
Virtual Private Networks (Part 1)

VPN (Virtual Private Network) solutions are designed for organizations that increasingly need to communicate with remote sites because they operate over a wide area (nationwide or worldwide).

Central resources can be reached from many places, which saves both cost and time. A typical VPN consists of the main LAN at the headquarters (the main office), other LANs at remote offices, connection points (such as a home "office"), or users (mobile employees) connecting in from outside.

Concept
Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users to a central LAN at the headquarters. Instead of a dedicated physical connection such as a leased line, a VPN creates virtual links that travel over the Internet between an organization's private network and the remote site or user.

Types of VPN
Two types are common today: remote-access VPNs and site-to-site VPNs. A remote-access VPN, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection, typically needed by an organization with many employees who must reach its private network from many distant locations. For example, a company that wants to set up a large VPN will need an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and supplies remote users with client software for their computers. The users can then dial a toll-free number to reach the NAS and use the VPN client software to access the company's private network. This type of VPN allows secure, encrypted connections.

The illustration shows that the connection between the main office and a home "office" or a mobile employee is a remote-access VPN. A site-to-site VPN uses encryption to connect multiple fixed sites to one another over a public network such as the Internet. It can be intranet-based or extranet-based. Intranet-based: if a company has several remote sites that should join a single private network, it can create an intranet VPN that connects LAN to LAN. Extranet-based: when a company has a close relationship with another company (a supplier, a customer, and so on), it can build an extranet VPN that connects LAN to LAN so that the different organizations can work in a shared environment. In the illustration above, the connection between the main office and the remote office is an intranet VPN, and the connection between the main office and the business partner is an extranet VPN.

Security in a VPN
A firewall is a solid barrier between the private network and the Internet. You can configure firewalls to restrict the number of open ports and the types of packets and protocols that are let through. Some products used for VPNs, such as Cisco's 1700 router, can be upgraded to include firewall features by running the appropriate Cisco IOS (Internetwork Operating System). It is best to have a good firewall in place before setting up the VPN. Encryption is the process by which one computer encodes data and sends it to another computer so that only that computer can decode it. There are two kinds: symmetric-key encryption and public-key encryption.

Symmetric-key encryption: each computer has a secret key that it uses to encrypt a packet before sending it to another computer on the network. Symmetric keys require you to know which computers you will be talking to so that you can install the key on them, allowing the receiving computer to decrypt the data. Public-key encryption combines a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate with it securely. To decode a message, the computer must use the public key supplied by the sending computer together with its own private key. A very popular application of this kind is Pretty Good Privacy (PGP), which lets you encrypt almost anything. Internet Protocol Security (IPSec) provides advanced security features such as better encryption algorithms and more comprehensive authentication. IPSec has two encryption modes, tunnel and transport. Tunnel mode encrypts the header and the payload of each packet, while transport mode encrypts only the payload. Only systems that support IPSec can take advantage of this protocol. In addition, all devices must use a common key, and the firewalls on each system must have similar security settings. IPSec can encrypt data between many kinds of devices: router to router, firewall to router, PC to router, PC to server.

AAA servers
AAA stands for Authentication, Authorization and Accounting. These servers are used to make access more secure. When a request to set up a connection arrives from a client, it is passed to the AAA server for checking. Records of user activity are essential for auditing and security.

Technology products for VPNs
Depending on the type of VPN (remote-access or site-to-site), you will need to install certain components to set up the virtual private network. They may include:
- Desktop software for the remote user's client.
- Dedicated hardware such as a VPN concentrator or a PIX security firewall.
- A dedicated VPN server for dial-up services.
- A NAS (network access server) used by the provider to serve remote users.

- A VPN network and policy management center.

VPN concentrators
VPN concentrators are made by many vendors, but Cisco's products stand out in several features. Incorporating the most advanced encryption and authentication techniques available, VPN concentrators are built specifically for this type of network. They contain SEP encryption-processing modules that let users easily increase capacity and throughput. The product line has models suitable for businesses from small to large (from 100 to 10,000 simultaneous remote-access connections).

Figure: Cisco's VPN 3000 series concentrator (image: quadrantcommunications).

Routers for VPNs
These devices provide transport and security features. Building on its IOS, Cisco has developed routers suited to every situation, from home-to-office access to the needs of large enterprises.

Cisco PIX firewall
The Private Internet Exchange firewall combines a powerful network address translation mechanism, a proxy server, a packet filter, VPN features and blocking of unauthorized access. Instead of IOS, this device runs a highly organized operating system that can handle many protocols and performs very well by concentrating on IP.

Virtual Private Networks (Part 2)

Most VPNs rely on a technique called tunneling to create a private network on top of the Internet.

In essence, tunneling is the process of placing an entire packet inside another packet whose header carries the routing information needed to cross the intermediate network through a dedicated "pipe" (tunnel). When the packets reach the destination, the outer header is stripped and they are delivered to the end stations that should receive the data. To set up a tunnel, the client and the server must use the same tunneling protocol. The protocol of the outer packet is understood by the network and by both endpoints. These two endpoints are called tunnel interfaces, where packets enter and leave the network.

Tunneling requires three different protocols:
- The carrier protocol: the protocol used by the network that the information is traveling over.
- The encapsulating protocol: the protocol (such as GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data.
- The passenger protocol: the protocol of the original data being carried (such as IPX, NetBEUI, IP).

A user can place a packet that uses a protocol not supported on the Internet (such as NetBEUI) inside an IP packet and send it safely over the Internet. Or, they can place a packet that uses a private (non-routable) IP address inside another packet that uses a public (routable) IP address, extending a private network over the Internet.

Tunneling in site-to-site VPNs
In this type of VPN, GRE (Generic Routing Encapsulation) is normally the encapsulating protocol that provides the framework for packaging the passenger protocol for transport over the carrier protocol. It includes information on what type of packet you are encapsulating and information about the connection between the server and the client. Instead of GRE, IPSec in tunnel mode is sometimes used as the encapsulating protocol. IPSec works well on both remote-access and site-to-site VPNs. Of course, it must be supported at both tunnel interfaces.
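The three-protocol layering just described, together with the tunnel-versus-transport distinction from Part 1, as an added Python example (not code from the original article): it wraps a private-address IPv4 passenger packet in a GRE carrier packet, unwraps it again as the far tunnel interface would, and reports which bytes IPsec ESP would encrypt in each mode. The 172.16.0.0/24 and 10.0.0.0/24 ranges stand in for the private intranet and the public Internet as in the test lab later in this series; the two host addresses and the payload are constructed for the example.

```python
import socket
import struct

# 172.16.0.0/24 is the private intranet and 10.0.0.0/24 stands in for the
# public Internet. The remote-office host and the far tunnel endpoint are
# constructed for this example.
INTRANET_SRC = "172.16.0.4"   # VPN1's intranet interface (from the article)
INTRANET_DST = "172.16.0.3"   # constructed: a host at the remote office
TUNNEL_SRC = "10.0.0.2"       # VPN1's Internet interface (from the article)
TUNNEL_DST = "10.0.0.1"       # constructed: the far tunnel interface

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(passenger: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Carrier IPv4 header + 4-byte GRE header + untouched passenger packet.

    The GRE protocol-type field records what is inside (here IPv4), which is the
    'information about the type of packet' the article mentions.
    """
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no checksum/key/sequence flags
    carrier = ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(passenger))
    return carrier + gre + passenger


def gre_decapsulate(packet: bytes) -> tuple:
    """What the receiving tunnel interface does: validate the carrier header,
    skip the GRE header and hand back the passenger packet.
    Returns (outer_src, outer_dst, passenger)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("carrier packet is not GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("carrier header checksum is wrong")
    outer_src = socket.inet_ntoa(packet[12:16])
    outer_dst = socket.inet_ntoa(packet[16:20])
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    gre_len = 4
    if flags & 0x8000:  # C bit: checksum + reserved (4 bytes)
        gre_len += 4
    if flags & 0x2000:  # K bit: key (4 bytes)
        gre_len += 4
    if flags & 0x1000:  # S bit: sequence number (4 bytes)
        gre_len += 4
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % proto_type)
    return outer_src, outer_dst, packet[ihl + gre_len:]


def ipsec_encrypted_region(packet: bytes, mode: str) -> bytes:
    """Which bytes of an IP packet IPsec ESP would encrypt, as Part 1 describes:
    transport mode protects only the payload behind the original IP header;
    tunnel mode protects the whole original packet (header included) and puts a
    new outer header in front of it."""
    ihl = (packet[0] & 0x0F) * 4
    if mode == "transport":
        return packet[ihl:]
    if mode == "tunnel":
        return packet
    raise ValueError("mode must be 'transport' or 'tunnel'")


def demo() -> dict:
    """Tunnel a private-address packet across the public segment and unwrap it."""
    payload = b"constructed passenger data"
    # proto 6 = TCP; the passenger's own transport header is not modelled here
    passenger = ipv4_header(INTRANET_SRC, INTRANET_DST, 6, len(payload)) + payload
    tunneled = gre_encapsulate(passenger, TUNNEL_SRC, TUNNEL_DST)
    outer_src, outer_dst, inner = gre_decapsulate(tunneled)
    return {
        "outer": (outer_src, outer_dst),            # what the Internet segment routes on
        "inner": (socket.inet_ntoa(inner[12:16]),   # private addresses, carried inside
                  socket.inet_ntoa(inner[16:20])),
        "roundtrip_ok": inner == passenger,
        "overhead": len(tunneled) - len(passenger),  # 20-byte carrier + 4-byte GRE
        "transport_hidden": len(ipsec_encrypted_region(passenger, "transport")),
        "tunnel_hidden": len(ipsec_encrypted_region(passenger, "tunnel")),
    }


if __name__ == "__main__":
    print(demo())
```

Note that GRE on its own only encapsulates: the inner addresses are hidden from the routers on the 10.0.0.0/24 segment only in the sense that they are not used for routing, not in the sense of confidentiality. The `ipsec_encrypted_region` helper shows why tunnel mode is the one that also conceals the original header.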

In this model, a packet travels from a computer at the main office through the access server to the router (where GRE encapsulation takes place), and then through the tunnel to a computer at the remote office.

Tunneling in remote-access VPNs
With this type of VPN, tunneling usually relies on PPP (Point-to-Point Protocol). As part of TCP/IP, PPP acts as the carrier for other IP protocols when communicating over the network between the server and the remote-access mach­ine. In short, tunneling for remote-access VPNs depends on PPP. The following protocols are built on PPP's basic structure and are used in remote-access VPNs. L2F (Layer 2 Forwarding) was developed by Cisco; it uses any authentication scheme supported by PPP. PPTP (Point-to-Point Tunneling Protocol) was developed by the PPTP Forum consortium; it supports 40-bit and 128-bit encryption and uses any authentication scheme supported by PPP. L2TP (Layer 2 Tunneling Protocol) is the product of a partnership between the members of the PPTP Forum, Cisco and the IETF. Combining features of both PPTP and L2F, L2TP also fully supports IPSec. L2TP can be used as the tunneling protocol for both site-to-site and remote-access VPNs. In fact, L2TP can create a tunnel between a client and a router, a NAS and a router, or a router and a router. Compared with PPTP, L2TP has stronger and more secure features.

Virtual Private Networks (Part 3)

This part introduces how to set up a remote-access VPN using the Point-to-Point Tunneling Protocol (PPTP). The test lab uses Windows XP for the remote-access client and Windows Server 2003 for the servers. The VPN here is simplified to the 5 computers needed to play the different roles in a virtual private network.

- A computer running Windows Server 2003, Enterprise Edition, named DC1, acting as a domain controller, a DNS (Domain Name System) server, a DHCP (Dynamic Host Configuration Protocol) server and a certification authority (CA).

Figure: the simplified remote-access VPN model with 5 computers.

- A computer running Windows Server 2003, Standard Edition, named VPN1, acting as the VPN server. VPN1 has 2 network adapters installed.
- A computer running Windows Server 2003, Standard Edition, named IAS1, acting as a RADIUS (Remote Authentication Dial-in User Service) server for remote-access users.
- A computer running Windows Server 2003, Standard Edition, named IIS1, acting as a web and file server.
- A computer running Windows XP Professional, named CLIENT1, acting as the remote-access client.

There are two network segments: an intranet segment for the company LAN and an Internet segment. All intranet computers are connected to a hub or Layer 2 switch, and all computers on the Internet segment are connected to another hub or Layer 2 switch. We use the 172.16.0.0/24 range for the intranet and 10.0.0.0/24 for the Internet. IIS1 obtains its IP address configuration through DHCP. CLIENT1 also uses DHCP for its IP configuration but is additionally given an alternate IP configuration so that it can be placed on either the intranet or the Internet segment. Below is how to set up each machine.

Installment 1: Setting up DC1
To configure DC1 for the services it provides, follow these steps:
1. Install Windows Server 2003, Enterprise Edition, as a stand-alone server.
2. Configure TCP/IP with the IP address 172.16.0.1 and the subnet mask 255.255.255.0.
3. Run the Active Directory Installation Wizard (dcpromo.exe) for a new domain named example.com. Install the DNS service when prompted.
4. Using the Active Directory Users and Computers console, right-click the example.com domain and click Raise Domain Functional Level.
5. Click Windows Server 2003 and then click Raise.
6. Install DHCP as a Networking Services component using Control Panel => Add or Remove Programs.
7. Open the DHCP console from the Administrative Tools folder.
8. Click Action => Authorize to authorize the DHCP service.
9. In the console tree, right-click dc1.example.com and click New Scope.
10. On the Welcome page of the New Scope Wizard, click Next.
11. On the Scope Name page, type a name such as Mang Cong ty.
12. Click Next. On the IP Address Range page, type 172.16.0.10 in Start IP address, 172.16.0.100 in End IP address and 24 in Length.

Figure: entering the IP address range.

13. Click Next. On the Add Exclusions page, click Next.
14. On the Lease Duration page, click Next.
15. On the Configure DHCP Options page, click Yes, I want to configure DHCP options now.
16. Click Next. On the Router (Default Gateway) page, click Next.

17. On the Domain Name and DNS Servers page, type example.com in Parent domain. Type 172.16.0.1 in IP address and click Add.
18. Click Next. On the WINS Servers page, click Next.
19. On the Activate Scope page, click Yes, I want to activate the scope now.
20. Click Next. On the Completing the New Scope Wizard page, click Finish.
21. Install Certificate Services as a root CA named Example CA using Control Panel => Add or Remove Programs.
22. Open Active Directory Users and Computers.
23. In the console tree, select example.com.
24. Right-click Users and select Computer.
25. In the New Object - Computer dialog box, type IAS1 in Computer name.
26. Click Next. In the Managed dialog box, click Next. In the New Object - Computer dialog box, click Finish.
27. Repeat steps 24 to 26 to create additional computer accounts named IIS1, VPN1 and CLIENT1.
28. In the console tree, right-click Users and select User.
29. In the New Object - User dialog box, type VPNUser in First name and VPNUser in User logon name.
30. Click Next.
31. In the New Object - User dialog box, type a password of your choice in Password and Confirm password. Clear User must change password at next logon and select Password never expires.
32. In the New Object - User dialog box, click Finish.
33. In the console tree, right-click Users and select Group.
34. In the New Object - Group dialog box, type VPNUsers in Group name and click OK.
35. Double-click VPNUsers.
36. Click the Members tab and click Add.
37. In the Select Users, Contacts, Users or Groups dialog box, type vpnuser in Enter the object names to select.
38. Click OK. In the Multiple Names Found dialog box, click OK. The VPNUser user account is added to the VPNUsers group.
39. Click OK to save the changes to the VPNUsers group.

Virtual Private Networks (Part 4)

This part introduces how to set up a remote-access VPN using the Point-to-Point Tunneling Protocol (PPTP). The test lab uses Windows XP for the remote-access client and Windows Server 2003 for the servers.

Installment 2: Setting up IAS1, IIS1, VPN1 and CLIENT1

IAS1
IAS1 is a computer running Windows Server 2003, Standard Edition, that provides RADIUS authentication, authorization and accounting. To configure IAS1 as a RADIUS server, follow these steps:
1. Install Windows Server 2003, Standard Edition, as a member server named IAS1 in the example.com domain.
2. For the local intranet connection, configure TCP/IP with the IP address 172.16.0.2, the subnet mask 255.255.255.0 and the DNS server address 172.16.0.1.
3. Install Internet Authentication Service as a Networking Services component using Control Panel => Add or Remove Programs.
4. Open the Internet Authentication Service console from the Administrative Tools folder.
5. Right-click Internet Authentication Service and click Register Server in Active Directory. When the Register Internet Authentication Service in Active Directory dialog box appears, click OK.
6. In the console tree, right-click Clients and click New RADIUS Client.
7. On the Name and Address page of the New RADIUS Client wizard, type VPN1 in Friendly name, and type VPN1 again in Confirm shared secret.
8. Click Next. On the Additional Information page of the New RADIUS Client wizard, type a shared secret for VPN1 in Shared secret and type it again in Confirm shared secret.
9. Click Finish.

10. In the console tree, right-click Remote Access Policies and click New Remote Access Policy.
11. On the Welcome to the New Remote Access Policy Wizard page, click Next.
12. On the Policy Configuration Method page, type VPN remote access to intranet in Policy name.

13. Click Next. On the Access Method page, select VPN.
14. Click Next. On the User or Group Access page, select Group.
15. Click Add. In the Select Groups dialog box, type VPNUsers in Enter the object names to select.
16. Click OK. The VPNUsers group in the example.com domain is added to the list of groups on the User or Group Access page.
17. Click Next. On the Authentication Methods page, the MS-CHAP v2 authentication protocol is selected by default.
18. Click Next. On the Policy Encryption Level page, clear the Basic encryption and Strong encryption check boxes.
19. Click Next. On the Completing the New Remote Access Policy Wizard page, click Finish.

IIS1
IIS1 runs Windows Server 2003, Standard Edition, and Internet Information Services (IIS). To configure IIS1 as a file and web server, follow these steps:

1. Install Windows Server 2003, Standard Edition, as a member server named IIS1 in the example.com domain.
2. Install IIS as a subcomponent of Application Server in the Windows Components Wizard under Control Panel => Add or Remove Programs.
3. On IIS1, use Windows Explorer to create a new share for the root folder of drive C:, named ROOT, with the default permissions.
4. To check that the web server is working correctly, run Internet Explorer on IAS1. If the Internet Connection Wizard prompts you, configure the Internet connection as a LAN connection. In Internet Explorer, type http://IIS1.example.com/winxp.gif in Address. You should see the Windows XP logo.
5. To check that file sharing is working correctly, on IAS1 click Start > Run, type \\IIS1\ROOT and click OK. If it works, you should see the contents of the root folder of drive C: on IIS1.

VPN1
VPN1 is a computer running Windows Server 2003, Standard Edition, that provides VPN server services to VPN clients. To configure VPN1 as a VPN server, follow these steps:
1. Install Windows Server 2003, Standard Edition, as a member server named VPN1 in the example.com domain.
2. Open the Network Connections folder.
3. For the local area connection to the intranet, rename the connection to "Mang Cong ty". For the local area connection to the Internet, rename the connection to "Internet".
4. Configure TCP/IP for the Mang Cong ty connection with the IP address 172.16.0.4, the subnet mask 255.255.255.0 and the DNS server address 172.16.0.1.
5. Configure TCP/IP for the Internet connection with the IP address 10.0.0.2 and the subnet mask 255.255.255.0.
6. Run Routing and Remote Access from the Administrative Tools folder.
7. In the console tree, right-click VPN1 and click Configure and Enable Routing and Remote Access.
8. On the Welcome to the Routing and Remote Access Server Setup Wizard page, click Next.

9. On the Configuration page, Remote access (dial-up or VPN) is selected by default.
10. Click Next. On the Remote Access page, select VPN.
11. Click Next. On the VPN Connection page, click the Internet interface in Network interfaces.
12. Click Next. On the IP Address Assignment page, Automatically is selected by default.
13. Click Next. On the Managing Multiple Remote Access Servers page, click Yes, set up this server to work with a RADIUS server.
14. Click Next. On the RADIUS Server Selection page, type 172.16.0.2 in Primary RADIUS server and the shared secret in Shared secret.
15. Click Next. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.
16. You will see a message reminding you to configure the DHCP Relay Agent.
17. Click OK.
18. In the console tree, open VPN1 (local), then IP Routing, then DHCP Relay Agent. Right-click DHCP Relay Agent and click Properties.
19. In the DHCP Relay Agent Properties dialog box, type 172.16.0.1 in Server address.
20. Click Add, then OK.

CLIENT1
CLIENT1 is a computer running Windows XP Professional that acts as a VPN client and gains remote access to intranet resources across the Internet. To configure CLIENT1 as a client, follow these steps:
1. Connect CLIENT1 to the intranet segment.
2. On CLIENT1, install Windows XP Professional as a member computer named CLIENT1 in the example.com domain.
3. Add the VPNUser account in the example.com domain to the Administrators group.

4. Log off and log on again using the VPNUser account in the example.com domain.
5. From Control Panel > Network Connections, open the properties of the Local Area Connection, then the properties of TCP/IP.
6. Click the Alternate Configuration tab and select User configured.
7. In IP address, type 10.0.0.1. In Subnet mask, type 255.255.255.0.
8. Click OK to save the changes to TCP/IP. Click OK to save the changes to the Local Area Connection.
9. Shut down CLIENT1.
10. Disconnect CLIENT1 from the intranet segment and connect it to the Internet segment.
11. Restart CLIENT1 and log on using the VPNUser account.
12. On CLIENT1, open the Network Connections folder from Control Panel.
13. In Network Tasks, click Create a new connection.
14. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
15. On the Network Connection Type page, click Connect to the network at my workplace.
16. Click Next. On the Network Connection page, click Virtual Private Network connection.
17. Click Next. On the Connection Name page, type PPTPtoCorpnet in Company Name.
18. Click Next. On the VPN Server Selection page, type 10.0.0.2 in Host name or IP address.
19. Click Next. On the Connection Availability page, click Next.
20. On the Completing the New Connection Wizard page, click Finish. The Connect PPTPtoMangCongty dialog box appears.
21. Click Properties and then click the Networking tab.
22. On the Networking tab, in Type of VPN, click PPTP VPN.

23. Click OK to save the changes to the PPTPtoMangcongty connection. The PPTPtoMangcongty dialog box appears.
24. In User name, type example\VPNUser. In Password, type your password for the VPNUser account.
25. Click Connect.
26. When the connection is complete, run Internet Explorer.
27. If the Internet Connection Wizard prompts you, configure it for a LAN connection. In Address, type http://IIS1.example.com/winxp.gif. You should see the Windows XP image.
28. Click Start > Run, type \\IIS1\ROOT and click OK. You should see the contents of drive C: on IIS1.
29. Right-click the PPTPtoMangcongty connection and click Disconnect.

Virtual Private Networks (Part 5)

This part introduces a remote-access VPN connection using the L2TP/IPsec protocol. This mechanism requires certificates on both the VPN client and the VPN server, and it is used when users need a public key infrastructure offering a higher level of security than PPTP.
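Parts 3 and 4 above make VPN1 forward every connection request to IAS1 over RADIUS, protected by a shared secret, and IAS1 answers according to the remote access policy for the VPNUsers group; this is also the AAA server role described in Part 1. The following Python script is an added example, not code from the article or from Microsoft, that replays that exchange offline: the VPN1 side builds an Access-Request, the IAS1 side applies the policy and returns Access-Accept or Access-Reject, and VPN1 validates the Response Authenticator before trusting the answer. It uses RFC 2865's User-Password attribute (PAP-style hiding) rather than the MS-CHAP v2 method the lab's policy selects; the shared secret, the password and the user database are placeholders constructed for this example.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Lab values from the article: VPN1 is the RADIUS client (NAS) at 172.16.0.4,
# IAS1 is the RADIUS server at 172.16.0.2. The secret, the password and the
# user database below are placeholders constructed for this example.
NAS_IP = "172.16.0.4"
SHARED_SECRET = b"placeholder-shared-secret"
USER_DB = {"VPNUser": ("placeholder-password", {"VPNUsers"})}  # stand-in for AD


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def xor_chunks(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 User-Password hiding/unhiding: each 16-byte chunk is XORed with
    MD5(secret + previous ciphertext chunk), seeded by the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(data[i:i + 16], keystream))
        out += chunk
        prev = chunk if hiding else data[i:i + 16]  # chaining always uses ciphertext
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded_len = max(16, (len(password) + 15) // 16 * 16)
    return xor_chunks(password.ljust(padded_len, b"\x00"), secret, request_auth, True)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return xor_chunks(hidden, secret, request_auth, False).rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the NAS can
    only validate the reply if both sides hold the same shared secret."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def vpn1_access_request(username: str, password: str, ident: int, secret: bytes) -> tuple:
    """NAS side: build an Access-Request; returns (packet, request_authenticator)."""
    request_auth = os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(NAS_IP)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def ias1_handle(request: bytes, secret: bytes) -> bytes:
    """Server side: apply the lab's policy (valid password, member of VPNUsers)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    name = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pwd = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    entry = USER_DB.get(name)
    ok = (code == ACCESS_REQUEST and entry is not None
          and hmac.compare_digest(entry[0].encode(), pwd) and "VPNUsers" in entry[1])
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, b"", request_auth, secret)
    return packet(reply_code, ident, auth, b"")


def vpn1_check_reply(reply: bytes, request_auth: bytes, secret: bytes) -> tuple:
    """NAS side: verify the Response Authenticator before trusting the code."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    authentic = hmac.compare_digest(expected, reply[4:20])
    return ("accept" if code == ACCESS_ACCEPT else "reject"), authentic


def exchange(password="placeholder-password", nas_secret=SHARED_SECRET,
             ias_secret=SHARED_SECRET) -> tuple:
    """One VPN1 -> IAS1 -> VPN1 round trip; returns (decision, reply_authentic)."""
    req, request_auth = vpn1_access_request("VPNUser", password, 7, nas_secret)
    reply = ias1_handle(req, ias_secret)
    return vpn1_check_reply(reply, request_auth, nas_secret)


if __name__ == "__main__":
    print(exchange())                                   # ('accept', True)
    print(exchange(password="wrong-password"))          # ('reject', True)
    print(exchange(ias_secret=b"different-secret"))     # ('reject', False)
```

The third case is the one to remember when the shared secret typed in step 8 on IAS1 and step 14 on VPN1 do not match: the password cannot be recovered on the server, so the user is rejected, and the reply's authenticator fails verification on the NAS, so the failure is visible on both ends rather than looking like a wrong password.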

In this test lab, you need:
- A computer running Windows Server 2003, Enterprise Edition, named DC1, acting as a domain controller, a DNS (Domain Name System) server, a DHCP (Dynamic Host Configuration Protocol) server and a certification authority (CA).

Figure: the remote-access VPN test lab (image: Microsoft).

- A computer running Windows Server 2003, Standard Edition, named VPN1, acting as the VPN server. VPN1 has 2 network adapters installed.
- A computer running Windows XP Professional, named CLIENT1, acting as the remote-access client.
- A computer running Windows Server 2003, Standard Edition, named IAS1, acting as a RADIUS (Remote Authentication Dial-in User Service) server for remote-access users.
- A computer running Windows Server 2003, Standard Edition, named IIS1, acting as a web and file server.

For the basic guidance on the test lab, see Virtual Private Networks (Part 3). Note that the Internet segment there is only simulated. When connecting to the real Internet, you need real IP addresses and a real domain in place of example.com. IAS1 and IIS1 are set up as in Part 3. In fact, you can also run a reduced model with just 3 machines: DC1, VPN1 and CLIENT1.

DC1
Here is how to configure DC1 to auto-enroll computer certificates:
1. Open Active Directory Users and Computers.
2. In the console tree, double-click Active Directory Users and Computers, right-click example.com and click Properties.
3. Open the Group Policy tab, click Default Domain Policy and click Edit.

4. In the console tree, open Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings.
5. Right-click Automatic Certificate Request Settings, point to New and click Automatic Certificate Request.
6. On the Welcome to the Automatic Certificate Request Setup Wizard page, click Next.
7. On the Certificate Template page, click Computer.
8. Click Next. On the final page of the Automatic Certificate Request Setup Wizard, click Finish. The certificate type now appears in the details pane of the Group Policy Object Editor.
9. Type gpupdate at a command prompt to refresh Group Policy on DC1.

VPN1
Refresh Group Policy on VPN1: type gpupdate at a command prompt. After the new certificates have been obtained, you must stop and restart the IPsec Policy Agent and Remote Access services:
1. Click Start > Administrative Tools > Services.
2. In the details pane, point to IPSEC Services, click Action and then Restart.
3. In the details pane, point to Routing and Remote Access, click Action and then Restart.

CLIENT1
To enroll certificates on this machine and configure a remote-access VPN connection using L2TP/IPsec, follow these steps:
1. Shut down CLIENT1.
2. Disconnect CLIENT1 from the simulated Internet segment and connect it to the intranet segment.
3. Restart CLIENT1 and log on with the VPNUser account. The computer and Group Policy are updated automatically.
4. Shut down CLIENT1.
5. Disconnect CLIENT1 from the intranet segment and connect it to the simulated Internet segment.

6. Restart CLIENT1 and log on with the VPNUser account.
7. On CLIENT1, in Control Panel, open the Network Connections folder.
8. In Network Tasks, click Create a new connection.
9. On the Welcome to the New Connection Wizard page, click Next.
10. On the Network Connection Type page, click Connect to the network at my workplace.
11. Click Next. On the Network Connection page, click Virtual Private Network connection.
12. Click Next. On the Connection Name page, type L2TPtoMangcongty.
13. Click Next. On the Public Network page, click Do not dial the initial connection.
14. Click Next. On the VPN Server Selection page, type 10.0.0.2 in Host name or IP address.
15. Click Next. On the Connection Availability page, click Next.
16. On the Completing the New Connection Wizard page, click Finish. The L2TPtoMangcongty dialog box appears.
17. Click Properties and then click the Networking tab.
18. On the Networking tab, in Type of VPN, click L2TP/IPSec VPN.
19. Click OK to save the changes to the L2TPtoMangcongty connection. The Connect L2TPtoMangcongty dialog box appears.
20. In User name, type example\VPNUser. In Password, type the password you chose for the VPNUser account.
21. Click Connect.
22. When the connection is established, run the web browser.
23. In Address, type http://IIS1.example.com/iisstart.htm. You should see a message that the web site is under construction. In practice, you must have a real domain name in place of example.com.
24. Click Start > Run, type \\IIS1\ROOT and click OK. You should see the contents of the local drive (drive C:) on IIS1.

25. Right-click the L2TPtoMangcongty connection and click Disconnect.

Notes
If you want to establish a private "virtual path" over the Internet for remote access, you can use IPSec directly only when the client has a real (public) IP address. Because L2TP with IPSec encryption requires a public key infrastructure (PKI), it is harder and more expensive to deploy than PPTP. L2TP/IPSec is L2TP running on top of IPSec, while IPSec Tunnel Mode is a different protocol. Because of their authentication mechanism, L2TP/IPSec and IPSec Tunnel Mode can pass through a NAT (network address translation) device only by traversing additional tunnels. If there is a NAT between the point of presence (POP) and the Internet, you will run into trouble. With PPTP, on the other hand, an encrypted IP packet is placed inside an unencrypted IP packet, so it can pass through a NAT. PPTP and L2TP can work with password-based authentication systems, and they support stronger authentication with smart cards, biometrics and similar devices.

Advice: PPTP is the best solution when the customer wants security that is neither expensive nor complex. It also works well when the data streams have to pass through NAT. Customers who want NAT and stronger security can configure IPSec rules on Windows 2000. L2TP is the best solution when the customer considers security a top priority and is committed to deploying a PKI. If you need a NAT device in the VPN path, this solution may not work well. IPSec Tunnel Mode is more effective for site-to-site VPNs. Although this protocol is now also applied to remote-access VPNs, its implementations do not interoperate. IPSec Tunnel Mode will be covered in more detail in the upcoming part on site-to-site VPNs.

Virtual Private Networks (Part 6)

As mentioned in the previous part, VPN security can be further supported by smart card and biometric technology. Microsoft integrates another protocol called EAP-TLS into Windows to handle this for remote-access VPNs.

EAP-TLS stands for Extensible Authentication Protocol - Transport Layer Security. A connection based on this protocol requires a user certificate on both the client and the IAS server of the VPN. This is the most secure mechanism at the user level. Although smart cards and biometrics are still new concepts in Vietnam, we present the setup so that readers can picture what Windows supports.

Figure: the remote-access VPN test lab (image: Microsoft).

The test lab is still the 5 computers with their different roles (see Parts 3, 4 or 5 for details). When you start the setup, power on all the machines (the 5 computers are connected directly to one another as shown in the figure).

DC1
You will configure DC1 to auto-enroll user certificates.
1. Click Start > Run, type mmc and click OK.
2. On the File menu, click Add/Remove Snap-in, then Add.
3. Under Snap-in, double-click Certificate Templates, then click Close and OK.
4. In the console tree, click Certificate Templates. All of the certificate templates are displayed in the details pane.
5. In the details pane, click the User template.
6. On the Action menu, click Duplicate Template.
7. In the Template display name box, type VPNUser.

8. Select the Publish Certificate in Active Directory check box.
9. Click the Security tab.
10. In the Group or user names list, click Domain Users.
11. In the Permissions for Domain Users list, select the Read, Enroll and Autoenroll check boxes to allow these permissions.
12. Click the Subject Name tab.
13. Clear the Include E-mail name in subject name and E-mail name check boxes. Because no e-mail name is configured for the VPNUser account, you must clear these so that the user certificate can be issued.
14. Click OK.
15. Open the Certification Authority console from the Administrative Tools folder.
16. In the console tree, open Certification Authority, then Example CA, then Certificate Templates.
17. On the Action menu, point to New and click Certificate Template to Issue.
18. Click VPNUser.
19. Click OK.
20. Open the Active Directory Users and Computers console.
21. In the console tree, double-click Active Directory Users and Computers, right-click example.com and click Properties.
22. On the Group Policy tab, click Default Domain Policy, then Edit.
23. In the console tree, open User Configuration > Windows Settings > Security Settings > Public Key Policies.
24. In the details pane, double-click Autoenrollment Settings.
25. Click Enroll certificates automatically. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box and the Update certificates that use certificate templates check box.
26. Click OK.

Figure: a smart card product used with Realtime's GlobalAdmin "processing station" for remote-access VPNs (image: Realtime).

IAS1
You will configure IAS1 with a computer certificate for EAP-TLS authentication.
1. Restart IAS1 to make sure it auto-enrolls a computer certificate.
2. Open the Internet Authentication Service console.
3. In the console tree, click Remote Access Policies.
4. In the details pane, double-click VPN remote access to intranet. The VPN remote access to intranet Properties dialog box appears.
5. Click Edit Profile and click the Authentication tab.
6. On the Authentication tab, click EAP Methods. The Select EAP Providers dialog box appears.
7. Click Add. The Add EAP dialog box appears.
8. Click Smart Card or other certificate, then OK.

9. Click Edit. The Smart Card or other Certificate Properties dialog box appears.
10. The properties of the computer certificate for IAS1 are displayed. This step confirms that IAS1 has a computer certificate installed for performing EAP-TLS authentication. Click OK.
11. Click OK to save the changes to the EAP provider. Click OK to save the changes to the profile settings.
12. When prompted to view the Help topics, click No. Click OK to save the changes to the remote access policy. These configuration changes allow the VPN remote access to intranet policy to authenticate VPN connections using the EAP-TLS authentication method.

CLIENT1
You also enroll a certificate on this machine and then configure an EAP-TLS-based remote-access VPN connection.
1. Shut down CLIENT1.
2. Disconnect it from the simulated Internet segment and connect it to the intranet segment.
3. Restart CLIENT1 and log on with the VPNUser account. The computer and Group Policy are updated automatically.
4. Shut down CLIENT1.
5. Disconnect CLIENT1 from the intranet segment and connect it to the simulated Internet segment.
6. Restart CLIENT1 and log on with the VPNUser account.
7. On CLIENT1, in Control Panel, open the Network Connections folder.
8. In Network Tasks, click Create a new connection.
9. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
10. On the Network Connection Type page, click Connect to the network at my workplace.

11. Click Next. On the Network Connection page, click Virtual Private Network connection.
12. Click Next. On the Connection Name page, type EAPTLStoMangcongty in Company Name.
13. Click Next. On the Public Network page, click Do not dial the initial connection.
14. Click Next. On the VPN Server Selection page, type 10.0.0.2 in Host name or IP address.
15. Click Next. On the Connection Availability page, click Next.
16. On the Completing the New Connection Wizard page, click Finish. The Connect EAPTLStoMangcongty dialog box appears.
17. Click Properties, then the Security tab.
18. On the Security tab, click Advanced, then Settings. The Advanced Security Settings dialog box appears.
19. In the Advanced Security Settings dialog box, click Use Extensible Authentication Protocol (EAP).
20. Click Properties. In the Smart Card or other Certificate Properties dialog box, click Use a certificate on this computer.
21. Click OK to save the changes in the dialog box. Click OK to save the changes in Advanced Security Settings. Click OK to save the changes on the Security tab. The connection is started immediately and uses the user certificate that was just enrolled. The first time you try, it may take several attempts before the connection succeeds.
22. When the connection succeeds, run the web browser.
23. In Address, type http://IIS1.example.com/iisstart.htm. You should see a message that the web site is under construction. In practice, this must be a real domain name.
24. Click Start > Run, type \\IIS1\ROOT and click OK. You should see the contents of the local drive (drive C:) on IIS1.
25. Right-click the EAPTLStoMangcongty connection and click Disconnect.

The remaining machines are set up as in Part 4.

Notes on using a third-party Certificate Authority (CA) for EAP-TLS authentication

The certificate on the authenticating server must:
- be installed in the Local Computer certificate store;
- have a corresponding private key;
- be supported by an installed cryptographic service provider (CSP); otherwise the certificate cannot be used and does not appear for selection in the Smart Card or Other Certificate list on the Authentication tab;
- carry the Server Authentication certificate purpose, also called an Enhanced Key Usage (EKU), OID 1.3.6.1.5.5.7.3.1;
- contain the fully qualified domain name (FQDN) of the computer account in the certificate's Subject Alternative Name.
In addition, the root CA certificates of the CAs that issued the client certificates must be installed in the Trusted Root Certification Authorities store of the authenticating servers.

The certificates on the VPN clients must:
- have a corresponding private key;
- contain the Client Authentication EKU, OID 1.3.6.1.5.5.7.3.2;
- be installed in the Current User certificate store;
- contain the user principal name (UPN) of the user account in the certificate's Subject Alternative Name.
In addition, the root CA certificates of the CAs that issued the computer certificates on the IAS servers must be installed in the Trusted Root Certification Authorities store of the VPN clients.

Virtual Private Networks (Part 7)

If computers on one LAN need to reach computers on another LAN, you can use a site-to-site VPN. This part shows how to set one up with PPTP. The model suits organizations and companies with several offices far apart from each other.

Required equipment

Figure: a site-to-site VPN model. Image: Microsoft.

The test lab uses five computers in different roles, the minimum needed to run a site-to-site VPN. In practice each LAN and the VPN servers would be much larger, with authentication servers, domain controllers, IAS and so on. Assume the network belongs to company XYZ, with two LANs, Hanoi and Ho Chi Minh City (HCMC). The client in HCMC needs to send traffic to the Hanoi office.

The network also needs four hubs (or Layer 2 switches):
- one connecting the Hanoi office (CLIENT1) to the answering router (ROUTER1);
- one connecting the HCMC office (CLIENT2) to the calling router (ROUTER2);
- one connecting the answering router (ROUTER1) to the Internet router (INTERNET);
- one connecting the calling router (ROUTER2) to the Internet router (INTERNET).
Notes:
- Because the lab has only two machines on each small network, the hubs can be replaced by Ethernet crossover cables.

- In the lab, Windows Firewall is installed and turned on by default on the clients. You will configure a Windows Firewall exception on CLIENT1 so that the two clients can reach each other. On the other three machines Windows Firewall is installed but not turned on by default; in addition, the Windows Firewall/Internet Connection Sharing (ICS) service must be turned off on those machines.

Figure: the test lab. Image: Microsoft.

- The IP addresses of the machines are assumed as follows:

IP addresses on the Hanoi office subnet
Computer/Interface            IP address
CLIENT1                       172.16.4.3
ROUTER1 (Hanoi intranet)      172.16.4.1

IP addresses on the Internet subnets
Computer/Interface            IP address
ROUTER1 (Internet)            10.1.0.2
INTERNET (to ROUTER1)         10.1.0.1
ROUTER2 (Internet)            10.2.0.2
INTERNET (to ROUTER2)         10.2.0.1

IP addresses on the HCMC office subnet
Computer/Interface            IP address
ROUTER2 (HCMC intranet)       172.16.56.1
CLIENT2                       172.16.56.3

Configuring the clients

CLIENT1
- TCP/IP properties
1. Open Network Connections in Control Panel, right-click the LAN connection and choose Properties.
2. On the General tab, select Internet Protocol (TCP/IP) and click Properties.
3. Click Use the following IP address and type 172.16.4.3 for IP address, 255.255.255.0 for Subnet mask and 172.16.4.1 for Default gateway.
- Open a Windows Firewall exception so that the clients can reach each other
1. Open Control Panel and click Security Center.
2. Click Windows Firewall; in the program's dialog box, click the Advanced tab.
3. Click Settings, then ICMP, and select Allow incoming echo request.
4. Click OK twice to close Windows Firewall.

CLIENT2
- TCP/IP properties
1. Open Network Connections in Control Panel, right-click the LAN connection and choose Properties.
2. On the General tab, select Internet Protocol (TCP/IP) and click Properties.
3. Click Use the following IP address and type 172.16.56.3 for IP address, 255.255.255.0 for Subnet mask and 172.16.56.1 for Default gateway.
- Because CLIENT2 in the HCMC office is the sending machine, it needs no special Windows Firewall exception; the default settings described above suffice. Only if CLIENT2 becomes the answering machine does it need the same exception as CLIENT1.

Configuring the calling and answering routers

ROUTER1
- TCP/IP properties
1. Open Network Connections in Control Panel, right-click the connection and choose Properties.
2. On the General tab, select Internet Protocol (TCP/IP) and click Properties.
3a. On the To the Internet interface, type 10.1.0.2 for IP address, 255.255.0.0 for Subnet mask and 10.1.0.1 for Default gateway.

3b. On the To Hanoi intranet interface, type 172.16.4.1 for IP address, 255.255.255.0 for Subnet mask and leave Default gateway blank.
- Windows Firewall and Routing and Remote Access cannot run at the same time on a VPN server, so if Windows Firewall is on you must turn it off. If the Windows Firewall/Internet Connection Sharing (ICS) service is set to start automatically before you configure Routing and Remote Access, disable it as well:
1. Click Administrative Tools > Services.
2. In the Services details pane, right-click Windows Firewall/Internet Connection Sharing (ICS) and choose Properties.
3. If Startup Type is Automatic or Manual, change it to Disabled.
4. Click OK twice to save the change.

ROUTER2
- TCP/IP properties
1. Open Network Connections in Control Panel, right-click the connection and choose Properties.
2. On the General tab, select Internet Protocol (TCP/IP) and click Properties.
3a. On the To the Internet interface, type 10.2.0.2 for IP address, 255.255.0.0 for Subnet mask and 10.2.0.1 for Default gateway.
3b. On the To HCMC intranet interface, type 172.16.56.1 for IP address, 255.255.255.0 for Subnet mask and leave Default gateway blank.
- Turn off Windows Firewall as for ROUTER1.

Configuring the Internet router
1. Open Network Connections in Control Panel, right-click the connection and choose Properties.
2. On the General tab, select Internet Protocol (TCP/IP) and click Properties.
3a. On the To Router1 interface, type 10.1.0.1 for IP address and 255.255.0.0 for Subnet mask.
3b. On the To Router2 interface, type 10.2.0.1 for IP address and 255.255.0.0 for Subnet mask.
4. Open Administrative Tools, choose Routing and Remote Access and open the Routing and Remote Access Microsoft Management Console (MMC).
5. Right-click INTERNET (local) in the console tree and click Configure and Enable Routing and Remote Access.
6. Click Next on the Routing and Remote Access Server Setup Wizard page.
7. On the Configuration page, select Custom configuration.
8. Click Next. On the Custom Configuration page, select LAN routing.
9. Click Next. On the Completing the Routing and Remote Access Server Setup page, click Finish, then Yes to start the service.

Turn off Windows Firewall as for ROUTER1.

Testing
- On ROUTER1, ping 10.2.0.2. This succeeds.
- On CLIENT2, ping 172.16.4.3. This fails: CLIENT1 and CLIENT2 cannot reach each other across the simulated Internet segment until the site-to-site VPN connection is established, because the INTERNET router knows nothing about the 172.16.x.x office subnets.

Setting up the site-to-site VPN with PPTP

- Configuring the answering router as a VPN server
1. On ROUTER1, click Administrative Tools and choose Routing and Remote Access.
2. Right-click ROUTER1 (local) in the console tree and choose Configure and Enable Routing and Remote Access.
3. Click Next on the Routing and Remote Access Server Setup Wizard page.
4. On the Configuration page, select Remote access (dial-up or VPN).
5. Click Next. On the Remote Access page, select VPN.
6. Click Next. On the VPN Connection page, select To the Internet and check Enable security on the selected interface by setting up static packet filters.
7. Click Next. On the IP Address Assignment page, select From a specified range of addresses.
8. Click Next. On the Address Range Assignment page, click New.
9. In the New Address Range dialog box:
   a. Type 172.16.100.1 in Start IP address.
   b. Type 172.16.100.2 in End IP address.
   c. Accept the value 2 in Number of Addresses.
10. Click OK. On the Address Range Assignment page, click Next.
11. On the Managing Multiple Remote Access Servers page, select No, use Routing and Remote Access to authenticate connection requests.
12. Click Next. On the Completing the Routing and Remote Access Server Setup page, click Finish.
13. Click OK to close the dialog box asking you to configure the DHCP Relay Agent; it is not configured in this lab.

- Configuring the demand-dial interface on the answering router
1. In Routing and Remote Access, select ROUTER1 and right-click Network Interfaces.
2. Choose New Demand-dial Interface to open the Demand-Dial Interface Wizard, then click Next.
3. On the Interface Name page, type VPN_TPHCM. Note: the interface name must exactly match the user name the calling router uses when it dials in; the wizard creates that user account in step 7b, and ROUTER2 will dial out as VPN_TPHCM.
4. Click Next. On the Connection Type page, select Connect using virtual private networking (VPN).
5. Click Next. On the VPN Type page, select Point-to-Point Tunneling Protocol (PPTP).
6. Click Next. On the Destination Address page, type 10.2.0.2 in Host name or IP address.
7. Click Next. On the Protocols and Security page:
   a. Select Route IP packets on this interface.
   b. Select Add a user account so a remote router can dial in.
8. Click Next. On the Static Routes for Remote Networks page, click Add.
9. In the Static Route dialog box:
   a. Type 172.16.56.0 in Destination.
   b. Type 255.255.255.0 in Network Mask.
   c. Accept the value 1 in Metric.
10. Click OK. On the Static Routes for Remote Networks page, click Next.
11. On the Dial In Credentials page, type and confirm a password for the VPN_TPHCM account.
12. Click Next. On the Dial Out Credentials page:
   a. Type VPN_Hanoi in User name.
   b. Type ROUTER2 in Domain.
   c. Type the password of VPN_Hanoi in Password.
   d. Retype it in Confirm password.
13. Click Next. On the last page of the Demand-Dial Interface Wizard, click Finish.
14. Click OK to close the dialog box asking you to configure the DHCP Relay Agent; it is not configured in this lab.

- Configuring the calling router as a VPN server
1. On ROUTER2, click Administrative Tools and choose Routing and Remote Access.
2. Right-click ROUTER2 (local) in the console tree and click Configure and Enable Routing and Remote Access.
3. Click Next on the Routing and Remote Access Server Setup Wizard page.
4. On the Configuration page, select Remote access (dial-up or VPN) and click Next.
5. On the Remote Access page, select VPN and click Next.
6. On the VPN Connection page, select To the Internet, check Enable security on the selected interface by setting up static packet filters and click Next.
7. On the IP Address Assignment page, select From a specified range of addresses and click Next. On the Address Range Assignment page, click New.
8. In the New Address Range dialog box:
   a. Type 172.56.200.1 in Start IP address.
   b. Type 172.56.200.2 in End IP address.
   c. Accept the value 2 in Number of Addresses and click OK.
   (Note that 172.56.0.0/16 lies outside the RFC 1918 private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. The lab uses it as given; a production address pool should come from private space.)
9. On the Address Range Assignment page, click Next.
10. On the Managing Multiple Remote Access Servers page, select No, use Routing and Remote Access to authenticate connection requests and click Next.
11. On the Completing the Routing and Remote Access Server Setup page, click Finish.

12. Click OK to close the dialog box asking you to configure the DHCP Relay Agent; it is not configured in this lab.

- Configuring the demand-dial interface on the calling router
1. In Routing and Remote Access, select ROUTER2 and right-click Network Interfaces.
2. Choose New Demand-dial Interface to open the Demand-Dial Interface Wizard, then click Next.
3. On the Interface Name page, type VPN_Hanoi. Note: the interface name must exactly match the user name the other router uses when it dials in; ROUTER1 dials out as VPN_Hanoi, and this is the interface you will connect later.
4. Click Next. On the Connection Type page, select Connect using virtual private networking (VPN).
5. Click Next. On the VPN Type page, select Point-to-Point Tunneling Protocol (PPTP).
6. Click Next. On the Destination Address page, type 10.1.0.2 in Host name or IP address.
7. Click Next. On the Protocols and Security page:
   a. Select Route IP packets on this interface.
   b. Select Add a user account so a remote router can dial in.
8. Click Next. On the Static Routes for Remote Networks page, click Add.
9. In the Static Route dialog box:
   a. Type 172.16.4.0 in Destination.
   b. Type 255.255.255.0 in Network Mask.
   c. Accept the value 1 in Metric.
10. On the Static Routes for Remote Networks page, click Next.
11. On the Dial In Credentials page, type and confirm the password for the VPN_Hanoi account. It must be the same password you entered as the dial-out password for VPN_Hanoi on ROUTER1.
12. On the Dial Out Credentials page:
   a. Type VPN_TPHCM in User name.
   b. Type ROUTER1 in Domain.
   c. Type the password of the VPN_TPHCM user account created on ROUTER1.
   d. Retype it in Confirm password.
13. On the last page of the Demand-Dial Interface Wizard, click Finish.

- Granting remote access permission on the calling and answering routers
1. On ROUTER2, in Routing and Remote Access, click Remote Access Policies.
2. In the details pane, right-click Connections to Microsoft Routing and Remote Access server and choose Properties.
3. On the Settings tab, select Grant remote access permission and click OK to save the change.
4. Repeat the three steps above on ROUTER1.

- Establishing the VPN connection

1. On ROUTER2, in the Routing and Remote Access console tree, click Network Interfaces.
2. In the details pane, right-click VPN_Hanoi and click Connect.
3. Check the connection status of VPN_Hanoi.

- Testing the connection
1. On CLIENT2, at a command prompt, type ping 172.16.4.3. This is CLIENT1's IP address; pinging it checks whether the machine can reach the Hanoi subnet.
2. To check that packets are travelling through the VPN connection, type tracert 172.16.4.3 at the command prompt. Use CLIENT1's IP address rather than its computer name, because no DNS server is configured in this lab. In practice, with a name server in place, you could enter the computer name instead, for example xyzhanoi_quangminh. Output like the following shows that the connection works:

  Tracing route to 172.16.4.3 over a maximum of 30 hops:
    1    <1 ms    <1 ms    <1 ms   172.16.56.1
    2     1 ms    <1 ms    <1 ms   172.56.200.2
    3     1 ms     1 ms     1 ms   172.16.4.3
  Trace complete.

Reading the output: 172.16.56.1 is ROUTER2's interface on the HCMC intranet. 172.56.200.2 is the IP address that ROUTER2 assigned to ROUTER1; its appearance means the packets are crossing the site-to-site VPN connection. 172.16.4.3 is CLIENT1.

Virtual Private Networks (Part 8)

This part shows how to set up a LAN-to-LAN VPN with L2TP/IPsec. It is the most secure of the VPN protocols covered here, because both the user and the computer must pass authentication. User authentication uses Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2 or Extensible Authentication Protocol (EAP).
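As an added example (not code from the original article or from Microsoft), the following Python script models the five-node PPTP lab of Part 7 above with the page's interface addresses, default gateways and demand-dial static routes, and replays the page's two tests: the ping from ROUTER1 that must work before the tunnel exists, and the ping/tracert from CLIENT2 that fails with the tunnel down and succeeds once VPN_Hanoi is connected. The tunnel endpoint addresses are taken from the page's tracert output. Representing each demand-dial static route as a next hop via the peer's tunnel address is a simplification of RRAS, which binds the route to the demand-dial interface itself.

```python
"""Route-lookup walk-through for the PPTP site-to-site lab (Part 7).

Added example, not part of the original article. Addresses, gateways and the
static routes typed into the Demand-Dial Interface Wizards are the page's own;
the tunnel endpoint addresses follow the page's tracert output.
"""
from ipaddress import ip_address, ip_interface, ip_network

# Interface addresses exactly as in the lab tables (address/prefix length).
INTERFACES = {
    "CLIENT1":  ["172.16.4.3/24"],
    "ROUTER1":  ["172.16.4.1/24", "10.1.0.2/16"],
    "INTERNET": ["10.1.0.1/16", "10.2.0.1/16"],
    "ROUTER2":  ["172.16.56.1/24", "10.2.0.2/16"],
    "CLIENT2":  ["172.16.56.3/24"],
}
# Default gateways from the TCP/IP properties; INTERNET has none (LAN routing only).
DEFAULT_GW = {
    "CLIENT1": "172.16.4.1", "ROUTER1": "10.1.0.1",
    "ROUTER2": "10.2.0.1", "CLIENT2": "172.16.56.1",
}
# Tunnel endpoints as shown by the page's tracert: ROUTER2 keeps 172.56.200.1
# and hands 172.56.200.2 to ROUTER1. The demand-dial static routes are modelled
# as next hops via the peer's tunnel address (simplification of RRAS, which
# binds the route to the demand-dial interface).
TUNNEL = {"ROUTER2": "172.56.200.1/32", "ROUTER1": "172.56.200.2/32"}
DEMAND_DIAL_ROUTES = {
    "ROUTER1": ("172.16.56.0/24", "172.56.200.1"),   # HCMC subnet via ROUTER2's end
    "ROUTER2": ("172.16.4.0/24", "172.56.200.2"),    # Hanoi subnet via ROUTER1's end
}


def build_tables(tunnel_up):
    """Return ({node: [(network, next_hop_or_None)]}, {ip: owning node})."""
    tables, owner = {}, {}
    for node, addrs in INTERFACES.items():
        routes = []
        for a in addrs:
            iface = ip_interface(a)
            routes.append((iface.network, None))           # connected route
            owner[iface.ip] = node
        if node in DEFAULT_GW:
            routes.append((ip_network("0.0.0.0/0"), ip_address(DEFAULT_GW[node])))
        tables[node] = routes
    if tunnel_up:                                          # VPN_Hanoi connected
        for node, a in TUNNEL.items():
            iface = ip_interface(a)
            owner[iface.ip] = node
            tables[node].append((iface.network, None))
        for node, (prefix, via) in DEMAND_DIAL_ROUTES.items():
            tables[node].append((ip_network(prefix), ip_address(via)))
    return tables, owner


def lookup(routes, dst):
    """Longest-prefix match over one routing table; None when nothing matches."""
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def trace(src_node, dst, tunnel_up, max_hops=30):
    """Replay tracert from src_node; returns (delivered, [hop addresses]).

    Each hop records the address the packet was forwarded to, which is what
    tracert prints for that router, followed by the destination itself.
    """
    tables, owner = build_tables(tunnel_up)
    dst = ip_address(dst)
    node, hops = src_node, []
    for _ in range(max_hops):
        route = lookup(tables[node], dst)
        if route is None:                     # no route: this router drops it
            return False, hops
        _network, next_hop = route
        if next_hop is None:                  # connected network: deliver locally
            if owner.get(dst) is None:
                return False, hops
            hops.append(str(dst))
            return True, hops
        hops.append(str(next_hop))
        node = owner[next_hop]
    return False, hops


if __name__ == "__main__":
    print("ROUTER1 -> 10.2.0.2, tunnel down:", trace("ROUTER1", "10.2.0.2", False))
    print("CLIENT2 -> 172.16.4.3, tunnel down:", trace("CLIENT2", "172.16.4.3", False))
    print("CLIENT2 -> 172.16.4.3, tunnel up:", trace("CLIENT2", "172.16.4.3", True))
```

With the tunnel down the CLIENT2 packet reaches the INTERNET router, which has no route to 172.16.4.0/24 and drops it; with the tunnel up the hop list reproduces the page's tracert (172.16.56.1, 172.56.200.2, 172.16.4.3), and the reverse direction from CLIENT1 works through ROUTER1's static route to 172.16.56.0/24.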

Figure: a site-to-site VPN model. Image: Microsoft.

L2TP/IPsec is more secure than PPTP or IPsec tunnel mode: PPTP authenticates only the user and IPsec tunnel mode only the computer, whereas L2TP/IPsec authenticates both. For computer authentication you can choose between certificates and a pre-shared key; certificates are the safer option, but a pre-shared key is a reasonable choice when you cannot issue certificates to the VPN gateways. Before deciding on a pre-shared key, note the following:
- All clients and gateways must use a single shared key.
- If the key is changed for security reasons (and shared secrets should be changed regularly), it has to be changed by hand on every machine that uses it to connect to the VPN gateway.
- The key is visible in the ISA server's configuration interface and in the registry, so anyone with access to the ISA server can read it. A certificate installed on the server, by contrast, has a private key that is not exportable, so an intruder can only use it after taking control of the machine itself.
- The Unicode string of the key is converted to ASCII binary, and the ASCII form is used if the connection succeeds with it. If the ASCII form is rejected, the Unicode form is sent instead; devices that do not support Unicode may then reject it, and the connection fails.

Test scenario
Company XYZ has its head office in Hanoi and a branch in HCMC and wants to link them with an L2TP VPN using a pre-shared key. L2TP requires the same set of computers as the PPTP site-to-site lab, but the steps differ.

The lab has two firewalls, one at the head office and one at the branch; a domain controller (DC) running Exchange 2003; and a client behind the branch's ISA firewall. The firewalls run Windows Server 2003 SP1 and ISA Server 2006.

Building the VPN takes seven steps:
- Create the remote site network (HCMC) on the head-office (Hanoi) firewall.
- Create the VPN gateway dial-in account at the Hanoi office.
- Create the remote site network at the HCMC office.
- Create the Network Rule at the HCMC office.
- Create the Access Rules at the HCMC office.
- Create the VPN gateway dial-in account at the HCMC office.
- Activate the links between the LANs.

Step 1: create the HCMC network on the ISA firewall at the Hanoi office
1. On the ISA firewall at the Hanoi office, open the Microsoft Internet Security and Acceleration Server 2006 console, expand the server name and click the Virtual Private Networks node.
2. Click the Remote Sites tab in the details pane, then the Tasks tab in the task pane, then Add Remote Site Network.
3. On the Welcome to the Create VPN Site to Site Connection Wizard page, type the name of the remote network in Site to site network name; in this example, VPN_TPHCM. Click Next.
4. On the VPN Protocol page you have three protocol choices; select Layer Two Tunneling Protocol (L2TP) over IPSec. Click Next.
5. A dialog box tells you that you must create a user account on the Hanoi ISA firewall. The HCMC ISA firewall will use this account to authenticate to the head-office firewall. The account must have the same name as the remote network created in step 3, so it will also be named VPN_TPHCM. Click OK.
6. On the Connection Owner page, pick the machine in the array that will own the connection. This page appears only in ISA Enterprise Edition, not

in Standard Edition. If Network Load Balancing (NLB) is enabled on the array you do not choose a connection owner; NLB chooses one automatically. This lab does not use NLB and the array has a single member, so accept the default, the head-office firewall name VPN_Hanoi. Click Next.
7. On the Remote Site Gateway page, type the IP address or fully qualified domain name of the remote network's VPN server. Accepting a name is new in ISA 2006; the previous version accepted only an IP address. This is useful when branch offices have dynamic IP addresses, since DNS is then the only reliable way to reach them. In this example, tphcm.xyz.com.vn. Click Next.
8. On the Remote Authentication page, check Local site can initiate connections to remote site using these credentials. Type the name of the account you will create on the HCMC firewall to let the Hanoi office connect; in this example, VPN_Hanoi in User name. Domain is the name of the ISA Server 2006 firewall at the HCMC branch, here ISA2006VPN_TPHCM. If that firewall is also a domain controller, use the domain name instead of the machine name. Type and confirm the password in the next two boxes. Click Next.
9. On the L2TP/IPSec Outgoing Authentication page, choose the method used to authenticate to the HCMC firewall. In this lab, select Pre-shared key authentication and type the key in the corresponding box. Click Next.
10. On the Network Addresses page, click Add Range. In the IP Address Range Properties dialog box, type 10.0.1.0 in Starting address and 10.0.1.255 in Ending address. Click OK.
11. Click Next on the Network Addresses page.
12. On the Remote NLB page, check whether NLB is used on the remote firewall. If so, check The remote site is enabled for Network Load Balancing and add the IP addresses of the HCMC NLB array with the Add Range button. This lab does not use NLB, so leave The remote site is enabled for Network Load Balancing unchecked. Click Next.
13. On the Site to Site Network Rule page you can create the Network Rule that connects the head office to the branch. Note that the ISA firewall always requires a Network Rule connecting networks to each other.
Even once the networks and Access Rules exist, the connection does not work until you create a Network Rule. The ISA firewall now addresses a problem many administrators ran into with the previous version, ISA 2004: they forgot the Network Rule or did not know it was needed. The 2006 version asks for it right in the wizard. Select Create a Network Rule specifying a route relationship and accept the default name. (Note: you can select I'll create a Network Rule later if you prefer to create the Network Rule yourself. The default option creates a route relationship between the head-office and branch networks.) Click Next.
14. Another notable feature of the 2006 version is the Site to Site Network Access Rule page, where you can create an Access Rule allowing connections from the head office to the branch. Select Create an allow Access Rule. This rule will allow traffic between the Internal Network and the new site to site Network for all users; the Apply the rule to these protocols drop-down list then offers three choices:
- All outbound traffic: use this to allow all traffic from the head office to the branch.
- Selected protocols: use this to control the traffic from the head office to the branch. To limit the connection to certain protocols, select it and click Add for each protocol. Note: at this point you cannot restrict protocol use per user; wait until the wizard finishes and then change the rule under Firewall Policy.
- All outbound traffic except selected: allow everything but block specific protocols. Click Add to pick the protocols to block.
In this lab, select All outbound traffic. Click Next.
15. Click Finish on the Completing the New Site to Site Network Wizard page.
16. The Remaining VPN Site to Site Tasks dialog box reminds you that you must create a user account named VPN_TPHCM. Click OK.
17. Select the Remote Site Network and click the Edit Selected Network link in the task pane.
18. In the VPN_TPHCM Properties dialog box, the General tab shows information about the Remote Site Network. You can enable or disable the site-to-site VPN connection from this tab.

19. On the Server tab you can change the connection owner for the site-to-site VPN. You can designate a specific machine only when NLB is not enabled on the ISA firewall's external interface; if NLB is enabled there, the connection owner is assigned automatically. Note that you can build arrays of VPN gateways without enabling NLB, but in most cases you should use load balancing.
20. On the Addresses tab you can change or add the remote network's addresses.
21. On the Remote NLB tab you specify the IP addresses assigned to the remote network's VPN gateway. You only need to configure these if the remote VPN gateway uses NLB. In this lab nothing is added, because NLB is not enabled on the ISA firewall at the HCMC office.
22. On the Authentication tab, choose the authentication protocol the ISA firewall uses with the branch gateway. The default is Microsoft CHAP Version 2. The most secure choice is EAP, but it requires you to assign user certificates to the accounts.
23. On the Protocol tab, configure the VPN protocol used to build the tunnel for the virtual private network. The pre-shared key can be changed here.
24. On the Connection tab you can change properties of the remote network's VPN gateway, including how long the VPN connection is kept up while idle. The default is Never drop the connection. Close the VPN_TPHCM Properties dialog box.
25. Right-click the Remote Site Network and choose the Site to Site Summary command. The dialog box shows the settings on this side and, under Required site to site settings for the other end of this tunnel, what the remote side must be configured with.
26. Finish by clicking Apply to save the changes, then OK in the Apply New Configuration dialog box.
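As an added example (not the article's or Microsoft's code), the following Python script reduces the ISA policy behaviour described in steps 13 and 14 above to two tables, Network Rules and Access Rules, and shows why the wizard insists on the Network Rule: an allow Access Rule between Internal and VPN_TPHCM permits nothing until a Network Rule joins the two networks, a route relationship is symmetric while Access Rules are directional, and a Selected protocols rule blocks everything it does not list. The VPN_TPHCM range is the page's 10.0.1.0 to 10.0.1.255; the head-office Internal range is an assumption, since the page does not give it.

```python
"""Network Rule versus Access Rule evaluation for the ISA site-to-site lab (Part 8).

Added example, not code from the original article or from Microsoft. The
decision order (network relationship first, then access rule, default deny)
is the behaviour the page describes; the Internal address range is assumed.
"""
from ipaddress import ip_address, ip_network

NETWORKS = {
    "Internal": ip_network("10.0.0.0/24"),    # assumed head-office LAN (not on the page)
    "VPN_TPHCM": ip_network("10.0.1.0/24"),   # remote site network entered in the wizard
}

# Network Rule: (from_networks, to_networks, relationship). A route relationship
# applies in both directions; a NAT relationship only from -> to.
WIZARD_NETWORK_RULE = ({"Internal"}, {"VPN_TPHCM"}, "route")

# Access Rules: (from_networks, to_networks, protocols); "*" = All outbound traffic.
ALL_OUTBOUND = ({"Internal"}, {"VPN_TPHCM"}, {"*"})
SELECTED_ONLY = ({"Internal"}, {"VPN_TPHCM"}, {"HTTP", "RDP"})


def network_of(ip):
    """Name of the defined network containing ip, or None."""
    ip = ip_address(ip)
    for name, net in NETWORKS.items():
        if ip in net:
            return name
    return None


def networks_linked(network_rules, src_net, dst_net):
    """Return the relationship that lets src_net reach dst_net, or None."""
    for frm, to, rel in network_rules:
        if src_net in frm and dst_net in to:
            return rel
        if rel == "route" and src_net in to and dst_net in frm:
            return rel                         # route relationships are symmetric
    return None


def evaluate(src_ip, dst_ip, protocol, network_rules, access_rules):
    """Decide one connection: Network Rule first, then Access Rules, else deny."""
    src_net, dst_net = network_of(src_ip), network_of(dst_ip)
    if src_net is None or dst_net is None:
        return "deny: address not in any defined network"
    rel = networks_linked(network_rules, src_net, dst_net)
    if rel is None:
        return "deny: no Network Rule between %s and %s" % (src_net, dst_net)
    for frm, to, protocols in access_rules:
        if src_net in frm and dst_net in to and ("*" in protocols or protocol in protocols):
            return "allow (%s)" % rel
    return "deny: no Access Rule permits %s" % protocol


if __name__ == "__main__":
    hq, branch = "10.0.0.10", "10.0.1.20"
    print(evaluate(hq, branch, "SMB", [WIZARD_NETWORK_RULE], [ALL_OUTBOUND]))
    print(evaluate(hq, branch, "SMB", [], [ALL_OUTBOUND]))            # no Network Rule
    print(evaluate(hq, branch, "SMB", [WIZARD_NETWORK_RULE], [SELECTED_ONLY]))
    print(evaluate(branch, hq, "HTTP", [WIZARD_NETWORK_RULE], [ALL_OUTBOUND]))
```

The last call shows why the procedure also creates Access Rules at the HCMC office: the route relationship lets the branch reach head office, but the head-office outbound rule does not cover traffic that starts at the branch.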
