashley Laurent Security Newsletter— Volume 1. Unlike in Windows NT 4. A Windows 2000 Professional machine can support a single dial-in session from a remote user per interface. ISDN. then you’re a member of a very large club. Windows 2000 Professional includes all the features of the Windows NT 4. and there are no complex protocol and interface configurations to make. Issue 2. parallel. As was typical in Windows NT 4. the incorporation of new technologies intended to supplement QoS will help network administrators manage this problem. 7/3/000 (http://www. These features can be broken down into two major categories: Outbound access Inbound access Once you understand the features and functionality of outbound and inbound RAS access on a Windows 2000 Professional computer. In this article. VPN. it’s almost impossible to make a mistake. we’ll look at the dial-up networking features available in Windows 2000 Professional. and a lot more. When you eventually found your way to the correct interface. you’ll never want to get near a Windows NT 4.com/ newsletter/03-03-00.com/TERM/ Q/QoS.0. MCSE D id you know Windows NT 4.administrators will continue to have issues with maintaining bandwidth.0.html) Making the connection with Windows 2000 Professional Dial-Up Networking Jun 28.cisco. the operating system also supports analog. However.0 workstation again! Administration 35 .internet.0 Workstation to be a RAS client or server was not an easy thing to accomplish.cisco. 8/28/00 (http://www. the configuration was far from intuitive.htm) QoS definition by Webopedia (http://webopedia.htm) Quality of Service for Virtual Private Networks—Cisco Systems. 3/3/00 (http://www.com/warp/public/ cc/so/neso/vpn/vpne/qsvpn_wp. and infrared interfaces.

For security reasons. The Network Connection Type page appears (Figure B). or you can enable the Use Dialing Rules check box and select the area code from the Area Code drop-down list box. Windows 2000 Professional supports several types of outbound remote access. the connectoid should be available only to the user who creates it. he or she will not even need to enter credentials to access network shares and other network resources. The Phone Number To Dial (Figure C) page The connectoid is an icon located in the Network And Dial-up Connections window. This opens the Welcome To The Network Connection Wizard page. Click Next.Windows 2000 Professional outbound remote access Creating a corporate RAS Dial-Up client When a remote user establishes a dial-up connection to the corporate network. If the user dials in using the option in the logon dialog box for remote access. Figure A 2. To create a connectoid to connect to the corporate RAS server. 6. Second Edition . There are several connectoids seen in Figure A. Click Next to continue. the object the wizard creates is called a connectoid. The Completing The Network Connection Wizard dialog box appears and asks you to name the connectoid. it is used to invoke a particular type of connection. Therefore. Choose the Dial-up To Private Network option on the Network Connection Type page. double-click the Make New Connection icon. 4. The Connection Availability page allows you to make the connectoid available for all users or only for yourself. When you create a connection to a particular location. Many users decide to save their dial-up password in the connectoid. Open the Control Panel and double-click on the Network And Dial-up Connections icon. The VPN client can access the same resources and print to the same printers as the locally attached machines. his or her computer is a participant on the network in exactly the same way as a machine attached via the local Ethernet. you do not want it to be available to other users who might access the machine. After entering the phone number. 36 Administrator’s Guide to VPN and Remote Access. You can enter the entire phone number in the Phone Number text box. click Next. Click Finish (Figure D). Figure B allows you to enter the phone number for the corporate RAS server. perform the following steps: 1. In the Network And Dial-up Connections window. 3. 5. These include: Corporate dial-up RAS client calls ISP dial-up calls VPN client calls A wizard guides you through creating each type of connection. Select the Dial-up To Private Network option and click Next.

Configure the phone number to dial. double-click the Make New Connection icon. Beware of the security implications of saving the password with the connectoid. 4. You have three choices: Figure D Figure E Put a check mark in the check box for Add A Shortcut To My Desktop to make access to the connectoid much easier. as seen in Figure E. he or she can manually enter it here. In the Network And Dial-up Connections windows. The phone number to dial is automatically included. If the user needs to log on with another name. This opens the Welcome To The Network Connection Wizard page. as is the location. The Network Connection Type page will appear. Creating an ISP dial-up connectoid is similar to creating the corporate RAS client connectoid. 2. launch the RAS connection. Figure C Creating an ISP dial-up and local network Internet connection Your company may decide not to allow direct dial-up connections to a corporate RAS server. The Welcome To The Internet Connection Wizard (Figure F) appears. 3. The logged-on user’s name will appear automatically in the User Name text box. Open the Control Panel and double-click on the Network And Dial-up Connections icon. Perform the following steps to create the ISP dial-up connectoid: 1. Click Next to continue. Make the connection in this dialog box. The Save Password check box allows the password to be saved with the connectoid. Select Dial-up To The Internet and click Next. A more cost-effective solution is to allow users to dial up an Internet connection and then create a virtual private network (VPN) connection to a corporate VPN server via the dial-up Internet connection. Direct dial-up RAS servers can be expensive to implement and maintain. Administration 37 . You will see the Connect Corporate RAS Server dialog box.From the connectoid’s icon on the desktop.

38 Administrator’s Guide to VPN and Remote Access. Second Edition . even though you already have an existing one... The I Want To Transfer My Existing Internet Account To This Computer. subsequent pages will ask you for a username and password. The Use Automatic Configuration Script option allows the client to take advantage of Connect to the Internet through the LAN. In this example. Since your company will have provided its users with an account. except for the mail account step.. The Setting Up Your Internet Connection page (Figure G) allows you to connect to the Internet using a phone line and modem or via a local area network (LAN) connection. Microsoft provides a list of ISPs. and whether you want to create a mail account. All these steps. Even if the user does not have an ISP account. If you choose the I Connect Through A Phone Line And A Modem option. there is no reason for a user to select this option. The Local Area Network Internet Configuration page appears next (Figure H). The I Want To Set Up My Internet Connection Manually.. option allows the user to create a new dial-up account with an ISP. The Automatic Discovery Of Proxy Server (Recommended) option allows the client to use a wpad entry contained on either a DNS or DHCP server. are the same as when you created a direct dial-up connection to the corporate RAS server. This option provides you the most flexibility when setting up the connection. Figure G 6. The I Connect Through A Local Area Network (LAN) option allows a machine on a network with a centrally routed or proxied connection to the Internet to connect to Internet resources. If such an entry is not made on the internal network..The I Want To Sign Up For A New Internet Account. he can do better by researching local or national ISPs. Click Next to continue. the phone number of the ISP. Select the third option and click Next to continue. 5. Avoid this option unless you want to transfer to a new ISP.. this option should be left blank. option is the preferred option if you already have an ISP account. we’ll select this option. the name of the connection. A large proportion of remote employees have small home networks. Figure F Select the third option from the Internet Connection Wizard. option gives you the opportunity to sign up for a new account.

0 Workstation. 2. The Set Up Your Internal Mail Account page offers the user an opportunity to create a new mail account. the ISP automatically before establishing the VPN link. double-click the Make New 39 Administration . When you configure the dial-up VPN connection. Since it’s unlikely that a user will have an enterprise array on his home network. Figure H 7. On the last page of the wizard. a connectoid similar to the corporate RAS client connection would be created.Microsoft Proxy Server 2. The machine is now able to connect to the Internet through the proxy or NAT server. Click Next to continue. Configure the LAN-connected Internet client to use a proxy server. 9. you need a dial-up connectoid configured on the machine. you do not need to install a PPTP VPN adapter and go through a circuitous configuration procedure. 8. Therefore. Select this option and click Next.0 or ISA Server 2000 caching arrays. If you had created a dial-up connection to the Internet. Click Next. Windows 2000 Professional will offer to dial up Select the type of public network connection. The third Local Area Network Internet Configuration page allows you to configure addresses on the local network that will bypass the proxy server. Most home network users will have a single proxy or NAT server. To create a dial-up VPN link. Enter the IP address of the internal interface of the proxy server and place a check mark in the Use The Same Proxy Server For All Protocols check box. it will need to dial up an ISP before establishing the VPN link. If the machine is not connecting to the VPN server through a LAN connection. Select No on this page and click Next. Open the Control Panel and double-click on the Network And Dial-up Connections icon. The Manual Proxy Server option is the preferred option for a home network. The second Local Area Network Internet Configuration page allows you to configure the IP address of the proxy server. Unlike in Windows NT 4. Creating a VPN client connection Windows 2000 Professional supports outbound VPN client connections through both dial-up and LAN interfaces. perform the following steps: 1. A wizard walks you through the process of creating the VPN client connection. Figure I 10. this option should also be disabled. In the Network And Dial-up Connections window. click Finish to complete the Internet connection.

and click Next. the client must be able to resolve the address by using a public DNS server. you choose whether to connect to the VPN server via a LAN connection or through a dial-up connection. In this example. On the Devices For Incoming Connections page (Figure K). click the down arrow under the Automatically Dial This Initial Connection option and select your ISP connection. 2. a Windows 2000 Professional machine can accept only a single inbound connection per RAS interface. Click Next to continue. After the Internet connection is established. For security reasons. a dialog box will appear asking if you would like to establish a link with the ISP before connecting to the VPN server. 6. Click Next to continue. In the Network And Dial-up Connections windows. perform the following steps: 1. Click Next to continue. a second dialog box will appear asking for credentials to establish the VPN connection to the VPN server. 3. infrared.Connection icon. Note that we can select and receive calls on all devices. Windows 2000 Professional can also accept inbound calls. Inbound calls can be accepted via serial. 40 Administrator’s Guide to VPN and Remote Access. your best option is to make the connection available only for the user who creates it. Unlike Windows 2000 Server machines. 4. choose to make the connection available for all users or only for yourself. Select the Connect To A Private Network Through The Internet option and click Next. Open the Control Panel and double-click on the Network And Dial-up Connections icon. and VPN interfaces. On the final page of the wizard. The connectoid for the VPN link will appear in the Network And Dial-up Connections window. type in the name of the connectoid and click Finish. On the Destination Address page (Figure J). When you double-click the connectoid. On the Incoming Virtual Private Connection page (Figure L). type in the Fully Qualified Domain Name (FQDN) or IP address of the VPN server. the machine If you type in a FQDN. This opens the Welcome To The Network Connection Wizard page. select the device on which you want to accept inbound connections. After making the selection. 4. Windows 2000 Professional inbound remote access connections 5. double-click the Make New Connection icon. On the Public Network page (Figure I). click Next. parallel. Click Next to continue. If you wish to make VPN connections to the Windows 2000 Professional computer. To configure the Windows 2000 Professional computer to accept inbound calls. To create the initial ISP link. 7. Second Edition . This opens the Welcome To The Network Connection Wizard page. The Network Connection Type page will appear. Select the Accept Incoming Connections option and click Next. On the Connection Availability page. you tell the wizard whether you want to accept VPN connections on this interface. We’ll select both interfaces. Figure J 3. 5. we can accept calls on a modem and an LPT (parallel) port.

Figure M 8. If you try to put the same address in both boxes. Place a check mark in the Allow Callers To Access My Local Area Network check box if you want RAS clients to be able to access the internal network behind the Windows 2000 Professional machine. Click Next. However. ISDN. we’ll select the Administrator account and click Next. Allow Administrator inbound access. In this example. you must be sure you have a DHCP server on the internal network on the same network ID as the internal interface of the Windows 2000 Professional computer. If this check box is not checked. If you choose to use DHCP.Figure K Figure L Select a device for inbound connections. The Networking Components page (Figure N) displays the network protocols and services used for this connection. you will get an error. and cable modem connections. should have a dedicated connection to the Internet. you can get dial-up modem accounts that allow for dedicated connections with true unlimited access. You must include at least two addresses. On the Allowed Users page (Figure M). the user will be able to access resources only on the Windows 2000 Professional machine itself. choose whether you want to assign addresses via DHCP or from a static pool of IP addresses. Click on the Internet Protocol (TCP/IP) entry and then click the Properties button. Administration 41 . We will allow inbound VPN connections. The Incoming TCP/IP Properties page (Figure O) allows you to configure how IP addresses are assigned to inbound callers. Note that the modem will still allow inbound direct dial-up connections with this configuration. 7. Typical dedicated connections are xDSL. you will have to configure a From and a To address. In the TCP/IP address assignment frame. 6. If you choose to use a static pool of addresses. you select which users you want to allow permission to make inbound calls.

If the client tries to use an IP address that is already in use on the network. 9. it can receive a single inbound call on each RAS-enabled interface.The Allow Calling Computer To Specify Its Own IP Address option will allow the caller to configure his or her own IP address in the VPN client connection interface. After you complete the wizard. Second Edition . RAS connections are easy to set up because all inbound and outbound connections are created using a wizard. As a RAS client. Figure O Figure P Configure client IP addressing parameters. 42 Administrator’s Guide to VPN and Remote Access. users can begin to make inbound calls to the Windows 2000 Professional computer. the connection will fail. On the final page of the wizard (Figure P). it can make direct dial-up and VPN connections. you are informed that the connection will be named Incoming Connections. As a RAS server. Click OK and click Next. You do not need to restart the computer. Figure N Conclusion You can also configure the properties of the other components here. Windows 2000 Professional supports the roles of RAS server and RAS client. Be careful with this option. The Windows 2000 Professional computer supports inbound calls to just the Windows 2000 Professional machine itself. or to the entire network to which the Windows 2000 Professional machine is attached. All inbound connections will be accessed through this connection.

In such a situation. Administration 43 . Figure A illustrates a situation in which demand dial routing would be useful. if you support a remote office that needs to be fed data from your local servers only once or twice a day. you have two options for establishing connections with other routers or networks: dedicated or demand dial connections. the connection remains persistent. For example. and the connection is metered and incurs charges based on connection duration. After the data is transmitted and an appropriate idle time has passed. The alternative is a persistent connection. a dedicated connection might not make sense. on-demand routing is generally the best solution. Demand dial routing (also called ondemand routing) forwards packets across a nonpersistent Point-to-Point Protocol (PPP) connection. a demand dial connection. Dedicated connections typically use connections such as T1 and frame relay. whether those connections are persistent or not.Understanding demand dial connections in Windows 2000 Dec 25. such as a long-distance POTS call or metered ISDN service. but you need to remember that demand dial routing isn’t simply geared toward Figure A Internet Demand Dial Connection Main Office Router Satellite Office Router A demand dial connection can serve a satellite office. The previous example of the remote office is a good example of a scenario where an on-demand connection would be the best solution. An ondemand connection is nonpersistent and remains connected only when packets need to be forwarded through the demand dial interface. In general. you can think of demand dial connections as those routing connections that connect via dial-up means. Any time you have a metered connection. At first blush. persistent connections might seem illogical in the context of demand dial routing. 2000 By Jim Boyce hen you configure a Windows 2000 router. Windows 2000 drops the connection. Except on rare occasions when a hardware failure occurs. makes more sense and could save the company W a small bundle in connectivity charges. which gets used only when data actually needs to be transmitted. On-demand versus persistent There are two types of demand dial connections: on-demand and persistent.

the initial TCP retransmission timeout is set by the registry value HKEY_LOCAL_MACHINE\System\ CurrentControlSet\Services\Tcpip\Parameters\InitialRtt. the registry setting MaxConnectRetries specifies the number of times TCP will attempt a connection. If increasing the timeout doesn’t address link delay in all situations. For example. or 35 seconds. or 75 seconds. If the connection is dropped. the default value for the initial connection timer is also three seconds. Why not make all connections be ondemand. TCP sets a retransmission timer when it attempts the first data transmission for a connection. The application’s first attempt will initiate the connection sequence. specifies an initial timeout of five seconds. A value of 5. This is an important consideration when setting up the demand dial connections—you need to take into account how the client applications will handle the connection delay. there’s no reason why you should not have the connection persist. The TcpMaxDataRetransmissions value is also a REG_DWORD with a valid range of 0-65535. For example. The default value is five. For all Microsoft Windows platforms. for a maximum timeout of 21 seconds. one router always functions as the calling router and the other always functions as the answering router. As with Windows 2000 and Windows NT. For Windows 2000 and Windows NT 4. The InitialRtt value is a REG_DWORD with a valid range from 0-65535 and it specifies the length of the timeout in milliseconds. the answering router must be configured with an account that the calling router can use to establish the connection. for example. modify the number of connection attempts the application makes. Second Edition . while ISDN could take less than five seconds. The amount of time required to establish a demand dial connection varies depending on the connection media. The number of connection attempts is defined by the registry setting HKEY_LOCAL_MACHINE\System\ CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions. the second at 3+6 seconds. and a secondary attempt will allow the application to connect after the router has time to establish the connection. If the application supports a variable timeout setting.forwarding packets across metered connections. either router can function as the calling or answering router. The default is three. the first attempt is made at 3 seconds. Since either router can initiate a Administrator’s Guide to VPN and Remote Access. The default value is 3.000. In a one-way connection. if the connection uses a local POTS call or flat-rate ISDN service where there is no per-minute charge. modify the timeout setting to accommodate the link establishment delay.000. For both types of connections. you need to consider whether the connection will be one-way initiated or two-way initiated. TCP doubles the retransmission timeout value for each subsequent connection attempt and by default attempts retransmission two times. but rather forwarding packets across any PPP dial-up connection. A POTS call could take 20 seconds or more to establish a link. There are. For Windows 9x and Windows Me clients. you need to create an account on both sides of the connection to be used by the calling router to authenticate on the answering router. scenarios where you’d want the demand dial interface to be persistent. Setting the retransmission count to 4 with a retransmission timer 44 of five would result in a total timeout of 5+10+20+40. even if it doesn’t cost any more for a given connection to be persistent? Client access is the primary reason.0 clients. The initial retransmission timeout value is 3 seconds. therefore. Increasing the initial retransmission timer to 5 seconds would result in a total maximum timeout of 5+10+20. You can modify the TCP retransmission timer properties to extend the length of time that TCP will attempt a connection before timing out. One-way versus two-way demand dial connections When you’re setting up a demand dial connection. and the third at 3+6+12 seconds. In the case of a two-way connection. In a two-way connection. Windows 2000 automatically attempts to reestablish the connection.

Select the route in question and display its properties. In addition. traffic routed through the default route could cause unwanted connections. open the RRAS console. In the case of manually created routes. the connection will dial any time the traffic is routed through the default route. preventing that traffic from initiating the connection. Another issue to consider before you start creating your demand dial connections is whether or not you want to apply filters and time restrictions to the demand dial connections. If the static route directs traffic to a primary subnet that carries critical traffic. you can configure the filters to allow all traffic that fits the filter criteria to initiate the connection or exclude all traffic fitting the criteria. When you’re configuring routes between your routers. including the reduction of connection charges. Autostatic updates enable RIP to request all known routes from the remote router and add them to the local routing table as static routes.connection. This is because the routers must exchange routing announcements. consider the impact that the default route will have on traffic and the demand dial interface. deselect this option to prevent the traffic from initiating the demand dial connection. simply add the static routes to the appropriate interfaces on both sides of the connection. The solution is to use static routes where the number of routes is small. Static routing and autostatic updates In addition to authentication considerations. These filters let you specify criteria for the source and destination that determines when the demand dial interface can be initiated. if you configure the default route to be used to initiate the demand dial connection. As Figure B shows. and then select the Static Routes node. Use the option Use This Route To Initiate Demand Dial Connections to control whether or not traffic that applies to the static route causes the demand dial connection to be initiated. In this latter scenario. In addition to configuring each static route according to whether or not it can initiate the demand dial connection. or use autostatic updates with RIP when the number of routes doesn’t lend itself to manually created static routes. the traffic will be routed only if the demand dial connection is already established (caused by traffic through another route) and will fail if the demand dial connection is not active. the account name used by the calling router must match the demand dial interface name on the answering router—a requirement for both one-way and two-way connections. To do so (or to configure the behavior for any other route). If the traffic is secondary. the routing overhead traffic generated by the routers could nullify the benefit of using demand dial connections. 45 Demand dial filters and time restrictions Administration . For example. We’ll cover performing autostatic updates in the next article. Because the default route is applied to all traffic not serviced by another route. you’ll probably want the static route to be used to initiate the demand dial connection. you should configure the default route so that it will not initiate the demand dial connection. both need to have accounts the other can use to authenticate and connect. using RIP with autostatic updates is a viable solution. Where there are more complex routing requirements not easily satisfied with manually created static routes. and no additional route updates occur on the interface until you manually perform another autostatic update or the local router initiates another scheduled update. While you could use dynamic routing (RIP or OSPF) over demand dial connections. Deselect the option Use This Route To Initiate Demand Dial Connections. you also need to think about routing issues. Autostatic updates marry the convenience of RIP with the connection control of static routes. For that reason. you can control connection initiation through demand dial filters. one-way event. causing additional periodic traffic and requiring more frequent connections. including when you have traffic bound for a nonexistent or unreachable subnet. expand the IP Routing branch. The autostatic update is a one-time.

also select the option Remote Access Server and click OK. there are no dial-out hour restrictions on a demand dial interface. you might process data transfers only at night and want the demand dial interface to be used only during those hours. Second Edition . Getting started In general.” I’ll show you how you can configure each demand dial interface with hour restrictions to do just that. Configuring demand dial initiation filters Setting up dial-out hours Configuring autostatic updates Configuring persistence Enabling demand dial routing and remote access (RRAS) First. the process involves several steps: Enabling demand dial routing Setting up remote access on the called router Enabling demand dial connections on the dial-out hardware Creating the connection Configuring accounts and authentication Adding RIP and/or creating static routes 46 Administrator’s Guide to VPN and Remote Access. Configure demand dial filters to determine which traffic can initiate a demand dial connection. open the RRAS console and connect to that router. you must enable demand dial routing for each router that needs to support it. verify that the Router option is selected and then select the option LAN And DemandDial Routing. I’ll show you how you actually make the connections. 2000 By Jim Boyce I n the previous article. For example. By default. On the General page. In this article. In some cases.Figure B Another consideration is when the demand dial interface can or should be initiated. I introduced you to demand dial connections in Windows 2000. preventing routing during the day as a means of controlling traffic or reducing costs. right-click the server and choose Properties. In the console. To do so. On a called router. Configuring Windows 2000 for demand dial connections Dec 28. you might want to restrict those hours. In the next article. “Configuring Windows 2000 for demand dial connections. so traffic that fits the route or filter criteria can initiate the connection at any time.

and choose Configure. expand the server. Route IP Packets On This Interface: Select this option to allow IP routing on the demand dial interface. etc. If you’re configuring a demand dial connection for incoming calls in a two-way connection. you’ll need to configure certificates and filters. Send A Plain-Text Password If That Is The Only Way To Connect: This option allows the router to accept plain-text passwords if it doesn’t support encrypted passwords. create the demand dial interface. and choose New Demand-Dial Interface to start the Demand Dial Interface wizard. The properties are the same as those you’d configure for a typical dial-out connection through the Network And Dial-Up Connections folder. Select the Demand Dial Routing Connections option. or automatic selection. you’ll also need to specify the IP address or DNS name of the remote router. The General page enables you to configure the dial-up device used by the demand dial connection. VPN Options: If you choose to connect through a VPN. If you want to use multilink to improve throughput. You specify the script after completing the wizard. open the RRAS console. right-click the demand dial interface you just created and click Properties. such as the modem and ISDN interface. including alternate numbers to dial if the primary is unavailable.) or VPN connection depending on the requirements of the remote router. and if you also want to use the device for incoming remote access calls. consider naming the connection after the remote router. Connection Type: Choose between a physical device (modem. If you choose the VPN option. The wizard prompts for the following information: Interface Name: Specify the name as it will appear in the RRAS console. For easy identification. L2TP. The wizard will prompt you for the account properties for the account the remote router will use to connect to the local router. give the interface a name that matches the account the remote router will use to connect to the local router. specify the phone number of the remote router. ISDN. you have to configure the dial-out port to support demand dial connections. Add A User Account So A Remote Router Can Dial In: If you’re configuring a two-way demand dial interface. In the RRAS console. Route IPX Packets On This Interface: Select this option to allow IPX routing on the demand dial interface. Remember that if you choose L2TP. To begin. Use Scripting To Complete The Connection With The Remote Router: Select this option to enable the local router to use a script to complete the connection to the remote router after dialing. you have some additional configuration to perform. rightclick on the Ports node. In the RRAS console. The User Name field is dimmed to prevent you from changing the account name. Then. and choose Properties. After the wizard finishes. Phone Number: For non-VPN connections. select the Remote Access Connections option as well. the wizard prompts for additional properties. click the port. right-click Routing Interfaces. expand the server. select all appropriate devices from the Connect Using group. This option is dimmed for VPN connections. install and configure the hardware to be used for the connection. Select the VPN type as PPTP. Locate the device’s port. You Creating the demand dial connection Next. Administration 47 .Windows 2000 will restart the RRAS service to accommodate the change. Close the dialog boxes when you’ve finished. select this option. In addition to configuring RRAS to support demand dial. The wizard automatically uses the name specified in the Interface Name property (the first wizard page) as the account name and prompts only for the password for the account.

clients. The Security page is the place to go to configure the authentication method(s) used by the demand dial connection. If the clients use a given protocol. Use the resulting dialog box to select the hours that Use the Options page to configure the connection as demand dial or persistent. If you need to run a script to complete the demand dial connection.25. you’ll need to configure demand dial filters to determine which traffic can initiate the demand dial connection and to restrict (if desired) the connection to specific hours. for example. as well as the protocol. Configure the settings according to the requirements for your data transfer. Right-click the demand dial interface and choose Dial-Out Hours. Second Edition . All traffic that fits the filter criteria will not initiate the demand dial connection.configure additional multilink options through the Options page. Add filters as needed and then select one of the following options: For All Traffic Except: Select this option if you want all traffic except that falling under your specified filter criteria to be able to initiate the connection. Click Add and then specify the criteria based on source network or destination network (or both). click OK. click Configure Bandwidth Utilization Parameters to control dialing and hanging up. In the right pane. Networking. Only For The Following Traffic: Select this option if you want only traffic that meets the filter criteria to be able to initiate the demand dial connection. configure the script in the Interactive Logon And Scripting group. click the appropriate button to configure those properties for the connection. you specify whether the connection will be on-demand (demand dial) or persistent. Next. The Multiple Devices group lets you configure multilink for the demand dial connection. make sure that protocol is enabled for the dialout connection. From the drop-down list. including network protocols. Click OK when you’ve finished creating the filters. enables you to configure the network services that the demand dial connection will use. Configuring filters and hour restrictions Figure A Next. Use the Dialing Policy group to specify the number of redial attempts and interval between redial attempts. use the drop-down list to specify the idle time for hanging up. if you need to use callback or X. In the Connection Type group. First. If you choose Dial Devices Only As Needed. open the RRAS console and select the Routing Interfaces branch. 48 Administrator’s Guide to VPN and Remote Access. right-click the demand dial interface you want to configure and choose Set IP Demand-Dial Filters. select the method you want Windows 2000 to use to establish multilink connections. these properties are the same as for any other outgoing remote access connection. If choosing Demand Dial. Make sure you specify a length of time that accommodates normal idle times during data transmission. The final property page. and the settings are just like any other outgoing dial-up connection. Then. configure dial-out restrictions if you don’t want the demand dial connection to be available all the time. and server type. Again. Finally. The Options page shown in Figure A lets you configure several connection options.

Deselect the option if you don’t want traffic destined for the selected route to be able to initiate the connection. Verify that autostatic Update Mode is selected in the Operation Mode drop-down list. you need to add RIP. select the option Use This Route To Initiate Demand-Dial Connections. The RRAS GUI interface doesn’t provide a mechanism for scheduling autostatic route updates to occur automatically. requests an update from the remote router. The other default settings are correct for connecting to another Windows 2000 RRAS router. expand the server. but in most situations it is a manageable risk. Be sure to take this risk into account when you’re developing your routing strategy for the demand dial connection. a better solution than using RIP is to simply create static routes. When you’re satisfied with the static route properties. If the update request fails for some reason (the remote router is unavailable. close the dialog box and then repeat the process to create any other required static routes. For example. If you’re updating routes in a two-way demand dial connection. the route transfer will begin. open the RRAS console and then expand the server. for example).the demand dial connection is either permitted or denied. obtaining all remote routes. and choose New Routing Protocol. it deletes the existing routes and then You can also create a script for NETSH and execute that script through the NETSH command. Keep in mind that an autostatic update transfers routing data from the remote router to the local router. the local router will initiate the demand dial connection and then request the update. the local router won’t be able to rebuild its routing table. open the IP Routing branch. This is one minor disadvantage to using RIP instead of static routes for the demand dial interface. Here is an example of a script that updates the routing information for a demand dial connection named RemoteOffice: netsh interface set interface name=RemoteOffice connect=CONNECTED netsh routing ip rip update RemoteOffice netsh interface set interface name=RemoteOffice connect=DISCONNECTED Performing manual and scheduled autostatic updates When RRAS performs an autostatic route update. Setting up the routes If the number of routes you need to manage over the demand dial connection is relatively high and you intend to use Routing Information Protocol (RIP) and autostatic updates to maintain the routes. right-click the node (or right-click in the right pane). If the demand dial connection is currently active. save the previous commands Administration 49 . right-click General. If you want traffic destined for the selected route to be able to initiate the demand dial connection. Next. right-click RIP in the IP Routing branch and choose New Interface. Right-click the demand dial interface whose routes you want to update and choose Update Routes. Select the demand dial interface from the Interface drop-down list and configure the static route as needed. make the changes now. In the RRAS console. you need to also perform an autostatic update at the remote router to update its routes. This means that the routes will be unavailable until a successful update occurs. If you need to tweak the settings to accommodate a different remote router or your network requirements. Select the demand dial connection and click OK. Windows 2000 presents a tabbed property sheet that is the same as when you configure RIP on any other routing interface. If not. and choose New Static Route. Open the IP Routing branch and then open the General branch. If the number of routes for the demand dial interface is low. Open the IP Routing\Static Routes node in the RRAS console. Select RIP and choose OK. When you want to initiate an autostatic update. but you can use the NETSH command from a command console to update routes. This enables you to create a script containing the appropriate NETSH commands and schedule that script using the Windows 2000 AT command.

For example. One of the most potentially confusing aspects of two-way demand dial connections is the naming convention you use on both routers. Configuring. MCP+I. At your Headquarters location. set up the connection. to make the connection work properly you should create a user account at Headquarters with a user account name of HomeOffice. and even if you’re not using VPNs at your organization. I’ve primarily focused on setting up a one-way demand dial connection. At your remote location. Conclusion Demand dial connections make it easier for you to use routing to connect networks without having a permanent connection between them. such as PPTP or LT2P. 2000 By Erik Eckel. Network+. network administrators are turning to virtual private networking (VPN) connections to link remote workers to LANs. configure routes. as well as a user account at the remote site with a user account name of RemoteOffice. assume you have two routers in two locations. run the following command to execute the script: netsh -f RemoteUp. and Administering Microsoft Windows 2000 Server Exam 70-216—Implementing and Administering a Microsoft Windows 2000 Network Infrastructure Why a VPN? VPNs have caught on quickly primarily for the following two reasons: VPNs permit employees to connect to office resources from home or other locations using common hardware. secure connections can be configured between a client’s laptop or home 50 Administrator’s Guide to VPN and Remote Access. Second Edition . you’ll need to be familiar with Win2K’s VPN feature if you’re planning on sitting for any of the following exams: Exam 70-210—Installing. You’ll need to configure the hardware.scp Setting up a two-way demand dial connection Up to this point. How to configure Win2K client VPN connections Nov 28. MCSE I ncreasingly. and Administering Microsoft Windows 2000 Professional Exam 70-215—Installing. you have a router with an interface name of RemoteOffice. Windows 2000 includes VPN functionality. By using tunneling protocols. except you perform the configuration tasks at both ends of the connection. VPNs provide secure connections. Therefore.scp. Configuring. In this article.to a text file called RemoteUp. Then. you have a router with an interface name of HomeOffice. Setting up a two-way connection is essentially the same. Remember that when you’re naming the connections each connection’s name should be the same as the connection authentication account on the remote router. and perform the other tasks explained above. Windows 2000 lets you create demand dial connections with a little bit of work. I’ve shown you how.

Just click Start | Settings | Network And Dial-Up Connections. Select the default. select the connection from Start | Settings | Network And Dial-Up Connections. if you’re using a cable modem or a DSL connection. Administration 51 . If you wish to create a shortcut for the dial-up VPN connection on your desktop. you’ll need to specify whether the connection will be used only by yourself or by all users of the machine upon which it’s being installed. Select Dial-Up To Private Network to begin creating a dial-up VPN connection. If you’re installing the VPN link on a laptop.machine and a company’s LAN. For All Users. as diagramed in Figure A. The Windows 2000 Network Connection Wizard offers two methods for connecting to private networks. The wizard will then prompt you to supply the telephone number of the computer or network you wish to call. Most likely. and select Properties. Figure A PSTN Computer Server Laptop VPNs use tunneling protocols to create secure connections through the Public Switched Telephone Network. Provide a name for the VPN connection and select Finish to complete the process. be sure to check the Add A Shortcut To My Desktop box. you may wish to check the Use Dialing Rules box. Next. if everyone using the workstation should have access to the VPN connection. Figure C shows the Dial-Up Connection Properties dialog. you’ll choose this option. Select Only For Myself if you wish to make the connection available only for your user logon. To connect to the remote system. right-click the dial-up connection you wish to configure. Doing so enables you to configure different dialing configurations depending upon your location. You should select Connect To A Private Network Through The Internet if you wish to use a preexisting Internet connection. Should you need to change the telephone number or other settings associated with the VPN connection. The method you select will depend largely on the telecommunications technology you have in place. You should select Dial-Up To Private Network if you plan to use a traditional 56Kbps modem or ISDN connection. you can do so easily. Figure B Creating a dial-up VPN connection Dial-up VPN connections are created by selecting Dial-Up To Private Network from the Network Connection Wizard. The Network Connection Wizard can be reached by clicking Start | Settings | Network And Dial-up Connections | Make New Connection from within Windows 2000 Professional. as shown in Figure B.

If no initial connection is required. Here you can modify TCP/IP settings. substituting the appropriate name.168. To connect. indicate whether you wish to add a shortcut to the desktop. Just as with a dial-up connection. Figure C Figure D You’ll need to supply your networking user name and password for authentication purposes. Supply your user name and password for the network you wish to access (see Figure D). Second Edition . If it does. Click Next. If you want to edit the settings for the connection. select Do Not Dial The Initial Connection and click the Next button. remote access. double-click the shortcut—if you chose to create one—or select the connection from Start | Settings | Network And Dial-Up Connections. 52 Administrator’s Guide to VPN and Remote Access.Creating a tunneled connection If you need to create a VPN connection using a cable or DSL modem. such as 192. a LAN. you can enter the IP address of the machine you wish to contact. you can do so easily. and other configuration information. the IP or host name of the computer to which you wish to connect. select Automatically Dial This Initial Connection and supply the name of the connection you wish to have dialed from the provided drop-down box. Supply a name for the connection. Or. of course. Select the appropriate option and click Next. and you’re ready to begin enjoying the benefits of secure.1. you can specify (or change) the modem to use by clicking Configure.com. Just right-click the connection name and select Properties. Whether data encryption is automatically required. you’ll be asked whether the connection is to be used only by yourself or by all of the system’s accounts. Several other options can be configured using the tabs in your connection’s Properties dialog. and click Finish.1. including: Whether you wish to have connection progress displayed. For example. You can supply the host name in the form somehostname. A variety of settings can be configured for dial-up connections from the Properties box. The wizard will ask you whether an initial call needs to be placed. in the Network Troubleshooting Wizard you’ll want to select Connect To A Private Network Through The Internet. or a WAN connection. Provide the host name or IP address of the computer or network to which you want to connect.

a dialup server that enables remote users to also access the network uses IP forwarding to forward that traffic. Look for the setting IPEnableRouter. but it’s actually easier than on a server. we’ll examine what hardware and software you’ll need for your VPN. explain how to configure a VPN server on your corporate network. requiring only a change to a check box in the TCP/IP properties. MCSE. we’ll remind you that registry editing can be risky. especially for connecting small remote offices and supporting telecommuters from their home offices.). (It’s easier still in Windows NT. Other options you can configure include whether the connection appears in the Taskbar when it’s in use. Windows 2000 Server’s Routing and Remote Access Service (RRAS) enables a Windows 2000 Server computer to function as a full-fledged router. 3. etc. OSPF. Given that more and more companies are turning to VPNs for security reasons. Set the value to 1 to enable IP routing on all the computer’s interfaces. Setting up a VPN with Windows 2000 Oct 18. IP forwarding allows Windows 2000 to. or Point-toPoint Tunneling Protocol [PPTP]). in effect. whether to include your Win- dows logon domain when connecting.) 1. Win2K offers dramatic improvements in functionality and security over the bare bones VPN of Windows NT. and other routing protocols. and show you how to configure telecommuters to make a VPN connection Administration 53 . CCNA H ave you heard about the magical benefits of the virtual private network? Are you ready to test its merits in your remote access infrastructure? If so. 2. act as a router. you’ll want to understand how to configure this networking option. complete with support for RIP. At the same time. The type of VPN server being called (you can specify Automatic discovery. Open the Registry Editor and then open the branch HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\Tcpip\Parameters. In fact. Client for Microsoft Networks. For example. You’ll be amazed at how easy the basic setup of a VPN has become with Windows 2000. Layer-2 Tunneling Protocol [L2TP]. and whether Internet Connection Sharing should be enabled for the connection. 2000 By Jason Hiner. you’ll be happy to hear that Windows 2000 provides an excellent VPN platform. Windows 2000 includes a VPN functionality that is more robust and clearer than previous versions of Windows. Enabling IP forwarding is a relatively simple matter on a Windows 2000 Server computer—you just run the RRAS wizard in the RRAS console. so be sure you have a verified backup before you begin. USE IP FORWARDING IN WINDOWS 2000 PROFESSIONAL IP forwarding in Windows 2000 enables a Windows 2000 computer to forward IP packets. Note: As always. In this article. Enabling IP forwarding on a Windows 2000 Professional computer isn’t as intuitive.Which networking components are used by the connection (such as TCP/IP. thanks to a simple registry edit.

or you can pass authentication to a RADIUS server. we’ll have the VPN server authenticate users locally. Make sure you don’t install other unnecessary services. this means your VPN server is actually functioning as more of a VPN router than as a server. Also. let’s get started on configuring your Windows 2000 remote access VPN. based on routing tables. This will depend on how much bandwidth you have to begin with. you’ll want to set up a workgroup just for the VPN server—something like “Internet. In this example. you will want your VPN server to be a dedicated server with nothing but Windows 2000 Server or Windows 2000 Advanced Server running on the machine. The other network card should have an IP address assigned to the local network. You’ll also need to set the domain/workgroup for your VPN server. Your server will need to have two network cards. you can use a 300 MHz (or better) Pentium II or Celeron machine with at least 128 megabytes of RAM. VPN works best if you have an always-on Internet connection at your corporate network. click on the icon with the name of your server and click 54 Administrator’s Guide to VPN and Remote Access. Preparing the infrastructure Configuring the VPN server The first thing you need to consider is the hardware requirements for your VPN server. you should choose to statically assign IP addresses. The final major consideration is your Internet connection. If you’re going to have a cluster of VPN servers. Keep in mind that this can include non-Windows resources such as NetWare and UNIX servers. One card will connect to the Internet and the other will connect to the local area network. You’ll need to set up one network card with a true Internet IP address and the default gateway of your Internet router. If you have a dial-up Internet connection.” If you want to use Active Directory and have a Windows 2000 domain controller handle authentication. setting up Remote Access Policies. We’ll focus on the basics of VPN setup. and the num- Once you’ve dealt with the hardware issues. Then. in one sense. you may want to use a RADIUS server (such as Microsoft’s Internet Authentication Service) to perform VPN authentication. Once you have Windows 2000 Server installed. I would recommend at least a 450-MHz Pentium III with at least 256 megabytes of RAM. As you’ve probably realized.to the corporate LAN. go to Start | Programs | Administrative Tools | Routing And Remote Access to pull up the RRAS Microsoft Management Console. This setting will depend on how you decide to do authentication. Second Edition . bers of users and remote offices that will be connecting to your VPN server. In an enterprise environment. like any router. creates the secure tunnel. you can use Windows 2000 domain security. allows users to access resources on the subnet to which they are connecting or to another subnet. For a small business or branch office with fewer than 100 users and fewer than 20 remote access connections. what your current utilization is. shown in Figure A. such as DNS. DHCP. and then. With this in mind. Also avoid loading any additional third-party software. the only VPN solution I would recommend would be a server-to-server connection between your corporate office and a remote office. such as setting up a server-toserver VPN with a remote office network. or configuring your VPN connection to pass through firewalls and proxy servers. Using a VPN server can mean that you’ll be able to get rid of many of your phone lines that are currently dedicated to RAS. It authenticates the users. this is robbing Peter to pay Paul because you’ll probably need to consider increasing the Internet bandwidth at your corporate office. Remember that Windows 2000 by itself requires substantial hardware resources. For this configuration. However. and it should not contain a default gateway. have the VPN server join a Windows 2000 domain. but we won’t touch on advanced topics. and IIS. except for things that are absolutely necessary such as backup agents. There are three basic options: The VPN server can authenticate users locally. If you have the VPN server authenticate users locally. you need to install Windows 2000 Server and the latest Service Pack on your machine. During installation.

The settings in the IP tab are crucial because they regulate the IP and network information that incoming VPN Figure B Figure C General tab in the Properties dialog box Settings in the IP tab Administration 55 . shown in Figure C. The VPN wizard is still a little quirky. make sure that you have checked the Router and Remote Access Server selections and that the LAN And Demand-Dial Routing option is selected under Router. you can leave the default settings or tweak them to your preferences. You may be tempted to select the VPN option in the wizard. which will take you into RRAS to begin your configuration. Select Manually Configured Server. This will bring up the main options you’ll use to activate your VPN server. and then configure IP Address Assignment for DHCP or assign a static address pool (in the subnet you want clients to connect on). choose RADIUS Authentication. Set the Adapter option to the adapter that connects to your LAN. Start the configuration by right-clicking on the icon with the name of your VPN server and selecting Properties. As for PPP and Event Logging. In the General tab. are very important.Action | Configure And Enable Routing And Remote Access. and it’s much better to configure the few basic VPN settings in RRAS manually so you’ll know how to troubleshoot and tweak them in the future. If you’re using a RADIUS server. but please control yourself. This will launch a wizard that sets up a new server. shown in Figure B. The settings in the IP tab. You’ll want to check Figure A RRAS Microsoft Management Console Enable IP Routing and Allow IP-based Remote Access And Demand-Dial Connections. Switch to the Security tab and select Windows Authentication if the VPN server is doing its own authentication or if you’re using a Windows domain for authentication.

as you will see when we get to client configuration. so most clients will connect using PPTP. you can select Control Figure D Figure E The Ports Properties dialog box Options in the Dial-In tab 56 Administrator’s Guide to VPN and Remote Access. before any client can connect to your VPN server. After that. You can also make good VPN connections with Windows NT 4. Keep in mind that Windows 2000 Professional is currently the only client that sup- ports L2TP.clients will receive. If your VPN server is authenticating users locally. and 1 Parallel port. and you should see the default configuration of 5 PPTP ports. Configuring remote clients You have now completed all of the basic steps for preparing a VPN server on your corporate network. but you don’t want to enable more ports than you need. select Properties. As you get more advanced with VPN. you need to provide their user account with remote access permission. but you can double-click on the PPTP and L2TP ports and configure the number of ports you need for these protocols. However. Now. 5 L2TP ports. In this example. but they aren’t nearly as fast or as functional as Win2K Pro. While L2TP is destined to become the new standard in VPN. You can leave the default Parallel port alone. as shown in Figure E. and add the IP address of the DHCP server(s) for your local area network. you’ll need to right-click on DHCP Relay Agent (a container under IP Routing). right-click on Ports and select Properties. You want to make sure that there are enough ports for all of your users and remote servers. VPN users can also receive static IPs. as shown in Figure D. Second Edition . In most cases. let’s take a look at how to connect a remote client. I’ll focus on the best VPN client. This is especially effective when using the same DHCP server that clients on your LAN use to receive their IP information. If you did opt to use DHCP. Windows 2000 Professional. there are only a few more settings to configure. I would recommend using DHCP to assign IP information to your VPN clients. After completing the VPN server properties.0 and Windows 98. this article will focus on making connections using the simpler and more universal PPTP protocol. set up user remote access permissions by going to Start | Programs | Administrative Tools | Computer Management | Local Users And Groups | Users and double-clicking a user (or creating a username) that you want to enable for remote access. select the Dial-In tab and then select the Allow Access option. Next.

this should bring up a dialog box to follow along with the authentication steps. click Start | Settings | Network And Dial-up Connections | Make New Connection. you’ll need to specify how to connect to the Internet. name the connection (I suggest something like Office VPN) and click Finish. If you have an always-on Internet connection.asp). Now you can double-click the Office VPN icon to display a login screen. I recommend further study on VPN concepts and troubleshooting by consulting Microsoft’s VPN Web site (http://www. First. such as a DSL or cable modem. rather than receiving their IP information from DHCP when they connect. If you have an “always-on” connection. which will be the fully qualified domain name or IP address of your VPN server. Now. Enter a username and password for a user who has remote access permission and click Connect. you’ll notice the Office VPN icon. On a Windows 2000 Professional machine with an Internet connection. and then select Connect To A Private Network Through The Internet. connecting to a corporate VPN server is simple. you should see the dial-up connection triggered first (you may have to hit Connect for that one and then hit Connect again for the VPN connection). choose Do Not Dial The Initial Connection.Access Through Remote Access Policy and use Remote Access Policies for greater control and security. you’ll need to select your destination address. Now.com/ serviceproviders/vpn_ras/default. We’ve focused on VPN as a remote access solution for telecommuters. At the next prompt. which you’ll use to troubleshoot and adjust settings in the future. but the scope of VPN in Windows 2000 extends far beyond the basic concepts reviewed here.microsoft. shown in Figure G. Click Next to begin the wizard. as shown in Figure F. If you have a dial-up connection. when you open Network And Dial-up Connections. If you have a dial-up connection. Choose whether the connection will be accessible for all users or only for yourself. Figure F Figure G The Network And Dial-up Connections window The Office VPN login screen Administration 57 . and then you will see the dialog box showing the VPN authentication process. This will bring up your client VPN options. The Dial-In tab also lets you set up users to receive a static IP address. choose Automatically Dial This Connection and select your Internet dial-up connection from the list. If you’re ready to pilot a Windows 2000 VPN in your enterprise. Right-click on the Office VPN icon and click Properties. Summary This article has provided a primer for setting up a VPN using Windows 2000. Then.

The end user would be totally oblivious to the fact that the file was passing through the Internet to get to the Las Vegas office. Likewise. To understand how a VPN works. and they’re all different. When it comes to virtual private networking. this is accomplished by using a combination of different protocols and encryption methods. a VPN is nothing more than a method for joining two private networks together by passing data packets between the two networks through one or more third-party networks. That’s a very scary thought when you consider the insecure nature of the Internet. Leased lines typically cost big money. this means that your servers are totally exposed to Internet users. In a Windows 2000 environment. If you stop and think about it. When taking on such a task. Because the Internet is full of people with questionable intentions. Issues to consider What’s a virtual private network? Virtual private networks (VPNs) are often misunderstood. what good is security if you can’t even access your own Administrator’s Guide to VPN and Remote Access. One option is to use a leased line. Because of the variety of virtual private networking solutions. Second Edition . If a leased line is out of your league. Once I’ve covered the basics of how VPNs function. I’ll discuss some of the issues you’ll face when implementing a virtual private network in a Windows 2000 environment. To a user on a VPN. to connect the facilities. there are pure hardware VPN solutions and VPNs that are part of your network operating system. however. any user with the appropriate permissions may access any file on the network without the need for someone to send the files to them. it’s up to a user to send specific files to someone else. Each of these solutions works differently. VPNs work differently than e-mail servers. the idea of passing files across the Internet may not seem like that big a deal. the remote servers look and act as if they are on your LAN. you’ve thought about using a VPN. as in Windows 2000. In its purest form. However. After all. It seems that these days. such as a T-1 line. we all exchange files through e-mail everyday. you have a couple of options. performance and reliability are just as important as security. there’s a good chance that sooner or later someone will ask you to link the various locations’ computer systems together. The most common example of a VPN is a situation in which two networks exchange data through the Internet. 58 At first. practically everyone is selling a VPN solution. suppose a user in Las Vegas needed to access a file from a server in Miami. however. Some of these solutions conform to the standards of a true VPN.Issues surrounding a Windows 2000 VPN implementation Nov 28. and others don’t. In this article. I’ll begin by discussing virtual private networking from the standpoint of a generic VPN solution. let’s assume you’ve been asked to link two corporate networks together. you can buy VPN solutions from router manufacturers and firewall vendors. VPNs are designed so that only registered network users may access your network. This is where the word “private” in virtual private networks comes in. In an e-mail environment. For example. it’s necessary to protect your servers. Instead. For example. If the two networks were linked through a VPN. In a VPN. but a dedicated leased line is too expensive. I’ll discuss the specifics of Windows 2000 VPN security a little later. I’ll discuss implementing a VPN in a Windows 2000 environment. another option is to create a virtual private network. After all. 2000 By Talainia Posey I f your business has multiple locations. the user could access the needed file just as though the Miami server were sitting in the next room.

Now consider your Internet connection. suppose that your corporate networks use IPX/SPX. While IPSec itself is responsible for establishing a secure connection between the two private networks. the issues of performance and reliability can be summed up in a single sentence that I can’t stress enough: Your VPN is only as good as your Internet connections. The packet is then placed onto the network where it will reach the destination PC in the usual manner. the remaining data is a true IPX/SPX packet. it recognizes the packet as a PPTP packet and allows the packet to pass through the firewall (assuming that you’ve opened the appropriate firewall port). At this point. Many forms of Internet communications use the PPP (Point-to-Point) protocol. packets flowing across a VPN tend to be larger than packets flowing across a conventional network.data? When it comes to virtual private networking. The only downside to such an arrangement would be the charges for the long distance phone call. a VPN will work with slow Internet connections. To help you to decide which protocol is right for your VPN installation. For example. To understand why this is so true. To build an effective VPN. Point-to-Point Tunneling Protocol PPTP was the original VPN protocol Microsoft introduced. Therefore. If your Internet connection is too slow to comfortably surf the Web. but you’ll almost have to use some form of broadband communications to build your VPN. Microsoft’s implementation takes security a step further. Once the packet gets past the firewall and reaches the VPN server. The slowest practical connection I’ve seen successfully used for a VPN involved using a 128Kbps ISDN link with a static IP address. what will happen when you flood the connection with VPN packets? I’ll give you one guess. Keep in mind that this rule applies to both offices. After all. the PPTP shell is stripped away. the IPX/ SPX packet would be encapsulated inside a PPTP packet. In a virtual private networking environment. The way the Windows 2000 PPTP implementation works is that standard network packets are encapsulated inside PPTP packets. I’ll discuss the two protocols in detail and then compare the two. Technically. consider how a Windows 2000-based VPN works. the packets are encrypted and encapsulated inside a protocol that’s specifically designed to move the packets safely across the Internet. The PPTP packets are then passed across the Internet. If you’re limited to using analog modems. Browsing the Web involves a relatively small amount of data exchange. communications are faster and infinitely more secure if the two servers dial each other directly rather than having the packets pass through the Internet. IPSec provides the mechanism through which the data is encrypted and decrypted. such as the sender and recipient. I mentioned earlier that VPNs rely heavily on encapsulation. When the remote VPN server receives the PPTP packet. When packets are destined for a remote location. Because of the encryption and encapsulation techniques being used. IPSec is actually a collection of several services and protocols that are designed to collectively provide comprehensive security. widely supported. A significant amount of bandwidth is required for moving these larger packets. The first is Point-to-Point Tunneling Protocol (PPTP). your Internet connection should be as fast and reliable as possible. Although still IPSec is the first standards-based VPN protocol. It uses a mechanism called L2TP (Level-2 Tunneling Protocol) Administration 59 . The advantage of using this method is that it works regardless of the protocol being used on your corporate networks. your VPN is only as fast as the slowest Internet link involved. PPTP is merely an extension of PPP. but the Miami server has only an ISDN link. if the Las Vegas server from my earlier example has a T-3 connection. The IPX/SPX packet contains all the usual information. PPTP is being slowly replaced by IPSec-based VPNs. If a packet was destined for the remote network. IPSec Windows 2000 VPN security There are two protocols you can use for Windows 2000 VPNs. then your VPN will be limited to ISDN speeds.

it’s necessary to understand the differences in the two protocols. IPSec is the protocol of choice. I’ll discuss the actual process of setting up a VPN. IPSec guards against replay attacks by associating a sequence number with each packet. It uses a proprietary encryption algorithm designed by Microsoft and doesn’t support header compression. I discussed some of the issues involved in creating a VPN in a Windows 2000 environment. you have a client. Installing a VPN Before we begin creating a VPN. Second Edition . On one end of the VPN. So which protocol is right for you? It depends on your network. let’s review the basic requirements. If the recipient receives a packet with a sequence number that’s already been received. In this article. If you’re adding an extra site to an existing Windows-based VPN. on the other hand. PPTP also requires that the transit network support the IP protocol. and data. such as cost. Not only does IPSec offer the encryption services necessary for VPNs. and reliability. PPTP. Macintosh. I’ll describe the process of installing a VPN. On the other end of the VPN. Before you can truly make an informed decision about which protocol is right for your network. As I did. In the next article. and cost. it also prevents hackers from launching a replay attack against either network by being “replay proof. however. reliability.to better encrypt things like usernames. IPSec has minimal requirements for the network media since it requires only packet-based point-topoint connectivity. you have the host. If you’re building a brand-new VPN that’s purely Windows 2000 or that uses non-Microsoft/ Linux VPN servers. then it may be wise to stick with PPTP. however. and Linux. 2000 By Talainia Posey I 60 n “Issues surrounding a Windows 2000 VPN implementation” (page 58). such as Windows. Conclusion In this article. IPSec is a standards-based protocol that runs on a variety of operating systems. I discussed some of the primary issues you should consider when building a virtual private network (VPN). the packet is assumed to be fraudulent and is therefore discarded.” A replay attack is the process by which hackers capture packets and then replay them in order to gain access to a network. Setting up a Windows 2000 virtual private network Dec 26. Comparing PPTP and IPSec Now you know a little bit about how both VPN protocols work. This client may be a remote network or a remote user. The host is a Windows 2000 server that functions as a router between the Internet and the private network. is a proprietary protocol designed by Microsoft to run on Windows and Linux platforms. I addressed typical concerns. These issues include such factors as security. passwords. IPSec uses DES/3DES encryption and supports header compression. I’ll also cover some additional issues you’ll face during the installation process. In a nutshell. Administrator’s Guide to VPN and Remote Access. security.

It is possible to implement a VPN even if the host relies on a dial-up connection to the Internet. L2TP. Windows will ask you what type of demand dial interface you want to create. Start by clicking Next. right-click on Routing Interfaces. For the purpose of this article.The server that’s functioning as a router should have a permanent Internet connection. When the Routing And Remote Access console appears. When the service starts. This arrangement allows the free exchange of data between the two networks. right-click on the host server and select the Enable Routing And Remote Access command from the context menu. At this point. Administration 61 . As you can imagine. At this point. both of the Windows 2000 servers involved in the process function as hosts and clients. Now. As such. The resulting screen will display a summary of the configuration you’ve chosen. With that said. you’ll see the Routing And Remote Access Server Setup Wizard. Select the Connect Using Virtual Private Network (VPN) radio button and click Next. don’t select VPN just yet. On the initial wizard screen. you’ll notice (and appreciate) the fact that Windows 2000 doesn’t require you to reboot the server. let’s use L2TP for the purpose of this article. This means the host router would likely have a different IP address every time it connects to the Internet. So. click Next. The resulting screen gives you the choice of several types of routing and remote access. you’ll see there are several configuration options available in the Routing And Remote Access console. Many people choose to name the interface after the network it’s attached to or after the function the interface will provide. Click Finish to close the wizard. Click Yes. Even though this server will function as a VPN router. and then select the New Demand Dial Interface command from the context menu. The dual functionality of each machine allows VPN traffic to flow in both directions. I highly discourage using a dial-up connection. I’ll work through the process of joining two networks through a VPN. 7 days a week. Windows will ask if you want to start the Remote Access Service. most Internet service providers assign dynamic IP addresses to dial-up users. Microsoft recommends using L2TP for new VPN installations. When you do. Instead. it would be very difficult for remote clients to connect to the host if the host’s IP address keeps changing. The choices are PPTP. For example. the wizard will ask you for the name of the interface you’re configuring. you’ll see a screen that asks for the IP address or host name for the remote Figure A The Routing And Remote Access console will contain many more options after you’ve enabled the Remote Access Service.0. When you complete the wizard. such as the type provided through a leased line. Windows 2000 will launch the Demand Dial Interface Wizard. However. as shown in Figure A. you might call the interface VPN Interface. The next screen the wizard displays asks for the type of VPN interface you want to create. Begin the configuration process by clicking the Start button and selecting Programs | Administrative Tools | Routing And Remote Access. click Next to begin the installation process. or Automatic Selection. Once you’ve entered the name of the new interface. When you do. If you’ve ever created a remote access server under Windows NT 4. select Manually Configured Server and click Next. and the service will be started. Now. let’s look at the process for configuring the host router to provide VPN capabilities. That’s because even if you can manage to stay dialed in 24 hours a day. The type of VPN interface you create is really up to you.

Figure B Cleaning house Select the types of data you’ll allow to flow across your VPN link. if you named your interface VPN Interface. then the user account will also be called VPN Interface.34. hackers exploit unused TCP/IP ports. There are countless Internet users with malicious intent who would just love to get their hands on your network. you don’t want just anyone who knows your host name or IP address to build a VPN that allows access to your network. This means you’ll have a separate VPN user name and password for each network. At first. I’ve chosen to allow IP packets but to disallow IPX packets. both networks must be protected. the wizard will be set to automatically create a user account that uses the same name as the interface you’re creating. Therefore. and password confirmation for the remote router. the selections you make will greatly depend on your individual network. click Next. user name. the host name is the remote machine’s registered DNS name. assuming you’ve allowed dial-in access. After you’ve entered the host name or IP address of the remote router. As you probably know. The resulting screen gives you a chance to enter the credentials for connecting to the remote network. However. After all. click Next to proceed. Second Edition . it’s impossible to thoroughly discuss 62 Administrator’s Guide to VPN and Remote Access. Click Finish to complete the process. Once you’ve entered and confirmed the account’s password. there are a few things you need to do to ensure that your network is secure and that your VPN is functional.100. in the space provided you can enter an IP address. IP filtering is a science in and of itself. password. On this screen. Therefore. Each VPN router must be set up to know the authentication information for the remote VPN router it will connect to. Click Next to continue. Now that you’ve created a VPN. such as 147.VPN router. This screen asks what type of packets you plan on routing across the VPN link. I’ve also chosen to create a remote access user account and password so that it’s possible for the remote router (or remote users for that matter) to access the network through the VPN. Remember that each VPN router is connected to the Internet. Remember that you must configure both routers before your VPN will work. Therefore. Again. Now. click Next.100. or a host name. I strongly recommend implementing IP packet filtering in a way that will block all inbound Internet traffic except for VPN traffic (and any other types of traffic you might require). When you’ve entered this information. Typically. For example. When you’ve made your selections. the wizard will display a screen that asks for some dial-in credentials. You’ve now finished configuring your VPN router. Simply fill in the domain name. you can enter a password for the user account. Remember that when you join two networks through a VPN. its purpose is to establish a user name and password that can be used to validate the remote router when it tries to connect. there are other ways to get into your network from across the Internet. this screen may be a bit deceptive. Although the VPN link you’ve just created is secure. It’s easy to accidentally assume this screen is designed to give access to dial-in users. As you can see in the figure. Although this screen won’t allow you to change the user name. such as techrepublic.com. you’ll see a screen similar to the one shown in Figure B.

select Internet Protocol (TCP/IP) from the list of installed components and click the Properties button. starting with an overview of what the service can do. as well as third-party platforms. adding routing capability through an add-on service for Windows NT. I’ve explained how to implement a VPN. 2000 By Jim Boyce M icrosoft introduced Remote Access Services (RAS) early in the Windows NT product cycle.IP filtering in the amount of space I have to work with. I discussed some issues you may encounter during the implementation phase. To enable IP filtering. return to the Routing And Remote Access console and navigate to Server | IP Routing | General. Now. It’s important to point out. You can then use the resulting dialog box to enable or disable various TCP/IP ports. right-click on the demand dial interface and select the Update Route command from the context menu. the Internet. Now. When you do. Introducing Windows 2000 Routing and Remote Access Oct 20. go to the Routing And Remote Access console’s IP Routing | Static Routes section. Conclusion In this article. I’ll take a look at RRAS in Windows 2000 Server. it’s impossible to filter TCP/IP on one adapter but not another. In this article. and even individual servers or client workstations. and integration with other Windows 2000 services. for example. perform this task on the other router as well. however. RAS is the mechanism you use. select TCP/IP Filtering and click the Properties button. Click the Advanced button to view the advanced TCP/IP properties. that in Windows 2000. The routes you created should be visible. you’ve filtered TCP/IP on all the adapters. show you the basic technique. right-click on your Internet connection and select the Properties command from the context menu. you’ll see the Internet Protocol (TCP/IP) Properties sheet. To do so. to dial out from a Windows 2000 computer to access an Administration 63 . Now. Next. Windows 2000 integrates these services in a single Routing and Remote Access Service (RRAS) that provides excellent utility for routing. You should now be able to ping each router from the other router. I can. As I did. The other task you must complete is to exchange route information between the routers and test the VPN link. To make sure that the route exchange worked. remote access. If you filter TCP/IP on one adapter. On the Advanced TCP/IP Properties sheet. Next. however. select the Options tab. Overview of Windows 2000 RRAS Remote Access Services (RAS) enables a Windows 2000 computer to dial and access remote networks. go to Control Panel and double-click the Network And Dial Up Connections icon.

infrared connections. Second Edition . Integration with AD enables user accounts and remote access policies and settings such as callback. Windows 2000 also supports a broad range of authentication protocols including Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). NetWare. demand-dial routing. DHCP. Administration is easier too. Multilink enables Windows 2000 to bundle multiple connections to provide an aggregate bandwidth equaling the sum of the individual connections. such as Active Directory (AD) and Kerberos authentication.25. as well as packet filtering. Windows 2000 RRAS offers several authentication options. and so on. parallel and serial port direct connections. for example). and security. connection sharing. Windows 2000 RRAS supports both unicast and multicast protocols. Windows 2000 Professional computers can also serve as RAS servers but only for one connection at a time. Windows 2000 RAS supports several connection options including modem. allowing clients to dial into the server to access local server resources. enabling replication of client account properties throughout the directory. By supporting Remote Authentication Dial-In User Service (RADIUS)—either through a non-Windows 2000 RADIUS server or through the Windows 2000 Internet Authentication Services (IAS)— Windows 2000 RRAS enables you to rely on Windows 2000 for routing services while offloading authentication and accounting to a RADIUS server. ISDN. such as files and printers. integration. AD integration also can simplify management by providing a single point of administration and 64 enabling you to delegate remote access administrative authority over specific services or organizational units (OUs). NetBEUI. clients can also gain access to the network on which the server resides. Windows 2000’s support for tunneling protocols. and PAP. Windows 2000 RRAS also enables a Windows 2000 server to function as a router. number of physical connections (available modems. such as PPTP and L2TP. You’ll find good network protocol support in RRAS with TCP/IP. You gain the advantage of AD’s replication. CHAP. subject to hardware considerations such as server capacity. IPX/SPX. Depending on the configuration of the server. One of the most important additions is the integration of RRAS into Active Directory (AD). thanks to the ability to browse multiple RRAS servers through AD and manage those servers through the RRAS console. X. and asynchronous transfer mode (ATM). Aggregate two 56-Kbps dial-up connections. and UNIX clients to connect to a Windows 2000 RRAS server in addition to Microsoft clients. which work in concert to support multilink connections. and encrypted authentication for secure router-torouter connections.Internet service provider or a remote LAN. and so on. Windows 2000 Server supports an unlimited number of concurrent connections. for example. A key advantage to using Windows 2000 RRAS for routing services is its integration with other Windows 2000 services. and so on to be replicated across the domain for redundancy. New features in Windows 2000 Windows 2000’s RRAS integrates all the features in Windows NT RAS and the Routing and Remote Access Service and adds several more features to improve performance. A Windows 2000 remote access server supports the same connection options for incoming connections as the outgoing connection options mentioned previously. access permissions. The RAS component in Windows 2000 also enables a computer running Windows 2000 Server to function as a dial-up server. enables clients to establish a secure connection to a remote network through a public network such as the Internet. and you get a theoretical connection of 112 Kbps (although the Administrator’s Guide to VPN and Remote Access. You can also use Windows 2000 RRAS to support incoming Terminal Services client connections. The Windows 2000 RRAS service adds support for both Bandwidth Allocation Protocol (BAP) and Bandwidth Allocation Control Protocol (BACP). an MMC snap-in (Figure A). and AppleTalk enabling Macintosh. accessing LAN resources just as if the client were connected locally to the LAN. SPAP. Extensible Authentication Protocol (EAP).

Security and administration are important areas of improvement in Windows 2000 RRAS. Windows 2000 can automatically dial additional connections to accommodate the increase. Protocols currently supported by Windows 2000 include EAPMD5 CHAP. Windows 2000 RRAS supports RADIUS for authenticating clients. whether that server is running Windows 2000 IAS or other RADIUS implementation (including UNIX platforms). Windows 2000 can automatically drop connections. Bidirectional authentication not only allows the server to authenticate the client’s logon request but also enables the client to authenticate the server’s authority to service its authentication request. When bandwidth demand decreases. providing enhanced transmission security. One of the primary advantages to using RADIUS—other than integration with existing hardware or authentication servers—is the capabilities provided by RADIUS for accounting. which enables additional authentication methods to be supported without changes to the operating system or RRAS. line quality. Version 2 offers improved security primarily aimed at virtual private network (VPN) connections. Administration 65 . LAN Manager coding no longer supported: MS-CHAP version 2 drops support for LAN Manager response coding and password encoding for improved security. The server and client negotiate the authentication method. tailoring those policies to OUs. Another new feature in Windows 2000’s RRAS is support for EAP. groups. Figure A Like other Windows 2000 services. Several third-party utilities exist that provide rich account management through integration of the RADIUS logs with database utilities for SQL and other database platforms. As hinted at previously. We’ll take a look at each of these a little later. The use of the arbitrary challenge string results in a unique key for each session even if the user’s password remains unchanged. Support for MS-CHAP version 2 is another addition in Windows 2000 RRAS.resulting connection is limited by the FCCimposed limit on 56 Kbps connections. Version 2 uses an arbitrary challenge string along with the user’s password to create the session key. BACP enables Windows 2000 to dynamically allocate and de-allocate connections based on bandwidth utilization. or individual accounts. As bandwidth use increases. EAP-TLS. Improved transmission security: Windows 2000 RRAS uses separate cryptographic keys for incoming and outgoing data. Support for RADIUS enables a Windows 2000 RRAS server to authenticate clients that connect through RADIUS-based devices such as modem pools. Managing the number of connections in this way can realize a significant cost savings. RRAS can authenticate access against a Windows 2000 server running the Internet Authentication Service (IAS) included with Windows 2000 Server or any server running a standards-based version of RADIUS. The RRAS server can handle RADIUS authentication itself if IAS is installed on the server or redirect authentication to another server. Mutual authentication: This feature provides for two-way authentication between the remote client and the RRAS server. MS-CHAP version 2 integrates several changes for improved security: Stronger encryption: Previous versions of MS-CHAP used 40-bit encryption and the user’s password to create the cryptographic key for each session. including UNIX hosts. RRAS provides an MMC snap-in that lets you manage all RRAS server properties. and other factors). You can apply BAP/BACP policies through remote access policies. and RADIUS. This resulted in the same key being used for each session unless the password changed.

authentication methods. and NetBIOS over IPX. giving you quite a bit of flexibility in designing your remote access structure to accommodate security needs. Windows for Workgroups. but remote access policies provide better administrative control. or NetBEUI as the network protocol. but it doesn’t support SLIP for incoming connections. PPP supports a good selection of authentication protocols. VPN server.You can apply remote access settings such as callback. is to use remote access policies to apply remote access settings on a group or OU basis. and one you’ll likely use. The console Figure B You can apply remote access settings at the user account level. connect time restrictions. enabling clients to use TCP/IP. This successor to SLIP offers better reliability and performance and provides good cross-platform support. Windows NT 3. or PPP. and LAN Manager remote access. Second Edition . you should rely on one of the other protocols instead of Microsoft RAS. You can also specify the length of time the account is locked out before it is re-enabled. however. You also use the RRAS console to configure remote access policies. or remote server capability. remote access server. The RRAS console enables you to fully manage local and remote RRAS servers (subject to access and security restrictions). provides a wizard to help you configure the server according to its primary function. Exploring RAS protocols and connection types Managing RRAS through the MMC As with other Windows 2000 services. is Point-to-Point Protocol. IPX. Windows 2000 RRAS also supports account lockout. Windows 2000 supports Serial Line Interface Protocol (SLIP) for dial-out connection to remote servers that support SLIP (such as older UNIX-based servers). Windows 2000 RRAS provides support for several protocols and connection types. As mentioned previously. NetBIOS over TCP/IP. enabling you to define settings at the group or OU level. and other properties at the user account level. One final improvement in Windows 2000 RRAS is the addition of support for AppleTalk over PPP. You can configure the server manually and fine-tune the configuration to accommodate changes or settings not available through the wizard.1. which helps prevent dictionary attacks by locking the account after an administrator-defined number of bad logon attempts. Windows 2000 supports PPP for both incoming and outgoing connections. you manage RRAS through an MMC console snapin. Macintosh clients can connect to a Windows 2000 RRAS server using TCP/IP or AppleTalk. allowed session limits. as shown in Figure B. Microsoft RAS protocol requires that the client use NetBEUI as the network protocol. Windows 2000 RRAS supports the Microsoft RAS protocol. A better method. a proprietary Microsoft protocol for DOS. or router. whether Internet connection server. Probably the most common connection protocol in use today. enabling Macintosh clients to connect to a Windows 2000 RRAS server using native Macintosh protocols. Windows 2000 RRAS also supports Point-to-Point Multilink 66 Administrator’s Guide to VPN and Remote Access. offering options that can accommodate both client capability and security needs. with the RAS server functioning as a NetBIOS gateway supporting NetBEUI. network topology. Since NetBEUI will likely go away in the next OS release.

IPX support enables a Windows 2000 RRAS server to function as a remote access server for NetWare IPX clients and also serve as an IPX router to route RIP. For situations requiring secure connections. requiring a toll call to connect. In addition to the IPX protocol. If the LAN already has a direct connection to the Internet. function as a router. These protocols enable Windows 2000 to bundle multiple connections to achieve an aggregate bandwidth. and AppleTalk. NetBEUI is a good solution for remote access to small LANs and where dial-up traffic does not require routing (since NetBEUI is a nonroutable protocol).Protocol (PPMP) and Bandwidth Allocation Protocol (BAP). But connection cost isn’t the only factor. You might use PPTP or L2TP to connect through the Internet to a VPN server on your LAN. Why not just dial directly into the LAN? Connection costs are a primary reason. Windows 2000 RRAS also offers good network protocol support for RRAS connections. for example. Both protocols provide a means for encapsulating and encrypting data packets for secure transmission across public networks such as the Internet. IPX. you can use multilink to combine both B channels of an ISDN connection to achieve an effective throughput twice what you’d get with a single channel (or even do the same thing with two DSL circuits). supporting TCP/IP. BAP lets Windows 2000 dynamically manage the connection. For example. Support for the AppleTalk protocol enables Macintosh clients to access network resources shared by other AppleTalk clients on the LAN. and NetBIOS traffic. the client must be running a NetWare network client. you can do so through the RRAS service. For TCP/IP connections. Since PPTP encapsulates the data unencrypted by default. Windows 2000 supports Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). Administration 67 . NetBEUI. Where additional security is needed. or do any combination of the three. it provides a higher degree of security than PPTP. you’ll need to specifically use MS-CHAP or EAPTLS if you want your PPTP connection to be truly secure. Setup automatically installs the RRAS service but doesn’t enable it. giving you secure dial-up access to your LAN. The RRAS service also allows clients to request a predefined IP address. The server can handle incoming remote access connections. The LAN might be located outside your local calling area. NetBEUI is much easier to configure than TCP/IP and therefore results in lower administrative overhead. If you do need to support NetWare clients that use IPX. Enabling RRAS When you install Windows 2000 Server. you’re probably going to settle on TCP/IP as the protocol of choice. This means you don’t have to install the service but you do need to enable and configure it according to the functions you want the RRAS server to perform. adding or dropping connections as needed according to bandwidth utilization. including those shared through Services for Macintosh or by other local Macintosh clients. you avoid the need to install and support dial-up equipment on the LAN side. RRAS can allocate IP addresses and related settings to incoming connections either through DHCP or a static address pool. you can use L2TP rather than PPTP. SAP. While this requires that both source and destination routers support L2TP and IPSec. Unless you’re configuring a router or remote access server for only Microsoft clients that don’t require Internet connectivity or supporting only NetWare clients. PPTP doesn’t use encryption by default but can use Microsoft Point-to-Point Encryption (MPPE) to encrypt the PPP frames with encryption keys generated with MS-CHAP or EAP-TLS authentication. manage outgoing remote access connections. plus you eliminate a potential security risk—unauthorized clients bypassing the firewall or proxy server to gain access to your LAN through the dial-up back door. L2TP relies on Internet Protocol Security (IPSec) to provide encryption of encapsulated data rather than MPPE. such as the Client for NetWare on Windows 2000 Professional computers or Gateway Service for NetWare on a Windows 2000 Server computer.

Configuring a network address translation server (Internet gateway) The Routing and Remote Access Server Setup Wizard. right-click the server and choose Configure And Enable Routing And Remote Access to start the Routing And Remote Access Server Setup Wizard. What’s next At this point you have a basic background in the Windows 2000 Routing and Remote Access service with a look at many of its requirements and capabilities. you can disable and then re-enable the service to start with a clean slate. although you’ll lose most of your manually configured settings when you do so and you’ll have to reapply them through the wizard. For incoming connections. in the RRAS console. Configuring Routing and Remote Access on your Windows 2000 server Oct 24. and so on. Now. run the wizard again to configure the service. standalone modem pools. and routing. Configuring connections for routers typically means adding a network interface where appropriate and configuring its protocol settings. Internet Connection Server. You have full control over settings after installation and can modify settings as needed if you choose to let the wizard configure the server for you. and after the service stops. 2000 By Jim Boyce I 68 n “Introducing Windows 2000 Routing and Remote Access” (page 63). right-click the server and choose Disable Routing And Remote Access. and then run the wizard at a later time if you want to change the server’s role. The wizard lets you choose between four different types of servers or configure the server manually. DLS equipment. gives you five options for setting up a Windows 2000 RRAS server. your next step is to enable and begin configuring the RRAS server. starting with a network address translation (NAT) proxy. multiport cards. modems. along with security and integration features. and so on. You’ll find the Routing and Remote Access console in the Administrative Tools folder. If you configure the server using the wizard and then decide you want to start over from scratch. The same is true for outgoing RAS connections. ISDN adapter. To do so. You can also configure the server manually. depending on the types of clients you need to support. Second Edition . I discussed the Windows 2000 Routing and Remote Access Service (RRAS). In the left pane. but this typically involves adding only a network interface or installing a modem. this could mean installing additional network interfaces. which runs when you enable the RRAS service. which provides support for dial-out connections. Once the interfaces or remote access hardware is in place and tested. lets you configure a Windows 2000 RRAS server to share its Internet connection Administrator’s Guide to VPN and Remote Access.The first step in getting the RRAS server up and running is to ensure the connections are in place. The first wizard option. it’s time to start configuring your RRAS servers. I also explained the connection and network protocols supported by Windows 2000 RRAS. dial-in connections.

0 The third function the NAT server performs is DNS resolution. This function isn’t a necessity if you want to use a different subnet from the default of 192. As in the case of ICS.240. The server handles the translation. and the server performs the necessary NAT required to enable the clients to connect to the Internet. applying the local address of the target client. the NAT server can allocate IP addresses to clients that are configured to obtain their address leases via DHCP.0. nonroutable subnet to access the Internet.0 with subnet mask 255.0. The server replaces 192. The server replaces the client’s IP address with its own public address and replaces the source port with a different. Figure A Private network interface 192.0.0. the server sits on both the public Internet and the private local network.147. NAT handles three main responsibilities. The NAT server redirects replies to the requesting client. nonroutable subnet but still gain access to the Internet. This option actually offers two different methods to support the Internet connection. For example. you need to understand the different functions that the NAT server performs.255. Address translation is the first function the NAT server performs by translating IP address and TCP/UDP ports for packets traveling between the public interface (the Internet) and the private local network.0. In this configuration. replacing its own IP address for the client’s address.1.1. This is the function that enables clients to reside on a private.147.0. 172. and the server intercepts that traffic (since it functions as the default gateway for the client).5 Workstation NAT Server Workstation Understanding network address translation (NAT) To configure a NAT server. The second function the NAT server performs is address allocation.147. The server replaces the IP address for incoming packets in the same fashion.16.0.0 with subnet mask 255. let’s take a minute to get a background understanding of NAT.0 192. The following are the network IDs reserved for private networks: 10.0.5 and uses a private interface of 192. Here’s how it works: A client on the private network generates packets for a public node. assume that the server resides on the public interface 206. as illustrated in Figure A. unique port number. A client on the private network at 192.168.168. say.17.20 requests a Web site on a standard TCP port 80.5 and replaces the port with. The NAT server performs address translation through the use of a NAT table.0. The second method provides essentially the same function but much more flexibility for configuration.and function as a gateway to the Internet for other computers on the server’s local network. The client computers reside on the local private network. Before diving into NAT setup. Clients submit DNS requests to the NAT server.168. port 5000.n or if you already have a DHCP server on the network to handle address allocation. Public Internet interface 206.0. The Administration 69 Private Network .0.17. though.20 with 206.168.168. each performed by a different RRAS component.0 Workstation NAT enables computers on a private.0 with subnet mask 255. enabling the packets to be routed back. The NAT server then forwards the requests to the DNS servers configured in the NAT server’s TCP/IP settings. which also is available in Windows 2000 Professional and Windows 98SE. The first method uses Internet Connection Sharing (ICS).

Internet Connection Sharing (ICS) The first of the two methods that Windows 2000 offers for NAT services is Internet Connection Sharing (ICS). Even so. the NAT server needs a means of determining the appropriate address and port information for routing the packets. but sharing a dial-up line such as this to enable Web browsing or concurrent FTP sessions isn’t very practical. and NetBIOS over TCP/IP. The ICS server provides DNS proxy name resolution for the clients and performs the network address translation necessary for the clients to use the connection.server stores the replacement data in the NAT table and sends the packet. To get around this problem.254.1 to the server’s local network interface. translation could fail. and ways in which the clients use the connection.0. NAT works just fine as long as the IP address and port data are contained in the IP header of the packet. including Windows 2000 RRAS. The practicality of the connection depends on the type of connection.2 through 192. Certain FTP operations. NAT servers. it checks the NAT table.255. helping isolate them from the Internet. ICS is included with Windows 2000 Server.0. Second Edition .168.) Internet Translation Private Network NAT Service Outgoing Traffic Incoming Traffic NAT editors provide additional processing for both incoming and outgoing traffic where needed.254.0. The server then allocates IP addresses to clients when they start up. When a packet comes back. assigning addresses in the range 192. the server shares its Internet connection and acts as a proxy for the clients to enable them to use the connection as well.168. For example. When the address or port data is contained in the body of the packet (also referred to as the payload). if preferred. and Windows 98SE. such as a T1. You can also configure clients to use static addresses in that range. Windows 2000 Professional. ICMP. as well as other IP operations. highspeed connection.168. Figure B illustrates the concept. This network address translation and the fact that the local network resides on a nonroutable private subnet can provide a layer of protection for the clients. doing the same for incoming packets before passing them to the destination client on the private network. 70 Administrator’s Guide to VPN and Remote Access. The NAT editor analyzes the packet and performs the necessary additional translation to send the packet on its way. and forwards the packet to the correct client. PPTP doesn’t use a TCP or UDP header but instead uses a Generic Routing Encapsulation (GRE) header with a tunnel ID stored in the GRE header identifying the data stream. Here’s why: Enabling ICS on a Windows 2000 Server computer automatically assigns the IP address 192. Figure B NAT Editors (if req. employ NAT editors to perform this additional processing. reverses the translation according to the data in the packet and in the NAT table. number of clients. PPTP. That connection could be something as simple as an analog dial-up connection or a dedicated. can also have problems with NAT because of the way the packets are built. Several clients sharing a 56K dial-up connection to access e-mail is a practical application of ICS. ICS presents an easy way to share a single connection and can provide a layer of security between the clients and the Internet because the local clients reside on a nonroutable subnet. much like a DHCP server. In an ICS connection.0. using a Class B subnet mask of 255. Windows 2000 RRAS includes NAT editors for FTP.

prompts you for the following: Name—This is a friendly name for the connection as it appears in the RRAS console. NAT provides full control over server configuration and is the Internet connection sharing option you configure through the RRAS console. Using a demand dial interface can reduce costs by reducing connection time for metered services. you’ll need to use the second method. whether PPTP or L2TP. VPN protocol—If you choose a VPN connection for the demand dial interface. you don’t use the RRAS console to configure it. If there is only one interface. which runs as part of the RRAS Setup Wizard. (Skip to the section on completing the NAT server configuration.168. Select the network interface through which the connection is shared from the drop-down list.1 address. Windows 2000 starts the RRAS and then launches the Demand Dial Interface Wizard. You can choose an existing network interface with an Internet connection or direct the wizard to create a new demand dial interface. you lose in flexibility. Then. If you choose the latter option to create a new demand dial interface. When you choose the NAT method in the RRAS Setup Wizard. What you gain in ease of configuration. the wizard prompts you to select the protocol. one for the local network and one for the Internet connection (which can be a dial-up connection). If you select ICS in the RRAS Wizard. if you want to configure the NAT server manually. Click the Sharing tab. and if that fails. and choose Properties. Windows 2000 will attempt to use L2TP for the connection. which you should already have installed and functioning. the wizard prompts you to select the private interface. the wizard prompts you to select the device.0. it will use PPTP. Windows 2000 starts the RRAS. as well as the dial-up number. The Demand Dial Interface Wizard. select the Dial On Demand option to enable the server to automatically dial the connection when a client attempts to access an Internet resource. After you specify the public and private interfaces. You can configure RRAS to function as a NAT server either through the RRAS Setup Wizard or manually. If you choose a physical device. the wizard first prompts you for the Internet connection for which the server will provide NAT services. Choose a name that adequately describes the remote connection. the wizard selects it automatically. if the server has more than one interface. Server address—For VPN connections. Simply make sure you have two functioning network interfaces. Configuring a demand dial interface A demand dial interface doesn’t remain connected all the time but instead connects only when a client requests a resource that resides beyond the interface. If you need to use a different subnet or need to control other aspects of the connection. the wizard points you to the Network And Dial-Up Connections folder to enable ICS. If the shared connection is a dial-up connection. however. and then select the option Enable Internet Connection Sharing For This Connection. specify the IP address or Fully Qualified Starting NAT server configuration Although both the ICS and NAT features in Windows 2000 perform network address translation. Windows 2000 automatically reconfigures the network address of the computer’s local network interface and begins handling requests from clients for IP address assignment and Internet access. When you click OK. Connection type—You can choose between physical devices such as modems and ISDN adapters or a VPN connection.) Administration 71 . open the Network And Dial-Up Connections folder. ICS provides an extremely easy means of setting up a shared Internet connection for clients and is essentially a one-click procedure. If you choose Automatic Selection. If the server has more than two additional network interfaces. This is the interface that will be assigned the 192. right-click the Internet connection. because ICS offers few configurable options.If you decide to use ICS. and you can then use the RRAS console to fine-tune the configuration. NAT.

Select the interface for which you want to add NAT services. you need to specify the interfaces on which the RRAS server should perform translation. Or. You can reach these pages later. which include IP and IPX. If you have multiple network subnets. You use the Address Pool page to configure the range of IP addresses assigned by your ISP for your network’s use. if needed. In that case. Select the option Private Interface Connected To Private Network to identify the interface as residing on the private side of the server. by double-clicking the public interface. Adding a NAT interface After adding the NAT protocol. Select this option to have the server translate TCP and UDP ports in addition to the IP address for translated packets. you can configure the server manually. Completing the NAT server configuration After you run the wizard and configure the server for NAT. for example. This section explains how to do that. open the RRAS console and expand the server. Open the IP Routing branch. Rightclick General. If you configure the server through the wizard. you might have already configured the server for another purpose. as well as modify the configuration for both situations. Second Edition . and select New Routing Protocol. Select Network Address Translation. In most cases you’ll need to select this option to enable NAT to function properly for the private networks. To add NAT interfaces. the wizard prompts you for the two minimum interfaces—the public Internet connection and the private network interface. and click OK. you could configure the server with a network interface for each and have the server provide NAT for all the subnets. Windows 2000 then prompts you to specify whether the interface is public or private. You also specify a user account to use for authentication and set other security and connection options. Selecting the latter option enables the Translate TCP/UPD Headers option. right-click Network Address Translation. However. and choose New Interface. Windows 2000 RRAS can provide NAT services on more than one interface.) Open the RRAS console and expand the server in the left pane. you’ll probably need to finetune the configuration. RRAS adds a Network Address Translation node under the IP Routing branch. and you can’t use the wizard to configure the server for NAT (since you’ll lose your current configuration). as shown in Figure C. through the wizard. you can manually configure the server for NAT. Protocols and security—The wizard prompts for the protocols that should be routed through this connection. (You don’t need to perform this step if you’ve configured NAT Figure C Add the public and private interfaces to the NAT protocol through the RRAS console. Select Public Interface Connected To The Internet if the interface resides on the public side of the server. and click OK.Domain Name (FQDN) of the remote VPN server. The property sheet displays two additional pages if you select the public interface option: Address Pool and Special Ports. Enabling NAT manually If you’ve already configured the server through the wizard for a function other than NAT (such as dial-up remote access) or simply prefer not to use the wizard. The next step is to add the interfaces for NAT. 72 Administrator’s Guide to VPN and Remote Access. such as password handling and connection scripting.

puter needs to be accessible to Internet clients. In the Incoming Port Administration 73 . just as it does when only one IP address is available. Or. Next. however. you might need to direct the server to handle specific ports in a certain way. You can have the special translation apply to all incoming traffic on the interface or only to traffic for a specific public IP address. For example. click Add in the Reserve Addresses dialog to open the Add Reservation dialog. click Reservations if you need to reserve one or more addresses for other nodes on the public side of the network or if you need to reserve an IP address for use by a computer on the private side of the network. Figure D Configuring address ranges Use the Address Pool tab on the NAT interface’s property sheet to specify the range of addresses allocated by your ISP to the public side of your network. as appropriate. but it’s using port 8080 instead of the default port 80 and you want to map incoming port 80 traffic to port 8080. Once you’ve done that. you might need that traffic redirected to a specific port on a specific private IP address. using those ports to translate packets to and from the private network. RRAS uses this pool of addresses for mapping packets to and from the private network. you might have a Web server located on the private network and need to reserve a public address for it. you can leave this list empty. Otherwise. For example. Select either TCP or UDP from the drop-down list. if a packet comes in for a specific port. Here’s an example: Assume you have a Web server on the private network. Type the starting address of the allocated range and the subnet mask.The Special Ports page lets you define special translation properties for specific TCP or UDP ports. To do that. the RRAS server requests unique TCP and UDP ports from the protocol stack. it switches to translating the ports. the server leaves the ports as is and only translates the IP address. and enter the IP public address for which the special translation needs to occur. To translate the port for all addresses on the public interface. then click Add. In this situation. Specify both the public IP address to reserve and the IP address of the computer on the private side that will use that address. In special circumstances. Configuring special ports In most cases you can allow NAT to handle TCP and UDP port translation on its own. If you have multiple public IP addresses. If your ISP allocated only one IP address. selecting a currently unused address from the pool. you can apply reservations to reserve one or more of the allocated addresses for other nodes on the public side of your network (for other servers. as shown in Figure D. select On This Interface. you can specify the starting and ending addresses if you can’t use a subnet mask to define the range. first click Add on the Address Pool page to open the Add Address Pool dialog. mapping the public address to the Web server’s private address. If the com- Specify the range of addresses the NAT server uses for translating traffic to and from the private network. To configure a special port. you’d configure a special port so that incoming traffic bound for port 80 is translated to port 8080 on the appropriate IP address. If the server runs out of addresses. click the Special Ports tab. select On This Address Pool Entry. You need to add the address range to the list if your ISP allocated more than one address. To do this. for example). Finally. select the option Allow Incoming Sessions To This Address. RRAS determines the ending address automatically.

either for UDP or TCP. While you could install a DHCP server to provide addresses to the clients. then select the demand dial interface from the drop-down list. we looked at network address translation and configured a Windows 2000 RRAS server to function as a gateway between a private network and the Internet. Open the properties for NAT under IP Routing. Second Edition . You can specify TCP and UDP ports separately. Administrator’s Guide to VPN and Remote Access. Select the option Automatically Assign IP Addresses By Using DHCP. first configure the NAT server’s TCP/IP properties on the public interface to add the DNS servers the NAT server will use for lookup. Then. Add additional port assignments as required by the applications you use. Configuring general NAT properties After you configure each interface as I’ve explained. making those available for other servers or fixedaddress nodes on the private network. In the previous example of the Web server. Remote server port number—Specify the port on the remote server that needs to be remapped on the private network. TCP or UDP—Select the port type for the remote server port. you might run an application that uses nonstandard ports to communicate with a server on the Internet. Provide the following information: Name—This name serves to identify the application in the RRAS console’s list. and choose Properties.text box. you’d put 80 in the Incoming Port box and 8080 in the Outgoing Port box. open the properties for NAT. open the RRAS console and expand the server in the left pane. the NAT server can also handle that function. The options are self-explanatory. Click Add to display the Internet Connection Sharing Application dialog. I’ll take a look at configuring a remote access server to support incoming connections. Configuring applications The Translation page of the NAT server’s properties also lets you configure applications for NAT. you can configure the NAT server to provide the appropriate port translation. Specify the private IP address to which the traffic needs to be routed and the control destination port on the private computer in the Outgoing Port box. You can configure the clients for static IP addressing or rely on DHCP for address assignment. and the NAT server can optionally fill that role if no other DNS proxy is available. then click the Address Assignment tab. The Translation page lets you specify how long the NAT server maintains port mappings in the NAT table. click the Translation tab. open the RRAS console. and open the properties for NAT under IP Routing. To configure address assignment. Configuring address assignment The clients on the private network must reside on the same subnet as the NAT server’s private network interface. Click Exclude if you need to exclude one or more addresses from DHCP assignment. you need to turn your attention to general NAT service properties. In the next article. The General page of the NAT properties lets you configure the level of logging by NAT in the System log. type the port number to which incoming traffic is directed. eliminating the need for a separate DHCP server. What’s next? This time around. then specify the address range by entering the starting IP address in the range and the subnet mask. If you’re using a demand dial interface to connect to the Internet. For example. expand the server. To configure applications. and then click Applications. 74 Configuring name resolution The private clients need a server to provide proxy DNS lookup. There are separate settings for TCP and UDP. Click the Name Resolution tab. A given application could require more than one entry. To configure DNS lookup on the NAT server. So. which is common with Internet games such as Subspace or Diablo. and select the option Clients Using Domain Name System (DNS). select the option Connect To The Public Network. as needed. Incoming response ports—Specify the port translations for the ports on the private network. In the RRAS console. right-click Network Address Translation under IP Routing in the left pane.

For example. These connections might come in through one or more modems connected to the computer’s communications ports. not on the remote computer (except when the client executes a network-enabled application). through a multiport communications card handling multiple modems. A RAS connection that connects the client to the LAN is called a point-to-LAN remote access connection.Configuring Windows 2000 as a remote access server Dec 4. the remote clients can access resources on the server or LAN as if their computers were connected locally to the server or LAN. or even a network interface. So. Setting up the hardware Whether you’re configuring a Windows 2000 Professional computer to enable single connections or a Server computer to handle a modem pool. if you have a modem pool of 48 modems. Remote control applications can’t exist without remote access—the client either dials in to the remote computer directly or dials in to the LAN. On the Windows 2000 Professional side. mouse. essentially limited only by the number of available incoming connections. Remote access is not the same thing as remote control. I’ll take a look at configuring a Windows 2000 RRAS server to function as a remote access server (RAS). Both Windows 2000 Professional and Windows 2000 Server can act as remote access servers. Administration 75 . The applications run on the remote computer rather than on the client’s local computer. Depending on the remote control application. your first step in setting up a remote access server is to configure the hardware for the incoming connections. you can configure a workstation to allow incoming connections through dial-up (one at a time). for example. I What is a remote access server? The term “remote access server” can refer to a server that performs a range of remote access services. 2000 By Jim Boyce n “Configuring Routing and Remote Access on your Windows 2000 server” (page 68). Under Windows 2000 Server. a modem pool/communications server connected to the LAN. clients can open and save files and use printers. and display for the remote computer. albeit with different restrictions on each platform. instead of just providing the ability for clients to dial into the company LAN. Regardless of the type of connection. Remote access makes the client’s local computer a part of the remote network. the remote control application gives the client a long-distance keyboard. just as they can locally. I showed you how to configure a Windows 2000 RRAS server to function as a Network Address Translation (NAT) server. the client uses the remote control application to log onto and run applications on a remote computer. that connection might take the form of a public Internet connection. A RAS connection that connects the client to the dial-up server is called a point-to-point remote access connection. With a remote control application such as Symantec’s pcAnywhere. In effect. you’ll need a remote access connection to the server or to the server’s LAN before the remote control application can do anything. depending on how RRAS is configured. Applications run on the client’s local computer. handling incoming connections for remote clients. using the remote server’s and client’s existing connections to the Internet as the means of communication. Windows 2000 Server will support all those connections concurrently. giving the remote caller the ability to use resources stored on the local computer or on the LAN. RRAS can support multiple concurrent remote access clients for those same purposes. For example. In this article. if you need to use a remote control application to manage a remote server.

ISDN functions in some ways like a PSTN dial-up connection except that the connection is digital rather than analog and provides better throughput. Some services. nor is it the best option in terms of performance. If the device relies on Windows 2000 integrated authentication. Basic Rate Interface (BRI) provides two 64-Kbps channels.While you can certainly grow the server’s capabilities later on. or both. which enables the server to process RADIUS authentication requests from the communications equipment. The speed at which your users need to connect will be the primary deciding factor in your decision. authenticating users against local or domain accounts. you can use either Windows 2000 authentication or RADIUS (the IAS service in Windows 2000). you can use IAS as the authentication service. you need to determine your clients’ current needs and plan for that growth. check with your local communications provider to determine what services they offer. the incoming call rolls to the next available line. you’ll need a channelized T1 (24 channels or dial-up lines per T1) and the appropriate remote access hardware to accommodate the incoming calls. Instead. If one line is busy in the hunt group. PSTN is certainly not the only option. Your communications provider assigns a phone number to each channel. and Primary Rate ISDN (PRI) provides twenty76 three 64-Kbps channels. ATM is a standard communications protocol for highspeed data links. the device’s firmware. ISDN is a third connection option. Windows 2000 supports only X.25 adapters that connect computers directly to an X. Choosing the right communications hardware is a big part of that process. such as ADSL. There are several options for hunt groups that can address such problems as a ring-noanswer due to a hung modem. Even though 56-Kbps modems are standard nowadays. handles the task of assigning IP addresses and performing other tasks to service the RAS clients.25 smart cards—X. and as with the PSTN option. modems and Public Switched Telephone Network (PSTN) lines (standard voice lines. the system might use either RADIUS or Windows 2000 integrated authentication. PSTN will give you a maximum of 33. To support 56-Kbps dial-up connections. you can’t simply install individual 56-Kbps dial-up modems to PSTN lines and have them connect at the full rate. The T1 connects to the device and the device connects to the network. things can get a bit complicated. the server will typically perform two functions: hosting the configurationmanagement software for the device or providing authentication services. Second Edition . If you choose an external communications device. Other connection options include X. for example. If the bandwidth needs aren’t critical. Check with your provider for details to decide what best fits your needs. but cost will no doubt be a major consideration as well. may not be available in your area. ADSL is a relatively new communications mechanism that employs standard copper phone lines to achieve very high data transfer rates.25 and ATM (Asynchronous Transfer Mode) over ADSL (Asymmetric Digital Subscriber Line). If it uses the former. If you choose to get a channelized T1. If you can’t get ISDN or ADSL. In deciding which type of connection is right for you. you’ll want to set up a hunt group for the numbers with a single primary dial-up number. The communications hardware for this type of connection setup typically takes the form of a network device that contains one or more communications cards with onboard modems. In this situation. you generally will not use the RRAS service to provide dialup services for clients. If you’re installing multiple lines. the device’s software will likely include a service that enables the device to interface with the Windows 2000 authentication mechanisms. Depending on the communications device. Depending on the firmware provided with the device. such as a modem pool. once configured. or Plain Old Telephone Service—POTS) are an easy and relatively inexpensive solution. choose one number as the primary dial-up number and have your communications provider configure the lines in a hunt group. Administrator’s Guide to VPN and Remote Access.25 public network.6 Kbps for connections. you’ll probably have to choose between PSTN and digital 56 Kbps.

If you have multiple interfaces on the server. you Figure A Configuring ports In the RRAS console under the server you’ll find a Ports branch. One of the configuration tasks you’ll need to perform is to configure the remote access ports. Maximum Ports: Use this setting to specify the maximum number of connections for the selected port type. For example. the wizard will prompt you to specify the address range. network registration (address. select the port you want to configure and click Configure to set these properties. You can also use this dialog box to reset a port.Configuring the RRAS server through the wizard After the hardware is set up and functioning. If no DHCP server is available. and other information. you’re ready to configure the server as a RAS server. as would be required when a modem is hung. Typically this is a LAN interface. the server will assign IP addresses automatically. specifying the IP addresses or DNS names of the primary and secondary RADIUS servers. IP address assignment: If you’re using TCP/IP as one of the network protocols for RAS clients. however. If you choose this latter option. Demand-dial Routing Connections (Inbound And Outbound): Select this option to enable demand-dial connections for the selected port type. Right-click Ports in the left pane and choose Properties to configure ports. Double-clicking a port on the list displays a status dialog box containing line speed. Or. the wizard will prompt you for the following information: Protocols: Select the installed protocols you need to support for remote access users or add protocols if they’re not already installed. You can choose not to configure RADIUS if you’ll be using Windows 2000 integrated authentication or want to configure RADIUS properties later. The other installed communications devices (such as local modems) will also show up on the list. you need to decide which one the clients will be placed on. Whether you use the wizard to configure the RAS server for incoming connections or configure the server manually. Network connections: Select the network interface to which remote access clients will be assigned. as shown in Figure A: Remote Access Connections (Inbound Only): Select this option to enable incoming remote access connections to the selected port type. Clicking the branch dis- Use the Configure Device dialog box to configure port properties. as well as the RADIUS secret. Phone Number For This Device: Use this setting to specify the phone number associated with the device. you’ll use the RRAS console to configure and fine-tune settings. You can configure the server through the RRAS wizard or manually. RRAS will automatically add 10 VPN ports—five PPTP and five L2TP. for example). connection statistics. you need to decide how IP addresses are assigned to the clients. If you choose the wizard option. You’ll notice that if you configure the server for remote access through the wizard. You can assign addresses through DHCP if a DHCP server is available on the network. Use RADIUS: You can choose at this point to configure RRAS to use RADIUS for authentication. plays the installed ports in the right pane. you can specify a range of addresses the server will use to assign address leases to clients. See the following discussion for more information on configuring the phone number. In the resulting dialog box. Administration 77 .

I’ll show you how to set up remote access policies for your remote access server. First. Allow Access If Dial-In Permission Is Enabled. you needn’t specify individual numbers for each port. If the specified number doesn’t match the value for Called Station ID in the remote access profile. Create a new group named RAS Users and place in it all 78 Administrator’s Guide to VPN and Remote Access. the phone number is used for BAP-enabled connections.might use this setting to limit the number of L2TP connections that can be active at one time. These policies enable you to control allowed access times. If you’re using a hunt group for your phone number pool. With multilink. But now that you’ve set up your remote access server. and configure other Remote Access Policy settings. restrict users to specific dial-up numbers. 2000 By Jim Boyce I n the last few articles. If you enabled this permission. In addition to configuring the hardware and port settings. Configuring remote access policies In my last article about Windows 2000 RRAS. I’ll assume you want to modify the existing policy to allow permission only to users who belong in a specific user group. For my example. it would allow all users to gain remote access by default. I’ve shown you how to configure Windows 2000 for Network Address Translation and as a remote access server. you’ll need to either modify this policy or create a new one. Conclusion The Windows 2000 RRAS service provides many different things for your network. I’ve shown you how to configure Windows 2000 to function as a remote access server. So. Windows 2000 doesn’t change the number of ports shown in the RRAS console until you stop and restart the service. In this case. how do you secure it? In this article. In this article. This is because there are no other parameters yet specified for the policy. One of the most common purposes it serves is as a remote access server. Increasing Windows 2000 RRAS security Dec 7. Second Edition . RRAS rejects the connection. and the server sends the phone number of the connection to the remote client when the client’s system requests another connection. I’ll create a group called RAS users and grant them permission. By default. The phone number property is also used for the Called Station ID property in the remote access profile. you need to configure remote access policies. open the Local Users And Groups console (stand-alone or member server) or the Active Directory Users And Computers console (domain controller). Open the console and click the Remote Access Policies branch. I showed you how to configure the hardware and port settings for your server. Double-click the policy and note that Deny Remote Access Permission is selected. remote access permission is denied through the Remote Access Policy. The phone number property isn’t needed unless you’re supporting multi-link connections or restricting users through remote access policies to a specific dial-up number. I’ll also show you how you can create secure connections across the Internet using VPN protocols. You configure remote access policies through the RRAS console.

expand the Remote Access Policies branch. and for RAS 2 to be 5:00 P. click Day-And-Time Restrictions. what happens if you want two separate groups to have RAS access at different times? Simple: You just create two policies. and click OK. When you define the policies for RAS 1 and RAS 2. Specify the allowed dial-in times in the Time Of Day Constraints window. and a third group that can gain access at all hours but must use L2TP for security. and RRAS would therefore grant (or deny) access subject to the properties of the matched policy.M. If they attempt to use a different tunneling protocol. Windows 2000 rejects the connections. and click OK. such as PPTP. and click Add. Click Add in the Groups dialog box. and then close the property sheet for the policy to apply the change. The policy you just created allows all users in the RAS Users group to log in via RAS at any time.M. click on a policy.M.M. Setting up a VPN server is initially not much different from configuring a remote access server. So.M. open the RRAS console. granting access to a caller if the caller’s parameters match at least one policy. and click Edit. then connect through that Internet connection to the office LAN. Each group of users would belong in an identifying group. and click Add. another that needs access from 5:00 P. select the group. Click Add. Configuring a VPN server Virtual private network (VPN) connections enable clients to establish a secure. For example. as shown in Figure A. You create three policies. although there are a few additional steps and considerations.and down-arrow buttons in the toolbar to change the policy’s location in the list. to 5:00 P. Select Grant Remote Access Permission. Now. Next. open the RRAS console and doubleclick the policy to open its Settings property page. use the WindowsGroup property along with the Tunnel-Type Figure A Configure the Day-And-Time-Restrictions condition to control when remote access users can dial in. To do so. each policy has two properties (in this example): WindowsGroup and Day-And-Time-Restrictions. PPTP and L2TP. You can modify the Day-And-TimeRestrictions profile to allow RAS access only at certain times. users who travel can connect through a national or local ISP.M. private connection to a remote computer or LAN through a public network such as the Internet. one for each situation. and RAS Secure. to 5:00 P. select Windows-Groups. For the third group.M. For example. and use the up. then OK again to close the two configuration dialog boxes and return to the Settings property page. which I’ll name RAS 1. You configure the priority of policies so that RRAS parses them in a specific order..the users to whom you want to grant remote access permission. to midnight. property set to L2TP to restrict users in that group to use only L2TP. Windows 2000 prompts you for 79 Administration . When you run the wizard and select the Virtual Private Network option. This gives you the ability to move the most frequently used policy to the beginning of the list to speed connections and reduce overhead. You configure the allowed logon times for the DayAnd-Time-Restrictions property for RAS 1 to be 8:00 A. RRAS processes all the remote access policies if needed. To configure policy priority. RAS 2. open the policy again. assume you have three groups of users: one that needs access from 8:00 A. the latter provides stronger security than PPTP primarily because of differences in the encryption methods between the two. Configure other settings as needed. Windows 2000 supports two tunneling protocols. a caller might not match the first policy or the second but might match the third. to 12:00 A. Click OK.

but you might have to fine-tune the configuration. If your server is functioning only as a VPN server. network interfaces. If you wish to support both VPN port types. select Remote Access Server. choose Properties. particularly if you are using static routes. Select Remote Access Connections (Inbound Only) to enable remote access for the port type. excluding all other traffic. you might want to configure filters to restrict traffic to and from the VPN server. If you didn’t already do so through the wizard. One difference is when you use the wizard to configure the server for VPN. In most situations the wizard will handle these tasks. or use a static address pool to assign IP addresses to clients. you’ll probably want to ensure a higher level of security than what you’ll have by default. you don’t need to configure any routing properties. Configuring the server for remote access creates only five ports each. you might already have the server configured for another RAS purpose and need to configure the server manually for VPN. consider applying IP filters to allow only PPTP traffic coming to and from the server. Set up the intranet connection—If your server is multihomed (has a public interface to the Internet and a private interface to the intranet). Configure IP addressing and routing— On the properties sheet for the server. configuring the server to rely on DHCP. repeat the process for each. Use the Maximum Ports spin control to increase or decrease the number of ports. Select either PPTP or L2TP and click Configure. it creates 128 ports each for PPTP and L2TP. Configure ports for remote access—You need to ensure that the necessary ports are created and configured for remote access. right-click the server. and then click the Security tab. On the General page. Click Authentication Methods to specify the authentication methods you want to support. In the RRAS console. You need to use either MS-CHAP or EAP-TLS if you need to support encrypted authentication. as well as define the authentication mechanism(s) to be supported. Plus. since no routing is necessary. This will help 80 Administrator’s Guide to VPN and Remote Access. Right-click Ports and choose Properties. IP address assignment mode. right-click the server. first perform these tasks: Set up the Internet connection—This is the public connection through which remote clients will gain access to the intranet. In particular. Expand the server in the RRAS console and open the Ports branch. Remote clients will receive an IP address assignment from the same subnet as the computer’s Internet interface. Open the RRAS console. Configuring the server for PPTP VPN connections Although you can begin using the server to service VPN clients at this point. The number won’t increase in the ports list. Note that you don’t need a second interface to set up a VPN server.essentially the same information as for a Remote Access Server. you still have some tasks to perform to complete the operation. public interface will suffice. you’ll need to enable RAS on the server. and RADIUS authentication status. until you stop and restart the service. Even if you use the wizard to set up a VPN server. however. If you choose the manual method. Second Edition . click the IP tab and select Enable IP Routing. configure the intranet connection and verify connectivity with clients on the intranet. you’ll need to configure static routes or use routing protocols to enable routing between the public and private interface(s). including protocols. A single. If the server has only one network interface. Set up routing (multihomed systems)— If the server is multihomed. configure IP address assignment through the same property page. Enable remote access—If you are configuring VPN support manually. and choose Properties. Verify that the connection is fully configured and functioning. You can choose between Windows Authentication and RADIUS both for authentication and accounting.

and Administration 81 . specifying 0 for the Source Port and 1723 for the Destination Port. As you do for PPTP filters. Open the properties for the Ports branch. The last step in configuring the input filters is to specify the action to take for the filter. enter the address of the interface. Create a filter for Source Network.255. and entering 47 as the protocol number. On the General page of the interface’s property sheet. In the RRAS console. and Destination Port 1723. create the necessary output filters. Next. click Output Filters. Back on the Input Filters dialog box. select L2TP from the Ports list. the IP address of the interface. and click the General branch. Configure the filter to drop all packets except those that meet the filter criteria.255. Source Port 0. Return to the Out- Figure B Configure input and output filters to restrict traffic on the server to VPN traffic. a subnet mask of 255. Right-click the interface on which you want to configure filters and click Properties. Add a second IP filter for Source Network with TCP as the protocol. You also should configure filters to restrict traffic to and from the server to prevent unwanted traffic from being routed through the server.255. the IP address of the interface.255. When the Input Filters dialog box reappears. this time selecting TCP from the Protocol list. Specify 255. if desired. The General page is the place to go to configure filters.255.255 in the Subnet Mask field. specify 1723 as the Source Port and 0 as the Destination Port. setting Protocol to Other. You’ll need to add one more input filter if you intend to use the server as a PPTP client.255. click Input Filters and then click Add in the Input Filters dialog box. Create the first filter for Source Network. put Filters dialog box and configure the filters to drop all packets except those that meet the filter criteria. click Add again and add another filter with the same information as the first. 1723 as the Source Port.255. Create the first filter for Destination Network. you need to configure the L2TP ports to allow remote access. you configure L2TP filters through the properties for the affected network interface. select Drop All Packets Except Those That Meet The Criteria Below. and 0 as the Destination Port. Next. if needed. Click OK to add the filter. However. Select Remote Access Connections (Inbound Only) and then close the dialog boxes.255. enabling you to configure filters differently for each interface. Configuring the server for L2TP VPN connections As you do for PPTP. add a third filter for Source Network. Select Other from the Protocol drop-down list and type 47 in the Protocol Number text box. and click Configure. entering the subnet mask of 255.255. and 500 for both the source and destination ports. a subnet mask of 255. and then click OK. Create a third filter using the same basic information as the first two. Start with the input filters. Select Destination Network. Add a second input filter using the same information but specifying 1701 for both the source and destination ports. To configure the input filters. this time select TCP from the Protocol list. UDP as the protocol. expand the server then the IP Routing branch. UDP as the protocol. as shown in Figure B. using TCP.255. specifying the IP address of the interface.255. Filters apply at the interface level.prevent unwanted traffic from being routed through your server to your LAN or from the LAN to the Internet. If the server will be used as a PPTP client. and then in the IP Address field. configure output filters using much the same process you used for the input filters.

To address this concern.) 82 Administrator’s Guide to VPN and Remote Access. followed by the Remote Access Policies branch. Then. Add a second output port with similar settings but with source and destination ports of 1701. and then click the Encryption tab. Configuring RAS policy for PPTP/L2TP After you configure the ports and other settings for PPTP and/or L2TP. turn your attention to configuring remote access policies to allow VPN connections (and potentially restrict access only to VPN access). Create a new remote access policy. move it after the VPN policy. add a condition for NAS-PortType set to Virtual (VPN). or both. flatten their networks. depending on the levels of encryption you want to allow for VPN connections according to your clients’ configurations.source and destination ports specified as 500. You should also have already installed a second network adapter card in the machine. giving it an appropriate name such as VPN Access. Configure the conditions for the policy to include group membership so that it restricts access only to users who belong in your VPN users group. Conclusion In this article. You need to make this change because the default policy denies access to all users. depending on which protocols you’re supporting on the server. On VPNs. including PPTP and L2TP. Finally. and not compromise connectivity. You can do so using remote access policies and VPN. If you haven’t modified the default remote access policy. Then. L2TP. Configure the filters to exclude all packets except those that fit the filter criteria. you must have your DNS server and DHCP server information handy. U BEFORE WE BEGIN In order to configure the R&R module correctly. you have several different types of protocols to choose from. Double-click the newly created policy to open its properties. MCP sing new products from Sybergen and Linksys to share Internet access is great for the consumer. but these products aren’t practical or efficient for a corporate network. Select the appropriate options on the Encryption tab. Second Edition . I’ve shown you how to increase security for your remote access servers. Routing and remote access on Windows 2000 Advanced Server Sep 6. Add a third condi- tion for Tunnel-Type set to PPTP. (I’ll discuss the reason for this later. this article examines the routing and remote access options available with Windows 2000 Advanced Server. I explained these protocols and how to configure RRAS to support them. create a group (or use an existing group) to give you a means of restricting VPN connections to specific users. configure encryption. First. Windows 2000 Advanced Server allows IT professionals to share Internet access. open the RRAS console. 2000 By Matthew Mercurio.

However. After the installation and a lot of experimenting with the many new modules. it turned out to be a very eye-opening experience. I thought it was a bad idea to place a Windows 2000 box on my network just to share Internet access. Administration 83 . and the configuration of it was even easier. you will see the connection choices. The arrows indicate the location of the Windows 2000 Advanced Server Routing and Remote Access module. the easiest way to get to the Routing and Remote Access (R&R) module is by rightclicking on the My Computer icon on your desktop and choosing Manage. plug-ins. The Routing and Remote Access module installation was relatively easy. a red arrow pointing down will appear on the icon Remote and routing access configuration next to the R&R title. shown in Figure A. Once you are in the Computer Management window. If the R&R module is not running. From here you can configure various connections. Then click Configure And Enable Routing And Remote Access. For the purpose of this article. On the resulting screen. Let’s take a closer look. I’ll focus on the Remote and Routing Access module. and the R&R module. a green arrow pointing upward will appear. Starting the routing and remote access setup wizard To start the R&R setup wizard. will then be visible. If the R&R module is up and running. Figure B Figure C Click Configure And Enable Routing And Remote Access. choose Internet Connection Server. Once the Windows 2000 Advanced Server is installed. A dialog box will appear reporting that you’ve started the R&R wizard. and components included in the new network operating system. expand the Services And Applications tree. For this demonstration.Windows 2000 Advanced Server Figure A I have to admit that at first glance. click the Action button at the top of the toolbar as shown in Figure B. Simplicity is key when it comes to sharing a single IP for Internet access. the Remote and Routing Access module quickly changed my mind. as shown in Figure C. There are many modules. Click Next to continue.

The R&R module will use NAT to masquerade your internal network.” However. First. For the purpose of our demonstration. First. In my case. For this demonstration. Using two NICs We want the ability to share our Internet connection with the rest of the network computers. Second. but I recommend using names that will allow you to quickly recognize which NIC is serving what purpose. Choose your connection type The next screen that appears is the Internet Connection page. The R&R module does the rest. including the popular RAS and VPN connections.Lan to represent my internal LAN. The R&R module gives you a choice to use Internet Connection Sharing (ICS) or Network Address Translation (NAT). Specify your Internet connection NIC. Our second choice is to decide which NIC to designate as the outside Internet connection. and click Next. then you might want to create a demanddial connection. do we want to create a demand-dial Internet connection? Since we have a cable modem and a 24/7 connection to the Internet. and the only visible IP will be the one assigned to you by your ISP. be sure to use unique names for your cards. This is where our naming convention pays off. I then used RacerX. When installing your NICs. Second Edition . Simply choose the card that is directly connected to the Internet. you are ready to make the choice between ICS and NAT. I have two 3Com 905B cards installed. you must decide what IP scheme to assign the inside card.Home for my external card because this is the card that is actually connected to the outside Internet. so we will need an additional NIC placed in the PC. our answer is “No. This is especially handy when you happen to be using the same brand of network cards. you must set up a DHCP server before beginning the setup. Here we have a couple of choices to make. Assign the outside Internet connection NIC an IP address assigned to you by your ISP. I chose NAT. choose the first option—Internet Connection Server. if you are using a dial-up modem or a modem pool. 84 Administrator’s Guide to VPN and Remote Access. as shown in Figure D. and I suggest you do the same. as shown in Figure E. Figure D ICS or NAT Select the Network Address Translation (NAT) routing protocol. and then give an internal IP scheme to the second NIC. The naming convention is entirely up to you. we will choose NAT. so I used Wizard. Figure E After you have chosen Internet Connection Server and clicked Next.A FEW WORDS ABOUT NAT There are a couple of things to keep in mind when setting up NAT through Routing and Remote Access.

will then appear. After reading this. and we are finished. and it supports both PPTP and L2TP/IPSec as tunneling protocols. Thomas Shinder. I think that not only is this a good large network solution. Click Finish to complete the Routing and Remote Access configuration.0 VPN server configuration was tedious and difficult. I would probably stick to the Sybergen or Linksys products unless you are planning to do other things like host a Web or FTP server. MCSE he Windows 2000 Routing And Remote Access Service (RRAS) allows you to configure a Windows 2000 Server family computer as a VPN server. Figure F Wrapping up I realize that using Windows 2000 Advanced Server might have a high price tag attached for a home network user’s solution. 2002 By Dr.0 version of the RRAS VPN server. you’ll be ready to tune your VPN server environment for the quickest and most secure inbound connections you can get out of your setup. shown in Figure F. We have set up the Windows 2000 Advanced Server to act as a router and share our single IP to use with the rest of our network.The final screen. Optimize inbound client connections for your Windows 2000 VPN servers Jan 22. In this article. However. Implementing a VPN server allows you to dispose of your modem banks and replace them with a single fast connection to Administration 85 . I’ll explain what you can focus on to optimize your inbound VPN connections. While the Windows 2000 VPN server is easy to set up and configure. and the only tunneling protocol supported was PPTP. Windows NT 4. you should do several things to make sure you have the most T effective and efficient inbound VPN server traffic possible for your network. The Windows 2000 VPN server represents a tremendous improvement over the VPN server functions available in the Steelhead release of the Windows NT 4. For the general home user. Client side Most Windows 2000 VPN servers allow inbound VPN connections from external network VPN clients directly connected to the Internet. but you’ll do more after you run the wizards. You configure the Windows 2000 VPN server using easy-to-use wizards. The VPN Wizard does most of the legwork for you. but it is also a good SOHO business solution as well. in which case Windows 2000 Advanced Server might be the choice for you.

Your remote users don’t need to make expensive long-distance or 800-number calls to reach the corporate network. PPTP has suffered from a bad reputation as an unsecure VPN protocol. PPTP was introduced with the Steelhead release of the Routing And Remote Access Server for Windows NT 4. Your network policy should be set so that passwords are changed periodically. To secure your PPP logon credentials. The passwords should contain letters. as users will balk if they have to change and remember new. The default PPP authentication protocols are MS-CHAP and MS-CHAP version 2. and symbols. complex passwords frequently. you can focus on three areas to optimize client connections: PPTP client connections L2TP/IPSec client connections Simplifying client connection setups using the Connection Manager Administration Kit PPTP client connections The VPN Wizard creates a number of PPTP ports on the external interface of the VPN server that accept incoming calls from PPTP VPN clients. though. MSCHAP allows downlevel operating systems to authenticate with the VPN server. Second Edition . The version included with Windows 2000 is PPTP 2. hackers and other Internet intruders will be able to break into the VPN server almost as easily as they could have with the previous version of PPTP. Make sure your clients use complex passwords of at least eight characters.asp). you should disable Figure A Accessing the RRAS’s Properties dialog box Figure B Configuring PPP Authentication Methods 86 Administrator’s Guide to VPN and Remote Access. The first version of PPTP got some bad press because of some well-described security holes. If your VPN clients choose simple passwords. On the client side. Be careful not to force password changes too often. but the level of security is dependent on the complexity of the passwords used by VPN clients. It closes the holes seen with the initial version of PPTP and includes a number of performance enhancements. nothing could be farther from the truth.microsoft.0. PPTP is the fastest of the VPN protocols included with the Windows 2000 VPN server and the easiest Windows 2000 VPN protocol to set up and configure.com/ntserver/ techresources/commnet/rras/rras. However. All they need to do is establish a connection to a local ISP and then create the virtual link to the internal network via a VPN client connection.0 (http://www. you should use PPTP as your VPN protocol. PPTP is a secure VPN protocol. numbers. Although Microsoft patched those holes.the Internet. If you’re a beginner at setting up Windows 2000 VPN servers.

select All Tasks. and click Restart (see Figure C). Figure C 2. Right-click on the server name. Restart the Routing And Remote Access Service. If your organization requires a maximum of only 10 concurrent VPN connections. Click Apply and then click OK in the server Properties dialog box. change the number of PPTP ports Restarting the Routing and Remote Access Server after configuring the PPP Authentication Method to the number you require.MS-CHAP authentication and require MSCHAP version 2. right-click on your server name and click Properties. you can also change the number of L2TP ports: 1. expand your server name and then right-click on the Ports node in the left pane of the console. perform the following steps: 1. Click the Properties command. To disable MS-CHAP authentication. In the Authentication Methods dialog box. it makes little sense to use up resources required to support 128 PPTP virtual interfaces. 4. While you’re changing the PPTP ports. Figure D Figure E Changing the number of PPTP listening ports Reducing the number of VPN ports Administration 87 . In the Routing And Remote Access console. Select Start | Programs | Administrative Tools | Routing And Remote Access. Each VPN port configured on the VPN server requires system resources. 5. select the Security tab (Figure B) and click the Authentication Methods button. remove the checkmark from the Microsoft Encrypted Authentication (MS-CHAP) checkbox and click OK. 3. In the Routing And Remote Access console (Figure A). In the server Properties dialog box. To ameliorate this situation.

If you want to change the number of L2TP listening ports. you’ll want to use L2TP/IPSec for your VPN client connections. 4. After the Certificate Server is installed and configured. L2TP/IPSec clients require computer certificates to authenticate to the VPN server. L2TP/IPSec client connections If you want the best security Windows 2000 VPN servers have to offer. In the Ports Properties dialog box. Second Edition . Figure F Starting the Automatic Certificate Request Setup Wizard 88 Administrator’s Guide to VPN and Remote Access. click Apply and then click OK in the Ports Properties dialog box. Perform the following steps to enable autoenrollment: 3. You can configure a Certificate Server on your internal network using Microsoft Certificate Services. After you have completed configuring the port numbers. type the number of desired ports in the Maximum Ports text box (see Figure E). creating L2TP/IPSec connections is a no-brainer. In the Configure Device . Even if you do plan to roll out an L2TP/IPSec VPN solution. repeat the procedure by clicking on the WAN Miniport (L2TP) entry.WAN Miniport (PPTP) dialog box. Once the VPN client computers have computer certificates. L2TP/IPSec doesn’t depend on just the username and password information to secure a connection. I know many administrators who balk at the idea of implementing L2TP/IPSec VPNs. PPTP is the best protocol for small to medium-size businesses that don’t want to implement a Public Key Infrastructure to support L2TP/IPSec VPN calls. It’s not that they don’t want to use L2TP/IPSec.2. Click OK after making the change. it’s just that they’re unfamiliar with setting up a Certificate Server and configuring Group Policy to automatically assign client certificates via auto-enrollment. Computer certificates cannot be “guessed” and provide a high level of security for VPN client connections. Group Policy is configured to automatically enroll domain members and assign machine certificates. click on the WAN Miniport (PPTP) entry and then click the Configure button (see Figure D). it may actually be easier to allow PPTP and L2TP/IPSec VPN connections to live side by side for a while so that you can implement client-side computer certificates and support downlevel operating systems that are in the process of being upgraded.

See Figure G. You’ll receive notification that the policy will be refreshed but that it may take some time to replicate across multiple domain controllers. Then at some point.) Click Next to continue. When new computers join the domain. and then use L2TP/IPSec connections after they obtain the certificate. but only the first one to receive the request will service the request. Note that this method works for machines that are domain members. select the certification authority (CA) that you want to process the request. Right-click on the Automatic Certificate Request Settings node. select the Computer certificate option. it’s useful to have a PPTP VPN connection in place before moving over to L2TP. they’re automatically assigned a computer certificate. (Note that only certificate templates that are installed on the Certificate Server will be available on the Certificate Template page. Figure G 2. Selecting multiple CAs adds a measure of fault tolerance to the process. click on the domain Group Policy object and then click Edit. and click on Automatic Certificate Request Settings (see Figure F). Selecting the Computer Certificate Template for auto-enrollment Figure H 6. You can use the Web-based certificate request interface to assign machine certificates to machines that are not members of the domain. you can shut down the PPTP listening ports and use only L2TP/IPSec. Click Next to continue. On the Certificate Template page. Right-click on your domain name and click Properties. 7. Open a command prompt on the domain controller. 4. In this situation. expand the Computer Configuration. click Finish. select New. Selecting the certification authority to process auto-enrollment requests 9. Existing domain members will receive a certificate after they restart or during a policy refresh. Administration 89 . 3. 10. On the last page of the wizard. Users can connect via PPTP. In the domain Properties dialog box’s Group Policy tab. On the Certification Authority page (see Figure H). Windows Settings. select Start | Programs | Administrative Tools | Active Directory Users And Computers. and press [Enter]. type secedit /refreshpolicy machine_policy. On a Windows 2000 domain controller. In the Group Policy window.1. and the Public Key Policies nodes. use the Web-based certificate enrollment form to obtain a machine certificate. You can select multiple CAs. Click Next. Security Settings. 5. 8. The Welcome page for the Automatic Certificate Request Setup Wizard will appear.

3. Figure I Conclusion Forcing the type of VPN connection to create with the VPN server I DON’T SUGGEST THIS. BUT IF YOU HAVE TO… If you must allow VPN clients to access the Internet at the same time they’re connected to the VPN server. click the Networking tab. and click OK. As VPNs have quickly become the de facto standard for remote access. Once you disable the Use Default Gateway On Remote Network option. Note that if you want the client to use only PPTP. if not successful. In the VPN connection object’s Properties dialog box. the user will be able to access the Internet and the internal network simultaneously. Getting rid of MS-CHAP version 1. don’t forget that both the clients and the servers can use some good old-fashioned tweaking. right-click the VPN connection object and click Properties. You may get complaints from your users regarding their ability to access the Internet after they establish the VPN link to the corporate network because a new default route is added to the VPN client’s routing table.When VPN clients connect to the Windows 2000 VPN server. you can select Point To Point Tunneling Protocol (PPTP) and prevent negotiation for an L2TP connection. you can configure the VPN client connection object to allow this. click the down arrow in the Type Of VPN Server I Am Calling drop-down list box. 2. You don’t want your clients to access the Internet at the same time that they access the internal network. the default client configuration is to negotiate the type of VPN tunnel. changing the number of L2TP ports. click the Layer-2 Tunneling Protocol (L2TP) option (see Figure I). On the Networking tab. and configuring clients to use only L2TP/IPSec are sound ways to get your incoming VPN connections zipping along with speed and security. this represents a very poor security configuration. so should your knowledge of VPN optimization. As you work to set up and configure your VPN. the need for further optimization. enabling auto-enrollment. This inability to access the Internet while the VPN link is active is the preferred configuration. is necessary in order to make the best of your VPN server connections. The VPN client will try L2TP/IPSec first and. Right-click the My Network Places object on the desktop and click Properties. try PPTP. like so: 1. Although the improvements from previous versions are significant. The key entry is Use Default Gateway On Remote Network. depending on the version of VPN client connection object you’re using. Second Edition . In the Network And Dial-Up Connections dialog box. as with most Microsoft products. it’s critical for systems administrators to get up to speed on their optimization. You can configure the client to use only L2TP/IPSec by configuring the client connection properties. 4. All Internet-bound requests will be routed through the VPN link and will cause attempts to browse the Internet or access Internet e-mail servers to fail. 90 Administrator’s Guide to VPN and Remote Access. You’ll find this entry in various places. It would be like allowing internal network users to add a modem to their machines so that they can access the Internet independently of any client access controls you’ve set on your firewall. As VPN technology grows and stabilizes.

there are several services. such as WINS. DNS. Another option is to have a DHCP server assign name server addresses to the VPN client. This is only partially true. This address is typically obtained from the internal interface of the VPN server. The VPN clients will always be assigned a default fault and host route to the IP address of the tunnel server’s virtual IP address. you might need to manually select the interface that assigns name server addresses. you need to optimize both the client-side and network-side services. DHCP. Because the browser service is a NetBIOS-dependent service. This also includes the PDC or PDC emulator for the network. Note that you cannot assign name servers based on user account. because they collate and redistribute the browser list. all servers on the network need to be configured as WINS clients. Here. The WINS server is even more useful for allowing clients to connect via a UNC path. you aren’t limited to this option. J WINS The Windows Internet (network) Naming Server (WINS) resolves NetBIOS names to IP addresses. you should configure on the internal network with your VPN clients in mind. check out my article. I will explain how you can optimize WINS. Unfortunately. so they never directly communicate with a DHCP server—not even when you have configured the VPN server to obtain IP addresses from a DHCP server. Once you have these services set up correctly. While the most common method of assigning IP address and name server information to VPN clients is via automatic assignment by the VPN server. However. The fact is. “Optimize inbound client connections for your Windows 2000 VPN servers” (page 85). Thomas Shinder. and DHCP. One thing you cannot assign to RAS clients via DHCP options is a default gateway. Ultimately. that means you’ll get a lot fewer support calls from your VPN users. which appears as a list of network resources (computers) in the Network Neighborhood or the My Network Places application. Administration 91 . For ultimate speed and security. The VPN client software can be configured with static IP and name server addresses. many popular network services are dependent on the NetBIOS interface and NetBIOS name resolution. MCSE ust setting up a VPN with RRAS is not enough when working in an enterprise-level environment. For a review of methods that you can employ on the client side. This creates a problem when your VPN clients need to browse to resources on subnets outside of the broadcast range of the VPN interface on the VPN server. if you have multiple internal interfaces. DNS. you don’t need WINS if you run a Windows 2000 network that doesn’t require any NetBIOS services. The VPN client obtains the WINS server address from the VPN server. especially servers that can act as master browsers on their local subnet. However. your VPN client connections will work as if they were directly connected to the internal network via an Ethernet cable. I’ve heard people say that if you run a Windows 2000-only network. The browser service is responsible for populating the browser list. your VPN clients can obtain DHCP options by configuring a DHCP relay agent on the VPN server itself. Also. The most prominent NetBIOS-dependent service is the browser service. you don’t need a WINS server. and the routing table and addressing infrastructure to improve your VPN clients’ speed and security. To solve the broadcast problem. VPN clients can also be assigned IP addresses on a per-user account basis. it depends on local subnet broadcasts to communicate with other browser service participants. you must install and configure a WINS server on the internal network. 2002 By Dr. From the server side.VPN networking services built for speed Feb 19. DHCP options such as WINS and DNS server addresses can be assigned this way. The VPN client will query the internal network VPN CLIENTS NEVER DIRECTLY COMMUNICATE WITH A DHCP SERVER Keep in mind that VPN clients are RAS clients.

and news services on your internal network using FQDNs. you probably already have a DHCP server The DHCP server can be on the same network as the internal interface of the VPN server or on a remote network. These applications and services use DNS for host name resolution. Right-click the General node and select New Routing Protocol. and the WINS server will return the IP address of the server on the internal network. DHCP If you work on a network of any appreciable size. Click on Internal and OK. Type nslookup and the fully qualified domain name of an internal network host.net. you should test the configuration before allowing your users to connect to the VPN. The DHCP Relay Agent will appear in the left pane. e-mail. Installing and configuring the DHCP Relay Agent on the VPN server is easy. type in the IP address of the DHCP server and then click Add and OK. you must configure a DHCP Relay Agent. USE NSLOOKUP TO CONFIRM DNS FUNCTIONALITY When setting up your VPN clients to use the internal network DNS infrastructure. In the New Routing Protocol dialog box. Right-click the DHCP Relay Agent node and select New Interface. In the DHCP Relay Agent Properties dialog box. which acts as a router for DHCP messages. In the RRAS console. you’ll find that name resolution will proceed much faster and more reliably after installing DNS and configuring the VPN client to use the internal network DNS server. Although DNS doesn’t populate the browser list. When a DHCP server is configured with a scope. expand your server name and then expand the IP Routing node. leave the defaults—unless you want the DHCP packets to hop more than four routers—and click OK. If you are running a Windows 2000 Active Directory network. such as server1. If you aren’t running Active Directory or DNS on your internal network. you want to ensure that DNS is configured on the internal network. you’ll have relatively little use for NetBIOS-dependent applications. you already have a DNS infrastructure in place. Nslookup should return the proper internal network address for server1. A NOTE ABOUT SCOPES A scope is a collection of IP addresses that belong to a particular network ID. it can service requests for IP addresses from clients on that network ID. they are native TCP/IP-based applications.internal. Note that if you place the DHCP server on a remote network. click on the DHCP Relay Agent entry and click OK. In the DHCP Relay Properties dialog box. DNS If you construct your network well. Create a dial-up connection to the VPN server and then open a command prompt.net. The DHCP Relay Agent will now forward DHCP messages to the DHCP server you entered in the Properties dialog box. For VPN clients to access Web. The majority of applications used on current networks aren’t tied to the NetBIOS interface. If you need to use a DHCP server on a remote network. it performs a host of other valuable functions for your VPN clients.WINS server that was assigned to the VPN interface on the client. The VPN server will be able to obtain addresses for the DHCP clients by taking advantage of the DHCP message routing capabilities of the DHCP Relay Agent. FTP. You can quickly test the VPN client DNS functionality using the Nslookup tool. the server should have a 92 Administrator’s Guide to VPN and Remote Access. You can create custom scopes for your VPN clients to make it easier to control the IP address assignment to these machines. Second Edition . providing IP addressing information to your internal network clients. That same DHCP server or servers can be used to assign IP addresses to your VPN clients. which is why the DHCP Relay Agent is considered a routing protocol.internal. Right-click the DHCP Relay Agent node and open its properties sheet.

a new gateway with a lower metric is created on the laptop’s local routing table. However. which makes it impossible for the laptop to access the Internet and the internal network through the VPN interface at the same time. instead of logically. RIPv2 supports Variable Length Subnet Masking (VLSM) and password protection for sharing routing information with its neighbors. all the addresses will be served from the scope matching the primary IP address bound to the network interface. the VPN clients will be able to reach all segments on the internal network. as the GUI Gateway configuration on the VPN client The default Microsoft VPN client configuration sets the client to use the default gateway on the remote network. When the user establishes the VPN link. configure the routing table on the VPN server. Each interface is connected to the same physical segment. I recommend you use the RRAS console to create new routing table entries. the server must be physically. it requires little or no configuration after it’s installed. The VPN clients take advantage of the router table on the VPN server to reach resources on remote networks. Once the VPN server has routing table entries for all the subnets on the internal network. If there are only a few internal subnets. The primary IP address is the IP address on the top of the list of IP addresses found in the Advanced tab of the TCP/IP configuration for the interface. because it’s a broadcast-based protocol. you can configure the routing table on the VPN server manually. The Relay Agent will allow assignment from the appropriate scope. but it is more complex to configure and shouldn’t be considered a “plug and play” routing protocol solution. These networks require that you use a routing protocol. Routing tables When you have a single network segment on your internal network. All nonlocal packets are routed through the VPN interface. When you select this option.NIC installed with an IP address for each network ID for which it has scopes. The VPN clients can be assigned IP addresses on the same network ID as the internal interface of the VPN server and reach all resources on the local network segment. interface is easier to use and leads to fewer mistakes in configuration. While RIPv2 is much easier to set up and configure. If the internal network has multiple network IDs and VPN clients need to reach resources on these multiple network IDs. it doesn’t scale well. because the DHCP server service will bind only the primary IP address on each interface. which creates a default route on the laptop so that all nonlocal packets are sent to the ISP’s router. OSPF is a more powerful routing protocol that provides a great array of routing options. The Windows 2000 RRAS supports both the Routing Information Protocol version 2 (RIPv2) and Open Shortest Path First (OSPF). you don’t have to worry about router issues. multihomed. The modem creates a connection to the ISP. The routing table can be configured using either the Route Add command or by using the Routing and Remote Access console. and only a single path to each subnet. Large networks that allow multiple paths to internal network resources don’t lend themselves to static routing table entries. For example. Administration 93 . which represents a host-based route that sends all nonlocal packets through the VPN interface. MULTIHOMED DHCP SERVERS You can multihome a DHCP server so that it supports scopes on multiple network IDs. problems arise when the internal network has multiple subnets. suppose the client is a laptop computer that isn’t connected to a network that establishes a link to the Internet using a dial-up modem interface. The change in the default gateway on the client can cause some sticky issues. but DHCP clients on the same physical segment as the multihomed DHCP server can receive addresses from any of the scopes. RIPv2 is the easiest to configure. However. a new default gateway is set on the VPN client. If you try to logically multihome the server.

A far superior solution is to configure the VPN client machines to use the corporate Proxy/Firewall servers to access the Internet. getting the internal network tuned up to support your VPN clients takes a bit more effort. To get around the dynamic address assignment issues. the machine will listen for RIP version 1 broadcasts. Conclusion The Windows 2000 Routing and Remote Access Service may make it easier to create a VPN server. on a large network. DNS. The solution is to enter routing table entries for all the subnets on the machine connected to both the VPN and the corporate network.This should be considered a good thing. do the following: Open Control Panel and click Add | Remove Programs. and DHCP servers on the internal network to support the VPN clients. With this information. however. A better solution is to enable a RIP listener on the machine. When a machine connected to the routed corporate network needs to create a VPN link to a VPN server on an external network—or even on the intranet if you are using VPNs to segregate your security zones—you may have another issue. The Windows 2000 RRAS server can be configured to issue RIP v1 and v2 broadcasts to support machines configured as RIP listeners. the RIP listener will not use routing table entries. because the RIP listener software listens on the physical interface. and you shouldn’t allow it on your VPN clients either. you never know what the gateway address will be for the client’s VPN connection. a workaround for this problem would be to manually create static routing table entries on the laptop computers after the VPN link is established. Click Networking Services. This is akin to allowing your corporate network users to attach modems to their desktops and connect to the Internet while still connected to the corporate network. this is unfeasible. Click OK. Then. Second Edition . however. The RIP listener isn’t an answer to the routing table problems that dial-up modem clients have when connecting to the VPN server over the Internet. and how VPN clients handle routed internal networks. So if you’re using only RIPv2. The reason for this is that if you use DHCP to assign an IP address to the VPN clients. You don’t let your internal network desktop users do this. However. VPN CLIENTS CANNOT BE CONFIGURED AS RIP LISTENERS Machines connected to the internal network can be configured as RIP listeners. To enable a RIP listener on a client machine. you’ll be ready to begin that VPN rollout that your boss has been bugging you to get started. Click Add | Remove Windows Components. The RIP listener doesn’t listen on the virtual interface. After the RIP listener is enabled. Even if the RIP routing protocol is installed on the VPN server. you can assign a static IP address to a user’s account on the Dial-in tab of the user account properties. The tips in this article should help you appreciate the importance of having WINS. Select the Rip Listener check box. it will not be able to share routing table information with VPN clients. The default gateway will change to the VPN interface and the machine will no longer be able to access remote subnets on the corporate network. You can create static routing table entries. you force the VPN clients to conform to the corporate Internet security policy. It isn’t very wise to allow VPN clients to bridge their Internet and VPN connections because the client can act as a gateway for Internet intruders to access the corporate network. 94 Administrator’s Guide to VPN and Remote Access.

you can have a single Remote Access Policy apply to all VPN servers. To configure an RRAS policy to optimize your VPN environment: 1. Thomas Shinder. change the number of L2TP ports. However. T Using RRAS policies RRAS policies allow you to simplify and optimize all of your RRAS server connections by centralizing the management of VPN client connections. you can enable MS-CHAP version 2. Doing both of these things allows you to increase your VPN server’s efficiency and blow the socks off your users. Note that Deb Shinder’s user account is allowed dial-in access based on the Remote Access Policy. 2002 By Dr. In the Routing And Remote Access console. and configure clients to use only L2TP/IPSec. The extant Remote Access Policy can be specific to a particular VPN server. On the client side. or if you decide to use RADIUS for authentication and accounting. there are a number of configurations that you can implement to help that server reach its full potential. enable auto-enrollment. MCSE hough it isn’t difficult to set up a Windows 2000 VPN server for use. To make the most of RRAS policies. Figure A shows the available options when a Windows 2000 domain is run in native mode.Optimal VPN server configuration and management Mar 18. On the server side. a couple of simple but powerful actions allow you to optimize connections: using Routing and Remote Access Service (RRAS) policies and configuring IP address and name server assignments. This allows you to configure the policies on a granular basis by configuring the properties of user accounts. run your Windows 2000 domains in native mode. a general setup doesn’t allow for optimal use of the server’s resources. expand your server name and click on the Remote Access Policies node in the left Figure A Figure B Administration 95 .

The condition now appears in the policy’s properties dialog box (Figure E). click the Add button. Click Figure D Figure E 96 Administrator’s Guide to VPN and Remote Access. and a Network Access Server port type condition. 2. 5.) To add a condition. You can create a new RRAS policy or edit the existing RRAS policy. and the connection type must be a VPN connection. 3. double-click on the Allow Access If Dial-In Permission Is Enabled policy in the right pane of the RRAS console. To edit the existing RRAS policy. To allow only L2TP/IPSec VPN tunnels for the Domain Admins group covered in this policy.pane. select the Layer Two Tunneling Protocol (L2TP) entry and click the Add button. (This option is seen in the If A User Matches The Conditions frame. In Figure B. connections are accepted at any time on any day of the week. select the Tunnel-Type attribute and click the Add button. users must be members of the TACTEAM\Domain Admins group. a Windows group membership condition. In the Available Types column in the TunnelType dialog box. for example. In this example. you can see that several conditions must be met to allow a connection to the RRAS VPN server: a day and time Figure C condition. The Select Attribute dialog box appears next (Figure C). Only after all these conditions are met will the Grant Remote Access Permission option be activated. Second Edition . 4. The entry will then move to the Selected Types column (Figure D).

Select the Encryption tab. However. Deselect the Microsoft Encrypted Authentication (MS-CHAP) check box. This will force 128-bit encryption on all connections matching the conditions of this Remote Access Policy. Since domain administrators will carry out the most security-sensitive operations. To assign addresses via DHCP. 8. it is important to note that your RAS VPN client never directly communicates with the DHCP server.Figure F Figure G Deselecting MS-CHAP forces the server to use MS-CHAP version 2 for the Remote Access Policy. and levels of encryption. 7. which require different VPN tunnel types. 6. You can create multiple RRAS policies to meet the specific needs of your organization. you might want to force 128-bit encryption for all their sessions. click the Authentication tab (Figure F). time of day requirements. You might want to create other policies for different groups of users. Edit to change the profile settings for this policy. Administration 97 . it will obtain extra blocks of IP addresses from the DHCP server ad libitum. The default settings allow both MS-CHAP and MS-CHAP version 2. In the above example. you can install a DHCP Relay Agent on the RRAS server to assign a limited set of DHCP options to VPN clients. The RRAS server doesn’t assign any DHCP options. Click Apply and OK to accept the changes you have made to the policy’s profile. click Apply and OK to accept the changes you made to the RRAS policy. I set some stringent settings on connections made by domain admins. leaving only the Strongest encryption option selected (Figure G). If the VPN server uses all the available addresses it obtained during boot-up. Configuring IP address and name server assignments There are two ways VPN servers can assign addresses to clients: via a DHCP server or via a static address pool. Deselect the Basic and Strong check boxes. Then. In the Edit Dial-In Profile dialog box. The VPN server obtains the IP addresses used for VPN client assignments during VPN server boot-up.

Click Apply and OK to accept the changes. The Allow IPBased Remote Access And Demand-Dial Connections option must be selected if you want the VPN server to assign addresses to the VPN clients. VPN clients will be able to access only resources on the VPN server itself. 2. 98 Administrator’s Guide to VPN and Remote Access. Right-click the server name in the Routing And Remote Access console and click Properties. Second Edition . click the down-arrow on the Adapter drop-down list and manually select the adapter that should be used for WINS and DNS server assignments to VPN clients. To configure address assignment: 1. This name server assignment takes place during the Internet Protocol Connection Protocol (IPCP) negotiation process. and IP addresses can be assigned to VPN clients from this pool.A static address pool can be configured on the VPN server. You don’t need to use DHCP options to assign name servers to VPN clients. You’ll also make life simpler if you choose a range of addresses that are on subnet—on the same network ID as the internal interface of the VPN server. you can manually select which interface will be used to assign name server addresses to VPN clients. make sure internal network clients are not using the addresses in the pool. If it does. because the RRAS server will automatically assign WINS and DNS server addresses to VPN clients based on the WINS and DNS server settings on the internal interface of the VPN server. 3. If you need to use a static address pool. If you have multiple internal interfaces on the VPN server. The default setting is to use DHCP for IP address assignment. The VPN clients will be configured with WINS and DNS server addresses that are configured on the interface you select. it sometimes gets things wrong. The RRAS server determines which interface should be used to assign name server settings. Figure H Conclusion Using RRAS and configuring IP addresses and name server assignments allows you to further tune the settings on your Windows 2000 VPN server and create a VPN environment that meets the requirements of your organization. If it’s not selected. Click on the IP tab (Figure H). however. select the Static Address Pool option and click Add to add a range of IP addresses. The Enable IP Routing check box should be selected if you want the VPN clients to access servers on the internal network. Doing so can make your job go a little smoother and your end users happy campers. If you choose the static address pool option.

And when they do. Of course. In my experience. Simply put. Nevertheless. The . the number of bytes transferred. unfortunately. so that you will know about them before a user contacts you. which all have the base name of the server (name or address) that you provide when you load the utility.Troubleshoot Windows RAS and VPN connections with these tips Oct 19. You can have the utility running permanently on your workstation so that you can quickly check the server’s status with the utility’s GUI. or slow down the user’s connection. many of these problems are beyond the administrator’s immediate control. with the extensions . the most obvious thing to check is that the server is running and that the RAS service is started. and . and Internet bandwidth problems. If you have multiple RAS servers. you can do this from your workstation rather than physically on the server itself. Gather timely information When a user complains that the RAS server is down. A failure to respond means the service or server is down. This includes information such as the number of currently connected users. or you can run it on another computer and leave it to collect the monitored information to file. . and the total and peak number of connections. the IP address allocated and type of port used. which. once a RAS server is up and running. However. As a background task.asp). 2001 By Carol Bailey. subsequent reported problems tend to be user-related issues rather than server problems. You configure the alert (for example. But a quicker and more elegant solution is to run the RAS Server Monitor (Rassrvmon.userdetails files provide more details on each connection made and include information such as user name and workstation name. works only with Windows 2000 RAS servers and not with NT4 RAS servers. so you can publish the current status of your RAS server on your company intranet. total bytes transferred. you should have multiple instances of the RAS Server Monitor—one for each server.userlist and .exe) from the Windows 2000 Resource Kit (http://www. MCSE+I M anaging remote access servers can be among the most highmaintenance activities that any administrator has to juggle. total calls.com/windows2000/techinfo/reskit/default. you usually have to confirm that everything is working as expected on the server side before they will doubt their end of the connection. Administration 99 . issues with the user’s ISP (if connecting over a VPN).webstatus. So what can you do to streamline the troubleshooting process? I’ve put together some tips that can help with this time-consuming exercise. and the line speed. Most admins check this by pinging the server and then connecting to the server to verify that the RAS service is up. The first alerting service monitors whether the RAS service is up by sending the MprAdminPortEnum API to the server you specify.userlist. tons of things can go wrong that prevent a user from connecting. The . such as client configuration difficulties. and only after I’ve proved that the problem is not with the RAS server have they looked a little closer to home and found the problem. you can bet users will contact you and complain about problems with the RAS server(s). the connection duration.userdetails. This utility produces three files. hardware problems at the remote user’s end. I’ve had many frantic calls from remote users complaining that the RAS server is down and must be fixed immediately because it is imperative for them to do their work.webstatus file is designed to be posted on a Web server. the first and last connection. stop a user from accessing network resources.microsoft. You can then check the information ad hoc. you can also configure the RAS Server Monitor to alert you if it detects problems.

you can’t blame the firewall for the connection problem. there may be legitimate reasons for this inactivity (for example. Obviously. By default. this will be reported as an error since there will be no connectivity taking place. You can use the Windows 2000 Resource Kit utility PPTP Ping to confirm that this protocol is working between client and server. and they can get so complex that it’s difficult to figure out which policy is being used. making it very quick to search and confirm whether a user account has been granted that right. If you are using AH as well as ESP in your IPSec policies. However. In the early stages. Is your firewall preventing VPN users from connecting? Are Remote Access Policies preventing users from connecting? Windows 2000 Remote Access Policies are great for granular control of user permissions and connections. You can then import this information into a database or spreadsheet. which condition is responsible for a failed connection. you will need to allow TCP port 1723 and IP protocol port 47 to pass through your firewall. and document your choices (perhaps with a flowchart to show their decision criteria for allowing connections). It can be quite tedious and time-consuming to individually check this on multiple accounts. use the simplest policies you can. the simplest way to check the viability of the VPN server itself is to eliminate the firewall by setting up a client VPN connection over Ethernet rather than over the Internet.exe on the client. you will need UDP port 500 and IP protocol port 50 to pass through the firewall. this time period is 10 minutes. Does the user have dial-in permission? My first tip here would be to make sure that you know how the administration modes work for Remote Access Policies. which would not be detected by the service API monitor. If this doesn’t work when there is no firewall between the server and the client. when you are testing your VPN server.exe on the RAS server and install pptpclnt. but on RAS servers that are usually busy during the day. bear in mind the order of processing. they can also be a pain to support. even if you have to load it on the same machine as Win2K RRAS. Issue the command pptpclnt <ip address of VPN server> on the client. which makes it much easier to troubleshoot policy problems. If you’re running RAS servers in a nativemode Active Directory domain. If port 1723 is blocked or if port 1723 is open but protocol 47 is blocked (the most common configuration mistake with firewalls). This is because IAS will record which Remote Access Policy is being used with each connection in the Event Log. If the protocol reaches the server. overnight hours and quiet periods during popular vacation times). If you have VPN connections using PPTP. and thus. you will need to grant the dial-in permission on each user account. If you are using L2TP/IPSec. One way to ease the burden a bit is to make it a regular administrative task to use the Resource Kit tool RASUsers to output a list of all users on a server or domain that have been granted this right. the server will display a successful message. However. you can use the new permission Control Access Through Remote Access Policy on all user accounts so that dial-in permissions are always kept centrally on your RAS servers as part of your Remote Access Policies. The second alerting service monitors for inactive RAS connections over a specified time period. Second Edition . if you are still using NT4 RAS servers or your Active Directory is not in native mode. it could indicate that there’s a problem with the line(s). My second tip—particularly when using multiple RAS servers—is to centralize authentication with Windows 2000’s Internet Authentication Service (IAS).send an e-mail message or log an error) by running a program of your choice when the number of failed responses continues over a period of time. you will also need IP protocol port 51 to pass. Simply install pptpsrv. 100 Administrator’s Guide to VPN and Remote Access.

etc. you can supply the phone book as an automatic download that will update clients with any changes. You may find that deploying preconfigured connections with a dialer program is a worthwhile investment of time. look to see whether you are using 3DES encryption on most connections (the default for 128-bit versions). such as CHAP authentication for non-Windows clients and no encryption for better throughput. such as domain controllers. and total bytes transferred. consider disabling the default L2TP/IPSec policy and configuring your own policy that uses DES rather than 3DES. from the information produced by Rassrvmon. You can include a static address book for your RAS server details or. when a user has to configure a connection from scratch. Windows 2000 Server now ships with Connection Manager Administration Kit (CMAK). to provide reports If possible. If the certificates have been issued outside Active Directory. which allows you to preconfigure remote access connections for your users and customize the configuration with your own company logos. If you suspect the additional stress of running L2TP/IPSec is responsible for poor performance. discourage or prevent most users from changing their RAS settings if their configuration is working. Contingencies Many network admins prefer VPN connections over dial-up modems these days because they have many cost advantages and it’s easier to run multiple simultaneous connections. You could also invest in a network card that offloads some of the IPSec processing. they also offer a more secure medium. but one of my tips is to give remote clients LMHOSTS and/or HOSTS files that contain the domain name and the main servers. and L2TP/IPSec will be higher still (because of the IPSec processing). PPTP will incur more processing than PPP (because of the encryption). Verify that both client and server have a Certificate Authority (CA) in common and that both have been issued with a valid computer certificate from this CA. Because these dial-up connections use Point-to-Point rather than the Internet. (Windows 2000 Local Group Policies are fantastic for enforcing this.htm. If so. You can use its sister utility. WINS servers. which means that you may consider configuring them with lower security options. which eliminate the need for modem banks. if their ISP is having problems. Reportgen. If you are using Windows 2000 Remote Access Policies. this is another matter. consider keeping some PPP ports in case users have problems connecting over the VPN—for example.microsoft. The RAS Server Monitor also provides statistical information you might find useful here. However. such as peak connection time. If you think poor performance could be due to overstressing your RAS server. total connect time. it’s particularly important to ensure that the certification path has been installed and the system date/time is correct on both computers.com/ WINDOWS2000/en/server/help/cmak_ ops.) However. and any servers the user needs for network resources. You’ll find details for using CMAK at http://www. I would put problems with certificates at the top of the list of potential problems. This should reduce any problems that might be caused by name resolution issues. use the Performance Monitor counters to keep an eye on memory and processor metrics.Are certificates preventing L2TP/IPSec users from connecting? When it comes to troubleshooting L2TP/ IPSec connections. you can easily configure the security settings for these different connections based on the port type being used. Administration 101 . Prevent user misconfiguration problems Are there performance problems? There are a hundred and one reasons for connections not going as quickly as users would like. which can help provide trend analysis to help you determine whether reports of poor performance are linked to high usage. if you think your RAS server details may change.

change the TCP sequence and acknowledgment numbers. typically an IP packet. but it may also swap TCP source and destination ports. rfc-editor. CCNP. However. and having some contingency plans to call upon. MCSE+I. and change IP addresses contained in the data payload.com/ warp/public/556/nat-cisco. We’re going to look at the reasons behind this common problem and see what you can do about it. NAT doesn’t just swap IP source and destination addresses. col (L2TP). Encapsulation can also be referred to as tunneling. It can then be decrypted only by using a secret key or a password. For more information. NAT is based on RFC1631 (http://www. here are four basic concepts you need to understand: Encapsulation involves wrapping a header around a data unit. Encryption provides a way to secure sensitive data by translating it into private code. preconfiguring connection details for users.org/rfc/rfc1631. certificate verification. Learn why NAT can cause VPN connection problems Nov 8. The tips have included gathering timely information on your RAS servers’ sta- tus. For instance. firewall configuration. IP packets get encapsulated in a frame-relay header when they traverse a frame-relay WAN. Important concepts First.Summing up Running a trouble-free RAS service isn’t easy. verifying dial-in permission and Remote Access Policies. refer to Cisco’s article “How NAT Works” (http://www. This can make them troublesome for NAT. performance improvements. SCSA M any a network administrator has tried to set up a virtual private network (VPN) client from a workstation with a nonroutable (private) IP address only to find out—amid much frustration— that the network address translation (NAT) on the Internet router keeps the VPN client from making the connection. 102 Administrator’s Guide to VPN and Remote Access. Second Edition . change the IP and TCP header checksums. Layer 2 Tunneling Proto- VPN protocols Now we need to look at a few of the important differences between the two VPN tunneling methods: IPSec and L2TP—These two open protocols are popular across multiple platforms. 2001 By David Davis.cisco.txt) and is typically used to connect a private network to a public network. Keep in mind that to function. A VPN encapsulates and encrypts packets to send a private network’s data over a public network (such as the Internet) to another private network. which contains the IP source and destination addresses. but I hope these tips and tools will help you streamline troubleshooting this important service. Point-to-Point Tunneling Protocol (PPTP). and IP Security (IPSec) are the most popular protocols for securing VPN traffic. they usually encapsulate and encrypt the IP datagram.shtml). such as connecting your company network to the Internet.

and the IPSec authentication data is still valid.IPSec can work in two different ways: transport and tunnel. or “NAT friendly. On Cisco equipment. the IP header is not encrypted but exposed. Most rely on some kind of IPSec encapsulation into UDP packets. So the VPN server drops the packet. If you are using NAT. a connection can be made. Many NAT and VPN dilemmas are created by this assumption. In transport mode. You should also check with your router and VPN vendors for specific solutions Administration 103 . you will likely be using IPSec. you want the traffic bound for true Internet destinations to be NATed. When the packets arrive at the NAT router. the application headers. Transport mode is between a client and a server. whereas the tunneling. Different standards and vendor implementations are being used to make this work. and the VPN client never gets connected. Let’s return to our original scenario of the troubled network administrator who configures a workstation with a private IP address and tries to use a VPN client to go through a NAT-enabled router. This concept is invaluable when setting up and troubleshooting NAT and VPN together. However. Thus. PPTP—This Microsoft propriety protocol does not encapsulate or encrypt the IP datagram. and you want the traffic destined to travel through the IPSec tunnel to be tunneled.” Windows 2000 RRAS (Routing and Remote Access Services) uses this VPN protocol by default. choosing Windows 2000 VPN (RRAS) services with PPTP can greatly simplify your VPN-NAT issues. TCP/UDP headers. used by an IPSec or L2TP VPN gateway. Final word This is a complex topic that should not be taken lightly. If you are using IPSec with NAT on a Cisco router. this means that the admin is using IPSec in transport mode. NAT can break a VPN tunnel because NAT changes the Layer 3 network address of a packet (and checksum values). Because the IPSec packet is now encapsulated. stripping it off on the other side. Upon arriving at the VPN server. the authentication data in the packet is invalid because the IP header information was modified by NAT. you can get around the VPN-NAT issues by selecting the traffic that is to be NATed and making sure that that traffic is not NATed but encapsulated and encrypted in the IPSec header. this is accomplished using an access control list. choosing PPTP can often eliminate the NAT-VPN issues created with IPSec and/or L2TP. it has a different network address. which makes this protocol compatible with NAT. NAT devices do not affect the packet’s IP header information. But after a packet goes through the IPSec or L2TP VPN tunneling process. Tunnel mode is between two IPSec tunneling gateways (for instance. and data are encrypted. encapsulates/encrypts the Layer 3 network address of a packet with another Layer 3 network address. the entire packet (including the IP headers) is encrypted and new IP headers are appended. VPN product vendors are beginning to build IPSec NAT traversal capabilities into their products. NAT and VPN NAT is supposed to be transparent to whatever applications it works with. The authentication data is calculated based on the values in the IP header (among other things). two routers or servers). In tunnel mode. In other words. the authentication data is calculated based on the values in the IP header (among other things). the IP headers are modified (NATed). We’ll assume that the administrator is using an IPSec-based VPN client (not PPTP). As I said. after a packet goes through the NAT process. To deal with this issue. if you are trying to create a tunnel through the Internet between two Cisco routers (or other non-Microsoft devices or operating systems). leaving the IP headers exposed. In other words. However. Remember that in transport mode. not NATed. Because this is from a client to a server. it has the same network address. Understanding how NAT and the different VPN implementations do what they do is crucial.

that their products may have for dealing with NAT and VPN interoperability. Cisco provides the following sample network configurations and scenarios that can help to better understand and manage NATVPN issues: “Configuring Router to VPN Client, Mode-config, Wild-card Pre-shared Key with NAT” (http://www.cisco.com/warp/public/ 707/25.shtml) “Configuring an IPSec Tunnel through a Firewall with NAT” (http://www.cisco.com/warp/public/ 707/ipsecnat.html) “Configuring a Router IPSec Tunnel Private-to-Private Network with NAT and a Static IP Address” (http://www.cisco.com/warp/public/ 707/static.html)

“Configuring Router-to-Router Dynamicto-Static IPSec with NAT” (http://www.cisco.com/warp/public/ 707/ios_804.html) “Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between Private Networks” (http://www.cisco.com/warp/public/ 707/overload_private.shtml) “Configuring IPSec Router-to-Router with NAT Overload and CiscoSecure VPN Client” (http://www.cisco.com/warp/public/ 707/ios_D.html)

Create a gateway-to-gateway VPN with ISA Server 2000
Sep 24, 2001 By Dr. Thomas Shinder, MCSE


irtual private networks (VPNs) allow you to connect to private network resources over the Internet. The VPN link mimics the connection you would have if all devices were directly connected to your private LAN. The difference is that instead of connecting directly to the private network, devices connect first to the Internet and then establish the virtual link that creates the connection to your private network. The most common implementation of VPNs is allowing a client computer, such as a Windows 2000 Professional notebook, to make a connection to the Internet and then establish the VPN link. After establishing the

VPN link, the computer becomes a member to the private network. The client then will be able to access resources on the network, such as printers and shares, just as if it were directly connected. A less common, but important, implementation of VPNs is to use them to connect entire networks to one another. The VPN link acts like a routed connection that allows clients on both sides to access resources on the opposite side. Communications move through the Internet but are protected by the encryption provided by the tunneled connection. You need a VPN server on each end of the link to create this type of VPN. The


Administrator’s Guide to VPN and Remote Access, Second Edition

configuration is most frequently referred to as a gateway-to-gateway VPN. The gateway-togateway VPN allows messages to be routed from one network to the other with a secure encrypted tunnel over the Internet. Configuring a gateway-to-gateway VPN in Windows 2000 is not for the faint of heart. In this article, we’ll look at how to make the process of creating the gateway-to-gateway VPN easier by using ISA Server 2000 (ISA Server). ISA Server makes it easy to create a gateway-to-gateway VPN with VPN wizards that actually work.

routers to forward Internet-bound traffic to the internal interface of the ISA Server. In addition, you will need to configure the network routers to forward traffic destined for the network ID of the remote network on the other side of the VPN to the internal interface of the ISA Server.

Configuring the VPN connection

When using ISA Server to create the gatewayto-gateway VPN connection, you must use two wizards: The Local VPN Wizard The Remote VPN Wizard The Local VPN Wizard is run at the location that will receive the calls from remote VPN servers. This wizard is usually run on the ISA Server at the central office, after which it will be ready to accept calls from an ISA Server at a remote, branch office. The Remote VPN Wizard is run at the remote location—the location initiating the calls. The Remote VPN Wizard uses information collected by the Local VPN Wizard to create the connection.

Preparing for the VPN

A lot of people have trouble getting a VPN to work correctly the first time they implement one. The main reason is that they forget that a gateway-to-gateway VPN is just like any other routed connection. The ISA Server acts like a router; therefore, you have to configure your network to support a routed infrastructure. In a routed network, you need to address issues related to: DNS host name resolution NetBIOS name resolution Routing tables If the two networks host different internal network domains, you need to configure DNS to support name resolution for both sides. You can do this in a number of ways. You could make DNS servers on each side secondary servers of one another. You could also create referral records for nonlocal domains on each of the DNS servers that point to the DNS on the opposite side of the link. NetBIOS name resolution is handled by a WINS server. Since the connection is a routed link, NetBIOS name broadcast queries will not traverse the VPN. Make sure there is a WINS server on each side of the link. You should configure the WINS servers to be replication partners if you wish to resolve NetBIOS names for machines on the opposite side of the VPN. In a single-segment network, all machines will have the internal interface of the ISA Server set as their default gateway. On a multiplesegment network, you will need to configure

COMMUNICATIONS The Local VPN Wizard is run on the machine that will accept inbound calls from the remote VPN server. However, you can tell the Local VPN Wizard to allow both sides to initiate a call.

Running the Local VPN Wizard
The first step is to run the Local VPN Wizard. Perform the following steps to configure the local VPN Server: 1. Open the ISA Management console. Expand your server or array and right-click the Network Configuration node in the left pane. Click the Set Up Local ISA VPN Server command.

2. On the Welcome To The Local ISA Server
VPN Configuration Wizard page, click Next to continue.

3. The ISA Server Virtual Private Network
(VPN) Identification page will appear. 105


In the Type A Short Name To Describe The Local Network text box, type a short (less than 10 characters is safe) name for the local network. In this example, we’ll call it local. In the Type A Short Name To Describe The Remote Network text box, type in a short name for the remote network. In this example, we’ll call it remote (Figure A). Click Next.

5. Use L2TP Over IPSec. 6. Use PPTP. 7. Use L2TP Over IPSec, If Available.
Otherwise, Use PPTP In this example, we will select Use L2TP Over IPSec, If Available. Otherwise, Use PPTP (Figure B) because it gives us the most flexibility in establishing the connection. Generally, you will want to use IPSec for your gateway-to-gateway tunnels, but it is helpful to have PPTP available for initial testing. You can remove the PPTP packet filters after you have confirmed that your VPN is functioning and that your IPSec configuration works properly. Click Next. 1. The Two-Way Communication page will appear next. If you wish to allow both ends to initiate a call, put a check mark in the Both The Local And Remote ISA VPN Computers Can Initiate Communication check box. If you do not, only the remote VPN server will be able to initiate a call. In the top text box, enter the IP address of the FQDN of the remote ISA Server. In the bottom text box, enter the NetBIOS name of the computer or the NetBIOS name of the domain (if the machine is a domain controller). In this example, we will allow bidirectional initiation of calls. We will use gateway.tacteam.net as the FQDN

4. The ISA Server Virtual Private Network
(VPN) Protocol page will appear. You have three choices:

Figure A

Naming the VPN connection

Figure B

Figure C

Selecting the tunnel type

Configuring bidirectional call initiation


Administrator’s Guide to VPN and Remote Access, Second Edition

Figure D

Figure E

Configuring access to the remote network IP addresses

Configuring the local network IP addresses

of the remote gateway and type in the domain name of the remote VPN server, TACTEAM (Figure C). Click Next.

Figure F

2. On the Remote Virtual Private Network
(VPN) Network page, enter the IP address range of the remote network. If you do not want access to all computers on the remote network, enter the IP addresses of the individual machines that you want access to. To add the address ranges, click the Add button. In this example, we’ll allow the local network to access all the machines on the remote network ID (Figure D). Click Next.

3. The Local Virtual Private Network (VPN)
Network page will appear next (Figure E). Select the external address of the ISA Server to which the remote ISA Server will connect. Confirm that the entries for the local network ID ranges are correct and click Next.
Naming the configuration file and creating a password

5. On the final page of the wizard, click the
Details button to review the changes made to your machine. If the Routing and Remote Access service has not been started, the wizard will start it and make the configuration changes noted in the Details. Click Finish.

4. The ISA VPN Computer Configuration
File page will appear. You’ll use this file to create the remote VPN server. Type a path and file name in the File Name text box. Then, type in and confirm the password (Figure F). You can save this to a floppy disk to carry with you to the remote site or you can save it to the hard disk and e-mail it to an administrator at the remote site. Click Next.

Running the Remote VPN Wizard
Running the Remote VPN Wizard is simple because you already made all the configuration decisions when you ran the Local VPN Wizard. To run the Remote VPN Wizard, perform the following steps:


4. You can configure the demand-dial interface to drop the connection after a period of idleness or to be a permanent connection. 2002 By Dr. Click Set Up Remote ISA VPN Server. After selecting the file. Second Edition . Figure G Figure H Running the Remote VPN Wizard Completing the Remote VPN Wizard Troubleshoot ISA Server VPN connections Jun 24. Type in or browse to the file name. The ISA VPN Computer Configuration File page appears next. and right-click on the Network Configuration node in the left pane.1. users on either side of the VPN will be able to initiate a demand-dial connection to the remote network. Once the Local and Remote VPN Wizards have been run. but they can’t help you resolve VPN problems. Thomas Shinder. The ISA Server’s VPN Wizards do most of the work when creating the VPN 108 W server or VPN gateway. MCSE hen working with ISA Server configured to run a VPN. click Next. Click the Details button to see the changes that will be made to the server. By learning about the problems you might face and how to fix them. Click Finish to complete the wizard. 2. type in the password (Figure G) and click Next. you’ll be better prepared to face the challenge should problems arise. You may also wish to select the check boxes that will open the Help files on how to configure demanddial interface and IP packet filters. On the Welcome to the Remote ISA Server VPN Configuration Wizard page. I’ll show you how to identify and Administrator’s Guide to VPN and Remote Access. Open the ISA Management console. however. expand your server or array. 3. The Completing The ISA VPN Configuration Wizard will appear (Figure H). In this article. troubleshooting the VPN problems can be one of the most difficult tasks you’ll encounter.

The biggest problem occurs when the ISA Server administrator doesn’t have a network infrastructure to support the ISA Server solution. DNS An alternative to NetBIOS name resolution is DNS host name resolution. What kind of problems can I expect? Most ISA Server VPN problems are related to VPN server or VPN client configuration and not to the actual ISA Server setup. the obvious solution is to configure a WINS server. If the client is configured with an inappropriate domain name or no domain name at all. VPN client. the request may succeed. the LMHOSTS file can be a viable alternative. This is because the ISA Server software does very little in relation to VPN connections. if you use static addresses for network servers. The only thing the ISA Server does when you run the ISA Server VPN Wizards is create the packet filters to support the VPN protocols. the LMHOSTS file will be worthless. You can manually or automatically configure the VPN client with an address of a VPN server on the internal network. The problem most VPN clients run into when it comes to hosting name resolution on the internal network occurs when the VPN clients try to resolve unqualified names on the internal network. VPN clients get their name server addresses from the settings on the internal interface of the VPN server or from a DHCP server on the internal network. NetBIOS If you have problems with NetBIOS name resolution.troubleshoot problems with ISA Server VPN connections. If machines on the internal network use DHCP for IP address assignment. Some common VPN configuration and management errors you may encounter include: Name resolution issues IP addressing problems VPN client configuration problems VPN gateway issues Authentication and encryption errors Once you get a handle on these areas. They can query the internal network DNS server to resolve host names on the internal network. because the VPN client cannot use NetBIOS broadcasts to resolve NetBIOS names on the internal network. An alternative is to configure an LMHOSTS file on each Administration 109 . When using ISA Server. LMHOSTS files are an inferior solution because they aren’t dynamically updated. you’d need to choose the one that has the name server addresses that you want assigned to the VPN clients. But in that case. A WINS server is required if you want your VPN clients to resolve the NetBIOS names of machines on the internal network. However. The Routing And Remote Access Service (RRAS) handles all other components of the VPN. Click the IP tab on the Properties page. You can configure which adapter to use for name server assignment by looking at the Properties page of the VPN server. When the VPN client sends an unqualified request to the DNS server on the internal network. you’ll be in good shape to have a smoothly running ISA Server VPN server. This becomes an issue when the VPN client wants to use DNS host name resolution to resolve the NetBIOS names on the internal network. the DNS resolver on the client typically appends the VPN client’s domain name to the request. If the VPN server had multiple internal network adapters. you should just assign a WINS server address to the VPN client in the first place. If you configure a static address pooling for the VPN clients. Make sure the Name resolution Name resolution issues are common with ISA Server running a VPN server. You can easily handle the problem by installing and configuring the appropriate network services. VPN clients can use a DNS server that is manually or dynamically assigned to them. If the internal network DNS server is configured to use a WINS server for name resolution. the request for name resolution will fail. the clients obtain their name server address from an internal interface on the VPN server.

such as WINS address. If your users need access to a network server browser list. If the network routing infrastructure isn’t set up to support the offsubnet addresses that you assign the VPN Figure A Figure B Select the interface that you want to assign name server addresses. to VPN clients is to install and configure the DHCP Relay Agent on the VPN server. You can assign VPN clients on-subnet and off-subnet addresses. as shown in Figure A. make sure you install and configure the DHCP Relay Agent on the VPN server computer. You can also use a DHCP server to assign addresses to VPN clients. On-subnet addresses are those that match the same network ID as the internal interface of the ISA Server. The only way to assign DHCP options. Select the VPN interface on which you want to use the Web Proxy service. One thing that definitely won’t work without a WINS server is the browser service. You can also use off-subnet network addresses for the VPN clients. VPN clients never directly communicate with a DHCP server because the VPN server doesn’t pass broadcast messages from VPN clients to the internal network. however. DNS address. 110 Administrator’s Guide to VPN and Remote Access. When your ISA Server is configured to run as a VPN.Adapter field at the bottom of the IP tab is set to Internal. In this instance. The server will obtain more addresses when needed. the RRAS server doesn’t retain any DHCP options. DHCP Your other option is to use a DHCP server on the internal network. The DHCP Relay Agent will proxy for the VPN clients and allow them to receive DHCP options. Make sure that the addresses in the static address pool aren’t already in use on the network and that they aren’t assigned to a scope on any of your DHCP servers. The RRAS server will obtain addresses from a DHCP server when the RRAS server starts up. This can be a useful security measure. the VPN clients are assigned IP addresses that are not on the same network ID as the internal interface of the ISA Server. because VPN clients have a valid IP address for the network ID that the VPN server is directly attached to. and domain name. Onsubnet addresses are easiest to manage. Second Edition . You can configure a static address pool in the same dialog box seen in Figure A. you must install a WINS server and configure the VPN clients to obtain the WINS server address. IP addressing VPN clients can get an IP address from a static address pool or from a DHCP server on the internal network.

0. Let’s look at an example of a dial-up VPN client. click the Connections tab. as shown in Figure C. but it isn’t a default route. Whether you use on-subnet or off-subnet addressing on the VPN clients. a network route is added to the VPN client’s routing table. and a default route for network ID 10. All packets for that network ID (and all subnets of that network ID) are sent to the VPN server. Either intentionally or out of curiosity. The route sends requests for the classful network ID the VPN client was assigned for its VPN interface.0. it’s critical that you configure the routing table on the VPN server with the appropriate network IDs on your internal network. you must configure the routers on the network to forward responses to the offsubnet network ID to the internal interface of the VPN server. You can configure a proxy server address and port number in the connection’s Settings dialog box. Put in the IP address of the outgoing Web requests listener and port 8080. Doing so will prevent rogue VPN clients from accessing the internal network. All other nonlocal packets are sent to the ISP’s remote router. At the client. there is one setting common to almost all versions—the Use Default Gateway On Remote Network option. it is a good idea to configure the VPN clients to use off-subnet addresses. If there are networks you don’t want the ISA Server to reach. and credentials when you use the Web Proxy service. If you use off-subnet addresses for VPN clients.1. they still won’t be able to access anything other than resources on the VPN server itself. the only resources the VPN clients will be able to access are on the VPN server itself. You can still allow VPN clients to access the Internet through the ISA Server by configuring the VPN client’s browser to use the Web Proxy for the VPN connection. When selected. A good way to prevent users from torpedoing internal network security is to design the IP addressing and routing scheme so that if users are able to set their VPN clients to not Use The Default Gateway On The Remote Network. In general. Windows VPN client software is configured slightly differently. leave them out of the routing table. However. Figure C VPN client configuration Enter the IP address. When the Internet Options screen appears. users may harpoon network security by disabling the Use Default Gateway On Remote Network option. You’ll also need to include the credentials required by the Web Proxy service if you’re requiring authentication for outbound access. The VPN client is assigned the IP address 10. 111 Administration . find an entry for the VPN connection (see Figure B).0/8 is configured on the VPN client. This prevents VPN clients from accessing the Internet and the corporate network at the same time. Select that connection and click the Settings button. launch Internet Explorer and select Internet Options from the Tools menu. all packets for nonlocal networks are forwarded to the ISA Server’s VPN interface. This is the default option. When users disable this option. The VPN client then has a direct link to both the Internet and the corporate network and can become a gateway between the Internet and the corporate network.0. depending on the operating system.100.clients. port. On the Connections tab. but all other networks must be included in the routing table.

The only solution is to configure the third-party device to use L2TP/IPSec. DHCP. Even though the VPN server contains the proper routing table entries to forward requests to the network IDs on the internal network. except for a small problem with allowing both sides to initiate a connection.0. the off-subnet VPN client won’t be able to take advantage of them because they are not using the VPN server as their default gateway. You can prevent this problem by allowing only the central office to dial up the connection. preventing either from accepting an incoming connection. those VPN clients configured not to use the VPN server as their default gateway will be able to access resources on the VPN server. Place WINS. remove the dial-up credentials from the demand-dial interface configured by the VPN Wizard. you’ll end up with a potential race condition when the VPN connection is dropped. Gateways can join a remote office to a local corporate network. The Local Wizard is run on the machine receiving the call from the remote office VPN server.0.0. This can create a problem when you want to configure a pure IPSec tunnel between the ISA Server computer and a third-party hardware VPN device. or you can configure 112 Administrator’s Guide to VPN and Remote Access.0/16—will be forwarded to the existing default gateway.0/16 range.The best way to do this is to assign the VPN clients off-subnet IP addresses. Any nonlocal requests—including those for network ID 10. make sure that you configure compatible IPSec policies. VPN gateways ISA Server includes a couple of nice wizards that allow you to create a local and remote VPN gateway. These wizards work fine. Authentication and encryption Your ISA Server configured to run VPN supports both PPTP and L2TP/IPSec VPN connections. On the passive side. ISA Server does not support pure IPSec VPN tunnels. Configure your routing infrastructure to send packets for the appropriate network IDs to the network on the other side of the VPN gateway. Remember that your VPN gateway solution creates a routed connection to the remote network.254. If you configure both sides with the ability to dial one another.0. Design your network services infrastructure to support the routed networks. This is because when the client is configured not to use the default gateway on the remote network. using mechanisms appropriate for each network service. This will help if you want to use a preshared key between the VPN server and the black box. DNS. The gateway-to-gateway VPN router configuration should have a passive side that receives calls and an active side that makes calls. Windows 2000 creates a default L2TP/IPSec policy. For example. and directory services with this routed architecture in mind. You should treat the connection between the networks like you would any other routed connection. Second Edition . If you do decide to use L2TP/IPSec. After configuring the VPN gateways. Only the remote office should have the capability to call the central office. go to the local VPN server and configure the machine to never redial a connection. the internal interface of the VPN server is connected to network ID 10. You can disable the default IPSec policy and use an alternate policy. you should install and configure redundant services on each side of the link and configure them to replicate with one another.0/16 and the VPN clients are assigned IP addresses in the 169. Since the link between VPN gateways is not always reliable. Each server will try to dial the other simultaneously. I often see questions from ISA Server administrators who wonder how to deal with NetBIOS and host name resolution for hosts on the other side of the network. The Remote Wizard is run at the VPN server at the branch office. the actual default gateway on the client points to the ISP (the Internet) or whatever default gateway the client already has set up. You handle this problem as you would with any other routed network solution.0. which obviously won’t work in getting to subnets on the VPN network. With this setup. but they won’t be able to access resources anywhere else on the internal network. This will prevent one of the most common communication failures between networks joined by the VPN gateway.

For example. There is one major ISA Server configuration issue to take into account when implementing an L2TP/IPSec VPN: The Internet Key Exchange (IKE) required for the IPSec connection requires that you allow fragmented packets through the ISA Server. you might want to configure PPTP VPN connections instead. Traveling users with laptops or handheld computers will inevitably want files on the home network. you just can’t bring everything with you.a new IPSec policy to be used for your L2TP connections. Configure Windows XP Professional to be a VPN server Mar 18. When you know the main areas that can cause ISA Server’s VPN to fail. usability features available to Windows Me users and adding the powerful networking features available in Windows 2000. A Windows XP computer can accept a single incoming connection on each interface that can accept a connection. The primary issue is either with the VPN configuration in RRAS or with problems with the underlying network infrastructure. MCSE F or the Small Office/Home Office (SOHO). Windows XP Professional VPN features are a real boon. create the ideal remote access solution for the SOHO. This creates some risk because there are known exploits that take advantage of packet fragmentation. the typical Windows XP’s all-in-one VPN solution Windows XP Professional is designed as the one-stop solution for the SOHO. Because of this. The combination lets you. PPTP security is highly depend- ent on password complexity. you can fix the problems as they appear. Thomas Shinder. the support professional/net admin. a Windows XP machine can accept incoming connections on each of the following interfaces: Dial-up modem serial interface Infrared interface Parallel port interface VPN interface While it’s unlikely. then PPTP VPNs can be as secure as L2TP/IPSec VPNs. If you configure the ISA Server to block fragmented packets. This is where the beauty of the Windows XP Professional computer connected to an always-on connection such as DSL or cable modem shines. The Windows XP Professional remote access server capabilities are very similar to those available in Windows 2000 Professional. ISA Server configuration is not the problem. taking all the Administration 113 . Solve those VPN trouble spots ISA Server is built with VPN connectivity in mind. In the majority of instances. However. 2002 By Dr. In this article. a Windows XP Professional machine with the above configuration could conceivably accept up to four simultaneous RAS connections. If you’re able to implement a secure password infrastructure. all L2TP/IPSec VPN connection attempts will fail. I’ll explain how to configure a Windows XP Professional computer to accept incoming VPN connections and discuss some tips on improving the remote access experience for the VPN client computer user. That always-on link can be used to accept incoming VPN connections and allow your mobile users to access shared folders and files on your private network.

Windows XP Professional includes a New Connection Wizard. you should configure the VPN interface before you configure ICS on the same computer.1 through 24 to fix the preexisting network configuration. In the Network Connections window The Network Connections window (Figure A). Click Start | Control Panel. Second Edition . The IP address of the LAN interface of the ICS computer was changed to 10. step-by-step 1.1 through 16. Create an incoming connection with the New Connection Wizard Like Windows 2000 Professional. open the New Connection Wizard. RUNNING ICS AND INCOMING VPN CONNECTIONS ON THE SAME INTERFACE I have been able to run ICS and incoming VPN connections on the same interface. it’s easy to change the IP address to one that fits the existing network environment. However. 3. In this example. either through a dial-up modem interface or a VPN interface. one is directly connected to the Internet and the other is connected to the internal LAN. In addition. The machine has two network interface cards.0 or Windows 2000 domain. In the Control Panel. 2.configuration consists of a single RAS client connection.0. Figure A How to create the VPN server interface.168.0.0. to prevent problematic configuration issues. I’ll assume the Windows XP Professional machine is not a member of a Windows NT 4. open the Network Connections applet. Figure B Figure C Configuring XP to accept incoming connections 114 Administrator’s Guide to VPN and Remote Access. While ICS changes the IP address of the LAN interface of the ICS computer to 192. I’ll show you how to use the New Connection Wizard to create the new VPN server interface. the external interface of the machine is configured for Internet Connection Sharing (ICS).

10. On the Advanced Connection Options page. 11. select the users that are allowed to make incoming VPN connections. select the Allow Virtual Private Connections option (Figure E) and click Next. 6. On the Incoming Virtual Private Network (VPN) Connection page. 5. 7. Figure F Figure G Any user that isn’t selected won’t be able to initiate an incoming connection. Click Next. select the Set Up An Advanced Connection option (Figure B). you can select optional devices on which you want to accept incoming connections. Configuring TCP/IP properties Administration 115 . click Next. On the Welcome To The New Connection Wizard page. On the Networking Software page. On the Devices For Incoming Connections page (Figure D). On the User Permissions page (Figure F).4. click on the Internet Protocol (TCP/IP) entry (Figure G) and click the Properties button. In the Incoming TCP/IP Properties dialog box. On the Network Connection Type page. select the Accept Incoming Connections option (Figure C) and click Next. place a check mark in the Allow Figure D Figure E Note that you are not presented with any of the network interfaces on the computer. 9. 8.

In practice. there is no point in creating a VPN connection to the internal interface card. After the Incoming Connection is complete. Note that MPPE 128-bit encryption is automatically enabled and that Microsoft CHAP v2 is used for authentication. click Finish to create the connection. VPN server optimization tips The New Connection Wizard made it easy to create the VPN server interface. no devices are listed. since you can now create VPN connections to both network interface cards. Figure K shows the connection status dialog box of a Windows XP VPN client connected to a Windows XP VPN server. If you want the VPN client to access resources on the internal network. Second Edition . the routing table on the Windows XP VPN server needs to be configured with paths to the various internal network IDs. but you can still do more to optimize your VPN connec- tions. You can use the ROUTE ADD command to create these routing table entries. all the machines on the internal network should have a default gateway set using the IP address of the internal interface of the Windows XP VPN server. This will allow VPN callers to connect to other computers on the LAN. the IP address assigned to the VPN client should be on the same network ID as the internal interface of the Windows XP VPN server computer. right-click on the connection in the Network Connections window and click the Properties command (Figure I). VPN callers will be able to connect only to resources on the Windows XP VPN server itself.Callers To Access My Local Area Network check box (Figure H). 12. If this check box isn’t selected. Small networks that use a Windows XP Professional machine for a VPN server probably won’t have network services such as WINS or DNS. note that you can create PPTP or L2TP/IPSec VPN connections. The comment No Hardware Capable Of Accepting Calls Is Installed isn’t true. If name resolution on the private Figure H Figure I Granting LAN access to callers Accessing the properties of the VPN server link 116 Administrator’s Guide to VPN and Remote Access. Note that on the General tab of the Incoming Connections Properties page (Figure J). First. In addition. On the Completing The New Connection Wizard page. In the unlikely event that the SOHO has multiple network segments.

If both machines had machine certificates from the same Certification Authority installed. one at a time. an L2TP/ IPSec VPN link could have been negotiated. you can connect to that computer from virtually anywhere in the world using a VPN link. VPN clients will call only the external IP address of the Windows XP Professional VPN server.0. If the Windows XP Professional client has a dedicated link to the Internet and a static IP address. Administration 117 .2 DEFIANT Figure J TIP When you save the LMHOSTS file to the <system_root>\system32\drivers\etc folder. when you save the file in Notepad. The VPN client must be configured with an IP address or host name for the Windows XP Professional VPN server. the following line could represent an entry in an LMHOSTS file: 10.0. you can use that IP address in the VPN client configuration interface. A couple of services you might want to look into are TZO and DYNDNS.network is an issue for the VPN client. then you should create a LMHOSTS file. if the Windows XP Professional VPN server is assigned an IP address via DHCP. a simple text file that contains name and IP address mappings. If the Windows XP Professional computer has a dedicated connection to the Internet. Both of these services will let you dynamically register a computer’s IP address into the public DNS database. put quotes around LMHOSTS. However. To prevent Notepad from appending a file extension to the filename. The VPN server setup is simple and can accept calls from any Windows PPTP or L2TP/IPSec client. make sure that the file doesn’t contain a file extension. you’ll have to use an Internet host name and a method of registering the host name dynamically. For example. Figure K Conclusion Windows XP Professional provides simple VPN server capabilities that let you connect single VPN clients to your internal network.

In this article. LAN. Once you’ve clicked through these screens. and you’ll enter a phone number instead of an IP address. which will ask if you’d like to add a shortcut to this connection to the desktop. and 118 Administrator’s Guide to VPN and Remote Access. You can modify Dialing and Redialing options. under the Network Connection screen. DIAL-UP If you’re connecting via dial-up. remote access. 2002 By TechRepublic Staff V PNs have caught on quickly with small and medium-size businesses. In the wizard. VPNs provide secure connections. Connecting to the VPN You can configure a variety of settings for dial-up and VPN connections. The next two screens will ask for the company name and the IP address of the VPN server. you can do so easily through the Properties window (see Figure A). you’ll find four selections (instead of the five in Windows 2000 Professional). there are only two differences. navigate through Start | Control Panel | Network And Internet Connections and click the Set Up Or Change Your Internet Connection link. Security options. you’ll select Dial-up Connection instead of Virtual Private Network connection. If you want to edit the settings for the connection. Click Finish. or WAN connectivity. Select the Virtual Private Network Connection option and click Next. VPNs permit employees to connect to office resources from home or other locations using common hardware. which will open the New Con- nection Wizard. we’ll describe the process of setting up a VPN client connection within the Windows XP operating system. If you’re configuring laptops for remote VPN connections via DSL modem.How to configure Windows XP client VPN connections Apr 25. click the Setup button. TCP/IP. To connect. 2. click Yes. the next window will ask you to specify the type of connection you’re creating. Then. you can do so from the Properties window. In the New Connection Wizard. Supply your User Name and Password for the network you wish to access (see Figure B) and you’ll be ready to start enjoying the benefits of secure. Second Edition . double-click the shortcut—if you chose to create one—or select the connection by clicking Start | Connect To and selecting the name of the connection you created. primarily for three reasons: 1. Figure A If you need to change the telephone number or other settings associated with the VPN connection. 3. choose No if you don’t. The cost to set up and maintain a VPN is low compared to other networking connection solutions. Once the Internet Properties window opens (Figure A). The connection type you’ll select is Connect To The Network At My Workplace. you’ll be greeted with the final screen. If you want a VPN icon.

In this article. Associating programs with a specific service. but had to transport floppies. I’ll show you how it’s done.NET. Given that more and more companies are turning to VPNs for security reasons. AUTHOR’S NOTE You can configure NT to act as a VPN for both dial-up and Internet connections. you can deploy a VPN for those users in need by using NT’s RAS. including: Changing security settings of individual components. I’ll show you how to configure NT to act as a VPN for users who are coming in over the Internet. and they all want access to your network with the same ease and rights as if they were in the office next door to you. such as Firewalling and NAT. 2002 By John Sheesley n the good old networking days. Nowadays. Several other options can be configured on the tabs in your connection’s Properties window. users are scattered all across the globe. I Even though you’re still running Windows NT.Advanced options. Not any more. so you didn’t have to worry about them either. Configure Windows NT to support VPN connections May 31. VPN on Windows NT If you want to deploy a VPN on your network and you already run Windows NT. life as a network administrator was simple. you need to understand how to configure this networking option. Selecting privacy settings for Internet zones. The only users you had to worry about connecting to your network were the ones in your building. Users working from home or on the road couldn’t access network resources. Deploying a VPN doesn’t mean that you have to upgrade to Windows 2000 or wait for Windows . Users at other locations had their own networks with another network administrator to take care of them. Supply your networking User Name and Password for authentication purposes. Configuring a proxy server. then you don’t necessarily have to invest in a hardware Administration 119 . Figure B XP makes VPN a cinch Windows XP includes a VPN functionality that is more robust and clearer than in previous versions of Windows. That’s where VPNs come in. For the purposes of this article.

When the Network Properties window appears. click Protocols. PPTP can use any of the following protocols: Password Authentication Protocol (PAP) Shiva Password Authentication Protocol (SPAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) You can support up to 256 simultaneous logons to your Windows NT server over the VPN. if you want to connect 50 users. and four times to scroll to 52. you can’t directly type the number of connections in the Number drop-down list box. NT uses either 40-bit or 128-bit encryption keys to encrypt traffic that travels to and from the server. For authentication purposes. NT will prompt you to install the RAS service. Doing so is almost as easy as deploying a VPN using Windows 2000. Select Point-to-Point Tunneling Protocol and click OK. The first thing you must do to configure PPTP is set the maximum number of connections that you want to allow via VPN. For security. Click OK to close the window after you’ve set the number of connections you want. Oddly enough. You can deploy a VPN solution using NT’s RAS. Next. Instead. When the files finish copying. NT will begin configuring PPTP. You would press 5 three times to scroll to 51. you must add PPTP. shown in Figure A. Once connected. First. which will cause the list box to scroll first to 5 and then to 50. users have the same rights on the network as if they were connected via a LAN. with the actual encryption level depending on the software used by the VPN client. 120 Administrator’s Guide to VPN and Remote Access. Do so and wait while it copies the files to your server. you would press 5 twice. Some of the things missing from Windows NT’s VPN include: Support for L2TP Policy support for remote access Support for an Internet Key Exchange Support for IPSec Active Directory integration That said. Make sure RASPPTPM is selected as the default device. Click OK to close the Setup Figure A Figure B You must specify the number of PPTP connections. NT’s VPN solution is still very robust and secure.VPN or upgrade to Windows 2000. and so on. To set up a VPN that will allow access from the Internet. because Windows NT is older than Windows 2000. So. you don’t gain all of Windows 2000’s additional features in the Windows NT VPN. However. NT’s VPN uses Point-to-Point Tunneling Protocol (PPTP). You can specify anywhere from 10 to 256 connections. By default Windows NT configures its RAS to allow connections via dialup. you must select the number of connections from the box. You’ll then see the Select Network Protocol screen appear. Second Edition . Click Add on the Protocols screen. You’ll then see the PPTP Configuration screen. Configuring Windows NT for VPN support Configuring Windows NT for VPN support is a fairly easy task. You can speed up the process somewhat by pressing the first number of the connection you want. Your server will prompt you to insert the Windows NT Server CD. right-click Network Neighborhood and select Properties.

Don’t worry about selecting the Enable Multilink 121 Administration . If users need a particular static IP address for some Figure C The Network Configuration screen controls network settings for the connection. You’ll then see the Remote Access Setup screen. such as dial-up modems. Next.Message window informing you of this to continue. This will ensure that users don’t attempt to use the RAS to connect to external resources. make sure VPN1-RASPPTM is selected in the RAS Capable Devices drop-down list box. click the Configure button. make sure that the Receive Calls Only radio button is selected. On this screen. NT will then begin copying the RAS files to your server. When it’s done. You’ll see the Network Configuration screen appear. Click OK if everything looks correct. Chances are you’ll use only TCP/IP. shown in Figure B. as shown in Figure C. From an administrative standpoint. double-check the other selections. You can add other devices later if you want. NT will display the protocols currently running on your network. Click OK to continue. That way you don’t have to worry about overlapping addresses or filtering rights based on TCP/IP addresses. reason. select the Require Microsoft Encrypted Authentication radio box. Figure D This screen allows you configure the protocol for the user. To allow users to access any network resource. The Allow Remote TCP/IP Clients To Access box allows you to control the type of access that remote users have. you can select the Allow Remote Clients To Request A Predetermined IP Address check box. Select VPN1 and click Configure. You can limit them to resources only on the VPN server by selecting This Computer Only. Click OK once you’ve made all of your selections When you get back to the Network Configuration screen. To configure the protocol. you’ll see the Add RAS Device screen. To secure communications between clients and the server. click Network to configure the network settings for the remote connection. On this screen. it’s easiest to use DHCP. select Entire Network. To allow remote connections. you make selections that dictate how NT will assign the TCP/IP address for the remote user. You can either use DHCP to assign network addresses or assign addresses from a static pool. you can see any RAS connections your server is prepared to handle. You’ll then see the RAS Server TCP/ IP Configuration screen. The Server Settings pane contains the selections for network protocols the client will be able to use once connected to the VPN. shown in Figure D. When the Configure Port Usage screen appears. so deselect any other protocols. You should select only protocols necessary for the users to get their work done.

shown in Figure E. click the Dialin button. Alternatively. To start the Remote Access Admin utility. Allowing users to access RAS Just because you install RAS and VPN support on your server. reapply the last Service Pack you applied to your server and restart it again. doesn’t mean your users can use it. Figure F You can control the Remote Access Service using Remote Access Admin. You’ll then have to restart your Windows NT Server. there’s no easy way to select multiple users at once. By default. you can click the Grant All button to give VPN rights to every user on your NT server and then scroll through the User list box and remove the check from the Grant check box. Click OK to shut down the window. you have two choices: You can either change the user’s rights within User Manager For Domains or you can use the Remote Access Admin utility. To grant a user the right to use the VPN. and it won’t work if users are connecting via VPN. select the user to whom you want to grant VPN rights. When the configuration finishes. This is used primarily by dial-up clients to maximize throughput. You’ll then see the Remote Access Admin Window appear. When the utility starts. Click the Grant Dialin Permission To User check box to allow access to the VPN. you can click Continue to close the screen and finish the configuration. Windows NT denies everyone the ability to access the server via VPN. To allow a user to use the VPN. Start the User Manager For Domains by clicking Start | Programs | Administrative Tools (Common) | User Manager For Domains. Unfortunately. you’ll be ready to start using RAS. This window lists the available RAS Server and other information for the RAS server. You can also use the Remote Access Admin utility.check box. Click OK to close the Network Configuration window. make sure that No Call Back is also selected. This increases security on your network and allows you to rest easy knowing that not just anyone can get in through your VPN. To allow a user to use the VPN. After the server restarts. Select the Grant Dialin Permission To User check box. Figure E You can control user rights using the Remote Access Admin utility. click Start | Programs | Administrative Tools (Common) | Remote Access Admin. Second Edition . If you want 122 Administrator’s Guide to VPN and Remote Access. You’ll then see the Remote Access Permissions screen. After this last restart. select Permissions from the Users menu. NT will copy more files to your server and configure the RAS service based on the selections you made. When the User Properties screen appears for the user. You must select each user one at a time. Make sure the No Call Back is set in the Call Back box. Select Properties from the User menu. This box is only useful for users that dial in to a modem. NT will display an informational screen telling you what utilities to use to administer RAS. You’ll then see the Dialin Information screen appear. Click OK to close the Dialin Information screen and then OK again to close the User Properties screen. which I’ll discuss more below. After you return to the Remote Access Setup screen. scroll through the Users list box until you find the user you want. Again. Let’s look first at the User Manager For Domains.

As you can see. You’ll then see the Remote Access Users screen. You’ll then see the Communications Ports screen appear. Remote Access Admin has a static display. double-click the server. If you want to view information about a user account. Figure G The Remote Access Admin utility. gives you full control over the RAS. you can quickly deploy a VPN for your network. From this screen you can do the following: Disconnect the user from the VPN by clicking Disconnecting User Send a message to a specific user by selecting the user and clicking Send Message Send a message to all users by clicking Send To All View detailed information about the connection by clicking Port Status If you click the Port Status button. select Stop Remote Access Service. select Start Remote Access Service. select Refresh from the View menu. including such things as how much bandwidth the user can use. You can start or stop the RAS from the Server menu. and the user’s VPN IP address. VPNs on NT: Virtually Painless Networking Even though you’re still using Windows NT. Remote Access Admin also allows you to view user information. Figure H Remote Access Admin shows information about logged on users. This screen looks similar to the Communication Ports screen except that rather than showing connections. you don’t have to be left out in the cold when it comes to deploying such things as VPNs.to quickly remove access to the VPN from every user. You can also pause access without unloading the service by selecting Pause Remote Access Service. To stop the service. shown in Figure G. Using NT’s RAS. and you can administer their access without learning any new operating systems. it does show information about user rights in general. along with the maximum number of connections and current number of logged on connections. To start it. select Active Users from the Users menu. To view detailed information. While it doesn’t show detailed information about permissions and such. Here you can see detailed information about the user’s connection. it shows connected users. along with callback and password information. To refresh the screen. Other Remote Access Admin tasks The Port Status screen shows you detailed information about a user’s session. highlight it and click User Account. It doesn’t change as users log on and log off. how many packets have been transmitted. To do so. you’ll see the Port Status screen. and thereby the VPN. 123 Administration . You’ll then see the screen shown in Figure H. shown in Figure F. Like the Communications Ports screen. Remote Access Admin lists the servers that can support VPN. click the Remove All button. you can send messages or disconnect users from this screen. Users can dial in and have the same rights as if they were connected locally.

PPTP-based VPN server. 2002 By Rick Vanover indows 2000 Server has been on the market for more than two years. connection types. Windows NT.microsoft. unfortunately. Windows . Of course. This option is assigned in each user account from within the User Manager For Domains administrative tool. In terms of VPN troubleshooting. Figure A Figure B Enable Dialin Permission for users who will make VPN connections. Use the Grant All button to enable RAS/VPN permissions for all users.Monitoring and troubleshooting VPN connections in WinNT Jun 12.com/search/ preview. But many enterprises have consolidated around Windows NT Server 4 as a back-end infrastructure. but some important server-side issues must be considered as well. and its successor.aspx?scid=kb. This will also generate an Event 20082 of source Remote Access in the Event Log of the Remote Access/VPN server.Q117304). even though VPN was a very new technology back when NT was released in the mid-1990s. is just around the corner. and client configurations. Microsoft provides a nice list of all RASrelated error codes and a description for each in Knowledge Base article Q117304 (http://support. supporting an NT VPN server requires the administrator to be diligent in monitoring and optimizing the VPN and to be able to troubleshoot issues that appear in the day-to-day administration of an NT VPN server. If a user does not have this option enabled on the account. That includes using NT as a first-generation. I have found most issues to be related to the client-side configuration. the connection will not be established and the user will be told that dial-in permission does not exist for the selected account. Second Edition .en-us. This option simply states whether this NT account can access the Remote Access Service (RAS). 124 Administrator’s Guide to VPN and Remote Access. does not allow the dial-in right to be assigned to a local or Troubleshooting In supporting VPN clients. as shown in Figure A. W Rights issues The rights needed to access an NT VPN server are assigned by the Grant Dialin Permission To User option in each user account. networking setup. we’re going to take a look at rights issues.NET.

This setting is configured in the properties of the Point-To-Point Tunneling Protocol within the Network applet of the control panel on the VPN server. wireless. For the VPN client. broadband. an important consideration is whether the VPN connection will Administration 125 . I have had many issues with ISPs that add protocols or adapters into the client networking setup. such as special client software from the ISP. if you do change ISPs. While it is likely that the VPN server will not be changing ISPs frequently. where the only accounts on that computer are the dial-in accounts (not the domain accounts). as shown in Figure C. This option does not allow you to select a number of users and assign the right—it assigns all listed users the right to dial in. On the server. name resolution means. Users tend to change ISP connections frequently. For example. have the client connect to “vpn. Another concern related to connection types and networking setup comes up when users try to use a nonstandard ISP to connect their VPN. you don’t have to reconfigure all of your client configurations. you will be dealing with different connection types. When supporting users. you may have a mix of how users connect to your VPN server. and gateways can affect the reliability of your VPN solution. Using the Remote Access Admin console to give all users dial-in rights is most useful if you are using your Windows NT VPN server exclusively for remote dial-in (including VPN). If you have a user who is having trouble accessing the VPN. If you are supporting telecommuters. you’ll need to watch the situation carefully. The Remote Access Admin will allow you to assign the dial-in right to all users. Make an effort to be aware of how your VPN clients are connecting to the Internet (and then to your VPN server).com” and make sure that your DNS records are modified accordingly during your ISP change. be sure that you have enough VPN connections enabled for the number of potential VPN users that will be connecting. users needing occasional remote access. You can bypass this limitation somewhat by using the Remote Access Admin administrative tool. which will make an ISP change easier for everyone involved. I have learned to have the clients connect to the VPN’s fully qualified domain name instead of an IP address.company. and depending on your situation. Various dial-up.global group. If you take this approach. as shown in Figure B. Topics like RAS setup. Set the allowed number of incoming VPN connections. and other connections may cause you headaches in trying to support VPN users. Also. you should provide or recommend a good ISP for dial-up access in order to save yourself a lot of headaches down the road. try to provide or recommend the best solutions based on your experience. A nonstandard ISP is one that adds items into the Network applet of the control panel. and/or site-to-site VPNs. satellite. ask whether any software was installed that may have affected the network stacks. ISP networking issues. Figure C Connection types Supporting VPN clients entails an assortment of responsibilities. It also lets you revoke all users. That way. Networking setup The networking of a VPN can be a frequent trouble spot.

authenticate the client to be part of the Windows domain or authenticate it on the VPN server and simply give it a connection to the internal network. This setting is configured on the VPN client, and it varies slightly with different versions of Windows. Generally, you can configure this setting by selecting (or not selecting) the Include Windows Logon Domain in the Properties dialog box for the VPN connection in the Network/Dial-up Connections applet. Figure D shows an example of what this looks like using Windows XP as the client operating system. (Windows 2000 looks almost identical to this.) Another important aspect of the VPN client setup is the default gateway. If the client VPN connection is set up to use the default gateway on the remote network, all Internet traffic will be routed through the VPN connection. For example, if someone makes a VPN connection from a home machine, any time that person tries to access an Internet site, the request will be sent over the VPN tunnel to the company network and out the Internet.

The downloaded page will then be sent back down the VPN tunnel to the client. Obviously, most of the time you’re not going to want this to happen. But if you do want to enable this setting— for example, for tracking all Internet traffic from a company laptop—on a Win2K client, go to the Properties of the VPN connection and select the Networking tab. Then, select TCP/IP, click Properties, click Advanced, and select the Use Default Gateway On Remote Network check box, as shown in Figure E. Name resolution is also an important part of supporting a VPN client. The easy option is to have RAS use DHCP assignments for VPN connections. This option will usually give the clients the same network resolution services that DHCP connections on the internal network are entitled to use and will greatly simplify the work of an admin.

Client configurations
Client VPN problems can be tough to diagnose. I have found client troubleshooting

Figure D

Figure E

Set up the client to use the gateway of the remote network.

Select whether you want the connecting client to be part of the Windows domain.


Administrator’s Guide to VPN and Remote Access, Second Edition

issues generally not to be related to VPN/ PPTP but to changes on the end user’s PC. This can include problems with: Virtual hardware devices (modems in particular) not operating correctly. Bogus DHCP leases/assignments requiring a manual release/renew. Installed software that has modified the networking stack of Windows. Settings that have been accidentally changed on the VPN connection itself. While diagnosing these problems is challenging, getting the VPN to work again is usually fairly easy. One trick I’ve relied on is creating two identical PPTP connections on the client computer. I put one on the desktop as a shortcut and keep one untouched. Since the end user does not utilize it, I can use it as a support tool. This setup allows you to tell if the settings of a PPTP connection are inhibiting the user from authenticating and/or connecting correctly.

active connections have been online, and provides statistics on the number of bytes transferred. Use WINS/DHCP Admin—This tool lets you determine whether you have a DHCP lease reserved for a VPN client. Reevaluate VPN strategy—If the VPN solution is a trusted VPN (all TCP ports open) to all clients, consider adding TCP/IP security (Advanced Properties of TCP/IP from the Network applet of the control panel) for the explicit ports needed to the VPN server’s internal interface.

Microsoft provides detailed information about client and server PPTP connections on Windows NT Server 4. You can download these documents from the Microsoft Web site (http://www.microsoft.com/ ntserver/techresources/commnet/ default.asp).


Monitoring the VPN connections is important to ensure that they are working correctly and are not being abused. Here are some ways you can monitor your VPN server: Use Remote Access Admin—This configuration applet shows you current connections, lets you see how long the

Final word

The Windows NT 4 VPN server is still in use in many organizations, and keeping the connections working correctly will ease your administration worries. The tips provided here should be a valuable companion for troubleshooting and monitoring your NT 4 VPN servers and their connecting clients.

The Win9x VPN client connection guide
Jun 5, 2002 By Dr. Thomas Shinder, MCSE


PN Servers go a long way toward saving money for companies with remote access clients. In the not-so-distant past, companies that wanted to give road warriors access to corporate internal network resources needed to install modem banks and multiple phone lines. The cost of installing

multiple dial-up RAS servers was compounded by the long distance charges or costs incurred from 1-800 numbers. VPN servers remove this cost-rich hardware/telco layer and allow you to support dozens and even hundreds of remote access calls with a single VPN server and highspeed Internet connection.


Most of the articles I see on the Internet focus on how to set up and configure the VPN server. This makes sense, since most of the complicated work in setting up a VPN client/server solution is done at the VPN server. However, configuring VPN clients is not always a piece of cake. This is especially true when dealing with legacy VPN client operating systems, such as the Windows 9x line. We’ll look at how to configure your Win9x computers to be VPN clients that connect to Windows NT 4.0 VPN servers. You can use the same procedures to configure the Win9x clients to connect to Windows 2000 VPN servers. The only major difference between connecting to Windows NT 4.0 and Windows 2000 VPN servers is that the Windows NT 4.0 VPN servers do not support the L2TP/IPSec VPN protocol. However, this doesn’t pose much of a problem for our Win9x VPN clients, because the only VPN protocol supported by Win9x operating systems is the Point-to-Point Tunneling Protocol (PPTP).

A Y2K fix for the VPN DHCP client component. Fixes that improve the stability of the PPTP connection. Support for internal ISDN adapters. Multilink support. Support for PPTP connections over a “LAN” or dedicated connection (such as DSL or cable). Check out Microsoft Knowledge Base article Q297774 (http://support.microsoft.com/
default.aspx?scid=kb;en-us;Q297774& SD=MSKB&) for full details on DUN 1.4.

Windows 9x Dial-up Networking Service 1.4 (DUN 1.4)

There are several versions of DUN 1.4, one each designed for Windows 95, Windows 98, and Windows 98SE. Information about the updates and files for download can be found in Microsoft Knowledge Base article Q285189 (http://support.microsoft.com/default.aspx ?scid=kb;en-us;Q285189). Be aware that you will need to restart the computer at the end of the DUN 1.4 installation.

Windows Me does not require the DUN 1.4 Dial-up Networking update.

Before getting into the nuts and bolts of configuring the Win9x VPN client, you need to familiarize yourself with the latest update to the Win9x Dial-Up Networking Service, DUN 1.4. There are several reasons why you’ll want to download and install DUN 1.4, including: Support for 128-bit encryption.

Configuring the Windows 9x VPN client

Figure A

The procedure for configuring the Windows 9x VPN clients is very similar, with only very minor differences between each version. Prior to configuring the PPTP VPN client connection on the Win9x client, make sure you have an Internet connection to the Internet VPN server. The Internet connection device can be an analog dial-up modem, ISDN terminal adapter, a DSL line, or a cable connection. Let’s use the Windows 95 client as an example of how to configure all the Win9x clients. Perform the following steps on your Windows 95 computer: 1. Click Start | Programs | Accessories. Point to Communications, and then click on Dial-up Networking.


Administrator’s Guide to VPN and Remote Access, Second Edition

2. The Dial-up Network Wizard Welcome
dialog box will appear (Figure A). Click Next to continue.

3. On the next page, type in a name for the
connection in the Type A Name For The Computer You Are Dialing text box. Click the down arrow in the Select A Device drop-down list box and select the Microsoft VPN Adapter option (Figure B). DUN 1.4 added this feature to your Windows 95 computer. Click Next.

address on your VPN server that is listening for incoming VPN connections. If you do not have a DNS entry for your VPN server, enter an IP address instead. Click Next.

5. On the last page of the wizard (Figure D),
you’ll be told that you’ve done everything right and that you’ve created a new connection. After clicking Finish, the connectoid will appear in your Dial-Up Networking folder.

4. On the Make New Connection page, type
in the IP address or the Fully Qualified Domain Name (FQDN) of the VPN server that the Windows 95 computer will connect with (Figure C). If you use an FQDN, make sure that there is an entry in the public DNS that resolves to the IP

6. Return to the Dial-Up Networking window. You should see the icon for the VPN connectoid you just created, and another connectoid for an ISP connection if you require a dial-up connection to access the Internet (Figure E).

Figure B

Figure C

Figure D

Figure E



which is the VPN server’s VPN interface. you can change the name or IP address of the VPN server. Second Edition . Also. When you click on the TCP/IP Settings button at the bottom of the Server Types tab. the VPN client is assigned a new default gateway. check the Require Encrypted Password box. uncheck protocols that you do not use. you’ll see what appears in Figure H. However. This Figure F Figure G Set high encryption for the link. If you do not disable the protocols. you should leave the default settings Server Assigned IP Address and Server Assigned Name Server Addresses as they are. This is convenient because. For connections that support MS-CHAP. If you want to use MS-CHAP version 2. the VPN client uses the VPN interface as the gateway for all nonlocal network addresses. the ISP assigned the computer a default gateway at the ISP to allow the client access to the Internet. when the Use Default Gateway On Remote Network option is enabled. Therefore. You can make many customizations on the Server Types tab (Figure G). you don’t have to create a new connectoid. The end result is that the VPN client cannot access the Internet once it connects to the corporate VPN. the Log On To Network and Enable Software Compression options are enabled. If this option is disabled. if the name or address of the VPN server changes. If the client dialed in to an ISP first. Right-click the VPN connectoid and click Properties. Most VPN servers will automatically assign IP addressing information to the VPN client.NOTE You must create the dial-up connection separate from the VPN connection. the client will negotiate MS-CHAP version 2 with the VPN server first. The most interesting option is the Use Default Gateway On Remote Network. Further tweaking with VPN Properties You might want to do some further tweaking of the VPN connection. the client will drop down to support MS-CHAP version 1. By default. the VPN client will be able to access both the internal corporate network and the Internet at the same time. The Use IP Header Compression option should be set if the VPN server supports this option. If the server does not support MSCHAP version 2. make sure that data encryption is enabled. When this option is selected. Just change an existing one. If you want to optimize connection speed. 130 Administrator’s Guide to VPN and Remote Access. On the General tab (Figure F). the client will attempt to negotiate each one selected.

Windows 98/98SE allows you to configure a redial value and a wait interval before redialing. The interfaces are virtually identical after installing DUN 1. The only difference you’ll see is found in the Connections menu in the Dial-up Networking window. You also have the option to be prompted before a dial-up connection is established. In the Dial-up Networking window. Both Disable Sending Of LAN Manager Passwords and Require Secure VPN Connections are enabled by default. the client will first negotiate 128-bit Figure I Figure J Administration 131 . the connection attempt will fail. The secure VPN connection option will force 128-bit encryption. click Connections and then click Settings (Figure I).4. Figure H The Windows 98/98SE VPN client Configuring the Windows 98/98SE client works exactly the same as configuring the Windows 95 client. LAN Manager password authentication is inherently insecure and should always be disabled. If this option is not enabled. Allowing the VPN client to access the Internet through the ISP and also the corporate network through the VPN at the same time is poor security practice. This option isn’t available in the Windows 95 dial-up networking. This is akin to allowing users on the internal network to plug modems into their computers and thus bypass corporate Internet access policies. If the VPN server does not support 128-bit encryption. Click on the Security tab and you’ll see what appears in Figure J.creates the possibility that the VPN client will be able to route packets from the Internet to the internal network. This is helpful when you use dial-up networking to map network drives via the VPN interface.

If the negotiation fails. This is in spite of the fact that the WINS address is configured only on the NIC. it will fall back to 40-bit encryption. I’ll explore OWA to give you an understanding of how it works and how to implement it. the NIC may need to be removed before the VPN user can connect to the network remotely. Second Edition . The user may need to run the winipcfg utility from the Run menu to renew the IP address. Only the virtual IP address can be listed on the external interfaces of the cluster members if you expect to connect down-level clients to a PPTP VPN NLB cluster. Understanding Exchange 2000 Server’s Outlook Web Access Mar 22. 2001 By Jim Boyce M icrosoft introduced Outlook Web Access (OWA) in Exchange 5. and improved functionality for clients. Overview of Outlook Web Access OWA provides a means for clients to connect to an Exchange server through a Web browser to access their mailboxes. Some of these features are added through OWA itself and others in combination with Internet Explorer 5.0.0 to enable clients to access their Exchange Server mailboxes through a Web browser. Exchange 2000 Server includes some additional features not provided by OWA in Exchange Server 5.encryption.x. 132 Administrator’s Guide to VPN and Remote Access. manipulate their calendars. Note that manually setting a DNS server address on the machine’s NIC will not prevent the PPTP VPN client from obtaining a DNS server address from the VPN server. Microsoft has made some significant improvements in OWA in Exchange 2000 Server to provide better performance. If the VPN client fails to connect to a PPTP NLB cluster. the user should contact his ISP to determine if GRE connections are allowed for the user’s account. In this article. Some final thoughts on troubleshooting There are a handful of troubleshooting issues you should be aware of before finalizing your VPN client/server solution. and perform many—but not all—of the tasks they can perform when connecting to mailboxes through an Outlook or Exchange client. You may run in to issues when users plug directly into the corporate network with an Ethernet card while at work. the ability to support a larger number of users. the PPTP VPN client will not be able to obtain a WINS server address on the PPTP VPN interface. Clients can send and receive messages. and then go home and try to connect to the same network through the PPTP VPN interface. confirm that only the virtual IP address appears on the external interface of each of the cluster members. Many ISPs do not allow incoming GRE packets into their networks.” If the VPN client cannot establish a VPN connection with the corporate VPN server. or they require that the user pay extra for a “business account. If that does not work. If a WINS server is manually assigned to a NIC. Windows 9x clients will not be able to connect to VPN NLB server clusters if the NLB interface still has the actual IP address configured on the cluster servers.

OWA is a good alternative for those users who don’t need the full range of features offered by Outlook and can save the administrative and support overhead—as well as licensing costs—to deploy Outlook. You can view and modify existing contacts as well as add new ones. which enables you to download only message headers and not message bodies. it doesn’t offer all the capabilities provided by the Outlook client. select the message header. all without downloading it to your client computer. Clients can connect to the Exchange server. spelling checker. Likewise. Calendar.x uses Active Server Pages (ASP) to provide communication Administration 133 .x.2 or higher. but OWA 2000 supports HTML-based messages as well. and Macintosh users the ability to access Exchange Server mailboxes and participate in workgroup messaging and scheduling. an added benefit is the ability to delete messages without downloading them. However. OWA can also be a useful means for giving UNIX.0: drag-and-drop editing and shortcut menus. OWA also lets you access your Contacts folder through the Web. You also can access embedded objects in messages. which provide full access to Exchange Server and its features. This is useful when you have a corrupted message that is causing your Outlook client to hang or you have a message with a large attachment that you want to delete rather than download. you can view the Journal but you can’t add new Journal entries. However. and Outlook rules for processing messages. including the previously mentioned drag-anddrop editing and shortcut menus. and forward or delete messages. browsers that support DHTML and XML offer a richer set of features than those that do not. some features rely on Internet Explorer 5. send new messages. and named URLs—rather than globally unique identifiers (GUIDs)—for objects. You can view and modify existing items as well as create new appointments. Client options OWA supports any Web browser that supports JavaScript and HTML version 3. A brief overview of the OWA architecture OWA in Exchange Server 5. and Contacts folders. Although giving clients access to the inbox without requiring an Outlook or Exchange client is certainly an important aspect of OWA.x. but it doesn’t enable you to create new tasks. This includes Internet Explorer 4.x offers an interface to OWA that is much closer to the native Outlook client. For example. multimedia messages. OWA is useful for enabling roaming users to access the most common mailbox features when they don’t have access to their personal Outlook installation. For example. and OWA naturally supports e-mail access. Other new features include support for ActiveX objects. Outlook gives you this ability through its Remote Mail feature.OWA isn’t meant to be a complete replacement for Outlook or the Exchange client. Two new features in OWA 2000 rely on Internet Explorer 5. OWA’s features E-mail is inarguably the primary function of Exchange and Outlook.0 or later. reminders.0 or later and Netscape 4. including a preview pane and a folder tree for navigating and managing folders. read those messages. OWA in Exchange 2000 Server adds a few new features for messaging. OWA doesn’t provide the means to use your mailbox offline. but the ability to view your schedule and add new appointments is certainly useful. another feature not supported by 5. Linux. view the headers in the inbox. Other features not supported by OWA that are available through Outlook and the Exchange client are timed delivery and expiration for messages. OWA doesn’t give you the same level of access to your Calendar folder as Outlook or the Exchange client. public folders containing contact and Calendar items. In addition to its messaging features. Internet Explorer 5. Even though OWA is a useful tool for accessing your Inbox. In addition. You can simply connect to the mailbox with your browser. Finally. OWA enables clients to access their Calendar folders. both the current and previous versions support rich-text messages. OWA provides access to your Tasks folder (and to all your other folders as well). and delete the message. For example. reply. as well as native Kerberos authentication.

but dropped it due to performance problems. or POP3 to users on the Internet. The front-end server sits on the Internet. For example. The Web Store supports several important features.between the client and the Exchange server. Anonymous: You can use anonymous access on public folders to simplify administration. Under Exchange 5. however. is now integrated within Exchange 2000 Server as part of the Web Store. for example. Exchange 2000 Server uses a different architecture that improves performance and thereby increases the number of users that a server can support. and supports multiple protocols. it also offers the least security because passwords are transmitted unencrypted. and XML. Topology considerations for deploying OWA If you host only one Exchange 2000 Server computer. Although it offers the broadest client support. rather than residing on IIS. In addition to these three authentication mechanisms. Instead. Through its support for multiple protocols and APIs. but rather than having to process a client request. there really aren’t many considerations for deploying the server. Integrated Windows: This option uses the native Windows authentication method offered by the client. The reliance on ASP essentially makes OWA a feature of Internet Information Server (IIS) rather than Exchange Server. Other Windows platforms use NTLM rather than Kerberos.x and reduces the number of users a server can support through OWA. The client browser still uses HTTP to connect to the site. uses Lightweight Directory Access Protocol (LDAP) to query the Active Directory for the location of the requested resource (mailbox. Second Edition . eliminating the need for the client to enter the credentials again when connecting to OWA. IMAP. Internet Explorer uses Kerberos to authenticate on the server. including HTTP. WebDAV. The combination of ASP and MAPI imposes a performance overhead that limits OWA’s capabilities in Exchange Server 5. OWA. On Windows 2000 systems. OWA functions primarily as a Web site hosted under IIS that uses ASP to process client requests and then uses HTTP to communicate with the Exchange server (which uses MAPI to manipulate the message store). and other data. either outside the firewall or inside a perimeter firewall. OWA in Exchange 2000 Server no longer uses ASP but instead relies on HTML and DHTML. The server uses the Messaging Application Programming Interface (MAPI) to handle messaging requests. The Web Store isn’t specifically targeted at supporting access through OWA. It accepts requests from clients on the Internet. The browser uses the client’s Windows logon credentials to authenticate on the server. Web pages. IIS simply passes the request off to the Exchange server and transmits replies back to the client. the Web Store opens up additional avenues for developers to extend Exchange functionality 134 and offers alternative means of accessing Exchange data. OWA supports the use of Secure Sockets Layer (SSL) to provide additional security for remote connections. In a multiserver environment. including e-mail messages. The Web Store provides a single store for multiple data elements. the Web Store offers a richer set of features and capabilities for storing and accessing data through means other than just Outlook. Administrator’s Guide to VPN and Remote Access. you need to give some careful consideration to how you will structure your Exchange environment. Security is better than Basic authentication because passwords are encrypted. documents. such as off-line access and remote client access.x. you should use a front-end server/back-end server scheme. When you provide access to your Exchange servers through HTTP (OWA). Authentication options OWA provides three options for authentication: Basic: This option uses clear text and simple challenge/response to authenticate access. Microsoft originally included Web Store access in Outlook XP (the next release of Outlook) to enable Outlook clients to use HTTP to work with their message store.

each user would have to know the name of the server hosting his or her mailbox and enter the appropriate URL. By providing a single point of entry. You don’t have to do anything to configure a server as a back-end server. Clients can use one of two methods to connect to their mailbox through a front-end server: either authenticate on the server (providing implicit authentication on the back-end server) or use explicit logon at the back-end server.for example). Because the frontend server always uses port 80. The front-end server then passes the request to the appropriate back-end server using HTTP port 80. removing that load from the back-end servers.techrepublic. clients add their account name. The back-end servers handle the traffic from the front-end server like any other HTTP traffic. you can set up multiple front-end servers to handle the traffic. The ability to place the back-end servers behind a firewall is another extremely important reason to use a front-end server. Any server not configured as a front-end server is by default acting as a back-end server. In situations where you have a high volume of traffic through the front-end server. A front-end server is a specially configured Exchange 2000 server. Front-end servers also offer a performance advantage in situations where you need to use SSL to provide additional security between the client and server. Configuring OWA You configure OWA using the Microsoft Exchange Manager and Active Directory Users Administration 135 . Decide what strategy— including placement of front-end servers to firewalls—makes the most sense for your organization. clients must connect to these servers directly. In the latter. The front-end server hosts no mailboxes and therefore doesn’t expose the mail system to intrusion. It also means that back-end servers that listen on a nonstandard port can’t function with front-end servers. When a request comes in to a front-end server. For example. If you didn’t have a front-end server. The front-end server then looks up the address in the AD and forwards the request to the back-end server for the user based on the information it finds in the AD. This frees up additional processor time for the back-end servers to process messaging requests from clients. even though the client might be using SSL to communicate with the front-end server. Instead. the front-end server extracts the user portion of the URL and combines it with the SMTP domain name to construct a fully qualified SMTP address.com to access their mailboxes. In the case of explicit logon. The front-end server can be configured for SSL and perform the associated encryption and decryption. SSL and encryption are never used between the two. you make it much easier to expand and rearrange the back-end server configuration without affecting your users. In the former. You would also use explicit logon when you need to access a mailbox that isn’t your own but for which you have access permissions. The front-end server then passes the traffic back to the client. One of the advantages to using a frontend/back-end topology is that you have to expose only one namespace to the Internet because that front-end server functions as the point of entry of sorts for your back-end Exchange servers. the server uses LDAP to query the Active Directory to determine the location of the requested data. acting as a proxy for the HTTP traffic. clients can specify the URL of the front-end server without their account name. keep the front-end/back-end topology requirements in mind. As you begin planning how you will deploy and manage your Exchange servers in light of OWA. sending responses back to the frontend server. com/jboyce. A back-end server is just a normal Exchange 2000 server. By configuring the front-end server to perform authentication prior to relaying requests to the back-end servers. users might connect to http://mail. as in http://mail. Clients never know that a server other than the one they specify in the URL when they connect is actually handling the messaging requests. specifying the appropriate port number.yourcompany. you considerably reduce the risk of denial-of-service attacks on your back-end servers. and passes the request to the appropriate back-end server.

there is no configuration needed at the back-end server to enable it as such. The front-end server can still host an information store and even user mailboxes. you might want to limit the users who can use OWA. POP3. you need to tweak one setting on the front-end server to make it function as a front- Sometimes your users need to access e-mail on the network but don’t have access to Outlook or Outlook Express to do so. and which public folders are exposed to clients. Microsoft improved the feature in Exchange 2000. Microsoft created Outlook Web Access in Exchange 5. Advanced Features. In general. Open the Exchange System Manager and locate the server in the Servers branch under the server’s administrative group. Second Edition . POP3. you can’t access the front-end server’s store through any of these protocols. 136 Administrator’s Guide to VPN and Remote Access.And Computers consoles. although changes you make through the Exchange System Manager overwrite changes you make through the IIS console. Conclusion Configuring a front-end server If you intend to use a front-end/back-end topology. You also can configure certain aspects of OWA through the Internet Services Manager console. As with most things. I’ve given you a quick look at OWA in Exchange 2000. Select HTTP. Because the back-end servers handle requests from the front-end server like any other request. You do so through the Active Directory Users And Computers console. but these mailboxes are accessible only through MAPI. Expand the Users branch and locate a user for whom you want to deny access through OWA. Controlling user access By default. Typical configuration tasks you would perform include specifying which users can access their mailboxes through OWA. and IMAP4 traffic. you should use the Exchange Manager and Users And Computers consoles for most configuration tasks. using the IIS console only for those tasks not available through the other consoles. and IMAP4 traffic to the back-end server(s). Select the option This Is A FrontEnd Server and click OK. all users are enabled for OWA when you install Exchange 2000 Server. and deselect the Enable For Mailbox option. To solve this problem. Keep in mind when you designate an Exchange server as a front-end server as explained above that you are directing the server to forward all HTTP. In this article. Because the server forwards all HTTP.0. which authentication methods to allow. click Settings. Configure any other settings as needed for the user and close the user’s property sheet. end server. In many situations. Open the console and choose View. You need to restart the Exchange and IIS services or restart the server for the change to take effect. Right-click the server and choose Properties to open its property sheet and then click the General tab. Click the Exchange Advanced tab and then click Protocol Settings.

Enabling Web access of Exchange accounts using Outlook Web Access Jan 18. It isn’t supposed to replace the Outlook client. request delivery. minimum High-speed network connection to the Microsoft Exchange server Microsoft Windows NT Server 4. In this article. read receipts. the OWA server handles most of the processing that’s normally performed by the client. you may experience problems accessing your folder list. The server processes includes MAPI sessions. send and receive file attachments and hyperlinks. set message priority. see free and busy times for multiple users. You may need to add more resources to the server or add more servers to handle the full load. MCSE D o you have traveling users who want to access their Exchange e-mail from the road. and create folders. or digital encryption. and automatically send and respond to meeting requests. E-mail: You do not have access to personal address books. such as Netscape Navigator) will work. or later (or any browser that supports frames.02. OWA limitations OWA will not allow you to use advanced e-mail features. The following are features not available when using OWA: Offline use: You must be connected to Microsoft Exchange Server to view information. 4. and RPC communications with the Exchange server. What does OWA do? OWA provides secure access to e-mail on your Microsoft Exchange server using a Web browser. address resolution.) Active Server Pages (ASP) Active Server components or Outlook Web Access components It’s a good idea to test your server’s configuration by starting small.0. 2001 By Troy Thompson.0 operating system with Service Pack 4 or later Microsoft Internet Information Server (IIS) (Microsoft Exchange Server 5. access day and week views. OWA features Outlook Web Access has many features. content conversion. This allows your organization to have identical clients on all platforms. Although the Web browser performs some processing on the client computer. Public folder access: You have access to custom views in table format.5 supports IIS 3. Each client requires a compatible browser to connect to the ASP on the OWA server. spell checking.0 supports only IIS 3. but you don’t want to go through the trouble of setting up VPN access for them? You can solve this problem by using Microsoft’s Outlook Web Access (OWA) for Exchange server. Calendar and group scheduling access: You can create one-time and recurring appointments in a personal calendar. rendering. including the following: Basic e-mail: You can use the Microsoft Exchange Server global address book. as well as how to install it. It also makes it inexpensive to access mail since you can download browsers for free from the Web.0. Microsoft Exchange Server 5. Otherwise.0. Administration 137 . I’ll explain some of the limitations of OWA.0 and later. Because of this. including UNIX workstations. and you can group and sort messages in a folder. state information. Internet Explorer 3. Give only about 100 users OWA and monitor your server to make sure it can support them. but it’s recommended that you use Internet Explorer 5. the server on which you install OWA must meet the following server requirements: Pentium 6/200 single or dual processor 256 MB of RAM. client logic.

The Messages Rendered counter for the MSExchangeWEB component: This shows the number of messages opened by clients and helps classify the user profile. Even though a single connection will not consume many resources. Because of this. use Microsoft Exchange Server digital encryption and signatures. as shown in Figure A.Calendar and group scheduling: You are without the monthly view and other customized views of your calendar. you should use Performance Monitor to measure the overall number of ASPs processed per second. Some counters to keep track of in Performance Monitor are listed below: The Requests Per Second counter for Active Server Pages: This should be between 10 and 15. The Sessions Time Out counter for Active Server Pages: This shows the number of ASP sessions that have timed out. you should restart the IIS server. If you deselect any box. ASP sessions that are open on the IIS/ Outlook Web Access Server. Collaboration applications: You cannot use Outlook 97 forms. to IIS and Outlook Web Access components. or synchronize local offline folders with server folders. Second Edition . Another recommendation is that you should dedicate one or more servers. On the next screen you will be presented with the components to install or uninstall. You use the Exchange Server CD to start the installation. There are two ways to implement a firewall with the OWA architecture: Administrator’s Guide to VPN and Remote Access. However. Before installing Outlook Web Access throughout your organization. The Outlook Web Access server will actually perform most of the work for connected clients. If the number of clients increases. Supporting one client connection is the same as running an instance of Outlook on the Outlook Web Access server. that component will be uninstalled. Public folder access: Outlook views are not in table format. you should consider adding additional Outlook Web Access servers. The Requests Executing counter for Active Server Pages: If requests are executing but the IIS server is idle. When this counter exceeds 15 ASP requests per second. you can always add more Outlook Web Access servers to load balance. Click Continue and follow the directions that appear. The Requests Total counter for Active Server Pages: This shows the total number of ASP requests started. Capacity planning The number of ASP requests per second that the server can process determines the load placed on IIS by Outlook Web Access. The Requests Queued counter for Active Server Pages: This should be between one and 20. Choose to set up Exchange and its components and then choose Add/Remove. Windows NT Challenge/Response (NTLM) authentication is not supported. or track acceptance of meeting attendees. the server will respond more slowly to user requests. you also cannot view details with Free/Busy. If the Performance Monitor counters are consistently too high and users frequently get “server too busy” messages. and CPU usage will reach 100 percent. Microsoft recommends that you implement a firewall. if Outlook Web Access and Microsoft Exchange Server are not installed on the same computer. other than your Microsoft Exchange Server. the Outlook Web Access server will run many active MAPI sessions to Microsoft Exchange Server. OWA security issues If Outlook Web Access clients access Microsoft Exchange Server over an Internet connection. it will start to queue incoming user requests. many sessions will. drag and drop to move appointments. The Active Sessions counter for Active Server Pages: This shows the number of 138 Installing OWA The installation of OWA is straightforward. Be sure that everything you want to install or have already installed has its check box selected.

The advantages of this type of authentication are: All browsers support Anonymous authentication. Using Basic over SSL authentication also allows users to access resources that are not on the user’s OWA server. select Outlook Web Access from the Options list. The username and password are then transmitted as encrypted information over the network to the IIS/OWA server. The advantages of this type of authentication are: All browsers support Basic authentication. To add support for OWA. Both the user name and password are transmitted as clear text over the network to the IIS/Outlook Web Access server. Users must be granted the Log On Locally right on IIS. The advantages of this type of authentication are: Almost all browsers support Basic over SSL authentication. Figure A Anonymous Anonymous authentication allows users to use OWA without specifying a Windows NT user account name and password. Anonymous authentication provides access only to resources that are published anonymously. The disadvantages are: Basic authentication is not secure because it transmits passwords across the network as unencrypted information. which is usually named IUSR_ComputerName. The disadvantages are: Anonymous authentication is not secure.Between IIS/OWA and Microsoft Exchange server Between the client and the IIS/Outlook Web Access server Outlook Web Access can be configured to use the following methods of user authentication: Anonymous Basic (clear text) Basic (clear text) over Secure Sockets Layer (SSL) Windows NT Challenge/Response (NTLM) I’ll discuss each method and its advantages and disadvantages below. even if those resources are not on the user’s OWA server. you should also use Secure Sockets Layer. Users can access an unlimited number of resources. If you choose this method of authentication. such as public folders and directory content. which encrypts all information passing through IIS. Basic (clear text) over Secure Sockets Layer Basic authentication over SSL requires users to specify a valid Windows NT user account name and password before they can use OWA. Administration 139 . Users can access only the Global Address List and public folders that are configured for anonymous access. Users are prompted for a username and password. Basic (clear text) Basic authentication requires the user to specify a valid Windows NT user account name and password in order to use OWA. Users are not prompted for credentials. The user has the rights of the default anonymous account.

The advantages of this type of authentication include: NTLM authentication is relatively secure. The limitation of NTLM is that all resources the user can access must reside on the same server as IIS and OWA. The disadvantages include: Due to the encryption. you should not use the Save Password feature in Internet Explorer— especially if the computer is shared among users. Users are not prompted for a username or password. Also.Users can access all Microsoft Exchange Server resources. the abandoned sessions will continue to consume server resources until they are timed out. Users should be instructed to log off from their OWA session instead of just closing their browsers. Since it is simple to install and maintain. The username and password are sent from the browser to the IIS server as encrypted information. The disadvantages include: Users can access resources only on the IIS/OWA server. the server may still perform poorly because ASP memory cleanup happens as a background process. 140 Administrator’s Guide to VPN and Remote Access. the messages accessed during the previous OWA session may still remain on the local disk. If caching is not disabled. Windows NT Challenge/Response (NTLM) Authentication NT Challenge/Response requires users to specify a Windows NT user account name and password before they can use OWA. which makes it possible for someone to see another user’s messages. Users must be granted the Log On Locally right on IIS. Other security issues For increased security. it is well worth the time and effort required to set it up. performance can be reduced. Users must enter a valid username and password. Not all browsers support NTLM authentication. it is a good idea to disable local caching on the browser. I’ve shown how Outlook Web Access gives you additional functionality for servicing your e-mail needs. Second Edition . It makes it easy for users to check messages from anywhere in the world using a browser—no additional client software is needed. Even if users log off from their OWA sessions properly. Basic over SSL authentication is much more secure than Basic authentication without SSL. Conclusion In this article. NTLM authentication is not supported if IIS/OWA and Microsoft Exchange Server are located on different computers. If an OWA session is not properly shut down when the client is finished connecting to the server.

with a single namespace. CCA. as part of the default setup of Exchange 2000. The only change needed is the selection of the This Is A Front End Server check box in the server’s Properties dialog box. you must restart the Exchange and IIS services or restart the computer. The obvious benefit here is the single. a front-end server may be just what you need. reliability. The other benefit is seen when allowing OWA access via a secure firewall connection or DMZ. The change essentially tells the Exchange 2000 server to redirect all HTTP traffic to a back-end server that contains the user’s mailbox. one front-end server is recommended for every four back-end servers. As Figure A illustrates. 2002 By Del Smith.Enhance Exchange 2000 OWA using front-end servers Mar 20. I’m going to show you how to go beyond the basic setup of Exchange 2000 OWA to explore ways your organization can leverage the key benefits of a front-end/back-end (FE/BE) OWA architecture. The front-end server first performs a lookup in AD to determine which back-end server should receive the request and then relays the request to the appropriate server. the type Figure A Active Directory Back-end servers Laptop Firewall Exchange 2000 front-end server Firewall Exchange 2000 Server A Exchange 2000 Exchange 2000 Server B Server C An FE/BE topology Administration 141 . mailboxes can be moved between back-end servers and users can still use the same URL. CCNA. As a general rule. Using an FE/BE topology Are you already running multiple Exchange 2000 servers in your organization? If so. the front-end Exchange 2000 server sends HTTP requests to a back-end Exchange 2000 server running OWA. only the frontend server is exposed on port 80 to the Internet. Microsoft recommends using the FE/BE server architecture to deploy OWA. Any server running Exchange 2000 Enterprise Edition can become a front-end server. it provides an additional level of security. if your organization requires more performance. no customization is needed to run OWA. and security than an “out of the box” OWA solution provides. consistent namespace the front-end server pro- vides to users. The actual number of front-end servers needed will depend on the number of users. After making the change. Since this server does not contact user mailboxes or data. However. In fact. Additionally. MCSE M icrosoft Outlook Web Access (OWA) is a tightly integrated component of Exchange 2000. Of course this is just a rule of thumb. With this topology. Users don’t need to remember URLs specifying exactly which servers their mailboxes are on. shown in Figure B.

including fast CPUs and adequate memory. and the average length of sessions. which improves network performance by removing SSL processing tasks from back-end servers. However. They also do not support using SSL to communicate with back-end servers. All of these factors lead to the conclusion that SSL on the front-end is the best solution. as we’ve done in Figure C. Securing communication between servers The front-end server handles authentication in one of two ways. This is where another benefit of FE/BE architecture comes in. Front-end servers do not support Windows Integrated Security (which includes both NTLM and Kerberos authentication). OWA logon for front-end servers Typically. frontend servers can handle all encryption and decryption processing. Exchange 2000 front-end servers support only HTTP 1. When using SSL. You should also note that HTTP communication between the front-end and back-end servers is not encrypted. or it is set up to forward the request anonymously to the back-end Exchange 2000 server. The recommended configuration is to have the front-end server authenticate users. users must enter their username in the format domain\username when logging on to a front-end server.of users (light vs. Front-end servers do not need large or particularly fast disk storage but should have specs similar to a Web server. Figure B Figure C Requiring SSL on the front-end servers Configuring a front-end server 142 Administrator’s Guide to VPN and Remote Access. as well as between front-end and back-end servers. so the use of SSL is highly recommended.1 basic authentication between client computers and front-end servers. Basic authentication allows for just a weak form of encoding when sending usernames and passwords across the network. heavy). you should make SSL connections to the front-end server mandatory by disabling access without it. Either the server is configured to authenticate users. Just modify the Exchange and Public virtual directories and manually enter the default domain name. as shown in Figure D. Second Edition . As an added measure of security. you can configure the front-end server to assume a default domain so that users do not need to type their domain name.

the control that the back-end server is referencing might not exist. An additional option for authentication is to configure a User Principal Name (UPN) logon for users. Implementing site-to-site VPN with BorderManager 3. To configure UPN. Always remember to upgrade every front-end server in the organization before you upgrade any back-end servers. Summary When deployed properly. users can authenticate using user@domain. After you configure this in the properties of the virtual directories on all front-end and back-end servers. After replication is complete. All you will need to do is install Administration 143 . This is because of the way OWA’s templates and controls were designed. MCSE. OWA won’t work for users whose mailboxes are on the upgraded back-end server. A problem arises when the servers run different versions of service packs. and the front-end server is running a previous service pack.After making this change. 2001 By Ron Nutter. which will use the Internet to connect your locations. CNE. If a template on a back-end server references a control on a front-end server. result in greater performance. and provide tighter security than the generic setup offered by default on Exchange 2000.) Figure D Entering a default domain name for user logons Service pack install order The order in which you apply Exchange 2000 service packs in an FE/BE OWA architecture is important. an OWA solution using front-end/back-end architecture can be more reliable.x Feb 28. Use this topology to take your OWA to the next level. Just make sure that you upgrade all front-end servers first so that users see templates from the back-end server. This allows users to enter their e-mail address as their username. ASE R unning point-to-point data circuits (also known as private lines) between your company’s locations can be very expensive. (Note that Exchange SP1 is recommended if you decide to use this feature.com as their username. especially if one or more of those locations are overseas. enter a backslash in the Default Domain text box shown in Figure D. no domain name is required. As a result. users can log on with just their username and password. These templates reference the previous versions of the controls. which still exist on the front-end server because the files are versioned and not removed in an upgrade. make sure that the System Attendant service is running so that the configuration settings replicate from the directory to the IIS metabase or simply restart Exchange System Attendant to force replication. BorderManager is more than just a firewall or a method of controlling access to the Internet—you also have the ability to establish a virtual private network (VPN).

We will be using NetWare 5. The first thing that you will need to do is tell BorderManager what the TCP/IP addresses are for the public card and for the VPN network. You will be prompted to enter a random seed to be used to generate the key. you will need to be very careful about when you reboot the server. Type LOAD VPNCFG at the server’s console prompt and press [Enter]. Second Edition . I recommend setting up a proof of concept system to make sure that everything will work as expected. Once you have entered the required information. you will need to have some type of encryption setup. At this point.) When the encryption generation process is complete. highlight Yes.1 and BorderManager installed on the server that will be your master VPN server and that the appropriate Support Packs have been installed. Although we will be setting up just a two-site VPN in this article. You will see a screen on the server showing a string of numbers and letters. each additional site you add to your VPN will be a slave server. Highlight the Generate Encryption option and press [Enter]. you will see a message on the server screen to that effect. press [Esc]. This address has to be unique on your network. A fault tolerant network (one that can handle problems thrown at it and keep running basically undisturbed) might be accomplished by implementing a dedicated VPN server at each location and then making the BorderManager server you already have a slave VPN server. Before you start One thing you will want to think about before beginning to implement a site-to-site VPN is whether to implement VPN services on your existing BorderManager server or implement a server dedicated solely to the VPN links between locations. Highlight the Authenticate Encryption Information option and press [Enter]. Don’t worry about remembering this string. as you shouldn’t be working with this server significantly on a day-to-day basis. Before implementing this type of solution. A series of messages will shortly appear indicating the NDS schema is being extended and the base VPN configuration is set up. that is. In this article.a data circuit to a local ISP and a BorderManager server at each location. the address in this range can be used anywhere else on the network—anywhere. except on the other BorderManager server (which will use a different address out of the range defined by the subnet mask that you enter for the VPN tunnel). When the VPNCFG main menu screen appears. the information used by the servers to set up the VPN between sites. You will be returned to the VPN master server screen. In order for the VPN to work.1 with Support Pack 2a applied and BorderManager 3. You will need to have this information ready for the network administrator at the other end of the VPN connection (if you aren’t going to do the install yourself) so that the admin will know 144 Administrator’s Guide to VPN and Remote Access. you should be able to reduce the amount of downtime from reboots. A message will appear indicating you can have only one master VPN server in the network.5 with BorderManager Support Pack 2 applied. The VPN address and subnet mask will take a little thought before you proceed. Highlight Configure TCP/IP Addresses and press [Enter]. as this will take your entire VPN down. (This doesn’t have to be the same on each server. The first step involves setting up a master VPN server (each VPN configuration will have only one master VPN server). If you put the VPN services on your existing BorderManager server. If you implement a dedicated VPN server. we will assume that you already have NetWare 5. Highlight Continue and press [Enter]. You will need to enter the TCP/IP address and subnet mask for both the public and VPN tunnels. and press [Enter]. The public TCP/IP address and mask are the same as the ones you defined on your BorderManager server. highlight and press [Enter] on the Establishing site-to-site VPN on the master server Master Server Configuration option. This is known as the digest. Enter a random string of letters and numbers and press [Enter]. we will walk through the steps of setting up a site-to-site VPN.

highlight Yes. Now that the master VPN server is set up. A pop-up box Setting up the site-to-site VPN on the slave server will appear asking you to verify the path to the Minfo. highlight Yes and press [Enter].vpn file. For example. Highlight the Copy Encryption Information option and press [Enter]. Once the information is copied to a file. we would use something like 10. accept the default and press [Enter]. This information will be used on the master VPN server to actually build the VPN connection between servers. When you do. After the Minfo. A screen will appear when the VPN information has been created. One thing to note at this point is that if you will have multiple slave servers in your VPN Administration 145 .2 for the TCP/IP address of the VPN tunnel on the slave VPN server. You have the option of e-mailing the Minfo. Highlight the Slave VPN Server Configuration option and press [Enter]. Load the VPNCFG NLM on the slave server. Press [Esc].10. You need to export the information necessary so that the slave VPN server will know how to talk to the master VPN server.255.255. Highlight the Copy Encryption Information option and press [Enter] to continue. you will need to do something a little different. As with the master VPN server. Let’s assume you are doing the slave VPN install yourself and have brought this file on a floppy. The default path should be A:\.0. you will need to enter the TCP/IP address and subnet mask for the public card and the VPN tunnel. Unless your server’s floppy drive is something other than A:. In the case of the slave VPN tunnel. Press [Enter] to return to the main VPN menu screen. Put a blank floppy in the server’s A: drive. and press [Enter] to continue.that the setup is enabled correctly. In our example. Insert the floppy into the slave server’s floppy drive and press [Enter]. and another screen follows when NDS has been extended to handle this task. Press [Enter] to continue. you’ll see the screen shown in Figure A.vpn file that will be created. The next step involves copying the VPN information from the slave server to a floppy so that the master VPN server will know how to set up the VPN tunnel between servers. You will be asked to verify the drive and path to the Sinfo. mailing the floppy. Highlight the Configure TCP/IP Address option and press [Enter] just as you did on the master VPN server.1. we can move on to the slave VPN server. Enter the requested information and press [Enter].1. The name of the file it creates is Minfo.vpn file copies. You will next be asked to enter information to help randomize the Diffie-Hellman public and private keys that will be generated on this server. Your next step will be to generate the encryption information necessary for this server to be able to participate in the VPN.vpn. if you entered a TCP/IP tunnel address on the master VPN server of 10. Figure A You must configure TCP/IP on the slave server.vpn file to the administrator at the other end of the connection. or going to that location yourself. Highlight the Generate Encryption Information option and press [Enter].1 with a subnet mask of 255. you will need to use the same subnet mask on the slave VPN but with a different TCP/IP address.10. This information should match exactly what you saw on the master VPN server. If this matches. you will see a message on the server’s console screen. you will see a digest screen displayed.

Highlight the Master Site To Site option and click on the Details button.configuration.vpn file. The disadvantage with this solution is that it will produce additional traffic at your master VPN site. click Control Options. You will also want to choose the topology you want for your VPN. This will make the process easier if you have to tear down and recreate the VPN for some reason. Double-click on Sinfo. you will be presented with a screen that will allow you to add the slave VPN server to your VPN network. each VPN site will have connections to two of its neighbors. you will need to go into NetWare Administrator.vpn (or the file name you have renamed it to). If the master VPN server is down. This solution is fine if most of the traffic will be between adjacent systems but could cause delay because of additional hops produced by this configuration when the most distant systems need to talk to each other. you will see a digest info screen containing a Figure B Figure C You must choose your topology in NetWare Administrator. From the VPN Master Server properties screen. Both the Star and Ring options could suffer communication problems if a critical part of the system were to go down.vpn file to another name descriptive of the site it is for. With Full Mesh. as shown in Figure B. With a Star topology. you should still be able to talk. all the VPN sites can reach all of the other sites directly without having to go to the master VPN site first. When the VPN Master properties screen appears. On the Control Options properties screen. Star. Once you have selected the options on the Control Options screen and clicked OK. you should still be able to talk between systems even if one or two are down. Second Edition . Completing the VPN setup in NetWare Administrator To complete the site-to-site setup. You have a choice of three topologies: Full Mesh. all slave sites will have to go through the master site before they will be able to talk to other slave sites. 146 Administrator’s Guide to VPN and Remote Access. Once the VPN file has been copied to the floppy. You can monitor your VPN on the VPN Member Activity screen. After NetWare Administrator reads the file. you will see a message on the server telling you about renaming the file. With the Ring option. Doubleclick on the NDS server object that is running BorderManager. you will need to select what protocols you want to cross the VPN. but you won’t be able to add or remove slave VPN servers until the master VPN server is back online. you will want to rename the Sinfo. Click on the BorderManager Setup tab and then click on the VPN tab on the BorderManager Setup properties screen. With the Full Mesh option. and Ring. click Add and browse the floppy containing the Sinfo.

Congratulations. TCP/IP RIP is enabled by default. Click on the Status button and check the sync status of the VPN servers. first try pinging the TCP/IP address of the VPN tunnel on your end. you will have a base from which to start when figuring out the problem. When the VPN Member Activity screen appears. Click OK to save this configuration and return to the VPN Master properties screen. how many packets are being sent/received. As with any other network addition. Highlight the VPN server that you want to check and click on the Activity button. Click Yes to proceed. you may want to deselect TCP/IP RIP and go with static route mappings to help prevent access to parts of your network by the other companies that will be connecting to you. you may need to temporarily unload the filters to do this next series of tests. you will see the slave VPN server you just added appear in the list of VPN servers. After you have added a slave VPN server to your network.series of letter and number combinations. As you can see. ping the TCP/IP address of the VPN tunnel on the server you just added and finally the TCP/IP address of the private card on the slave VPN server.VPN files you used to create the VPN in case you need to tear down and re-create the VPN. etc. A similar message will appear on the slave VPN servers. If you will be connecting other companies (and other NDS trees) into your VPN. you will see what is going on with a particular slave VPN server (what protocols are being used. Depending on the way you have implemented filtering in BorderManager. Next. Another screen to check periodically is the VPN Member Activity screen. Any time you add another slave VPN server or make significant changes to the network and have what appear to be communications problems.). you will see a message appear on the master VPN server console screen telling you that a server has been added.vpn file. click Yes to enter the info read from the Sinfo. Conclusion Monitoring the VPN Monitoring the VPN is something that should be done periodically even if things are going well. Any time you add a server to the VPN. this is a good screen to check to make sure that all the servers are upto-date with the information about the rest of the network. you now have a VPN up and running. This screen is reached from the sync status screen mentioned earlier. setting up a site-to-site VPN isn’t that hard. shown in Figure C. If your pinging fails to get a response at any point in this process. Leaving this option enabled will allow the remote sites to seamlessly route over your network without your having to enter static routes within NetWare Administrator. When the Adding Server To VPN screen appears. If you haven’t already started doing so. The information on this screen should match what was displayed on the digest screen on the slave server when you created the encryption information. this indicates a communication problem that should be addressed before proceeding. take a few moments to document what you have done and the TCP/IP addresses being used for the VPN tunnel and make a copy of the . When the VPN Master screen appears. Administration 147 . The VPN Members screen should now be visible. have the individual responsible for the slave VPN servers keep a log of changes made to the servers so that if things stop working.

Setting up the server side of VPN The process of setting up client-to-site VPN in BorderManager begins with establishing an Rconsole session to the server that’s running BorderManager. You must use both the IP address and subnet mask that are currently bound to the public card in the server that’s running BorderManager.255. Second Edition .255. enter the IP address that is currently assigned to the public card in your BorderManager server. Virginia. Finally.1 with a subnet mask of 255. It also ensures that the traffic is handled properly for the encryption and decryption that occurs as a part of the clientto-site VPN process. highlight Yes.x. you still need to find a way to allow access to files on the network and access to server-based services that don’t support SSL. which gives the client VPN traffic a place to route. 148 Administrator’s Guide to VPN and Remote Access. Highlight Not Configured beside Public IP Address.x) and press [Enter].NLM) in order to check the existing filters. However. this approach isn’t recommended. and Novell Sup- port won’t be able to help if you call in with a problem. and press [Enter].0 that’s bound to private cards in your BorderManager server. Change to the console command prompt and type filtcfg (or load FILTCFG if you’re using NetWare 4. type VPNCFG (or load VPNCFG if you’re using NetWare 4. For Web site access. if you have 10. and select the menu option that will update the changes you made. A secondary message will follow to indicate that VPNCFG can’t add the filters it needs in order to operate.255. A message will appear indicating that there can be only one master server. Highlight Configure TCP/IP Filters and press [Enter]. you’ll need to load the filter configuration NLM (FILTCFG. I’ll take you through the steps of setting up the client-to-site VPN function in BorderManager 3. enter the IP address and subnet mask to be used for the VPN tunnel of the configuration. highlight Configure IP Address and press [Enter]. you can use SSL (Secure Socket Layer) on your Web server to provide a layer of protection.0. When the Master Server Configuration screen appears. You also will need to enter the subnet mask that matches the IP address of the public card.0.3. Press the [Enter] key to continue.255.1. and press [Enter] to save the configuration. It will give the virtual private address that you are assigning to the VPN tunnel part of the configuration. You will want to assign an IP address from a different range than the one that is being used currently on the private card(s) in your BorderManager server. When the TCP/IP screen appears.2. For example. it may result in sporadic operation of the client VPN function of BorderManager.x Jan 12. enable outgoing RIP filters. press [Esc].) In this article. 2000 By Ron Nutter.0. (Yes. ASE P rotecting the data on your corporate network is becoming more important each day.x) and press [Enter]. This problem happens because the outgoing packet filters are disabled. Once you have entered the IP addresses and subnet masks for the public and private side of the VPN part of BorderManager. Although it may be possible to bind a secondary IP address to the public card. I’d like to point out two things that aren’t made clear in the BorderManager documentation. there are a few server-based services that don’t support SSL. MCSE. you’ll probably receive an error message saying that VPNCFG can’t configure packet filters. Highlight Continue and press [Enter].Setting up client-to-site VPN in BorderManager 3. but it’s a normal occurrence when packet filters haven’t been configured or when packet filters have been created.0.1 and 10. Press [Enter] to acknowledge the error screen. At the console command prompt.1 using a subnet mask of 255. To clear this error. CNE. If you haven’t progressed to the point with BorderManager that you’ve configured packet filters. you should use something like 10.

you can continue with the BorderManager VPN configuration. Return to VPNCFG. To pass IPX traffic over the VPN connection. and press [Enter]. then click OK. highlight Disabled beside the status options and press [Enter]. highlight the Display VPN Server Configuration option and press [Enter]. Press [Esc] until you’re prompted to exit VPNCFG. which were added during the 149 Administration .1 or later. The latest VPN client is BM3VPD04. Now. the speed of the processor on the BorderManager server. Depending on the level of activity on your BorderManager server. another message will appear. these messages may repeat themselves several times before you see a timestamp completed message for each NLM (VPMASTER. Although restarting the program is a requirement for BorderManager only when you’re running on NetWare 5.EXE. Double-click on either of the VPN options.NLM and BRDSRV. When the key generation is finished. it’s a good idea to restart on NetWare 4. highlight the Enabled option and press [Enter]. press [Enter]. enter a unique IPX address. highlight the Generate Encryption Information option. or both. which was released around mid-September of 1999.NLM and press [Enter]. Press [Enter] to proceed. a message will appear on the screen to inform you of its completion. you can terminate the Rconsole session. you’ll want to restart the BorderManager server and make sure that everything relating to the VPN service loads and initializes correctly. When you see the Enter Random Seed box. After starting NWADMIN. A series of messages will tell you that the NLM is checking to see if the filters it needs have been set and that the NLM is updating the VPN filters. You should see several waiting for timestamp messages. The remainder of the VPN setup will take place on a workstation running NWADMIN and using the BorderManager snap-in. and the number of currently pending requests that the server is processing. then highlight Yes and press [Enter]. After you see these messages. During the installation. Setting up the client side of client-to-server VPN To minimize problems.NLM. Then.NLM’s Master Server Configuration screen. The LAN VPN connection is a recent addition to the client VPN portion of BorderManager. the server side portion of the client-to-VPN setup is pretty much complete. When this process has finished.highlight Outgoing RIP (Routing Information Protocol) Filters and press [Enter]. click the BorderManager Setup button and click the VPN tab. You will use the Dial-Up VPN when you come in over a regular dial-up connection. enter a random string of characters (maybe something like your Admin password!) and press [Enter]. Now. It allows you to use an existing connection. When you see the Outgoing RIP Filter screen. and you’ll see a message indicating that VPMASTER. Click the box beside Client To Site and click Details. Press [Enter] to proceed. Verify that all the information you entered is correct and that all the key lines indicate Configured. A screen will appear and indicate that the encryption information is being generated. to gain access to your network over an encrypted connection instead of having to put up with a slower async connection. you should use Novell client version 3. such as a DSL connection or cable modem. Next. LAN VPN. the VPN attributes will be added to NDS. highlight the Update VPN Filters option in VPNCFG. you will be asked to choose Dial-Up VPN. Factors affecting the amount of time that this process will take include the length of the random key that you entered. Then.EXE. Now. Press [Esc] when the process is complete.NLM was loaded successfully. go to the disk 1 directory and run SETUP. After running the self-extracting executable. press [Esc] until you are given the option to exit FILTCFG. too—just to make sure that everything is OK so far. double-click the NDS server object that’s running BorderManager.NLM). One quick check is in order before you try to establish that first encrypted connection to your network. Highlight Yes and press [Enter] to continue. A series of messages will appear on the console prompt screen of the BorderManager server. The Master Site To Site box should be checked. At this time. Before proceeding to the client portion. When that process is complete.

Clear Current Using the dial-up VPN is fairly simple. The best way to fix this problem is to uninstall the VPN client. Display Results Winuse your existing setup to call your ISP and dow. It can Connection. If you do. you server to which you will be connecting. don’t include a leading period your network. but when you enter the specific NDS context of your users may become a little confused when the user account that you are using to log in. and the Performing NetWare Login. Click the NetWare take your users to log in to the network and Login tab and fill in the NetWare user name. and Ware user name. calls that you will probably get when they start When entering the NDS context for this user.Manager won’t have to field requests from the VPN users who are routed over the same conell client software first. If you can click your container and/or personal login scripts may be necessary to allow users to get in and out on only the Enable IPX check box and the of your network quickly. they try to reach another Web site while they’re While the software should be able to handle it. you will have a few extra things to (which you’ll see only if you’re going to estabremember. uninstall the exist. you have a Make sure that your users know that while client-level problem that will need to be they are logged in. using this access. they will see a progress box under the VPN the de-installation Status tab of the process one step furYou may find that you have more VPN client. allow you to anticipate the kinds of questions/ password. NDS contact. Bordering NetWare client and network card driver. If you still When the users click OK to establish the have a problem. You will need to enter your Netlish an IPX connection to your network). process is comregistry by the Novpleted. Enabled IPX Encryption options. Keep in mind that public IP address of the BorderManager while you are using the LAN VPN client. In the won’t be able to access anything that is off context field.give you an idea of what kind of changes to installation of the VPN client software. As each ther by removing all step of the login/ entries that were credemand for the VPN service than you authentication ated in the Windows have resources to handle the need. The first time you invoke either of the VPN Enabled IP Encryption. the following mesEstablishing a connection with sages: Connecting For Authentication. password. Authenticating the LAN VPN option NetWare User. which will take VPN connection. Your options are the dial-up VPN option Enable IPX. and reinstall the network card driver and Nov. Testing which appears on the desktop next to the them will help you determine how long it will VPN installation program. dial-up and a DSL-type connection. Now. you’ll want to get a copy of the Novell UNC32 executable. they won’t be able to addressed. Login To NetWare. getting their e-mail from your Exchange or I received error messages when I used a leadGroupwise server. users will see ell client software. click the NetWare Options tab. It will tainer name. Establishing a connection with click the NetWare Options tab. and server IP address. build an encrypted connection to your BorderBefore turning remote access over to your users. or you may have a problem 150 Administrator’s Guide to VPN and Remote Access. Authenticated NetWare User. Run Scripts. Manager server. After you reboot the software. Second Edition . One option that I would recdon’t include a leading period before the conommend you start with is Run Scripts.browse the Internet or access resources that are off of your network. context. ing period. You begin the process by you may want to try logging in over a regular double-clicking the Dial-up VPN Client icon. It’s actually a good thing. other options are not available. the problem should be resolved. network. followed by the VPN nection on which they are coming into your client software. Before clicking OK to start the login process. and Close Script Results Automatically.

The progress screen will flash the number that is being dialed. Optimizing the client VPN connection If you’re using the Single Sign-on feature of BorderManager and loading the CLNTRUST. This information should match what is available by clicking the Digest button in NWADMIN. If you get an NDS-309 message just after the connection is made. If your BorderManager server is running on NetWare 5. Now. make sure that the login name. you may want to recheck your BorderManager server and make sure that it has been restarted. Also. Since some dial-up users can sometimes expect a response from the server just as if they were attached directly to it. controlling the applications that they can access remotely may be worthwhile. click the VPN Status tab and click OK to begin the process of establishing the connection to your BorderManager server via your ISP. you may want to try either reestablishing the connection or verifying that everything is configured correctly on your BorderManager server. Click on the drop-down box beside the dial-up entry name and make sure the correct Dial Up Networking address book entry is selected. you may want to leave all the options enabled in order to get an idea of what you may want to deselect when you put the client VPN process into production use. If you normally don’t use DUN but use software provided by the ISP to establish your connection. If the information doesn’t match.EXE and DWNTRUST. you may want to talk to your ISP’s tech support folks to see if you need to do something differently. you might consider deselecting the IPX Only option to minimize the amount of negotiation that occurs in setting up an encrypted link for more than one protocol. Now. Once all the statements in the login script have been processed and all the icons in the NAL window have been displayed. personal. The next step is to click the Dial-up tab. there won’t be any benefit to having them run these files. For your first time dialing up. you may want to have them use the regular DUN icon to establish the connection to the ISP and then the LAN VPN icon to make and break the connection to your corporate network.logging in. You may want to think about not using Novell’s Application Launcher if you have a lot of icons for distributing available applications to your users. You also can make them part of a group that bypasses that part of the login script. Otherwise. In that case.EXE files from the login script (a container. you’ll want to enter the public IP address of your BorderManager server. password. and NDS context have been entered correctly. click the NetWare Options tab and make sure that the Enable IPX option is selected. you will be presented with an Authenticate VPN Client message with a series of numbers and letters that will look something like 4D DD F2 93 7A CD CD BB 23 57 BB AA 23 3D F3.username—instead of just a user name if they used DUN to establish the connection. Once the connection has been made to the ISP’s modem pool. For example. Enter the correct dial-up user name and password for the Dial-up Networking (DUN) configuration that you are using.ppp. The first time that you establish a dial-up connection to your BorderManager server. the message will change to Authenticating Dial up user (ISP) and then to Authenticating NetWare User. Since they’re coming in over an encrypted connection. Suppose that you have users who want to access the Internet before or after they use the encrypted link into your network. they won’t have to reestablish a nonencrypted connection to use the remainder of the Internet. you may want to 151 Administration . or profile script). As I mentioned earlier. That way. if at all. the VPN connection may not work correctly. You can use either a separate NDS container or a special group to limit the applications that are available to remote users. try establishing a VPN connection and deselecting the Process Login Script option. Depending on how involved your login scripts are at a container level. those who use Netcom as their ISP would have to use us. as indicated in the BorderManager VPN installation instructions. you might want to consider having your users type in a special login ID in order to bypass that part of the login script.

set up a special NDS context through which the remote users will log in—thus minimizing lengthy login times. It will give you a way to administer ZEN application objects, too. (You really don’t want your users to load the applications that they’ll use over a slower dial-up connection while they’re on your network, do you?) This approach can help you restrict access into the network via BorderManager VPN by modifying the rule that you set up earlier, which limited use only to those who are in the container that is eligible for VPN access.

Monitoring client VPN connections

Now, double-click the NDS in NWADMIN upon which BorderManager is running. When the BorderManager screen appears, click the BorderManager Setup button. Select the VPN tab and click the Details button. A list of servers currently configured for VPN will appear, with each server listed by name and public IP address. To see what is happening with the VPN function on a particular server, highlight the name of the server in the list and click the Status button. A synchronization status screen will appear, and you’ll see the server you just selected listed again with a status that should show as up to date. To see the current VPN connection status, click the Activity button on the Synchronization Status page. You’ll see several boxes of information on this screen that cover everything from global parameters relating to the overall VPN connection to those items that are protocol specific. When this screen comes up, it will show only serverto-server-based connections by default. You’ll need to click the Clients button to change the view to the Client to Site VPN view. In the upper left-hand corner of the VPN Member Activity screen, you’ll see a listing of the currently active connections. Each connection will show the user’s NDS login name with an up or down arrow for both IP and IPX protocols. This screen is good to watch while users are trying to establish a VPN connection and are complaining that they can’t get through. Since this screen is somewhat static in nature, you’ll need to use the Update button to make sure 152

that you are looking at the most current information about the connection. Watch the up and down arrows on this screen as connections are being made. Different colors are used to indicate problems, progress in establishing the connection, or activity levels on the selected connections. Click the Help button to learn what the colors mean and how to interpret the information that they are giving you. As you turn the VPN function into production use, you may find that you have more demand for the VPN service than you have resources to handle the need. By default, the idle time that a connection is allowed to have before the connection is broken is 15 minutes. You can change this amount of time by clicking the Timeout button and decreasing or increasing the timeout value. Once the connection is dropped, users will have to restart the VPN client function and log in again to the network in order to continue their work. If you want to see a step-by-step log of what occurs as a connection is established, authenticated, or broken, begin by clicking OK and closing out the VPN Member Activity screen. When you return to the previous screen, click the Audit Log button. When the Audit Log screen appears, the end time will be the current time for the workstation upon which NWADMIN is running, and the start time will be approximately nine hours before that time. Your only option in this version of the BorderManager snap-in is to use the up and down arrow on the time box to adjust the date and time. Once you’ve selected the desired date and time ranges, click the Acquire button, and the information will be extracted from the BorderManager logs. You’ll see a step-by-step record of what occurred while the connection was being established or broken. Using the check boxes, you can filter what is presented, and you won’t have to suffer from information overload. Several messages will appear on the server console screen as connections are made and broken. On incoming connections, you’ll see an incoming WAN connection first as the request comes through and then a message when the connection is authenticated. The final message will appear when the authenticated connection

Administrator’s Guide to VPN and Remote Access, Second Edition

is disconnected or stopped. These messages give you a quicker view of VPN usage without your having to go into NWADMIN and drilling down to the view that you want.

Avoiding problems in BorderManager

If you’re running BorderManager 3.0 on NetWare 5, there are a couple of steps that you need to take in order to keep things running smoothly. You’ll want to copy these files: IPFLT31.NLM from the directory created by the NetWare 5 SP3A—Products/ NOBM3.5/SYSTEM CSAUDIT.NLM from the Products/ NOBM/SYSTEM/CSAUDIT.NLM directory Place both NLMs in the SYS:SYSTEM directory. Since BorderManager depends on

CSAUDIT.NLM, you’ll need to restart the server after the new NLMs are copied and in place. You’ll have to update these NLMs so that the filters needed by BorderManager and the VPN function can be updated and accessed correctly. Verify that you are using the latest NetWare Service Pack and the latest service pack for your version of BorderManager. We’ve walked you through the basics of setting up client-to-site VPN in BorderManager. The service itself is fairly straightforward to set up and should be trouble free—as long as you take your time setting things up. Using the client-to-site VPN function allows you to use the ISP’s modem pool and national data network without having to build your own.

Serving up NetWare’s Web Manager
Aug 1, 2000 By Steven Pittsley, CNE


ow about a server management tool that requires no installation, allows you to perform administrative tasks from any Web browser, and costs you absolutely nothing? You say it sounds too good to be true? Well, in this instance, it really is true. The NetWare Web Manager is installed automatically during NetWare 5.1 installation, requires no initial configuration, allows you to use a Web browser to perform management tasks, and is a standard piece of NetWare 5.1. In this article, you will learn about some of the outstanding features of this great new utility. The NetWare Web Manager consists of a set of NLMs that run on the server. During NetWare 5.1 installation, the command to load the NLM is added to AUTOEXEC.NCF. To

manually load the Web Manager, type LOAD NSWEB at the server console. Figure A shows the Web Manager screen that’s displayed on the server. As you can see, very little can be accomplished here. Your only options are to restart or shut down the Web Manager.

Accessing Web Manager

To access the NetWare Web Manager, launch your Internet browser of choice and type a URL that uses the following syntax:

An example of this would be https:// server1.novell.com:2200. The default IP port is 2200, but you can change this. You can verify the IP port from the Web Manager screen on the file server, which is shown in Figure A. 153


Once you enter the URL, you must log in as a user with Admin rights. After being authenticated, the Web Manager General Administration screen will be displayed in the browser and will look similar to Figure B.

2. The Global Settings section allows you to
select where you obtain directory service. Your choices are Local database, LDAP directory server, and NDS.

Using Web Manager

3. The Users and Groups section provides
you with rudimentary NDS management capabilities. NetWare Administrator still has much more functionality, but this utility works well for making basic changes.

You are given the following four choices under the General Administration heading: 1. Admin Preferences will provide you with Web Manager administration functions. You can turn on/off SSL, shut down Web Manager, change the IP port, set logging options, and view access and error logs.

4. Cluster Management provides you with
basic cluster administration capabilities.


Figure A

The Web Manager screen enables you to restart and shut down the Web Manager.

Figure B

You can return to the Web Manager General Administration screen by clicking the Server Administration link in the upper-right corner of any of these screens. From the Web Manager’s main page, you have access to each of the Web servers installed on the network, as well as the NetWare Management Portal and NDS management. If a server is running, the On button will be lit, and if the server is stopped, the Off button will be lit. Clicking these buttons will either stop or start the server. You can access the Web server configuration screens by clicking the button located next to the On and Off buttons. The file server name that is displayed on the button indicates where the Web server is installed. The Web server configuration pages are easy to navigate and provide you with excellent functionality. The most exciting feature of the NetWare Web Manager is the ability to access it from virtually any workstation on the network, regardless of the client software that’s running on the computer. Thus, if you are working in a remote area that has an NT domain, you can still manage your NetWare server. A traveling administrator will love the easy access and powerful capabilities of the NetWare Web Manager.

The Web Manager General Administration screen enables you to perform administrative functions.


Administrator’s Guide to VPN and Remote Access, Second Edition

Believe it or not: A Linux VPN without kernel recompilation
Oct 26, 2001 By Jack Wallen, Jr.


ou read correctly. Until today, I would never have believed it myself. Having dealt with the likes of FreeS/WAN and PoPToP, I know how difficult it can be to have to recompile a kernel, attempt to load in the proper modules, and then (and only then) hope the application will work with both your client and your VPN server. Just when you thought it was unsafe to tread the VPN waters, along comes Cisco to save the day for Linux client users. The new Cisco vpnclient is not only amazingly simple to use, but it’s also secure and reliable. In this article, I’ll install, configure, and run an instance of Cisco’s new vpnclient for Linux.

would like the executable binary file to be placed, and whether you’d like the VPN service to start at boot time. It’s that simple. Once you’ve installed the application, start the VPN service with this command:
/etc/rc.d/init.d/vpnclient_init start

How to obtain and install vpnclient

This VPN client package is included in the VPN Solutions package and supports the Intel version of Red Hat Linux 6.2 (or glibc >= 2.1.1-6 libraries) using kernel >= 2.2.12. Unfortunately, you can’t get this package without buying the VPN Solutions package, but it’s well worth the purchase if you want both a rock-solid VPN server and a killer client application. The first step of the installation is to unpack the package. The release I tested was vpnclient-linux-3.0.8-k9.tar .gz. To unpack this file, run the command:
tar xvzf vpnclient-linux-3.0.8 -k9.tar.gz

Configuring Cisco’s vpnclient can be tricky if you’re not sure where to put the configuration. When you install the application, you’ll notice a sample.pcf file in the vpnclient directory. (All user profiles must have the .pcf format.) This file is what you’ll base your configuration on and is also mirrored in the /etc/CiscoSystemsVPNClient/Profiles/ directory. The latter file is the one that the application actually uses. The file is laid out in the MS Windows .ini format, which is similar to other Linux configuration formats, such as smb.conf. It looks like this:
[main] Description=sample user profile Host= AuthType=1 GroupName=monkeys EnableISPConnect=0 ISPConnectType=0 ISPConnect= ISPCommand= Username=chimchim SaveUserPassword=0 EnableBackup=0 BackupServer= EnableNat=0 CertStore=0 CertName= CertPath= CertSubjectName= CertSerialHash=0000000000000000000000 0000000000 DHGroup=2 ForceKeepAlives=0


which will create a new directory called, simply enough, vpnclient. The next step is to cd into the newly created directory with the command:
cd vpnclient

Now you’re ready to run the install. The installation of this package is quite simple. As root, run the command:

You’ll be asked a few questions regarding the location of your kernel source, where you

The minimum configurations you’ll need in your .pcf file are [main], Host, AuthType, GroupName, and Username. The [main] configuration simply demarcates the main section of the


you may be asked for the following: Group Password User Name User Password Domain Eventually. including reset. and a 1 means the password is encrypted within the profile. EnableNAT: A 0 disables NAT. Second Edition . The vpnclient application comes with a statistics command that allows you to view information about your connection. and then start your connection. you’ll want to shut down your firewall. I whipped up a shell script that.4. and repeat Hurdles Establishing a connection Establishing a connection with Cisco’s vpnclient is very simple. If you’re not sure whether CONFIG_NETFILTER is set. you can run the following commands: cd /usr/src/linux-2. For stability’s sake. changes the input policy. route. If that particular window does not have focus. and starts the Administrator’s Guide to VPN and Remote Access. A couple of situations cause this problem.You can kill this running connection in two ways. drops the firewall. This assumes the console window running the command has focus.2/arch/i386 grep CONFIG_NETFILTER defconfig If you see this line: # CONFIG_NETFILTER is not set The second method is to press [Ctrl]C.configuration file. The command syntax is: vpnclient stat [reset] [traffic] [tunnel] [route] [repeat] Client statistics The arguments offer the following information: reset: Restarts all connection counts from zero traffic: Displays a summary of bytes tunnel: Displays IPSec information route: Displays configured routes repeat: Keeps a visible. When running any sort of security protocol. If you have this enabled. The GroupName is the name of the IPSec group used on the VPN server. SaveUserPassword: A 0 means the password is displayed in clear text in the profile. 156 then you are good to go. To make this task quicker. and run this command: vpnclient disconnect What would a network administrator’s job be without hurdles? Actually. The AuthType configuration is set to either 1 (preshared keys) or 3 (digital certificate that uses an RSA signature). tunnel. and a 1 enables NAT.pcf. your client will establish a connection with the server. you’d run the command (as root): vpnclient connect Mooch Depending on your profile configuration. Once you’ve changed these configurations. save the file and you’ll be ready to start up the application. Let’s say you’re using the profile named Mooch. The Host option sets the IP address (or URL) of the VPN server. and your command prompt will not come back to you. when run as root. su to root. the vpnclient can cause the Linux kernel to lock up tight. continuously refreshing display of various statistics. The Username is the string that identifies the individual user. The first is when you have CONFIG_NETFILTER enabled in your kernel. Other configuration options that can be added are: UserPassword: This is the password used for authentication. traffic. The first method is to open another console. flush both the input and the output chains. change your input policy to ACCEPT if it’s set to DENY. The client will disconnect from the server with either of these methods. such as ipchains or iptables. To bring up a connection with this profile. you’ll have to recompile your kernel and disable CONFIG_NETFILTER. put your cursor in the window and click the left mouse button. The second situation arises when you’re running any sort of firewall on the client machine. Cisco’s vpnclient tool has only one small hurdle to get over.

I ran my ip_chains_script. If you do not trust everyone on your VPN network. Other than the one firewalling issue. I ran this command: /etc/rc.d/ directory with the name vpn_connect. Simple.VPN connection. you won’t have to bring your firewall back up until the session is over. Kudos to Cisco for finally offering a multi-platform VPN solution that any mid-level computer user can set up and run. Notes Administration 157 . It’s about time Linux found itself with a simpleto-use VPN solution. and it works like a charm. The takeaway? Don’t worry about your firewall while you’re using Cisco’s vpnclient.d/vpn_connect After gaining a secure connection to TechRepublic’s Cicso VPN server. it performs flawlessly. The script looks like this (using the Mooch connection configuration): #!/bin/sh /sbin/ipchains -F /sbin/ipchains -P input ACCEPT vpnclient connect Mooch I saved the file in the /etc/rc. After your connection is made. To start the VPN connection. use caution when trying to start a firewall on the host machine of the vpnclient application. Conclusion The connection started without locking up the machine. it will only leave you rebooting your machine over and over. This assumes that you trust everyone on your VPN network. only to watch the machine soundly lock up after the first few packets passed through. I’ve used this vpnclient to connect to TechRepublic’s Cisco VPN server.



Administrator’s Guide to VPN and Remote Access, Second Edition

The articles in this chapter explain some of the issues you may encounter when configuring VPN solutions to work within a network’s existing security infrastructure. You’ll learn to troubleshoot problems that arise when configuring VPN servers to make connections through firewalls, routers, and proxy servers. Configuring VPN connections with firewalls ......................................................................................159 Securing the Edge: Windows 2000 Firewall/VPN and beyond: The firewall................................162 Securing the Edge: Windows 2000 Firewall/VPN and beyond: Tuning the security ..................164 Secure Shell: Protecting data in transit..................................................................................................165 Making the most of OpenSSH ..............................................................................................................170 Protect your VPN by keeping a tight rein on passwords ..................................................................173


Configuring VPN connections with firewalls
Nov 8, 2000 By Jason Hiner, MCSE, CCNA

he process of setting up connections or a virtual private network (VPN) has been greatly enhanced and simplified by software solutions for Windows NT/2000, NetWare, and Linux/UNIX, as well as by hardware solutions offered by vendors such as Cisco and CheckPoint. However, configuring VPN connections to pass through firewalls, proxy servers, and routers continues to bring many network administrators to their knees in exasperation and submission to the gods of the network cloud. Thus, we are going to review how to configure VPN servers to make connections in concert with your stoic network defenders. One of the first decisions a network engineer has to make when configuring a VPN server is where to place it in relation to the network’s firewall. As Figure A shows, there are essentially three options for placing a VPN server. The most common approach is to place the VPN server behind the firewall, either on the corporate LAN or as part of the network’s “demilitarized zone” (DMZ) of servers connected to the Internet. Geography is extremely important when configuring and troubleshooting VPN connections that pass through firewalls. It lets you know which interfaces on the firewall will need filters assigned to them to allow VPN traffic. We’ll talk about filters at length in the next section. The thing to understand about geography and firewalls is that filtering occurs on the firewall’s external interface—the interface that connects to the Internet. As I mentioned above, the most common place for a VPN server is behind the firewall, often in a DMZ with mail servers, Web servers, database servers, and so on. The advantage of this placement is that it fits cleanly into the network’s current security infrastructure. Also, the administrator is already familiar with how to route traffic through the firewall and only has to become


VPN server geography

familiar with the ports needed by the VPN server. However, the other two options have benefits as well. Placing a VPN server in front of the firewall can lead to greater security in some cases. Remember that a VPN allows users who are external to the network to feel like they are sitting on a machine inside the network. A hacker who hijacks a connection to a VPN server that is inside the firewall will be able to do some serious damage. However, if you have a dedicated VPN box that sits outside the firewall and that is only capable of sending VPN traffic through the firewall, you can limit the damage a hacker can do by hacking the VPN box. This option also allows you to limit the resources authenticated VPN users can access on the local network by filtering their traffic at the firewall. However, one vulnerability with this scenario is that the traffic between the firewall and the VPN server is not encrypted. The third option is to co-locate your VPN server on the same box as your firewall. In this

Figure A
VPN Server in Front of the Firewall

Corporate LAN


VPN server

VPN client

VPN Server Co-Located with the Firewall

Corporate LAN

VPN server and firewall

VPN client

VPN Server Behind the Firewall

Corporate LAN

VPN server


VPN client



case, the VPN server is still logically behind the firewall, but depending on its capability and utilization, it can complement a firewall very well, since both are essentially performing routing functions. This works nicely, since in most businesses, firewall/proxy services use more resources during the daytime hours, and VPN services use more resources during the evenings. However, keep in mind that having multiple services functioning on one box always involves management and troubleshooting challenges.

A packet filtering firewall is usually placed on a router and is managed through basic access control lists, which can be challenging to configure and manage. Here’s a common VPN problem to watch out for: Many administrators set up their VPN servers, configure their firewalls, and discover that they still can’t connect. They eventually realize that the ACL on their Internet router is filtering the VPN traffic and dropping the packets.

Application filtering
An application gateway firewall involves what is commonly known as proxy services and functions at the higher layers of the OSI reference model. This type of firewall offers more extensive, customizable features, such as userlevel access control, time-of-day access control, and advanced auditing and logging. It typically readdresses traffic so that it looks like it’s coming from the firewall rather than from the internal machine. In this manner, these firewalls act as a “proxy” on behalf of the internal network instead of providing a direct connection between internal and external networks, as you have with simple packet filtering firewalls. It also focuses on managing and controlling access to TCP/IP applications such as FTP, HTTP, rlogin, and so on.

Understanding firewall and filter functionality

There are two types of filters and three types of firewalls to be aware of when configuring VPN connections. Filters come in two basic flavors: Packet filtering Application filtering A firewall can engage in packet filtering, application filtering, or both. Filtering involves accepting or denying TCP/IP traffic based on source and destination addresses of packets, TCP/UPD port utilization and other TCP/IP headers information, and specific user and computer details in advanced firewalls.

Packet filtering
A packet filtering firewall merely examines traffic at the network layer (Layer 3 of the OSI reference model) and accepts or rejects it based mainly on source and destination addresses. Although a packet filtering firewall can do some blocking based on TCP and UDP port numbers, in most cases, it isn’t the best solution. However, packet filtering does provide speed, simplicity, and transparency. Another important VPN troubleshooting tip deals with network address translation. If the Internet router or any router between the firewall and the VPN server is providing NAT, it will probably break the VPN tunnel and cause your connection to fail. The VPN server should have an Internet IP address on the external interface and not an internal IP address assigned by a DHCP server or hiding behind NAT. Most of the time you will get this Internet IP address from a subnet assigned to you by your ISP. 160

Packet filtering and application filtering
Stateful inspection firewalls combine packet filtering and application filtering. They also employ a more secure firewall technique called dynamic packet filtering. With regular packet and application filtering, a port such as port 80 for HTTP is opened by the firewall and remains open for incoming and outgoing traffic. This presents a network vulnerability that hackers can exploit. However, stateful inspection firewalls open and close ports as they are needed for traffic, drastically decreasing vulnerability to external attacks. Most popular firewalls, such as Microsoft Proxy Server 2.0, Network Ice’s ICEpac, and the leading UNIX solutions, use dynamic packet filtering.

Allowing VPN traffic

Now that you can see how various firewalls function, hopefully you can identify several

Administrator’s Guide to VPN and Remote Access, Second Edition

We didn’t try to provide a stepby-step how-to on configuring firewalls and filters because of the vast configuration differences in the various hardware and software platforms. the same principles apply. It also wouldn’t hurt to offer a sacrificial NIC or 100baseT cable to the networking gods before attempting your configuration. In terms of protocols. this will probably be a real IP. For example. The router and/or the VPN external interface must be configured to accept TCP/IP connections from the VPN clients and/or VPN servers that will be connecting to it from the Internet. as well as the myriad different network typologies that are possible. For the most part. Thus. If you have a restrictive IP access policy in place. proxy servers. this is more challenging. you should be able to locate information on configuring filters and access control lists for your specific hardware and software platforms on the vendors’ Web sites.places on your network where your VPN connection could be tripped up. Conclusion Hopefully. When we get to Layer 7 (the application layer).0 and the forthcoming Internet Security and Acceleration Server 2000 have predefined “PPTP receive” and “PPTP call” filters. In some cases. as well as IP protocol ID 47 for GRE (generic route encapsulation) tunnel maintenance. we need to look at setting up filters to allow PPTP or L2TP with IPSec traffic based on the ports that they use. However. you’ll need to be aware of the GRE port. if your VPN server is behind your firewall. if you are using a commercial firewall solution. Security 161 . However. such as an ISDN adapter. These generally work pretty well. you’ll need to worry only about setting up the PPTP filter for port 1723. you’ll set up a firewall filter to accept incoming traffic on port 1723 or simply select the predefined “PPTP receive” with a Microsoft solution. As for L2TP with IPSec. But if you’re working with more complex firewall systems and do-it- yourself servers. PPTP uses TCP port 1723. and routers. which will be easy to configure. which connects to the Internet via a Cisco router. but it uses UDP port 1701 for L2TP and UDP port 500 for IPSec’s IKE (Internet key exchange). We will begin with VPN filters at Layer 3 of the OSI reference model and work our way up to Layer 7. When we look at receiving VPN traffic at Layer 3 we need to examine both the router that provides Internet access and the VPN server’s external interface. we’ll cover VPN connections made using PPTP or L2TP over IPSec. For remote VPN servers that are connecting. the access control lists (which manage filters at Layer 3) must be configured to allow incoming traffic from the IP addresses of these clients and servers. for remote clients who are probably using a dial-up connection to an ISP and getting a different IP address each time. the VPN server may have an external interface that connects directly to the Internet. you’ll need to be aware of the geography of your VPN server in relation to your firewall. and you are receiving connections only from individual VPN clients (and not from remote servers). Microsoft solutions such as Proxy Server 2. Let’s see what filters you need to set up on these firewalls in order for VPN traffic to pass through them. You’ll also need to go into the Cisco router and make sure that there are no access control lists filtering the VPN traffic. IPSec also uses IP Protocol port 50 for ESP (encapsulation security payload)—the equivalent of GRE for PPTP—but it doesn’t require a filter because the ESP header is typically removed by IPSec during routing before it hits the firewall. The other option is to allow access to all IP addresses by default and let upper-level filters accept or deny their packets based on application criteria. you can get the range of IP addresses this client could use from his or her ISP or figure it out by deduction after a few connections. the principles we reviewed here will enable you to better understand where your VPN connection could be running into snags in connecting through firewalls. Remember. such as Linux.

In an effort to stretch those dollars. We went with the default values. Second Edition . As if this weren’t enough. During the install. 2001 By Robert McIntire hile companies continue to spend money on higher speed Internet connections. it’s only reasonable that they should expect more for their budget dollars. (You have the option of installing just the firewall. you. Additionally. W Firewall upgrade process Since Internet connectivity had to be maintained throughout the process. we recommend it after 162 Administrator’s Guide to VPN and Remote Access. one for the Internet connection and the other for the internal LAN. they are escalating the security on these connections to ensure that only those who should have access can actually gain access to their private networks.0 to MS Internet Security and Acceleration (ISA) Server 2000. The overall topic envelops a case study of a recent networking project in which I was involved. the client already had a service network set up at the Internet router with enough free public address space to accommodate both gateways simultaneously. After completing the installation. the WINS and DNS info were provided.microsoft. which we then applied. Also. the remote clients would then be connecting to a terminal server inside the firewall on the LAN. This is standard operating procedure when configuring most firewalls. if necessary). Both NICs were statically addressed with appropriate addresses for the respective networks. We were fortunate to find that Microsoft provided many of the features and options that we required to complete this project. Now. Then we installed ISA. we decided to install a new server. You’ll see that. let’s turn our attention to the installation considerations. At that point. which includes both functions.Securing the Edge: Windows 2000 Firewall/VPN and beyond: The firewall Jul 25. In this first part.com/ isaserver/evaluation/demonstration/). many companies are implementing VPNs for remote access by employees. the LAN clients’ browsers would simply need to be changed to point to the new Proxy server. we checked for product updates on the Microsoft ISA site. the client had decided to upgrade from MS Proxy Server 2. as the old system would stay online until the new system was installed and tested. Fortunately. rather than performing the MS upgrade process on the previous Proxy server. When configuring the internal NIC. you can download a timelimited evaluation copy from the Microsoft Web site (http://www. you’ll be asked several questions. Although Windows 2000 doesn’t seem to require a restart after such operations. as most of them seemed appropriate (and we could change them later. The general idea was to upgrade the client’s Internet security and provide for VPN remote access. can secure your network. There was a security alert with a patch. This fairly new product is actually a firewall/ cache server and is certified by ICSA. Fortunately. At the time of this writing. We decided to apply Win2K Service Pack 2. just the caching server. We installed two NICs in the new server. Although it may seem overly ambitious. we’ll be tackling several different yet related issues in this article. with a little ingenuity and a bit of customization. we also had to address secure authentication schemes in a rather custom fashion. The LAN clients needing Internet access would not be deterred during our upgrade. but the default gateway was left blank. or integrated mode. with the plugs out of the way. as it was the most current at the time. Microsoft required that Service Pack 1 be installed prior to the ISA software.) We chose to install it on a member server so that we could utilize some of the domain-based features to control content access. we’ll address the primary piece in this puzzle: the firewall upgrade. too.

We then created a rule allowing the aforementioned traffic and associated our group with the rule. Locally speaking. This may be a bit of a problem when testing connectivity with your ISP. In Microsoft terminology. installed filters seem to allow pings from internal clients to pass through the firewall but do not allow a response to outside sources attempting to ping the external firewall interface. it is a true and tested firewall platform. this is known as Publishing. After scanning it. Microsoft does provide the ability to save the configuration to a proprietary file type to use in case a restoration of your ISA server is necessary. and the default configuration appears solid.0. HTTPS. There are also packet filters included that you can activate to funnel SMTP and WWW traffic.. To do so. You’ll want to check the routing tables on your server after the installation is complete to insure that no unexpected routes have been added. Essentially. as well as any other OS patches. we felt very good about the product. it was time to perform any custom configuration for this site.). you’ll be able to receive e-mail from the Internet. Testing the firewall Configuring the firewall After the initial installation was complete. HTTP. so you’ll want to make sure that enough disk space is available to do so. we created a group of users by internal IP address range. You can push e-mail through ISA to your internal SMTP server and allow external Internet clients access to internal Web servers. we wanted to ensure both connectivity and security. the ISA install did several things on our system. it adheres to a deny-all model (except for ICMP). let’s look at how we can provide basic At this point. After this. All in all. it installed and configured RRAS and packet filters to allow only some basic ICMP packets. as it seems quite similar to Proxy Server 2. you’ll want to verify the LAT table. For one thing. You may also want to consider a separate hard drive for logging. The only thing that passed was specifically what we had allowed. The first thing we did to configure our firewall was to create an opening for basic Web and FTP traffic. especially if you allowed the install process to generate the LAT. However. FTP. Now that we have client access on the outbound.installing the firewall software. The one oddity about this is that the default. as it seemed to be a black hole for TCP/IP packets.e. Conclusion The good thing about ISA Server 2000 is its familiarity. This ensures that NAT is working correctly and that connectivity and name resolution are functioning properly. the installation process is easy and straightforward. We needed to allow traffic appropriate to the client’s site (i. Once you publish your e-mail server. etc. we used a port scanner to check security at the external interface. inbound access. unlike Proxy Server. We made sure that internal clients could ping Internet sites by address and name. Unfortunately. Basically. It’s automatically set up to perform logging. Security 163 . the ISA server appears to provide no facility for printing a configuration report.

Now that the cat was out of the bag. they would need to connect to the terminal server inside the VPN/Firewall perimeter system. In so doing. The client’s concerns about strong authentication led us toward several potential solutions. how did we implement this model? Verifying the computer The overriding concern when considering how to verify the computer identity was whether or not we wanted to deal with the complexity of implementing MS Certificate Services. and then users would actually log on to the domain during the second part of the connection process—the terminal server session. That would provide for the remote logon. At this point. At worst. The client company wanted not only the usual domain logon but also a remote form of logon. In so doing. To do so. This service is now provided with Windows 2000.Securing the Edge: Windows 2000 Firewall/VPN and beyond: Tuning the security Jul 30. When connecting to this server. We implemented authentication but. When deciding to use Certificate Services. you can generate your own computer-based certificates for verifying user and computer identity. we took an initial firewall installation a step further and implemented a client access VPN. We could have chosen to use RADIUS (IAS. From here. the remote PC would be connected to only the actual VPN system. Another option that was considered was to perform the remote logon by having users log on locally to the actual VPN server using a specific remote access account. To do so. exposure would be limited to the VPN system. It turns out that the reasoning behind the extra level of authentication stemmed from an underlying issue. at least on paper. we could actually create the remote users in a local database on the IAS server. We shelved these as secondary options because they didn’t really give the client what they were looking for. Then the issue would arise about which servers to install it on. but we all agreed that the best manner in which to implement it was at the system level. With it. we began to move in the right direction. due to client requirements. we would have to create our own root certificate authority (CA) and then a subordinate CA. they would then be confronted with the actual domain logon. Now. we then had to go above and beyond. we had to determine how to use it in a productive manner. 2001 By Robert McIntire I n the article “Securing the Edge: Windows 2000 Firewall/VPN and beyond: The firewall” (page 162). they would not be exposing the domain logon process to prying eyes. but we didn’t have the luxury of an extra server. The subordinate CA was installed on the Terminal server. in Microsoft speak) to authenticate users. We assisted the client in writing a security policy that addressed the issue. we decided to install it on a domain controller well inside the network. The bottom line was that we had to authenticate the physical computers gaining access to the VPN. Second Edition . we had satisfied the security constraints set by the client. rather than having the IAS server refer to the domain database for user verification. We experimented with these and several other combinations until we realized that we were looking at things from the wrong angle. The client was concerned about users sharing passwords for remote access. yet provide only the features 164 Administrator’s Guide to VPN and Remote Access. Some experts recommend taking the root CA offline so that there is no chance of compromise. the remote user would run the terminal client and enter the IP address of the internal terminal server. Since it’s a good idea to secure the root CA. Extra strength authentication One of the additional parameters designated for securing the VPN was an extra level of authentication. After this initial computer authentication process.

Among these. and Telnet. we had several options. this was no small task. we could have chosen to use IAS for RADIUS authentication. In this way. we had to change the authentication method in the remote access policy that was created by the VPN setup wizard. we would have an internal CA. Looking back over the scope of the project. Then we requested and issued certificates for each remote client and the VPN server. chances are that the computer is being used in I a network environment as a simple firewall or as a server providing such services as HTTP. One option was to use an external CA like VeriSign.we needed. Then again. If you specify all of the needs and requirements before you start the implementation phase. Extensible Authentication Protocol (EAP) facilitates the use of certificates and thus had to be configured. which would refer to an external root CA provider for certificate verification. We tried to connect and were immediately rejected. I would make only a few recommendations. But. At each juncture in this overall process. Unfortunately. Since Linux is a networked operating system by design. Under the RRAS console. we simply edited the profile to include EAP and then again in the local system properties (within the Security tab). Why Secure Shell? Often. With the myriad of features and options available with MS Certificate Services. After installing the certificates. one of your top considerations for any computer should be security—whether it’s local security or network security. Eventually. plan it carefully. we configured our test client to also use EAP under the VPN connection icon’s properties. things turned out well as the project evolved. it’s convenient to administer remotely. we next had to modify the authentication method at the VPN server. FTP. although the certificates were not external to the company. And the Windows 2000 Help system does not provide the depth needed to effectively complete such a project. On the VPN system. it’ll make the process much smoother. Then came the moment of truth. given the client’s specifications and preexisting constraints. And. we wanted to treat them as such during the initial connection process. Security 165 . and Linux supports remote administration. 2000 By Vincent Danen f you’re a network or systems administrator. I highly suggest supplementary documentation. This configuration is used for generating certificates to external clients. At that point. we chose to install the CA as a standalone. Microsoft provides a Web interface for CA servers that allow other systems to request certificates by simply connecting to the CA via a browser using the http://ca_server_name/certsrv URL. like the Windows 2000 Resource Kit. Conclusion Keep in mind that this was not the only way to fulfill the need for Internet access and security. we made a few adjustments and successfully connected. Secure Shell: Protecting data in transit Mar 3. Last but not least. the Microsoft Web site is a little thin on specific information regarding custom configurations like these. After double-checking the details (and Q259880).

If you think that you are protected just because you require a password for access. view it later. there are also a dozen points of interception. remote administration happens all the time. government for encrypting nonclassified data 166 Administrator’s Guide to VPN and Remote Access. What if they installed a packet sniffer or keyboard monitor on your system? The root password could then be obtained quite easily. without a direct dial-in connection to your server. your network traffic will probably be routed through point B (a host out on the Internet) or even multiple point Bs. You can plug the hole and change the user’s password. think again. I highly recommend installing and using Secure Shell (SSH). Because of the nature of the Internet. It will tell you how many hops and how long of a delay between hosts it will take to reach your final destination. But by then. If this is the case. Anyone who’s curious can “listen” to your network traffic as it goes from point A (let’s say the system administrator at home) to point C (the server at work). To find out how many hops exist between you and any given destination. Linux is very secure. hops between your system and the one you’re trying to reach. you should view your entire system as compromised. Your system is compromised. such as: BlowFish: A 64-bit encryption scheme developed by Bruce Schneier Triple DES: The Data Encryption Standard. is encrypted and safe from packet sniffers and other network monitors that may pose a security risk to similar programs. and rdist. With a little bit of work and through the use of firewalls. like programs that have the suid or sgid bits set for other users (like root). Unfortunately. you can make a computer that runs Linux virtually invulnerable to any attacks across the Internet. They may even make attempts to learn the root password of the system. if there are a dozen hops to the machine you’re trying to reach. The Internet is not the only place that harbors curious individuals. rcp. It’s possible that you’ll have a few. rlogin. your entire sys- tem could become compromised. As regular users. not only can they view your network data. the same cannot be said about the Internet itself. an administrator staying at home can work on and configure a remote Linux machine at the office across the Internet. Secure Shell supports a number of encryption algorithms. Anyone with a packet sniffer or other network-monitoring tool can see and intercept your network data. they may not get very far. give the program traceroute a try (which is usually located in /usr/sbin). SSH was designed to provide strong authentication and secure communication over insecure networks (as noted in the Secure Shell RFC). as a component of their Internet sites. but the exposure has already occurred. rsh. or even as their gateway to the Internet. SSH is a client/server suite of programs that encrypts data prior to sending it and that unencrypts data once it is received.With such programs as Telnet and rlogin. Clear transmission is fundamentally a bad idea. but once they have access to your system. With more and more companies choosing Linux as a server. which means that there is no encryption or “scrambling” of the network data. IP masquerading. Once this type of interception occurs and someone has obtained a user password to your system. Most protocols transmit data in clear-text format. The best way to deal with this situation is to prevent it from happening in the first place. but they can maintain a local copy of it. or even a few dozen. which was developed in 1974 by IBM and is used by the U. Second Edition . and possibly glean passwords from it.S. Just what does Secure Shell do? To guard against vulnerability and to protect your day-to-day network data. Every packet in transit. it’s too late. Once an unwanted guest has access to your system. Conscientious system or network administrators should avoid it even on local networks. whether across a local LAN or from point A to point C in the above illustration. and it should be avoided like the plague. SSH is a suitable alternative for programs like Telnet. there are a number of holes they may exploit. and TCP Wrappers (which prevent unwanted guests from launching services). Keep in mind that.

And finally.zedz. Besides providing encryption for network data. There is also a copy program called scp. The benefits to compiling your own version of SSH are the various options that you can set during compilation and that you can customize to secure your network further. or it can use TCP Wrapper support. In other words. SSH is. which involves a host pretending that an IP packet comes from another (trusted) host. which occurs when a remote host sends out packets that pretend to come from another (trusted) host. There are two different schools of thought on this issue. If you feel more comfortable using IDEA than using RSA. which makes it far more secure than Triple DES RSA: The Rivest-Shamir-Adelman algorithm. which will register new keys for the ssh-agent program. It prevents manipulation of data by people in control of intermediate systems (the hosts through which IP packets “hop”). it can also protect against attacks based on listening to X authentication data and spoofed connections to an X11 server. To accomplish this task. It generates an RSA key that is used by sshagent to authenticate both locally and remotely. SSH for Linux is a freely available program. listens on TCP Port 22. A number of the compilation options can be set in the configuration files if you choose to go with a binary distribution. Using it is quite similar to using simple Telnet. you can use IDEA quite easily without changing how SSH works. and it allows you to perform any console-based commands on the server. however. SSH can be independent from the rest of your system in terms of which hosts are allowed to connect. The only catch is that. Security 167 . a powerful block-cipher encryption algorithm that operates with a 128-bit key. SSH can be used as an effective “tunneling” mechanism and can secure far more than just remote logins and file transfers. but it boils down to how your system is configured and how you want to customize things. In its most basic form. it includes some key management programs like ssh-add. ssh. An important configuration option that can be specified only at compilation is whether or not SSH will use TCP Wrappers.net/pub/crypto/ redhat/i386) or the source code itself from the SSH site (http://www. Finally there is ssh-keygen. As you can see. one as client and one as server. which is the key generator for SSH. This program is used to perform RSA-style authentication over networks when you’re using SSH. because SSH is client/server-based. Despite all of this functionality. using SSH for remote connections does not require an enormous learning curve. a widely used public-key/private-key cryptographic system SSH’s multi-algorithm support is quite extensive and user-definable. Secure Copy provides a secure means to copy files from one machine to another. It can protect against IP Source Routing. both the remote host and the local machine must use SSH. and when it receives a connection request from a valid SSH client. quite versatile and can be used for more than that task alone. Authentication and session encryption are completely transparent. The client program is very much like a Telnet client in every respect. SSH can also be used to protect against IP Spoofing. including the client program. It protects against DNS Spoofing (when an attacker forges name server records). it comes with a number of programs. it allows remote hosts to access and store your RSA private key. You can obtain the binary programs from ZEDZ (ftp://ftp. it starts a new session. SSH can offer a complete replacement for insecure programs like Telnet and rlogin. How does it work? SSH is a suite of programs designed to secure connections between two computers. and there is no apparent slowdown of information in transit beyond perhaps the seconds when the session authenticates. SSH provides a method to secure remote logins and intransit data and provides a way to protect files and documents transmitted from one machine to another.IDEA: The International Data Encryption Algorithm. The server itself. sshd. much like the rcp program.com/).ssh. Since SSH is based on keys to authenticate between client and server.

preferably. It is not an interactive copying program.deny (specified unauthorized hosts).which enables SSH to allow and disallow connections based on the hosts defined in /etc/hosts. it’s TCP Port 22). These options include the number of bits to use in the server key (by default. To any systems administrator. I recommend disabling all running Telnet servers completely. it’s 768 bits). /etc/ssh_config. The syntax is: scp user@host1:[/path/filename] user@host2:[/path/filename] There is little real benefit to running sshd from Inetd. There are a number of other options that can be used by the SSH daemon on the command line. permits more options to control how the daemon operates. Second Edition . Some of the options on the command line allow you to select which cipher (encryption method) to use. the suite of programs will become available to you. The configuration file for the daemon. is that SSH must generate a server key prior to responding to the client. and this action can take a few seconds because or it can be abbreviated to scp [/path/filename] user@host2:[/path/filename] SSH can also be used as a tunneling program to create rough Virtual Private Networks or to allow remote users to access a remote 168 Administrator’s Guide to VPN and Remote Access. like FTP. how often sshd regenerates the server key (by default. In fact. removed completely. but it’s very similar to the cp program that’s used locally. Once you’ve decided which method you’re going to use (source or binary) and you have installed SSH. SSH can use this tool. The RSA key is usually re-generated hourly (which can be changed in the configuration). You can then decide whether sshd will be a persistent service (started on its own and continually running) or whether Inetd will start it upon request. If you want Inetd to start the SSH daemon when required.conf (if you have TCP Wrapper support enabled): ssh stream tcp nowait root /usr/sbin/tcpd sshd -i What are the specifics? or if you have TCP Wrapper support disabled: ssh stream tcp nowait root /usr/bin/sshd sshd -i it has to generate the key immediately before it can authenticate a session. The side effect to using Inetd. and more. running the daemon stand-alone is recommended. but it uses a unique syntax to copy files. as well as its own configuration file. Consequently.conf so that the Inetd super-daemon will never open a Telnet session when an incoming request on TCP Port 23 is received. It allows you to select which cipher you want to use on the command line.allow (specified authorized hosts) and /etc/hosts. The Secure Copy program should be used whenever you need to transfer one file to another. or it can use its own form of allow/deny authorization (when compiled without TCP Wrappers support). and it is never written to the disk—so as to preserve the key’s integrity. rexecd. you will think that you’re sitting in front of the server itself. sshd keeps a generated RSA key in memory so that it can respond to client requests immediately. it’s once an hour). Because of this added security. TCP Wrappers is an excellent security tool that works similarly to a firewall. however. rlogind. The system will not be secure until all of these programs are disabled or. It will connect to the remote SSH server and initiate an interactive Telnet-like session. which user to log in as (if not the current user). The SSH daemon does not take much memory or CPU when idle. Normally. ssh. also has a number of command-line options. you should also disable the rlogin and rsh suite of programs (rshd. it is so transparent that. The two configuration files are used to select services and to authorize or “unauthorize” specific hosts or domains from using those services. and rexd). and so forth. beyond the login. alternate ports to listen to (by default. the session initiation will take a few seconds longer than necessary. This disabling can be done by commenting out the Telnet field in /etc/inetd. The SSH client program. add the following to your /etc/inetd. so there is no need to worry about wasted resources if it is not used very often. /etc/sshd_config. By the same token.

So. liu. html) is useful. or even for the administrator who uses Linux as a server at work and runs Windows at home. and the ever-increasing number of clients for other operating systems proves that the usefulness of SSH is not limited to UNIX and Linux alone.com/).com/) and from Gordon Chaffee (http://bmrc. there is NiftyTelnet. SSH has been quite popular for many UNIX and Linux system administrators for years. wrote an excellent SSH extension for Tera Term Pro that makes the Telnet client fully SSH-compliant. It can be used to run encrypted PPP sessions on top of a standard SSH session. It is a popular Telnet client for To Linux and beyond Windows. in the real world.edu/people/chaffee/s hnt). If you want free alternatives. For Macintosh. It is not currently available to the public but should be soon. However. you can take a look at some of the programs listed below. which are useful in securing NIS services. You can find more information on the official FiSSH site (http://pgpdist. like Linux. so anyone who plans on using SSH needs to do so with a UNIX or Linux server. and it’s called Free FiSSH. Unfortunately. commercial alternatives have an associated cost. Robert O’Callahan. That is yet another reason for using a stable and free platform. as well. there are no free servers for many operating systems. which supports SSH natively and can be obtained from Jonas Walldén (http://www.html).edu/FiSSH/index. There are also two ports of SSH (command line) to Windows from the SSH site (http:// www.se/~jonasw/freeware/niftyssh/).X11 server securely. not everyone uses Linux.ssh. It can also be used to communicate with outside entities from behind a firewall. TTSSH (the SSH extension) can be obtained from the TTSSH home site (http://www. It would be useful for operating systems that come without a direct version of SSH but that use Java. Security 169 . you can securely download e-mail that would otherwise be transferred in clear-text (unless the server supports APOP or a similarly encrypted POP3 protocol and only if your client program supports the same protocols). For Windows.datafellows.com. however. You can obtain various commercial SSH client implementations (called F-Secure SSH) for Windows and Macintosh systems from DataFellows (http://www. but almost a necessary one. because of its TCP forwarding options.lysator. For the Linux user. there are SSH clients for other platforms. Unfortunately. For those who use Java.co.berkeley. however.jp/authors/VA002416/teraterm. Tera Term Pro (http://hp. does this fact limit SSH’s usefulness at all? Definitely not! Within a heterogeneous network. It can be used to provide encrypted access to POP3 servers so that. there is also a Javabased SSH client called MindTerm that can run stand-alone or within a Web browser. by tunneling it via SSH. There is yet another SSH client for Windows in the works. but it doesn’t come with SSH support natively.html). It can be used to provide secure RPC sessions. Secure Shell is an excellent suite of programs. It should be apparent that SSH is not only a useful solution to many security issues. vector.au/~roca/ttssh. Beyond that.zip. mit. in a networking environment. the uses for SSH are virtually endless because of its built-in tunneling and forwarding capabilities.

when you connect to a remote site. you will have to copy /home/joe/.x and 2.pub.pub to the remote system and place it into the ~/. you will want to run this command instead: ssh-keygen -d Key-based authentication Typically.x server. For instance. you need to stop right now and try it. you need to supply a password. If you use telnet and still don’t know what OpenSSH is. This is easily done since you should already have access to the remote system. with everything from passwords to the text you type encrypted.ssh/identity. especially if you use strange and convoluted passwords (which you should).ssh/ id_dsa and /home/user/. you will have to recreate your private key. because it offers the benefit of fewer keystrokes and is just as secure as using password authentication. Because SSH 2. Simply copy your new ~/. you can connect to computers across a network or the Internet in a completely secure fashion. Run the following command to change the permissions: chmod 600 ~/. is not about how to install OpenSSH. SSH 1. This is true for remote logins and for copying files securely. which means that you can make use of password-less connections to the remote machine. some using OpenSSH and others using SSH 2. or even about the basic uses of OpenSSH. If you connect to various servers. if your user name is joe. unlike OpenSSH itself. however. you need to secure your private key. To do this. The first step is to create your private and public keys.pub on the local system to /home/joedoe/. With it.ssh/ identity. this may be the best method for you to make use of. Now that you have your keypair generated. and that you have appropriate access to the system. it will create a DSA key instead. you have to enter your password only once.ssh/authorized_keys 170 Administrator’s Guide to VPN and Remote Access. Once you have completed this command. In this article.ssh directory on the remote system.x. If the remote server uses SSH 2.x.x are both commercial implementations of SSH and are not free. If you use the -d option. then you are in dire need of a little education.ssh/id_dsa. Second Edition . The first is your private key. so take pains to ensure it does not become so. If you connect to a remote system often. (If your private key ever becomes compromised.x uses a different algorithm. If you’ve been using telnet and have never given OpenSSH a try. Using this method. you will have a file called /home/user/.ssh/ identity and another called /home/user/. OpenSSH also uses a key-based method of authentication. Since both keys are saved in different files. you can run both commands. and the second is your public key. simply run the command: ssh-keygen This will work for any OpenSSH or SSH 1. While in its most basic form OpenSSH can be used for secure remote logins and secure copying of files to and from remote computers. This article. we will explore some of the more advanced features of OpenSSH and discover how to make using it simpler and more powerful. you have no idea what you’re missing. these files will be /home/user/.) The easiest way is to change the permissions of the file so they are readable and writable only by you and no one else. at the beginning of your session. The password is required to authenticate you so that the remote system knows that you are who you say you are. but on the remote system it is joedoe. they can peacefully coexist.ssh/identity. there is far more that OpenSSH can do.pub.ssh/identity This will make sure that only the user who created the keypair has access to the file.Making the most of OpenSSH Mar 7. The next step is to distribute your public key to the servers you will be connecting to via SSH. 2001 By Vincent Danen I f you run Linux in a networked environment and don’t yet know what OpenSSH is. OpenSSH is an open source and free implementation of the SSH (Secure Shell) protocol.

Then you can run ssh-add from any terminal. The first thing you will need to do is run the ssh-agent program using the shell’s eval command.on the remote system. Now you will be able to start SSH sessions from that terminal alone without ever having to enter your password again (until you close or log off the terminal. Many people use SSH tunneling to retrieve their POP3 mail from their ISP or other system. the remote server must also run SSH in order for this to work. Once this is completed. or any other TCP/IP service through the SSH connection by connecting to a local port which travels through the SSH “tunnel. If you did not enter a password when you generated your keypair. of course). Once you have done this. or ~/. use the -c command-line option. the remote server runs SSH. If you connect to the remote machine by multiple computers. You can easily determine whether the remote system runs SSH either by trying to use the SSH client to connect to it or by telneting to the standard SSH port (22) on the remote machine. By using SSH tunneling for this. they will connect from the secure SSH port to the unencrypted (normal) port. What this means is that you can create a secure connection to a remote computer and transfer files.xsession if you boot directly into X. These programs will allow you to store your key in memory once you have entered the passphrase that ssh-keygen prompted you for. and it may seem a little complicated at first glance: ssh -f [user@remote] -L [localport]: [fqdn-of-remote]:[remoteport] [command] This program must be run in the exact same terminal that you ran ssh-agent in. This entire operation is seamless for your client connections.pub file into it. you prevent people from sniffing your POP3 password.ssh/ identity. you can include the public key for each user on those computers in the remote authorized_keys file by inserting the contents of the local ~/. mail. Run the following command: eval $(ssh-agent) and you can also remove an identity from the system memory by using: ssh-add -d Port forwarding You will then see a message that displays the ssh-agent’s PID number. Let’s assume for a moment that your POP3 username is joe and that your POP3 account is Security 171 .ssh/authorized_keys wise authenticated. The next step is to make use of the ssh-add and ssh-agent programs. the remote server does not run SSH. Once that has been printed to the screen. you must make the authorized_keys file world-readable and writable only by you by doing: chmod 644 ~/. It will load the key into memory and ask you for your password. The ssh-agent program is an authentication agent that will run in the background and seamlessly handle requests to connect to remote sites. and you also prevent anyone from sniffing the contents of your e-mail. OpenSSH also provides an option to compress data. If the connection is permitted. you can do so using: ssh-add -l on the remote machine. and any future terminals you open during that login will be like- Let’s take a look at a commonly used example. you will need to add the eval command to your X startup files: ~/. If it is denied. you will still need to run these programs. and you will not be able to connect to it securely.” At the remote end. The syntax for port forwarding is as follows. To use compression. Of course. Now.xinitrc if you start X from the console. the authorized_keys file can hold more than one public key. which may help you get your mail faster. run the ssh-add program: ssh-add OpenSSH also provides a method to tunnel protocols securely using port forwarding. you are almost ready to begin. If you want to have this capability in all terminals you open. you simply won’t be asked for a password. and all data will be encrypted. If you want to list the key(s) that are currently stored in memory.

Once you’ve done this. Once you execute the command. Or you can use a BASH script similar to this. Then you can run the following command when you log in to your system: ssh-agent ~/bin/getmail if you saved the above script as the executable file ~/bin/getmail. The configuration file is read from top to bottom. is joe.ssh/environment. Second Edition . Once you have done this. Expanding upon the example above. To take the example further. let’s look at a sample ~/. which contains the following line: XAUTHORITY=/home/user/. Now let’s take a look at another use for SSH tunneling.com -L 1110:mail. sleep 5m. We then create a tunnel from port 1110 on the localhost to port 110 (the POP3 port) on the remote host. mail. If you use fetchmail. close the session and then start another session using: ssh -f -x -l [user] [remote host] xterm This will open up an xterm from the remote machine onto your local computer. so that some data keeps the connection alive. Further configuration options And that’s it! What this does is tell fetchmail to connect to port 1110 on the local system. you will not have a user configuration file.located at mail. you will be able to run it in this manner. We then run the command sleep 10 to keep the connection alive long enough for the mail client to connect to the remote server. so you may want to copy /etc/ssh/ssh_config to ~/.fetchmailrc configuration file that it uses.ssh/ssh_config. use the following command: ssh -f -c joe@mail. which You can also configure OpenSSH to make it easier and more convenient for you to use. so we provide that as the username and the fully qualified domain name for the remote host name on the command line. Suppose you wanted to run X applications from a remote server and have them displayed on your local computer. To establish the tunnel.somehost. of course.somehost. There are three ways that you can pass options to OpenSSH. As long as you have permission to execute the program. or an administrative program.somehost.com:110 sleep 10" password private.com. Our login on the remote machine. The preconnect command tells fetchmail to execute the command in quotes prior to making the POP3 connection to download mail. To take this one step further.com -L 1110:mail. in order of priority: command line. user configuration. and they are.com:110 sleep 10 will run fetchmail every five minutes to download mail: #!/bin/sh ssh-add while true. The first step is to log in to the remote machine and create a file called ~/. combine this with the ssh-agent and ssh-add commands we looked at previously. and you will need to enter your password only once.somehost. It uses matching. you can then point your mail client to port 1110 on the localhost to retrieve your e-mail. To change system-wide configuration options. you will be aware of the ~/. and systemwide configuration. such as using tail on a log file. do fetchmail —syslog —invisible. the home directory of the remote user.fetchmailrc file: poll localhost with protocol pop3 and port 1110: preconnect "ssh -f -c joe@mail.com. This is easily done with OpenSSH as well and provides a secure way to use remote applications.somehost. such as Netscape.somehost. simply edit the /etc/ssh/ssh_config file. let’s take a quick look at the fetchmail program and see how you would have to configure fetchmail to make use of this SSH tunnel.Xauthority The /home/user directory is. By default. You can basically put anything here that produces some activity. done This command will start the port forward command with compression enabled. so the first configuration option that matches the situation is the 172 Administrator’s Guide to VPN and Remote Access. The last line provides the password for the POP3 account. xchat. you will be prompted for your password on the remote system. You can do this with any application you like.

“So as a result. however.ssh/ssh_config file to look like this: Host *sh HostName somehost. which are the default in the configuration file. An employee at Edwards’ former workplace was fired under questionable circumstances. Simple. now a senior network administrator for eLink Security 173 . to make use of SSHenabled FTP. And since OpenSSH is completely free. It can be used to secure many aspects of your system and generally make life easier and let network administrators breathe easier. we basically had a situation where we couldn’t get his current data that he had done for the day.com User joe ForwardAgent yes # Be paranoid by default Host * ForwardAgent no ForwardX11 no FallBackToRsh no file. You can use tunneling for anything from POP3 to SMTP. a secure FTP client and its associated secure FTP server. Because of this. there is no reason why it should not be used. and authenticate using your key. Let’s look at a quick example: Assume that you have an account on somehost. and deleted all of his documents off the network. The employee went home. 2002 By Dana Norton oe Edwards knows what damage one person can do to an organization by misusing a virtual private network (VPN) password. isn’t it? Connections to all other machines will continue to use the default paranoid settings. Conclusion Now all you need to do is type: ssh sh instead of: ssh joe@somehost. With all the obvious advantages of using OpenSSH.” said Edwards. Using key-based authentication is a simple. OpenSSH will look up the host name in the configuration Protect your VPN by keeping a tight rein on passwords May 22.com There are a number of shortcuts you can take with OpenSSH without reducing security. means of making life a little easier. and even use it for FTP and HTTP connections. You might edit your ~/. to connect to the remote machine.com whenever you connect to the remote machine. using other insecure options should be considered a thing of the past. dialed into the J employer’s VPN. yet secure. Creating secure tunnels with SSH also has many advantages.one that will be used. Creating a tunnel for FTP is unnecessary. and you want to simply type sh instead of somehost. as you can use scp (secure copy) to transfer files or use sftp. However. your specifics should be listed first and the more general options specified last. you still want to keep the paranoid settings for every other host.com as the user joe. OpenSSH is more than a simple secure shell. which will protect you from untrusted hosts. You’re using the one-time password authentication method discussed previously. use your user name to log in. You also want to be able to use X11 forwarding to run remote applications on your local machine.

Encourage users to use other forms of protection at home. the director of product marketing for Corporate Edge Services for Nortel Networks (http://www. “So if an employee leaves. “VPN passwords are the keys to the kingdom. and that VPNs meet this need. MD (http://www. so if it’s secured via passwords and you don’t have good password control mechanisms. “A bad thing to do is to fire someone in the evening and not let us know.” he said. In the wrong hands. in Framingham.. “With a VPN. They’re also one of the only ways an organization can protect its VPN. Edwards also saw how an employee who disliked another fired employee accessed a VPN using the terminated employee’s password and sent hateful e-mails to supervisors in the organization under the fired employee’s name.Communications. Second Edition . Inc. For example. MA (http://www. “Obviously the more frequently you refresh your passwords.courion. MD (http://www. Passwords are necessary for secure access to a VPN. The need for secure passwords is increasing simply because VPN use is rising. That would be the stuff that you’re doing when you dial in from home.” he said. a single VPN password can open up an entire network to a malicious user or hacker.” said Doyle. he could very well go home and either still get sensitive information off the network or still send out e-mails basically using your company’s service for his own good. For example. when an employee leaves the organization. the problem scenarios I mentioned could have been avoided if the organization’s human resources department had told the IT team when an employee was to be fired. If the idea of turning over one password to each user makes you shake in your boots.” said Tom Rose.” said Marty Roesch. Inc.nortelnetworks. “Passwords really are the only line of defense today between an intruder and your data. John Doyle.” said Roesch. “One is remote access.” said Edwards. an Internet service provider (ISP) in Bethesda. the more difficult it becomes for a hacker to compromise a password or obtain one. “You use a VPN to secure your point-to-point communications.sourcefire.. the president and founder of Sourcefire. you can access through 174 Administrator’s Guide to VPN and Remote Access.com/). “There are two principle applications for VPNs. you should uninstall those passwords immediately. establish a policy that states that users must use firewalls and other protection solutions that are approved by the organization. These examples demonstrate why IT managers must control VPN password use in their organization and delete passwords when they are no longer needed.” he said. a provider of network monitoring infrastructure solutions in Columbia. Staying on top of password use is the easiest way managers can protect VPNs. And then there’s the branch-to-branch stuff. How to manage IT passwords “For example. said that Nortel Networks sells VPN services to all types of companies.” he said. He added that users in an organization’s branch offices need network access from anywhere.elinkcommunications. Keep your organization safe Protecting your network is one reason each user in your organization needs a VPN password and also the reason IT managers need to focus on managing passwords to prevent abuse.” said Rose. a provider of self-service identity management solutions. the vice president of marketing for Courion. and carrier partners that offer managed VPN services.com/). it should. then you run the risk of a password getting out. government entities.” said Edwards. Here are other password management tips: “Refresh passwords at least every 60 days. Tell them that it is impossible to deploy security software to users outside of an organization’s network and that they cannot trust external computing platforms. This overall growth means that VPNs are more important to an organization’s productivity. at any time.com/). VPN use and risk increase anybody’s ISP on basically anyone’s network. Explain to users why they must be careful with VPNs.com/). IT managers should establish a system to track passwords to know when certain passwords are no longer needed. That would describe most companies.

Managers should especially encourage a user with “12345” as a password.asp?Node= PWC).” he said. If you do not use an automatic system. say. 123.courion. to change it for security reasons. “That way if someone’s using a password of. com/products/pwc/index. we can actually make those people change the password and force the password length. and symbols are stronger than oneword or number-string passwords. You can use an automatic solution. Courion makes and distributes PasswordCourier (http://www. Edwards checks each password in his organization twice a month. numbers. Notes Security 175 . which is pretty common. for example. The application can also tie all of a user’s passwords together into one central location where they can be changed or updated automatically. search your network for weak passwords. For example. Longer passwords that are a mix of letters. For example.Force users to create strong passwords. an application that enables managers to securely reset forgotten passwords or automatically delete expired ones.

Notes 176 Administrator’s Guide to VPN and Remote Access. Second Edition .

.....191 Customize the security of L2TP/IPSec connections ................... TechRepublic’s TCP/IP primer...........................................................................................................................202 Protocols ......199 The Windows NT 4....................................................................................................................Protocols When it comes to administering a VPN..............186 Configuring certificates for an L2TP/IPSec VPN . and IPSec connections..............196 Troubleshooting L2TP/IPSec VPN connections in Win2K ........ PPTP..... L2TP..183 Putting the “private” in virtual private networking ..177 Troubleshoot your network errors with TechRepublic’s TCP/IP checklist ................................................ you have to know your protocols...................180 Troubleshoot Novell TCP/IP network errors with TechRepublic’s checklist ................................................................0 PPTP VPN client connection guide ........................................ This chapter contains the material you need to troubleshoot TCP/IP........................................

all the utilities that work with TCP/IP live in the Application layer. Let’s follow the path that a portion of data. In the case of networking computers. It needed a way for employees and associated institutions around the world to be able to communicate large amounts of data quickly and securely. networking drives the Internet.TechRepublic’s TCP/IP primer Sep 1. TCP/IP defined What is TCP/IP and how does it work? TCP/ IP is defined as an industry standard suite of protocols that computers use to find. That technology is called TCP/IP. and Internet utilities. takes when it travels the TCP/IP highway. Internet layer 4. Examples of these include programs like PING. and TCP/IP is no different. so it contracted with a small company to develop the technology to accomplish this. So how does it all work? How is it that one computer can “talk” to another no matter where that computer is? Simply put. A protocol is a set of standards and rules that need to be followed. or a packet as it is commonly called. A good example of this is NetBIOS. W What is TCP/IP made of? Under the hood. and communicate with each other over a transmission medium. The result of this assignment has become the most popular means for two computers to communicate with each other. Common practices and functionality are the basis for which all standards are produced. There are four general layers of the TCP/IP stack: 1. nearly all computers are connected to one another in some fashion.S. Whole courses are taught on TCP/IP alone. TRACERT. As IT professionals. understood. access. TCP/IP’s architecture consists of several “layers” performing certain functions. These utilities provide the user with connectivity. Transport layer 3. an application programming interface (API) that supports a desktop operating environment. Physical or Network Interface layer A full-scale description of each layer and its underlying functionality is well beyond the scope of this article. and Telnet. Application layer The data you want to send starts off at the top of the TCP/IP stack in the Application layer. you are using your computer’s implementation of TCP/IP. Networking and computer networks are not new concepts. The data you send follows a certain path and is transmitted in a specific way so that when it arrives at its final destination. 2000 By Jason Pachomski ith the explosion in the popularity of the Internet. This layer contains network applications and services that the user interfaces with in order to use network communication. Finally. The first indications of where they would take us began to surface in the late 1960s with the U. Department of Defense. file transfer capabilities. When you transmit over the Internet. Protocols 177 . and used by the receiving machine without any problems. The protocol suite is implemented via a software package most commonly known as the TCP/IP stack. it can be read. Also living in the Application layer are utilities for things like file and print services and name resolution. Each layer contains protocols. From the mission-critical database server in a large corporation to the old clunker in your basement that the kids play games on. FTP. utilities for remote administration. However. Application layer 2. we need to understand and implement the functionality that fuels this technology. the concept of a “stand-alone” PC is quickly becoming obsolete. This functionality ships with all versions of Windows from 95 and up and can be easily installed using the network setup applets in the Control Panel. a protocol is the set of standards and rules that a machine’s hardware and software must follow in order to be recognized and understood by other computers. here’s a brief overview of the part each layer plays and how they work together.

ICMP is mostly used by routers to send information back to a source computer about a transmission that computer is trying to make. as well as the right application running on that machine. TCP is considered a connection-oriented protocol. into its physical equivalent address. The designers of TCP/IP wanted to make sure that the data you send gets received by the right machine. In the Transport layer. ARP’s job is to resolve a logical IP address.mywebsite. Reverse Address Resolution Protocol (RARP) and Internet Group Management Protocol (IGMP). Entire books are available on TCP. flow control. When you use the PING utility. That is why TCP is the most widely used protocol in Internet communications. or network topology the PCs live on. there are mechanisms for error checking. however. Internet layer Beneath the Transport layer is the Internet layer. UDP is told by the Application layer which machine it is supposed to transmit to. IP addressing and address resolution occur within the Internet layer. The Transport layer provides this functionality. A connectionless protocol such as UDP. operating system. but simply put. UDP. Second Edition . as well as reliability issues. and the Transport layer. with no questions asked. This makes TCP a more reliable. The two major components of the Transport layer are the Transfer Control Protocol (TCP) and the User Datagram Protocol (UDP). No matter what type of machine. There are also two less-used protocols. A slew of functions are built into TCP that check and recheck the data while the two machines are connected. Table A: Terms defined API NetBIOS PING TRACERT FTP Telnet A message and language format that allows programmers to use functions within another program A protocol that provides the underlying communication mechanism for some basic NT functions. they’re speaking the same language. transmission. it passes the data down the line to the Transport layer. such as browsing and communication between network servers A command used to verify the existence of and connection to remote hosts over a network A diagnostic utility that determines the route a packet has taken to a destination A protocol for transferring files to and from a local hard drive to an FTP server located on another TCP/IP-based network A remote terminal emulation application that has its own protocol for transport 178 Administrator’s Guide to VPN and Remote Access.Transport layer Once the Application layer is through with the data. as long as both machines are using TCP/IP. Three key protocols reside in the Internet layer: Internet Protocol (IP).com. and verification ensuring the integrity and completeness of the data it is working with. IP addressing is a scheme that standardizes how machines are identified and differentiated from one another. does not establish a connection with the target machine at all. But UDP has rudimentary error checking and flow control. A connection-oriented protocol is one that establishes a connection with another machine and maintains that connection for the entire duration of data transmission. This obviously makes UDP a much faster protocol when it comes to data transmission. Address Resolution Protocol (ARP). Each of these serves a specific purpose. This scheme allows any computer running TCP/IP to communicate with other computers running TCP/IP anywhere in the world. there is one very important difference between the two. and Internet Control Message Protocol (ICMP). the Transport layer is an interface that applications use for network connectivity. while UDP is considered a connectionless protocol. such as www. the information you receive was gathered using ICMP. Although TCP and UDP are the main workhorses of this layer. albeit slower.

Protocols 179 . it has evolved due to its nonproprietary standards. we would still be in the stone-age of networking. These standards provide a framework for programmers who develop protocols.Physical layer The final layer on the TCP/IP stack is the Physical layer. It also gives developers universal concepts so they can develop and perfect protocols. It also shows the four layers of the TCP/IP Reference Model and how they map to Microsoft’s TCP/IP. is not such a bad idea. Its responsibilities include: Interfacing with the computer’s network hardware Checking for errors in incoming packets of data Tagging outgoing packets with errorchecking information Acknowledging the receipt of a packet Resending that packet if no acknowledgment is returned by the recipient This layer is almost totally invisible to the everyday user. each layer of the TCP/IP reference model corresponds to a part of the OSI model. The OSI reference model Figure A This diagram illustrates the layers of the OSI Model and how they map to different areas of Microsoft’s TCP/IP. This layer is at the base of the stack and is the last section a packet must go through before it’s sent out across the transmission medium. The Open Systems Interconnected reference model (OSI/RM) is the standard that all other protocols follow. given this layer’s complexity. Although TCP/IP was originally developed to traverse heterogeneous network environments. which. Without it. As you can see in Figure A. The OSI/RM provides a framework that connects heterogeneous systems using a common protocol. TCP/IP has transformed the way people use computers. The Physical layer contains a collection of services and specifications that provide and manage access to the network hardware.

new Internet software. ask the user whether new software was just loaded or whether any recent changes have been made to the Listing A C:\WINDOWS>PING 127.0. most network problems are often due to Physical Layer failures. Start PINGing. you’ll receive a list 3. Check the hub to see if the system is getting a link across the cable. in Windows. but finding the culprit can be difficult. 4.0. TechRepublic’s TCP/IP checklist server? Ask around before attacking coworkers’ PCs. If this is the case. Otherwise. 2000 By David Mays hether your systems are powered by Windows or Linux. If the server stopped working. Start at the NIC.0. attempt to PING yourself from the Windows command prompt or use the Linux shell. The physical topology of your network is most prone to failure.1: bytes=32 time=1ms TTL=32 PING statistics for 127. and so on. is there a green light? Check the wiring closet to see if someone “borrowed” the patch cable. 7.0.0. Windows users should see the response shown in Listing A. Received = 4.1 PINGing 127. including the installation of service packs. Is it plugged in? Check all network cable connections. If you do not receive a successful PING from yourself.0.0. learn if the outage is affecting others or just a single desktop. 5.0.0. What stopped working? The client or the 2. get one. Cabling is very susceptible to electricians. Check the physical network.0. It should provide the information shown in Listing C. Often the problem can be traced to an improperly configured TCP/IP setting. try re-installing the TCP/IP protocol from the Network Control Panel.0. Lost = 0 (0% loss).0.1: bytes=32 time<10ms TTL=32 Reply from 127. Second Edition . If you don’t have a cable tester. Your local “loopback” address for such testing is 127. 8. First. HVAC personnel. Maximum = 1ms.0. see if your Ethernet card is loading properly by using ifconfig. When you issue the interface configuration (ifconfig) program.Troubleshoot your network errors with TechRepublic’s TCP/IP checklist Jan 21. 1.0. network configuration problems inevitably arise. Use the following checklist to help identify and eliminate network TCP/IP errors.0.1: Packets: Sent = 4. Average = 0ms 180 Administrator’s Guide to VPN and Remote Access. Elf Bowling games.1 with 32 bytes of data: Reply from 127. focus on fixing the server. In fact. and so on. while Linux operators should see the results shown in Listing B. you must stop the test using [CTRL]C. which requests four PINGs.1: bytes=32 time<10ms TTL=32 Reply from 127.1. Both Windows and Linux have the PING command. 6. If a single client PC has stopped responding to the network.0. In a typical network you have this order (client->gateway>server) or (client->gateway->internet). cleaning people. W system. In Linux. Note that in Linux you must add -c 4 to the command.1: bytes=32 time<10ms TTL=32 Reply from 127. Approximate round trip times in milli-seconds: Minimum = 0ms. you should notice many office mates banging their heads against their desks simultaneously.

You can find this in the IPCONFIG screen with NT systems (WINIPCFG for Windows 98) or in Linux by running the netstat-rn command.0.1: icmp_seq=3 ttl=255 time=0. If PINGing your loopback worked fine. With loopback.1 (127. 11. Find the IP address of your gateway.0.0. you’re probably experiencing a Physical Layer failure. If the loopback (lo) is not listed.0.255 MTU:1500 Mask:255. The next problem area is in the gateway. with PINGing on your local subnet you tested for failure on the failing machine.100 UP BROADCAST RUNNING MULTICAST Metric:1 RX packets:219876 errors:0 dropped:0 overruns:0 frame:0 TX packets:153838 errors:0 dropped:0 overruns:0 carrier:0 collisions:77 txqueuelen:100 Interrupt:10 Base address:0x230 lo Link encap:Local Loopback inet addr: then try PINGing someone who is on the same subnet as you.0.0. 0% packet loss round-trip min/avg/max = 0. In Linux.168. If you can PING someone on your local subnet. in this scenario you should attempt to PING 192. 10.0.168. the IP address is set to 192.1 UP LOOPBACK RUNNING Mask:255. you’ll receive errors. Use the Start | Run | IPCONFIG command to learn your NT machine’s IP configuration (use the WINIPCFG command with Windows 98).0.2 ms 64 bytes from 127.1 PING statistics —4 packets transmitted. In the ifconfig example above. you were just testing the inner workings of the Listing B [root@gateway /root]# PING -c 4 127.100.1: icmp_seq=0 ttl=255 time=1.1.0. you may have an incorrectly configured kernel or possible problems with the loopback module. move on to the next step.255.0 inet addr:192. providing these results shown in Listing D.9/1.0. Try recompiling/ reinstalling to see if that resolves the problem.1: icmp_seq=2 ttl=255 time=0.0.9 ms —.1: icmp_seq=1 ttl=255 time=0.1 PING 127. otherwise. If you can’t.168. Be sure the target IP address being PINGed is a valid IP address assigned to a system. 56 data bytes 64 bytes from 127. Listing C [root@gateway /root]# ifconfig eth0 Link encap:Ethernet HWaddr 00:00:11:22:33:44 Bcast: your interfaces. Thus.0.9 ms 64 bytes from use ifconfig to learn your network settings. 9.1.0 MTU:3924 Metric:1 RX packets:15 errors:0 dropped:0 overruns:0 frame:0 TX packets:15 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 Protocols 181 .9 ms 64 bytes from 127. Try replacing the network card and using a new patch cable.1.168. 4 packets received. The usual suspects are bad cables or a NIC gone bad (they do that sometimes).2 ms TCP/IP protocol stack.

this will prove a solid connection from your PC to the gateway. 12. 182 Administrator’s Guide to VPN and Remote Access. This is a problem.1. locate Start | Settings | Control Panel | Network | TCP/IP | Gateway and add your gateway.0 Flags U UG MSS 0 0 Window 0 0 irtt 0 0 Iface lo eth0 The -rn prints the routing table and puts everything in numeric format. It must have a local interface (IP address) on your subnet to listen to the traffic on your network.0.0. the router administrator may have loaded an old config.0. If you don’t have a gateway configured.0. and you have one configured. If you do so successfully. If you can’t get to a particular system in your network or on the Internet.168. then one will not show up in WINIPCFG or when using netstat.254.71.0. You can skip to the next section. Your router is improperly configured. and others will be affected as well.254 Genmask 255.0. After you get past an initial install. On the Internet. the PC is working. it’s time to call in the big guns.1.68). the default gateway (0. PING something that is on the other side of the gateway. it should run for quite some time without any trouble. Second Edition . that resource may not be available. reboot your system. Remember.0.0 0. even in a global thermonuclear war. This is your local interface on your router.Listing D [root@gateway /root]# netstat -rn Kernel IP routing table Destination 127. check with the administrator to make sure this isn’t the case. You may want to tell the administrators of those systems about this checklist! Certainly.0 192. Always look for the most obvious problems first. you should not have a problem.0 Gateway 0.0.0) is 192. If there is no interface. The final step is through the gateway. use linuxconf or set up a temporary route using: route add default gw gateway_ip_address where gateway_ip_address is your gateway.0 0. and the router (gateway) interface is working. the cabling is working. if you receive no response from the gateway. If it has one but has stopped working.168. In Linux. However.0. TCP/IP was designed to be indestructible.0. Conversely. In an intranet.0. PING a printer on a remote subnet. If you have made it this far. In Windows. have the router administrator add one. you can expect they’re working through the same difficulties as you.200. PING this address.0. In this example. PING Yahoo! (204. it could mean you’re experiencing a router failure. and if in doubt.

This guide offers some straightforward troubleshooting steps to help diagnose and resolve problems on misbehaving Novell TCP/IP networks. Determining the scope and nature of a problem will allow you to diagnose and resolve any issue correctly and efficiently. the answer to this question will provide the resolution to our problem. been severed or crushed by a heavy piece of furniture. Equipment breaks or software changes are made. If you don’t have a link light. but it is a sign of connectivity. and it will provide you with a good starting point for troubleshooting configuration issues. but older clients don’t have this capability. Next. Is one user or a single system affected. Check physical connections. CNE J ust as with Windows or Linux systems. the network connection is accidentally removed. This does not always mean that the signal is good. head for the wiring closet. This will test the TCP/IP protocol stack and verify that it is working correctly. Check the network signal. Reconnect both ends of the patch cable to ensure the connection is good.0. check for error lights on the network device and confirm that the network feeds are securely connected. and network cards can be configured incorrectly. verify the physical cabling from the communications closet to the wall jack. Occasionally. If you aren’t receiving a signal at the client. TCP/IP network configuration issues can prove quite frustrating to solve on Novell networks. Sometimes users move their computers and forget to plug in the network connection. Verify that the network card has a green light. Check the wiring closet. Verify the line speed. If everything in the communications closet is good. As simple as it may be. NetWare 5 clients will automatically reconnect if there’s a lapse in the network signal. Switch ports can be forced to slower speeds. When we’re faced with network troubles. take a moment to absorb the big picture. you can follow these steps to restore network service to your users and systems. check for a link light on the hub or switch port. or does the problem have an impact on the entire department? First. If they are. Single-client problem If a single client is having connectivity problems. Here’s a step-by-step guide that you can use the next time your Novell network experiences TCP/IP problems. Also verify that the switch port and the network card are not both configured to auto sense the line speed. try another port. Novell administrators can save time by following a troubleshooting checklist.Troubleshoot Novell TCP/IP network errors with TechRepublic’s checklist Jun 21. rebooting the workstation resolves many problems. Using a line tester. go back to the workstation and PING the local loopback address of 127. verify the speed of the connection. Determine the scope of the problem When troubleshooting any problem. try to What changed last? We do not live in a perfect world.0. call the help desk to see if it is receiving similar complaints. Reconnect both ends of the network cable and check to see if the cable has Protocols 183 . Finally. neither one will be able to determine the correct speed. and it’s up to us to resolve the ensuing problems. Reboot the computer. our first step should be to answer one simple question: What changed? Many times.1. Using a line tester. Rebooting the workstation shouldn’t make the problem worse. Use PING to test connectivity. Next. 2000 By Steven Pittsley.

The results will show each hop that the ICMP packet takes to reach the destination address. which is TechRepublic’s site. move a couple to a different device and see if the problem goes away. A failure on any of these devices should pinpoint the problem. Here are some troubleshooting tips that can help you isolate the problem and restore connectivity to your users and systems. If that is successful. the workstations may regain connectivity after being rebooted.80. try using a different computer on the “bad” network connection. determine if all the devices in the closet are powered on. PING the network equipment from the affected area. take a moment to verify the other settings. Use TRACERT to test connectivity. such as a remote server or an Internet address. you should have no doubts about the configuration of the network card. to check the route to TechRepublic.160. Finally.233. or 208. As described in the previous section. Use WINIPCFG to release/renew the IP address. A localized power outage is a common cause of network failures. Finally. Reinstall the network drivers. but older clients will be unable to do so. Install a new NIC. If you use TRACERT from a working area and then from the non-working area. the differences may help you pinpoint the problem. Try a different computer on the same network connection. A failure of any of these devices should pinpoint the problem. use TRACERT to quickly test the network devices from the affected area to the Internet. If you are unsure of the IP addresses of various network devices. Department or area connectivity problem When one or more segments of a TCP/IP network lose connectivity. not one that has been sitting on the shelf for the past six months. the problem usually lies with the network equipment.PING various locations on the network. followed by a device on the other side of the gateway. you would type TRACERT 208. are both routes the same? If they aren’t. so that you don’t introduce new problems into the already fuzzy equation. Select an Internet address. Releasing and renewing the IP address lease can eliminate problems with a particular address. type TRACERT and then the IP address. Second Edition . A failure of any of these devices should pinpoint the problem. While the WINIPCFG screen is displayed. For instance. PING the default gateway. Use TRACERT to test connectivity. Start by PINGing a workstation on the same network segment as the non-working client. determine if all the data jack numbers are connected to a single network device.160. can go bad. then look to the nonfunctional computer to resolve the problem.4. At a command prompt. NetWare 5 clients will be able to reconnect automatically. use the handy command-line utility TRACERT. Next.49.19. First.19. Network cards. such as 192. Using a laptop is probably the easiest method. Install a brand- new card. which is Novell’s home page. PING the default gateway. like any other device. Reboot at least one workstation. If the outage is brief. If you don’t know whether the issue is a computer problem or network problem. If they are. but you can also borrow a nearby computer that is not in use. 184 Administrator’s Guide to VPN and Remote Access. look for error lights on the switch or hub and confirm that the network feeds are securely connected. Reinstalling the network card driver will allow you to start from scratch with the network software. followed by a device on the other side of the gateway. If the other computer works normally.49. After doing this. Try to PING the switch from a workstation located in the affected area. Collect a few data jack numbers and head to the communications closet. Check the wiring closet.

you normally won’t have many problems with it. Protocols 185 . Check the wiring closet. you should never overlook the obvious. Ask someone from the wide area network (WAN) team to confirm that the device is configured correctly. If so. Verify that other protocols are working correctly. determine whether one of them is having a problem or if they both have similar problems. Here are some tips to help you troubleshoot these problems and restore network service to your users or systems. check for a link light on the hub or switch port. Look for error lights on other ports and verify that the network feed is securely connected. Because an entire area has been affected. Verify the line speed. However. However. Are all network cards having problems? If the file server has multiple network cards. This is not always true. Check the patch cable and reconnect both ends to ensure the connection is good. Verify that all the settings in these two boot files are correct. If your network contains segments with differing speeds. unloaded. if you’re not receiving a signal at the server. Make sure that the network card bindings and configuration are correct. While it’s normally rare to find your server unplugged from the network. reload the driver. Using SET commands from the console. then you can begin to look toward a TCP/IP configuration problem. many of the wiring closets are also well secured. Before doing so. try another port. Check the network signal. File server TCP/IP problem Once TCP/IP is configured and working on a file server. An operator or cleaning person could accidentally disconnect the network connection and not even realize it. You might also try a different port on the network device. If one is working and the other one is not. Check CONFIG. Since most servers are in a secured area. it’s possible that someone has made changes to a router or network device. If you don’t have a link light. use the line tester to verify the speed of the connection. Switch ports can accidentally be forced to a slower speed and network cards can be configured incorrectly. Using a line tester. If you aren’t receiving a signal at the client.Verify any router or network changes. head for the wiring closet. Verify that the network card has a green light to indicate that a network signal is present. but it is very rare to see a network card unable to pass a single protocol. Next. or changed. unbind the protocol from the network card. head for the wiring closet. It is rare for both network cards to physically fail at the same time. Things to consider. occasionally something is changed and problems arise. verify that it is working correctly. If the connection is made through a leased line. Was any software recently installed on the file server? Has the server gone down lately? Why was it down? Press the up arrow key to scroll back through many of the recent commands that have been executed and look for something to be loaded. or even try a different network device altogether. Check the physical connections. and bind the protocol back to the card. If your file server is running IPX or another protocol. Someone may have recently changed something that is causing the problem you’re facing. set.NCF and AUTOEXEC. verify that the new device is working correctly. check the configuration of the failing card. verify the physical cabling from the communications closet to the wall jack. Verify bindings and network card configuration. contact the provider’s support desk to verify that the device is working correctly.NCF for changes.

x includes a nifty utility called TCPCON. The IP Packet Forwarding field should be set to Router. we do not live in a perfect world. Install a new network card. This is especially true if the connections are of long duration or over very long distances. You’ll be taken to a new screen that shows the route that the ICMP packet took to reach the destination. Administrator’s Guide to VPN and Remote Access. Choose an IP address from a distant router or the Internet and at the server console type: IPTRACE <IP address>. To stop the log. A NetWare server’s IPTRACE utility is very similar to TRACERT. followed by the default gateway and a device on the other side of the gateway. From the server’s system console screen. TCPCON can also be used to verify the IP Routing Table. or cable modems. PING the local loopback of the file server to verify that the TCP/IP stack is working correctly. Use IPTRACE to test connectivity. The console screen should immediately start scrolling TCP/IP information. Putting the “private” in virtual private networking Apr 12. But as we noted earlier. you can issue the RESTART SERVER command. If this test is successful. Reboot the server. Use TCPCON to gather TCP/IP statistics. PING a device that is on the same segment as the server. Using the NetWare server’s PING utility. DSL. On a NetWare 5 server. and the reason is obvious: The ability to connect to a private LAN by “tunneling” through the public Internet provides both convenience and cost benefits. but they should provide you with a good starting point. enter: SET TCP IP DEBUG = 1. MCSE V 186 irtual private networks (VPNs) are growing in popularity. These troubleshooting steps may not solve all your connectivity problems. Because of the impact that this solution will have on your users and systems. or to link to the sites of partners or customers. Intranet and extranet VPNs can be used to connect corporate offices at different locations to one another using a dedicated connection. and you shouldn’t see any packets being DISCARDed. including ones that might be working and currently in use. enter: SET TCP IP DEBUG = 0.NLM. 2001 By Debra Littlejohn Shinder. This is called an access VPN. A failure on any of these devices should pinpoint the problem. Verify that the server is not discarding TCP/IP packets. If you determine that the network card is bad. you will never need to use them. You should be able to see the values in the middle of the screen changing as network traffic flows to and from the server. and can work across analog or ISDN dial-up lines. Verify that IP routing is enabled by selecting Protocol Information -> IP -> IP Packet Forwarding.Use PING to test connectivity. This will affect all your users and systems. install a new one. Hopefully. rebooting the file server should be used only as a last resort. NetWare 5. Second Edition .

and Layer 2 Tunneling Protocol (L2TP). and others—such as CheckPoint’s FWZ Encapsulation—are proprietary. Ensuring the integrity of the data— making sure that it has not been modified during its travel between sender and recipient.A great deal has been written about VPN tunneling and popular tunneling protocols such as Point-to-Point Tunneling Protocol (PPTP). such as Secure Shell (SSH).and hardware-based implementations. as there are no universal standards. What about the second part of the equation? A virtual network is useful and may save money (because a client can dial up a local ISP instead of making a long-distance call directly to their company’s RAS server). also called the encapsulating protocol. as it routes packets across the Internet. Using a tunneling protocol. PPP in a dial-up connection) travels. The tunnel is the conduit by which the data travels over the public network. but it is more commonly used to provide security for an L2TP tunnel. you must find a way to make it private. This is also called packet authentication. I will show you how VPN security works. IPSec can also perform tunneling. These tunneling protocols make virtual networking possible. A secure VPN connection provides all three of these services using security protocols. but it’s not secure. they must support at least one TIP There are many ways to construct a VPN tunnel. The authentication and encryption protocols used for a VPN connection depend on the particular implementation by the vendor of the VPN solution and settings selected by the VPN user (on the client side) and the network administrator (on the server side). Layer 2 Forwarding (L2F). This is called authentication. including: Verifying the origin of the data—making sure that the apparent sender really sent it. Security of data communications involves several issues. For a VPN client and VPN server to establish a connection and communicate over an internetwork. including both software. but it does not secure the data itself. a client computer anywhere in the world can connect to a server running the same protocol and access the entire company LAN on which the server resides (provided both are configured appropriately). Data packets are traveling across a vast public network and could be intercepted and read or changed en route. it also requires separate protocols to provide the privacy. Encryption protocols provide confidentiality. Providing confidentiality for the data— making sure that if an unauthorized party does intercept it. discuss the protocols that keep the data private as it travels through the tunnel. The key is that both the client and the server are connected to the global Internet. and address the question of “Just how safe is it to send your data through a VPN?” Components of a secure connection The tunneling process is called encapsulation because the tunneling protocol. Protocols protect privacy Just as a VPN requires a tunneling protocol to establish the virtual network. Before virtual networking can be used for sensitive or missioncritical communications. creates the tunnel through which the passenger protocol (for example. The network is virtual because there is no direct connection from the client or server. These include: Authentication protocols Encryption protocols Authentication protocols are used to validate the identity of a user or computer and ensure data integrity. Some use open source software. IP is typically the carrier protocol. Each VPN vendor can offer its own solution. Protocols 187 . it cannot be read. A carrier protocol carries the encapsulated packet. In this article. That’s what VPN security protocols are all about.

Authentication can also be provided by Remote Authentication Dial-In User Service (RADIUS). Using the public key that matches it. With mutual authentication. the process goes both ways. which is used to authenticate Shiva clients. Certificates use public and private keys (a key pair) to sign messages. allowing the hash value to be sent across the network instead of the actual password. which is an industry-standard protocol that requires clients to send user and connection information to a RADIUS server. which authenticates the client and authorizes the connection request. Two of them are user-level authentication (PPP authentication) and machine-level authentication. TIP Hashing is a nonreversible method of applying an algorithm (formula) to a string of characters. the sender’s public key is included in the certificate. TIP Digital certificates use cryptography to verify identity. User-level authentication When a VPN client attempts to make a connection to a VPN server. the client also authenticates the server to verify its identity and protect against server masquerading. VPN authentication There are different authentication levels associated with VPNs. or spoof (forge) data. Second Edition . while making it difficult for an unauthorized person to intercept. In addition. Challenge Handshake Authentication Protocol (CHAP).common authentication protocol and one common encryption protocol. The ISAKMP protocol is used to create a security association. PAP is the least secure authentication method because if an unauthorized person uses a packet sniffer (for example. the server will use a PPP user-level authentication method to confirm the client’s identity based on the user’s credentials (account name and password or smart card and PIN). alter. the VPN server must verify that the client has the proper permissions to establish the connection (this is called authorization or access control). the Network Monitor software built into Windows NT/2000) to capture the data as it travels across the network. such as a password. where the server “challenges” the remote client to supply authentication credentials. which is a version of CHAP developed by Microsoft to authenticate Windows clients. which uses plain text passwords to authenticate the client’s identity. Some user-level authentication protocols include: Password Authentication Protocol (PAP). It is called nonreversible because you cannot reverse the formula and recover the original data. Message Digest 5 (MD5) is used to hash the message. to disguise the original data. Machine-level authentication When the IPSec encryption protocol is used. the authentication of the client and server machines is done using machine certificates. Microsoft CHAP (MS-CHAP). the recipient can verify the sender’s identity. The first two are supported by Cisco’s L2F implementation. he or she will be able to view the contents of the packets and read the password. PAP is not recommended for VPN authentication. and the Oakley keygeneration protocol is used to generate and manage the authenticated keys that are used to secure the data. 188 Administrator’s Guide to VPN and Remote Access. which uses the Internet Security Association and Key Management Protocol (ISAKMP). the third is associated with Microsoft’s PPTP. Shiva PAP (SPAP). MS-CHAP v2 is a mutual authentication protocol by which both the client and the server prove their identities to one another. The sender signs the message using his or her private key.

Both ends of the connection must implement AH. The entire packet is signed (see Figure A). IPSec Encapsulating Security Payload Encapsulating Security Payload (ESP) can provide authentication. The authentication header is placed between the IP header and the TCP/UDP header on the data packet. Workstation Workstation Workstation Workstation When ESP is used between two gateways. it can still be read if intercepted. it does provide protection from modifica- tion. it is then decrypted so it can be read. The key is used to lock the data. providing authentication and integrity but not confidentiality. IPSec is described in RFC 1825. Just as a ten-letter password is more difficult to guess than one with only three letters. IP Header Authentication Header TCP/UDP Header Data Entire packet is signed AH signs the entire packet. Figure B Workstation Workstation VPN tunnel Workstation Workstation Internet VPN server (gateway) VPN server (gateway) TIP L2TP is an Internet standard. For example. The components of IPSec are: Authentication Header (AH) Encapsulating Security Payload Security associations (SAs) Let’s take a look at how these components work. IPSec was developed to add security to data that travels across a network (not only VPN connections) and is capable of providing both authentication and encryption. the more secure it is. data is encrypted only when traveling over the Internet. he or she will not be able to read the messages without access to the encryption key. and the signature ensures that the identity of the sender is known and that the data has not changed since it left the sender. The packet is signed. IPSec Authentication Header (AH) AH can provide authentication and integrity between a set of hosts or between a set of gateways. It is important to understand that AH does not provide confidentiality of data. and confidentiality of data traveling between two or more hosts or two or more gateways that have Protocols 189 . Microsoft PPTP VPNs use the Microsoft Point-to-Point Encryption (MPPE) protocol. If someone captures the data packets in transit. The specifications for Cisco’s L2F (see RFC 2341) do not specify an encryption protocol. Both implementations operate in conjunction with the IP Security Protocol (IPSec) to provide encryption.VPN encryption Figure A The data that passes through a VPN tunnel is encrypted to provide confidentiality. and the longer the key is. integrity. However. Both Microsoft and Cisco now support L2TP as the preferred tunneling protocol. a 128-bit key is more difficult to crack than a 40-bit key. When it reaches its destination. The protocol used to secure VPN data depends on the encapsulation protocol that is used to build the tunnel. defined in RFC 2661.

The Internet Engineering Task Force (IETF) has established a standardized way for this process to take place. the communicating computers create the ISAKMP SA. The computers must then authenticate the key information exchange (note that the keys themselves are not exchanged. data. Oakley protects the identities during this step. which is generated by the Diffie-Hellman protocol. Second Edition . VPNs often utilize gatewayto-gateway encryption. using two technologies: ISAKMP Oakley ISAKMP manages the security associations and negotiates the security policies. The packets will then be transmitted through the tunnel to the destination computer. data protection. data is not encrypted while on the private network (see Figure B). and the computers exchange information that allows the generation of a shared secret key. ISAKMP/Oakley is known as the Internet Key Exchange (IKE). The security association is like a contract between the sending and receiving computers (source and destination) that lays out the terms or rules for the transaction. ESP creates a tunnel to provide privacy for tunneled packets. ESP in transport mode is used to provide the security for a tunnel created by L2TP. The security association is established by a two-part process: Key exchange Data protection During the key exchange step. ESP and AH can operate in two modes: transport mode or tunnel mode. There are two because one is used for inbound communication and the other for outbound. Cisco Systems prepared IETF drafts specifying standards for IKE and made a version of IKE available at no charge via the Internet. When used in transport mode. Multiple IPSec SAs can be protected by one ISAKMP SA. IPSec security associations IPSec creates a security association (SA) to define the security services and keys that will be used to secure a communication between two hosts or gateways. In this case. The destination computer will use the inbound SA and corresponding key to verify 190 Administrator’s Guide to VPN and Remote Access.implemented ESP. the sending computer will use the outbound IPSec SA to sign the packets (to provide integrity) and encrypt the data (for confidentiality). although encryption is not required if only authentication and integrity are desired and confidentiality is not required. which protects the data while it is traveling on the public Internet. and ESP trailer are signed In transport mode. ESP does not sign the entire packet. but not the IP header (see Figure C). It protects the data. Policy is negotiated. Once the SAs have been established. The ISAKMP SA protects the negotiation. Oakley generates the authenticated keys that are used to protect the data. The packets can be encrypted using Data Encryption Standard (DES) or 3DES (also called Triple DES). In tunnel mode. only the information that is used to generate the shared “master” key). The second step. begins with the negotiation of a pair of SAs that are called the IPSec SAs (to differentiate them from the ISAKMP SA). ESP does not sign the entire packet. Policies are negotiated for the new SAs. Figure C Data and ESP trailer are encrypted IP Header ESP Header Data ESP Trailer ESP Authentication The IPSec authentication and encryption process ESP header.

Microsoft and Cisco. and calls are cheaper for users because they incur only local charges to their ISP rather than long-distance costs. I discussed how VPNs work and went under the hood to examine the security protocols that put the “private” into virtual private networking. and then the decrypted data will be passed by TCP/IP to the appropriate application. it is more often used in transport mode to provide encryption of data that passes through an L2TP tunnel. MCSE+I M uch has been written on the merits of using a virtual private network (VPN) connection for remote access and how Windows 2000’s Routing and Remote Access (RRAS) service has greatly simplified the process. Then. L2TP/IPSec. Configuring certificates for an L2TP/IPSec VPN Dec 14. and confidentiality. or router functioning as a security gateway between the communicating computers.the integrity signature and decrypt the data. However. One of the most common security protocols in use today is IPSec. however. Windows 2000 (and Windows XP) natively supports the more secure form of VPN. In this article. In this installment. as well as how to customize and maintain that connection. support L2TP and IPSec as the most secure and effective means of implementing VPNs. little has been written about how to configure L2TP/IPSec beyond saying. see “Setting up a VPN with Windows 2000” (page 53). since it allows corporations to use a persistent Internet connection rather than a bank of modems. 2001 By Carol Bailey. Many of us have mastered the use of PPTP connections for a VPN. WIN2K VPN AND RRAS BASICS For the basics on using and configuring Windows RRAS with VPN connections. Summary Security is a major concern for VPN implementations because the data passes across the public Internet to reach the private network. There are many ways to provide protection for tunneled data. proxy server.” So this three-part series will provide a step-by-step tutorial on how to get Windows 2000 Professional to make an L2TP/IPSec connection to a Windows 2000 VPN server. TIP If there is a firewall. It can even be used in tunnel mode as the encapsulation protocol that creates the virtual tunnel. “It’s more complicated. integrity. my next two articles will focus on customizing and troubleshooting L2TP/IPSec connections. packet filtering must be configured to allow the IPSec packets to go through. I’ll explain how to use the Windows 2000 Certification Authority service to achieve a connection. Unfortunately. IPSec can provide authentication. The main benefit of a VPN is cost savings. It all starts with the certificates The most likely reason that L2TP/IPSec connections fail is because of problems with Protocols 191 . along with other vendors.

you will be installing the Certification Authority service. and that IP address assignment is handled correctly. However. you may need to reconfigure it to allow the L2TP/IPSec connection through. such as using a thirdparty Certification Authority like VeriSign (which should provide its own instructions on this) or using Windows 2000 Active Directory automatic certificate deployment.) is working.) One of the best sources of information on this is Microsoft’s white paper Windows 2000 Certificate Services (http://www. If all your clients’ Internet connections must go through NAT (as opposed to having static IP addresses).asp).certificates.microsoft. Click Yes to continue and then click Next.. these services will be on a different server from the one running RRAS. go to the Add/Remove Windows Components and select Certificates Services. subordinate and issuing servers). Open UDP port 500 and IP port 50. ensure that your Windows 2000 Professional can successfully connect to your Windows 2000 RRAS server using PPTP with TCP/IP. that the user is allowed remote access. that remote access policies aren’t preventing a successful connection. For example. join a domain. a valid computer certificate is required on both the client and the server. First. If you suspect your firewall or another 192 To streamline the process for the testing purposes of this tutorial. outside the VPN environment. Administrator’s Guide to VPN and Remote Access. double-check to make sure that the date and time are correct on the server. However. Third. intermediary device (e. On the Windows 2000 Server. so IIS also needs to be running on the certification server. NAT server) may be preventing your L2TP/IPSec connections from working. There are various ways of obtaining a computer certificate for a L2TP/IPSec connection. In its default configuration. Second. This will verify that the basics of RRAS are working. and how you will secure this service. if you have a firewall between the client and server. ensure that your client’s Internet connection is not going through a network address translation (NAT) server. you need to think about the hierarchy you’ll be using (root CA. Preliminary configuration steps Make the following checks before we begin: First. the certificate lifetimes and key lengths. etc. Now. although we won’t describe the IPSec policy configuration. Configuring the Certification Authority service Deploying your own certificates with an inhouse Certification Authority requires careful planning. the computer cannot be renamed. I’ll describe how to eliminate Internet devices to confirm whether these are preventing the L2TP/IPSec connections from working.asp?url=/TechNet/ prodtechnol/windows2000serv/deploy/ 2000cert.com/technet/ treeview/default. Then. These instructions also hold good for using just IPSec on your network. (Standard advice is to take the root CA offline and physically secure it until needed.g. my next article will help. router. or be removed from one. that associated hardware (modem. because certificates are based on timestamps. The first window prompts for Certification Authority Type. Microsoft’s L2TP/IPSec implementation is probably not for you. Select Stand-alone Root CA (Figure A) and click Next. Microsoft’s IPSec implementation has known problems with NAT. This allows anyone with a Windows 2000 Server to benefit from L2TP/IPSec connections regardless of whether they’re running Active Directory or they have an NT 4. just as they should be on a production network. you’ll be prompted to configure the Certification Authority service.0 domain or even a simple Windows Workgroup. Second Edition . Certificates will be requested and issued through the Web browser. this article will describe how to use L2TP/IPSec connections by issuing your own certificates—without Active Directory— using the Windows 2000 Certification Authority service in Stand-alone mode. cable modem. we will use only an online root CA as the issuing certificate server. You’ll see a warning dialog box telling you that after installing this service.

Load it up. Stopping IIS will allow us to create the virtual directory we are going to use for deploying the certificates. and the expiration date/time. and Failed Requests. because you will need it to Figure C The newly installed Certification Authority service manually issue the computer certificate requests. Keep this console open. both client and server need to have a Certification Authority in common. so have the CD handy or have the files available locally or over a network connection). My example uses the CA Name of MyCompany Root (reminding me that this is root CA). with some defaults already in place. Fill in the other boxes with as much or little information as you desire. You should now see a warning box that IIS is running on the computer and must be stopped to proceed. Then. you won’t need to complete the additional step of retrieving the Certification Authority certificate. although you must supply a CA name. Click OK. Issued Certificates. as you can see in Figure B. Windows 2000 ships with these. and it should look like Figure C.Figure A Figure B Specifying the Certification Authority Type Specifying the CA details The next prompt will ask for CA Identifying Information. When the installation is complete. select the Content tab. The next screen is for the Data Storage Location. the validity time of the certificate (two years). There’s no need to reboot. Under the CA. click the Finish button and then click Close. The defaults are for your country/ region. all of these should be empty. At the moment. You should now have Certification Authority listed as one of your Administrative Tools on this server. If you are using one of the well-known thirdparty CAs (such as VeriSign). Keep the defaults and click Next. and Protocols 193 . and the CA virtual directory will install (prompting for the Windows 2000 source files. click the Certificates button. Pending Requests. you’ll see folders for Revoked Certificates. which refers to the certificate database and log. Configuring the systems for your Certification Authority For the computer certificate element to work. as you will see if you run Internet Explorer. choose Internet Options from the Tools menu. both need to have a computer certificate issued by that CA.

click Home or connect to the Certificate Web site again. as we did for the CA server. You should see the home page for Microsoft Certificate Services with the name you gave the CA displayed at the top. Open Internet Explorer and go to http://<CA servername>/certsrv (where <CA servername> is the name or IP address of the CA server we just set up). The workstation could complete this step when it’s on the corporate network (if it’s a laptop) or after connecting through the VPN server using PPTP (if it’s a remote workstation). this would be http://w2kca/certsrv. and unique thumbprint. The next screen should inform you that the CA certificate has been successfully installed. the fact that it was self-issued (because it is a root CA. You’ll need to complete the following steps on both the Windows 2000 RRAS Server and the Win2K Pro client machine. Click on the Install This CA Certification Path link. serial number. there is no higher server to sign this certificate). including the name you gave it. the client workstation and the RRAS server will need to connect to Figure D Connecting to the Microsoft Certificate Services Web site Figure E the CA server. This will result in a warning message asking you to confirm that you want to add the certificate to your Root Store. and other information. Retrieve The CA Certificate Or Certificate Revocation List. before you begin. we’re ready to request a certificate (the default option). as shown in Figure D. such as the time validity. Click Yes. The Choose Request Type screen will appear with the default being User Certificate Request For Web Browsing. Requesting the certificate Installing the CA certificate over the network Once you’ve installed the CA Certificate. so make sure this option is selected and click Next. select Advanced Request and click Next to display 194 Administrator’s Guide to VPN and Remote Access. as would be the case with an offline CA). Second Edition . This time. verify the correct date and time on these machines. Instead. Remember that IPSec uses computer certificates and not user certificates. and click Next. You’ll then see some information about the certificate. Again. Note that in this tutorial. as shown in Figure E. In my example.select the Trusted Root Certification Authorities tab. Instead of requesting a certificate immediately (the default option). so this default will not work for our L2TP/IPSec connection. The following page allows you to install the CA path directly from the server (possible because we are connecting to it over the network) or download the CA certificate into a file (an approach you should use when the CA server is not connected to the network. select the top option.

RRAS Server). Click Submit. Click on Install This Certificate. Ready to connect That’s it. since we know this is our certificate request. Fill this in with care. for the VPN client).g. you should now have an entry under the Pending Requests folder. The following screen will inform you that the certificate was issued. The final screen should tell you that your certificate has been successfully installed. Now you’ll be prompted to fill in the details of the certificate you require. for the RRAS server) or Client Authentication Certificate (e.. select Check On A Pending Certificate. and you will be prompted to select the certificate you requested. You must also select both Create New Key Set and Use Local Machine Store. click on Home or reconnect to the Certificate Web site again. You will need to specify an identifying name (e. it dictates the certificate’s specification in terms of its usage and security.the Advanced Certificate Requests screen. we can quickly issue it by right-clicking on it in the details pane and selecting All Tasks | Issue.. For a production environment. you don’t have to wait that long. Second.. However. it allows the CA administrator (who must manually inspect each certificate request) to identify you and check that the information you are supplying is in accordance with acceptance policies. since you are the CA administrator. Issuing a certificate from the Certification Authority The Pending Certificate request Installing the certificate Back on the server or workstation. and the Intended Purpose must be either Server Authentication Certificate (e. Accept the default selection of Submit A Certificate Request To This CA Using A Form and click Next. This time. and you can now close the browser. When you’ve completed these steps on both your client computer and RRAS Protocols 195 . you might need to change some of the other options for security reasons (e. Because it’s the only one. you’ll notice that this is where the administrator would check the identification details before issuing the certificate and use the e-mail address supplied if necessary to check or verify information.g.. the key size). and the next screen will tell you that your certificate is pending—waiting on the administrator to issue it—and that you must retrieve it within 10 days. it will be selected by default. so go ahead and click Next. but these settings will suffice for our test connection. as shown in Figure H. The entry will disappear from the Pending Requests folder and will appear under Issued Certificates.g. First. Figure F Requesting a computer certificate for IPSec Figure G In the Certification Authority console on your server. If you scroll through the details pane so you can see all the column information. as shown in Figure G.g. The information you supply here is twofold. as shown in Figure F. Happily.

The defaults supplied with Windows 2000 mean that an L2TP/IPSec connection will be tried before a PPTP connection. which you won’t see 196 Administrator’s Guide to VPN and Remote Access. The Security Policy console (under Administrative Tools) allows you to view and edit these IPSec policies. Second Edition . check the Ports listed in the RRAS console. This will include: T How the default L2TP/IPSec policies work. Figure H Because Windows 2000 automatically generates IPSec policies for L2TP/IPSec connections. Along with configuring computer certificates. How to monitor the IPSec connections. you have an L2TP/IPSec connection up and running. an L2TP/IPSec connection involves some in-depth work with the VPN settings and other configuration options. If your RAS client connects.server. If it lists a WAN Miniport (L2TP) VPN device as Active. Final word This tutorial has explained how to achieve an L2TP/IPSec VPN connection between a Windows 2000 RAS client and Windows 2000 RRAS server using the Windows 2000 Certification Authority service. How to override the default IPSec settings. you should have nothing further to do but stop and restart your RRAS service and try a VPN connection from the client machine. 2001 By Carol Bailey. automatic IPSec policy for L2TP connections. you must assign a preconfigured IPSec policy to the computers. they should have your CA root certificate installed and have computer certificates from this CA that allow them to use IPSec. However. How the default L2TP/IPSec policies work When you’re using Microsoft’s IP Security (IPSec) outside a VPN environment. by default. MCSE+I hose who are familiar with a PPTP VPN in Windows 2000 will find that an L2TP/IPSec VPN is quite similar but contains some more complicated settings and management. This article will introduce you to the more advanced approaches that will enable you to customize the security of your Win2K L2TP/IPSec connections. Installing the certificate Customize the security of L2TP/IPSec connections Dec 18. Microsoft uses a hidden. which I discussed in “Configuring certificates for an L2TP/IPSec VPN” (page 191).

By default. you’ll have to use the Netdiag Windows 2000 Support tool by typing netdiag /test:ipsec /v at the command line. these two resources are a good place to start: “IP Security for MS Windows 2000 Server” white paper (http://www. When you have a successful L2TP/IPSec connection. but it won’t tell you anything about the IPSec side of the connection. The RRAS console will tell you that an L2TP connection is being used. restart the policyagent service and then the RRAS service or reboot. If this fails. However. You can see the L2TP policy in use with the IP Security Monitor. They are the source address(es) of Protocols 197 . Look for an Active status on an L2TP WAN Miniport. It should look similar to Figure B. The default L2TP Rule policy is in use on the server when the RRAS server is listening on L2TP ports and on the remote workstation when the client tries to connect over L2TP/ IPSec. You can check to see that an L2TP connection is being used on the VPN server by looking at the Ports folder in the RRAS console on the VPN server. You’ll find them under the Current Phase 2 SAs section when you use the Netdiag command. along with their basic components. This is why there is no need to change anything on the client’s connection properties if the defaults are still in use when you try to make an L2TP connection from the client. This monitor gives you some (but not all) of the information on the current IPSec connection.in the Security Policy console.asp?url=/TechNet/ prodtechnol/windows2000serv/ evaluate/featfunc/ipsecure. it then falls back to trying PPTP.microsoft. You’ll also have this level of information recorded in your Security Event log if you have enabled auditing for successful logons.com/technet/ treeview/default. you will need to go into the connection’s Network properties and change the Type Of VPN Server I Am Calling setting from Automatic to Layer-2 Tunneling Protocol (L2TP). If you stop the IPSec policy agent on the VPN server (for example.microsoft. you’ll have to delve a little deeper. To see exactly what IPSec settings are being used. The policy filters on the VPN server are sensible ones that you probably shouldn’t change. you will delete this default policy. and you can see it only when it’s in use. and you’ll see the L2TP Rule policy. as shown in Figure A. if you need some background information. a Windows 2000 client VPN connection will try an L2TP/IPSec connection first. Figure A RRAS showing an active L2TP connection However.com/ WINDOWS2000/en/server/help/ ipsec. you might want to change this for security reasons so that only an L2TP/IPSec connection will be tried. The default L2TP Rule is automatically deleted on the Windows 2000 client whenever the L2TP/IPSec connection is terminated. It is called the L2TP Rule. To re-create it.asp) “Internet Protocol security (IPSec)” from the Windows 2000 Server Manual (http://www. If so. This article assumes that you have a basic understanding of how IPSec connections work.htm) How to monitor the IPSec connections You use some of Win2K’s standard IPSec monitoring utilities to see what IPSec settings are being used for your L2TP/IPSec connections. To see all the information. type ipsecmon from a command prompt on the RRAS server. by typing net stop policyagent) after RRAS has initialized.

However. but there may be times when this option is necessary for political reasons—for example. which is a stronger algorithm than MD5. You may be surprised when looking through the full list of 16 “offers” in Netdiag that there are more secure security methods on the list that will not be used by default because they are farther down the offer list. and you can use SHA1. However. they both have Win2K SP2 installed). having this offer automatically listed (albeit at the bottom of the offer list) may worry you because you cannot change this default offer list. so if your Windows 2000 client and Windows 2000 VPN server offer the same level of encryption (e.. you can use both Authenticated Headers (AHs) and ESP to ensure that the header information (addresses) is not changed in transit. a VPN client that doesn’t use the Microsoft default L2TP Rule may be configured with different security options. The default L2TP Rule allows the VPN server to offer 16 security preferences. Second Edition . This is not most people’s idea of a virtual private network..g. the resulting security methods used will be data encryption (ESP) with DES and Cipher Block Chaining (CBC). if you specifically want to ensure that all connecting remote clients will encrypt their data.the VPN server’s Internet NIC to any destination address and any source port from the VPN server to destination port UDP 1701. you can customize your IPSec settings to prevent the possibility that this offer will be used. (The equivalent options can be found under the Security Methods tab when using the Security Policy console. If the encryption levels are not the same on the server and the client.e.) To see all offers. the resulting policy will be ESP 3DES/CBC HMAC MD5. you should realize that connections using 3DES are slower and demand more processing on the server. The easiest way to do this is to install SP2 or to install the High Encryption Pack if you are running a pre-SP2 machine with 56-bit encryption. This matches the ESP DES/CBC HMAC MD5 in Figure B. How to override the default IPSec settings The default L2TP/IPSec policy in use You may be wondering how it is possible to use any of the other offers if a Windows 2000 remote client to Windows 2000 VPN server uses the same policy. type netdiag /test:ipsec /debug on the server. what is interesting is that (as with any IPSec connection) the remote access client and VPN server can negotiate security options that will be used for the connection. The least secure offer on the list has AHs without encrypting the data at all. the lower one will be used. together with MD5 as the chosen algorithm method. If both server and client support strong encryption (i. and if you use AH as well as ESP. when the data is being transferred in a country where encryption is banned. you will also need to open Protocol ID 51 on your firewall. both support only 56bit encryption). Because the first match between client and server will be used. both of these come with the overheads of additional processing. However. So if you want the highest encryption Figure B level on your L2TP/IPSec connections. For example. However. The first match between client and server will be used. so you can’t predict which of the 16 offers will be 198 Administrator’s Guide to VPN and Remote Access. ensure that both the server and all clients support 128-bit encryption. which always results in matching ESP with 3DES and MD5. Fortunately.

routers. For example. firewalls.. Listing A: Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters Troubleshooting L2TP/IPSec VPN connections in Win2K Dec 20. as this article will demonstrate.000 bytes. Or you can do the same on the client side so that both sides use only one offer. switches. You’ll find additional information on Microsoft’s VPN site (http://www. and you want to use DES instead. monitor.g. 2001 By Carol Bailey. add a new registry key (REG_DWORD) of ProhibitIpSec and set the value to 1 under the Windows Registry key shown in Listing A. Microsoft’s L2TP/IPSec connections usually fail for two main reasons: Problems with certificates Internet device problems (e. Summary This article has provided information that should help you understand. and use Netdiag to ensure that your options are being implemented. you may have deployed SP2 on all of your Windows 2000 computers for the security patches but do not want the extra processing of 3DES.com/windows2000/ technologies/communications/vpn/). using the SHA1 algorithm. or a desire to use IPSec settings that are different from the default. AH and ESP. Or you may want to use the strongest combination possible. you’ll need to disable the default L2TP/IPSec policy and create one manually that matches the security options you want to use.used. which are every 3. MCSE+I S etting up and managing an L2TP/IPSec VPN in Windows 2000 is quite different in many respects from working with a standard PPTP VPN. you need to configure your own IPSec policy and assign it. select the security methods you want. Make sure you also choose to rekey every so often and select your own settings for this or use the sensible defaults in the L2TP/IPSec policy. you may have good cause to change the IPSec options on the VPN server. or NAT) Other potential problems include: Protocols 199 . Make sure that you change the default authentication from Kerberos to certificates. reboot the computer. and tailor Microsoft’s L2TP/IPSec connections for a more secure VPN connection. If you decide to go this route. Use the filters previously mentioned. Because of this uncertainty. Or you may decide you don’t want the risk of potentially offering a VPN connection that doesn’t encrypt data. Next. So it’s not surprising that troubleshooting these connections also requires some unique tactics. Now.microsoft.600 seconds or every 250. To disable the default policy. You can do this just on your VPN server to ensure that only the security settings you want will be used and then let the client work through its default offer list until a match is found.

rte. mixture of cases. mixture of alphanumeric and nonalphanumeric. but you’re unlikely to get a sympathetic hearing from Microsoft if you report problems with them. don’t forget all the rules about choosing secure passwords (at least eight characters.g. and maintaining your own Certificate Authority. This article will also help if you’re configuring your custom L2TP/IPSec policy with certificates. Perhaps you cannot justify the expense of using a thirdparty Certificate Authority. If you need help setting up this policy. there are step-by-step instructions in the Microsoft Knowledge Base article Q240262. if using an in-house CA. try the steps in this article. You can confirm that it exists under Trusted Root Certificates Authority | Certificates or by checking that the computer certificate is listed and valid under Personal | Certificates. managing.com/default. However. if using an in-house CA). you can use Microsoft’s testing site (http://sectestca1. So remember that it is possible to use Microsoft’s L2TP/IPSec connections with password authentication instead of certificates.microsoft. However. instead of selecting a preshared key. But specify password authentication and type in the password you want to use. select Use A Certificate From This Certificate Authority (CA) and select the CA by browsing. “How to Configure a L2TP/IPSec Connection Using Pre-shared Key Authentication” (http://support.EN-US. This is possible only if you disable the default L2TP/IPSec policy and configure your own IPSec settings. Microsoft does not endorse using computer password authentication for L2TP/IPSec connections. If you suspect that certificates may be to blame for your L2TP/IPSec connections failing to connect. Here are a few other things to check: Verify that the date/time is correct on the client and the VPN server (and the issuing CA. we said that Microsoft’s L2TP/IPSec is not compatible with NAT. See Microsoft’s VPN FAQs 200 Administrator’s Guide to VPN and Remote Access.. Cisco’s version) because they use a different implementation.microsoft.aspx ?scid=kb. or you have a nonMicrosoft L2TP/IPSec client that is compatible but can use only passwords. you’ll have to disable the L2TP policy on both server and clients and then configure and assign your own IPSec policy as described in my article “Customize the security of L2TP/IPSec connections” (page 196). etc. To use passwords instead of certificates for your L2TP/IPSec connections. Internet device problems Check any Internet device that might be blocking the connection or changing the packets. Typically. For the Authentication Method. this will be a firewall or a NAT server but can also include a faulty switch that is occasionally corrupting packets or a router that isn’t forwarding Protocol ID 50.q240262). Alternatively.).com/) to install a computer certificate from Microsoft’s online CA. In the first article in this series. For production use. Open the Certificates console on the client and verify that the CA path is installed. Second Edition . You may decide that this is a configuration you actually want to use all the time rather than just for troubleshooting because it allows you to use L2TP/IPSec and bypass all the overheads of installing. some L2TP implementations are NAT-friendly (e.Straining server resources Interoperability with other systems Problems with certificates My article “Configuring certificates for an L2TP/IPSec VPN” (page 191) worked through an example of how to use your own in-house CA to issue computer certificates required for L2TP/IPSec connections in Windows 2000. If you still suspect that certificates may be the problem. an option to confirm this is eliminating them and using password authentication instead of certificates. It argues that it is not a secure implementation because passwords are always vulnerable to guessing and/or cracking and will be stored in the registry or Active Directory as part of the IPSec policy. One of the advantages of using your own IPSec policy is that you can change the authentication method from certificates to passwords.

more crudely. it may be a good idea to eliminate the Internet side of the equation by trying to make a VPN connection from a client machine on your LAN.com/windows2000/ techinfo/howitworks/communications/ remoteaccess/vpnfaq. the order they’ll be tried. Check my previously mentioned article on customizing security for information on the default IPSec settings that will be tried. if your L2TP/IPSec connections are not working.) Attempt to connect your newly created VPN connection. Assign the workstation a static IP address in the same range as the VPN server so that routing is not required and then make sure that you can successfully ping between the client and server. With the Microsoft implementation. either with the Performance utility running as a service or. and when. using a network card that offloads some of the IPSec processing. or disabling the default policy and specifying DES encryption instead of 3DES. Interoperability with other systems If you are hoping to use either the client side or the server with a different vendor’s implementation of L2TP/IPSec. you can’t change Microsoft’s implementation of L2TP/IPSec. so you should always connect at least two remote clients before celebrating. (This is not the default. If you discover the processor slowing down. etc. create a new VPN connection on the Windows 2000 Professional machine that doesn’t automatically dial the ISP connection first. Enable logon auditing and check the Event Viewer’s Security log for IPSec errors such as negotiation timeouts (could be lack of a valid certificate or a packet Protocols 201 .asp) for more infor- over the Internet. So. However. check for interoperability issues and determine whether they can be configured to communicate. for the data encryption—than PPTP connections.(http://www. If you have a successful L2TP/IPSec connection when connecting this way but not when you connect a similar client Straining server resources L2TP/IPSec connections consume more server processing power—specifically. chances are you can configure the custom IPSec settings to match if the defaults do not work. Next. you should have a good L2TP/IPSec connection. including adding another processor. so if the IPSec connection fails. bandwidth. it may be possible for NAT to allow one client to connect with L2TP/IPSec but not allow subsequent connections. at least you have narrowed it down to something on the client or server rather than attempting to verify all the possible Internet issues (hardware devices. It’s important to verify that the connection is an L2TP connection. you have several options. check the connection’s Status Details). If the third-party vendor’s implementation also uses Transport mode and port 1701 for the IPSec side of the connection. if your client and server are configured correctly. and the UDP port number of 1701 cannot be changed. check the Active Ports under the RRAS console. Keep an eye on the VPN server’s CPU usage. which uses IPSec in Transport mode (not Tunnel mode). which will happen by default if both client and server can support it. mation on the Microsoft implementation and how it differs from other vendors’. firewall. or on the client. Even if you’re not using NAT and think you have configured your firewall correctly (to allow UDP port 500 and Protocol ID 50). it’s time to start inspecting your Internet devices. PPTP and L2TP connections work just fine over Ethernet since all they care about is a valid underlying TCP/IP connection. you’ll need to temporarily rearrange your network so that there’s a standard Ethernet connection between the VPN server’s Internet adapter and your testing workstation. ISP services.). (On the server. If your connections still don’t work. the tunnel is never even attempted. This will be especially true if you are using strong encryption.microsoft. with Task Manager’s CPU Performance figures. To test this connection. Additional guidance L2TP/IPSec connections must establish an IPSec connection before the tunnel (L2TP). and how you can disable them and define your own policy if necessary.

This situation doesn’t pose much of a problem for our Windows NT 202 4. because the only VPN protocol supported by Windows NT 4.0 PPTP VPN client connection guide Jun 10. sometimes hundreds.com/default. too. VPN servers remove this capitalintensive hardware/telco layer and allow you to support dozens. If the company wanted to avoid long-distance charges. 2002 By Dr.0. it includes a number of features that improve the user experience and automatically adds 128-bit encryption support. The cost of installing multiple dial-up RAS (Remote Access Service) servers was compounded by long-distance charges.microsoft. The only major difference between Windows NT 4. You may also find these TechNet articles useful: “Basic IPSec Troubleshooting in Windows 2000” (Q257225) (http://support. Administrator’s Guide to VPN and Remote Access.microsoft. I also recommend that you install Internet Explorer 6.microsoft.asp) to get at least Windows NT 4. aspx?scid=kb. You can use the same procedures to connect Windows NT 4.0 VPN servers. Make a note of the actual error logged and then look it up on Microsoft’s Knowledge Base (http://support. has given you a good basic understanding of how Microsoft’s implementation of L2TP/IPSec works. aspx?scid=kb.EN-US. PREREQUISITES Before configuring your Windows NT 4.q259335) Summary I hope this article has provided some useful tips to help troubleshoot your Microsoft L2TP/IPSec connections and.0 Service Pack 6a.0 is the Point-to-Point Tunneling Protocol (PPTP). MCSE I n the not so distant past. you should install the latest service packets and security hotfixes. companies that wanted to allow road warriors access to resources on the corporate internal network had to install modem banks and multiple phone lines.being blocked by network devices). Second Edition .com/default.0 clients to Windows 2000 VPN servers. it still had to shell out for a 1-800 number. Thomas Shinder. visit the Microsoft Windows Update for Windows NT Server Web site (http://www. of remote access calls with a single VPN server and high-speed Internet connection.EN-US. You’ll find all the security hotfixes released since Service Pack 6a on this page. combined with my previous articles. The Windows NT 4.en-us.q257225) “Basic L2TP/IPSec Troubleshooting in Windows” (Q259335) (http://support.microsoft.0 VPN servers do not support L2TP/IPSec VPN links.aspx ?scid=fh.0 and Windows 2000 VPN servers is that the Windows NT 4. I’ll look at how to make your Windows NT 4.0 PPTP VPN client software.com/default.0 computers VPN clients for Windows NT 4.kbinfo).com/ ntserver/nts/downloads/default.0 computer you plan to make a PPTP VPN client. If you haven’t updated the Windows NT 4.0 VPN clients.

In the Select Network Protocol dialog box. To change this setting. use the default entry (which is 1). click the Protocols tab. In the Network dialog box. click the Configure button in the Remote Access Setup dialog box (Figure D). (Windows NT 4. Click OK. Change the setting to Dial Out Only in the Configure Port Usage dialog box (Figure E) to prevent the Windows NT 4.0 CD in the tray. On the Protocols tab. Protocols 203 . PPTP VPN clients aren’t going to connect to more than one VPN server at a time.Figure A Figure B Figure C Creating the PPTP network protocol Your first step in creating a Windows NT 4. The Add RAS Device dialog box (Figure C) will appear and display the name of the single RAS device installed on the VPN client machine. the adapter is configured to allow outbound and inbound calls. At this point.0 Workstation computer. the VPN interface is automatically configured to call out only. Figure E Configure the interface to make outbound calls only. Click Continue. you’ll see a dialog box that informs you that RAS will be installed. A Windows NT Setup dialog box will appear and ask you for the location of the setup files. or just put your Windows NT 4. click the Add button. The VPN device is now added to RAS. Figure D The network interface is available on the VPN client computer. In the PPTP Configuration dialog box (Figure B).0 Server from allowing incoming calls to the VPN interface.0 PPTP VPN client is to install the PPTP networking protocol. select the Point-to-Point Tunneling Protocol (Figure A) and click OK.0 Server computer. On a Windows NT 4.) Click OK. If you install the VPN interface VPN1 – RASPPTPM is the name of the VPN interface on the VPN client. on a Windows NT 4. This entry is used by the VPN Server to define how many virtual VPN interfaces the server should have available for VPN clients. Right-click on the Network Neighborhood icon on the desktop and click Properties.0 VPN servers support up to 256 PPTP interfaces. You can type in the path to a local or network location. Click OK to install and start RAS.

Click on Dial-Up Networking. Creating the ISP dial-up entry VPN clients typically call an ISP to establish an Internet connection before they establish their VPN link. Check with your ISP to see what type of password authentication it requires. Restart the computer to complete the installation of the protocol. Always select the I Am Calling The Internet option (Figure H). and not the WAN protocols used to contact the VPN server. The Point-to-Point Tunneling Protocol will be added to the list of protocols on the Protocols tab of the Network dialog box. Enter a name for the connection (Figure G) and click Next. Click Close. and it’s not likely you’ll bother with SLIP connections these days. Figure F Figure H Figure I You can use alternate numbers when you use an ISDN terminal adapter that uses different numbers for each line.Click on the Network button in the Remote Access Setup dialog box (Figure D) to configure the LAN protocols you want to support on the VPN interface. Second Edition . Click OK to create a phone book entry for your ISP. You won’t need to use the third option in this dialog box unless you’re using a SLIP connection. Note that these are the LAN protocols used over the PPTP link. If you have a number you need to dial to access an outside line. A dialog box will appear informing you that your phone book is empty. Click Start | Programs | Accessories. Click Next. The Server page will appear. You’ll be asked for location information. Creating RAS connections in Windows NT 4. You’ll always use TCP/IP to connect to the VPN interface on the VPN server (Figure F).0 isn’t as intuitive as it is in Windows 2000/XP. Click Close to dispatch the dialog box after entering the information. 204 Administrator’s Guide to VPN and Remote Access. Click the Continue button in the Remote Access Setup dialog box. This action brings up the first page of the New Phonebook Entry Wizard. enter that too. so let’s take a look at Figure G how you configure a PPP connection to an ISP. Enter at least your area code.

In other words. Creating the PPTP VPN dial-up entry If you use a dial-up connection to connect to the ISP. the PPTP connection rides on top of the ISP connection. The same wizard you used to create the dial-up connection creates the VPN connection. Click the New button in the Dial-Up Networking dialog box (Figure J) to create the VPN connectoid. In these cases. and cable connections. DSL. The new Phonebook entry will appear and you can use it right away (Figure J). The Windows NT 4. Click Next. These numbers are useful when your ISP gives you multiple POP access numbers.Figure J Figure K Enter the FQDN or IP address of the VPN server. you’ll need to activate that before connecting the VPN link. The only difference is that you use the IP address or Fully Qualified Domain Name for the phone number and configure the connection to use the VPN interface (Figure K). You can click the Alternates button to add alternate numbers to try if the first one fails. you’ll need to select the VPN device you created earlier (Figure L). Enter your POP access number on the Phone Number page (Figure I). Figure L Figure M Protocols 205 . you don’t need to establish the dial-up entry before firing up the VPN. You don’t need to restart the computer. click on the More button in the Dial-Up Networking dialog box’s phonebook area and click the Edit Entry And Modem Properties entry to bring up the Edit Phonebook Entry dialog box. such as T1. After you create the VPN connectoid.0 PPTP VPN client can also take advantage of dedicated links. and then click Finish on the last page of the wizard. In the Dial Using drop-down list box.

Figure N Figure O IP HEADER COMPRESSION SUPPORT Your Windows NT 4. Use Windows NT 4. The only option you need to select is Accept Only Microsoft Encrypted Authentication. The default setting is to allow IP address assignment automatically from the VPN server. Use the Use IP Header Compression option if your VPN server supports this option. the VPN client uses the VPN interface as its gateway for all non-local networks.0 VPN server supports them (Figure M). This creates the possibility that the VPN client will be able to route packets from the Internet to the internal network.0 Server does not support MS-CHAP version 2 (because it has not been updated with the latest service pack). The Use Default Gateway On Remote Network option is an extremely important one for you to understand. When you select this option. If the Windows NT 4. It’s definitely not as easy to configure as the Windows 2000/XP client. This is the most common option. Second Edition .Click on the Server tab and select the LAN protocols you want to support in the VPN in the Network Protocols frame. you’ll have solid and secure connections that use MS-CHAP version 2 for authentication and 128-bit data encryption. Typically. when the client first dials into the ISP. If this option is disabled. Click OK. 206 Administrator’s Guide to VPN and Remote Access. but your Windows 2000 VPN won’t if you haven’t upgraded to at least SP4 on the VPN client. and you’ll see the screen shown in Figure O.0 VPN Server will support this option. When the Use Default Gateway On Remote Network option is enabled. the VPN server assigns the VPN client a new default gateway. but if you need to specify a particular IP address or DNS server.0 for secure VPN connections Configuring the VPN client on a Windows NT 4. the VPN client will be able to access both the internal corporate network and the Internet at the same time. Select Enable Software Compression and Enable PPP LCP Extensions if your Windows NT 4. But once you get the Windows NT 4. which forwards all non-local packets to the VPN server. Selecting this option ensures that the PPTP VPN client uses MS-CHAP version 2 to authenticate with the Windows NT 4. Click the TCP/IP Settings button and you’ll see what appears in Figure N. select the option to specify and enter the appropriate IP address.4 installed.0 computer is more challenging than it is on Win9x computers with DUN1. which is one of the ISP’s routers to the Internet.0 Server. The result is that the VPN client cannot access the Internet once it connects to the corporate VPN. the client will fall back to MS-CHAP version 1. Click on the Security tab. the ISP assigns the computer a default gateway.0 PPTP VPN client installed.

....... If your organization is planning to invest further in its security infrastructure..................................228 High marks for Mangosoft’s VPN alternative .........................................................................................................210 SonicWALL PRO-VX provides fast............................................................................................................220 Sharing Internet access with just one IP address..230 More options for secure collaboration .....................................................................................222 Share small office broadband pipes using a Linksys router and Win2K Pro ..............224 Check Point offers integrated firewall and VPN on Linux ......CD-ROM Solutions ................................................................ VPN services on a Cisco PIX firewall................................................................................................215 Who said you can’t afford your own router? ...................Solutions The articles in this chapter highlight a handful of the available products and services designed to safeguard remote-access computing......................................................213 The D-Link DI-704 cable/DSL gateway .. you’ll want to read up on the capabilities of these products................................ simple firewall and VPN solution...........207 Eight commonly overlooked troubleshooting tips for the Cisco PIX VPN............................................................

How do remote-access VPNs work? My setup and some assumptions For this article. IPSec is generally configured to allow Layer Two Tunneling Protocol (L2TP) connections from Windows 2000 or XP VPN clients. which IKE uses to derive a secret password without having to transmit that secret password over the connection The number of seconds for which the security association will be valid (with a default of 24 hours) 207 Solutions . Couple that with the Cisco PIX firewall’s inherently strong security architecture. My PIX firewall has 16 MB of RAM with an 8-MB flash and is licensed for VPN connections.VPN services on a Cisco PIX firewall Jun 27. A little knowledge makes it easier to troubleshoot in the event of a problem and easier to maintain the service overall. I’ll use a Cisco PIX 515 firewall running version 5. which is a vendor-neutral standard that defines methods of setting up virtual private networks. I’ll focus on client-to-PIX VPN configurations. as if they were directly connected to it. IKE is an automated method that allows for additional features such as dynamic authentication.1 of the Cisco PIX management software. You can negotiate the parameters manually or via IKE. 2002 By Scott Lowe. (These operating systems come bundled with IPSec-enabled L2TP clients. Once the negotiation is complete. contact your Cisco reseller to purchase the appropriate licenses. Under IKE. I’ll assume your PIX is either up and running in production or in a working state in a lab where you can modify the configuration. For Cisco PIX installations. keys can change in midsession. VPNs are quickly becoming one of the most popular methods for allowing remote access to networks and for establishing secure connections to small remote-office locations.) IPSec operates in two steps. which raises an important point: In order to use these services on your PIX. Clients that use the VPN are able to see services on the host network transparently. VPNs go hand in hand with firewall devices. In a remoteaccess configuration. to access the VPN services as well. If it doesn’t. step two uses this negotiated security information to begin passing data. which will enable you to provide remote network access to partners or telecommuters. and you can see why the PIX is an ideal platform for establishing this kind of service. You should be able to pass traffic through the firewall before embarking upon this VPN journey. I’ll show you how to set up VPN services using your existing PIX firewall. The first order of business is to understand the protocol at work: IPSec. IKE configuration uses five parameters to define its policy: The encryption algorithm IKE will use The hash algorithm it will use The method of authentication it will use to identify IPSec peers The group identifier. About Cisco PIX VPN services The Cisco PIX VPN services are based on IP Security (IPSec). Before setting up the VPN. Using either manually configured keys or Internet Key Exchange (IKE)—which I will discuss next— step one handles the negotiation of security information between client and host. In this article. The Cisco PIX firewall supports both PIX-to-PIX and client-to-PIX VPN configurations. MCSE B ecause of their flexibility. Cisco provides a VPN client that will allow other operating systems. Cisco calls this a remoteaccess VPN. The second step is the negotiation of parameters between client and host. and NT. you’ll need to make sure your PIX software license includes VPN capability. 98. it’s a good idea to brush up on the basics of how VPNs work. In this article. such as Windows 95.

I’ll show you the configuration from a PIX running version 5. followed by a sequence number of 20.0 for the IP address and the netmask specify the wildcard nature of the command.1172. With the ip local pool vpnpool statement.0. isakmp client configuration addresspool local vpnpool outside—This command tells the PIX which previously configured pool of addresses to use and which interface will be using them. A transform set specifies one or both of the IPSec security protocols.16. ip local pool vpnpool 172. These transform sets come into play during client negotiation to determine what protocol the PIX will use to protect the VPN traffic. which defines the transform set to be used with this mapping. ISAKMP stands for Internet Security Association and Key Management Protocol and is one of the security protocols IKE supports.) isakmp key keyname address 0.16. which is a 56-bit encrypted security protocol. set transform-set. For the purposes of this article. you’re ready to set up client VPN services on your PIX. which is essential if you are to support remote users.0—This command configures the PIX to use a wildcard. isakmp policy 10 authentication preshare—This command assigns a priority of 10 to the policy statements. which uses the MD5 hashing scheme for encoding. One of the primary functions of this command is to specify a dynamic map named Cisco. Second Edition .255—This command creates a local pool of addresses named vpnpool.2. I’ll use the PIX command line. crypto dynamic-map cisco 1 set transform-set myset—This command allows you to support secure connections with Setting it up unknown clients. Other than that.1(2) of the software. The only parameter I’ve changed is keyname. The keyname defines the authentication key to share between the PIX firewall and the VPN client. crypto ipsec transform-set myset espdes esp-md5-hmac—This command creates a transform set named myset. crypto map dyn-map 20 ipsec-isakmp dynamic cisco—This command specifies a map name of dyn-map. we previously configured the vpnpool address pool to range from 172.2. and esp-md5-hmac. crypto map dyn-map interface outside— This command tells the PIX which interface to use for the previous command.255. I’ve also tested this configuration on a new PIX 501 firewall running version 6.1. The ipsec-isakmp parameter indicates that the PIX will use IKE to establish IPSec security associations. The 0. My configuration uses esp-des.0. and it also allows incoming IPSec packets to terminate at the outside interface.0. For this configuration.2. a sequence number of 1.0. which allows remote clients to access services on the network behind the firewall. The dynamic keyword tells the PIX to add the dynamic crypto map set to a static crypto map. sysopt ipsec pl-compatible—This command allows IPSec to bypass the firewall’s NAT settings. Note that I’m not including my entire PIX configuration but only those commands required to get the VPN services up and running.16. isakmp identity hostname—This command sets the isakmp identity for the firewall. isakmp enable outside—This command tells the PIX which interface to use to enable isakmp negotiation for IPSec. sysopt connection permit-ipsec—This command changes the system options to allow IPSec connections.0.1 to 172. using the 208 Administrator’s Guide to VPN and Remote Access. shared key. These addresses will be used for VPN clients.1(2) of the PIX firewall management software. Cisco is the name of this map.Now that we’ve covered the basics. followed by the only required parameter.0.16. (The other two are Oakley and Skeme.0 netmask 0. this is a complete configuration for a fully functional Cisco PIX-based VPN. as well as the algorithm to use for them.

the PIX is to use preshared keys. which enables the 1. This application will allow you to set up a connection to your host VPN server if you provide it with the information requested.5.600 seconds). Diffie-Hellman is the first published technique for public key cryptography and asymmetric encryption and is based on the difficulty of calculating logarithmic values. The messages simply inform you that Microsoft has not verified the drivers.isakmp policy command.cisco. If defined as preshare. isakmp policy 10 lifetime 1000—This command specifies how long each security association should stay valid (ranging in value from 120 seconds to 84. If you have a service contract. isakmp policy 10 hash md5—This command specifies the hashing algorithm the PIX will use. you’ll need to allow for the possibility of unknown clients in the configuration. isakmp policy 10 group 1—This command (group 1) tells the PIX to use the 768bit Diffie-Hellman in the IKE policy. which will enable the PIX to use triple DES encryption for the IKE policy instead. you just need to log in to the site to download the software.cisco. The actual software installation is straightforward and asks you the standard Microsoft installation questions. rather. deal with the error messages by choosing Continue Anyway when the messages come up. The current version of the Cisco VPN client is 3. assuming you have a current Cisco Service Contract (http://www. which can be either md5 or sha. an organization can provide secure remote access to almost any internal equipment. Use careful planning and strong keys The client A VPN is a powerful tool.com/register/). The other option is to specify 3des. If you don’t. such as the one provided by Cisco for use with the PIX. isakmp policy 10 encryption des—This command tells the PIX to use 56-bit DES encryption. I don’t recommend doing this. Cisco provides a VPN client for just this purpose. You can set the authentication subcommand to either preshare or rsa-sig. rsa-sig tells the PIX to use RSA signatures. To install the client. double-click on the installation file. The other option is to specify group 2.1 and is available for download from the Cisco Web site (http://www.com/). Once it does so. as well as provide potential client users with an appropriate client. Any keys you use should be strong enough to withstand brute-force attacks. your system may ask to reboot. If you install the client onto a Windows XP workstation. run the client by choosing Start | Programs | Cisco Systems VPN Client Files | VPN Dialer. you can configure your existing Cisco PIX to provide these services. As we’ve shown in this article. After the installation is complete. Once you’ve set up the VPN services on the server. you’ll get a message indicating that you should change your driver signing settings to avoid error messages during the installation. Solutions 209 .024-bit Diffie-Hellman technique. you’ll need to purchase the client or use the version that came with your PIX. you need to allow clients to connect. With a VPN. but you’ll need to do your homework to get the lay of the land before you start. When configuring a client VPN system.

that’s the only answer at present. As with NAT at the client. which provides encryption and optional authentication. which is a requirement for this scenario. and 192. but the PIX ignores it because neither the PIX nor Cisco’s IOS support UDP pass-through. MCSE he Cisco PIX stands on the market as a high-end appliance that offers a number of solutions. Because of the scale of the PIX appliance. troubleshooting such a VPN can be very difficult. you find that the users who are able to connect are being assigned routable addresses from their Internet service providers. you can make use of Point-to-Point Tunneling Protocol (PPTP) connections to a server set up to accept PPTP connections behind your firewall. make use of network resources. You must allow the following traffic past the router: UDP port 500 is the port that IPSec Internet Key Exchange (IKE) uses to negotiate a connection.168. To make it work effectively. you must make sure that certain types of traffic can get past the edge router to their destination: your PIX firewall. In this article. and many of your users are able to connect to the services and 210 Another problem that can occur at the client side is when the client is behind a firewall and attempting to use Edge Services Processor (ESP) over UDP for negotiation. Unfortunately. refer to your router documentation. UDP client problem NAT at the client Suppose you’ve completely configured your PIX for VPN capability. but those who can’t connect are being assigned RFC 1918 addresses. One such solution is that of remote access via VPN. One method of achieving a PPTP connection is to use the Windows 2000 Server Remote Access Services.Eight commonly overlooked troubleshooting tips for the Cisco PIX VPN Jun 14. which provides authentication services for the VPN connection.x. which is used by the PIX VPN services. (RFC addresses are those in the 10. TCP and UDP port 50 passes Encapsulating Security Payload (ESP) traffic. which will provide the required connectivity. 172. Unfortunately. so when Cisco releases an update to the Cisco PIX code. TCP and UDP port 51 passes Authentication Header (AH) traffic. Administrator’s Guide to VPN and Remote Access. this problem should be fixed.x ranges. I will identify eight of the most commonly overlooked problems with your PIX-based VPN and suggest some possible solutions for each.x. Note that ESP and AH require both TCP and UDP ports for proper operation. T An edge router is in the way Many organizations use routers with access control lists on the Internet connection to provide an added layer of security to the internal network. 2002 By Scott Lowe. This can even occur with firewalls that don’t use NAT.x.x. which is not IOS. So some features for one won’t work in the other.x. Until Cisco corrects this problem. The newest Cisco VPN client has support for this feature. At present.) Therein lies the problem. This is because the Cisco VPN Concentrator product does support ESP/UDP connections and both products use the same client. Second Edition . If you need to make these modifications on your edge router. Upon further investigation. but others aren’t. one possible workaround is to use PPTP instead of ESP over UDP. Bear in mind that PPTP is not as secure at L2TP/IPSec. the Cisco PIX code. The UDP check box is present in the current version of the Cisco VPN client even though the PIX doesn’t support this feature. that added level of security could also mean that your new PIX VPN doesn’t work as it is supposed to.16. The Cisco VPN client does have a check box to allow UDP for ESP. IKE allows you to decide whether or not to use automatic key management via Internet Security Association and Key Management Protocol (ISAKMP) or manual configuration to set up a VPN.x. doesn’t support NAT with IPSec.

0 Incoming client IP address pool—VPN client subnet 172. While these programs provide great security.Cisco expects to support ESP/UDP connections in IOS 12. Listing A access-list outbound permit icmp 172. You can verify this with the following commands: access-list vpnclients permit ip 172. However. You’re able to establish a connection to the PIX and even get an IP address The PIX error logging capability is invaluable for troubleshooting problems. disable the software and try to connect to the VPN.0 Solutions 211 . If it works. because it places an additional load on the processor and can disrupt its normal operation.255. leave the software enabled.X mask 255. they are unable to browse the network. especially VPN problems. The crypto map statements in your PIX firewall configuration set up your IPSec parameters.1.0 any any access-group vpnclients in interface outside This creates an access list that allows all IP traffic from the 172. make sure you’ve installed the Client for Microsoft Networks on the remote system.0 Suppose you’ve installed the PIX client software on a remote system to allow your remote clients access to specific network resources. you may not have reapplied the crypto commands to the applicable interface.0 172. Also. If it doesn’t. look at your firewall and make sure you’ve allowed the WINS ports—ports 137 to 139—through your firewall. if possible.16.16. including key exchange. the mapping must be reapplied using the command crypto map mapname interface outside (where mapname is the actual name of the defined map).255. If it works.2. this debugging mode should be used only when you encounter a problem. The PIX interprets this mistake as an attempt to spoof addresses. and you receive the error message IPSEC(ipsec_encap): Crypto Map Check Deny.2. However.16.0 255.255.0 255.16.16. you must enable Internet Control Message Protocol (ICMP) packets through the firewall. they can also interfere when trying to connect via a VPN. Client firewalls Many users have installed programs such as BlackICE or Norton Internet Security on their home computers. These users may also need to browse the network to find the resources they need. Listing A shows a sample access list statement that will accomplish the above.0 255. Internal LAN pool—Internal network IP addresses 172. The example below shows you two IP address pools: the internal LAN pool and the pool of addresses used to assign IP addresses to incoming clients.14. One possible cause could be that your IP address local pool statement on your PIX contains addresses from your internal network.16. Changes to the crypto map statements result in error messages Error messages? Clients connect but can’t ping network resources Suppose you’ve set up your PIX VPN and are attempting to establish connectivity to your internal network. Remote clients are unable to browse the network from the pool of addresses you’ve set up for VPN use on the PIX.255. If you’ve set up a new VPN connection to either support a different set of users or a new site-to-site VPN. Before you even look at the firewall configuration. test your VPN connectivity.255. You can also open specific ports on a service-by-service basis for additional security.1. but currently there are no concrete plans to support it in the PIX.0 network and binds the access-list to the outside interface.2.255. Then. you can’t ping any devices on your internal network. you’ll need to disable the software while using the VPN. to ping through the PIX.255.X mask 255.2. Each time you either modify an existing crypto map statement or add an additional one. Before disabling this security software. It’s best to limit what you debug and try to do it at a period of low activity. However.

) Displays errors that prevent a PPP tunnel from being established or errors that cause an established tunnel to be closed. (The show version will show you the security associations related to IKE. show uauth Displays the PPTP PPP virtual interface AAA user authentication debugging messages. CRYPTO)! %Error in connection to Certificate Authority: status = FAIL CRYPTO_PKI: status = 266: failed to verify CRYPTO_PKI: transaction GetCACert completed Crypto CA thread sleeps! Troubleshooting the PIX VPN services can be troublesome at times. (The show uauth command displays current user authentication information. I have listed both commands in Figure A. which are responsible for performing encryption and decryption. Displays messages about events that are part of normal PPP tunnel establishment or shutdown. CI thread sleeps! Crypto CA thread wakes up! CRYPTO_PKI: http connection opened msgsym(GETCARACERT. Show command show crypt ca cert debug vpdn error debug vpdn event debug vpdn packet 212 Administrator’s Guide to VPN and Remote Access. These are updated with new releases of the Cisco PIX operating system. Debugging command debug crypto ca debug crypto engine debug crypto ipsec debug crypto isakmp debug ppp error debug ppp io debug ppp uauth Description Displays debug messages exchanged with the Certificate Authority.) Displays protocol errors and error statistics associated with PPP connection negotiation and operation. The commands from Figure A are also critical in the troubleshooting of the PIX. show vpdn session Displays active L2TP/L2F sessions. show vpdn pppinterface Displays PPP interface status and statistics.) show crypto isakmp sa Displays messages about IKE-related events. If you run across a particularly perplexing problem. you’ll see the output on the console or on a syslog server—a UNIX server set up to listen to incoming syslog messages to UDP port 514— depending on how your PIX is configured. Second Edition . any problem can be resolved. or to their discussion forums (http://forum. Displays L2TP errors and events that are a part of normal tunnel establishment or shutdown for virtual private dialup networks (VPDNs).com/ eforum/servlet/NetProf?page=main). you may want to consider turning to the Cisco Technical Assistance Center for more help. When you use a debug command. If all else fails… Table A: Each debugging command may not have an equivalent show command. (The show command will show the current settings used by security associations. By reviewing these commands. show vpdn tunnel Displays information about current L2TP/L2F tunnels in VPDN. This output indicates that there was an error at some point in the configuration related to the certificate authority. The PIX also provides the ability to view the information related to many of these areas. you can see that the PIX provides a number of ways to monitor VPN services. you’ll see a sample output from a PIX VPN server.The debug command syntax varies depending on what you’re debugging. Displays the packet information for the PPTP PPP virtual interface. Displays debug messages about crypto engines. Table A shows the available debugging commands related to the VPN on the PIX.cisco. which I find particularly helpful. show crypto ipsec sa Displays IPSec-related events. Below. but with some of these tips and the use of the debug command.

the data stream coming down the T1 to the central office router was twofold. Most features can be easily configured through tabbed menus on the main configuration page. The SonicWALL even includes default firewall rules that allow you to get started immediately. The device chosen by the client was the SonicWALL PRO-VX firewall VPN appliance. The client already had in place a rather elegant VPN solution for LAN-to-LAN connectivity. content filtering. In this network. simple firewall and VPN solution Apr 15. with one interface carrying Internet traffic and the other interface carrying interoffice traffic from remote LANs. Network design options Firewall features The designers of the SonicWALL PRO-VX provided for flexibility in configuration of the firewall and its connectivity options. By default. If you use NAT. our design was a bit more complex because of the client’s existing VPN. ease of configuration is inversely related to its level of security. it is simple to set up the SonicWALL. All users automatically have access to the VPN when their accounts are created. This was possible in part. 2002 By Robert McIntire A recent network project that I worked on combined several elements that made it worthy of documenting. The SonicWALL has several varied and sophisticated features to provide advanced protection for networks. It provided for firewall protection and VPN connectivity. you simply insert the firewall between your Internet router and internal switch. meaning it would provide all the protection the company would need for its private network. setting up the SonicWALL PROVX is quite simple. and DMZ—and a GUI interface for software configuration. The SonicWALL solution is ICSA-certified. With Ethernet interfaces. which was designed by their ISP. The T1 serial interface was logically split at the Cisco router into two subinterfaces. It’s a good thing that ease of In most networks. configuration doesn’t equate with ease of compromising. WAN. antispoofing. rather than a mix of external and private LAN traffic. But this was only a starting point. it blocks NetBIOS broadcasts. and change the default gateway at the workstations to point to the LAN interface of the firewall. In fact. had a certain level of ease in the management category through a Web-based configuration utility. which had been customized by the ISP. I will tell you how we set up the VPN and firewall quickly and easily. and secure remote management. In this article. with the SonicWALL. The next phase of the project was to implement a firewall/VPN solution for network security and remote user access. However. Of course. and among other things. The designers have gone out of their way to make installing and managing this box as simple as possible. Some of the other features provide for distributed denial of service (DDoS) protection. All users have access to the DMZ. With only three Ethernet interfaces—LAN. SonicWALL has simplified the SonicWALL PRO-VX so that: All users on the internal LAN are allowed access to the external network via the WAN interface. because you can configure the SonicWALL to perform NAT or not to perform it. It was our good fortune to work with a device that gave us the options necessary to successfully implement such a design.SonicWALL PRO-VX provides fast. which is essential in a Windows-centric desktop world. the WAN interface of the SonicWALL is publicly addressed and can be hit directly from Solutions 213 . you would normally expect any traffic entering the WAN interface of the firewall to be external.

we assigned the 192.2 Router(config)# access-list 101 permit 51 any host 200. because its address.1. I’ll be heading right back to the SonicWALL.200. We physically connected the firewall in-line between the WAN and LAN with the WAN port connected to the routers’ inside Ethernet port and the LAN port to the local switch.5. This was a nice touch that really simplified the configuration. A fast. With no public address on the WAN interface.1. but it helps to know that they are available for use in demanding environments. However. had been mapped to a legal IP (200. you might wonder how the VPN clients connect to the SonicWALL.2 Router(config)# access-list 101 permit udp any host 200. At this point. The VPN clients could then access the SonicWALL.5 200. this poses a problem. I know that if I’m ever in need of another fast VPN fix. Once we had the ISP insert MX and WWW records for the domain. This address was advertised on the Internet using a static NAT map statement on our Internet router. But sometimes. which then handles NAT.210. simple solution Suffice it to say that this was the quick and easy way to get the client up and running. Keep in mind that our network design is a little out of the ordinary.200.200. since we have private LANs on both sides of the firewall.1. Other static mappings were inserted at the router to map mail and Web traffic from the router’s T1 interface to the appropriate servers on the internal LAN. we left the Cisco router configured for NAT. Some of the steps we took aren’t usually recommended by SonicWALL or most network administrators. Second Edition .168. For security pur- The SonicWALL automatically inserted new access rules to allow IPSec traffic through. we used a separate. 192.210.168. because it required the least amount of change to the existing network configuration. private subnet address allocated by the ISP.the Internet. because the WAN port doesn’t get a public IP address unless you want the SonicWALL to handle the NAT function.200. the WAN interface simply passes outbound traffic to the Internet router.2 eq 500 214 Administrator’s Guide to VPN and Remote Access. VPN configuration on the firewall Router configured for NAT In this design scenario.200.2) on the Cisco router. To make this happen. we applied an inbound Access Control List (ACL) to the outside interface of the router to allow only IPSec tunnel traffic to this VPN-specific address. If you don’t use NAT. Listing A: NAT and ACL statements Router(config)# ip nat inside source static 192.210. poses. The NAT and ACL statements are shown in Listing A.210. as it had been previously.210. quick and easy solutions are a consultant’s best friend.0 address from the LAN subnet to the SonicWALL LAN port and the router Ethernet port. we had one public IP address assigned to the external router interface for connectivity to the Internet and another public IP address dedicated solely to remote VPN client access via redirection.2 Router(config)# access-list 101 permit 50 any host 200. which mapped all IP traffic from this address to the LAN address of the firewall. we were up and running.168. In this case.

Linux does this efficiently and well with lowend hardware. located on the server. you should spend under $100. such as the Linux Router Project. Linksys. 2001 By Vincent Danen he Linux operating system has long been used as a firewall system because it has the flexibility and capabilities to perform both excellent firewalling and routing. Because I run a consulting business that provides domainhosting solutions. The Windows 98 machine used a native firewall product. The cost for all of this? Realistically. Many people have wondered about these products and where they might fit into their network.The D-Link DI-704 cable/DSL gateway Jan 18. I have two desktop machines and one laptop. Until now. While powerful routers such as those from Cisco have always been available. The D-Link DI-704 The D-Link DI-704 is a switching gateway that provides four 10/100 Ethernet ports. Recently. I had a few computers to protect. You can even get away with not having a hard drive and using one of the many Linux-based floppy distributions available. You may already have a Linux machine acting as a dedicated gateway for your firewall and might be wondering why an appliance such as this would be of any interest. Because of this. The rise of these appliances is due to the greater availability of high-speed Internet access through ADSL and cable access. With Linux. you have an efficient firewall to protect your sensitive LAN. I have relied on separate firewalls for each machine. All three computers run Linux-Mandrake. or it can connect to a PSTN/ ISDN network via the COM port. Two of those machines are DNS servers as well. but on the machine itself. so each computer had a firewall installed. Finally. and D-Link have released a number of firewall/gateway appliances for home users. such as 3com. And for that. I have three computers that must be accessible by the public and four that should not be. being ever security-conscious. they are quite expensive and not at all ideal for the home user. I decided to set up the three servers in a DMZ. One of the desktop machines runs Windows 98. but it has worked for me so far. which is cheap enough for the home end user to afford. or Demilitarized Zone. and they provide a number of other services to the general public. It can handle cable and DSL modems via an RJ45 port at the back. protecting your internal network from outside intrusion and providing IP masquerading and routing capabilities that will put your entire LAN on the Internet with a single IP address. many companies. and a 486 machine with about 8 MB of RAM. All three act primarily as Web servers and e-mail servers. as well as the speed with which I installed it. It’s not a large network. However. two network cards. On the inside. much less of benefit. to you. I’ll also give you an overview of the features and configuration of the appliance. Here’s a brief rundown of the features as described by D-Link: Protection of your computer from intruders Shared cable/DSL modem Solutions 215 . T The network Let me first describe the network into which I needed to insert this product. and I’ll explain the benefits of such an item. but it’s larger than that of the average home user and a little more complex. you can transform your old 486 computer into a powerful gateway computer. also at the back of the device. I recently purchased a D-Link DI-704 cable/DSL gateway. There has been a surge of firewall appliances aimed at home users and small businesses. The three servers are quite secure despite the lack of a removed firewall. This was not an ideal situation. So in my scenario. and protect the rest of the LAN with the D-Link gateway. I have one internal print server that also runs LinuxMandrake. I decided to take steps to further protect my LAN. while the other two machines run Linux-Mandrake. All you really need is a small hard drive. My network includes three server machines that need to be accessible by the outside world.

and the D-Link Web site sells it for $149 U. I connected the three servers and the DI-704 router into the hub. Second Edition . I don’t mind saying that this setup bothered me. and were quickly up and running. At this point. the subnet mask. Using this router.Firewall Easy-to-set-up Web-based configuration Broadband router Four-port Ethernet switch External modem port Web-based management Advanced security features Quite a nice little feature list. but because I needed those IP addresses for the other machines so that I could have more than one SSL-enabled Web site available. and I assigned another static IP address to the router. My computers were then plugged directly into the switch and shared the Internet directly. so the downtime on those servers was less than five minutes. Because of this. which is 192.168. or you can allow the gateway to act as a DHCP server as well. which included the static IP address. so I went into the TCP/IP properties and deleted the existing settings. I decided to use the Windows machine to do this. First. It also sells a single-port edition. Configuring the DI-704 Next I had to reconfigure my TCP/IP settings on the local network. The only annoying thing I found about this product was that the four Ethernet ports were located at the front of the box instead of at the back.S. I connected my ADSL modem to a D-Link DE-809TC 10-MB hub. where I had my DMZ. so to speak. It was slow to load. I connected my DSS-8+ 10/100 switch into the DI-704 router. Not so much for security reasons.0. The two devices are relatively similar in the look and size of the appliance itself and the number of Ethernet ports for the internal LAN. an older hub I used when my network was only 10 MB. The cost of the D-Link DI-704 was $230 Canadian. and the DNS settings. I could free up three of those IP addresses for that purpose. but once it was back up. Since the three servers do not talk to each other very often. I had my ADSL modem connected to a D-Link DSS-8+ eight-port 10/100 switch. And since my local network would be able to connect to those computers with only a 10-MB connection anyway. for $99 U. I decided to reuse some old hardware and save myself some money. since each SSL-enabled Web site requires its own IP address. called the D-Link DI-701. I needed to configure the gateway. The three servers had an open road to the Internet. I could fire up Internet Explorer and point it to the default IP address of the router. however. I chose to use the older 10-MB hub for the DMZ instead of purchasing another 10/100 switch for a simple reason: The uplink port on the DI-704 is only 10 MB because you will never find (yet) a residential cable or DSL modem that will give you greater than a 10-MB Ethernet connection. the value of a 10/100 switch is negligible. The time it took was the time I spent plugging everything into the various hubs. I could not easily hide my network cables. Each of the three servers retained their old static IP address. but once it did load. and I connected the computers belonging to my internal LAN into the switch. having a 100-MB connection between them would provide no greater performance than a 10-MB connection. as only the three machines would be able to connect to each other at 100 MB. the network was connected the way I wanted it. Since I had only four computers behind the firewall. I had to reboot the computer in order for the settings to take effect. and since I would be sharing printers and hard drives among them. I decided to assign each computer a static IP address.S. so each machine had its own IP address and was reachable through the Internet. it greeted 216 Administrator’s Guide to VPN and Remote Access. but this is more of an aesthetic problem than anything else. Hardware installation Previously. My ISP provides me with seven static IP addresses. due to the limitation of the uplink port. the gateway address. The D-Link gateway gives you two choices: You can assign each machine a static IP address. Because of this. This time. although that was definitely a factor.1.

Make sure it is something good and something default setting. you can have 100 computers you will remember. Once you’ve ing range at 2 and your ending range at 254. Configuring the operating commit your changes. If you enable the DHCP administrator password.configure the IP address on each computer me with a nice Web page and asked for an behind the firewall.1 and you kept the default settings. you should save all the had wanted to.11 with a subnet mask of the LAN.168.168. to use them all you ing up a terminal would set your startdialer. I gave Windows a new static IP address. Opening a DHCP server for the internal LAN.x.1. In my case.5. If you enable DHCP.x addresses. you can begin to conYou cannot use 1 because that should be the IP figure the rest of the appliance. I means that you can use the DI-704 for very receive static IP addresses from my ISP. up to that maximum of 253 use DHCP with your provider.168. I also modified the LAN IP address to suit my needs. which shows you the internal and external IP addresses of the gateway. and you cannot use Now click the Setup link. you’ll need to 217 Solutions . You can also define The first screen you will see is the informaa domain name for the LAN. The maximum number of computword are annoying at ers that can be sitbest and involve The DI-704 is more than just a simple ting behind the pulling out a null firewall is 253. You can a full network of 253 computers connecting to each other at 100 MB. click the DHCP link. I was at the main configuraaddresses for the IP pool. your internal the firmware revision number and the MAC LAN would be assigned an IP address between address. you also define the WAN subnet mask. The steps to reset the pass.running behind the gateway. you needn’t worry about assign. I gave it ing static IP addresses to each computer on 192. On this screen. below it in such a way that you can easily have There is not much of a difference. the WAN gateway. Once you’ve finished with these settings.5. procommit all your changes permanently. But you can freely use any IP address IP address for the external connection.5. By default. so I large networks if you wish. you’ll This high number of available addresses want to leave it at the default. close your browser. and modem cable and firgateway and firewall product. quite scalable and useful for many networks. but if you disable it.168. systems Next.100 and 192. If you have necessary to make further use of the gateway a dynamic IP address.1 if I At this point. Click the Tools link. way has four 10/100 switching ports.168. so you can 192. This is viding you use a static IP address. address for the gateway. these tion screen. and changes and return to the Tools settings. Once you’ve rebooted the gateway will automatically determine this gateway.1 to 192. Because the gatechanged the WAN type to static IP. where you Since I had done all the work using Windows. you can define the starting and ending default password.5. After entering the server.100. including 10. This means that tion screen.0. changed the password. I determine whether the DI-704 will also act as decided to configure Windows first. which most addresses. In this case. start at 100 and end at 199. the DHCP client in the with your settings.the TCP/IP properties.5. If you in between. Click the Reboot button to reboot the gateway and the primary and secondary DNS servers.5. I could have just ranging from small to large.168.x. information from the DHCP server of your ISP. as well as if you chose a LAN IP address of 192. but I try to avoid the defaults as much as possible. With this change the default administrator password. you can connect any number of 10/100 switches changing it from 192. as easily made the IP address 10. residential cable and DSL services do.199. where you must 255 because that is the broadcast address for indicate whether you have a dynamic or static the LAN. This makes the DI-704 also use other private network classes here.

168. that these ports will be available and open to all machines behind the firewall even though only one computer at a time can use the application.1/. If you find that you cannot connect to any sites on the Internet— or even to your LAN or the gateway—try issuing ipchains –F to flush all of your ipchains rules. gateway. however. Our DNS information hadn’t changed.0. Here you can forward certain ports to various machines. If you run Apache and plan to use it for an intranet Web server. In my case. it will ask you if you wish to perform the actions based on your changes.255. The IP address may differ in your settings. You can also use it to open up a series of ports to a particular machine. if you have the DI-704 serving the IP addresses. you’ll need to change the manual IP address to a DHCP address and leave the IP address. Note that you cannot have the same port forwarded to different machines since you can specify only one IP address per port.5. Finally. Please note. you should be able to ping an outside machine. In my case.0. you should be able to connect to the Internet without a problem. You may also want to issue /sbin/ifconfig just to ensure that your settings are correct. you can specify up to 10 ports to forward.5. you’ll be able to define special applications. Again. If you tell linuxconf to activate the changes. Second Edition . you needn’t change anything here. I’ve found that some versions of linuxconf do not properly reset the settings when you tell it to activate the changes. You may also want to rewrite or remove some of your ipchains rules. tell Windows to obtain the IP address automatically. On both machines. If you enabled the DHCP server on the DI-704. you’ll need to connect to the new address). if you have the gateway serving the IP addresses. Finally. you can have only one machine doing Administrator’s Guide to VPN and Remote Access. Linux is just as simple to reconfigure. You can use the convenient Well-Known Services button to inject certain ports into the configuration.5. you might want to edit your /etc/smb. If you did not. You’ll need to connect to the local IP address of the gateway again (if you changed it. when you return to the command line. Then go into Networking | Routing And Gateways and enter your new gateway address: 192. I used the linuxconf tool and changed the previous static IP addresses to 192.255. Once you do this and enter your new administrator password. I also forwarded port 113 to the Linux machine for AUTH connections. the DI-704 is more than just a simple gateway and firewall product. Once you exit linuxconf. or you can specify your own port ranges.255. Internet games. go to the DNS tab and enter the DNS servers you wish to use. or DNS. go to the Gateway tab and enter the IP address of the gateway. but the subnet mask will remain the same.x and changed the subnet mask to 255.168.168. The only steps left are to change IP addresses anywhere you may have previously defined them. allowing you to use special programs such as video conferencing.168. and I forwarded port 21 for FTP to the same machine. Again. For example. For instance. And that’s it! You should now be able to connect to the outside world through your DI704 gateway. When it comes back up. subnet. reboot Windows once again. If you click the Special AP link. I now must connect to http://192. This allows your machines behind the firewall to be reached via certain definable ports. and you should be up and running. and DNS information blank. so we left that alone.conf file if you use Samba.255. You can use the special Popular Applications pull-down list to copy a series of ports to one of the five definable IDs. I forwarded port 22 to my primary Linux workstation to allow SSH access into the LAN. such as FTP.1. in my case. Remember. The first items you’ll see are the Virtual Server settings.5. it was 192. I found 218 that on one machine I could not connect to the Internet because my ipchains rules were dependent on the old IP address. Advanced DI-704 configuration Now you may want to set up some of the advanced configuration options. you’ll need to change your IP address there as well.1.255. HTTP. These settings are available under Networking | Host Name And IP Network Devices. or your /etc/hosts file. and so on that require multiple ports. click the Advanced link.

and if you are interested in the one-port model.com/products/broadband/di704. This option allows you to configure the gateway from a remote IP address. The first is the address of your DMZ host. With this. And while it may cost more than a Linux-based alternative on old hardware. Other gateway appliances that cost less act as a simple hub. the Web server embedded in the application listens to port 80 on the internal IP address. any computer can make use of it. Conclusion The D-Link DI-704 is. print out all your settings and retain a hard copy. having three servers. Under the Access Control link. read about it on the D-Link Web page at www. you can restrict certain groups of IP addresses from being able to access certain outbound ports. if you so desire. in terms of long-term costs. I strongly suggest you leave this setting disabled. The total time it took me to configure my LAN was perhaps half an hour. Indeed. Unless you have a pressing need to allow this. This capability is useful only if you have one server that needs open access to the Internet. a gem.video conferencing at a time. in my eyes. For more information on the D-Link DI-704. you can define two important settings. providing they know the administrator password. Some ill-behaved appliances may wipe out your settings when you attempt to upgrade the firmware. it’s slightly more expensive than some other similar solutions. If you want. it took me longer to write about it than it did to configure it. you can read about it on its own home page on the D-Link site at www. the benefit is worth the additional expense. Also. Solutions 219 .0. you can define access control for the internal network making outbound connections. the DI-701. One product that apparently suffers from this problem is the Linksys cable/DSL gateway product. and the router would allow all connections to any port on that machine. With this simple appliance. You could restrict all machines behind the firewall or just a specific group from using applications such as telnet and FTP. As I’ve pointed out in this article. When you enable it. there’s no firmware upgrade for the DI-704. Finally. which is what the DMZ allows. One final piece of advice: Once you have everything configured the way you want it. Here you would enter the local IP address for that machine. The final option on this page is the Remote Administrator Host. All in all. it isn’t very useful. Enabling this setting allows a point of entry into your gateway security. In my case.0. but there is for the DI-701. you’ll save on energy consumption since the power usage of this appliance is far less than the power requirements of a computer.dlink. When this is disabled. but the fact that it provides four switching 10/100 ports is worth the cost if performance is important. it will listen to port 88 on both the internal and external IP addresses but will allow connections only from the specified host on the external IP address. so it isn’t as restricted as with the Virtual Server settings. under the Misc Settings link. you could connect your cable or DSL modem directly to the router and have one machine behind the firewall act as your Web server or e-mail server. you don’t have to deal with a complete operating system if anything does go wrong. A quick hard copy “backup” of your settings will save you some time in the unlikely event that this happens to you.dlink. At this time. then any host on the Internet can connect to the server on port 88 to configure the gateway. but if you define the application here. If you leave the IP address set to 0. com/products/broadband/di701. this is a wonderful piece of hardware. which is why I opted to use the 10-MB hub between the ADSL modem and the DI-704 to establish my gateway.0. without the benefit of switching ports.

since it costs less than $200. All that’s required is a cable or DSL modem and highspeed access. I had to use the @Home workgroup name and a unique computer name supplied by the ISP. If you ask me. the EtherFast Cable/DSL Router uses DHCP to feed 192. installation and configuration is a snap. as shown in Figure A.99 and $179. I might add. firewall. Outpost. Beautifully. Network+.com got it to my door in about 12 hours.x addresses to the LAN setup behind it. respectively. and the freedom to use whatever domain or workgroup naming convention I want behind my firewall. In an effort to save processor cycles. Second Edition . at a national brick-and-mortar chain.168. the chief benefit of these EtherFast routers is that they let you share a single IP address among multiple computers. How’s it work? You can configure WAN and LAN settings using a browser interface. a 100-Mbps switch. and eight-port versions. the Linksys four-in-one devices are marketed as Instant Broadband EtherFast Cable/DSL Routers. The biggest benefit The official scoop Officially. the biggest benefit from the router is the fact that I gain a firewall for my “always on” connection. They are available in single-port.x. Figure A If you believe the marketing. and switch services. Assuming you have network adapters in each of your machines. As I hadn’t been using DHCP. In fact. MCP+I. The Linksys device features an easy-to-use yet powerful browser interface.Who said you can’t afford your own router? Nov 3. It took me nine minutes to get the Linksys up and running on my test LAN. However. I’d turned off many Windows 2000 services. The router is simple to configure. That’s particularly handy if you’re using a broadband connection at home. but I’ve tested it. Linksys makes a line of routers you need to check out. including overnight delivery. 2000 By Erik Eckel. Not too shabby.99. corrected it. And that was five minutes too long. 220 Administrator’s Guide to VPN and Remote Access. and it works. Imagine your own LAN feeding off a single device providing router. imagine that device in use on your home LAN. The new eight-port version retails for approximately $230. Then. I was unable to connect to the Internet. and voilà: I was up and running. MCSE H ere’s a cool tool you might not be able to do without. Previously. I discovered the stopped DHCP service about five minutes into the install. If you’re preparing for certification exams or wanting to test network and server configurations from the comfort of your own home. But I was able to purchase my fourporter online for less than $155. No more. The single-port and four-port versions retail for $129. it had been turned off. too. four-port. gateway. I know it sounds too good to be true. When these values were changed.

If you’ve built a small LAN for testing software and practicing for certification exams such as the one shown in Figure B.168. You’ll find each offers similar features and technology. the four-port EtherFast router can support up to 253 users. you can configure port forwarding. and they can talk to one another 10 times faster. I’d had two machines set up using a plain vanilla 10-Mbps hub.Previously. but I haven’t had a chance to try them.” Other options Similar routing devices designed for cable and DSL applications are available. Solutions 221 . but knowing you can should make you feel good about using it with three or four test machines.168. Your other options include the following: Netgear’s RT311 and RT314 Netopia’s R9100 SMC Networks’ SMC7004VBR Expect to pay $150 on up for any of these models. Figure B 192. and IPSec connections.100 Laptop This sample LAN configuration uses the Linksys EtherFast router.102 Desktop One Using the device’s uplink port and hubs you supply.1. You can also elect to place one of your machines outside the firewall as a “DMZ host.1.101 Desktop Two EtherFast Cable/DSL Router 192. and it was getting hit daily by port scans and port probes. you’ll find the Linksys a welcome addition.1 ISP-provided IP address Internet 192. Only one had Internet access.1. It sports traditional RJ-45 jacks and supports both dynamic and static IP addressing. Using the Web-based interface. PPPoE. they’re secure from hacker attacks. You probably wouldn’t want to put that many users behind it on a cable or DSL connection. as all of them rely upon Network Address Translation (NAT) to extend Internet access to additional machines using a single IP address purchased from an ISP. Now both machines boast Internet access.

As illustrated in Figure C. MCP H aving a constant. you can customize the software to suit your needs. shown in Figure A. but what if you need a simpler. Compared to the price of a Linksys hub. by enabling me to look at the IP addresses. As many of you know. Just load SyGate on your point of Internet access computer. status of SyGate server.Sharing Internet access with just one IP address Aug 8. For about $30. Second Edition . Let’s take a closer look Linksys Cable/DSL Router Linksys has made a device called the Linksys Cable/DSL Router. it’s now possible to make this dream a reality. shown in Figure B. SyGate is fairly inexpensive. SyGate's main console uses the familiar Windows tree design. Thanks to new products available from Linksys and Sybergen. network information. It’s set up using the familiar Windows collapsing/ expanding folders tree design. The left pane describes the Internet access computer complete with computer name. The log list is a particular favorite of mine. the next thing on your wish list might be to have multiple computers in your home all sharing this high-speed access through one IP address. allows me to see where the users of these computers have been surfing on the Web. and it’s easily configured. that distributes Internet access with a single IP address. SyGate allows multiple computers to access the Internet using one IP address. for around $100. and it will do the rest. From this screen. 222 Administrator’s Guide to VPN and Remote Access. 2000 By Matthew Mercurio. SyGate’s concept is simple in design. cheaper solution? Introducing SyGate Sybergen’s SyGate product does almost the same thing as the Linksys Cable/DSL Router but is completely software-driven and is considerably cheaper. Configuring SyGate The configuration process is fairly simple. This is great if you have that kind of budget. where the entire configuration takes place. you can have three computers connected to the Internet. The maximum number of computers you can connect using SyGate is 10. After getting this type of rapid access to the Web either through a cable modem or a DSL Internet connection. the log list displays all the computers on the network and. and log list. you can purchase this hub to distribute your access throughout your home. planning how to handle Figure A Figure B This is the Linksys Cable/DSL Router. For about $189 retail. SyGate comes with a main console. its interface is straightforward. lightning quick connection to the Internet in our homes is an appealing idea for many of us.

Figure D SyGate vs. SyGate comes with the ability to either do static IP addressing or issue IP addresses via its own built-in DHCP server. firewall. your decision could come down to how large a Solutions 223 . Once that decision is made. Figure C Other nice features Using SyGate. there are some additional devices—such as a small hub. If you’re a parent and are concerned with your child accessing the Internet when you’re not home. SyGate also requires you to place an additional NIC in your point-ofaccess computer. for example—that you have to buy. Linksys There are a few things you need to know about SyGate before you decide to buy it.the computer addresses is a big part of any network implementation. The Linksys Cable/DSL Router does not. router. but it is an additional purchase. the rest is relatively easy. When choosing between Linksys and SyGate. when comparing SyGate to the Linksys Cable/ DSL Router. SyGate allows you to see where the users on your network have been surfing. comes with a hub. Another minus is that since SyGate is completely software-driven. you are sure of having your needs met because both the Linksys Cable/DSL Router and Sybergen’s SyGate are great products if you want to have several computers sharing Internet access through the same IP address. One drawback is that SyGate does not have its own built-in firewall. this is a great feature. The software also comes with the ability to put a password in place so none of the configurations can be changed. The DHCP module can be configured just like any other DHCP server. First of all. The DHCP configuration page lets you issue IP addresses. and the distribution software built in. The Linksys Cable/DSL Router. on the other hand. No matter which one you choose. you have the ability to ban certain IPs from accessing the Web. In addition. In the final analysis budget you have or how sophisticated you need to be. Figure D shows SyGate’s DHCP configuration page. Deciding on static or dynamic IP addresses is all you really need to do. some of the shortcomings of Sybergen’s product become clearer. Sybergen does offer a firewall product. you can automatically disconnect idle machines from the Web after a specified amount of time. the process is the same for both a business and a home network. With SyGate.

MCP+I. For less than $230. One holds the RJ-45 EtherNet connection to the WAN link.16 x 1. local or remote browser-based administration. Network+. including port security and packet filtering Switching services at 100 Mbps Gateway services. the Linksys EtherFast Cable/DSL Routers provide the following advantages: 224 Your first step The first thing you’ll want to do is ensure you have a data circuit boasting sufficient bandwidth to share. Configuration is fairly straightforward. shown in Figure A An eight-port version (model number BEFSR81) Figure A The Linksys four-port EtherFast Cable/DSL Router device looks like this. In addition to providing routing services. Other benefits include DMZ hosting (the ability to place a machine outside the firewall). Linksys EtherFast Cable/DSL Router features If you’re supporting a small office or branch location where you wish to share (or must share) a single broadband Internet connection. Ultimately. T Firewall services.0 and Windows 2000 Smart Applications. You could go with less if you’re supporting only a few machines. It is used to add more systems than the eight physical ports support. 2000 By Erik Eckel. using an internal IP address range (192. At a minimum.y) The units require only a small amount of desk or shelf space.88 inches.168. It’s important to remember that your LAN connections will be only as fast as the cables and network interface cards (NICs) that you use on your network.31 x 6. I’ll show you how to configure small office or branch office systems to work with such devices. you can deploy one of Linksys’ multifunction network devices quickly and efficiently. In this article. let’s quickly review the device’s features. Another port serves as an uplink connection to a hub. all three versions support up to 253 machines using a single Internet IP address. including port forwarding DHCP services. Several items must be in place. This port supports speeds of up to 10 Mbps. and support for PPPoE (Point-to-Point Protocol over Ethernet). The other eight ports support 10BaseT EtherNet or 100BaseTX Fast EtherNet ports for LAN connections.Share small office broadband pipes using a Linksys router and Win2K Pro Dec 18. All three of the devices can be used with a hub. Second Edition . but first. the data transmission rate will be constrained to 10 Mbps by the NIC. you’ll want to ensure you can make use of these features. If you’re using a 10-Mbps NIC in one machine but 100BaseTX cabling and hubs. The device’s footprint measures 7. the Administrator’s Guide to VPN and Remote Access. support for WinSock 2. The eight-port hub includes 10 RJ-45 ports. you’d want a DSL or cable connection supporting a couple hundred Kbps. Further. Linksys’ cable and DSL routers can do the trick. Before deploying a Linksys router. The device is available in three versions: A single-port version (model number BEFSR11) A four-port version (model number BEFSR41). MCSE he Linksys line of EtherFast Cable/DSL Routers can rescue you from small office networking jams.x. SNMP-enabled internal user access filtering.

You’ll also need to know a few other IP addresses. you’d want to run the /SBIN/IFCONFIG command to identify your Internet IP address. bandwidth you’ll need is dependent on the applications your users run and their needs for remote resources. you should be subscribing to a business-based plan. don’t be surprised to find a copy of TurboLinux bundled with your router. that’s the only difference versus configuration with a static IP address. but transmission speeds are slower) connecting it to the EtherFast router. Many ISPs serve up Internet IP addresses on consumer plans using DHCP. Solutions 225 . Internet access. Write them down. you’ll then receive a static IP address. WORKS WITH LINUX. don’t sweat it. In the event you’re using a DHCP-provided Internet IP address. It’d probably be best to print the addresses out. If you’re using a cable or DSL service for business. etc. In fact. however. You can do so in Windows 2000 by selecting Install. and selecting Internet Protocol (TCP/IP) from the resulting menu. TIP The TCP/IP listing may not appear. Let’s look at how the router is configured when using a single. and then enter it using the Linksys Web interface. e-mail. Each system will also need a category 5 drop (you can use category 3. Next. If you’re still stuck using a Windows 9x machine. since that’s what most small businesses are likely to use. which I’ll cover in a moment. If that’s the case. you can open an X terminal. TOO The Linksys cable/DSL routers work with Linux as well as Windows. Using Linux. In most cases. Secure an IP address You’ll need to reserve an Internet IP address for the Linksys router. Protocol. check all the systems that will be connecting to the EtherFast Cable/DSL Router to ensure they possess functioning NICs. static address. Alternatively. run LINUXCONF.Figure B You must configure each system’s networking settings. Figure C You must specify that an address be obtained automatically. go with WINIPCFG /ALL. learn your IP address. and review the system’s network settings using that interface. at the least. There’s a single check box to be toggled. you’ll have to install TCP/IP. should you purchase one. You can usually run an IPCONFIG /ALL command from a Windows 2000 (or Windows NT) command prompt.

you’re ready to plug in the power supply for the Linksys unit. This action opens the Network And Dial-up Connections applet. You’re ready to begin the software phase of the setup process. You should start by powering down the systems you wish to support via the router. After your machine boots. In case you experience trouble. Right-click the connection you wish to use and select Properties. you’ll plug the additional systems into a hub you supply and the hub into the uplink port. ensure the Obtain An IP Address Automatically radio button is selected. which will prevent the Linksys device from responding. The connection in this example is named Linksys (Internet).Linksys EtherFast Cable/DSL Router hardware setup The router’s setup is surprisingly easy. excellent documentation describing a quick installation is included. Your hardware setup is now complete. 226 Administrator’s Guide to VPN and Remote Access.1. as shown in Figure C. You’ll have to wrestle that IP address back for use by the router (at least until you can access it to change the Linksys device’s default internal IP address). The administration software is Web-based. we’ll use a system running Windows 2000 Professional. If you’re using more than eight (with the eight-port model). Select Internet Protocol (TCP/IP). and click Properties.1 address. After plugging your broadband modem into the router. Make sure you start fresh by depressing the router’s reset button. From the Internet Protocol (TCP/IP) Properties box. A proxy server could have already taken the 192. ensure you’ve turned other Internet sharing proxy services off. select the network connection you wish the router to use. From this applet. In this case. right-click My Network Places and select Properties. as can be seen in Figure B. plug all your systems’ category 5 cables into the router’s RJ-45 ports. Next. System configuration Figure D Figure E You must enter a valid user name and password to configure the router. Second Edition . TROUBLESHOOTING TIP If you can’t access the Web administration tool.168. Click OK twice to close both boxes. Start by powering up one of the systems you’ve connected to the router. You’ll need to keep it depressed for three seconds.

check it. Click Apply. Linksys includes the default value to be entered. Next. Linksys includes the password you must enter the first time you access the Web-based administration tool. By that. I recommend you change it the first time you use the router. Enter the domain name you’d like to use. you’re on your own. you can leave the LAN IP Address entered as is.168. Remember I mentioned earlier that it’s easy to set the router itself to request an IP address? All you need to do is select the Obtain An IP Address Automatically radio button under WAN IP Address. Just be sure to also provide the required user name and password. It requires that the router’s password be entered. Enter the name you’d like to use for your router in the Router Name box. Check with your ISP if you’re not sure. I mean they’re not unique to the World Wide Web. you can enable it. If you’re using PPPoE. and you’re finished with the basic setup.) If not. I recommend you specify an alphanumeric password that’s not related to any of the following: Your birth date Kid names Your address Pet names Your anniversary Hackers try those first. Most likely. As I mentioned earlier.1. choose something others wouldn’t be able to easily guess. you should also change the default password.1. The next thing you see should be the Linksys Setup screen. Select the Enable radio button and specify the first internal IP address the DHCP service should start with when receiving a request. I’ll show you how to do that a little later. Enter the password you wish to use. Change the default password Check your configuration Once you’ve specified the configuration you’d like your router to use. or private. Click the Password tab on the Linksys router’s Web administration tool to reveal the screen you see in Figure F.1. hence the blocked-out addresses.z IP addresses are not Internet IP addresses. and your ISP’s DNS servers.y. Reenter it and then click Apply. double-check to ensure your system’s DHCP service hasn’t been stopped. These values would have been provided when you executed the IPCONFIG /ALL command on the Windows 2000 Professional machine earlier. Unless an internal naming scheme already in place interferes. This is not. Select the Status tab. Don’t forget to specify the total number of DHCP addresses the router should provide. The next thing you need to do is select the DHCP tab within the Web-based software configuration tool.168. Instead. Fire up a browser and enter the following address: http://192. the IP address for your system but the IP address of the router that you’re now configuring. Next. This address range has been preserved for internal.x. or provide the new entries you’ve specified.1 The 192.Linksys EtherFast Cable/DSL Router configuration After you reboot your system to trigger the changes. Enter the values Linksys provides. enter the IP address you wish to use or that you’ve been assigned by your ISP. you’re ready to set up and configure the router. Click Apply. Change the password setting the first time you use the router. and click OK. Don’t make their day. You may not need to provide any values at all. of course. It’ll display the following: Solutions 227 . It should read 192. I don’t want to encourage hacking it. shown in Figure E. The password setting is easily changed. (While I trust the router’s firewall. you’ll want to enter a static IP address. you need to specify the subnet mask. Select Specify An IP Address instead. default gateway. After that. Don’t think there aren’t freaks searching for these routers and trying the default security account settings in an attempt to get in. You’ll be greeted with the screen shown in Figure D. use.

will send a DHCP request to the router. Such integration sets C Check Point apart from both commercial Linux firewall suites and open source security alternatives. 2001 By Todd Underwood heck Point FireWall-1 is the 800-pound gorilla of the commercial firewall industry. Distributed security Check Point divides the implementation of its network security policy into three components: a graphical interface for administration (see Figure A). WAN MAC address The Status tab also provides access to a DHCP table. Then. FireWall-1 is further enhanced with integrated VPN functionality that’s easy to deploy and manage. Hackers will be able to see the router but not the systems behind it. sophisticated. These DNS servers will fulfill name translation services. Have at it Figure F Once you’ve specified the settings you wish to use on the router and configured all your clients. a management server that stores 228 Administrator’s Guide to VPN and Remote Access. Second Edition . The router. so the systems behind the router will be able to access the Internet using their internal IP addresses. It lists all the systems that have received an internal IP address from the router and displays the systems’ host names and MAC addresses. should you wish to review it. will provide DHCP addresses to the systems. you’re good to go. in turn. the systems will be able to contact DNS servers. knowing the address of the router.Router name LAN MAC address LAN IP address LAN subnet mask LAN DHCP server status WAN IP address WAN subnet mask WAN DNS servers Firmware version PPPoE status Clicking the provided DHCP Clients Table button prompts a pop-up screen to appear. Your systems. They won’t even know the router’s there. The table also lists the DHCP address each machine is using. Check Point Software Technologies has ported its popular. and relatively easy-to-administer firewall to the Linux platform. Isn’t that the way it’s all supposed to work? Use the Password tab to access the security account settings. when booted. Check Point offers integrated firewall and VPN on Linux Oct 24.

Most popular firewall packages implement similar technology for tracking connections. Darren Reed’s IP Filter package for various versions of BSD UNIX and the new iptables software for Linux are examples of firewalls that use stateful Figure A Check Point’s GUI displays security policies and provides a simple mechanism for installing them on a gateway. Otherwise.security policies and logs. If the traffic is unfamiliar but allowed. With stateful inspection. This kind of scalability is why many large organizations with extremely complicated networks—GTE Internetworking. you may want as many as four enforcement points. In smaller implementations. two more to satellite offices. such tight integration makes VPN setup much easier by providing a common interface for both firewall and VPN administration. you must still develop a single security policy on your management server. Virtual private networking Check Point offers the most effective integration of VPN and firewall functionality we’ve seen. a new entry is created in the list of existing conversations. it is blocked. blocking or allowing traffic where appropriate. FireWall-1 blocks traffic by means of technology that Check Point calls stateful inspection. If a packet is part of an existing conversation. network conversations already underway. Check Point supports clientto-network VPNs through its SecureClient and SecuRemote applications. one for each connection. suppose you have several wide area network (WAN) connections: one to the Internet. and another to a business partner’s network. Check Point claims that its stateful inspection technology is more sophisticated because it builds state—entries in the list of network conversations—by taking advantage of much more information from HTTP and other protocols higher in the network protocol stack. In general. This terrific infrastructure facilitates affordable telecommuting. You can then install the applicable parts of that security policy for each of your enforcement points. most firewalls perform a similar combination of functions—storing. and an enforcement point—a network gateway that actually implements that policy. Stateful inspection describes traffic according to who initiates the connection. implementing. Check Point examines it and compares it to the set of existing. These two add-on packages are Windows-based apps that let users connect their systems to the firewall network through an encrypted network tunnel to access services on the network. the management server resides on the same box as the enforcement point. Check Point’s approach is unique in that it lets you define more than one enforcement point. and allowed. it can pass. and logging violations of a security policy. and other traffic can be allowed or denied based on existing connections. Check Point’s VPN-1 is merely an encryption add-on to FireWall-1. SecureClient offers the Solutions 229 . for instance— use Check Point for their security needs. In addition to supporting network-tonetwork VPNs. In a case such as this. It also lets you apply security policies to traffic in the VPN—a task that’s nearly impossible when using a separate VPN concentrator located inside a firewalled perimeter. How FireWall-1 inspects traffic packet filtering. To accomplish this with Check Point. For example. and the traffic can pass through the firewall. you can specify rules more easily than you can with basic packet filters. As traffic arrives at the firewall.

Installing and configuring the products will involve some study and a fair bit of planning. cumbersome to manage. and a bit costly. and Solaris). Check Point is unmatched on the Linux platform. A 25user license for FireWall-1 (standalone with built-in management console) costs roughly $4. Protected devices can include print servers. Bottom line Licensing Check Point is one of the only firewall vendors that licenses its software based on the number of protected devices (IP addresses for In porting Check Point FireWall-1 and VPN-1 to the Linux platform. And in case you’re wondering. with discounts for larger numbers of licenses. The Check Point Command Center Enterprise Management Bundle lists at approximately $25. internal interfaces that are visible to the firewall). but it’s also often described as hard to deploy. and a year’s worth of upgrades. support. this is more of an annoyance than a serious hindrance. all traffic is still subject to the rules that are in place. and alerts are sent to the administrator on a regular basis. which includes software. and which users at which client workstations should be allowed to administer the firewall. virtual Web hosts. During installation.added advantage of protecting a workstation from attack so that remote users’ computers cannot become platforms for attacking a company’s network. If you exceed the license maximum. However. or you can install everything on a single server. HP-UX.000. VPN-1 costs about $500 more. it supports only Windows and commercial versions of UNIX (AIX. sensitive corporate documents—is a risky business if there are no safety measures in place to secure the transmission. You can also specify how many nodes to protect. currently. We were somewhat disappointed that Check Point’s GUI does not run on Linux. Then you identify the external interface and specify the security policy that should be in place while the firewall is booting. You cannot add new rules. it’s important to note that Check Point FireWall-1 and VPN-1 are not for the faint of heart. Installation Once you understand Check Point’s security model. However. and routers (along with all of the machines on a company’s network). Second Edition . however. Administrator’s Guide to VPN and Remote Access. Check Point’s text-based configuration program. But for organizations that believe they can benefit from a scalable management infrastructure and integrated VPN functionality. this market-leading security company lends significant credibility to Linux as a viable security platform. The SecuRemote add-on is free. You run a text-mode script that installs some RPM packages and runs cpconfig. High marks for Mangosoft’s VPN alternative Dec 4. 2001 By Brian Hook E 230 veryone knows that e-mailing data over the Internet—specifically. installation is a fairly simple process. you can choose to install a distributed configuration (with the enforcement point and the management server separated). it is not legal to hide IP addresses behind a proxy server or network address translation (NAT) device to circumvent the licensing scheme. The virtual private network (VPN) is routinely cited as a great mechanism for secure file sharing via the Web.000. since any network large enough to warrant a Check Point firewall is likely to employ Windows-based workstations. SecureClient costs $100 per seat. Pricing for FireWall-1/VPN-1 depends upon the number of licenses purchased.

based in New York. According to a cost analysis review by eVision Technologies. an e-business consulting firm.100 a year for recurring maintenance associated with VPNs. According to one VPN expert. and it can be implemented without traditional VPN hardware and maintenance costs. it is synchronized with everyone else. NT. cost-effective solution According to Mangosoft.994 with Mangomind vs. “The data is all kept in sync.” he noted. which provides information services to business customers. MA. The firm estimates that one year would cost a company $2.” said Baber. Mangomind is clearly much less expensive than building a VPN. believes its technology. Mangosoft’s CTO. services provider. “A VPN is required for that. And when they make modifications. said he was very surprised to hear that many executives are still e-mailing critical data without a VPN or fileservice product. That cost difference also does not take into account the additional $5. If you can postpone a ‘build it’ decision. user authentication. But that doesn’t diminish its value.580 with traditional VPN equipment. Mangosoft supports Windows XP. erases those deployment and maintenance headaches and provides a simple and cost-effective alternative for providing secure collaboration outside today’s firewalls. Cost savings can be a critical factor Not a security cure-all technology Yet Davis admits that Mangomind can’t completely replace a VPN. using Mangomind for one year would be nearly one-fifth the cost of a VPN.Mangosoft. and the software automatically synchronizes files if a user is disconnected and then reconnects to the Internet. in Newtown. who recently participated in several VPN focus-group efforts. “It’s just hard getting enterprises to switch over to a secure sharing approach. Solutions 231 .” noted Davis. and file access controls. to choose Mangomind. 95/98. it also doesn’t require extensive end-user training.” he added. $15. said the auto-synchronization feature is valuable. Mangomind is designed for businesses that frequently collaborate with partners. Security features include end-to-end 128-bit encryption of transferred and stored files. and they just don’t think. It really opens a liability if you are sending confidential financials. “We delayed making a decision about building a VPN until Mangomind came along. It’s a file service and nothing more than that. as the file service is still regarded as an important tool. even though it is insecure. For example. And. do so. principal consultant at Salamone Research.” says Salvatore Salamone. “Mangomind is really a best-of-breed file service. A simple. PA. the Mangomind Business Internet File Service is a good VPN alternative that CIOs should consider. But Mangomind is a much simpler thing to use. a Westborough. “They want to send stuff outside the company. “People are in the habit of e-mailing documents. Scott Davis. Me. “One of (the) things that both a VPN and Mangomind do well is let you securely share files. His company. You are in trouble if someone happens to get this before a disclosure date. The lower cost factor is what prompted Greg Baber. and they’re able to take the data they need on a laptop. Inc. Salamone. because it offers a similar Windows user interface. Mangomind lets users set their own access permissions for files and folders. CTO for Internet Publishing Group. according to Mangosoft. and 2000. Mangomind Business Internet File Service. has no infrastructure in-house. and we found it fit our needs almost perfectly.” said Davis. especially for road warriors conducting business away from the corporate office. Baber said setup was easy and that he recommends Mangomind because it eliminates unnecessary costs. In terms of cost. enterprises can’t use Mangomind for intranet-based application use between companies.” said Davis. It’s an extremely cost-effective way to operate.” said Davis.

com e-mail: customerservice@techrepublic.Builder.com | TechRepublic.com | ZDNet.com | CNET.com Phone: 914-566-1866 • 800-217-4339 Product code: B038 ® ® .

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->