

RESOURCE CD-ROM DISK (“CD”) FROM TECHREPUBLIC. BY
THE TERMS AND CONDITIONS OF THIS AGREEMENT, IMMEDI-
MONIES PAID, IF ANY.

The articles, forms, tools, templates, programs, and other materials included on this CD and their compilation (the ‘Collection’) are
by the terms and conditions of this Agreement. TechRepublic owns the title to the Collection and to all intellectual property rights therein, except in so far as it contains materials that are proprietary to third-party suppliers. All rights in the Collection except those expressly granted to you in this Agreement are reserved to TechRepublic and such suppliers, as their respective interests may appear.

1. Limited License
TechRepublic grants you a limited, nonexclusive, nontransferable license to use the Collection on a single dedicated computer. This Agreement and your rights hereunder shall automatically terminate if you fail to comply with any provision of this Agreement. Upon such termination, you agree to destroy the CD and all copies of the CD, whether or not lawful, that are in your possession or under your control.

2. Additional Restrictions
A. You shall not (and shall not permit other persons or entities to) directly or indirectly, by electronic or other means, copy or reproduce (except for archival purposes as permitted by law), publish, distribute, rent, lease, sell, sublicense, assign, or otherwise transfer the Collection or any part thereof or this Agreement, and neither the CD nor its contents can be shared over a network for access by multiple users without a separate site license agreement. Any attempt to do so shall be void and of no effect.
reverse-engineer, decompile, disassemble, merge, modify, create
C. You shall not (and shall not permit other persons or entities to)
trademark, or other proprietary notices or legends from any portion of the Collection or any related materials.

3. Limited Warranty and Limited Liability
OF NINETY (90) DAYS AFTER DELIVERY TO YOU. TECHREPUBLIC’S AND ITS SUPPLIERS’ ENTIRE LIABILITY AND YOUR EXCLUSIVE REMEDY SHALL BE LIMITED TO THE REPLACEMENT OF THE ORIGINAL CD, IF DEFECTIVE, WITHIN A REASONABLE PERIOD OF TIME.
B. EXCEPT AS SPECIFICALLY PROVIDED ABOVE, THE COLLECTION IS PROVIDED ‘AS IS’ WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE RESULTS AND PERFORMANCE OF THE SOFTWARE AND OTHER MATERIAL THAT IS PART OF THE COLLECTION IS ASSUMED BY YOU, AND TECHREPUBLIC AND ITS SUPPLIERS ASSUME NO RESPONSIBILITY FOR THE ACCURACY ON APPLICATION OF OR ERRORS OR OMISSIONS IN THE COLLECTION. IN NO EVENT SHALL TECHREPUBLIC OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE COLLECTION, EVEN IF TECHREPUBLIC OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE LIKELIHOOD OF SUCH DAMAGES OCCURRING. TECHREPUBLIC AND ITS SUPPLIERS SHALL NOT BE LIABLE FOR ANY LOSS, DAMAGES, OR COSTS ARISING OUT OF, BUT NOT LIMITED TO, LOST PROFITS OR REVENUE; LOSS OF USE OF THE COLLECTION; LOSS OF DATA OR EQUIPMENT;
IN THE COLLECTION; THE COST OF SUBSTITUTE SOFTWARE,
C. THE WARRANTIES AND REMEDIES SET FORTH HEREIN ARE
EXPRESSED OR IMPLIED. NO TECHREPUBLIC AGENT OR EMPLOYEE OR THIRD PARTY IS AUTHORIZED TO MAKE ANY MODIFICATION OR ADDITION TO THIS WARRANTY.

4. U.S. Government Restricted Rights
The Collection is licensed subject to RESTRICTED RIGHTS. Use, duplication, or disclosure by the U.S. Government or any person or entity acting on its behalf is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software Clause at DFARS (48 CFR 252.227-7013) for DoD contracts, in paragraphs (c)(1) and (2) of the Commercial Computer Software and the Restricted Rights clause in the FAR (48 CFR 52.227-19) for civilian agencies or in other comparable agency clauses. The contractor, manufacturer, is TechRepublic.

5. General Provision
Nothing in this Agreement constitutes a waiver of TechRepublic’s or its suppliers’ rights under U.S. copyright laws or any other federal, state, local, or foreign law. You are responsible for installation, management, and operation of the Collection. This Agreement shall be construed, interpreted, and governed under California law.

CD-ROM Requirements
The TechRepublic Resource CD requires:
• Windows 98/98SE/ME/NT4/2000 or XP
• Internet Explorer 5.0 or later
• 16 MB of RAM or more
• 10 MB of free disk space or more
• Windows-compatible CD-ROM drive

Administrator's Guide to VPN and Remote Access, Second Edition

TechRepublic Credits and Copyrights
Managing Editor, Ancillaries: Janice Conard
Track Editors: John Sheesley, Jack Wallen, Jr., Jim Wells
Community Editors: Paul Baldwin, Toni Bowers, Bill Detwiler, Jason Hiner, Judy Mottl
Senior Review Editor: Rich Crossett
Review Editors: Kachina Dunn, Jody Gilbert, Kim Mays, Geri Perkins, Dennis Ryan
Copy Editors: Susan Craig, Selena Frye, Susan Mitchell, Lauren Mosko, Julie Tonini, Linda Watkins
Editorial Intern: Lindsay Puckett
Product Manager, Content Management: Travis Frazier
Graphic Artists: Natalie Strange, Kimberly Wright
Content Resources Manager: Marilyn Bryan
Promotions Manager, Membership: Megan Hancock
Membership Director: Dan Scofield
Director of Community Content: Veronica Combs
Editor in Chief, TechProGuild and Ancillaries: Erik Eckel
Editor in Chief, TechRepublic: Lisa Kiava
Vice President, Membership: Jon Pyles
Vice President, TechRepublic: Bob Artner

TechRepublic, 9900 Corporate Campus Drive, Suite 1500, Louisville, KY 40223
E-mail:

© 1995-2002 by CNET Networks, Inc. All rights reserved. TechRepublic and its logo are trademarks of CNET Networks, Inc. All other product names or services identified throughout this book are trademarks or registered trademarks of their respective companies.

Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. CNET Networks, Inc. disclaims all warranties as to the accuracy, completeness, or adequacy of such information. CNET Networks, Inc. shall have no liability for errors, omissions, or inadequacies in the information contained herein or for the interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

ISBN 1-931490-43-0

Increasingly, leaders throughout the enterprise are recognizing the business benefits of providing authorized users remote access to electronic data. However, as an IT professional, you know that the risks associated with transferring data across the Internet can far outweigh the benefits of, say, being able to check e-mail from anywhere in the world. How do you reconcile the need to provide remote access to sensitive corporate data with the greater need to safeguard it?

The solution for many IT organizations is to create a secure tunnel for data transfer via a virtual private network (VPN). As you know, VPN technology lets users take advantage of high-speed Internet access while minimizing the Internet’s attendant security risks. To more thoroughly understand the ins and outs of VPN implementation in today’s enterprise computing environments, look no further than TechRepublic’s Administrator’s Guide to VPN and Remote Access, Second Edition.

In this updated version of one of our most popular titles, you’ll find expert information and advice to help you:
• Determine how to provide remote access without compromising data security.
• Set up and administer VPNs within Windows, NetWare, and Linux networks.
• Configure VPN connections with firewalls.
• Optimize VPN and remote access connections.
• Troubleshoot TCP/IP and other data transfer protocol issues.
• Identify and evaluate a wide range of remote access solutions.

As an added bonus, the searchable CD-ROM includes a special chapter of case studies by in-the-trenches IT professionals, including two pieces on TechRepublic’s own VPN implementation.

If you have suggestions or comments regarding this product, please e-mail us at
Quick Reference
Introduction to VPN and Remote Access ........................................................1
Security ....................................................................................................159
Solutions ....................................................................................................207
Case Studies ......................................................................................CD-ROM
Administrator's Guide to VPN and Remote Access, Second Edition

Introduction to VPN and Remote Access

Virtual private networks: The current state ..................................................................................................1
Understanding virtual private networking ....................................................................................................5
Going beyond the buzz to understand VPN technology ..........................................................................8
Virtual private networks save money, increase productivity ....................................................................11
How can using a VPN benefit your company? ..........................................................................................13
Understand your organization’s needs before selecting VPN hardware ................................................14
Cost benefit of VPN appliances vs. VPN servers ....................................................................................15
Telecommuting: Balancing the need for speed and security ....................................................................17
Access your home PC from the office ........................................................................................................19

Managing remote access to your network ..................................................................................................23
Understanding and troubleshooting virtual private networking ..............................................................26
Controlling the dial-up bandwidth on your VPN ......................................................................................34
Making the connection with Windows 2000 Professional Dial-Up Networking ................................35
Understanding demand dial connections in Windows 2000 ....................................................................43
Configuring Windows 2000 for demand dial connections ......................................................................46
How to configure Win2K client VPN connections ..................................................................................50
Setting up a VPN with Windows 2000 ........................................................................................................53
Issues surrounding a Windows 2000 VPN implementation ....................................................................58
Setting up a Windows 2000 virtual private network..................................................................................60
Introducing Windows 2000 Routing and Remote Access ........................................................................63
Configuring Routing and Remote Access on your Windows 2000 server ............................................68
Configuring Windows 2000 as a remote access server ............................................................................75
Increasing Windows 2000 RRAS security ..................................................................................................78
Routing and remote access on Windows 2000 Advanced Server ..........................................................82
Optimize inbound client connections for your Windows 2000 VPN servers ......................................85
VPN networking services built for speed....................................................................................................91
Optimal VPN server configuration and management ..............................................................................95
Troubleshoot Windows RAS and VPN connections with these tips ....................................................99
Learn why NAT can cause VPN connection problems ........................................................................102
Create a gateway-to-gateway VPN with ISA Server 2000 ......................................................................104
Troubleshoot ISA Server VPN connections ............................................................................................108
Configure Windows XP Professional to be a VPN server ....................................................................113
How to configure Windows XP client VPN connections......................................................................118
Configure Windows NT to support VPN connections..........................................................................119
Monitoring and troubleshooting VPN connections in WinNT ............................................................124
The Win9x VPN client connection guide ................................................................................................127
Understanding Exchange 2000 Server’s Outlook Web Access..............................................................132
Enabling Web access of Exchange accounts using Outlook Web Access ..........................................137
Enhance Exchange 2000 OWA using front-end servers ........................................................................141
Implementing site-to-site VPN with BorderManager 3.x ......................................................................143
Setting up client-to-site VPN in BorderManager 3.x ..............................................................................148
Serving up NetWare’s Web Manager..........................................................................................................153
Believe it or not: A Linux VPN without kernel recompilation ............................................................155

Configuring VPN connections with firewalls ..........................................................................................159
Securing the Edge: Windows 2000 Firewall/VPN and beyond: The firewall ....................................162
Securing the Edge: Windows 2000 Firewall/VPN and beyond: Tuning the security........................164
Secure Shell: Protecting data in transit ......................................................................................................165
Making the most of OpenSSH ..................................................................................................................170
Protect your VPN by keeping a tight rein on passwords ......................................................................173
TechRepublic’s TCP/IP primer ..................................................................................................................177
Troubleshoot your network errors with TechRepublic’s TCP/IP checklist ........................................180
Troubleshoot Novell TCP/IP network errors with TechRepublic’s checklist ....................................183
Putting the “private” in virtual private networking..................................................................................186
Configuring certificates for an L2TP/IPSec VPN ..................................................................................191
Customize the security of L2TP/IPSec connections ............................................................................196
Troubleshooting L2TP/IPSec VPN connections in Win2K ................................................................199
The Windows NT 4.0 PPTP VPN client connection guide ..................................................................202

VPN services on a Cisco PIX firewall ......................................................................................................207
Eight commonly overlooked troubleshooting tips for the Cisco PIX VPN ......................................210
SonicWALL PRO-VX provides fast, simple firewall and VPN solution ............................................213
The D-Link DI-704 cable/DSL gateway ..................................................................................................215
Who said you can’t afford your own router? ............................................................................................220
Sharing Internet access with just one IP address ....................................................................................222
Share small office broadband pipes using a Linksys router and Win2K Pro......................................224
Check Point offers integrated firewall and VPN on Linux ....................................................................228
High marks for Mangosoft’s VPN alternative..........................................................................................230
More options for secure collaboration ..........................................................................................CD-ROM

Case Studies
Dealing with the growing pains of a site-to-site VPN ................................................................CD-ROM
International VPN can have its challenges ....................................................................................CD-ROM
How to resolve two common VPN problems..............................................................................CD-ROM
A TechRepublic member shares his VPN success story ............................................................CD-ROM
Free VPN solution had a major impact on this company ..........................................................CD-ROM
A VPN case study: A creative solution for a VPN-based WAN ..............................................CD-ROM
Admin finds low-cost VPN solution using Linux........................................................................CD-ROM
Introduction to VPN and Remote Access
This opening chapter provides an overview of the benefits of virtual private networking, the
technology that makes it possible, and some of the issues that must be considered when planning
a VPN implementation.

Virtual private networks: The current state..............................................................................................1

Understanding virtual private networking ................................................................................................5
Going beyond the buzz to understand VPN technology ......................................................................8
Virtual private networks save money, increase productivity................................................................11
How can using a VPN benefit your company? ....................................................................................13
Understand your organization’s needs before selecting VPN hardware ..........................................14
Cost benefit of VPN appliances vs. VPN servers................................................................................15
Telecommuting: Balancing the need for speed and security ..............................................................17
Access your home PC from the office....................................................................................................19
Virtual private networks: The current state
May 4, 2000
By Scott Lape

A virtual private network (VPN), by definition, is simply secure access to data and/or resources over a private network. That private network is carried over public data lines and uses a tunneling protocol and encryption so that only the individuals or machines for whom the data and/or resource is intended can use it.

Over the past few years, VPN has become one of the most-used acronyms in the history of the networking industry. Every company that can possibly justify instituting a VPN solution is chomping at the bit to do so.

In this article, I’ll discuss the benefits of deploying a VPN and examine the design and technology behind it.

The path of least resistance
They (you know—all of those “experts” out there who know everything) say that VPNs and related services will have a market of greater than $10 billion by 2001. CEOs, CIOs, networking executives, and even the managers below them have become very well read in the area of VPNs. Something about the promise of having secure access to a corporate network from darn near anywhere in the world is tremendously appealing—not to mention the convenience and relatively low expense associated with setting up and maintaining a highly available global network. It seems that in a world of nonstandard standards and rapidly changing technologies, a VPN (which is largely standards-based) is the path of least resistance to a highly available, reliable, and secure network to which you could potentially connect (with the right tools) from a thatched hut in the Himalayas.

On the surface, the high-level benefit of a VPN seems great. One small fact to keep in mind: Understanding the benefits and the technologies of a VPN and how it works is very different from knowing you need one. The only way to truly reap the benefit is to dig into the technology and its foundation. Many of the above-mentioned professionals and others alike have only begun to scratch the surface of the potential of virtual private networking, its services, and its capabilities.

VPN from the clouds
It is only appropriate to touch on the benefits of deploying a VPN prior to delving into its technologies. These benefits are not all that exist, nor do they apply to every organization and circumstance. Your actual results and benefits may vary.

Cost seems to drive and control many projects in the networking industry. Technologies are available to provide almost any desired or required result, assuming that a company’s pockets are deep enough. Realistically, every member of every technology team faces some, if not many, budgetary constraints. (If you’re a hiring manager and your company’s projects don’t have any monetary or budgetary constraints, please e-mail me and I will forward you a résumé.) Members of information technology departments and their managers are paid to find and implement better ways to reach an end. Better can mean faster or more reliable, secure, or available. Generally, a better way to reach a similar end equals—whether directly or indirectly—less expensive. And VPNs may be the answer for many companies.

One of the best-known benefits of VPNs is access to resources from any point on the Internet. This access could potentially provide companies that currently manage multiple network points of entry with the ability to maintain a single point of entry. A fast connection to the Internet via an Internet service provider (ISP) could take the place of many, if not all, other data lines and remote-access media. A single high-speed line could replace the function of multiple point-to-point connections, Frame Relay, ISDN, and analog modems. Each of these connectivity options requires some piece of unique hardware, which in turn requires unique management and expense. The single link could transport all required traffic to and from remote users and remote sites.
Introduction to VPN and Remote Access 1

The most apparent benefits from the reduction in the number of entry points to a corporate network are fewer potential points of failure and reduced hardware and administration costs. Another benefit is the ability to take advantage of the inherent redundancy that’s built into the Internet. A properly written service-level agreement with an ISP could potentially offload some responsibility and accountability for network uptime. No matter how high your level of redundancy and planning, however, you can’t guarantee that a worker repairing a phone line in Anywhere, USA, won’t accidentally slice through the wrong fiber-optic cable and drop one or all of the core backbones of the Internet to its knees. Catastrophic failures are just that. All the precaution in the world can’t protect against these types of problems. Luckily, though, situations like these are rare. So, using a VPN to reduce your multiple point-to-point connections is a fairly safe way to save those resources.

All the resources saved usually equate to dollars. Exactly how many dollars the savings will turn into is up for debate. Common wisdom pegs intranational remote-access savings estimates in the area of 50 percent. International estimates of savings are thought to be close to 90 percent over that of conventional remote-access solutions. Site connectivity savings are estimated to be an equally impressive 70 percent over point-to-point. These savings estimates are very generalized. VPNs have the potential to save many companies money. However, to say that implementing a VPN will save every company money would be a misstatement. In the world of technology, there’s always an exception.

While potential savings may vary, one statement holds true: Nothing can currently touch an Internet-based VPN in terms of global availability. This is facilitated by the use of the standards-based Internet Protocol (IP).

With the recent explosion of low-cost, high-speed Internet access available to many individuals’ homes, VPNs make telecommuting not only an employment alternative but also a selling point to potential employees. The labor market is the tightest it has been in history. Employers are having a hard time finding qualified individuals to fill needed positions. Telecommuting via VPNs affords companies the ability to move outside their local labor market to hire individuals who live virtually anywhere, without incurring relocation expenses.

VPN technology
Assuming that a VPN is a viable solution for a company, the two major concerns that many face are performance and security. While IP was designed to be the standard protocol of the Internet, performance and security were not necessarily factored into its design. In the early days of the Internet, neither security nor reliable performance was mandated. Standards have since been introduced to provide the network performance, security, and availability required of a secure VPN.

The major obstacles of transmitting private information over public or shared lines are familiar to most IT managers. Data transmitted via a VPN must:
• Maintain its integrity.
• Be tamper-resistant.
• Be protected from duplication (replay) by unauthorized parties.
• Remain confidential until it reaches its intended recipient.

VPNs accomplish this by creating tunnels across the Internet from the data’s point of origin to the point of delivery. These tunnels are secure paths through which encrypted data can travel without being read or altered by unauthorized parties. Protocol suites have been developed that provide the ability to form VPNs over the Internet and accomplish the goals I’ve listed. Four of these protocol suites are:
• PPTP (Point-to-Point Tunneling Protocol)
• L2F (Layer-2 Forwarding)
• L2TP (Layer-2 Tunneling Protocol)
• IPSec (Internet Protocol Security)

PPTP is a proposed standard that Microsoft has included with Windows 98, with RRAS for NT4, and in a service pack for Windows 95. PPTP uses PPP (Point-to-Point Protocol) to provide remote-access services across the Internet via a tunnel. PPP packets are encapsulated by using a modified version of the GRE (Generic Routing Encapsulation) Protocol. This encapsulation allows other protocols, including IPX and NetBEUI, to be carried by PPTP, which is one of its main attractions. By design, it functions at the Data Link layer (Layer 2) of the Open Systems Interconnection (OSI) model, allowing for transmission of protocols other than IP. In contrast, IPSec functions at the Network layer (Layer 3) of the OSI model. The main weaknesses of PPTP are its lack of support for token-based authentication and its inability to provide strong encryption. PPTP relies on PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), and MS-CHAP (Microsoft Challenge Handshake Authentication Protocol), a Microsoft Windows NT variation that uses NT domain-level security for authentication.

L2F is a tunneling protocol that encapsulates PPP packets within IP packets. It allows the use of unregistered IP addresses by hiding the IP address of the remote user from Internet users. Unlike PPTP, L2F has the ability to work directly with Frame Relay and ATM (Asynchronous Transfer Mode). L2F uses PPP for remote user authentication; however, it also supports TACACS (Terminal Access Controller Access-Control System) and RADIUS (Remote Authentication Dial-In User Service). Where PPTP allows only a single connection across a tunnel, L2F supports multiple connections. Since it functions at the Data Link layer (Layer 2) of the OSI model, L2F also provides the flexibility of being able to handle protocols other than IP.

L2TP was designed to take over where L2F and PPTP left off and become a standard approved by the IETF (Internet Engineering Task Force). It is a Layer 2 tunneling protocol that combines the best of both L2F and PPTP. It supports the transfer of protocols other than IP and is used primarily in remote-access scenarios. Although many believe L2TP to be a security-based protocol, it doesn’t provide a secure tunnel. Like L2F, it facilitates authentication of both the user and the connection. For security, L2TP must be combined with IPSec.

IPSec is widely considered to be the best solution for the implementation of a secure VPN. IPSec was originally developed to plug the security inadequacies of IPv4 in the next generation of IP, IPv6. Adoption of IPv6 has been slow, and the current need for securing IP packets is great. These two facts played a large role in the modification of IPSec to make it compatible with IPv4 in an attempt to accommodate the security needs of the current version of IP. Support for IPSec headers is optional in IPv4 but mandatory in IPv6.

For current networking applications to use IPSec, the hosts’ TCP/IP stacks must include the IPSec protocols; the applications themselves need not change. IPSec is a Layer 3 security protocol from the IETF that provides authentication and/or encryption for IP traffic for transport across the Internet. IPSec affords the sender of IP packets the ability to authenticate and/or encrypt data at the packet level.

There are two different methods of using IPSec, which were brought about by the ability to apply authentication and encryption separately to each packet. The different modes are referred to as transport mode and tunnel mode. In transport mode, only the payload of the IP packet (the transport-layer segment) is authenticated or encrypted; the original IP header stays in the clear. Tunnel mode authenticates or encrypts the entire original IP packet, header included, and wraps it in a new outer IP header, which provides even more protection against unauthorized access, interception, or attack.

IPSec is built around a number of standardized cryptographic technologies to provide confidentiality, data integrity, and authentication. For example, IPSec uses:
• Diffie-Hellman key exchanges to deliver secret keys between peers on a public net
• Public key cryptography for signing Diffie-Hellman exchanges, to guarantee

the identities of the two parties and avoid man-in-the-middle attacks
• Data Encryption Standard (DES) and other bulk-encryption algorithms for encrypting data
• Keyed hash algorithms (HMAC, MD5, SHA) for authenticating packets
• Digital certificates for validating public keys

IPSec relies on the exchange of secret keys to allow the different IPSec parties secure communications. Key management is a “key” ingredient of IPSec. There are two ways to handle these key exchanges and management within the architecture of IPSec: manual keying and the ISAKMP/Oakley scheme, also referred to as IKE (Internet Key Exchange). IKE provides the automation of key management and is the result of combining ISAKMP (Internet Security Association and Key Management Protocol), which serves as the framework for authentication and key exchange, with the Oakley Protocol, which describes various modes of key exchange. Both manual keying and IKE are mandatory requirements of IPSec.

As with any other management automation tool, the benefit of IKE is easy to see. A VPN with a small number of sites can use manual keying effectively. A VPN encompassing a larger number of users and/or supporting many remote-access users will benefit from the automation provided by the use of IKE.

IKE is designed to provide the following capabilities:

• It provides the means for protocol agreement between parties, along with which algorithms and keys to use.
• It ensures from the beginning of the exchange that you’re communicating with the intended party.
• It manages the keys that are agreed on.
• It ensures that the key exchanges are handled completely and safely.

IPSec is currently viewed as the best solution to support an IP-based environment. It includes the strong security that the other protocol suites lack: encryption, authentication, and usage of keys and their management. While IPSec is designed to handle only IP packets, PPTP and L2TP are better suited to environments requiring transmission of IPX, NetBEUI, and AppleTalk.

VPN design

Aside from the Internet, an Internet-based VPN consists of three pieces: security gateways, security policy servers, and certificate authorities. The Internet is the foundation and groundwork of a VPN. It provides the large pipes for traversal by the small tunnels created by a VPN.

A security gateway is the gatekeeper of the private network. It provides security against unauthorized access to the information on the inside. It can consist of routers, firewalls, VPN hardware, and/or software. In many cases, all or most of these functions are provided by the gateway, or vice versa.

The security policy server contains the access-list information, which dictates what and who to allow and disallow access to resources. This access list can reside in many places: a router, firewall, VPN hardware, or RADIUS server.

Certificate authorities are the governing body of key verification. This governing body can be a database residing inside the private network or can be outsourced to a third party. The latter provides the best method of key verification in cases where corporations make use of extranets.

Basic questions that should be answered before settling on the best VPN solution (if any) for your company include the following:

• How many users are at each site?
• What are the bandwidth requirements for each needed connection?
• Does the connection need to be permanent or on-demand (dial-up)?
• How much traffic will the site generate?
• Are there times when traffic is higher than others?
• What are the service-level requirements?
• Are there any problems existing in your company that will be solved by the implementation of a VPN?

4 Administrator’s Guide to VPN and Remote Access, Second Edition

• Why is a VPN better than the next competing alternative?
• Should the VPN be outsourced or built in-house?

VPN last word

Tremendous advantages accompany the implementation of a VPN for many companies. In many cases, there are also tremendous savings associated with a VPN that could make the project sponsor a corporate hero—not to mention the fact that a VPN and a fast Internet connection at a user’s home are a telecommuter’s dream. However, as with any relatively new technology, there are numerous questions to be asked and much studying to be done.

The best solutions are always based on knowledge. If a VPN is for you, look to the future. Make sure your choice is as scalable as you think you’ll need. Also, pay particularly close attention to any other regulations or requirements that are mandated by much larger bodies, such as the government. A number of options are available, some geared toward small business, some toward much larger. If your company is in need of a VPN, there’s a solution that’s right for you—just make sure you’re very aware of the requirements today and, as always, think scalable.
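The transport-mode versus tunnel-mode distinction drawn in the IPSec discussion earlier in this article, worked through in Python as an added example (not code from the book). It follows the text’s simplification, transport mode authenticating only the transport segment and tunnel mode authenticating the whole original packet inside a new outer header, rather than the real AH/ESP wire formats; the toy packet layout, HMAC-SHA256, and the addresses and key are assumptions.

```python
"""Transport vs. tunnel mode integrity protection, in the simplified model
the text uses (not the real AH/ESP wire formats).

Toy packet layout (an assumption for this example): 4-byte source address,
4-byte destination address, 2-byte payload length, payload.  The shared key,
the addresses and the HMAC-SHA256 choice are constructed for illustration."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

ICV_LEN = 32  # HMAC-SHA256 integrity check value appended to protected data


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes  # the transport-layer segment carried by the packet


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def serialize(pkt: Packet) -> bytes:
    """Header (src, dst) + length + payload, as it would travel on the wire."""
    header = ip_to_bytes(pkt.src) + ip_to_bytes(pkt.dst)
    return header + struct.pack("!H", len(pkt.payload)) + pkt.payload


def parse(raw: bytes) -> Packet:
    (length,) = struct.unpack("!H", raw[8:10])
    return Packet(bytes_to_ip(raw[0:4]), bytes_to_ip(raw[4:8]), raw[10:10 + length])


def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def protect_transport(pkt: Packet, key: bytes) -> Packet:
    """Transport mode: the original header stays in the clear and only the
    transport segment is covered by the integrity check."""
    return Packet(pkt.src, pkt.dst, pkt.payload + icv(key, pkt.payload))


def protect_tunnel(pkt: Packet, key: bytes, gw_src: str, gw_dst: str) -> Packet:
    """Tunnel mode: the entire original packet, header included, becomes the
    payload of a new packet exchanged between the two security gateways."""
    inner = serialize(pkt)
    return Packet(gw_src, gw_dst, inner + icv(key, inner))


def verify_transport(pkt: Packet, key: bytes) -> Optional[Packet]:
    body, tag = pkt.payload[:-ICV_LEN], pkt.payload[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(key, body)):
        return None
    return Packet(pkt.src, pkt.dst, body)  # header accepted as received, unverified


def verify_tunnel(pkt: Packet, key: bytes) -> Optional[Packet]:
    inner, tag = pkt.payload[:-ICV_LEN], pkt.payload[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(key, inner)):
        return None
    return parse(inner)  # gateway forwards the authenticated inner packet


def rewrite_destination(pkt: Packet, new_dst: str) -> Packet:
    """On-path change of the header that is in the clear (the only header a
    transport-mode packet has)."""
    return Packet(pkt.src, new_dst, pkt.payload)


def rewrite_inner_destination(tunnel_pkt: Packet, new_dst: str) -> Packet:
    """Same change aimed at a tunnel-mode packet: the original header now
    lives at bytes 0..9 of the protected payload, destination at 4..7."""
    body = tunnel_pkt.payload
    return Packet(tunnel_pkt.src, tunnel_pkt.dst, body[:4] + ip_to_bytes(new_dst) + body[8:])


def compare_modes() -> dict:
    """One original packet, one on-path modification (redirecting it to a host
    of the modifier's choosing): which mode notices?"""
    key = b"constructed-shared-key-from-ike"  # constructed for the example
    original = Packet("10.0.0.5", "10.0.1.9", b"GET /payroll HTTP/1.0")
    transport = rewrite_destination(protect_transport(original, key), "10.0.1.66")
    tunnel = protect_tunnel(original, key, "203.0.113.1", "198.51.100.1")
    tunnel = rewrite_inner_destination(tunnel, "10.0.1.66")
    t_result = verify_transport(transport, key)
    u_result = verify_tunnel(tunnel, key)
    return {
        "transport_tamper_detected": t_result is None,
        "transport_delivered_to": t_result.dst if t_result else None,
        "tunnel_tamper_detected": u_result is None,
    }


if __name__ == "__main__":
    print(compare_modes())
```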

Understanding virtual private networking

June 15, 2000
By Talainia Posey

Do you have traveling users on your network who wish they could connect to your corporate network from home, a hotel room, or even an airport? Unfortunately, many companies don’t have a remote access server (RAS) in place to make this possible. Even if your company does have a RAS, what are the chances that the line will be busy when you call? The reasons I’ve just listed have all made doing business on the road difficult. However, by setting up a virtual private network (VPN), you can access your corporate network from anywhere that you have access to an Internet connection. In this article, I’ll explain how VPNs work with Windows 98.

What is a VPN?

A traditional network consists of two computers that must communicate with each other. The two computers are connected by a physical medium, such as an Ethernet connection. A VPN works on the same principle. It consists of two computers that must communicate and a medium. However, unlike with traditional networks, this medium isn’t dedicated to the network in question. Often the medium is the Internet. Because both computers are connected to the Internet, it’s possible to establish a route through the Internet between the two computers. In the case of a VPN, this route is called a tunnel.

Introducing the Point-to-Point Tunneling Protocol

As you’re probably aware, a network connection requires the computers on the network to share a common protocol. A protocol is the language computers use to communicate over the connection medium.

For a standard Internet connection, computers use the TCP/IP protocol over a PPP (Point-to-Point Protocol) connection. In the case of a VPN, this concept is taken a step further. The Windows 98 implementation of virtual private networking relies on a protocol


called PPTP (Point-to-Point Tunneling Protocol). As you might have guessed by the name, PPTP is simply an extension of the PPP protocol. PPTP provides a tunnel through the logical connection medium that allows the two computers to communicate.

Because of the way PPTP works, you can use it regardless of the communications protocol your corporate network normally uses. For example, suppose your corporate network normally uses Internetwork Package Exchange/Sequenced Package Exchange (IPX/SPX). You can set up IPX/SPX on your remote computer and communicate with your corporate network using IPX/SPX packets traveling across PPTP.

Virtual private networking over the Internet

Now that you’re familiar with some of the basic concepts and terminology associated with VPNs, let’s look at how virtual private networking works in a little more detail. For the remainder of this article, I’ll assume that a remote user dialing into the Internet is making the VPN connection.

When establishing a VPN connection over the Internet, the remote user must make two connections. The first connection is to the user’s Internet service provider (ISP) by way of a dial-up session. As I mentioned earlier, this dial-up session uses TCP/IP and PPP to communicate with the ISP. At the time the connection is made, the remote user is automatically assigned an IP address by a Dynamic Host Configuration Protocol (DHCP) server at the ISP’s office.

The second connection actually creates the VPN. It uses some of the Windows 98 code that’s normally associated with dial-up networking to establish this connection over the existing PPP connection. Packets are sent across the second connection in the form of IP datagrams containing encapsulated PPP packets.

Under normal circumstances, when a remote user tries to access a corporate network via the Internet, the company’s firewall prevents PPP packets from entering the network. This means the private network is inaccessible to Internet users. However, when the company loads the VPN services, it can enable certain firewall ports that provide a route across the firewall (or router) and allow Internet users who meet specific security criteria to access the private network from across the Internet.

When a VPN server receives a packet from across the Internet, it disassembles the packet. From this packet, it can derive the name of the computer the packet was intended for. The packet also contains the underlying protocols, such as NetBEUI and IPX/SPX. Once this information has been extracted into a usable form, the packet can be passed from the VPN server to the destination computer residing on the private network. As you can see, the VPN server functions similarly to a gateway.

Because you can embed standard networking protocols into a packet that’s sent across a VPN, all standard networking features continue to work. For example, name resolution by way of a Windows Internet Naming Service (WINS) server or a Domain Name Service (DNS) server will function just as if the remote host were directly plugged into the local network.

Because name resolution continues to function, you may be wondering about the general DNS requirements. After all, addressing a computer by name across the Internet normally requires the name to be registered and globally accessible. However, in the case of virtual private networking, only the VPN server needs a valid globally accessible DNS name (with a static IP address). This is because when you send packets from the remote computer, the VPN server is as far as those packets must travel. As far as anything on the Internet knows, the VPN server is the packet’s final destination. It’s not until the VPN server disassembles the packets that they’re passed on to their true final destination. Because the packet already resides at the


local level at the time of disassembly, the Internet requires absolutely no knowledge of the name of the computer that’s the true final destination of the packet. As a matter of fact, it’s a bad idea from a security standpoint to make the name of that computer accessible via the Internet. You should place all local nodes on your network, as well as the VPN server, behind a firewall for protection.

Virtual private networking and routing

As I mentioned earlier, connecting to a VPN involves using two dial-up networking sessions. The first session establishes your Internet connection. Once you’re connected to the Internet, you can establish the VPN connection via the second dial-up networking connection. However, there are a couple of side effects you should know about.

First, when you launch the VPN session, the Internet is no longer accessible for standard access (Web browsing, e-mail, and so forth) unless the network you’re connecting to can also get to the Internet. If the remote network doesn’t provide access to the Internet, you can’t surf the Web or check your e-mail at the same time you’re connected to a VPN.

Second, you should know that establishing a VPN session kills your connection to any local networks you might be attached to. For example, suppose you’re part of a ten-user workgroup. Now suppose you establish a VPN session to a corporate enterprise network. Once you do, the corporate enterprise network will be accessible but your workgroup won’t. Consequently, you won’t be able to use Windows 98 to route packets between the two networks.

The reason for these routing limitations is the way the PPTP protocol affects Windows 98’s local routing tables. If you absolutely have to connect to the Internet, to a local network, or to both at the same time you’re connected to a VPN, you may be able to do so in some cases by using Windows 98’s Route command. The Route command can be used to make Windows 98 aware of other IP networks that you’re connected to without the aid of a router.

VPN security

Given the insecure nature of the Internet, security is a big concern with VPNs. After all, you don’t want someone to steal your packets as they flow freely across the Internet. And you don’t want your corporate network to be compromised. Fortunately, the Windows 98 implementation of virtual private networking is designed to be secure. In this section, I’ll discuss some of the aspects of VPN security that you need to be aware of.

The first step in having a secure environment is to have strong passwords. When you dial into your ISP, it typically asks for a password. However, this password grants you only an Internet connection—it has absolutely nothing to do with your VPN access. Instead, when you establish the VPN session, you’ll be prompted for a second password. This is your usual Windows NT (or Windows 2000) domain password. The password is authenticated using the same method that a RAS server uses. You can use Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), or Password Authentication Protocol (PAP) to authenticate Windows NT passwords.

Once a user has been authenticated into a Windows NT domain, all the usual security mechanisms continue to apply. For example, all NTFS permissions and share permissions apply to a user who’s connected through a VPN just as if the user were connected to a network locally.

An added level of security comes from encryption. Once a user has specified his or her password, the remote client and the VPN server generate a 40-bit encryption key that can be used to encrypt and decrypt packets. If you’re using Windows NT Server with Service Pack 1, 2, or 3, this encryption key changes every 256 packets. If you’re using Service Pack 4 or above, the encryption key changes with every packet. To further enhance security, users in the United States and Canada may use 128-bit encryption as opposed to the standard 40-bit encryption.

Firewalls

I mentioned earlier that you should always place your VPN server behind a firewall. A


firewall is designed to block all IP ports that are unused. This prevents attacks on your network by malicious Internet users. Another function of a firewall is to hide the computer names and IP addresses used on your private network from Internet users.

If you already have a firewall in place, you’ll have to enable the ports that are used by virtual private networking before the VPN server will be accessible from across the Internet. Remember that virtual private networking relies on the PPTP protocol. PPTP uses TCP port 1723 and IP protocol ID number 47. Therefore, you must enable port 1723 and ID 47 (in some cases listed as Protocol 47) before you can use virtual private networking. If they aren’t enabled, all VPN traffic will be stopped at the firewall and will never even reach your VPN server, not to mention the rest of your network.

Conclusion

In this article, I’ve discussed VPNs as they apply to Windows 98. I’ve explained a bit about the infrastructure behind a VPN, and I discussed some configuration issues you may encounter when setting up a VPN through Windows 98.

Going beyond the buzz to understand VPN technology
Oct 5, 2000
By Jason Hiner, MCSE, CCNA

VPN is one of those acronyms that describes a revolutionary technology few people appear to be using. The confusion and misinformation that swirls around VPN (virtual private network) may be the reason for this perception. In this article, we’ll focus on VPN, including the basics about how it works and the definitions of some of the buzzwords that surround this new technology.

VPN is a new way to connect your users to your network. The technology has drawn a good deal of speculation and criticism about its security and reliability. On the flip side, VPN has also received its fair share of exaggeration about its merits, including claims that it is destined to replace all dedicated T1s, frame-relay circuits, and other proven connections.

How VPN works

So what can VPN really do for you? It can provide low-cost, reliable, and secure connections to your local area network (LAN) for commuters and remote office users. How does it work? VPN essentially takes two systems, or networks, connected to the Internet and creates a secure connection using encapsulation and encryption. VPN also uses authentication and routing to further increase security and functionality.

When using a client-to-server VPN (see the sidebar article), a remote client requests a resource from its corporate LAN. The computer then dials up an ISP to connect to the Internet and creates a logical connection to the corporate VPN server. This VPN server authenticates the client and manages encapsulation and encryption on the communications between the client and the resources on the corporate LAN.

Figure A: VPN tunnel (logical connection): remote client, Internet, VPN, corporate LAN.

Figure B: VPN tunnel (logical connection): remote office, VPN server, Internet, VPN server, corporate LAN.

Figure A depicts a client-to-server VPN where a remote user connects to a corporate VPN server using Point-to-Point Tunneling Protocol (PPTP). The use of PPTP allows enterprises to extend their own corporate network through private “tunnels” over the public Internet. Using this type of interconnection, a company no longer needs to lease its own lines for wide-area communication. Instead, enterprises can securely use the public networks because the communication packets are encrypted before they are sent through the tunnel.

Figure B depicts a basic server-to-server VPN. Both of these diagrams show very simplified solutions. In reality, VPN servers often sit behind a firewall and are part of the corporate network’s “Demilitarized Zone.” Setting up a VPN usually involves some trial and error on the part of both the clients and the server. Once VPN is up and running, however, it is typically reliable if you have a dependable Internet connection on both ends.

For more on VPN with Windows products, you can go to Microsoft’s site on virtual private networking ( or read Nortel’s VPN Tutorial at

Sorting out VPN terminology

A VPN has its own subset of buzzwords, such as tunnels, PPTP, L2TP, GRE, CHAP, IPSec, and other concepts. How do they fit into the VPN picture? Let’s start with the most confusing concept—tunneling.

A VPN tunnel is a logical concept for illustrating the transfer of private data packets on the Internet, which is mostly full of packets anyone can open and read quite easily. A tunnel is not a private, dedicated path of electrons directly crossing the Internet from one spot to another. Hackers can still intercept the packets in your tunnel. But, without your encryption key, the packets are simply a jumbled mess of characters. The tunnel is simply the route taken by encapsulated packets between the two networks. Remember that tunneling encapsulation occurs at the Data Link Layer (Layer 2) of the OSI reference model.

In a Windows environment, VPN tunneling is made possible by one of two protocols—PPTP or L2TP. In a UNIX or Linux environment, SSH can be used for VPN. Cisco has a VPN protocol called L2F, and there are others. But we will focus on PPTP and L2TP for Windows networks, with an emphasis on Windows 2000, the most comprehensive Windows platform for VPN.

PPTP provides user authentication and data encryption following a protocol that has been used in Windows NT networks for several years. It accesses TCP port 1723 for communication and encapsulates PPP frames for tunneling using GRE. For authentication, PPTP can use the same authentication protocols as PPP, such as CHAP, PAP, and SPAP. For encryption purposes, however, it is best to use MS-CHAP, which in turn allows for link encryption via MPPE.

Around the same time that Microsoft created PPTP, Cisco created its own L2F protocol for VPN. Microsoft and Cisco collaborated to produce a single VPN tunneling protocol, and the result was L2TP. Like PPTP, L2TP provides user authentication and data encryption. It also provides mutual computer authentication, data authentication, and data integrity. While PPTP provides link encryption via MPPE, L2TP provides more secure end-to-end encryption with IPSec. By using IPSec


both the computer and the user are authenticated. Although L2TP is still a virgin technology and Microsoft just began supporting it with the release of Windows 2000, it is clear that the future of VPN is moving in this direction. For more detailed information on this new standard, see Request For Comment 2661 at

Whether you use PPTP or L2TP, there are a few more core concepts you should understand about setting up a VPN. You can set up a VPN using two general configurations: client-to-server and server-to-server. A server-to-server VPN allows remote office networks to connect to corporate LAN resources. VPN servers on both ends of the Internet connection authenticate each other, create the tunnel between the two networks, and allow a secure exchange between the networks. However, keep in mind that the encapsulation and encryption process can add around 30 percent in protocol overhead. This means that slow dial-up connections will be even a little slower. Nevertheless, they will still function reliably for file transfer and other basic remote access

Summing it all up

VPN can offer some great advantages over traditional remote access and dedicated lines. With the dynamic nature of organizations these days, remote access users and offices can change very rapidly. Rather than investing in expensive RAS ports and expensive dedicated lines (i.e., ISDN and frame-relay circuits), a company can increase the bandwidth of its corporate Internet connection and dynamically support remote VPN servers and clients on an as-needed basis. While this may not be the ideal solution in every case, it does allow companies to be faster and more fluid in setting up remote access when a new need arises. It also allows for a better use of resources since different users and connections can connect at different times and thus share the same infrastructure rather than requiring separate infrastructures. And, for those who are counting, all of this can result in saving some serious money.

PPTP—Point-to-Point Tunneling Protocol
L2TP—Layer-2 Tunneling Protocol
TCP—Transfer Control Protocol
GRE—Generic Routing Encapsulation
SSH—Secure Shell
L2F—Layer-2 Forwarding
CHAP—Challenge Handshake Authentication Protocol
PAP—Password Authentication Protocol
SPAP—Shiva Password Authentication Protocol
MPPE—Microsoft Point-to-Point Encryption
IPSec—Internet Protocol Security
VPN—virtual private network
DSL—digital subscriber line
XML—Extensible Markup Language
ASP—application service provider
RAS—remote access services
ISDN—Integrated Services Digital Network



Virtual private networks save money, increase productivity
Aug 21, 2000
By L. Pepper Morton

My firm had a client that had been paying about $20,000 a month in long distance data line costs and felt that a strategy change could reduce this price tag considerably as well as upgrade the data throughput capability.

The client’s strategy in the past was to give remote branch offices access to a mainframe system that would give users online access and transaction process capability. The user would have an ADDS dumb terminal located at each branch. Thus, the client installed remote and local modems and a T1 fractionated into 64k segments for each branch.

We felt like a change in strategy for the company would address a need to upgrade the remote office dumb terminals with Pentium personal computers and take advantage of the Internet with the use of a virtual private network (VPN). What follows is a case study in favor of VPN technology.

Choosing VPN over frame relay

The new strategy for this client was to upgrade the remote access user to today’s desktop solutions and interface this desktop via the Internet to the home office mainframe via one of two means:

• Frame relay
• Virtual private network

The frame relay was ideal; however, the one-time cost for the remote and local hardware was prohibitive. The company did not think they could justify the one-time cost, especially if there was a lower cost alternative. Thus, the VPN alternative was adopted.

The strategy consisted of bundling as much technology into the upgrade so that the company would be able to maximize the financial leverage of the VPN strategy over three to five years.

The cost of the installation and PC purchases would be recouped through the long distance savings on the data lines. By utilizing the Internet, the company could reduce its long distance data cost to $20 or $30 per port each month. With approximately 120 ports, this comes to around $3,600 a month versus the $20,000 the client had been paying. This may sound like a no-brainer, but there were other issues to be addressed.

Applying the VPN concept

Microsoft changed the way it handles VPNs with the advent of NT 4.0 when it added routing and remote access service (RRAS). This change was designed to enhance the VPN connectivity and reliability, but the jury is still out on the success of the change. In our effort to install the VPN, we worked closely with Microsoft’s technical support staff. We received good response, but the content seems to be a little short.

We also did quite a bit of research and discovery. We found that client dial-up connections worked with little or no problem. However, network connections do not work nearly as well. There are ample products on the market that make VPN connections a breeze, but they are somewhat costly, especially since the technology is supposed to be resident in RRAS. Since one of our main strategy objectives was to maximize our cost, we continued down the RRAS path.

Eventually, we found that the dial-up connection into an ISDN pipe via the Internet was fine for clients but not for remote network connections. The encryption code and RRAS code take up most of the data line on a 64k ISDN connection, and thus allow no room for data transmission.

Microsoft recommended that a dual-channel ISDN line would make a better connection; however, we went ahead and stepped up to a burstable T1. This would provide a little growing room for the client and remote network connections. RRAS comes with routing built into the software and therefore eliminates the need for a router. An interface card must be installed


in the NT server that connects to the ISP incoming T1.

The burstable T1 ended up costing a little more than originally anticipated, but it was still somewhat less than the original cost of $20,000 per month.

VPN implementation brings cost savings, increased productivity

We implemented these technologies for the client:

• T1 interface
• T1 burstable connection to local provider
• 36 remote network connections
• 80 dial-up client connections

As a result, the client now can accomplish:

• Transaction processing
• Desktop word processing and spreadsheets
• Network e-mail

The savings that result from this implementation are considerable:

• Total cost monthly, fixed: $3,700
• Total cost monthly, variable: approximately $3,000

So, for a total cost of $6,700 per month, the client has enhanced remote users’ ability to use the system and cut the monthly cost to operate by $13,300.

The remote desktop users responded by increasing their individual productivity, and branch managers reported a noted positive attitude change.

The large margin of cost savings will allow the client to pay for the desktop Pentium computers and other miscellaneous equipment in about six months. After six months, the savings can be added back to the bottom line.

VPNs are getting easier to install and debug. We are amazed at the number of clients who are afraid of VPN technology and therefore have not adopted this off-the-shelf technology. This client had a large margin to work with, and the VPN was a winning choice.

A virtual private network (VPN) is a private data network that makes use of the public
telecommunication infrastructure, maintaining privacy through the use of a tunneling proto-
col and security procedures. A VPN can be contrasted with a system of owned or leased
lines that can be used by only one company. The idea of the VPN is to give the company the
same capabilities at much lower cost by using the shared public infrastructure rather than a
private one. Phone companies have provided secure shared resources for voice messages.
A VPN makes it possible to have the same secure sharing of public resources for data.
Companies today are looking at using a private virtual network for both extranet and wide-
area intranet.


Using a VPN involves encrypting data before sending it through the public network and
decrypting it at the receiving end. An additional level of security involves encrypting not only
the data but also the originating and receiving network addresses. Microsoft, 3Com, and
several other companies have developed the Point-to-Point Tunneling Protocol, and
Microsoft has extended Windows NT to support it. VPN software is typically installed as part
of a company’s firewall server.

Courtesy of


How can using a VPN benefit your company?
Nov 17, 2000
By Ed Engelking II, A+

Virtual private networks, or VPNs, have become a major networking technology within just the past few years. Does VPN technology live up to its own hype? How can a VPN improve your company? This article takes a look at what a VPN is, how it works, and how it can benefit your company.

What exactly is a VPN?

A VPN is essentially a private data network that uses existing telecommunications infrastructures (regular phone lines, T1 lines, DSL, cable lines, and so on). Privacy is achieved through the use of a tunneling protocol and security procedures. VPN technology enables company offices or individuals in different locations to securely access a central network without having to dial directly in to the company network, as shown in Figure A.

Figure A: Connecting to the office network by dial-in access (remote PC, direct dial-in line, dial-in server, corporate network) compared with connecting to the office network with a VPN (remote PC, Internet, ISP server, VPN server, corporate network). This diagram illustrates the difference between a dial-in connection and a connection with a VPN.

VPN vs. traditional dial-in access

Connecting remote users via the traditional dial-in method can be costly. In order for employees to dial in to the network, the company needs a leased telephone line for multiple users to dial in on, as well as call-trafficking equipment (e.g., modems) to handle the incoming calls. A company must also consider the cost of these toll calls and the time their users stay connected. While the implementation of toll-free 800 numbers can alleviate some of this cost, there is still a significant fee for having an 800 number.

By using a VPN, however, remote users can connect to an ISP with a local phone number and from there, tunnel securely to the office network. With this configuration, the only equipment needed is a VPN server, eliminating the need for leased lines and call-trafficking equipment. Toll calls and 800 numbers are also no longer an issue, as most national or global ISPs usually have local numbers for almost anywhere in the world.

VPN for telecommuters

With more people working from home, remote-access VPNs have become an invaluable tool for many organizations. Users simply dial in to a local Internet service provider (ISP) and then establish a secure tunnel (with the VPN) to the office network. Users are then able to authenticate into their company’s network and browse as if they were in the office.

Imagine finding the perfect hire for a position, but that individual can’t relocate. VPN enables this employee to have access to the company network and the vital resources he or she needs from a remote location.

VPN for road warriors

One of the greatest benefits a VPN offers is to individuals who travel extensively. These individuals need frequent access to the company network for file sharing, checking e-mail, or other tasks that depend on connectivity. With

Introduction to VPN and Remote Access 13

a laptop, VPN, and global ISP, these road war- directly connect each office unless fiber were
riors can connect to the company network run between the locations, and this would be
from anywhere there’s a phone line. very expensive.
With a VPN, however, each network can
VPN offices around the country connect to the main office’s network and
What if your company’s main office is located then to the other branch offices. All that’s
in Miami, while your branch offices are located needed is an Internet connection, a VPN
in Los Angeles, New York, and Chicago? server for each location, and an IP address
While each branch has its own separate net- to authenticate to.
work, there aren’t many realistic ways to

Understand your organization’s needs before selecting VPN hardware
Nov 22, 2000
By Ed Engelking II, A+

In “How can using a VPN benefit your company?” (page 13), I discussed the basics of virtual private networks (VPNs) and how they could be used in traditional company networks. I also discussed the differences between general and remote access virtual private networks. In this article, I’ll focus on some questions to ask before choosing a VPN hardware solution.

Questions to ask before investing in VPN hardware
As with any network solution, VPN hardware should be chosen based on the needs of your organization. Ask yourself the following questions before buying any piece of hardware:

• How many remote access users will be connecting?
Do you have the infrastructure to support multiple remote access accounts? If your organization has a lot of users who travel and/or work from home, the hardware that you purchase needs to be able to connect multiple remote users at one time.

• How many users will be connecting at the same time?
Will 10 or 100 users be connecting simultaneously? Knowing your user base is essential for selecting the appropriate hardware. You wouldn’t want to purchase VPN hardware that supports a maximum of only 20 simultaneous users when you need one that supports 50.

• Will remote offices connect to your
Connecting entire remote offices and connecting individual remote users are two entirely different challenges. Maintaining access for remote offices can be the difference between life and death for your company. How can your employees at your organization’s remote offices work properly if they can’t access the home network?

• What kind of uptime does your organization desire?
Not all VPN hardware is created equal. While some hardware may be cheaper than others, it may pay for your organization to invest in the more costly hardware, as the uptime may be generally better. Keep in mind, however, that the operating system shares a large role in uptime as well. Without a stable OS, you won’t be able to maintain much of an uptime.

• What kind of budget does your organization have to purchase hardware?
Ideally, all equipment in every organization’s network would be top of the line. However, due to budgeting restrictions, your choices can often be limited. Despite this, it is important that you purchase the equipment that meets your budget. Don’t cut corners to add other services. Know what you need to offer your organization’s employees and make sure that it is available.

Many vendors offer VPN solutions
Now that you know what to consider when purchasing VPN hardware, what equipment is available on the market that meets your needs? There are several different vendors that offer VPN solutions. A select few of these vendors are listed below:

• 3Com VPN Solutions
3Com offers software solutions for your organization’s existing server hardware. You can also find products for mobile users, site-to-site, and secure extranet VPN systems.

• Cisco VPN
If you want top-of-the-line VPN hardware and software solutions, Cisco is your vendor of choice. However, Cisco’s products can be a bit pricey if you have a limited budget.

• IBM OS/400 VPN solution for the AS/400 server
IBM offers a VPN solution in its OS/400 operating system, designed specifically for its AS/400 server.

The vendors listed here are by far the most popular and will give you the best value for your investment. However, if you want additional solution options, you can find a list of links to several other vendors at InternetWeek (… htm). With a clear understanding of what your organization needs in a VPN solution, you should be able to find what you need from at least one of these vendors.

Cost benefit of VPN appliances vs. VPN servers
May 21, 2002
By Del Smith, CCNA, CCA, MCSE

An increasing number of organizations are using VPNs to connect branch offices, telecommuting workers, business partners, and other users to the corporate network. A superior alternative to long-distance dial-in, leased-line, or Frame Relay connections, VPNs can be used to securely carry information at a fraction of the cost.

These cost savings are the catalyst driving IT managers and administrators to develop end-to-end secure VPN solutions for their organizations. Specifically, these professionals are asking the question, “VPN appliance or VPN server, which solution provides the greatest cost benefit?” Here is a look at those options and a third: managed service providers.

Integrated appliance
When we take a look at the VPN appliances offered today, we notice two different flavors: stand-alone VPN appliances and integrated VPN appliances such as VPN-enabled firewalls and routers. With the integrated VPN appliance, we find our first and possibly most important cost benefit. Currently, deployed hardware firewalls such as the Cisco PIX, Nokia Checkpoint Firewall, and Watchguard Firebox include optional VPN capabilities out of the box.

Virtually all routers, including Cisco’s access and modular routers, also include VPN support. The cost associated with this solution is often included in the firewall or router. Getting VPN services going in this scenario often means making just a few configuration changes in the firewall or router itself. Since a discussion on VPNs falls within a comprehensive network security policy, the ability to have an integrated VPN appliance can save thousands in simplified security policy administration, particularly in environments where multiple firewalls, routers, and VPN gateways are required.

Stand-alone VPN appliances, sometimes referred to as VPN concentrators, primarily find a place in organizations where simultaneous VPN connections need to number in the thousands. They provide high availability, high performance, and scalability that is unmatched by any integrated appliance or VPN server. The increase in reliability, capacity, and throughput is not without its costs, however. Expect to pay several times more for an enterprise-level VPN concentrator with these capabilities.

VPN servers
So far, we have heard how integrated VPN appliances offer impressive cost benefits. From this, it would seem the question of whether to choose a VPN appliance or build a VPN server would be a rather simple one to answer. To determine if this scenario is true, let’s take a closer look at the option of building and using a VPN server(s) for secure Internet communications.

Microsoft, Novell, UNIX, AS400, and Linux are all capable of providing VPN services (granted, some are better than others). Chances are you run one of these common operating systems in your organization today and are very familiar with them. This can be a tremendous cost benefit to organizations that do not have an existing firewall or router with VPN capabilities.

The integration of VPN services into the operating system means that IT professionals who work with these operating systems are already familiar with how to navigate these systems and do not have to worry about learning a new product. Since most VPN appliances do not integrate well with existing networks, using servers for VPN services often means greater integration with the network, particularly in the area of authentication. Microsoft-centric organizations can take advantage of the seamless integration Windows 2000, and possibly ISA Server, has to offer when creating VPNs in conjunction with Active Directory, certificates, and smart cards. Client computers or sites that run current Microsoft operating systems will not encounter proprietary VPN issues or require an install of separate VPN client software.

Here’s where the cost benefits of using a VPN server stop. The issues of security, reliability, and cost stand out when evaluating a server-based VPN solution. There should be no surprise that a hardware-based VPN solution brings a greater degree of reliability and security than one built around a server operating system such as Microsoft. The same is true in the case of firewalls and routers. The cost associated with maintaining security patches and basic server administration add up on a monthly basis. Additionally, the cost of building a VPN server solution can run in excess of $2,500 once the costs of hardware and software are added (although Linux does offer some exceptions).

The managed option
Traditionally, VPN solutions could be categorized in one of only two areas: VPN appliances or VPN servers. Today, the introduction of managed service providers has created a third possible solution. Well-known vendors such as WorldCom, Quest, and AT&T are now offering regional, nationwide, and even international managed VPN services. This service allows companies to have an enterprisewide VPN solution without a heavy investment in infrastructure or personnel. Most managed VPN providers will monitor your organization’s VPN connections 24/7 to ensure they are available at the times when your remote users may need it most. Pricing varies but generally starts around $200 per month, per location and often includes managed firewall services and service level agreements as well.

VPNs are permitting organizations to establish secure, end-to-end, private network connections over the Internet while reducing communication costs. Implementing and maintaining VPNs requires choosing the right solution and having an in-depth understanding of public network security issues. Whether you are looking at a VPN appliance, server, or managed service provider, performing proper cost/benefit analyses can be the most important step in a successful VPN solution.

Telecommuting: Balancing the need for speed and security
Nov 17, 2000
By Mike Walton

Jay Pultz sits at the center of a home office that hums with computers, printers, and a cable modem gateway.

Pultz works for Gartner, a business technology advisor based in Stamford, CT. Because of his background working with high-speed access issues, Pultz can assure Gartner that his powerful home office isn’t a security threat to the corporation. But organizations can’t always rely on a telecommuter’s expertise to protect the business. Telecommuting carries with it a number of security, connectivity, and productivity issues.

Here’s how Pultz recommends addressing those issues. He urges organizations to consider three key issues when dealing with broadband telecommuters:

• The need to limit the number of ISPs that provide your employees broadband access.
• The unique set of security concerns that come with broadband access.
• The number of control issues your IT department can expect to face and how to limit those issues.

Broadband access: Got to love it
Pultz said he stretches the definition of broadband when he talks about it in relation to telecommuting. In his view, broadband is any access that involves a connection faster than what a user can achieve via a normal telephone connection and a dial-up modem. The technologies that fall under his definition are DSL, cable, wireless, and satellite. He limits the discussion to DSL and cable because they are most commonly used.

“I view broadband as an enabler of telecommuting,” Pultz said. Without a broadband connection, telecommuters face substantial productivity challenges. “It’s harder if you have to get access to a number of corporate resources and the Web to do your work with a 56Kbps modem compared to someone working on the LAN with the same resources.”

“Broadband access shrinks the disparity between telecommuters and workers on the company’s LAN,” he said.

“The problem is, when you look at both DSL and cable, they are both kind of local-oriented technologies that weren’t originally designed with telecommuting in mind,” Pultz said. “If an enterprise is reasonably large, providing teleworkers throughout the United States with broadband access is an issue.”

While cable access might be available for some telecommuters in a company, others in different parts of the country may have DSL. Each may have a different provider.

“You can easily end up with a situation where you have multiple technologies and multiple service providers, and that’s a hard environment for the IT department in the average company to run,” Pultz said. “If you are a smaller company and your users are all within a local area or within the footprint of a single provider, then it is less of an issue.”

“Another problem is that your telecommuters throughout the United States may not be able to get broadband of any kind because neither cable nor DSL have been fully rolled out,” he said.

On the plus side, however, a number of companies are starting to provide nationwide service, including:

• Northpoint
• WorldCom
• Verizon

Finding a single provider for an entire company will still be difficult, Pultz said, but there are good reasons to try.

“For purchase power reasons, a limited number of suppliers [is beneficial] so companies can maximize the volume discount they can get for these kinds of services,” he said.

Always on, always a danger
The second broadband telecommuting issue is the security concerns created because cable and DSL are essentially always online.

When telecommuters are using dial-up services to access the corporate VPN, they may be online for only a few hours. It is difficult, under those ephemeral circumstances, for a hacker to target the user.

Continuous connections made by cable and DSL hookups make it easier for hackers to attack the system.

“If you are a corporate teleworker, it is likely that you will have some interesting information or software on your PC,” Pultz said. “You probably have a file labeled, covertly, ‘passwords,’ which might be of interest if you are of the hacker persuasion.”

“Or you may have software on your machine that is server-like so a hacker can get access to your machine as a corporate server and from that machine, they can get to corporate resources. The corporate network assumes this is a trusted machine, but it has actually been infiltrated by a hacker…[who] can use that machine as a backdoor to get into the corporate network.”

“Companies such as Norton and BlackICE offer software firewalls that can protect your telecommuter machines,” Pultz said. “They are both very nice, but they have to be configured, they have to be in place, and the user has to not subvert them,” he said. “Unfortunately, it is easy for the user to look at the firewall technology and say, ‘I want to do something the firewall is blocking now,’ and just turn off the firewall.”

Security for the telecommuter is complicated by how you separate the home office environment from whatever else is going on in the home.

“This gets into age-old questions like, ‘Can you use your home PC for teleworking?’ and that’s something we advise against,” Pultz said. “You don’t know if that is a trusted machine. You don’t know where that machine has been.”

“You can get into really messy issues [with] confidential information. It may not be Los Alamos information, but it’s not stuff you want on a home machine.”

Limit the impact on your help desk
One of the most important decisions companies can make involves the way telecommuters interact with IT staff for support.

A typical telecommuting scheme is for the company to provide a VPN for telecommuters and then have the worker provide their own modem and cable or DSL service.

This is how most organizations set up their systems, “but the problem is that when those teleworkers have a problem, they call the IT help desk,” Pultz said, adding that the help desk is handcuffed because they don’t know how the home PC is configured, how the user is accessing the VPN, or what type of cable modem they are using. “It’s very difficult to guarantee a teleworker any level of service.”

There are some workarounds to these concerns, such as providing a company computer that has the corporate hard disk image and settings installed.

Decide what type of access is appropriate
IT managers need to make other decisions that will affect support and performance, such as which kind of network access is most appropriate for the kind of work the telecommuter does.

A worker who needs the Internet for communication and research is already defined, as far as what form of access that worker requires. In this case, a VPN via the Internet makes the most sense.

If the teleworker is handling transaction processing or production work, however, then a faster and more secure connection such as an ISDN or T1 connection may be needed. The costs would have to be weighed against the productivity of the worker.

“Worker performance also is a gateway to some potential legal issues with telecommuting,” Pultz said. One argument you might hear could be: “I got a bad performance [review], but I didn’t have a good connection so my performance suffered because you couldn’t provide me a good service compared to my counterpart, who has high-speed service,” Pultz said.

“I’d still call this kind of an experimental phase for broadband telecommuting, with the exception of a couple of very large corporations,” Pultz said.

Access your home PC from the office

Sep 28, 2000
By Brien M. Posey, MCSE

How many times have you been at the office and wished that you could get a file from your home PC? Unfortunately, driving home usually isn’t an option for network administrators. Unless you live only a few minutes from the office, the commute time just cuts too deeply into your hectic workday. Fortunately, there’s a solution. In this article, I’ll show you some techniques that you can use to remotely access your home PC from the office.

The options
In the past, setting up remote access to a home PC has been too expensive for most administrators. After all, the primary remote access method that most administrators have been trained for involves using a Windows NT Server running the Remote Access Service. A copy of Windows NT Server can be on the pricey side. Fortunately, there are alternatives.

One alternative is to set up a copy of a remote access software package, such as Symantec’s pcAnywhere, at home so that you can dial in to your PC and control it from the office. Doing so may be the easiest method of remote access, but simply running pcAnywhere has its downside. First, you have to buy a copy of pcAnywhere, which can still be a bit pricey, although not nearly as expensive as a copy of Windows NT Server. But the biggest negative in using pcAnywhere for remote access is the performance issue—pcAnywhere is true remote access software. This means that from your terminal at the office, you’ll actually see the screen of your computer at home. In addition to downloading files, you can actually run programs on your home PC. Unfortunately, such power comes at a price. Because you’re seeing the actual screen image from your home PC, all of the information about what’s on the screen has to be transmitted over the modem. Even with a 56-Kbps modem, this results in a very slow computing experience. What makes it worse is that the higher the screen resolution you’re using on your home PC, the more pixel information must be transmitted across the modem. In essence, the higher the screen resolution at home, the worse the remote access performance will be.

There is a happy medium, though. A little-known component in Windows 98 lets you set up a Windows 98 machine as a remote access server. This arrangement works very similarly to the Remote Access Service that comes with Windows NT Server. What makes this service so nice is that although you can’t use it to control your home PC remotely, you can treat your home PC as if it were a network server. For example, you can do things like map network drives and upload and download files. The other nice thing about using this service is that it’s included with Windows 98, so there’s no extra software to buy. All you need is a computer with a modem and a dedicated phone line.

The skinny on Windows 98 as a dial-up server
Although Windows 98 running as a dial-up server functions similarly to a Windows NT Server running Remote Access Service, there are some important differences. After all, Windows NT Server was designed to support entire businesses, while Windows 98 was designed for basic home use. As you can imagine, Windows 98 has much less power than Windows NT Server. Likewise, Microsoft would lose a lot of money if you could do the exact same thing with Windows 98 that you could do with Windows NT Server.

Perhaps the biggest difference between the two is that the Windows NT Server Remote Access Service can be used as a gateway to the underlying network. For example, users can dial in to the remote access server and use the connection as a gateway from which to connect to any other server on the network. Windows 98 offers this capability, but with significant restrictions. Unlike Windows NT, the Windows 98 dial-up services can be used as a gateway only to networks running NetBEUI or IPX/SPX. Because TCP/IP isn’t supported as a gateway protocol, don’t plan on being able to connect to the Internet by dialing into your home PC. You can connect to other PCs on a home network as long as the PC at your office, the dial-up server at home, and the other PCs on the home network that you want to access are all running the same protocol. The protocol in use must be either NetBEUI or IPX/SPX.

In addition to the fact that you can’t use Windows 98 as an IP router, you also can’t use it as a virtual private network (VPN) router. Another important difference is the number of allowed connections. The Windows NT Remote Access Service allows up to 256 remote dial-in connections, while Windows 98 has been limited to a single remote access connection.

Installing a Windows 98 dial-up server
To set up your Windows 98 workstation as a dial-up server, open Control Panel and double-click the Add/Remove Programs icon. When you see the Add/Remove Programs Properties sheet, select the Windows Setup tab. The Windows Setup tab contains a list of available Windows 98 components. Select the Communications option from the list and click the Details button. In the resulting dialog box, select the Dial Up Server check box and click OK twice. Windows 98 will now copy the necessary files from your Windows 98 CD.

Dial-up server security
As you can see, there’s nothing to installing the dial-up server module. But, as you can imagine, after you’ve installed the dial-up server, security becomes a concern. After all, without some security in place, any idiot who owns a computer and who knows your phone number could have unlimited access to your home computer or to your home network.

There are two basic types of security under Windows 98: user-level security and share-level security. Of these two types, user-level security is much more secure. Unfortunately, the reason that it is more secure is that it borrows some of its security infrastructure from a Windows NT Server. Therefore, unless you happen to have a Windows NT Server in your basement, user-level security really isn’t an option.

Share-level security allows you to specify general, rather than user-specific, access to each share point on the machine, such as a folder and its subfolders. Most home computer environments are better suited to using share-level security. When you dial in to your server, Windows 98 prompts you for a password. After you enter the password, you’re connected to the dial-up server. From there, you can use Windows Explorer or My Computer to explore the allowed shares on the remote server.

As you browse the remote computer, the directory structure will display only shared directories and the subdirectories beneath them. For example, if you shared the Windows directory, a user with the appropriate access could remotely access all the files in the Windows directory and all the subdirectories beneath it, such as the System directory or the Fonts directory. About a year ago, I had to temporarily set up a dial-up server. During this time, I simply shared the root directory on each drive. This allowed me to have unlimited access to every file on the system by going into a share associated with the root directory of the hard disk that contained the files that I needed to access.

The biggest thing that you need to remember about share-level security is that as you create each share, by default, the share is read-only. You can change the share to allow full access by checking the appropriate radio button, as shown in Figure A.

As you can see in the figure, you can also set a password to the share point. By doing so, any time dial-up clients try to access the share point, they will be prompted for a password.

Figure A: [Screenshot of the share’s Sharing page.] Use the Sharing page to set up read-only access, full access, or either, depending on the password.

Setting up share-level security
To set the remote access password, make sure that File And Print Sharing is installed in Control Panel’s Network section. Once you’ve installed File And Print Sharing, go to the Dial-Up Networking folder and select the Dial-Up Server command from the Connections menu. When you see the Dial-Up Server dialog box, select Allow Caller Access and then use the Change Password option to set the password that the remote access server requires the client to enter upon the initial connection. If you want to require the password to be encrypted, click the Server Type button. The Server Type dialog box contains a check box that you can use to make the dial-up server require an encrypted password from the client.

You can even set one password for read-only access and another password for full control. The level of access that a remote user gets will depend on the password entered.

Watch for overlapping security
When you create share points, you must also remember that the security that you apply is specific to each one. Each share point functions as a separate entity. For example, if you set the Windows directory to allow full control and the \Windows\System directory to allow read-only access, when you browse the remote system, you’d see both share points. If you attempted to directly access the share associated with \Windows\System, you’d just have read-only access, as you’d expect. If on the other hand, you went into the share associated with the Windows directory, you’d be able to navigate to the \Windows\System directory and gain full access to that directory. Therefore, you must be very careful not to overlap shares if you’re trying to restrict a remote user to read-only access.

Conclusion
When you need to access a file on your home PC during the course of the workday, having a remote access link can save a lot of time and trouble. In this article, I’ve discussed two ways to establish remote access for the home PC running Windows 98.
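The overlapping-share problem described under “Watch for overlapping security”, modelled as an added example (not code from the article): a small Python model of share-level security in which each share point carries its own read-only and full-access passwords, plus an audit that flags an inner share whose restriction a more permissive outer share would bypass. Share names, paths and passwords are constructed for the example.

```python
"""Model of Windows 98 share-level security with an audit for overlapping shares.

Added example, not code from the original article. It models what the article
describes: each share point carries its own passwords, and the rights a remote
user gets on a directory depend on which share they entered through, not on
the directory itself. Share names, paths and passwords are constructed.
"""
from dataclasses import dataclass
from typing import Optional
import ntpath  # backslash path handling that works on any OS

NO_ACCESS, READ_ONLY, FULL = "none", "read-only", "full"
RANK = {NO_ACCESS: 0, READ_ONLY: 1, FULL: 2}


@dataclass(frozen=True)
class Share:
    name: str
    path: str                            # local directory exported by the share
    read_password: Optional[str] = None  # None: read-only access needs no password
    full_password: Optional[str] = None  # None: full access is not offered at all

    def offered(self) -> str:
        """Highest access level this share can grant to anyone."""
        return FULL if self.full_password is not None else READ_ONLY

    def access_for(self, password: Optional[str]) -> str:
        """Access a caller gets at this share point with the supplied password."""
        if self.full_password is not None and password == self.full_password:
            return FULL
        if self.read_password is None or password == self.read_password:
            return READ_ONLY
        return NO_ACCESS


def _canon(path: str) -> str:
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def is_under(child: str, parent: str) -> bool:
    """True when child is parent itself or a directory beneath it."""
    child, parent = _canon(child), _canon(parent)
    return child == parent or child.startswith(parent + "\\")


def effective_access(shares, share_name, password, relative_path=".") -> str:
    """Access a dial-in client gets on a directory reached through one share.

    The rights come from the share that was entered, never from another share
    that happens to cover the same directory. A relative path that escapes the
    share root via '..' is refused outright.
    """
    by_name = {s.name.lower(): s for s in shares}
    share = by_name.get(share_name.lower())
    if share is None:
        return NO_ACCESS
    target = ntpath.normpath(ntpath.join(share.path, relative_path))
    if not is_under(target, share.path):
        return NO_ACCESS
    return share.access_for(password)


def find_overlapping_shares(shares):
    """Report (outer, inner) pairs where an outer share offers more access than
    a share nested beneath it: the inner restriction is then bypassable by
    browsing down to the same directory through the outer share."""
    findings = []
    for outer in shares:
        for inner in shares:
            if inner is outer or not is_under(inner.path, outer.path):
                continue
            if RANK[outer.offered()] > RANK[inner.offered()]:
                findings.append((outer.name, inner.name))
    return findings


# Constructed sample: the article's scenario of a full-control share on the
# Windows directory and a read-only share on \Windows\System beneath it.
SAMPLE_SHARES = [
    Share("WINDOWS", r"C:\Windows", read_password="ro-secret", full_password="full-secret"),
    Share("SYSTEM", r"C:\Windows\System", read_password="ro-secret"),
    Share("DOCS", r"C:\My Documents"),
]

if __name__ == "__main__":
    print("via SYSTEM share:", effective_access(SAMPLE_SHARES, "SYSTEM", "ro-secret"))
    print("via WINDOWS share:", effective_access(SAMPLE_SHARES, "WINDOWS", "full-secret", "System"))
    print("overlapping shares:", find_overlapping_shares(SAMPLE_SHARES))
```

Running the audit before enabling caller access lists every share whose read-only restriction an enclosing share would undo; the fix is to remove the enclosing share or give it the same restriction.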



In this chapter you’ll find the expert guidance you need to install, configure, and administer VPN
solutions within Windows, NetWare, and Linux networks.

Managing remote access to your network ..............................................................................................23

Understanding and troubleshooting virtual private networking ........................................................26
Controlling the dial-up bandwidth on your VPN ................................................................................34

Making the connection with Windows 2000 Professional Dial-Up Networking ............................35
Understanding demand dial connections in Windows 2000 ..............................................................43
Configuring Windows 2000 for demand dial connections ..................................................................46
How to configure Win2K client VPN connections ............................................................................50
Setting up a VPN with Windows 2000 ..................................................................................................53
Issues surrounding a Windows 2000 VPN implementation ..............................................................58
Setting up a Windows 2000 virtual private network ............................................................................60
Introducing Windows 2000 Routing and Remote Access ..................................................................63
Configuring Routing and Remote Access on your Windows 2000 server........................................68
Configuring Windows 2000 as a remote access server ........................................................................75
Increasing Windows 2000 RRAS security ..............................................................................................78
Routing and remote access on Windows 2000 Advanced Server ......................................................82
Optimize inbound client connections for your Windows 2000 VPN servers ................................85
VPN networking services built for speed ..............................................................................................91
Optimal VPN server configuration and management ........................................................................95
Troubleshoot Windows RAS and VPN connections with these tips ................................................99
Learn why NAT can cause VPN connection problems ....................................................................102
Create a gateway-to-gateway VPN with ISA Server 2000 ................................................................104
Troubleshoot ISA Server VPN connections ......................................................................................108
Configure Windows XP Professional to be a VPN server ..............................................................113
How to configure Windows XP client VPN connections ................................................................118
Configure Windows NT to support VPN connections ....................................................................119
Monitoring and troubleshooting VPN connections in WinNT ......................................................124
The Win9x VPN client connection guide ............................................................................................127
Understanding Exchange 2000 Server’s Outlook Web Access ........................................................132
Enabling Web access of Exchange accounts using Outlook Web Access ....................................137
Enhance Exchange 2000 OWA using front-end servers ..................................................................141
Implementing site-to-site VPN with BorderManager 3.x..................................................................143
Setting up client-to-site VPN in BorderManager 3.x ........................................................................148
Serving up NetWare’s Web Manager ....................................................................................................153
Believe it or not: A Linux VPN without kernel recompilation ........................................................155
Managing remote access to your network
May 26, 2000
By Ron Nutter, MCSE, CNE, ASE

Are you getting more and more requests for remote access to your network? As I'm sure you're aware, granting these requests means a greater risk that unwelcome visitors will access your network. In this article, I'll discuss a host of ideas that should serve as a starting point for implementing remote access.

There's no single solution for protecting your network and the valuable data it contains. You'll need to look at all the options I present here and decide where they'll fit into your overall scheme. The only bad decision you can make is to not make any decision at all.

Choosing the right type of remote access
With recent changes in technology, you have several options to choose from. In addition to using a POTS (Plain Old Telephone Service) line to connect to your network, you have such options as xDSL (Digital Subscriber Line), cable modem, PCS (Personal Communications Service), and even satellite.

Depending on the phone company in your area, you may hear terms like SDSL, HDSL, or ADSL. Don't be confused—this is a way of identifying the specific type of DSL service and how far away you can be from the CO (central office) that provides the service. The main requirements for DSL are:
• You must be less than 18,000 feet away from the CO.
• The CO and your location must obtain the service via copper wire.

The closer you are to a CO, the higher the speed of service. If you're receiving your service via a fiber-optic connection, you won't be able to get DSL.

Cable modem Internet service isn't as prevalent in certain parts of the country because of the infrastructure requirements placed on cable companies to provide the service. The advantage to this option is that it can be faster than its DSL counterpart and just as economical. With both DSL and cable modem, you're dealing with a connection that's always on and ready to go. This means that your users will spend less time dialing up and dealing with modem-related problems. The disadvantage to both options is that the services are good only to a fixed location (for example, your house) and can't be moved easily.

Another option is to use a PCS phone, although that may not be a good long-term solution. You have to add a small cable that connects to the base of the phone and then to the serial port on your computer. You then add some software, and you can use the already encrypted digital air link to get a connection to your network from just about anywhere that the PCS provider's network is available. The current speed runs between 14.4 and 19.2 Kbps, depending on how close you are to a tower.

Satellite connectivity was once thought to be very expensive and difficult to set up. With services such as DirecPC and others (DISH Network has announced that it will offer two-way satellite Internet service this fall), you can now consider using satellite when options such as DSL and cable modem aren't available. For example, the way DirecPC works is that you dial up a conventional ISP (Internet service provider), and then, using software provided with the DirecPC dish, you send the command you want to execute (for instance, connecting to a particular Web site). The results can be 10 to 20 times faster than you'd experience using only a dial-up connection. The only thing that can disrupt the satellite service is a snowstorm or heavy rain. Unless you live in an area with heavy or frequent storms, satellite connectivity is an option worth considering.

Don't publish the number
If you're using a dial-in connection, the number you use for remote access should be kept a fairly close secret. You should give this number only to those who have to dial in to the network directly—and then probably only with a manager's approval. Depending on the
Administration 23
frequency of staff turnover, you may need to change this number occasionally to help discourage ex-employees from causing problems on your network. Keep in mind that a war dialer sweeping your company's block of phone numbers will find the line anyway, so the secrecy of the number is only a minor hurdle; the authentication on the line still has to carry the load.

Depending on the type of PBX you have, you may want to consider using DID (Direct Inward Dial) numbers for controlling remote access. This way, you can easily busy out a phone number when a remote user doesn't need it any longer. In addition, you can track usage for department billing purposes. With DID, you don't have to worry about a bunch of individual phone lines for all your remote users. Instead, have the incoming DID trunk terminate directly into a digital modem pool.

Using a dial-back connection system
Years ago, IBM implemented a system called Guardian that was designed for users needing remote access to corporate information. With Guardian, the user dials in to a predetermined number. After properly authenticating to the system that answered the phone, the user hangs up and waits for a return call. When the call comes, the software answers the call from Guardian, provides an additional layer of authentication, and then allows the session to continue.

The problem with dial-back systems is that they require the user to be at a predetermined number unless the system is configured to allow the user to specify the number. That in itself somewhat defeats the purpose of a dial-back system by allowing the call to be redirected. With call forwarding fairly common, users may not be where you think they are. The advantage of a dial-back system is that you can avoid extra long-distance charges when calling from a hotel or using an inbound 800 number.

Letting the ISP be the modem pool
The biggest hassle of offering remote access to your network is managing what could become a fairly substantial modem pool. This could be an especially expensive proposition if you implement a digital modem pool that channelizes a T1 into multiple logical modems. Most large ISPs have modem pools in more than one city and, in many cases, on a national or even international level. This means that you are no longer tied to one or more banks of modems. Therefore, you can concentrate on having enough T1 or T3 capacity to handle the number of remote users needing to access the network.

Using RADIUS
The only problem with using an ISP as a modem pool is that you now have an additional layer of management—a user account for each user who will be remotely connecting to your network. By using RADIUS (Remote Authentication Dial-In User Service), you remove that layer of management and allow remote access to your network to be controlled from one point (your network) instead of both your and your ISP's networks. When connecting to the ISP's modem pool for authentication, users can enter something as simple as their e-mail addresses: the ISP's RADIUS proxy uses the realm (the part after the @) to forward the authentication request to your RADIUS server, and your server makes the accept-or-reject decision. Protect the shared secret between the ISP's proxy and your server as you would any other credential; it is all that keeps a third party from forging accept responses or recovering passwords from the requests.

Consider VPN for secure communications
There are varying levels of encryption. With each step up the encryption ladder, you gain more security at the cost of slower access to information. Keep in mind that regardless of any VPN (virtual private network) solution you choose to implement, the communications can be decrypted, given enough time and resources. You must determine what type of barrier can prevent hackers from gaining access to your corporate data.

You can divide the VPN solutions into two camps—hardware- and software-based. Hardware solutions such as Cisco's Secure PIX firewall can carry a huge amount of VPN-based communications. However, a software-based solution won't be able to carry as much, because it shares the processor with an existing network operating system (NetWare, in the case of BorderManager). An advantage of software-based solutions, such as Novell's BorderManager, is that they integrate with your existing network infrastructure and minimize multiple points of administration. If you need additional levels of authentication (sometimes known as strong
authentication), you can require that tokens be used that constantly generate a series of numbers. The numbers change at periodic intervals based on a mathematical formula that combines a secret seed stored in the token with the current time, so the authentication server, which holds the same seed, can compute the value it expects.

When designing a secure network solution such as a VPN, you want to avoid having a single point of failure. Depending on the number of remote users you'll support, having more than one VPN access device running is a good idea. (For example, if you're using BorderManager as your VPN solution, you may want to have more than one BorderManager server running the VPN service.) This approach ensures that if one device fails, you won't lose all your remote access. While existing firewall products can also provide VPN service, you may choose to run the service on another system so that if the firewall is down, your remote VPN users can still gain access to your network.

Using a personal firewall
While VPNs give you an encrypted link from a remote user into your network, the possibility still exists that hackers can work their way into a remote PC connected to your network. They can then jump onto the encrypted link and go right into your network with little or no challenge. Firewalls were once used only to protect access in and out of corporate networks. You can now find a host of products, such as Norton Internet Security and BlackICE, that can provide firewalls on your personal workstation or home network.

As with any solution of this nature, you'll want to have some type of subscription service to help keep the product current. As hackers find new tools to gain access to your network, you must, in turn, upgrade the tools you're using to protect access. You may want to consider learning how hackers access networks and doing the same things in a test lab so that you can continue to evaluate new tools as they become available.

As you're testing both the prospective solutions and connectivity options, don't immediately assume any potential "threats" that are identified are actually threats. For example, remote users using the @Home Internet cable service to access the corporate network will probably see periodic port probes looking for the NNTP service running on the computer they've attached to the cable modem. This is a method used by the @Home NOC (Network Operation Center) to ensure no one is running a Usenet server. Running a Usenet server is a violation of the user agreement for the @Home network.

Mandate antivirus protection for all remote users
It has been said that any solution is only as good as the weakest link in the chain. So far, I've discussed using a VPN link for an encrypted connection to your corporate network and a personal firewall to protect the remote PC. You still have one point of vulnerability: computer viruses from an e-mail attachment or a file download. There are several good solutions—McAfee, Symantec, and CAI, to mention just a few candidates. At least one vendor, Symantec, has realized that you may want a solution that involves both a personal firewall and an antivirus software program. Symantec offers a bundled solution in Norton Internet Security. The advantage of a bundled solution is that if there's a problem, you have one less company to talk to for technical support.

More and more corporate networks are running some type of antivirus solution at network entry points. Nevertheless, running an antivirus package on the remote PC introduces yet one more safeguard for your network—and one more hurdle that a potential virus must clear. Just as with the personal firewall option I discussed earlier, you'll want to have some type of subscription service available. In addition, make sure your remote users understand that they need to periodically check for updated virus signatures (or you can configure their workstation to perform that step for them). Running with outdated signatures is almost as bad as not using any antivirus solution at all.

Using Citrix or Windows Terminal Server
If you're concerned about rolling out remote access options to "computer-challenged"
users, you may want to consider using either Citrix WinFrame or Microsoft's Windows Terminal Server. You can think of these products as the equivalent of a computer running PCAnywhere on steroids. With this type of solution, however, you're getting access to a session on the computer running either WinFrame or Terminal Server and not controlling the whole system. An added advantage is that if a user has a problem logging on or running a particular application, you can "shadow" the session in question and walk the user through the problem.

Depending on your configuration, you may be able to use a fairly inexpensive computer (even an XT, in some cases) to access your network remotely without having to beef up the hardware in the field. That way, neither the application nor the data that's being accessed actually leaves your network—only screens and keystrokes are passing back and forth. You may also be able to get away with using a regular dial-up connection without making the additional investment in cable modem, DSL, or ISDN access.

The disadvantage is that you potentially will have a single box with two or more processors with more than 256 MB of RAM in your computer room to support the incoming user sessions. Consider having a second box that users can access to get to your network. (Citrix offers a server farm option that allows multiple servers to be disguised as a single logical server. Users never know they're using a different server each time they authenticate to the network.)

Conclusion
You'll need to continually evaluate your network to ensure that you have the level of protection you need. Don't ever be content that you have done everything that can be done to protect your network and the access to it. Just take things one step at a time, and don't try to implement the whole solution at once.
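The "Letting the ISP be the modem pool" and "Using RADIUS" sections above describe the arrangement only in outline. The following is an added example (it is not from the article and not from any RADIUS product) showing in Python what actually crosses the wire in that arrangement, per RFC 2865: the ISP's access server builds an Access-Request with the user's password hidden under the shared secret, the ISP's proxy picks the home server from the realm in the e-mail-style user name, the corporate server checks the credentials and signs its Access-Accept or Access-Reject with the Response Authenticator, and the access server verifies that signature before trusting the verdict. The shared secret, the realm table, the user table and the server name radius.corp.example are all made up for the example.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865) between an ISP's
access server (NAS) and a corporate RADIUS server.  Added example; the secret,
realm table and user table below are constructed, not taken from any deployment."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types, RFC 2865 section 5
HEADER = struct.Struct("!BBH")           # Code, Identifier, Length; a 16-byte Authenticator follows


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with a
    chained MD5 stream keyed by the shared secret and the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the server needs the same secret and authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def parse_packet(pkt):
    code, ident, length = HEADER.unpack(pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def build_access_request(ident, username, password, secret, authenticator=None):
    """NAS side.  The Request Authenticator must be fresh and unpredictable for
    every request: it keys the password hiding and ties the response to the request."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(password.encode(), secret, authenticator))])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator


def route_by_realm(username, realms):
    """ISP proxy side: the realm (the part after the @) names the home server,
    which is why users can log in with their e-mail address.  None = no such realm."""
    realm = username.rsplit("@", 1)[1] if "@" in username else ""
    return realms.get(realm)


def server_handle(request, secret, users):
    """Corporate server side: check the credentials and answer with a signed response.
    `users` maps local user name to password (a stand-in for a real credential store)."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    fields = dict(attrs)
    username = fields[USER_NAME].decode()
    password = reveal_password(fields[USER_PASSWORD], secret, req_auth)
    local = username.split("@", 1)[0]
    ok = local in users and users[local].encode() == password
    head = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + b"" + secret).digest()


def nas_verify_response(response, request_auth, secret):
    """NAS side: accept the verdict only if the Response Authenticator was computed
    with our secret and our Request Authenticator.  Returns the code, or None."""
    code, _ident, resp_auth, _attrs = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return code if expected == resp_auth else None


if __name__ == "__main__":
    secret = b"s3cret-shared-with-isp"          # constructed
    realms = {"example.com": "radius.corp.example"}  # constructed
    req, ra = build_access_request(1, "alice@example.com", "hunter2", secret)
    print("proxy forwards to", route_by_realm("alice@example.com", realms))
    print("verdict", nas_verify_response(server_handle(req, secret, {"alice": "hunter2"}), ra, secret))
```

Two points the code makes that the prose does not: the User-Password "encryption" is only MD5 keyed by the shared secret, so a weak or leaked secret exposes every PAP password that crosses the ISP-to-corporate link; and the Response Authenticator is the only thing that stops someone on that path from answering Access-Accept on your server's behalf, which is why the NAS must check it rather than just read the code. A real RADIUS proxy re-hides the password under the next hop's secret before forwarding (RFC 2865 section 2.3), and MS-CHAP authentication carries challenge and response attributes instead of User-Password; both are left out here for brevity.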

Understanding and troubleshooting virtual private networking
Mar 5, 2001
By Debra Littlejohn Shinder, MCSE

It's easy to understand why virtual private networking (VPN) is steadily increasing in popularity—VPNs are flexible and, with the right tunneling and authentication protocols, secure. In this article, I'll explain how VPNs work and how to troubleshoot common client-side configuration and connection problems.

Three ways to connect from the road
Over the past few years, it has become more and more important for workers to be able to connect to their company networks even when at home, on the road, or on location at clients' sites. This can be accomplished in three basic ways:
• A direct dedicated connection
• A dial-up remote access connection
• A VPN connection

The last is an attractive alternative for several reasons, including flexibility, cost-effectiveness, security, and ease of implementation.

All modern Microsoft operating systems—Windows 95 (with the Dial-up Networking 1.3 upgrade), 98, Me, NT 4.0, and 2000—include built-in support for virtual private networking,
as will the yet-to-be-released Windows XP (code name "Whistler"). Tunneling protocols and VPN client functionality can be installed from the Windows installation CD, making a computer running any of these operating systems function as a VPN client. Although Microsoft has made VPN configuration as simple as possible, even providing wizards in the latest versions of Windows, establishing and using a VPN connection can still be a little tricky.

VPN overview
Before you can effectively diagnose and correct VPN problems, you need a basic understanding of how a VPN works. A VPN connection is made by "tunneling" through a public network (typically the Internet) to reach a private network. There are three basic components involved:
• Encapsulation
• Encryption
• Authentication

Encapsulation
The link between the client and the private network emulates a point-to-point connection by encapsulating, or wrapping, the data packet (which can use any network transport protocol supported on the private network, including NetBEUI, IPX/SPX, or TCP/IP) inside a header that contains information for routing across the public TCP/IP network. Encapsulation is performed by a tunneling protocol. There are two tunneling protocols supported by Microsoft for VPN connections: the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP), depending on the operating system (see Table A).

Table A: Tunneling protocols supported by Microsoft operating systems

Operating system                                  Supports PPTP   Supports L2TP
Windows 95 with Dial-up Networking 1.3 upgrade    Yes             No
Windows 98                                        Yes             No
Windows NT 4.0                                    Yes             No
Windows 2000                                      Yes             Yes
Windows Me                                        Yes             No

Encryption
Encapsulation makes it possible for the packets to travel across the public network. Encryption provides confidentiality for the contents, creating the element of privacy. It is possible to send unencrypted data through a tunnel, but this would be virtual networking, not virtual private networking. Encryption is performed by:
• Microsoft Point-to-Point Encryption (MPPE) protocol—with a PPTP tunnel
• IP Security (IPSec) protocol—with an L2TP tunnel

VPN data encryption is between the VPN client and VPN server. The availability of encryption depends on the user-level authentication method used for the connection: MPPE derives its session keys from the MS-CHAP (or EAP-TLS) exchange, so a PPTP connection authenticated with PAP, CHAP, or SPAP cannot be encrypted.

Authentication
Authentication protocols supported by all Microsoft VPN clients include:
• Challenge Handshake Authentication Protocol (CHAP)
• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 1
• Password Authentication Protocol (PAP)
• Shiva Password Authentication Protocol (SPAP)

Additionally, Windows 2000, Windows 95 with the Dial-up Networking 1.3 upgrade, Windows 98 with Service Pack 1 or later, and Windows NT with Service Pack 4 or later support MS-CHAP version 2. Only Windows
2000 supports the Extensible Authentication Protocol (EAP). Where the client supports it, prefer MS-CHAP version 2 or EAP over the older methods: MS-CHAP version 1 has published cryptographic weaknesses, and with PAP the password crosses the Internet in the clear, because PPP authentication takes place before MPPE encryption is negotiated.

Troubleshooting common VPN problems
A VPN connection requires that both the client and the VPN server be connected to the Internet. The client connection can be either via a direct dedicated connection or a dial-up connection to the client user's ISP. The dial-up connection presents the first point of failure, so it is important to ensure that the client is properly connected to the ISP. Do this by checking the status of the dial-up connection. Attempt to ping an Internet host. If you are able to do so, you have a connection to the ISP. If not, you will need to troubleshoot your modem configuration and/or Dial-up Networking.

The most common VPN connection problems fall generally into one of the following categories:
• Problems related to the Internet connectivity on one or both sides
• Problems related to VPN server configuration
• Problems related to VPN client configuration

This article focuses on the last category, but if you are unable to detect a reason for the problem on the client side, the problem may lie in one of the other categories. Most VPN users will be running the Windows 9x/Me, NT 4.0 Workstation, or Windows 2000 Professional operating system on the client computer. Basic considerations are the same, although there are some differences in configuration dialog boxes. First, I'll look at configuration of Windows 2000 clients and then point out differences (where they exist) in other Microsoft operating systems. As with any troubleshooting situation, you should first consider the most basic (and easiest to correct) possibilities.

Invalid credentials (logon failure)
You must have a valid username and password that will allow you to connect to the VPN server. Otherwise, you will receive this message:

Your credentials have failed remote network authentication

You will be prompted to re-enter your username and password (and logon domain, if applicable). Ensure that you are entering the proper account name and password.

Your user account must be set on the server to allow remote access (although this is a server configuration problem, it is one to be aware of if your credentials are rejected by the VPN server). If you're sure the credentials you entered are correct, contact the network administrator or check the settings on the Dial-in tab of the user account properties sheet on the server.

Tunneling protocol configuration problems
If the VPN server does not support the tunneling protocol with which the client is attempting to connect, the connection will fail. Windows 9x/Me/NT clients support only PPTP as the tunneling protocol. However, when you configure a Windows 2000 client, you have three options: PPTP, L2TP, or Automatic. The last is the default (in which case the client will try to establish an L2TP connection first, then try PPTP).

If your VPN client is configured to use a different tunneling protocol from that supported by the VPN server, you will see an Error 678 message (No answer), as shown in Figure A.

Figure A: You may get an Error 678 message if the VPN server does not

This error occurs because there are no ports on the server configured to answer for the specified tunneling protocol. You may also get this message if all the PPTP or L2TP ports on the VPN server are already in use.

When you use the Network And Dial-Up Connections Wizard to create a Win2K VPN
connection, Automatic will be set as the server type (the wizard does not offer you a chance to select). However, you should check the protocol configuration in the Properties box for the VPN connection, as shown in Figure B, and change it to Automatic or to the protocol setting for which the server is configured to correct this problem.

Figure B: In Windows 2000, you can select a specific tunneling protocol.

Note that in Windows NT 4.0, only PPTP is supported, and you must install PPTP as a new protocol in the Select Network Protocol dialog box, as shown in Figure C. The VPN connection is configured by adding a VPN adapter device from the Port box in the RAS Setup dialog box. You then create a dial-up networking entry to connect to the PPTP server.

Figure C: PPTP must be installed as a network protocol in Windows NT 4.0.

In Windows 98, you add Virtual Private Networking as a Communications component from Add/Remove Programs in the Control Panel. Making a VPN connection requires using two connections: a dial-up connection to the Internet and a PPTP connection to the private network. You configure the VPN connection with the Make New Connection Wizard by selecting Microsoft VPN Adapter as the connection device instead of a modem.

If the VPN server supports only L2TP connections, you will not be able to establish a VPN with a Windows 9x/Me or Windows NT client.

You may also see the same No Answer error message presented above if PPTP filtering is enabled in the server's RAS configuration. Another possibility, if you are able to ping the server by name and address but you cannot establish a VPN connection, is that the server (or a firewall or NAT device between you and it) is filtering GRE packets. Again, this is a server-side configuration problem that cannot be corrected from the client side.

Figure D: If there is no common authentication protocol, you will get an Error 919 message.

Authentication method configuration problems
In addition to a common tunneling protocol, both client and server must support a common authentication method. If the client is not configured to use an authentication method that
the VPN server supports, you will see an Error 919 message, shown in Figure D.

In Windows 2000, check the authentication protocols allowed by the client in Advanced Security Settings (Figure E), accessed via the Security tab of the VPN connection properties sheet.

Note that the Windows 2000 client can be configured to use EAP or to allow any or all of the standard authentication methods supported by other Microsoft operating systems. If you have chosen to use EAP, you can choose either Smart Card Or Other Certificate-Based Authentication or MD5-Challenge.

Remote access policies on the VPN server can also be responsible for this error message.

Figure E: The client must use an authentication protocol that is allowed by the server.

Encryption type mismatch
Another reason your VPN connection may fail is a mismatch between data encryption requirements on the client and server. In the Windows 2000 client's Advanced Security Settings, you can choose one of the following:
• No Encryption Allowed (Server Will Disconnect If It Requires Encryption)
• Optional Encryption (Connect Even If No Encryption)
• Require Encryption (Disconnect If Server Declines)

A mismatch will result in an Error 742 message, shown in Figure F.

Figure F: An encryption type mismatch will result in an Error 742 message.

As with authentication protocols, Windows 2000 encryption settings are changed via the Advanced Security Settings property sheet, as shown in Figure G.

Figure G: You can select No Encryption, Optional Encryption, or Require Encryption.

Because the default setting is to Require Encryption, if you get this error message, you should always check out the possibility that the VPN server is set not to allow encryption. Resist the temptation to make the error go away by dropping the client to Optional Encryption: the fix belongs on the server, because an unencrypted tunnel exposes everything that crosses it.

"Unreachable Destination" problems
In all of the problems discussed above, the client is able to contact the VPN server but is
unable to negotiate a VPN connection because of configuration settings that do not meet the server's criteria. Sometimes, you'll see the Error 769 message (The specified destination is not reachable), shown in Figure H.

Figure H: If the destination VPN server cannot be contacted, you will get an Error 769 message.

There can be three causes of this error:
• The VPN server may be offline. You should attempt to ping the server to ascertain whether it is online.
• You may have entered the wrong server name or IP address for the VPN server in the client configuration properties. You should recheck the entry and ensure you have the proper name or IP address.
• There may be a name resolution problem if you are trying to connect by server name. You should try connecting by IP address instead of server name.

If you can ping the server by IP address but not by name, this means that either the server does not have a registered domain name or the DNS server on the network is down or not functioning correctly. Running nslookup servername on the client distinguishes the two: a "Non-existent domain" answer means the name is not registered, while a timeout means the DNS server itself is not answering. Keep in mind that a server that does not answer ping is not necessarily offline, since many firewalls drop ICMP echo requests; a failed ping alone does not prove the host is down.

Note that if the VPN server has a dial-up connection to the Internet, it is likely that the ISP will assign it a different IP address each time an Internet connection is established. You will not be able to connect by IP address unless you know the server's currently assigned address. More commonly, a VPN server will have a permanent (static) address and a dedicated full-time Internet connection.

Figure I: You can determine whether traffic is moving across the VPN connection by checking its Status sheet.

Figure J: Connection status is shown in the Status column of the Network And Dial-Up Connections window.
Problems after connecting
If it appears that the VPN has connected successfully, but you are unable to access resources on the server or LAN, you can check the status of the connection in several ways.

A Windows 9x/Me/2000 client will have an icon in the system tray for each remote access connection. Right-click the icon and click Status. You will see a status box similar to that in Figure I. In the Activity section, note changes in the number of bytes sent and received to confirm that traffic is going across the VPN connection.

The same properties box can be accessed via Start | Settings | Network And Dial-Up Connections. Again, right-click the VPN connection and select Status. In addition, the status for the VPN connection should show as Connected in the Network And Dial-Up Connections window, as shown in Figure J.

At the command prompt, run netstat. This will show a list of active connections, as shown in Figure K. In the Foreign Address column, you can recognize VPN connections by the appearance of the type of tunneling protocol (PPTP or L2TP) following the foreign address; netstat shows the service name from the services file, in which TCP port 1723 is listed as pptp (and UDP port 1701 as l2tp), so run netstat -n if you would rather see the numeric ports. Note the two active VPN connections in Figure K—one to a VPN server named ... and one to ...

Figure K: The netstat command will show you all active connections, including VPN connections.

If your connection is established and you can access the VPN server, but you cannot browse the LAN or access resources on other computers, there can be several reasons for the problem:
• The VPN server must be configured to allow access to the entire LAN, not just to the VPN server computer. This is a server configuration that cannot be corrected from the client side.
• If you receive an Error 53 message (Network path was not found), this may be because the client cannot resolve NetBIOS names. Ensure that the client has a WINS server assigned. This can be done manually in the client's TCP/IP properties or via DHCP.
• Your account may not have the proper permissions to access the resources on the LAN.

If you are unable to browse, attempt to connect to the network shares on computers inside the LAN using the UNC path (\\servername\sharename).

If you are using Windows 9x clients to log on to a domain, ensure that the workgroup name in the Network Identification properties is the same as the domain name.

Undesired disconnections
If you are able to establish the VPN connection, access resources, and browse the network, but the link is prematurely disconnected, check the following possibilities:
• You may have the VPN connection configured on the client to hang up after a specified number of minutes of idle time. As shown in Figure L, you can set this value from one minute to 24 hours, or to never hang up (the default). Check this setting first if you are getting disconnected at a regular interval of time.
• Your ISP may have idle time limitation rules or connect time limitation rules that automatically disconnect you after a specified period of idle time or a specified period of time online, even if active.

Firewall and proxy problems
The firewalls and proxy servers that often protect our networks from unauthorized access can complicate VPN connectivity. Although you may be unable to correct these problems from the client side, you should be aware that
if your client configuration appears to be correct and you are unable to establish a VPN connection, it may be due to firewall or proxy restrictions or packet filtering rules on the
For example, you may be unable to browse the LAN if NetBIOS packets are being filtered by the firewall or router. In this case, the network administrator needs to open UDP ports 137 and 138 and TCP port 139. You cannot reach a VPN server behind a firewall at all unless port 1723 is open and protocol 47 (GRE) is allowed.
If you have an active Winsock Proxy client, you will not be able to create a VPN, because the Winsock client immediately redirects data to the proxy server before it can be processed as necessary by the VPN. You will have to disable the Winsock Proxy client. Microsoft’s Proxy Server does not support outbound PPTP requests from internal clients (behind the proxy). Gateway-to-gateway VPNs, in which the proxy server is the VPN client, can be established. Also, because IPSec does not work with address translation (which is the way Proxy Server provides Internet access to its clients via a single public IP address), you will not be able to establish an L2TP/IPSec VPN from behind the proxy server.
In Microsoft’s new ISA Server, the Winsock Proxy client is called the Firewall client. ISA clients running the Firewall client software cannot establish a VPN because outbound PPTP is not supported. However, ISA clients that are configured as Secure NAT (SNAT) clients can be VPN clients.
For more information about Microsoft’s ISA Server, see
Figure L
Disconnections can be caused by an idle time hang-up setting in the Virtual Private Connection Properties dialog box.
Conclusion
Virtual private networking provides a cost-effective way to take advantage of today’s almost universal Internet connectivity to create a private “tunnel” to a company LAN or other network from a remote location. VPN connection failures and other problems are often easy to correct by modifying the client configuration. In this article, I showed you techniques for troubleshooting and correcting common client-side VPN connectivity problems.

Controlling the dial-up bandwidth on your VPN
Jan 26, 2001
By Ed Engelking II, A+

Managing available bandwidth via dial-up connectivity was once a relatively easy task for network administrators. Previously, most users connected to a virtual private network, or VPN, via the Internet using connections that consumed only a small amount of bandwidth. With the onset of broadband communications such as cable and DSL within SOHO environments, however, administrators now face the challenge of controlling available bandwidth on VPNs.
If your telecommuters are burning bandwidth by using broadband connectivity, how can you address this problem? Here are some solutions available to network administrators that can help limit and control the amount of bandwidth used, both inside and outside of the network.
Quality of Service for all
Improved firewalls and routers, incorporating Quality of Service (QoS), enable the limitation of bandwidth for incoming and outgoing data, which in turn increases acceptable performance for each employee outside of the office, no matter the connection speed.
In networking, Quality of Service (QoS) is a term that indicates a guaranteed bandwidth level.
With QoS integrated within a VPN, an administrator gains full control over the data flowing through the network. Two ways to maintain this control are packet classification and bandwidth management:
X Packet classification
Packet classification groups data by importance. The more important the data, the higher its classification, and the better handling it receives at the expense of other, less important data on the same network.
X Bandwidth management
By using bandwidth management, a VPN administrator can police the incoming and outgoing data from a network and allow certain amounts of bandwidth to be available for differing packet classifications.
Other forms of bandwidth control
Depending on the needs of the network administrator, there are additional ways of controlling the amount of available bandwidth:
X Traffic shaping
Traffic shaping comes into play when a service provider detects Internet traffic congestion. The amount of incoming and outgoing data streams is then lowered via queuing. This causes the bandwidth in use to fall below the allowed allocation.
X Fair bandwidth
Fair bandwidth allows all users on a network to obtain equal access to Internet bandwidth. With fair bandwidth enabled, applications using large amounts of a data stream, such as MP3s, will have their bandwidth decreased in order to provide fair access to other employees.
X Guaranteed delivery
Guaranteed delivery reserves a section of bandwidth for specific services within a network, such as video teleconferencing, voiceover IP, and money transactions. It determines which services are high priority and allocates bandwidth accordingly.
Controlling bandwidth will continue to challenge administrators
Network administrators must control virtual private networking and the resources that are required for it to operate successfully in an organization. Because telecommuters and remote offices are here to stay, VPN


administrators will continue to have issues with maintaining bandwidth. However, the incorporation of new technologies intended to supplement QoS will help network administrators manage this problem.

Article resources

The following resources were used in the creation of this article:
X Ashley Laurent Security Newsletter—Volume 1, Issue 2, 3/3/00 (newsletter/03-03-00.htm)
X Access VPNs for the Enterprise—Cisco Systems, 7/3/000 (cc/so/neso/vpn/vpnsp/justify/avpnn_bc.htm)
X Quality of Service for Virtual Private Networks—Cisco Systems, 8/28/00
X QoS definition by Webopedia (Q/QoS.html)

Making the connection with Windows 2000 Professional Dial-Up Networking
Jun 28, 2001
By Dr. Thomas Shinder, MCSE

Did you know Windows NT 4.0 Workstation had built-in RAS client and RAS server capabilities? If you didn’t, then you’re a member of a very large club. Setting up Windows NT 4.0 Workstation to be a RAS client or server was not an easy thing to accomplish. As was typical in Windows NT 4.0, there were multiple interfaces you had to slog through to access the configuration dialog boxes and get things set up correctly. When you eventually found your way to the correct interface, the configuration was far from intuitive.
Windows 2000 Professional includes all the features of the Windows NT 4.0 Workstation RAS client and server, and a lot more. The configuration interface is wizard-driven; it’s almost impossible to make a mistake. The Windows 2000 Professional Dial-Up Networking client now allows you to call a VPN server on the intranet or Internet. Unlike in Windows NT 4.0, this feature is available right out of the box, and there are no complex protocol and interface configurations to make.
The RAS server feature is also improved. A Windows 2000 Professional machine can support a single dial-in session from a remote user per interface. However, the operating system also supports analog, ISDN, VPN, parallel, serial, and infrared interfaces. Thus, the machine can actually handle multiple inbound sessions.
In this article, we’ll look at the dial-up networking features available in Windows 2000 Professional. These features can be broken down into two major categories:
X Outbound access
X Inbound access
Once you understand the features and functionality of outbound and inbound RAS access on a Windows 2000 Professional computer, you’ll never want to get near a Windows NT 4.0 workstation again!

Windows 2000 Professional outbound remote access
Windows 2000 Professional supports several types of outbound remote access. These include:
X Corporate dial-up RAS client calls
X ISP dial-up calls
X VPN client calls
A wizard guides you through creating each type of connection. When you create a connection to a particular location, the object the wizard creates is called a connectoid. There are several connectoids seen in Figure A.
Figure A
The connectoid is an icon located in the Network And Dial-up Connections window; it is used to invoke a particular type of connection.
Creating a corporate RAS Dial-Up client
When a remote user establishes a dial-up connection to the corporate network, his or her computer is a participant on the network in exactly the same way as a machine attached via the local Ethernet. The VPN client can access the same resources and print to the same printers as the locally attached machines. If the user dials in using the option in the logon dialog box for remote access, he or she will not even need to enter credentials to access network shares and other network resources.
To create a connectoid to connect to the corporate RAS server, perform the following steps:
1. Open the Control Panel and double-click on the Network And Dial-up Connections icon.
2. In the Network And Dial-up Connections window, double-click the Make New Connection icon. This opens the Welcome To The Network Connection Wizard page. Click Next to continue.
3. The Network Connection Type page appears (Figure B). Select the Dial-up To Private Network option and click Next.
4. The Phone Number To Dial page (Figure C) allows you to enter the phone number for the corporate RAS server. You can enter the entire phone number in the Phone Number text box, or you can enable the Use Dialing Rules check box and select the area code from the Area Code drop-down list box. After entering the phone number, click Next.
5. The Connection Availability page allows you to make the connectoid available for all users or only for yourself. For security reasons, the connectoid should be available only to the user who creates it. Many users decide to save their dial-up password in the connectoid. Therefore, you do not want it to be available to other users who might access the machine. Click Next.
6. The Completing The Network Connection Wizard dialog box appears and asks you to name the connectoid. Click Finish (Figure D).
Figure B
Choose the Dial-up To Private Network option on the Network Connection Type page.


From the connectoid’s icon on the desktop, launch the RAS connection. You will see the Connect Corporate RAS Server dialog box, as seen in Figure E.
The logged-on user’s name will appear automatically in the User Name text box. If the user needs to log on with another name, he or she can manually enter it here. The Save Password check box allows the password to be saved with the connectoid. Beware of the security implications of saving the password with the connectoid. The phone number to dial is automatically included, as is the location.
Figure C
Configure the phone number to dial.
Figure D
Put a check mark in the check box for Add A Shortcut To My Desktop to make access to the connectoid much easier.
Figure E
Make the connection in this dialog box.
Creating an ISP dial-up and local network Internet connection
Your company may decide not to allow direct dial-up connections to a corporate RAS server. Direct dial-up RAS servers can be expensive to implement and maintain. A more cost-effective solution is to allow users to dial up an Internet connection and then create a virtual private network (VPN) connection to a corporate VPN server via the dial-up Internet connection.
Creating an ISP dial-up connectoid is similar to creating the corporate RAS client connectoid. Perform the following steps to create the ISP dial-up connectoid:
1. Open the Control Panel and double-click on the Network And Dial-up Connections icon.
2. In the Network And Dial-up Connections window, double-click the Make New Connection icon. This opens the Welcome To The Network Connection Wizard page. Click Next to continue.
3. The Network Connection Type page will appear. Select Dial-up To The Internet and click Next.
4. The Welcome To The Internet Connection Wizard (Figure F) appears. You have three choices:

X The I Want To Sign Up For A New Internet Account... option allows the user to create a new dial-up account with an ISP. Microsoft provides a list of ISPs. Since your company will have provided its users with an account, there is no reason for a user to select this option. Even if the user does not have an ISP account, he can do better by researching local or national ISPs.
X The I Want To Transfer My Existing Internet Account To This Computer... option gives you the opportunity to sign up for a new account, even though you already have an existing one. Avoid this option unless you want to transfer to a new ISP.
X The I Want To Set Up My Internet Connection Manually... option is the preferred option if you already have an ISP account. This option provides you the most flexibility when setting up the connection.
Select the third option and click Next to continue.
Figure F
Select the third option from the Internet Connection Wizard.
5. The Setting Up Your Internet Connection page (Figure G) allows you to connect to the Internet using a phone line and modem or via a local area network (LAN) connection. If you choose the I Connect Through A Phone Line And A Modem option, subsequent pages will ask you for a username and password, the phone number of the ISP, the name of the connection, and whether you want to create a mail account. All these steps, except for the mail account step, are the same as when you created a direct dial-up connection to the corporate RAS server. The I Connect Through A Local Area Network (LAN) option allows a machine on a network with a centrally routed or proxied connection to the Internet to connect to Internet resources. A large proportion of remote employees have small home networks. In this example, we’ll select this option. Click Next to continue.
Figure G
Connect to the Internet through the LAN.
6. The Local Area Network Internet Configuration page appears next (Figure H). The Automatic Discovery Of Proxy Server (Recommended) option allows the client to use a wpad entry contained on either a DNS or DHCP server. If such an entry is not made on the internal network, this option should be left blank. The Use Automatic Configuration Script option allows the client to take advantage of


Microsoft Proxy Server 2.0 or ISA Server 2000 caching arrays. Since it’s unlikely that a user will have an enterprise array on his home network, this option should also be disabled. The Manual Proxy Server option is the preferred option for a home network. Select this option and click Next.
Figure H
Configure the LAN-connected Internet client to use a proxy server.
7. The second Local Area Network Internet Configuration page allows you to configure the IP address of the proxy server. Most home network users will have a single proxy or NAT server. Enter the IP address of the internal interface of the proxy server and place a check mark in the Use The Same Proxy Server For All Protocols check box. Click Next.
8. The third Local Area Network Internet Configuration page allows you to configure addresses on the local network that will bypass the proxy server. Click Next to continue.
9. The Set Up Your Internal Mail Account page offers the user an opportunity to create a new mail account. Select No on this page and click Next.
10. On the last page of the wizard, click Finish to complete the Internet connection.
The machine is now able to connect to the Internet through the proxy or NAT server. If you had created a dial-up connection to the Internet, a connectoid similar to the corporate RAS client connection would be created.
Creating a VPN client connection
Windows 2000 Professional supports outbound VPN client connections through both dial-up and LAN interfaces. Unlike in Windows NT 4.0 Workstation, you do not need to install a PPTP VPN adapter and go through a circuitous configuration procedure. A wizard walks you through the process of creating the VPN client connection.
If the machine is not connecting to the VPN server through a LAN connection, it will need to dial up an ISP before establishing the VPN link. Therefore, you need a dial-up connectoid configured on the machine. When you configure the dial-up VPN connection, Windows 2000 Professional will offer to dial up the ISP automatically before establishing the VPN link.
Figure I
Select the type of public network connection.
To create a dial-up VPN link, perform the following steps:
1. Open the Control Panel and double-click on the Network And Dial-up Connections icon.
2. In the Network And Dial-up Connections window, double-click the Make New

Connection icon. This opens the Welcome To The Network Connection Wizard page. Click Next to continue.
3. The Network Connection Type page will appear. Select the Connect To A Private Network Through The Internet option and click Next.
4. On the Public Network page (Figure I), you choose whether to connect to the VPN server via a LAN connection or through a dial-up connection. To create the initial ISP link, click the down arrow under the Automatically Dial This Initial Connection option and select your ISP connection. After making the selection, click Next.
5. On the Destination Address page (Figure J), type in the Fully Qualified Domain Name (FQDN) or IP address of the VPN server. Click Next to continue.
6. On the Connection Availability page, choose to make the connection available for all users or only for yourself. For security reasons, your best option is to make the connection available only for the user who creates it. Click Next to continue.
7. On the final page of the wizard, type in the name of the connectoid and click Finish.
Figure J
If you type in a FQDN, the client must be able to resolve the address by using a public DNS server.
The connectoid for the VPN link will appear in the Network And Dial-up Connections window. When you double-click the connectoid, a dialog box will appear asking if you would like to establish a link with the ISP before connecting to the VPN server. After the Internet connection is established, a second dialog box will appear asking for credentials to establish the VPN connection to the VPN server.
Windows 2000 Professional inbound remote access
Windows 2000 Professional can also accept inbound calls. Unlike Windows 2000 Server machines, a Windows 2000 Professional machine can accept only a single inbound connection per RAS interface. Inbound calls can be accepted via serial, parallel, infrared, and VPN interfaces.
To configure the Windows 2000 Professional computer to accept inbound calls, perform the following steps:
1. Open the Control Panel and double-click on the Network And Dial-up Connections icon.
2. In the Network And Dial-up Connections window, double-click the Make New Connection icon. This opens the Welcome To The Network Connection Wizard page. Click Next to continue.
3. Select the Accept Incoming Connections option and click Next.
4. On the Devices For Incoming Connections page (Figure K), select the device on which you want to accept inbound connections. In this example, we can accept calls on a modem and an LPT (parallel) port. Note that we can select and receive calls on all devices. We’ll select both interfaces, and click Next.
5. On the Incoming Virtual Private Connection page (Figure L), you tell the wizard whether you want to accept VPN connections on this interface. If you wish to make VPN connections to the Windows 2000 Professional computer, the machine


should have a dedicated connection to the Internet. Typical dedicated connections are xDSL, ISDN, and cable modem connections. However, you can get dial-up modem accounts that allow for dedicated connections with true unlimited access. Note that the modem will still allow inbound direct dial-up connections with this configuration. Click Next.
6. On the Allowed Users page (Figure M), you select which users you want to allow permission to make inbound calls. In this example, we’ll select the Administrator account and click Next.
7. The Networking Components page (Figure N) displays the network protocols and services used for this connection. Click on the Internet Protocol (TCP/IP) entry and then click the Properties button.
8. The Incoming TCP/IP Properties page (Figure O) allows you to configure how IP addresses are assigned to inbound callers. Place a check mark in the Allow Callers To Access My Local Area Network check box if you want RAS clients to be able to access the internal network behind the Windows 2000 Professional machine. If this check box is not checked, the user will be able to access resources only on the Windows 2000 Professional machine itself. In the TCP/IP address assignment frame, choose whether you want to assign addresses via DHCP or from a static pool of IP addresses. If you choose to use DHCP, you must be sure you have a DHCP server on the internal network on the same network ID as the internal interface of the Windows 2000 Professional computer. If you choose to use a static pool of addresses, you will have to configure a From and a To address. You must include at least two addresses. If you try to put the same address in both boxes, you will get an error.
Figure K
Select a device for inbound connections.
Figure L
We will allow inbound VPN connections.
Figure M
Allow Administrator inbound access.

The Allow Calling Computer To Specify Its Own IP Address option will allow the caller to configure his or her own IP address in the VPN client connection interface. Be careful with this option. If the client tries to use an IP address that is already in use on the network, the connection will fail. Click OK and click Next.
9. On the final page of the wizard (Figure P), you are informed that the connection will be named Incoming Connections.
You do not need to restart the computer. After you complete the wizard, users can begin to make inbound calls to the Windows 2000 Professional computer.
Figure N
You can also configure the properties of the other components here.
Figure O
Configure client IP addressing parameters.
Figure P
All inbound connections will be accessed through this connection.

Windows 2000 Professional supports the roles of RAS server and RAS client. As a RAS client, it can make direct dial-up and VPN connections. As a RAS server, it can receive a single inbound call on each RAS-enabled interface. The Windows 2000 Professional computer supports inbound calls to just the Windows 2000 Professional machine itself, or to the entire network to which the Windows 2000 Professional machine is attached. RAS connections are easy to set up because all inbound and outbound connections are created using a wizard.


Understanding demand dial connections in Windows 2000
Dec 25, 2000
By Jim Boyce

When you configure a Windows 2000 router, you have two options for establishing connections with other routers or networks: dedicated or demand dial connections. Dedicated connections typically use connections such as T1 and frame relay. Except on rare occasions when a hardware failure occurs, the connection remains persistent.
Demand dial routing (also called on-demand routing) forwards packets across a nonpersistent Point-to-Point Protocol (PPP) connection. In general, you can think of demand dial connections as those routing connections that connect via dial-up means, whether those connections are persistent or not. For example, if you support a remote office that needs to be fed data from your local servers only once or twice a day, and the connection is metered and incurs charges based on connection duration, a dedicated connection might not make sense. In such a situation, a demand dial connection, which gets used only when data actually needs to be transmitted, makes more sense and could save the company a small bundle in connectivity charges. After the data is transmitted and an appropriate idle time has passed, Windows 2000 drops the connection. Figure A illustrates a situation in which demand dial routing would be useful.
On-demand versus persistent
There are two types of demand dial connections: on-demand and persistent. An on-demand connection is nonpersistent and remains connected only when packets need to be forwarded through the demand dial interface. The previous example of the remote office is a good example of a scenario where an on-demand connection would be the best solution. Any time you have a metered connection, such as a long-distance POTS call or metered ISDN service, on-demand routing is generally the best solution.
The alternative is a persistent connection. At first blush, persistent connections might seem illogical in the context of demand dial routing, but you need to remember that demand dial routing isn’t simply geared toward

Figure A (diagram: Main Office router, Demand Dial link, Satellite Office router)
A demand dial connection can serve a satellite office.

forwarding packets across metered connections, but rather forwarding packets across any PPP dial-up connection. There are, therefore, scenarios where you’d want the demand dial interface to be persistent. For example, if the connection uses a local POTS call or flat-rate ISDN service where there is no per-minute charge, there’s no reason why you should not have the connection persist. If the connection is dropped, Windows 2000 automatically attempts to reestablish the connection.
Why not make all connections be on-demand, even if it doesn’t cost any more for a given connection to be persistent? Client access is the primary reason. The amount of time required to establish a demand dial connection varies depending on the connection media. A POTS call could take 20 seconds or more to establish a link, while ISDN could take less than five seconds.
This is an important consideration when setting up the demand dial connections—you need to take into account how the client applications will handle the connection delay. If the application supports a variable timeout setting, modify the timeout setting to accommodate the link establishment delay. If increasing the timeout doesn’t address link delay in all situations, modify the number of connection attempts the application makes. The application’s first attempt will initiate the connection sequence, and a secondary attempt will allow the application to connect after the router has time to establish the connection.
For all Microsoft Windows platforms, TCP sets a retransmission timer when it attempts the first data transmission for a connection. The initial retransmission timeout value is 3 seconds. TCP doubles the retransmission timeout value for each subsequent connection attempt and by default attempts retransmission two times. For example, the first attempt is made at 3 seconds, the second at 3+6 seconds, and the third at 3+6+12 seconds, for a maximum timeout of 21 seconds. Increasing the initial retransmission timer to 5 seconds would result in a total maximum timeout of 5+10+20, or 35 seconds. Setting the retransmission count to 4 with a retransmission timer of five would result in a total timeout of 5+10+20+40, or 75 seconds.
You can modify the TCP retransmission timer properties to extend the length of time that TCP will attempt a connection before timing out. For Windows 2000 and Windows NT 4.0 clients, the initial TCP retransmission timeout is set by the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\InitialRtt. The InitialRtt value is a REG_DWORD with a valid range from 0-65535 and it specifies the length of the timeout in milliseconds. A value of 5,000, for example, specifies an initial timeout of five seconds. The default value is 3,000.
The number of connection attempts is defined by the registry setting HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions. The TcpMaxDataRetransmissions value is also a REG_DWORD with a valid range of 0-65535. The default value is five.
For Windows 9x and Windows Me clients, the registry setting MaxConnectRetries specifies the number of times TCP will attempt a connection. The default is three. As with Windows 2000 and Windows NT, the default value for the initial connection timer is also three seconds.
One-way versus two-way demand dial connections
When you’re setting up a demand dial connection, you need to consider whether the connection will be one-way initiated or two-way initiated. In a one-way connection, one router always functions as the calling router and the other always functions as the answering router. In a two-way connection, either router can function as the calling or answering router.
For both types of connections, the answering router must be configured with an account that the calling router can use to establish the connection. In the case of a two-way connection, you need to create an account on both sides of the connection to be used by the calling router to authenticate on the answering router. Since either router can initiate a


connection, both need to have accounts the other can use to authenticate and connect. In addition, the account name used by the calling router must match the demand dial interface name on the answering router—a requirement for both one-way and two-way connections.
Static routing and autostatic updates
In addition to authentication considerations, you also need to think about routing issues. While you could use dynamic routing (RIP or OSPF) over demand dial connections, the routing overhead traffic generated by the routers could nullify the benefit of using demand dial connections, including the reduction of connection charges. This is because the routers must exchange routing announcements, causing additional periodic traffic and requiring more frequent connections.
The solution is to use static routes where the number of routes is small, or use autostatic updates with RIP when the number of routes doesn’t lend itself to manually created static routes. In the case of manually created routes, simply add the static routes to the appropriate interfaces on both sides of the connection. Use the option Use This Route To Initiate Demand Dial Connections to control whether or not traffic that applies to the static route causes the demand dial connection to be initiated.
If the static route directs traffic to a primary subnet that carries critical traffic, you’ll probably want the static route to be used to initiate the demand dial connection. If the traffic is secondary, deselect this option to prevent the traffic from initiating the demand dial connection. In this latter scenario, the traffic will be routed only if the demand dial connection is already established (caused by traffic through another route) and will fail if the demand dial connection is not active.
Where there are more complex routing requirements not easily satisfied with manually created static routes, using RIP with autostatic updates is a viable solution. Autostatic updates marry the convenience of RIP with the connection control of static routes. Autostatic updates enable RIP to request all known routes from the remote router and add them to the local routing table as static routes. The autostatic update is a one-time, one-way event, and no additional route updates occur on the interface until you manually perform another autostatic update or the local router initiates another scheduled update. We’ll cover performing autostatic updates in the next article.
When you’re configuring routes between your routers, consider the impact that the default route will have on traffic and the demand dial interface. Because the default route is applied to all traffic not serviced by another route, traffic routed through the default route could cause unwanted connections. For example, if you configure the default route to be used to initiate the demand dial connection, the connection will dial any time the traffic is routed through the default route, including when you have traffic bound for a nonexistent or unreachable subnet. For that reason, you should configure the default route so that it will not initiate the demand dial connection. To do so (or to configure the behavior for any other route), open the RRAS console, expand the IP Routing branch, and then select the Static Routes node. Select the route in question and display its properties. Deselect the option Use This Route To Initiate Demand Dial Connections.
Demand dial filters and time restrictions
Another issue to consider before you start creating your demand dial connections is whether or not you want to apply filters and time restrictions to the demand dial connections. In addition to configuring each static route according to whether or not it can initiate the demand dial connection, you can control connection initiation through demand dial filters. These filters let you specify criteria for the source and destination that determines when the demand dial interface can be initiated. As Figure B shows, you can configure the filters to allow all traffic that fits the filter criteria to initiate the connection or exclude all traffic fitting the criteria, preventing that traffic from initiating the connection.

Administration 45
Figure B: Configure demand dial filters to determine which traffic can initiate a demand dial

Another consideration is when the demand dial interface can or should be initiated. By default, there are no dial-out hour restrictions on a demand dial interface, so traffic that fits the route or filter criteria can initiate the connection at any time. In some cases, you might want to restrict those hours. For example, you might process data transfers only at night and want the demand dial interface to be used only during those hours, preventing routing during the day as a means of controlling traffic or reducing costs. In the next article, “Configuring Windows 2000 for demand dial connections,” I’ll show you how you can configure each demand dial interface with hour restrictions to do just that.
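The three controls discussed in this article (the per-route Use This Route To Initiate Demand Dial Connections option, demand dial filters in either mode, and dial-out hours) interact, and the following Python model shows the order in which a router effectively consults them for one packet. It is an added example, not code from the article or from RRAS; the class and function names, the RemoteOffice interface, the networks, the night-only hours and the sample packets are all constructed for the example.

```python
"""When may a packet initiate a Windows 2000 demand dial connection?

Added example, not code from the article or from RRAS.  It applies the three
controls the article describes, in the order a router consults them: the
matching static route's initiate option, the interface's demand dial filters
(either mode), and its dial-out hours.  Names and addresses are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class StaticRoute:
    destination: IPv4Network   # 0.0.0.0/0 is the default route
    interface: str             # demand dial interface the route points at
    initiate: bool             # Use This Route To Initiate Demand Dial Connections


@dataclass
class DemandDialFilter:
    """One filter entry: source network, destination network and/or protocol."""
    source: Optional[IPv4Network] = None
    destination: Optional[IPv4Network] = None
    protocol: Optional[str] = None   # None matches any protocol

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str) -> bool:
        return ((self.source is None or src in self.source)
                and (self.destination is None or dst in self.destination)
                and (self.protocol is None or self.protocol == proto))


@dataclass
class DemandDialInterface:
    name: str
    filters: list = field(default_factory=list)
    filter_mode: str = "all_except"   # For All Traffic Except; "only" = Only For The Following Traffic
    dial_out_hours: Optional[set] = None   # permitted (weekday, hour) pairs; None = no restriction
    connected: bool = False


def longest_match(routes, dst):
    """Most specific route covering dst, as the routing table lookup does."""
    candidates = [r for r in routes if dst in r.destination]
    return max(candidates, key=lambda r: r.destination.prefixlen, default=None)


def filters_permit(iface, src, dst, proto):
    hit = any(f.matches(src, dst, proto) for f in iface.filters)
    return hit if iface.filter_mode == "only" else not hit


def hours_permit(iface, when):
    return iface.dial_out_hours is None or (when.weekday(), when.hour) in iface.dial_out_hours


def decide(routes, interfaces, src, dst, proto, when):
    """Return (action, reason); action is 'forward', 'dial' or 'drop'."""
    route = longest_match(routes, dst)
    if route is None:
        return "drop", "no matching route"
    iface = interfaces[route.interface]
    if iface.connected:                       # link already up: just route it
        return "forward", f"{iface.name} is already connected"
    if not route.initiate:                    # this route may not bring the link up
        return "drop", f"route {route.destination} may not initiate {iface.name}"
    if not filters_permit(iface, src, dst, proto):
        return "drop", "excluded by demand dial filter"
    if not hours_permit(iface, when):
        return "drop", "outside dial-out hours"
    return "dial", f"initiating {iface.name}"


# Constructed scenario.  The default route uses the demand dial interface but, as
# the article advises, may not initiate it; only the branch subnet route may.
# ICMP is excluded by a filter, and dial-out is limited to 22:00-04:59 daily.
NIGHT_HOURS = {(day, hour) for day in range(7) for hour in (22, 23, 0, 1, 2, 3, 4)}
REMOTE_OFFICE = DemandDialInterface("RemoteOffice", [DemandDialFilter(protocol="icmp")],
                                    "all_except", NIGHT_HOURS)
INTERFACES = {"RemoteOffice": REMOTE_OFFICE}
ROUTES = [StaticRoute(ip_network("10.20.0.0/16"), "RemoteOffice", initiate=True),
          StaticRoute(ip_network("0.0.0.0/0"), "RemoteOffice", initiate=False)]
NIGHT = datetime(2000, 12, 28, 23, 0)    # article date, 11 p.m.
NOON = datetime(2000, 12, 28, 12, 0)


def classify(dst: str, proto: str, when: datetime, connected: bool = False) -> str:
    """Classify one packet from a LAN host (192.168.1.10) against the scenario."""
    REMOTE_OFFICE.connected = connected
    return decide(ROUTES, INTERFACES, ip_address("192.168.1.10"),
                  ip_address(dst), proto, when)[0]


if __name__ == "__main__":
    for dst, proto, when in [("10.20.1.5", "tcp", NIGHT), ("10.20.1.5", "icmp", NIGHT),
                             ("10.20.1.5", "tcp", NOON), ("203.0.113.9", "tcp", NIGHT)]:
        print(f"{dst:>12} {proto:<4} {when:%H:%M} -> {classify(dst, proto, when)}")
```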

Configuring Windows 2000 for demand dial connections
Dec 28, 2000
By Jim Boyce

In the previous article, I introduced you to demand dial connections in Windows 2000. In this article, I’ll show you how you actually make the connections.

Getting started

In general, the process involves several steps:
• Enabling demand dial routing
• Setting up remote access on the called router
• Enabling demand dial connections on the dial-out hardware
• Creating the connection
• Configuring accounts and authentication
• Adding RIP and/or creating static routes
• Configuring demand dial initiation filters
• Setting up dial-out hours
• Configuring autostatic updates
• Configuring persistence

Enabling demand dial routing and remote access (RRAS)

First, you must enable demand dial routing for each router that needs to support it. To do so, open the RRAS console and connect to that router. In the console, right-click the server and choose Properties. On the General page, verify that the Router option is selected and then select the option LAN And Demand-Dial Routing. On a called router, also select the option Remote Access Server and click OK.

46 Administrator’s Guide to VPN and Remote Access, Second Edition

Windows 2000 will restart the RRAS service to accommodate the change.

In addition to configuring RRAS to support demand dial, you have to configure the dial-out port to support demand dial connections. In the RRAS console, expand the server, right-click on the Ports node, and choose Properties. Locate the device’s port, click the port, and choose Configure. Select the Demand Dial Routing Connections option, and if you also want to use the device for incoming remote access calls, select the Remote Access Connections option as well. Close the dialog boxes when you’ve finished.

Creating the demand dial connection

Next, create the demand dial interface. To begin, install and configure the hardware to be used for the connection, such as the modem and ISDN interface. Then, open the RRAS console, expand the server, right-click Routing Interfaces, and choose New Demand-Dial Interface to start the Demand Dial Interface wizard. The wizard prompts for the following information:
• Interface Name: Specify the name as it will appear in the RRAS console. For easy identification, consider naming the connection after the remote router. If you’re configuring a demand dial connection for incoming calls in a two-way connection, give the interface a name that matches the account the remote router will use to connect to the local router.
• Connection Type: Choose between a physical device (modem, ISDN, etc.) or VPN connection depending on the requirements of the remote router.
• VPN Options: If you choose to connect through a VPN, the wizard prompts for additional properties. Select the VPN type as PPTP, L2TP, or automatic selection. Remember that if you choose L2TP, you’ll need to configure certificates and filters. If you choose the VPN option, you’ll also need to specify the IP address or DNS name of the remote router.
• Phone Number: For non-VPN connections, specify the phone number of the remote router, including alternate numbers to dial if the primary is unavailable.
• Route IP Packets On This Interface: Select this option to allow IP routing on the demand dial interface.
• Route IPX Packets On This Interface: Select this option to allow IPX routing on the demand dial interface.
• Add A User Account So A Remote Router Can Dial In: If you’re configuring a two-way demand dial interface, select this option. The wizard will prompt you for the account properties for the account the remote router will use to connect to the local router. The wizard automatically uses the name specified in the Interface Name property (the first wizard page) as the account name and prompts only for the password for the account. The User Name field is dimmed to prevent you from changing the account name.
• Send A Plain-Text Password If That Is The Only Way To Connect: This option allows the router to accept plain-text passwords if it doesn’t support encrypted passwords. This option is dimmed for VPN connections.
• Use Scripting To Complete The Connection With The Remote Router: Select this option to enable the local router to use a script to complete the connection to the remote router after dialing. You specify the script after completing the wizard.

After the wizard finishes, you have some additional configuration to perform. In the RRAS console, right-click the demand dial interface you just created and click Properties. The General page enables you to configure the dial-up device used by the demand dial connection. The properties are the same as those you’d configure for a typical dial-out connection through the Network And Dial-Up Connections folder. If you want to use multilink to improve throughput, select all appropriate devices from the Connect Using group. You
configure additional multilink options through the Options page.

The Options page shown in Figure A lets you configure several connection options. In the Connection Type group, you specify whether the connection will be on-demand (demand dial) or persistent. If choosing Demand Dial, use the drop-down list to specify the idle time for hanging up. Make sure you specify a length of time that accommodates normal idle times during data transmission. Use the Dialing Policy group to specify the number of redial attempts and interval between redial attempts.

Figure A: Use the Options page to configure the connection as demand dial or persistent.

The Multiple Devices group lets you configure multilink for the demand dial connection. From the drop-down list, select the method you want Windows 2000 to use to establish multilink connections. If you choose Dial Devices Only As Needed, click Configure Bandwidth Utilization Parameters to control dialing and hanging up. Finally, if you need to use callback or X.25, click the appropriate button to configure those properties for the connection.

The Security page is the place to go to configure the authentication method(s) used by the demand dial connection, and the settings are just like any other outgoing dial-up connection. If you need to run a script to complete the demand dial connection, configure the script in the Interactive Logon And Scripting group.

The final property page, Networking, enables you to configure the network services that the demand dial connection will use, including network protocols, clients, and server type. Again, these properties are the same as for any other outgoing remote access connection. Configure the settings according to the requirements for your data transfer. If the clients use a given protocol, for example, make sure that protocol is enabled for the dial-out connection.

Configuring filters and hour restrictions

Next, you’ll need to configure demand dial filters to determine which traffic can initiate the demand dial connection and to restrict (if desired) the connection to specific hours. First, open the RRAS console and select the Routing Interfaces branch. In the right pane, right-click the demand dial interface you want to configure and choose Set IP Demand-Dial Filters. Click Add and then specify the criteria based on source network or destination network (or both), as well as the protocol. Then, click OK. Add filters as needed and then select one of the following options:
• For All Traffic Except: Select this option if you want all traffic except that falling under your specified filter criteria to be able to initiate the connection. All traffic that fits the filter criteria will not initiate the demand dial connection.
• Only For The Following Traffic: Select this option if you want only traffic that meets the filter criteria to be able to initiate the demand dial connection.

Click OK when you’ve finished creating the filters.

Next, configure dial-out restrictions if you don’t want the demand dial connection to be available all the time. Right-click the demand dial interface and choose Dial-Out Hours. Use the resulting dialog box to select the hours that
the demand dial connection is either permitted or denied.

Setting up the routes

If the number of routes you need to manage over the demand dial connection is relatively high and you intend to use Routing Information Protocol (RIP) and autostatic updates to maintain the routes, you need to add RIP. In the RRAS console, expand the server, open the IP Routing branch, right-click General, and choose New Routing Protocol. Select RIP and choose OK.

Next, right-click RIP in the IP Routing branch and choose New Interface. Select the demand dial connection and click OK. Windows 2000 presents a tabbed property sheet that is the same as when you configure RIP on any other routing interface. Verify that Autostatic Update Mode is selected in the Operation Mode drop-down list. The other default settings are correct for connecting to another Windows 2000 RRAS router. If you need to tweak the settings to accommodate a different remote router or your network requirements, make the changes now.

If the number of routes for the demand dial interface is low, a better solution than using RIP is to simply create static routes. Open the IP Routing\Static Routes node in the RRAS console, right-click the node (or right-click in the right pane), and choose New Static Route. Select the demand dial interface from the Interface drop-down list and configure the static route as needed.

If you want traffic destined for the selected route to be able to initiate the demand dial connection, select the option Use This Route To Initiate Demand-Dial Connections. Deselect the option if you don’t want traffic destined for the selected route to be able to initiate the connection. When you’re satisfied with the static route properties, close the dialog box and then repeat the process to create any other required static routes.

Performing manual and scheduled autostatic updates

When RRAS performs an autostatic route update, it deletes the existing routes and then requests an update from the remote router, obtaining all remote routes. If the update request fails for some reason (the remote router is unavailable, for example), the local router won’t be able to rebuild its routing table. This means that the routes will be unavailable until a successful update occurs. This is one minor disadvantage to using RIP instead of static routes for the demand dial interface, but in most situations it is a manageable risk. Be sure to take this risk into account when you’re developing your routing strategy for the demand dial connection.

When you want to initiate an autostatic update, open the RRAS console and then expand the server. Open the IP Routing branch and then open the General branch. Right-click the demand dial interface whose routes you want to update and choose Update Routes. If the demand dial connection is currently active, the route transfer will begin. If not, the local router will initiate the demand dial connection and then request the update. Keep in mind that an autostatic update transfers routing data from the remote router to the local router. If you’re updating routes in a two-way demand dial connection, you need to also perform an autostatic update at the remote router to update its routes.

The RRAS GUI interface doesn’t provide a mechanism for scheduling autostatic route updates to occur automatically, but you can use the NETSH command from a command console to update routes. This enables you to create a script containing the appropriate NETSH commands and schedule that script using the Windows 2000 AT command. Here is an example of a script that updates the routing information for a demand dial connection named RemoteOffice (the final command names the same interface so that it, and not some other interface, is disconnected):

    netsh interface set interface name=RemoteOffice connect=CONNECTED
    netsh routing ip rip update RemoteOffice
    netsh interface set interface name=RemoteOffice connect=DISCONNECTED

You can also create a script for NETSH and execute that script through the NETSH command. For example, save the previous commands
to a text file called RemoteUp.scp. Then, run the following command to execute the script:

    netsh -f RemoteUp.scp

Setting up a two-way demand dial connection

Up to this point, I’ve primarily focused on setting up a one-way demand dial connection. Setting up a two-way connection is essentially the same, except you perform the configuration tasks at both ends of the connection. You’ll need to configure the hardware, set up the connection, configure routes, and perform the other tasks explained above.

One of the most potentially confusing aspects of two-way demand dial connections is the naming convention you use on both routers. Remember that when you’re naming the connections, each connection’s name should be the same as the connection authentication account on the remote router.

For example, assume you have two routers in two locations. At your Headquarters location, you have a router with an interface name of RemoteOffice. At your remote location, you have a router with an interface name of HomeOffice. Therefore, to make the connection work properly you should create a user account at Headquarters with a user account name of HomeOffice, as well as a user account at the remote site with a user account name of RemoteOffice.

Demand dial connections make it easier for you to use routing to connect networks without having a permanent connection between them. Windows 2000 lets you create demand dial connections with a little bit of work. In this article, I’ve shown you how.
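A scheduled NETSH job, as described under “Performing manual and scheduled autostatic updates” above, runs unattended, so it should check each step and always hang up the link even when the connect or the update request fails. The Python wrapper below is an added example, not code from the article or from Windows; it issues the article’s three NETSH commands for the RemoteOffice interface through a `run` parameter (an assumption of this example) that defaults to `subprocess.run` and is replaced by an offline stand-in here.

```python
"""Scheduled autostatic update via NETSH, with a check after each step.

Added example, not code from the article.  It issues the same three NETSH
commands the article lists for the RemoteOffice interface, but inspects each
exit status and always issues the disconnect, so a failed connect or a failed
update request does not leave the link dialed until the idle timeout.
`run` defaults to subprocess.run; scripted_runner is an offline stand-in.
"""
import subprocess
from typing import Callable, Dict, List


def netsh_commands(interface: str) -> List[List[str]]:
    """The article's three commands as argument lists, in execution order."""
    return [
        ["netsh", "interface", "set", "interface", f"name={interface}", "connect=CONNECTED"],
        ["netsh", "routing", "ip", "rip", "update", interface],
        ["netsh", "interface", "set", "interface", f"name={interface}", "connect=DISCONNECTED"],
    ]


def autostatic_update(interface: str, run: Callable = subprocess.run) -> Dict[str, bool]:
    """Connect, request the autostatic update, then disconnect.

    The update is skipped when the connect fails (the routes then stay missing
    until a later successful run, the risk the article notes), but the
    disconnect is attempted regardless.  The returned flags are what a
    scheduled job would write to its log.
    """
    connect, update, disconnect = netsh_commands(interface)
    status = {"connected": False, "updated": False, "disconnected": False}
    try:
        status["connected"] = run(connect).returncode == 0
        if status["connected"]:
            status["updated"] = run(update).returncode == 0
    finally:
        status["disconnected"] = run(disconnect).returncode == 0
    return status


def scripted_runner(log: list, fail_on: str = "") -> Callable:
    """Offline stand-in for subprocess.run: records each command and reports
    exit status 1 for any command whose argument list contains fail_on."""
    def run(args, **kwargs):
        log.append(args)
        failed = bool(fail_on) and fail_on in args
        return subprocess.CompletedProcess(args, 1 if failed else 0)
    return run


if __name__ == "__main__":
    # Real use from a job scheduled with AT would be: autostatic_update("RemoteOffice")
    for label, fail_on in [("normal run", ""), ("remote router unreachable", "connect=CONNECTED")]:
        log: list = []
        print(label, "->", autostatic_update("RemoteOffice", run=scripted_runner(log, fail_on)))
        print("  commands issued:", len(log))
```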

How to configure Win2K client VPN connections
Nov 28, 2000
By Erik Eckel, Network+, MCP+I, MCSE

Increasingly, network administrators are turning to virtual private networking (VPN) connections to link remote workers to LANs. Windows 2000 includes VPN functionality, and even if you’re not using VPNs at your organization, you’ll need to be familiar with Win2K’s VPN feature if you’re planning on sitting for any of the following exams:
• Exam 70-210—Installing, Configuring, and Administering Microsoft Windows 2000 Professional
• Exam 70-215—Installing, Configuring, and Administering Microsoft Windows 2000 Server
• Exam 70-216—Implementing and Administering a Microsoft Windows 2000 Network Infrastructure

Why a VPN?

VPNs have caught on quickly primarily for the following two reasons:
• VPNs permit employees to connect to office resources from home or other locations using common hardware.
• VPNs provide secure connections.

By using tunneling protocols, such as PPTP or L2TP, secure connections can be configured between a client’s laptop or home
machine and a company’s LAN, as diagramed in Figure A.

Figure A: VPNs use tunneling protocols to create secure connections through the Public Switched Telephone Network.

The Windows 2000 Network Connection Wizard offers two methods for connecting to private networks. The Network Connection Wizard can be reached by clicking Start | Settings | Network And Dial-up Connections | Make New Connection from within Windows 2000 Professional. The method you select will depend largely on the telecommunications technology you have in place.

You should select Dial-Up To Private Network if you plan to use a traditional 56Kbps modem or ISDN connection. You should select Connect To A Private Network Through The Internet if you wish to use a preexisting Internet connection. Most likely, if you’re using a cable modem or a DSL connection, you’ll choose this option.

Creating a dial-up VPN

Dial-up VPN connections are created by selecting Dial-Up To Private Network from the Network Connection Wizard, as shown in Figure B.

Figure B: Select Dial-Up To Private Network to begin creating a dial-up VPN connection.

The wizard will then prompt you to supply the telephone number of the computer or network you wish to call. If you’re installing the VPN link on a laptop, you may wish to check the Use Dialing Rules box. Doing so enables you to configure different dialing configurations depending upon your location.

Next, you’ll need to specify whether the connection will be used only by yourself or by all users of the machine upon which it’s being installed. Select the default, For All Users, if everyone using the workstation should have access to the VPN connection. Select Only For Myself if you wish to make the connection available only for your user logon.

Provide a name for the VPN connection and select Finish to complete the process. If you wish to create a shortcut for the dial-up VPN connection on your desktop, be sure to check the Add A Shortcut To My Desktop box. To connect to the remote system, select the connection from Start | Settings | Network And Dial-Up Connections.

Should you need to change the telephone number or other settings associated with the VPN connection, you can do so easily. Just click Start | Settings | Network And Dial-Up Connections, right-click the dial-up connection you wish to configure, and select Properties. Figure C shows the Dial-Up Connection Properties dialog.

Creating a tunneled connection

If you need to create a VPN connection using a cable or DSL modem, a LAN, or a WAN connection, in the Network Troubleshooting Wizard you’ll want to select Connect To A Private Network Through The Internet. The wizard will ask you whether an initial call needs to be placed. If it does, select Automatically Dial This Initial Connection and supply the name of the connection you wish to have dialed from the provided drop-down box. If no initial connection is required, select Do Not Dial The Initial Connection and click the Next button.

Provide the host name or IP address of the computer or network to which you want to connect. You can supply the host name in the form, substituting the appropriate name, of course. Or, you can enter the IP address of the machine you wish to contact, such as Click Next.

Just as with a dial-up connection, you’ll be asked whether the connection is to be used only by yourself or by all of the system’s accounts. Select the appropriate option and click Next. Supply a name for the connection, indicate whether you wish to add a shortcut to the desktop, and click Finish.

To connect, double-click the shortcut—if you chose to create one—or select the connection from Start | Settings | Network And Dial-Up Connections. Supply your user name and password for the network you wish to access (see Figure D), and you’re ready to begin enjoying the benefits of secure, remote access.

If you want to edit the settings for the connection, you can do so easily. Just right-click the connection name and select Properties. Here you can modify TCP/IP settings, the IP or host name of the computer to which you wish to connect, and other configuration information.

Figure C: A variety of settings can be configured for dial-up connections from the Properties box. For example, you can specify (or change) the modem to use by clicking Configure.

Figure D: You’ll need to supply your networking user name and password for authentication purposes.

Several other options can be configured using the tabs in your connection’s Properties dialog, including:
• Whether you wish to have connection progress displayed.
• Whether data encryption is automatically required.
• Which networking components are used by the connection (such as TCP/IP, Client for Microsoft Networks, etc.).
• The type of VPN server being called (you can specify Automatic discovery, Layer-2 Tunneling Protocol [L2TP], or Point-to-Point Tunneling Protocol [PPTP]).

Other options you can configure include whether the connection appears in the Taskbar when it’s in use, whether to include your Windows logon domain when connecting, and whether Internet Connection Sharing should be enabled for the connection.

Windows 2000 includes a VPN functionality that is more robust and clearer than previous versions of Windows. Given that more and more companies are turning to VPNs for security reasons, you’ll want to understand how to configure this networking option.


IP forwarding in Windows 2000 enables a Windows 2000 computer to forward IP packets. For example, a dial-
up server that enables remote users to also access the network uses IP forwarding to forward that traffic. IP
forwarding allows Windows 2000 to, in effect, act as a router. In fact, Windows 2000 Server’s Routing and
Remote Access Service (RRAS) enables a Windows 2000 Server computer to function as a full-fledged router,
complete with support for RIP, OSPF, and other routing protocols.
Enabling IP forwarding is a relatively simple matter on a Windows 2000 Server computer—you just run the
RRAS wizard in the RRAS console. Enabling IP forwarding on a Windows 2000 Professional computer isn’t as
intuitive, but it’s actually easier than on a server, thanks to a simple registry edit. (It’s easier still in Windows NT,
requiring only a change to a check box in the TCP/IP properties.)
1. Open the Registry Editor and then open the branch HKEY_LOCAL_MACHINE\SYSTEM\
2. Look for the setting IPEnableRouter.
3. Set the value to 1 to enable IP routing on all the computer’s interfaces.
Note: As always, we’ll remind you that registry editing can be risky, so be sure you have a verified backup
before you begin.

Setting up a VPN with Windows 2000

Oct 18, 2000
By Jason Hiner, MCSE, CCNA

Have you heard about the magical benefits of the virtual private network? Are you ready to test its merits in your remote access infrastructure? If so, you’ll be happy to hear that Windows 2000 provides an excellent VPN platform, especially for connecting small remote offices and supporting telecommuters from their home offices. You’ll be amazed at how easy the basic setup of a VPN has become with Windows 2000. At the same time, Win2K offers dramatic improvements in functionality and security over the bare bones VPN of Windows NT.

In this article, we’ll examine what hardware and software you’ll need for your VPN, explain how to configure a VPN server on your corporate network, and show you how to configure telecommuters to make a VPN connection
to the corporate LAN. We’ll focus on the basics of VPN setup, but we won’t touch on advanced topics, such as setting up a server-to-server VPN with a remote office network, setting up Remote Access Policies, or configuring your VPN connection to pass through firewalls and proxy servers. With this in mind, let’s get started on configuring your Windows 2000 remote access VPN.

Preparing the infrastructure

The first thing you need to consider is the hardware requirements for your VPN server. Remember that Windows 2000 by itself requires substantial hardware resources. In an enterprise environment, you will want your VPN server to be a dedicated server with nothing but Windows 2000 Server or Windows 2000 Advanced Server running on the machine. For this configuration, I would recommend at least a 450-MHz Pentium III with at least 256 megabytes of RAM. For a small business or branch office with fewer than 100 users and fewer than 20 remote access connections, you can use a 300 MHz (or better) Pentium II or Celeron machine with at least 128 megabytes of RAM.

Your server will need to have two network cards. One card will connect to the Internet and the other will connect to the local area network. As you’ve probably realized, this means your VPN server is actually functioning as more of a VPN router than as a server. It authenticates the users, creates the secure tunnel, and then, like any router, allows users to access resources on the subnet to which they are connecting or to another subnet, based on routing tables. Keep in mind that this can include non-Windows resources such as NetWare and UNIX servers.

The final major consideration is your Internet connection. Using a VPN server can mean that you’ll be able to get rid of many of your phone lines that are currently dedicated to RAS. However, in one sense, this is robbing Peter to pay Paul because you’ll probably need to consider increasing the Internet bandwidth at your corporate office. This will depend on how much bandwidth you have to begin with, what your current utilization is, and the numbers of users and remote offices that will be connecting to your VPN server. Also, VPN works best if you have an always-on Internet connection at your corporate network. If you have a dial-up Internet connection, the only VPN solution I would recommend would be a server-to-server connection between your corporate office and a remote office.

Configuring the VPN server

Once you’ve dealt with the hardware issues, you need to install Windows 2000 Server and the latest Service Pack on your machine. Make sure you don’t install other unnecessary services, such as DNS, DHCP, and IIS. Also avoid loading any additional third-party software, except for things that are absolutely necessary such as backup agents.

During installation, you should choose to statically assign IP addresses. You’ll need to set up one network card with a true Internet IP address and the default gateway of your Internet router. The other network card should have an IP address assigned to the local network, and it should not contain a default gateway.

You’ll also need to set the domain/workgroup for your VPN server. This setting will depend on how you decide to do authentication. There are three basic options: The VPN server can authenticate users locally, you can use Windows 2000 domain security, or you can pass authentication to a RADIUS server. If you have the VPN server authenticate users locally, you’ll want to set up a workgroup just for the VPN server—something like “Internet.” If you want to use Active Directory and have a Windows 2000 domain controller handle authentication, have the VPN server join a Windows 2000 domain. If you’re going to have a cluster of VPN servers, you may want to use a RADIUS server (such as Microsoft’s Internet Authentication Service) to perform VPN authentication. In this example, we’ll have the VPN server authenticate users locally.

Once you have Windows 2000 Server installed, go to Start | Programs | Administrative Tools | Routing And Remote Access to pull up the RRAS Microsoft Management Console, shown in Figure A. Then, click on the icon with the name of your server and click
Action | Configure And Enable Routing And Remote Access. This will launch a wizard that sets up a new server. Select Manually Configured Server, which will take you into RRAS to begin your configuration. You may be tempted to select the VPN option in the wizard, but please control yourself. The VPN wizard is still a little quirky, and it’s much better to configure the few basic VPN settings in RRAS manually so you’ll know how to troubleshoot and tweak them in the future.

Figure A: RRAS Microsoft Management Console

Start the configuration by right-clicking on the icon with the name of your VPN server and selecting Properties. This will bring up the main options you’ll use to activate your VPN server. In the General tab, shown in Figure B, make sure that you have checked the Router and Remote Access Server selections and that the LAN And Demand-Dial Routing option is selected under Router. Switch to the Security tab and select Windows Authentication if the VPN server is doing its own authentication or if you’re using a Windows domain for authentication. If you’re using a RADIUS server, choose RADIUS Authentication. As for PPP and Event Logging, you can leave the default settings or tweak them to your preferences.

Figure B: General tab in the Properties dialog box

The settings in the IP tab, shown in Figure C, are very important. You’ll want to check Enable IP Routing and Allow IP-based Remote Access And Demand-Dial Connections, and then configure IP Address Assignment for DHCP or assign a static address pool (in the subnet you want clients to connect on). Set the Adapter option to the adapter that connects to your LAN. The settings in the IP tab are crucial because they regulate the IP and network information that incoming VPN

Figure C: Settings in the IP tab
clients will receive. In most cases, I would recommend using DHCP to assign IP information to your VPN clients. This is especially effective when using the same DHCP server that clients on your LAN use to receive their IP information. VPN users can also receive static IPs, as you will see when we get to client configuration.

After completing the VPN server properties, there are only a few more settings to configure. If you did opt to use DHCP, you’ll need to right-click on DHCP Relay Agent (a container under IP Routing), select Properties, and add the IP address of the DHCP server(s) for your local area network.

After that, right-click on Ports and select Properties, and you should see the default configuration of 5 PPTP ports, 5 L2TP ports, and 1 Parallel port, as shown in Figure D.

Figure D: The Ports Properties dialog box

You can leave the default Parallel port alone, but you can double-click on the PPTP and L2TP ports and configure the number of ports you need for these protocols. You want to make sure that there are enough ports for all of your users and remote servers, but you don’t want to enable more ports than you need. Keep in mind that Windows 2000 Professional is currently the only client that supports L2TP, so most clients will connect using PPTP. While L2TP is destined to become the new standard in VPN, this article will focus on making connections using the simpler and more universal PPTP protocol.

Configuring remote clients

You have now completed all of the basic steps for preparing a VPN server on your corporate network. Now, let’s take a look at how to connect a remote client. In this example, I’ll focus on the best VPN client, Windows 2000 Professional. You can also make good VPN connections with Windows NT 4.0 and Windows 98, but they aren’t nearly as fast or as functional as Win2K Pro. However, before any client can connect to your VPN server, you need to provide their user account with remote access permission.

If your VPN server is authenticating users locally, set up user remote access permissions by going to Start | Programs | Administrative Tools | Computer Management | Local Users And Groups | Users and double-clicking a user (or creating a username) that you want to enable for remote access. Next, select the Dial-In tab and then select the Allow Access option, as shown in Figure E. As you get more advanced with VPN, you can select Control

Figure E: Options in the Dial-In tab
56 Administrator’s Guide to VPN and Remote Access, Second Edition

Access Through Remote Access Policy and Right-click on the Office VPN icon and
use Remote Access Policies for greater control click Properties. This will bring up your client
and security. The Dial-In tab also lets you set VPN options, which you’ll use to troubleshoot
up users to receive a static IP address, rather and adjust settings in the future. Now you can
than receiving their IP information from double-click the Office VPN icon to display a
DHCP when they connect. login screen, shown in Figure G. Enter a user-
On a Windows 2000 Professional machine name and password for a user who has remote
with an Internet connection, connecting to a access permission and click Connect. If you
corporate VPN server is simple. First, click have an always-on Internet connection, this
Start | Settings | Network And Dial-up Con- should bring up a dialog box to follow along
nections | Make New Connection. Click Next with the authentication steps. If you have a
to begin the wizard, and then select Connect dial-up connection, you should see the dial-up
To A Private Network Through The Internet. connection triggered first (you may have to hit
At the next prompt, you’ll need to specify how Connect for that one and then hit Connect
to connect to the Internet. If you have an again for the VPN connection), and then you
“always-on” connection, such as a DSL or will see the dialog box showing the VPN
cable modem, choose Do Not Dial The Initial authentication process.
Connection. If you have a dial-up connection,
choose Automatically Dial This Connection Summary
and select your Internet dial-up connection This article has provided a primer for setting
from the list. Now, you’ll need to select your up a VPN using Windows 2000. We’ve
destination address, which will be the fully focused on VPN as a remote access solution
qualified domain name or IP address of your for telecommuters, but the scope of VPN in
VPN server. Choose whether the connection Windows 2000 extends far beyond the basic
will be accessible for all users or only for your- concepts reviewed here. If you’re ready to
self. Then, name the connection (I suggest pilot a Windows 2000 VPN in your enterprise,
something like Office VPN) and click Finish. I recommend further study on VPN concepts
Now, when you open Network And Dial-up and troubleshooting by consulting Microsoft’s
Connections, you’ll notice the Office VPN VPN Web site (
icon, as shown in Figure F. serviceproviders/vpn_ras/default.asp).

Figure F Figure G

The Network And Dial-up Connections window

The Office VPN login screen

Administration 57
Issues surrounding a Windows 2000 VPN implementation
Nov 28, 2000
By Talainia Posey

If your business has multiple locations, there’s a good chance that sooner or later someone will ask you to link the various locations’ computer systems together. When taking on such a task, you have a couple of options. One option is to use a leased line, such as a T-1 line, to connect the facilities. Leased lines typically cost big money, however. If a leased line is out of your league, another option is to create a virtual private network. In this article, I’ll discuss some of the issues you’ll face when implementing a virtual private network in a Windows 2000 environment.

What’s a virtual private network?

Virtual private networks (VPNs) are often misunderstood. It seems that these days, practically everyone is selling a VPN solution, and they’re all different. For example, you can buy VPN solutions from router manufacturers and firewall vendors. Likewise, there are pure hardware VPN solutions and VPNs that are part of your network operating system, as in Windows 2000.

Each of these solutions works differently. Some of these solutions conform to the standards of a true VPN, and others don’t. Because of the variety of virtual private networking solutions, I’ll begin by discussing virtual private networking from the standpoint of a generic VPN solution. Once I’ve covered the basics of how VPNs function, I’ll discuss implementing a VPN in a Windows 2000 environment.

To understand how a VPN works, let’s assume you’ve been asked to link two corporate networks together, but a dedicated leased line is too expensive. Instead, you’ve thought about using a VPN. In its purest form, a VPN is nothing more than a method for joining two private networks together by passing data packets between the two networks through one or more third-party networks.

The most common example of a VPN is a situation in which two networks exchange data through the Internet. For example, suppose a user in Las Vegas needed to access a file from a server in Miami. If the two networks were linked through a VPN, the user could access the needed file just as though the Miami server were sitting in the next room. The end user would be totally oblivious to the fact that the file was passing through the Internet to get to the Las Vegas office.

Issues to consider

At first, the idea of passing files across the Internet may not seem like that big a deal. After all, we all exchange files through e-mail every day. However, VPNs work differently than e-mail servers. In an e-mail environment, it’s up to a user to send specific files to someone else. In a VPN, however, any user with the appropriate permissions may access any file on the network without the need for someone to send the files to them. To a user on a VPN, the remote servers look and act as if they are on your LAN.

If you stop and think about it, this means that your servers are totally exposed to Internet users. That’s a very scary thought when you consider the insecure nature of the Internet. Because the Internet is full of people with questionable intentions, it’s necessary to protect your servers. This is where the word “private” in virtual private networks comes in. VPNs are designed so that only registered network users may access your network. In a Windows 2000 environment, this is accomplished by using a combination of different protocols and encryption methods. I’ll discuss the specifics of Windows 2000 VPN security a little later.

When it comes to virtual private networking, performance and reliability are just as important as security. After all, what good is security if you can’t even access your own data? When it comes to virtual private networking, the issues of performance and reliability can be summed up in a single sentence that I can’t stress enough: Your VPN is only as good as your Internet connections.

To understand why this is so true, consider how a Windows 2000-based VPN works. When packets are destined for a remote location, the packets are encrypted and encapsulated inside a protocol that’s specifically designed to move the packets safely across the Internet. Because of the encryption and encapsulation techniques being used, packets flowing across a VPN tend to be larger than packets flowing across a conventional network. A significant amount of bandwidth is required for moving these larger packets. Now consider your Internet connection. Browsing the Web involves a relatively small amount of data exchange. If your Internet connection is too slow to comfortably surf the Web, what will happen when you flood the connection with VPN packets? I’ll give you one guess.

To build an effective VPN, your Internet connection should be as fast and reliable as possible. Keep in mind that this rule applies to both offices. After all, your VPN is only as fast as the slowest Internet link involved. Therefore, if the Las Vegas server from my earlier example has a T-3 connection, but the Miami server has only an ISDN link, then your VPN will be limited to ISDN speeds.

Technically, a VPN will work with slow Internet connections, but you’ll almost have to use some form of broadband communications to build your VPN. If you’re limited to using analog modems, communications are faster and infinitely more secure if the two servers dial each other directly rather than having the packets pass through the Internet. The only downside to such an arrangement would be the charges for the long distance phone call. The slowest practical connection I’ve seen successfully used for a VPN involved using a 128-Kbps ISDN link with a static IP address.

Windows 2000 VPN security

There are two protocols you can use for Windows 2000 VPNs. The first is Point-to-Point Tunneling Protocol (PPTP). Although still widely supported, PPTP is being slowly replaced by IPSec-based VPNs. To help you decide which protocol is right for your VPN installation, I’ll discuss the two protocols in detail and then compare the two.

Point-to-Point Tunneling Protocol

PPTP was the original VPN protocol Microsoft introduced. Many forms of Internet communications use the PPP (Point-to-Point) protocol. PPTP is merely an extension of PPP.

I mentioned earlier that VPNs rely heavily on encapsulation. The way the Windows 2000 PPTP implementation works is that standard network packets are encapsulated inside PPTP packets. The PPTP packets are then passed across the Internet. The advantage of using this method is that it works regardless of the protocol being used on your corporate networks. For example, suppose that your corporate networks use IPX/SPX. If a packet was destined for the remote network, the IPX/SPX packet would be encapsulated inside a PPTP packet.

When the remote VPN server receives the PPTP packet, it recognizes the packet as a PPTP packet and allows the packet to pass through the firewall (assuming that you’ve opened the appropriate firewall port). Once the packet gets past the firewall and reaches the VPN server, the PPTP shell is stripped away. At this point, the remaining data is a true IPX/SPX packet. The IPX/SPX packet contains all the usual information, such as the sender and recipient. The packet is then placed onto the network where it will reach the destination PC in the usual manner.

IPSec

IPSec is the first standards-based VPN protocol. IPSec is actually a collection of several services and protocols that are designed to collectively provide comprehensive security. In a virtual private networking environment, IPSec provides the mechanism through which the data is encrypted and decrypted.

While IPSec itself is responsible for establishing a secure connection between the two private networks, Microsoft’s implementation takes security a step further. It uses a mechanism called L2TP (Level-2 Tunneling Protocol) to better encrypt things like usernames, passwords, and data.

Not only does IPSec offer the encryption services necessary for VPNs, it also prevents hackers from launching a replay attack against either network by being “replay proof.” A replay attack is the process by which hackers capture packets and then replay them in order to gain access to a network. IPSec guards against replay attacks by associating a sequence number with each packet. If the recipient receives a packet with a sequence number that’s already been received, the packet is assumed to be fraudulent and is therefore discarded.

Comparing PPTP and IPSec

Now you know a little bit about how both VPN protocols work. Before you can truly make an informed decision about which protocol is right for your network, however, it’s necessary to understand the differences in the two protocols.

In a nutshell, IPSec is a standards-based protocol that runs on a variety of operating systems, such as Windows, Macintosh, and Linux. IPSec uses DES/3DES encryption and supports header compression. IPSec has minimal requirements for the network media since it requires only packet-based point-to-point connectivity.

PPTP, on the other hand, is a proprietary protocol designed by Microsoft to run on Windows and Linux platforms. It uses a proprietary encryption algorithm designed by Microsoft and doesn’t support header compression. PPTP also requires that the transit network support the IP protocol.

So which protocol is right for you? It depends on your network. If you’re adding an extra site to an existing Windows-based VPN, then it may be wise to stick with PPTP. If you’re building a brand-new VPN that’s purely Windows 2000 or that uses non-Microsoft/Linux VPN servers, however, IPSec is the protocol of choice.

Conclusion

In this article, I discussed some of the issues involved in creating a VPN in a Windows 2000 environment. As I did, I addressed typical concerns, such as cost, security, and reliability. In the next article, I’ll discuss the actual process of setting up a VPN.

Setting up a Windows 2000 virtual private network
Dec 26, 2000
By Talainia Posey

In “Issues surrounding a Windows 2000 VPN implementation” (page 58), I discussed some of the primary issues you should consider when building a virtual private network (VPN). These issues include such factors as security, reliability, and cost. In this article, I’ll describe the process of installing a VPN. I’ll also cover some additional issues you’ll face during the installation process.

Installing a VPN

Before we begin creating a VPN, let’s review the basic requirements. On one end of the VPN, you have a client. This client may be a remote network or a remote user. On the other end of the VPN, you have the host. The host is a Windows 2000 server that functions as a router between the Internet and the private network.

The server that’s functioning as a router should have a permanent Internet connection, such as the type provided through a leased line. It is possible to implement a VPN even if the host relies on a dial-up connection to the Internet. However, I highly discourage using a dial-up connection. That’s because even if you can manage to stay dialed in 24 hours a day, 7 days a week, most Internet service providers assign dynamic IP addresses to dial-up users. This means the host router would likely have a different IP address every time it connects to the Internet. As you can imagine, it would be very difficult for remote clients to connect to the host if the host’s IP address keeps changing.

With that said, let’s look at the process for configuring the host router to provide VPN capabilities. For the purpose of this article, I’ll work through the process of joining two networks through a VPN. As such, both of the Windows 2000 servers involved in the process function as hosts and clients. The dual functionality of each machine allows VPN traffic to flow in both directions. This arrangement allows the free exchange of data between the two networks.

Begin the configuration process by clicking the Start button and selecting Programs | Administrative Tools | Routing And Remote Access. When the Routing And Remote Access console appears, right-click on the host server and select the Enable Routing And Remote Access command from the context menu. When you do, you’ll see the Routing And Remote Access Server Setup Wizard. On the initial wizard screen, click Next to begin the installation process.

The resulting screen gives you the choice of several types of routing and remote access. Even though this server will function as a VPN router, don’t select VPN just yet. Instead, select Manually Configured Server and click Next. The resulting screen will display a summary of the configuration you’ve chosen. Click Finish to close the wizard.

When you complete the wizard, Windows will ask if you want to start the Remote Access Service. Click Yes, and the service will be started. If you’ve ever created a remote access server under Windows NT 4.0, you’ll notice (and appreciate) the fact that Windows 2000 doesn’t require you to reboot the server. When the service starts, you’ll see there are several configuration options available in the Routing And Remote Access console, as shown in Figure A.

Figure A: The Routing And Remote Access console will contain many more options after you’ve enabled the Remote Access Service.

At this point, right-click on Routing Interfaces, and then select the New Demand Dial Interface command from the context menu. When you do, Windows 2000 will launch the Demand Dial Interface Wizard. Start by clicking Next. Now, the wizard will ask you for the name of the interface you’re configuring. Many people choose to name the interface after the network it’s attached to or after the function the interface will provide. For example, you might call the interface VPN Interface. Once you’ve entered the name of the new interface, click Next.

Now, Windows will ask you what type of demand dial interface you want to create. Select the Connect Using Virtual Private Network (VPN) radio button and click Next.

The next screen the wizard displays asks for the type of VPN interface you want to create. The choices are PPTP, L2TP, or Automatic Selection. The type of VPN interface you create is really up to you. Microsoft recommends using L2TP for new VPN installations. So, let’s use L2TP for the purpose of this article.

At this point, you’ll see a screen that asks for the IP address or host name for the remote VPN router. As you probably know, the host name is the remote machine’s registered DNS name. Therefore, in the space provided you can enter an IP address, such as , or a host name, such as techre-. Click Next to continue.

After you’ve entered the host name or IP address of the remote router, you’ll see a screen similar to the one shown in Figure B. This screen asks what type of packets you plan on routing across the VPN link. Again, the selections you make will greatly depend on your individual network. As you can see in the figure, I’ve chosen to allow IP packets but to disallow IPX packets. I’ve also chosen to create a remote access user account and password so that it’s possible for the remote router (or remote users for that matter) to access the network through the VPN. When you’ve made your selections, click Next.

Figure B: Select the types of data you’ll allow to flow across your VPN link.

Now, assuming you’ve allowed dial-in access, the wizard will display a screen that asks for some dial-in credentials. At first, this screen may be a bit deceptive. It’s easy to accidentally assume this screen is designed to give access to dial-in users. However, its purpose is to establish a user name and password that can be used to validate the remote router when it tries to connect. After all, you don’t want just anyone who knows your host name or IP address to build a VPN that allows access to your network.

On this screen, the wizard will be set to automatically create a user account that uses the same name as the interface you’re creating. For example, if you named your interface VPN Interface, then the user account will also be called VPN Interface. Although this screen won’t allow you to change the user name, you can enter a password for the user account. Once you’ve entered and confirmed the account’s password, click Next to proceed.

The resulting screen gives you a chance to enter the credentials for connecting to the remote network. Remember that when you join two networks through a VPN, both networks must be protected. This means you’ll have a separate VPN user name and password for each network. Each VPN router must be set up to know the authentication information for the remote VPN router it will connect to. Simply fill in the domain name, user name, password, and password confirmation for the remote router. When you’ve entered this information, click Next.

You’ve now finished configuring your VPN router. Click Finish to complete the process. Remember that you must configure both routers before your VPN will work.

Cleaning house

Now that you’ve created a VPN, there are a few things you need to do to ensure that your network is secure and that your VPN is functional. Remember that each VPN router is connected to the Internet. There are countless Internet users with malicious intent who would just love to get their hands on your network.

Although the VPN link you’ve just created is secure, there are other ways to get into your network from across the Internet. Typically, hackers exploit unused TCP/IP ports. Therefore, I strongly recommend implementing IP packet filtering in a way that will block all inbound Internet traffic except for VPN traffic (and any other types of traffic you might

IP filtering is a science in and of itself. Therefore, it’s impossible to thoroughly discuss IP filtering in the amount of space I have to work with. I can, however, show you the basic technique.

To enable IP filtering, go to Control Panel and double-click the Network And Dial Up Connections icon. Now, right-click on your Internet connection and select the Properties command from the context menu. Next, select Internet Protocol (TCP/IP) from the list of installed components and click the Properties button.

When you do, you’ll see the Internet Protocol (TCP/IP) Properties sheet. Click the Advanced button to view the advanced TCP/IP properties. On the Advanced TCP/IP Properties sheet, select the Options tab. Now, select TCP/IP Filtering and click the Properties button. You can then use the resulting dialog box to enable or disable various TCP/IP ports. It’s important to point out, however, that in Windows 2000, it’s impossible to filter TCP/IP on one adapter but not another. If you filter TCP/IP on one adapter, you’ve filtered TCP/IP on all the adapters.

The other task you must complete is to exchange route information between the routers and test the VPN link. To do so, return to the Routing And Remote Access console and navigate to Server | IP Routing | General. Next, right-click on the demand dial interface and select the Update Route command from the context menu.

Now, perform this task on the other router as well. To make sure that the route exchange worked, go to the Routing And Remote Access console’s IP Routing | Static Routes section. The routes you created should be visible. You should now be able to ping each router from the other router.

Conclusion

In this article, I’ve explained how to implement a VPN. As I did, I discussed some issues you may encounter during the implementation phase.
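The “Cleaning house” section above recommends blocking all inbound Internet traffic except the VPN traffic. The Python below is an added model of that allow-list policy, not a Windows 2000 component or the TCP/IP Filtering dialog: it decides, packet by packet, whether an inbound packet on the Internet adapter matches a rule, and defaults to drop. The well-known protocol numbers and ports are assumed for the example (PPTP uses TCP port 1723 for its control channel and IP protocol 47, GRE, for tunnelled data; L2TP over IPSec shows UDP port 500 for IKE and IP protocol 50, ESP, on the wire, with the L2TP UDP 1701 traffic carried inside ESP), and the packet sample is constructed.

```python
"""Inbound allow-list filter for a VPN router's Internet-facing adapter.

Illustrative code added to this guide, not a Windows 2000 component. It
models the recommended policy: drop every inbound packet except VPN traffic
and anything you explicitly allow. Port and protocol numbers are assumed for
the example: PPTP = TCP/1723 + IP protocol 47 (GRE); L2TP/IPSec = UDP/500
(IKE) + IP protocol 50 (ESP), with L2TP's UDP/1701 riding inside ESP.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50

# A rule is (ip protocol, destination port); a port of None allows the whole protocol.
Rule = Tuple[int, Optional[int]]
PPTP_RULES: FrozenSet[Rule] = frozenset({(IPPROTO_TCP, 1723), (IPPROTO_GRE, None)})
L2TP_IPSEC_RULES: FrozenSet[Rule] = frozenset({(IPPROTO_UDP, 500), (IPPROTO_ESP, None)})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # only meaningful for TCP and UDP


def build_policy(pptp: bool = True, l2tp_ipsec: bool = False,
                 extra: Iterable[Rule] = ()) -> FrozenSet[Rule]:
    """Assemble the inbound allow-list from the VPN types in use plus explicit extras."""
    rules = set(extra)
    if pptp:
        rules |= PPTP_RULES
    if l2tp_ipsec:
        rules |= L2TP_IPSEC_RULES
    return frozenset(rules)


def is_allowed(pkt: Packet, policy: FrozenSet[Rule]) -> bool:
    """Default deny: a packet passes only if a rule names its protocol (and port)."""
    if (pkt.proto, None) in policy:
        return True  # whole protocol allowed (GRE, ESP)
    if pkt.proto in (IPPROTO_TCP, IPPROTO_UDP):
        return (pkt.proto, pkt.dport) in policy
    return False


def filter_inbound(packets: Iterable[Packet],
                   policy: FrozenSet[Rule]) -> List[Tuple[Packet, bool]]:
    """Pair every packet with the filter's verdict."""
    return [(p, is_allowed(p, policy)) for p in packets]


# Constructed sample of inbound traffic arriving on the router's Internet adapter
# (documentation address ranges; no real hosts).
SAMPLE = [
    Packet("203.0.113.7", "198.51.100.2", IPPROTO_TCP, 1723),   # PPTP control channel
    Packet("203.0.113.7", "198.51.100.2", IPPROTO_GRE),         # PPTP tunnelled data
    Packet("203.0.113.9", "198.51.100.2", IPPROTO_TCP, 139),    # NetBIOS session: unwanted
    Packet("203.0.113.9", "198.51.100.2", IPPROTO_TCP, 445),    # SMB: unwanted
    Packet("203.0.113.9", "198.51.100.2", IPPROTO_UDP, 500),    # IKE: only needed for L2TP/IPSec
    Packet("203.0.113.9", "198.51.100.2", IPPROTO_ESP),         # ESP: only needed for L2TP/IPSec
    Packet("203.0.113.11", "198.51.100.2", IPPROTO_TCP, 80),    # web: needs an explicit extra rule
]


def summarize(policy: FrozenSet[Rule]) -> Tuple[int, int]:
    """Return (allowed, dropped) counts for SAMPLE under the given policy."""
    results = filter_inbound(SAMPLE, policy)
    allowed = sum(1 for _, ok in results if ok)
    return allowed, len(results) - allowed


if __name__ == "__main__":
    policy = build_policy(pptp=True)
    for pkt, ok in filter_inbound(SAMPLE, policy):
        print(f"{'PASS' if ok else 'DROP'}  proto={pkt.proto:<3} dport={pkt.dport}  from {pkt.src}")
```

Two points carry over to the real dialog. First, the policy is an allow-list: adding a VPN type widens it, and anything not listed (the NetBIOS and SMB probes in the sample) is dropped without a rule naming it. Second, as the article notes, Windows 2000’s TCP/IP Filtering applies to every adapter, so a rule set written for the Internet adapter also governs what the LAN adapter accepts; any LAN-side service must appear in the same list.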

Introducing Windows 2000 Routing

and Remote Access
Oct 20, 2000
By Jim Boyce

icrosoft introduced Remote Access starting with an overview of what the service
Services (RAS) early in the Windows can do.
NT product cycle, adding routing
capability through an add-on service for Win- Overview of Windows 2000
dows NT. Windows 2000 integrates these RRAS
services in a single Routing and Remote Remote Access Services (RAS) enables a Win-
Access Service (RRAS) that provides excellent dows 2000 computer to dial and access remote
utility for routing, remote access, and integra- networks, the Internet, and even individual
tion with other Windows 2000 services, as servers or client workstations. RAS is the
well as third-party platforms. In this article, I’ll mechanism you use, for example, to dial out
take a look at RRAS in Windows 2000 Server, from a Windows 2000 computer to access an

Administration 63
Internet service provider or a remote LAN. enabling you to delegate remote access admin-
Windows 2000 RAS supports several connec- istrative authority over specific services or
tion options including modem, ISDN, infrared organizational units (OUs).
connections, parallel and serial port direct con- Windows 2000 RRAS offers several
nections, X.25, and asynchronous transfer authentication options. By supporting
mode (ATM). Windows 2000’s support for tun- Remote Authentication Dial-In User Service
neling protocols, such as PPTP and L2TP, (RADIUS)—either through a non-Windows
enables clients to establish a secure connection 2000 RADIUS server or through the Windows
to a remote network through a public network 2000 Internet Authentication Services (IAS)—
such as the Internet. Windows 2000 RRAS enables you to rely on
The RAS component in Windows 2000 Windows 2000 for routing services while
also enables a computer running Windows offloading authentication and accounting to a
2000 Server to function as a dial-up server, RADIUS server. Windows 2000 also supports
allowing clients to dial into the server to a broad range of authentication protocols
access local server resources, such as files and including Microsoft Challenge Handshake
printers. Depending on the configuration of Authentication Protocol (MS-CHAP), Extensi-
the server, clients can also gain access to the ble Authentication Protocol (EAP), CHAP,
network on which the server resides, accessing SPAP, and PAP. You’ll find good network
LAN resources just as if the client were con- protocol support in RRAS with TCP/IP,
nected locally to the LAN. Windows 2000 IPX/SPX, NetBEUI, and AppleTalk enabling
Server supports an unlimited number of con- Macintosh, NetWare, and UNIX clients to
current connections, subject to hardware con- connect to a Windows 2000 RRAS server in
siderations such as server capacity, number of addition to Microsoft clients.
physical connections (available modems, for
example), and so on. Windows 2000 Profes- New features in Windows 2000
sional computers can also serve as RAS Windows 2000’s RRAS integrates all the fea-
servers but only for one connection at a time. tures in Windows NT RAS and the Routing
A Windows 2000 remote access server sup- and Remote Access Service and adds several
ports the same connection options for incom- more features to improve performance, inte-
ing connections as the outgoing connection gration, and security. One of the most impor-
options mentioned previously. You can also tant additions is the integration of RRAS into
use Windows 2000 RRAS to support incom- Active Directory (AD). You gain the advantage
ing Terminal Services client connections. of AD’s replication, enabling replication of
Windows 2000 RRAS also enables a Win- client account properties throughout the direc-
dows 2000 server to function as a router. Win- tory. Administration is easier too, thanks to
dows 2000 RRAS supports both unicast and the ability to browse multiple RRAS servers
multicast protocols, as well as packet filtering, through AD and manage those servers
connection sharing, demand-dial routing, and through the RRAS console, an MMC snap-in
encrypted authentication for secure router-to- (Figure A).
router connections. A key advantage to using The Windows 2000 RRAS service adds
Windows 2000 RRAS for routing services is its support for both Bandwidth Allocation Proto-
integration with other Windows 2000 services, col (BAP) and Bandwidth Allocation Control
such as Active Directory (AD) and Kerberos Protocol (BACP), which work in concert to
authentication, DHCP, and so on. Integration support multilink connections. Multilink
with AD enables user accounts and remote enables Windows 2000 to bundle multiple
access policies and settings such as callback, connections to provide an aggregate band-
access permissions, and so on to be replicated width equaling the sum of the individual con-
across the domain for redundancy. AD inte- nections. Aggregate two 56-Kbps dial-up
gration also can simplify management by pro- connections, for example, and you get a theo-
viding a single point of administration and retical connection of 112 Kbps (although the

64 Administrator’s Guide to VPN and Remote Access, Second Edition

resulting connection is limited by the FCC- Figure A
imposed limit on 56 Kbps connections, line
quality, and other factors). BACP enables
Windows 2000 to dynamically allocate and
de-allocate connections based on bandwidth
As bandwidth use increases, Windows 2000
can automatically dial additional connections
to accommodate the increase. When band-
width demand decreases, Windows 2000 can
automatically drop connections. Managing the
number of connections in this way can realize Like other Windows 2000 services, RRAS provides an MMC snap-in that lets you manage
a significant cost savings. You can apply all RRAS server properties.
BAP/BACP policies through remote access
policies, tailoring those policies to OUs, Another new feature in Windows 2000’s
groups, or individual accounts. RRAS is support for EAP, which enables addi-
Support for MS-CHAP version 2 is another tional authentication methods to be supported
addition in Windows 2000 RRAS. Version 2 offers improved security primarily aimed at virtual private network (VPN) connections. MS-CHAP version 2 integrates several changes for improved security:
X Stronger encryption: Previous versions of MS-CHAP used 40-bit encryption and the user's password to create the cryptographic key for each session. This resulted in the same key being used for each session unless the password changed. Version 2 uses an arbitrary challenge string along with the user's password to create the session key. The use of the arbitrary challenge string results in a unique key for each session even if the user's password remains unchanged.
X Mutual authentication: This feature provides for two-way authentication between the remote client and the RRAS server. Bidirectional authentication not only allows the server to authenticate the client's logon request but also enables the client to authenticate the server's authority to service its authentication request.
X Improved transmission security: Windows 2000 RRAS uses separate cryptographic keys for incoming and outgoing data, providing enhanced transmission security.
X LAN Manager coding no longer supported: MS-CHAP version 2 drops support for LAN Manager response coding and password encoding for improved security.
Keep in mind that even MS-CHAP version 2 derives its session keys from the user's password, so a captured handshake can be attacked offline by guessing passwords. Enforce strong passwords, or use certificate-based EAP-TLS authentication where the clients support it.
without changes to the operating system or RRAS. The server and client negotiate the authentication method. EAP types currently supported by Windows 2000 include EAP-MD5 CHAP and EAP-TLS, and RRAS can also hand authentication off to a RADIUS server. We'll take a look at each of these a little later.
As hinted at previously, Windows 2000 RRAS supports RADIUS for authenticating clients. RRAS can authenticate access against a Windows 2000 server running the Internet Authentication Service (IAS) included with Windows 2000 Server or any server running a standards-based version of RADIUS, including UNIX hosts. Support for RADIUS enables a Windows 2000 RRAS server to authenticate clients that connect through RADIUS-based devices such as modem pools. The RRAS server can handle RADIUS authentication itself if IAS is installed on the server, or it can redirect authentication to another server, whether that server is running Windows 2000 IAS or another RADIUS implementation (including UNIX platforms). One of the primary advantages of using RADIUS, other than integration with existing hardware or authentication servers, is the accounting capability RADIUS provides. Several third-party utilities exist that provide rich account management through integration of the RADIUS logs with database utilities for SQL and other database platforms.
Security and administration are important areas of improvement in Windows 2000 RRAS.
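The RADIUS hand-off described above, modelled as an added example (this is not code from the book, and not how RRAS or IAS are implemented): the NAS (the RRAS server) builds an Access-Request, the RADIUS server recovers the credential and answers, and the NAS verifies the Response Authenticator with the shared secret before it trusts an Access-Accept. RFC 2865 PAP password hiding is used because it is the simplest mechanism to show (RRAS would normally carry MS-CHAP attributes); the user account, shared secret, identifier and NAS address are constructed for the example.

```python
# RFC 2865 Access-Request / Access-Accept exchange between a NAS and a RADIUS server.
# Added example, not the book's or Microsoft's code; PAP hiding, test account and
# secret are assumptions made for the demonstration.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

USERS = {b"jboyce": b"Secr3t!"}   # constructed account database for the example
SECRET = b"shared-secret"         # constructed NAS/server shared secret


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RFC 2865 attributes: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with an MD5 chain keyed by the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(raw):
    if len(raw) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("bad length")
    return code, ident, raw[4:20], decode_attrs(raw[20:])


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def nas_access_request(username, password, secret, ident=7, nas_ip=b"\xc0\xa8\x00\x01"):
    """What the NAS sends; returns (packet, request_authenticator) so the reply can be checked."""
    ra = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, ra)),
             (NAS_IP_ADDRESS, nas_ip)]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra


def radius_server_reply(raw, secret, users):
    """Server side: recover the password, check it, sign the reply with the shared secret."""
    code, ident, ra, attrs = parse_packet(raw)
    a = dict(attrs)
    ok = (code == ACCESS_REQUEST and USER_NAME in a and USER_PASSWORD in a
          and users.get(a[USER_NAME]) == unhide_password(a[USER_PASSWORD], secret, ra))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, ra, b"", secret), [])


def nas_verify_reply(raw, request_auth, secret, expected_ident):
    """The NAS must match the identifier and the Response Authenticator before honouring an Accept."""
    code, ident, auth, attrs = parse_packet(raw)
    expected = response_authenticator(code, ident, request_auth, encode_attrs(attrs), secret)
    return ident == expected_ident and hmac.compare_digest(auth, expected) and code == ACCESS_ACCEPT


def forged_accept(ident=7):
    """An Access-Accept from someone without the secret: random authenticator."""
    return build_packet(ACCESS_ACCEPT, ident, os.urandom(16), [])


def demo(username=b"jboyce", password=b"Secr3t!", secret_on_server=SECRET):
    """Full round trip; True only if the server accepted and the reply verifies."""
    req, ra = nas_access_request(username, password, SECRET)
    return nas_verify_reply(radius_server_reply(req, secret_on_server, USERS), ra, SECRET, 7)
```

The check in `nas_verify_reply` is the point: a RADIUS server that is reachable by spoofed UDP can be impersonated, and only the shared secret binds the reply to the request, so a NAS that skipped that check would accept `forged_accept()`.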

Administration 65
You can apply remote access settings such as callback, connect time restrictions, allowed session limits, authentication methods, and other properties at the user account level, as shown in Figure B. A better method, however, is to use remote access policies to apply remote access settings on a group or OU basis. Windows 2000 RRAS also supports account lockout, which helps prevent dictionary attacks by locking the account after an administrator-defined number of bad logon attempts. You can also specify the length of time the account is locked out before it is re-enabled. Note that lockout cuts both ways: an attacker who knows valid user names can deliberately lock those users out, so monitor lockout events rather than treating lockout as a complete defense.
One final improvement in Windows 2000 RRAS is the addition of support for AppleTalk over PPP, enabling Macintosh clients to connect to a Windows 2000 RRAS server using native Macintosh protocols.
Figure B: You can apply remote access settings at the user account level, but remote access policies provide better administrative control, enabling you to define settings at the group or OU level.
Managing RRAS through the MMC
As with other Windows 2000 services, you manage RRAS through an MMC console snap-in. The RRAS console enables you to fully manage local and remote RRAS servers (subject to access and security restrictions). The console provides a wizard to help you configure the server according to its primary function, whether Internet connection server, VPN server, remote access server, or router. You can configure the server manually and fine-tune the configuration to accommodate changes or settings not available through the wizard. You also use the RRAS console to configure remote access policies.
Exploring RAS protocols and connection types
Windows 2000 RRAS provides support for several protocols and connection types, giving you quite a bit of flexibility in designing your remote access structure to accommodate security needs, network topology, or remote server capability. Windows 2000 supports Serial Line Internet Protocol (SLIP) for dial-out connections to remote servers that support SLIP (such as older UNIX-based servers), but it doesn't support SLIP for incoming connections.
Probably the most common connection protocol in use today, and one you'll likely use, is Point-to-Point Protocol, or PPP. This successor to SLIP offers better reliability and performance and provides good cross-platform support. Windows 2000 supports PPP for both incoming and outgoing connections, enabling clients to use TCP/IP, IPX, or NetBEUI as the network protocol. Macintosh clients can connect to a Windows 2000 RRAS server using TCP/IP or AppleTalk. PPP supports a good selection of authentication protocols, offering options that can accommodate both client capability and security needs.
Windows 2000 RRAS supports the Microsoft RAS protocol, a proprietary Microsoft protocol for DOS, Windows for Workgroups, Windows NT 3.1, and LAN Manager remote access. The Microsoft RAS protocol requires that the client use NetBEUI as the network protocol, with the RAS server functioning as a NetBIOS gateway supporting NetBEUI, NetBIOS over TCP/IP, and NetBIOS over IPX. Since NetBEUI will likely go away in the next OS release, you should rely on one of the other protocols instead of Microsoft RAS.
As mentioned previously, Windows 2000 RRAS also supports Point-to-Point Multilink

66 Administrator’s Guide to VPN and Remote Access, Second Edition

Protocol (PPMP) and Bandwidth Allocation Protocol (BAP). These protocols enable Windows 2000 to bundle multiple connections to achieve an aggregate bandwidth. For example, you can use multilink to combine both B channels of an ISDN connection to achieve an effective throughput twice what you'd get with a single channel (or even do the same thing with two DSL circuits). BAP lets Windows 2000 dynamically manage the connection, adding or dropping connections as needed according to bandwidth utilization.
For situations requiring secure connections, Windows 2000 supports Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). Both protocols encapsulate data packets for transmission across public networks such as the Internet, and each can be paired with an encryption layer (MPPE for PPTP, IPSec for L2TP) to make that transmission secure. You might use PPTP or L2TP to connect through the Internet to a VPN server on your LAN, for example, giving you secure dial-up access to your LAN. Why not just dial directly into the LAN? Connection costs are a primary reason. The LAN might be located outside your local calling area, requiring a toll call to connect. But connection cost isn't the only factor. If the LAN already has a direct connection to the Internet, you avoid the need to install and support dial-up equipment on the LAN side, plus you eliminate a potential security risk: unauthorized clients bypassing the firewall or proxy server to gain access to your LAN through the dial-up back door.
PPTP doesn't use encryption by default but can use Microsoft Point-to-Point Encryption (MPPE) to encrypt the PPP frames with encryption keys generated during MS-CHAP or EAP-TLS authentication. Since PPTP encapsulates the data unencrypted by default, you'll need to specifically use MS-CHAP or EAP-TLS with MPPE if you want your PPTP connection to be truly secure. Because the MPPE keys come from the authentication exchange, the tunnel is only as strong as the credentials behind it.
Where additional security is needed, you can use L2TP rather than PPTP. L2TP relies on Internet Protocol Security (IPSec) to provide encryption of encapsulated data rather than MPPE. While this requires that both endpoints support L2TP and IPSec, it provides a higher degree of security than PPTP.
Windows 2000 RRAS also offers good network protocol support for RRAS connections, supporting TCP/IP, IPX, NetBEUI, and AppleTalk. For TCP/IP connections, RRAS can allocate IP addresses and related settings to incoming connections either through DHCP or a static address pool. The RRAS service also allows clients to request a predefined IP address. Unless you're configuring a router or remote access server only for Microsoft clients that don't require Internet connectivity, or supporting only NetWare clients, you're probably going to settle on TCP/IP as the protocol of choice.
If you do need to support NetWare clients that use IPX, you can do so through the RRAS service. IPX support enables a Windows 2000 RRAS server to function as a remote access server for NetWare IPX clients and also serve as an IPX router to route RIP, SAP, and NetBIOS traffic. In addition to the IPX protocol, the client must be running a NetWare network client, such as the Client for NetWare on Windows 2000 Professional computers or Gateway Service for NetWare on a Windows 2000 Server computer.
NetBEUI is a good solution for remote access to small LANs and where dial-up traffic does not require routing (since NetBEUI is a nonroutable protocol). NetBEUI is much easier to configure than TCP/IP and therefore results in lower administrative overhead. Support for the AppleTalk protocol enables Macintosh clients to access network resources shared by other AppleTalk clients on the LAN, including those shared through Services for Macintosh or by other local Macintosh clients.
Enabling RRAS
When you install Windows 2000 Server, Setup automatically installs the RRAS service but doesn't enable it. This means you don't have to install the service, but you do need to enable and configure it according to the functions you want the RRAS server to perform. The server can handle incoming remote access connections, manage outgoing remote access connections, function as a router, or do any combination of the three.

The first step in getting the RRAS server up and running is to ensure the connections are in place. For incoming connections, this could mean installing additional network interfaces, modems, multiport cards, standalone modem pools, and so on, depending on the types of clients you need to support. The same is true for outgoing RAS connections, but this typically involves adding only a network interface or installing a modem, ISDN adapter, DSL equipment, and so on. Configuring connections for routers typically means adding a network interface where appropriate and configuring its protocol settings.
Once the interfaces or remote access hardware is in place and tested, your next step is to enable and begin configuring the RRAS server. You'll find the Routing and Remote Access console in the Administrative Tools folder. In the left pane, right-click the server and choose Configure And Enable Routing And Remote Access to start the Routing And Remote Access Server Setup Wizard. The wizard lets you choose between four different types of servers or configure the server manually. You have full control over settings after installation and can modify settings as needed if you choose to let the wizard configure the server for you. You can also configure the server manually and then run the wizard at a later time if you want to change the server's role, although you'll lose most of your manually configured settings when you do so and you'll have to reapply them through the wizard. If you configure the server using the wizard and then decide you want to start over from scratch, you can disable and then re-enable the service to start with a clean slate. To do so, in the RRAS console, right-click the server and choose Disable Routing And Remote Access, and after the service stops, run the wizard again to configure the service.
What's next
At this point you have a basic background in the Windows 2000 Routing and Remote Access service with a look at many of its requirements and capabilities.

Configuring Routing and Remote Access on your Windows 2000 server
Oct 24, 2000
By Jim Boyce

In "Introducing Windows 2000 Routing and Remote Access" (page 63), I discussed the Windows 2000 Routing and Remote Access Service (RRAS), which provides support for dial-out connections, dial-in connections, and routing. I also explained the connection and network protocols supported by Windows 2000 RRAS, along with security and integration features. Now, it's time to start configuring your RRAS servers, starting with a network address translation (NAT) proxy.
Configuring a network address translation server (Internet gateway)
The Routing and Remote Access Server Setup Wizard, which runs when you enable the RRAS service, gives you five options for setting up a Windows 2000 RRAS server. The first wizard option, Internet Connection Server, lets you configure a Windows 2000 RRAS server to share its Internet connection


and function as a gateway to the Internet for other computers on the server's local network. In this configuration, the server sits on both the public Internet and the private local network, as illustrated in Figure A. The client computers reside on the local private network, and the server performs the necessary NAT required to enable the clients to connect to the Internet. This option actually offers two different methods to support the Internet connection. The first method uses Internet Connection Sharing (ICS), which is also available in Windows 2000 Professional and Windows 98SE. The second method provides essentially the same function but much more flexibility for configuration. Before diving into NAT setup, though, let's take a minute to get a background understanding of NAT.
Figure A: NAT enables computers on a private, nonroutable subnet to access the Internet. (Diagram: workstations on the private network, the NAT server, and the server's public Internet interface.)
Understanding network address translation (NAT)
To configure a NAT server, you need to understand the different functions that the NAT server performs. NAT handles three main responsibilities, each performed by a different RRAS component. Address translation is the first function the NAT server performs, translating IP addresses and TCP/UDP ports for packets traveling between the public interface (the Internet) and the private local network. This is the function that enables clients to reside on a private, nonroutable subnet but still gain access to the Internet. The server handles the translation, substituting its own IP address for the client's address, enabling the packets to be routed back. The server replaces the IP address for incoming packets in the same fashion, applying the local address of the target client.
The second function the NAT server performs is address allocation. As in the case of ICS, the NAT server can allocate IP addresses to clients that are configured to obtain their address leases via DHCP. You don't need this function if you want to use a different subnet from the default of 192.168.0.n or if you already have a DHCP server on the network to handle address allocation. The following are the network IDs reserved for private networks (RFC 1918):
X 10.0.0.0 with subnet mask 255.0.0.0
X 172.16.0.0 with subnet mask 255.240.0.0
X 192.168.0.0 with subnet mask 255.255.0.0
The third function the NAT server performs is DNS resolution. Clients submit DNS requests to the NAT server. The NAT server then forwards the requests to the DNS servers configured in the NAT server's TCP/IP settings. The NAT server redirects replies to the requesting client.
The NAT server performs address translation through the use of a NAT table. Here's how it works: A client on the private network generates packets for a public node, and the server intercepts that traffic (since it functions as the default gateway for the client). The server replaces the client's IP address with its own public address and replaces the source port with a different, unique port number. For example, assume that the server has one address on its public interface and another on its private interface. A client on the private network requests a Web site on the standard TCP port 80. The server replaces the client's private source address with its own public address and replaces the source port with, say, port 5000.

The server stores the replacement data in the NAT table and sends the packet. When a packet comes back, it checks the NAT table, reverses the translation according to the data in the packet and in the NAT table, and forwards the packet to the correct client.
NAT works just fine as long as the IP address and port data are contained in the IP and TCP/UDP headers of the packet. When the address or port data is contained in the body of the packet (also referred to as the payload), translation could fail. For example, PPTP doesn't use a TCP or UDP header but instead uses a Generic Routing Encapsulation (GRE) header, with a tunnel ID stored in the GRE header identifying the data stream. Certain FTP operations, as well as other IP operations, can also have problems with NAT because of the way the packets are built.
To get around this problem, the NAT server needs a means of determining the appropriate address and port information for routing the packets. NAT servers, including Windows 2000 RRAS, employ NAT editors to perform this additional processing. Windows 2000 RRAS includes NAT editors for FTP, ICMP, PPTP, and NetBIOS over TCP/IP. The NAT editor analyzes the packet and performs the necessary additional translation to send the packet on its way, doing the same for incoming packets before passing them to the destination client on the private network. Figure B illustrates the concept.
Figure B: NAT editors provide additional processing for both incoming and outgoing traffic where required. (Diagram: outgoing and incoming traffic between the Internet and the private network passes through the NAT service for translation, and through a NAT editor if required.)
Internet Connection Sharing (ICS)
The first of the two methods that Windows 2000 offers for NAT services is Internet Connection Sharing (ICS). ICS is included with Windows 2000 Server, Windows 2000 Professional, and Windows 98SE. In an ICS connection, the server shares its Internet connection and acts as a proxy for the clients to enable them to use the connection as well. That connection could be something as simple as an analog dial-up connection or a dedicated, high-speed connection, such as a T1.
The practicality of the connection depends on the type of connection, number of clients, and ways in which the clients use the connection. Several clients sharing a 56K dial-up connection to access e-mail is a practical application of ICS, but sharing a dial-up line such as this to enable Web browsing or concurrent FTP sessions isn't very practical. Even so, ICS presents an easy way to share a single connection and can provide a layer of security between the clients and the Internet because the local clients reside on a nonroutable subnet. Here's why: Enabling ICS on a Windows 2000 Server computer automatically assigns the IP address 192.168.0.1 to the server's local network interface, using a subnet mask of 255.255.255.0. The server then allocates IP addresses to clients when they start up, assigning addresses in the range 192.168.0.2 through 192.168.0.254, much like a DHCP server. You can also configure clients to use static addresses in that range, if preferred. The ICS server provides DNS proxy name resolution for the clients and performs the network address translation necessary for the clients to use the connection. This network address translation and the fact that the local network resides on a nonroutable private subnet can provide a layer of protection for the clients, helping isolate them from the Internet. Bear in mind, though, that NAT is not a firewall: it blocks only unsolicited inbound traffic, it does nothing to protect the ICS host itself, and on an RRAS NAT server every reservation or special port you add later reopens a path from the Internet to a private host.


If you decide to use ICS, you don't use the RRAS console to configure it. If you select ICS in the RRAS Wizard, the wizard points you to the Network And Dial-Up Connections folder to enable ICS. Simply make sure you have two functioning network interfaces, one for the local network and one for the Internet connection (which can be a dial-up connection). Then, open the Network And Dial-Up Connections folder, right-click the Internet connection, and choose Properties. Click the Sharing tab, and then select the option Enable Internet Connection Sharing For This Connection. Select the network interface through which the connection is shared from the drop-down list, if the server has more than one interface. This is the interface that will be assigned the 192.168.0.1 address. If the shared connection is a dial-up connection, select the Dial On Demand option to enable the server to automatically dial the connection when a client attempts to access an Internet resource. When you click OK, Windows 2000 automatically reconfigures the network address of the computer's local network interface and begins handling requests from clients for IP address assignment and Internet access.
ICS provides an extremely easy means of setting up a shared Internet connection for clients and is essentially a one-click procedure. What you gain in ease of configuration, you lose in flexibility, however, because ICS offers few configurable options. If you need to use a different subnet or need to control other aspects of the connection, you'll need to use the second method, NAT.
Starting NAT server configuration
Although both the ICS and NAT features in Windows 2000 perform network address translation, NAT provides full control over server configuration and is the Internet connection sharing option you configure through the RRAS console. You can configure RRAS to function as a NAT server either through the RRAS Setup Wizard or manually. (Skip to the section on completing the NAT server configuration if you want to configure the NAT server manually.)
When you choose the NAT method in the RRAS Setup Wizard, the wizard first prompts you for the Internet connection for which the server will provide NAT services. You can choose an existing network interface with an Internet connection or direct the wizard to create a new demand dial interface. If the server has more than one other network interface, the wizard prompts you to select the private interface. If there is only one, the wizard selects it automatically. After you specify the public and private interfaces, Windows 2000 starts RRAS, and you can then use the RRAS console to fine-tune the configuration. If you choose the latter option to create a new demand dial interface, Windows 2000 starts RRAS and then launches the Demand Dial Interface Wizard.
Configuring a demand dial interface
A demand dial interface doesn't remain connected all the time but instead connects only when a client requests a resource that resides beyond the interface. Using a demand dial interface can reduce costs by reducing connection time for metered services.
The Demand Dial Interface Wizard, which runs as part of the RRAS Setup Wizard, prompts you for the following:
X Name: This is a friendly name for the connection as it appears in the RRAS console. Choose a name that adequately describes the remote connection.
X Connection type: You can choose between physical devices such as modems and ISDN adapters or a VPN connection. If you choose a physical device, the wizard prompts you to select the device, which you should already have installed and functioning, as well as the dial-up number.
X VPN protocol: If you choose a VPN connection for the demand dial interface, the wizard prompts you to select the protocol, whether PPTP or L2TP. If you choose Automatic Selection, Windows 2000 will attempt to use L2TP for the connection, and if that fails, it will use PPTP.
X Server address: For VPN connections, specify the IP address or Fully Qualified

Domain Name (FQDN) of the remote VPN server.
X Protocols and security: The wizard prompts for the protocols that should be routed through this connection, which include IP and IPX. You also specify a user account to use for authentication and set other security and connection options, such as password handling and connection scripting.
Completing the NAT server configuration
After you run the wizard and configure the server for NAT, you'll probably need to fine-tune the configuration. Or, you might have already configured the server for another purpose, and you can't use the wizard to configure the server for NAT (since you'll lose your current configuration). In that case, you can configure the server manually. This section explains how to do that, as well as how to modify the configuration in both situations.
Enabling NAT manually
If you've already configured the server through the wizard for a function other than NAT (such as dial-up remote access) or simply prefer not to use the wizard, you can manually configure the server for NAT. (You don't need to perform this step if you've configured NAT through the wizard.) Open the RRAS console and expand the server in the left pane. Right-click General under IP Routing, and select New Routing Protocol. Select Network Address Translation, and click OK. RRAS adds a Network Address Translation node under the IP Routing branch. The next step is to add the interfaces for NAT.
Adding a NAT interface
After adding the NAT protocol, you need to specify the interfaces on which the RRAS server should perform translation. If you configure the server through the wizard, the wizard prompts you for the two minimum interfaces: the public Internet connection and the private network interface. However, Windows 2000 RRAS can provide NAT services on more than one interface. If you have multiple network subnets, for example, you could configure the server with a network interface for each and have the server provide NAT for all the subnets.
To add NAT interfaces, open the RRAS console and expand the server. Open the IP Routing branch, right-click Network Address Translation, and choose New Interface. Select the interface for which you want to add NAT services, as shown in Figure C, and click OK. Windows 2000 then prompts you to specify whether the interface is public or private. Select the option Private Interface Connected To Private Network to identify the interface as residing on the private side of the server. Select Public Interface Connected To The Internet if the interface resides on the public side of the server.
Selecting the latter option enables the Translate TCP/UDP Headers option. Select this option to have the server translate TCP and UDP ports in addition to the IP address for translated packets. In most cases you'll need to select this option to enable NAT to function properly for the private networks.
The property sheet displays two additional pages if you select the public interface option: Address Pool and Special Ports. You can reach these pages later, if needed, by double-clicking the public interface. You use the Address Pool page to configure the range of IP addresses assigned by your ISP for your network's use.
Figure C: Add the public and private interfaces to the NAT protocol through the RRAS console.


The Special Ports page lets you define special translation properties for specific TCP or UDP ports.
Configuring address ranges
Use the Address Pool tab on the NAT interface's property sheet to specify the range of addresses allocated by your ISP to the public side of your network, as shown in Figure D. RRAS uses this pool of addresses for mapping packets to and from the private network. If your ISP allocated only one IP address, you can leave this list empty. In this situation, the RRAS server requests unique TCP and UDP ports from the protocol stack, using those ports to translate packets to and from the private network. If you have multiple public IP addresses, the server leaves the ports as is and only translates the IP address, selecting a currently unused address from the pool. If the server runs out of addresses, it switches to translating the ports, just as it does when only one IP address is available.
You need to add the address range to the list if your ISP allocated more than one address. Once you've done that, you can apply reservations to reserve one or more of the allocated addresses for other nodes on the public side of your network (for other servers, for example).
To do this, first click Add on the Address Pool page to open the Add Address Pool dialog. Type the starting address of the allocated range and the subnet mask. RRAS determines the ending address automatically. Or, you can specify the starting and ending addresses if you can't use a subnet mask to define the range.
Next, click Reservations if you need to reserve one or more addresses for other nodes on the public side of the network or if you need to reserve an IP address for use by a computer on the private side of the network. For example, you might have a Web server located on the private network and need to reserve a public address for it, mapping the public address to the Web server's private address.
Finally, click Add in the Reserve Addresses dialog to open the Add Reservation dialog. Specify both the public IP address to reserve and the IP address of the computer on the private side that will use that address. If the computer needs to be accessible to Internet clients, select the option Allow Incoming Sessions To This Address. Doing so exposes every listening port on that private computer to the Internet, so use it only for hosts you intend to expose completely; when a single service is all that's needed, a special port (described next) is the narrower choice.
Figure D: Specify the range of addresses the NAT server uses for translating traffic to and from the private network.
Configuring special ports
In most cases you can allow NAT to handle TCP and UDP port translation on its own. In special circumstances, however, you might need to direct the server to handle specific ports in a certain way. For example, if a packet comes in for a specific port, you might need that traffic redirected to a specific port on a specific private IP address. Here's an example: Assume you have a Web server on the private network, but it's using port 8080 instead of the default port 80, and you want to map incoming port 80 traffic to port 8080. To do that, you'd configure a special port so that incoming traffic bound for port 80 is translated to port 8080 on the appropriate IP address. You can have the special translation apply to all incoming traffic on the interface or only to traffic for a specific public IP address.
To configure a special port, click the Special Ports tab. Select either TCP or UDP from the drop-down list, as appropriate; then click Add. To translate the port for all addresses on the public interface, select On This Interface. Otherwise, select On This Address Pool Entry, and enter the public IP address for which the special translation needs to occur. In the Incoming Port

text box, type the port number to which incoming traffic is directed. Specify the private IP address to which the traffic needs to be routed and the destination port on the private computer in the Outgoing Port box. In the previous example of the Web server, you'd put 80 in the Incoming Port box and 8080 in the Outgoing Port box.
Configuring general NAT properties
After you configure each interface as I've explained, you need to turn your attention to general NAT service properties. In the RRAS console, expand the server, right-click Network Address Translation under IP Routing in the left pane, and choose Properties. The General page of the NAT properties lets you configure the level of logging by NAT in the System log. The options are self-explanatory. The Translation page lets you specify how long the NAT server maintains port mappings in the NAT table. There are separate settings for TCP and UDP.
Configuring applications
The Translation page of the NAT server's properties also lets you configure applications for NAT. For example, you might run an application that uses nonstandard ports to communicate with a server on the Internet, which is common with Internet games such as Subspace or Diablo. So, you can configure the NAT server to provide the appropriate port translation, either for UDP or TCP, as needed.
To configure applications, open the properties for NAT, click the Translation tab, and then click Applications. Click Add to display the Internet Connection Sharing Application dialog. Provide the following information:
X Name: This name serves to identify the application in the RRAS console's list.
X Remote server port number: Specify the port on the remote server that needs to be remapped on the private network.
X TCP or UDP: Select the port type for the remote server port.
X Incoming response ports: Specify the port translations for the ports on the private network. You can specify TCP and UDP ports separately.
Add additional port assignments as required by the applications you use. A given application could require more than one entry.
Configuring address assignment
The clients on the private network must reside on the same subnet as the NAT server's private network interface. You can configure the clients for static IP addressing or rely on DHCP for address assignment. While you could install a DHCP server to provide addresses to the clients, the NAT server can also handle that function, eliminating the need for a separate DHCP server.
To configure address assignment, open the RRAS console and expand the server in the left pane. Open the properties for NAT under IP Routing, then click the Address Assignment tab. Select the option Automatically Assign IP Addresses By Using DHCP; then specify the address range by entering the starting IP address in the range and the subnet mask. Click Exclude if you need to exclude one or more addresses from DHCP assignment, making those available for other servers or fixed-address nodes on the private network.
Configuring name resolution
The private clients need a server to provide proxy DNS lookup, and the NAT server can optionally fill that role if no other DNS proxy is available. To configure DNS lookup on the NAT server, first configure the NAT server's TCP/IP properties on the public interface to add the DNS servers the NAT server will use for lookup. Then, open the RRAS console, and open the properties for NAT under IP Routing. Click the Name Resolution tab, and select the option Clients Using Domain Name System (DNS). If you're using a demand dial interface to connect to the Internet, select the option Connect To The Public Network; then select the demand dial interface from the drop-down list.
What's next?
This time around, we looked at network address translation and configured a Windows 2000 RRAS server to function as a gateway between a private network and the Internet. In the next article, I'll take a look at configuring a remote access server to support incoming connections.

74 Administrator’s Guide to VPN and Remote Access, Second Edition

Configuring Windows 2000 as a remote access server
Dec 4, 2000
By Jim Boyce

In “Configuring Routing and Remote Access on your Windows 2000 server” (page 68), I showed you how to configure a Windows 2000 RRAS server to function as a Network Address Translation (NAT) server. In this article, I’ll take a look at configuring a Windows 2000 RRAS server to function as a remote access server (RAS), handling incoming connections for remote clients.

What is a remote access server?
The term “remote access server” can refer to a server that performs a range of remote access services, instead of just providing the ability for clients to dial into the company LAN. Both Windows 2000 Professional and Windows 2000 Server can act as remote access servers, albeit with different restrictions on each platform.
On the Windows 2000 Professional side, you can configure a workstation to allow incoming connections through dial-up (one at a time), giving the remote caller the ability to use resources stored on the local computer or on the LAN, depending on how RRAS is configured. Under Windows 2000 Server, RRAS can support multiple concurrent remote access clients for those same purposes, essentially limited only by the number of available incoming connections. For example, if you have a modem pool of 48 modems, Windows 2000 Server will support all those connections concurrently.
A RAS connection that connects the client to the dial-up server is called a point-to-point remote access connection. A RAS connection that connects the client to the LAN is called a point-to-LAN remote access connection. Regardless of the type of connection, the remote clients can access resources on the server or LAN as if their computers were connected locally to the server or LAN. For example, clients can open and save files and use printers, just as they can locally.
Remote access is not the same thing as remote control. With a remote control application such as Symantec’s pcAnywhere, the client uses the remote control application to log onto and run applications on a remote computer. The applications run on the remote computer rather than on the client’s local computer. In effect, the remote control application gives the client a long-distance keyboard, mouse, and display for the remote computer.
Remote access makes the client’s local computer a part of the remote network. Applications run on the client’s local computer, not on the remote computer (except when the client executes a network-enabled application). Remote control applications can’t exist without remote access—the client either dials in to the remote computer directly or dials in to the LAN. So, if you need to use a remote control application to manage a remote server, for example, you’ll need a remote access connection to the server or to the server’s LAN before the remote control application can do anything. Depending on the remote control application, that connection might take the form of a public Internet connection, using the remote server’s and client’s existing connections to the Internet as the means of communication.

Setting up the hardware
Whether you’re configuring a Windows 2000 Professional computer to enable single connections or a Server computer to handle a modem pool, your first step in setting up a remote access server is to configure the hardware for the incoming connections. These connections might come in through one or more modems connected to the computer’s communications ports, through a multiport communications card handling multiple modems, a modem pool/communications server connected to the LAN, or even a network interface.

Administration 75
While you can certainly grow the server’s capabilities later on, you need to determine your clients’ current needs and plan for that growth. Choosing the right communications hardware is a big part of that process. If the bandwidth needs aren’t critical, modems and Public Switched Telephone Network (PSTN) lines (standard voice lines, or Plain Old Telephone Service—POTS) are an easy and relatively inexpensive solution. If you’re installing multiple lines, choose one number as the primary dial-up number and have your communications provider configure the lines in a hunt group. If one line is busy in the hunt group, the incoming call rolls to the next available line. There are several options for hunt groups that can address such problems as a ring-no-answer due to a hung modem. Check with your provider for details to decide what best fits your needs.
PSTN is certainly not the only option, nor is it the best option in terms of performance. PSTN will give you a maximum of 33.6 Kbps for connections. Even though 56-Kbps modems are standard nowadays, you can’t simply install individual 56-Kbps dial-up modems to PSTN lines and have them connect at the full rate. To support 56-Kbps dial-up connections, you’ll need a channelized T1 (24 channels or dial-up lines per T1) and the appropriate remote access hardware to accommodate the incoming calls.
If you choose to get a channelized T1, things can get a bit complicated. Your communications provider assigns a phone number to each channel, and as with the PSTN option, you’ll want to set up a hunt group for the numbers with a single primary dial-up number. The communications hardware for this type of connection setup typically takes the form of a network device that contains one or more communications cards with onboard modems. The T1 connects to the device and the device connects to the network. Depending on the firmware provided with the device, you can use either Windows 2000 authentication or RADIUS (the IAS service in Windows 2000).
ISDN is a third connection option. Basic Rate Interface (BRI) provides two 64-Kbps channels, and Primary Rate ISDN (PRI) provides twenty-three 64-Kbps channels. ISDN functions in some ways like a PSTN dial-up connection except that the connection is digital rather than analog and provides better throughput.
Other connection options include X.25 and ATM (Asynchronous Transfer Mode) over ADSL (Asymmetric Digital Subscriber Line). Windows 2000 supports only X.25 smart cards—X.25 adapters that connect computers directly to an X.25 public network. ATM is a standard communications protocol for high-speed data links. ADSL is a relatively new communications mechanism that employs standard copper phone lines to achieve very high data transfer rates.
In deciding which type of connection is right for you, check with your local communications provider to determine what services they offer. Some services, such as ADSL, may not be available in your area. If you can’t get ISDN or ADSL, for example, you’ll probably have to choose between PSTN and digital 56 Kbps. The speed at which your users need to connect will be the primary deciding factor in your decision, but cost will no doubt be a major consideration as well.
If you choose an external communications device, such as a modem pool, you generally will not use the RRAS service to provide dial-up services for clients. Instead, the device’s firmware, once configured, handles the task of assigning IP addresses and performing other tasks to service the RAS clients. In this situation, the server will typically perform two functions: hosting the configuration-management software for the device or providing authentication services, or both. Depending on the communications device, the system might use either RADIUS or Windows 2000 integrated authentication. If it uses the former, you can use IAS as the authentication service, which enables the server to process RADIUS authentication requests from the communications equipment, authenticating users against local or domain accounts. If the device relies on Windows 2000 integrated authentication, the device’s software will likely include a service that enables the device to interface with the Windows 2000 authentication mechanisms.


Configuring the RRAS server through the wizard
After the hardware is set up and functioning, you’re ready to configure the server as a RAS server. You can configure the server through the RRAS wizard or manually. If you choose the wizard option, the wizard will prompt you for the following information:
• Protocols: Select the installed protocols you need to support for remote access users or add protocols if they’re not already installed.
• Network connections: Select the network interface to which remote access clients will be assigned. Typically this is a LAN interface. If you have multiple interfaces on the server, however, you need to decide which one the clients will be placed on.
• IP address assignment: If you’re using TCP/IP as one of the network protocols for RAS clients, you need to decide how IP addresses are assigned to the clients. You can assign addresses through DHCP if a DHCP server is available on the network. If no DHCP server is available, the server will assign IP addresses automatically. Or, you can specify a range of addresses the server will use to assign address leases to clients. If you choose this latter option, the wizard will prompt you to specify the address range.
• Use RADIUS: You can choose at this point to configure RRAS to use RADIUS for authentication, specifying the IP addresses or DNS names of the primary and secondary RADIUS servers, as well as the RADIUS secret. You can choose not to configure RADIUS if you’ll be using Windows 2000 integrated authentication or want to configure RADIUS properties later.
Whether you use the wizard to configure the RAS server for incoming connections or configure the server manually, you’ll use the RRAS console to configure and fine-tune settings. One of the configuration tasks you’ll need to perform is to configure the remote access ports.

Configuring ports
In the RRAS console under the server you’ll find a Ports branch. Clicking the branch displays the installed ports in the right pane. You’ll notice that if you configure the server for remote access through the wizard, RRAS will automatically add 10 VPN ports—five PPTP and five L2TP. The other installed communications devices (such as local modems) will also show up on the list. Double-clicking a port on the list displays a status dialog box containing line speed, connection statistics, network registration (address, for example), and other information. You can also use this dialog box to reset a port, as would be required when a modem is hung.

Figure A
Use the Configure Device dialog box to configure port properties.

Right-click Ports in the left pane and choose Properties to configure ports. In the resulting dialog box, select the port you want to configure and click Configure to set these properties, as shown in Figure A:
• Remote Access Connections (Inbound Only): Select this option to enable incoming remote access connections to the selected port type.
• Demand-dial Routing Connections (Inbound And Outbound): Select this option to enable demand-dial connections for the selected port type.
• Phone Number For This Device: Use this setting to specify the phone number associated with the device. See the following discussion for more information on configuring the phone number.
• Maximum Ports: Use this setting to specify the maximum number of connections for the selected port type. For example, you

might use this setting to limit the number of L2TP connections that can be active at one time. Windows 2000 doesn’t change the number of ports shown in the RRAS console until you stop and restart the service.
The phone number property isn’t needed unless you’re supporting multi-link connections or restricting users through remote access policies to a specific dial-up number. With multi-link, the phone number is used for BAP-enabled connections, and the server sends the phone number of the connection to the remote client when the client’s system requests another connection. If you’re using a hunt group for your phone number pool, you needn’t specify individual numbers for each port. The phone number property is also used for the Called Station ID property in the remote access profile. If the specified number doesn’t match the value for Called Station ID in the remote access profile, RRAS rejects the connection.

The Windows 2000 RRAS service provides many different things for your network. One of the most common purposes it serves is as a remote access server. In this article, I’ve shown you how to configure Windows 2000 to function as a remote access server.

Increasing Windows 2000 RRAS security

Dec 7, 2000
By Jim Boyce

In the last few articles, I’ve shown you how to configure Windows 2000 for Network Address Translation and as a remote access server. But now that you’ve set up your remote access server, how do you secure it? In this article, I’ll show you how to set up remote access policies for your remote access server. I’ll also show you how you can create secure connections across the Internet using VPN protocols.

Configuring remote access policies
In my last article about Windows 2000 RRAS, I showed you how to configure the hardware and port settings for your server. In addition to configuring the hardware and port settings, you need to configure remote access policies. These policies enable you to control allowed access times, restrict users to specific dial-up numbers, and configure other Remote Access Policy settings.
You configure remote access policies through the RRAS console. Open the console and click the Remote Access Policies branch. By default, remote access permission is denied through the Remote Access Policy, Allow Access If Dial-In Permission Is Enabled. Double-click the policy and note that Deny Remote Access Permission is selected. This is because there are no other parameters yet specified for the policy. If you enabled this permission, it would allow all users to gain remote access by default. So, you’ll need to either modify this policy or create a new one. In this case, I’ll assume you want to modify the existing policy to allow permission only to users who belong in a specific user group. For example, I’ll create a group called RAS users and grant them permission.
First, open the Local Users And Groups console (stand-alone or member server) or the Active Directory Users And Computers console (domain controller). Create a new group named RAS Users and place in it all


the users to whom you want to grant remote access permission.
Next, open the RRAS console and double-click the policy to open its Settings property page. Click Add, select Windows-Groups, and click Add. Click Add in the Groups dialog box, select the group, and click Add. Click OK, then OK again to close the two configuration dialog boxes and return to the Settings property page. Select Grant Remote Access Permission, and click OK.
The policy you just created allows all users in the RAS Users group to log in via RAS at any time. You can modify the Day-And-Time-Restrictions profile to allow RAS access only at certain times. To do so, open the policy again, click Day-And-Time Restrictions, and click Edit. Specify the allowed dial-in times in the Time Of Day Constraints window, as shown in Figure A, and click OK. Configure other settings as needed, and then close the property sheet for the policy to apply the change.

Figure A
Configure the Day-And-Time-Restrictions condition to control when remote access users can dial in.

Now, what happens if you want two separate groups to have RAS access at different times? Simple: You just create two policies. RRAS processes all the remote access policies if needed, granting access to a caller if the caller’s parameters match at least one policy. So, a caller might not match the first policy or the second but might match the third, and RRAS would therefore grant (or deny) access subject to the properties of the matched policy.
For example, assume you have three groups of users: one that needs access from 8:00 A.M. to 5:00 P.M., another that needs access from 5:00 P.M. to midnight, and a third group that can gain access at all hours but must use L2TP for security. You create three policies, one for each situation. Each group of users would belong in an identifying group, which I’ll name RAS 1, RAS 2, and RAS Secure. When you define the policies for RAS 1 and RAS 2, each policy has two properties (in this example): Windows-Group and Day-And-Time-Restrictions. You configure the allowed logon times for the Day-And-Time-Restrictions property for RAS 1 to be 8:00 A.M. to 5:00 P.M. and for RAS 2 to be 5:00 P.M. to 12:00 A.M.
For the third group, use the Windows-Group property along with the Tunnel-Type property set to L2TP to restrict users in that group to use only L2TP. If they attempt to use a different tunneling protocol, such as PPTP, Windows 2000 rejects the connections.
You configure the priority of policies so that RRAS parses them in a specific order. This gives you the ability to move the most frequently used policy to the beginning of the list to speed connections and reduce overhead. To configure policy priority, open the RRAS console, expand the Remote Access Policies branch, click on a policy, and use the up- and down-arrow buttons in the toolbar to change the policy’s location in the list.

Configuring a VPN server
Virtual private network (VPN) connections enable clients to establish a secure, private connection to a remote computer or LAN through a public network such as the Internet. For example, users who travel can connect through a national or local ISP, then connect through that Internet connection to the office LAN. Windows 2000 supports two tunneling protocols, PPTP and L2TP; the latter provides stronger security than PPTP primarily because of differences in the encryption methods between the two.
Setting up a VPN server is initially not much different from configuring a remote access server, although there are a few additional steps and considerations. When you run the wizard and select the Virtual Private Network option, Windows 2000 prompts you for

essentially the same information as for a Remote Access Server, including protocols, network interfaces, IP address assignment mode, and RADIUS authentication status. One difference is when you use the wizard to configure the server for VPN, it creates 128 ports each for PPTP and L2TP. Configuring the server for remote access creates only five ports each.
Even if you use the wizard to set up a VPN server, you still have some tasks to perform to complete the operation. Plus, you might already have the server configured for another RAS purpose and need to configure the server manually for VPN. If you choose the manual method, first perform these tasks:
• Set up the Internet connection—This is the public connection through which remote clients will gain access to the intranet. Verify that the connection is fully configured and functioning.
• Set up the intranet connection—If your server is multihomed (has a public interface to the Internet and a private interface to the intranet), configure the intranet connection and verify connectivity with clients on the intranet. Note that you don’t need a second interface to set up a VPN server. A single, public interface will suffice. Remote clients will receive an IP address assignment from the same subnet as the computer’s Internet interface.
• Set up routing (multihomed systems)—If the server is multihomed, you’ll need to configure static routes or use routing protocols to enable routing between the public and private interface(s). In most situations the wizard will handle these tasks, but you might have to fine-tune the configuration, particularly if you are using static routes. If the server has only one network interface, you don’t need to configure any routing properties, since no routing is necessary.
• Enable remote access—If you are configuring VPN support manually, you’ll need to enable RAS on the server. Open the RRAS console, right-click the server, and choose Properties. On the General page, select Remote Access Server.
• Configure IP addressing and routing—On the properties sheet for the server, click the IP tab and select Enable IP Routing. If you didn’t already do so through the wizard, configure IP address assignment through the same property page, configuring the server to rely on DHCP, or use a static address pool to assign IP addresses to clients.
• Configure ports for remote access—You need to ensure that the necessary ports are created and configured for remote access. Expand the server in the RRAS console and open the Ports branch. Right-click Ports and choose Properties. Select either PPTP or L2TP and click Configure. Select Remote Access Connections (Inbound Only) to enable remote access for the port type. Use the Maximum Ports spin control to increase or decrease the number of ports. The number won’t increase in the ports list, however, until you stop and restart the service. If you wish to support both VPN port types, repeat the process for each.

Configuring the server for PPTP VPN connections
Although you can begin using the server to service VPN clients at this point, you’ll probably want to ensure a higher level of security than what you’ll have by default. In particular, you might want to configure filters to restrict traffic to and from the VPN server, as well as define the authentication mechanism(s) to be supported.
In the RRAS console, right-click the server, choose Properties, and then click the Security tab. You can choose between Windows Authentication and RADIUS both for authentication and accounting. Click Authentication Methods to specify the authentication methods you want to support. You need to use either MS-CHAP or EAP-TLS if you need to support encrypted authentication.
If your server is functioning only as a VPN server, consider applying IP filters to allow only PPTP traffic coming to and from the server, excluding all other traffic. This will help


prevent unwanted traffic from being routed through your server to your LAN or from the LAN to the Internet. Filters apply at the interface level, enabling you to configure filters differently for each interface, if needed.
In the RRAS console, expand the server then the IP Routing branch, and click the General branch. Right-click the interface on which you want to configure filters and click Properties. The General page is the place to go to configure filters. To configure the input filters, click Input Filters and then click Add in the Input Filters dialog box. Select Destination Network, and then in the IP Address field, enter the address of the interface. Specify in the Subnet Mask field. Select Other from the Protocol drop-down list and type 47 in the Protocol Number text box, as shown in Figure B. Click OK to add the filter.

Figure B
Configure input and output filters to restrict traffic on the server to VPN traffic, if desired.

When the Input Filters dialog box reappears, click Add again and add another filter with the same information as the first. However, this time select TCP from the Protocol list, specifying 0 for the Source Port and 1723 for the Destination Port.
You’ll need to add one more input filter if you intend to use the server as a PPTP client. Create a third filter using the same basic information as the first two, this time selecting TCP from the Protocol list, specify 1723 as the Source Port and 0 as the Destination Port.
The last step in configuring the input filters is to specify the action to take for the filter. Back on the Input Filters dialog box, select Drop All Packets Except Those That Meet The Criteria Below, and then click OK.
Next, configure output filters using much the same process you used for the input filters. On the General page of the interface’s property sheet, click Output Filters. Create a filter for Source Network, specifying the IP address of the interface, entering the subnet mask of, setting Protocol to Other, and entering 47 as the protocol number. Add a second IP filter for Source Network with TCP as the protocol, 1723 as the Source Port, and 0 as the Destination Port. If the server will be used as a PPTP client, add a third filter for Source Network, using TCP, Source Port 0, and Destination Port 1723. Return to the Output Filters dialog box and configure the filters to drop all packets except those that meet the filter criteria.

Configuring the server for L2TP VPN connections
As you do for PPTP, you need to configure the L2TP ports to allow remote access. Open the properties for the Ports branch, select L2TP from the Ports list, and click Configure. Select Remote Access Connections (Inbound Only) and then close the dialog boxes.
You also should configure filters to restrict traffic to and from the server to prevent unwanted traffic from being routed through the server. As you do for PPTP filters, you configure L2TP filters through the properties for the affected network interface. Start with the input filters. Create the first filter for Destination Network, the IP address of the interface, a subnet mask of, UDP as the protocol, and 500 for both the source and destination ports. Add a second input filter using the same information but specifying 1701 for both the source and destination ports. Configure the filter to drop all packets except those that meet the filter criteria.
Next, create the necessary output filters. Create the first filter for Source Network, the IP address of the interface, a subnet mask of, UDP as the protocol, and

source and destination ports specified as 500. Add a second output filter with similar settings but with source and destination ports of 1701. Configure the filters to exclude all packets except those that fit the filter criteria.

Configuring RAS policy for PPTP/L2TP
After you configure the ports and other settings for PPTP and/or L2TP, turn your attention to configuring remote access policies to allow VPN connections (and potentially restrict access only to VPN access). First, create a group (or use an existing group) to give you a means of restricting VPN connections to specific users. Then, open the RRAS console, followed by the Remote Access Policies branch. Create a new remote access policy, giving it an appropriate name such as VPN Access. Configure the conditions for the policy to include group membership so that it restricts access only to users who belong in your VPN users group. Then, add a condition for NAS-Port-Type set to Virtual (VPN). Add a third condition for Tunnel-Type set to PPTP, L2TP, or both, depending on which protocols you’re supporting on the server. If you haven’t modified the default remote access policy, move it after the VPN policy. You need to make this change because the default policy denies access to all users.
Finally, configure encryption. Double-click the newly created policy to open its properties, and then click the Encryption tab. Select the appropriate options on the Encryption tab, depending on the levels of encryption you want to allow for VPN connections according to your clients’ configurations.

Conclusion
In this article, I’ve shown you how to increase security for your remote access servers. You can do so using remote access policies and VPN. On VPNs, you have several different types of protocols to choose from, including PPTP and L2TP. I explained these protocols and how to configure RRAS to support them.
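The PPTP and L2TP interface filters built in the two filter sections above, modelled as an added example (this is not code from the original article or from Windows 2000): it constructs the input and output filter lists the text specifies and evaluates constructed packets against them under the "drop all packets except those that meet the criteria" action. The interface address and sample packets are constructed, a port of 0 is assumed to mean any port (as the text's 0/1723 pairs imply), and the Destination/Source Network criterion is assumed to match the interface address exactly.

```python
"""Model of the RRAS interface packet filters described in the text (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers: the console's "Other, 47" is GRE, the PPTP data channel.
GRE = 47
TCP = 6
UDP = 17


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class Filter:
    """One filter row from the Input Filters or Output Filters dialog box."""
    protocol: int
    dst_ip: Optional[str] = None  # Destination Network criterion (input filters)
    src_ip: Optional[str] = None  # Source Network criterion (output filters)
    src_port: int = 0             # assumption: 0 means any port, as the text's pairs imply
    dst_port: int = 0

    def matches(self, pkt: Packet) -> bool:
        # Assumption: the network criterion matches the interface address exactly.
        if self.dst_ip is not None and pkt.dst_ip != self.dst_ip:
            return False
        if self.src_ip is not None and pkt.src_ip != self.src_ip:
            return False
        if pkt.protocol != self.protocol:
            return False
        if self.src_port and pkt.src_port != self.src_port:
            return False
        if self.dst_port and pkt.dst_port != self.dst_port:
            return False
        return True


FilterSet = Tuple[List[Filter], List[Filter]]  # (input filters, output filters)


def pptp_filters(interface_ip: str, also_pptp_client: bool = False) -> FilterSet:
    """The PPTP filter lists from the text: GRE plus TCP 1723 in each direction."""
    inbound = [
        Filter(GRE, dst_ip=interface_ip),
        Filter(TCP, dst_ip=interface_ip, src_port=0, dst_port=1723),
    ]
    outbound = [
        Filter(GRE, src_ip=interface_ip),
        Filter(TCP, src_ip=interface_ip, src_port=1723, dst_port=0),
    ]
    if also_pptp_client:
        # The optional third filters: this host originating PPTP control connections.
        inbound.append(Filter(TCP, dst_ip=interface_ip, src_port=1723, dst_port=0))
        outbound.append(Filter(TCP, src_ip=interface_ip, src_port=0, dst_port=1723))
    return inbound, outbound


def l2tp_filters(interface_ip: str) -> FilterSet:
    """The L2TP filter lists from the text: UDP 500 and UDP 1701, same port both ends."""
    inbound = [Filter(UDP, dst_ip=interface_ip, src_port=p, dst_port=p) for p in (500, 1701)]
    outbound = [Filter(UDP, src_ip=interface_ip, src_port=p, dst_port=p) for p in (500, 1701)]
    return inbound, outbound


def permitted(filters: List[Filter], pkt: Packet) -> bool:
    """'Drop All Packets Except Those That Meet The Criteria Below': any match passes."""
    return any(f.matches(pkt) for f in filters)


def demo(interface_ip: str = "203.0.113.10") -> dict:
    """Constructed packets (documentation addresses) against the PPTP server's input filters."""
    inbound, _ = pptp_filters(interface_ip)
    peer = "198.51.100.7"
    samples = {
        "pptp control to server": Packet(peer, interface_ip, TCP, 40000, 1723),
        "gre to server": Packet(peer, interface_ip, GRE),
        "http to server": Packet(peer, interface_ip, TCP, 40001, 80),
        "pptp control to lan host": Packet(peer, "203.0.113.11", TCP, 40002, 1723),
    }
    return {name: permitted(inbound, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'pass' if ok else 'drop'}")
```

The last sample shows the effect of the Destination Network criterion: a PPTP control packet aimed at another address on the LAN is dropped by the server's input filters even though its port matches.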

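The policy evaluation described in the remote access policy section (the RAS 1, RAS 2 and RAS Secure example) and in the RAS policy for PPTP/L2TP section (the VPN Access policy that must sit above the default policy), as an added example that is not part of the original article. Policy and group names come from the text; the VPN Users group name, the connection attempts, the first-match semantics, and the rejection when no policy matches are assumptions, and the user account's own dial-in permission setting is not modelled.

```python
"""First-match evaluation of RRAS remote access policies (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional, Tuple

ALL_DAYS = frozenset(range(7))  # datetime.weekday(): Monday=0 .. Sunday=6


@dataclass(frozen=True)
class Attempt:
    """One incoming connection as the policy conditions see it."""
    user: str
    groups: FrozenSet[str]
    when: datetime
    nas_port_type: str           # "Async" for a modem call, "Virtual (VPN)" for a tunnel
    tunnel_type: Optional[str]   # "PPTP", "L2TP", or None for a plain dial-up call


@dataclass(frozen=True)
class Policy:
    """A remote access policy: its conditions plus Grant/Deny Remote Access Permission."""
    name: str
    grant: bool
    windows_group: Optional[str] = None           # Windows-Groups condition
    days: FrozenSet[int] = ALL_DAYS                # Day-And-Time-Restrictions as allowed
    hours: Tuple[int, int] = (0, 24)               # weekdays and [start, end) hours
    nas_port_type: Optional[str] = None           # NAS-Port-Type condition
    tunnel_types: FrozenSet[str] = frozenset()    # Tunnel-Type condition; empty = not set

    def matches(self, a: Attempt) -> bool:
        """Every condition set on the policy must hold for the attempt."""
        if self.windows_group is not None and self.windows_group not in a.groups:
            return False
        if a.when.weekday() not in self.days:
            return False
        start, end = self.hours
        if not start <= a.when.hour < end:
            return False
        if self.nas_port_type is not None and a.nas_port_type != self.nas_port_type:
            return False
        if self.tunnel_types and a.tunnel_type not in self.tunnel_types:
            return False
        return True


def evaluate(policies: List[Policy], a: Attempt) -> Tuple[bool, Optional[str]]:
    """Walk the policies in priority order; the first one whose conditions all match decides.

    Assumption: when no policy matches, the connection is rejected, reported as (False, None).
    """
    for p in policies:
        if p.matches(a):
            return p.grant, p.name
    return False, None


# The default policy as the text finds it: its only condition matches every caller,
# and Deny Remote Access Permission is selected.
DEFAULT_DENY = Policy("Allow Access If Dial-In Permission Is Enabled", grant=False)

# The three dial-in policies from the text's example.
DIAL_IN_POLICIES = [
    Policy("RAS 1", True, windows_group="RAS 1", hours=(8, 17)),   # 8:00 A.M. to 5:00 P.M.
    Policy("RAS 2", True, windows_group="RAS 2", hours=(17, 24)),  # 5:00 P.M. to midnight
    Policy("RAS Secure", True, windows_group="RAS Secure",
           tunnel_types=frozenset({"L2TP"})),                      # any hour, L2TP only
]

# The VPN Access policy from the text; the group name "VPN Users" is constructed.
VPN_ACCESS = Policy("VPN Access", True, windows_group="VPN Users",
                    nas_port_type="Virtual (VPN)", tunnel_types=frozenset({"PPTP", "L2TP"}))


def attempt(user: str, group: str, hour: int, port_type: str = "Async",
            tunnel: Optional[str] = None) -> Attempt:
    """Constructed connection attempt on a fixed date (Dec 7, 2000) at the given hour."""
    return Attempt(user, frozenset({group}), datetime(2000, 12, 7, hour, 0), port_type, tunnel)


Outcome = Tuple[bool, Optional[str]]


def vpn_policy_order_demo(a: Attempt) -> Tuple[Outcome, Outcome]:
    """Outcome with the default policy left first, then after moving it below VPN Access."""
    return (evaluate([DEFAULT_DENY, VPN_ACCESS], a),
            evaluate([VPN_ACCESS, DEFAULT_DENY], a))


if __name__ == "__main__":
    for a in (attempt("ann", "RAS 1", 9), attempt("ann", "RAS 1", 18),
              attempt("bob", "RAS 2", 18),
              attempt("cy", "RAS Secure", 3, "Virtual (VPN)", "PPTP")):
        print(a.user, a.when.time(), a.tunnel_type, evaluate(DIAL_IN_POLICIES, a))
    print(vpn_policy_order_demo(attempt("dee", "VPN Users", 11, "Virtual (VPN)", "PPTP")))
```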
Routing and remote access on Windows 2000 Advanced Server
Sep 6, 2000
By Matthew Mercurio, MCP

Using new products from Sybergen and Linksys to share Internet access is great for the consumer, but these products aren’t practical or efficient for a corporate network. To address this concern, this article examines the routing and remote access options available with Windows 2000 Advanced Server. Windows 2000 Advanced Server allows IT professionals to share Internet access, flatten their networks, and not compromise connectivity.

BEFORE WE BEGIN
In order to configure the R&R module correctly, you must have your DNS server and DHCP server information handy. You should also have already installed a second network adapter card in the machine. (I’ll discuss the reason for this later.)


Windows 2000 Advanced Server
I have to admit that at first glance, I thought it was a bad idea to place a Windows 2000 box on my network just to share Internet access. However, the Remote and Routing Access module quickly changed my mind. After the installation and a lot of experimenting with the many new modules, it turned out to be a very eye-opening experience. There are many modules, plug-ins, and components included in the new network operating system. For the purpose of this article, I’ll focus on the Remote and Routing Access module. Simplicity is key when it comes to sharing a single IP for Internet access. The Routing and Remote Access module installation was relatively easy, and the configuration of it was even easier. Let’s take a closer look.

Remote and routing access configuration
Once the Windows 2000 Advanced Server is installed, the easiest way to get to the Routing and Remote Access (R&R) module is by right-clicking on the My Computer icon on your desktop and choosing Manage. Once you are in the Computer Management window, shown in Figure A, expand the Services And Applications tree, and the R&R module will then be visible.

Figure A
The arrows indicate the location of the Windows 2000 Advanced Server Routing and Remote Access module.

If the R&R module is not running, a red arrow pointing down will appear on the icon next to the R&R title. If the R&R module is up and running, a green arrow pointing upward will appear.

Starting the routing and remote access setup wizard
To start the R&R setup wizard, click the Action button at the top of the toolbar as shown in Figure B. Then click Configure And Enable Routing And Remote Access. A dialog box will appear reporting that you’ve started the R&R wizard. Click Next to continue.

Figure B
Click Configure And Enable Routing And Remote Access.

Figure C
For this demonstration, choose Internet Connection Server.

On the resulting screen, you will see the connection choices, as shown in Figure C. From here you can configure various connections,

including the popular RAS and VPN connections. For this demonstration, choose the first option, Internet Connection Server.

A FEW WORDS ABOUT NAT
There are a couple of things to keep in mind when setting up NAT through Routing and Remote Access. First, you must set up a DHCP server before beginning the setup. Second, you must decide what IP scheme to assign the inside card. The R&R module will use NAT to masquerade your internal network, and the only visible IP will be the one assigned to you by your ISP. Hosts on the Internet see only that address, and they can reach an internal machine only through a translation that the internal machine started (or one you deliberately publish through the NAT), which is part of what makes NAT a useful boundary.

Using two NICs
We want the ability to share our Internet connection with the rest of the network computers, so we will need an additional NIC placed in the PC. The R&R module gives you a choice to use Internet Connection Sharing (ICS) or Network Address Translation (NAT). For the purpose of our demonstration, we will choose NAT. Assign the outside Internet connection NIC an IP address assigned to you by your ISP, and then give an internal IP scheme (a private range such as 192.168.x.x) to the second NIC. The R&R module does the rest.

When installing your NICs, be sure to use unique names for your cards. The naming convention is entirely up to you, but I recommend using names that will allow you to quickly recognize which NIC is serving what purpose. This is especially handy when you happen to be using the same brand of network cards. In my case, I have two 3Com 905B cards installed, so I used Wizard.Home for my external card because this is the card that is actually connected to the outside Internet. I then used RacerX.Lan to represent my internal LAN.

After you have chosen Internet Connection Server and clicked Next, you are ready to make the choice between ICS and NAT. I chose NAT, as shown in Figure D, and I suggest you do the same.

Figure D: Select the Network Address Translation (NAT) routing protocol.

Choose your connection type
The next screen that appears is the Internet Connection page. Here we have a couple of choices to make. First, do we want to create a demand-dial Internet connection? Since we have a cable modem and a 24/7 connection to the Internet, our answer is "No." However, if you are using a dial-up modem or a modem pool, then you might want to create a demand-dial connection. Our second choice is to decide which NIC to designate as the outside Internet connection. This is where our naming convention pays off. Simply choose the card that is directly connected to the Internet, as shown in Figure E, and click Next.

Figure E: Specify your Internet connection NIC.

84 Administrator’s Guide to VPN and Remote Access, Second Edition

The final screen, shown in Figure F, will then appear, and we are finished. We have set up the Windows 2000 Advanced Server to act as a router and share our single IP with the rest of our network.

Figure F: Click Finish to complete the Routing and Remote Access configuration.

Wrapping up
I realize that using Windows 2000 Advanced Server might have a high price tag attached for a home network user's solution. However, I think that not only is this a good large network solution, but it is also a good SOHO business solution as well. For the general home user, I would probably stick to the Sybergen or Linksys products unless you are planning to do other things like host a Web or FTP server, in which case Windows 2000 Advanced Server might be the choice for you.
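The NAT sidebar above says the R&R module masquerades the internal network behind the single ISP-assigned address. The following Python model is added here as an illustration; it is not code from the article or from Windows (the RRAS NAT engine is not open source), and it shows what the translation table behind that statement looks like and why an Internet host cannot reach an internal machine unless that machine started the conversation. The addresses and port numbers are constructed sample values, and the port-restricted behaviour (a reply is accepted only from the remote host the internal machine talked to) is an assumption about a generic NAT, not a documented property of RRAS.

```python
"""Model of the network address translation an RRAS NAT interface performs.

Added example, not from the article or from Windows: RRAS's NAT engine is not
open source, so this is an illustrative model of the behaviour the article
describes. All addresses and ports are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

PUBLIC_IP = "203.0.113.10"   # assumed: the address the ISP assigned to the outside NIC
FIRST_NAT_PORT = 1024        # assumed: where this model starts handing out public ports


@dataclass
class Napt:
    """Port-restricted NAT: one public address shared by every inside host."""
    public_ip: str
    next_port: int = FIRST_NAT_PORT
    # inside (ip, port) talking to remote (ip, port)  ->  public port used for it
    outbound: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    # (public port, remote (ip, port))  ->  inside (ip, port) that owns the flow
    inbound: Dict[Tuple[int, Endpoint], Endpoint] = field(default_factory=dict)

    def translate_out(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite a packet leaving the LAN. The inside source becomes
        (public_ip, mapped port); the same inside flow always reuses its mapping."""
        key = (src, dst)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, dst)] = src
        return (self.public_ip, self.outbound[key]), dst

    def translate_in(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Rewrite a packet arriving from the Internet, or return None (drop) when it
        does not belong to a flow an inside host opened. Only the ISP-assigned
        address is ever visible, and an unsolicited connection has no mapping."""
        if dst[0] != self.public_ip:
            return None
        inside = self.inbound.get((dst[1], src))
        if inside is None:
            return None
        return src, inside


def demo() -> Dict[str, object]:
    """Walk one web request and one attack attempt through the NAT (constructed traffic)."""
    nat = Napt(PUBLIC_IP)
    lan_host = ("192.168.1.10", 4000)       # assumed inside scheme given to the second NIC
    web_server = ("198.51.100.5", 80)
    intruder = ("198.51.100.99", 31337)

    as_seen_on_internet, _ = nat.translate_out(lan_host, web_server)
    reply = nat.translate_in(web_server, as_seen_on_internet)
    unsolicited = nat.translate_in(intruder, as_seen_on_internet)
    return {
        "source seen by the web server": as_seen_on_internet,
        "reply delivered to": reply[1] if reply else None,
        "unsolicited packet delivered to": unsolicited,
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The web server only ever sees 203.0.113.10 with a mapped port; its reply is matched against the mapping and handed back to 192.168.1.10, while the intruder's packet to the same public port has no mapping and is dropped. Anything you want reachable from the outside, such as the Web or FTP server mentioned in the wrap-up, has to be published explicitly, and at that point it is exposed to the Internet like any other listening service.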

Optimize inbound client connections for your Windows 2000 VPN servers
Jan 22, 2002
By Dr. Thomas Shinder, MCSE

The Windows 2000 Routing And Remote Access Service (RRAS) allows you to configure a Windows 2000 Server family computer as a VPN server. The Windows 2000 VPN server represents a tremendous improvement over the VPN server functions available in the Steelhead release of the Windows NT 4.0 version of the RRAS VPN server. Windows NT 4.0 VPN server configuration was tedious and difficult, and the only tunneling protocol supported was PPTP. You configure the Windows 2000 VPN server using easy-to-use wizards, and it supports both PPTP and L2TP/IPSec as tunneling protocols.

While the Windows 2000 VPN server is easy to set up and configure, you should do several things to make sure you have the most effective and efficient inbound VPN server traffic possible for your network. The VPN Wizard does most of the legwork for you, but you'll do more after you run the wizards. In this article, I'll explain what you can focus on to optimize your inbound VPN connections. After reading this, you'll be ready to tune your VPN server environment for the quickest and most secure inbound connections you can get out of your setup.

Client side
Most Windows 2000 VPN servers allow inbound VPN connections from external network VPN clients directly connected to the Internet. Implementing a VPN server allows you to dispose of your modem banks and replace them with a single fast connection to

the Internet. Your remote users don't need to make expensive long-distance or 800-number calls to reach the corporate network. All they need to do is establish a connection to a local ISP and then create the virtual link to the internal network via a VPN client connection.

On the client side, you can focus on three areas to optimize client connections:
• PPTP client connections
• L2TP/IPSec client connections
• Simplifying client connection setups using the Connection Manager Administration Kit

PPTP client connections
The VPN Wizard creates a number of PPTP ports on the external interface of the VPN server that accept incoming calls from PPTP VPN clients. PPTP was introduced with the Steelhead release of the Routing And Remote Access Server for Windows NT 4.0. The first version of PPTP got some bad press because of some well-described security holes. Although Microsoft patched those holes, PPTP has suffered from a bad reputation as an insecure VPN protocol. With the version 2 fixes in place and MS-CHAP version 2 required (see below), that reputation is largely undeserved.

The version included with Windows 2000 is PPTP 2.0. It closes the holes seen with the initial version of PPTP and includes a number of performance enhancements. PPTP is the fastest of the VPN protocols included with the Windows 2000 VPN server and the easiest Windows 2000 VPN protocol to set up and configure. If you're a beginner at setting up Windows 2000 VPN servers, you should use PPTP as your VPN protocol.

PPTP is a secure VPN protocol, but the level of security is dependent on the complexity of the passwords used by VPN clients: both the MS-CHAP logon and the MPPE session keys that encrypt the tunnel are derived from the user's password, so a guessable password weakens the encryption as well as the logon. If your VPN clients choose simple passwords, hackers and other Internet intruders will be able to break into the VPN server almost as easily as they could have with the previous version of PPTP. Make sure your clients use complex passwords of at least eight characters. The passwords should contain letters, numbers, and symbols. Your network policy should be set so that passwords are changed periodically. Be careful not to force password changes too often, though, as users will balk if they have to change and remember new, complex passwords frequently.

Figure A: Accessing the RRAS's Properties dialog box
Figure B: Configuring PPP Authentication Methods

The default PPP authentication protocols are MS-CHAP and MS-CHAP version 2. MS-CHAP allows downlevel operating systems to authenticate with the VPN server, but it is the weaker of the two. To secure your PPP logon credentials, you should disable


MS-CHAP authentication and require MS-CHAP version 2. To disable MS-CHAP authentication, perform the following steps:
1. Select Start | Programs | Administrative Tools | Routing And Remote Access.
2. In the Routing And Remote Access console (Figure A), right-click on your server name and click Properties.
3. In the server Properties dialog box, select the Security tab (Figure B) and click the Authentication Methods button.
4. In the Authentication Methods dialog box, remove the checkmark from the Microsoft Encrypted Authentication (MS-CHAP) checkbox and click OK. Leave Microsoft Encrypted Authentication version 2 (MS-CHAP v2) checked, and make sure the weaker methods (CHAP, SPAP, PAP, and unauthenticated access) are not enabled either.
5. Click Apply and then click OK in the server Properties dialog box. Restart the Routing And Remote Access Service: right-click on the server name, select All Tasks, and click Restart (see Figure C).

Figure C: Restarting the Routing and Remote Access Server after configuring the PPP Authentication Method
Figure D: Changing the number of PPTP listening ports
Figure E: Reducing the number of VPN ports

Each VPN port configured on the VPN server requires system resources. If your organization requires a maximum of only 10 concurrent VPN connections, it makes little sense to use up resources required to support 128 PPTP virtual interfaces. To ameliorate this situation, change the number of PPTP ports to the number you require. While you're changing the PPTP ports, you can also change the number of L2TP ports:
1. In the Routing And Remote Access console, expand your server name and then right-click on the Ports node in the left pane of the console. Click the Properties command.

2. In the Ports Properties dialog box, click on the WAN Miniport (PPTP) entry and then click the Configure button (see Figure D).
3. In the Configure Device - WAN Miniport (PPTP) dialog box, type the number of desired ports in the Maximum Ports text box (see Figure E). Click OK after making the change.
4. If you want to change the number of L2TP listening ports, repeat the procedure by clicking on the WAN Miniport (L2TP) entry. After you have completed configuring the port numbers, click Apply and then click OK in the Ports Properties dialog box.

PPTP is the best protocol for small to medium-size businesses that don't want to implement a Public Key Infrastructure to support L2TP/IPSec VPN calls. Even if you do plan to roll out an L2TP/IPSec VPN solution, it may actually be easier to allow PPTP and L2TP/IPSec VPN connections to live side by side for a while so that you can implement client-side computer certificates and support downlevel operating systems that are in the process of being upgraded.

L2TP/IPSec client connections
If you want the best security Windows 2000 VPN servers have to offer, you'll want to use L2TP/IPSec for your VPN client connections. L2TP/IPSec doesn't depend on just the username and password information to secure a connection. L2TP/IPSec clients require computer certificates to authenticate to the VPN server, and the user's PPP logon then takes place inside the IPSec-protected tunnel. Computer certificates cannot be "guessed" and provide a high level of security for VPN client connections.

I know many administrators who balk at the idea of implementing L2TP/IPSec VPNs. It's not that they don't want to use L2TP/IPSec, it's just that they're unfamiliar with setting up a Certificate Server and configuring Group Policy to automatically assign client certificates via auto-enrollment. Once the VPN client computers have computer certificates, creating L2TP/IPSec connections is a no-brainer.

You can configure a Certificate Server on your internal network using Microsoft Certificate Services. After the Certificate Server is installed and configured, Group Policy is configured to automatically enroll domain members and assign machine certificates. Perform the following steps to enable auto-enrollment:

Figure F: Starting the Automatic Certificate Request Setup Wizard


1. On a Windows 2000 domain controller, select Start | Programs | Administrative Tools | Active Directory Users And Computers.
2. Right-click on your domain name and click Properties.
3. In the domain Properties dialog box's Group Policy tab, click on the domain Group Policy object and then click Edit.
4. In the Group Policy window, expand the Computer Configuration, Windows Settings, Security Settings, and the Public Key Policies nodes. Right-click on the Automatic Certificate Request Settings node, select New, and click on Automatic Certificate Request Settings (see Figure F).
5. The Welcome page for the Automatic Certificate Request Setup Wizard will appear. Click Next to continue.
6. On the Certificate Template page, select the Computer certificate option. (Note that only certificate templates that are installed on the Certificate Server will be available on the Certificate Template page. See Figure G.) Click Next to continue.
7. On the Certification Authority page (see Figure H), select the certification authority (CA) that you want to process the request. You can select multiple CAs, but only the first one to receive the request will service the request. Selecting multiple CAs adds a measure of fault tolerance to the process. Click Next.
8. On the last page of the wizard, click Finish.
9. Open a command prompt on the domain controller, type secedit /refreshpolicy machine_policy, and press [Enter]. You'll receive notification that the policy will be refreshed but that it may take some time to replicate across multiple domain controllers.
10. When new computers join the domain, they're automatically assigned a computer certificate. Existing domain members will receive a certificate after they restart or during a policy refresh.

Figure G: Selecting the Computer Certificate Template for auto-enrollment
Figure H: Selecting the certification authority to process auto-enrollment requests

Note that this method works for machines that are domain members. You can use the Web-based certificate request interface to assign machine certificates to machines that are not members of the domain. In this situation, it's useful to have a PPTP VPN connection in place before moving over to L2TP. Users can connect via PPTP, use the Web-based certificate enrollment form to obtain a machine certificate, and then use L2TP/IPSec connections after they obtain the certificate. Then at some point, you can shut down the PPTP listening ports and use only L2TP/IPSec.

When VPN clients connect to the Windows 2000 VPN server, the default client configuration is to negotiate the type of VPN tunnel. The VPN client will try L2TP/IPSec first and, if not successful, try PPTP. You can configure the client to use only L2TP/IPSec by configuring the client connection properties, like so:
1. Right-click the My Network Places object on the desktop and click Properties.
2. In the Network And Dial-Up Connections dialog box, right-click the VPN connection object and click Properties.
3. In the VPN connection object's Properties dialog box, click the Networking tab.
4. On the Networking tab, click the down arrow in the Type Of VPN Server I Am Calling drop-down list box, click the Layer-2 Tunneling Protocol (L2TP) option (see Figure I), and click OK. Note that if you want the client to use only PPTP, you can select Point To Point Tunneling Protocol (PPTP) and prevent negotiation for an L2TP connection.

Figure I: Forcing the type of VPN connection to create with the VPN server

Pinning the client to L2TP also removes a downgrade path: a client left on the default negotiating setting that cannot complete the IPSec negotiation silently falls back to PPTP.

You may get complaints from your users regarding their ability to access the Internet after they establish the VPN link to the corporate network because a new default route is added to the VPN client's routing table. All Internet-bound requests will be routed through the VPN link, and unless the VPN server itself forwards Internet traffic, attempts to browse the Internet or access Internet e-mail servers will fail.

This inability to access the Internet while the VPN link is active is the preferred configuration. You don't want your clients to access the Internet at the same time that they access the internal network; this represents a very poor security configuration. It would be like allowing internal network users to add a modem to their machines so that they can access the Internet independently of any client access controls you've set on your firewall.

I DON'T SUGGEST THIS, BUT IF YOU HAVE TO…
If you must allow VPN clients to access the Internet at the same time they're connected to the VPN server, you can configure the VPN client connection object to allow this. The key entry is Use Default Gateway On Remote Network. You'll find this entry in various places, depending on the version of VPN client connection object you're using. Once you disable the Use Default Gateway On Remote Network option, the user will be able to access the Internet and the internal network simultaneously.

As you work to set up and configure your VPN, don't forget that both the clients and the servers can use some good old-fashioned tweaking. Although the improvements from previous versions are significant, further optimization, as with most Microsoft products, is necessary in order to make the best of your VPN server connections. As VPNs have quickly become the de facto standard for remote access, it's critical for systems administrators to get up to speed on their optimization. As VPN technology grows and stabilizes, so should your knowledge of VPN optimization. Getting rid of MS-CHAP version 1, changing the number of L2TP ports, enabling auto-enrollment, and configuring clients to use only L2TP/IPSec are sound ways to get your incoming VPN connections zipping along with speed and security.


VPN networking services built for speed
Feb 19, 2002
By Dr. Thomas Shinder, MCSE

Just setting up a VPN with RRAS is not enough when working in an enterprise-level environment. For ultimate speed and security, you need to optimize both the client-side and network-side services. For a review of methods that you can employ on the client side, check out my article, "Optimize inbound client connections for your Windows 2000 VPN servers" (page 85).

From the server side, there are several services, such as WINS, DNS, and DHCP, you should configure on the internal network with your VPN clients in mind. Once you have these services set up correctly, your VPN client connections will work as if they were directly connected to the internal network via an Ethernet cable. Ultimately, that means you'll get a lot fewer support calls from your VPN users. Here, I will explain how you can optimize WINS, DNS, DHCP, and the routing table and addressing infrastructure to improve your VPN clients' speed and security.

WINS
The Windows Internet Name Service (WINS) resolves NetBIOS names to IP addresses. I've heard people say that if you run a Windows 2000-only network, you don't need a WINS server. This is only partially true. The fact is, you don't need WINS if you run a Windows 2000 network that doesn't require any NetBIOS services. Unfortunately, many popular network services are dependent on NetBIOS.

The most prominent NetBIOS-dependent service is the browser service. The browser service is responsible for populating the browser list, which appears as a list of network resources (computers) in the Network Neighborhood or the My Network Places application. Because the browser service is a NetBIOS-dependent service, it depends on local subnet broadcasts to communicate with other browser service participants. This creates a problem when your VPN clients need to browse to resources on subnets outside of the broadcast range of the VPN interface on the VPN server. To solve the broadcast problem, you must install and configure a WINS server on the internal network. Also, all servers on the network need to be configured as WINS clients, especially servers that can act as master browsers on their local subnet. This also includes the PDC or PDC emulator for the network, because they collate and redistribute the browser list.

The VPN client obtains the WINS server address from the VPN server. This address is typically obtained from the internal interface of the VPN server. However, if you have multiple internal interfaces, you might need to manually select the interface that assigns name server addresses. Another option is to have a DHCP server assign name server addresses to the VPN client.

While the most common method of assigning IP address and name server information to VPN clients is via automatic assignment by the VPN server, you aren't limited to this option. The VPN client software can be configured with static IP and name server addresses. VPN clients can also be assigned IP addresses on a per-user account basis. Note that you cannot assign name servers based on user account.

WITH A DHCP SERVER
Keep in mind that VPN clients are RAS clients, so they never directly communicate with a DHCP server, not even when you have configured the VPN server to obtain IP addresses from a DHCP server. However, your VPN clients can obtain DHCP options by configuring a DHCP relay agent on the VPN server itself. DHCP options such as WINS and DNS server addresses can be assigned this way. One thing you cannot assign to RAS clients via DHCP options is a default gateway. The VPN clients will always be assigned a default route and a host route to the tunnel server's virtual IP address.

The WINS server is even more useful for allowing clients to connect via a UNC path. The VPN client will query the internal network

WINS server that was assigned to the VPN interface on the client, and the WINS server will return the IP address of the server on the internal network.

DNS
If you construct your network well, you'll have relatively little use for NetBIOS-dependent applications. The majority of applications used on current networks aren't tied to the NetBIOS interface; they are native TCP/IP-based applications. These applications and services use DNS for host name resolution. Although DNS doesn't populate the browser list, it performs a host of other valuable functions for your VPN clients.

For VPN clients to access Web, FTP, e-mail, and news services on your internal network using FQDNs, you want to ensure that DNS is configured on the internal network. If you are running a Windows 2000 Active Directory network, you already have a DNS infrastructure in place. If you aren't running Active Directory or DNS on your internal network, you'll find that name resolution will proceed much faster and more reliably after installing DNS and configuring the VPN client to use the internal network DNS server.

DNS FUNCTIONALITY
When setting up your VPN clients to use the internal network DNS infrastructure, you should test the configuration before allowing your users to connect to the VPN. You can quickly test the VPN client DNS functionality using the Nslookup tool. Create a dial-up connection to the VPN server and then open a command prompt. Type nslookup followed by the fully qualified domain name of an internal network host. Nslookup should return the proper internal network address; it also prints which server answered, so you can confirm the query went to the internal DNS server rather than the ISP's.

DHCP
If you work on a network of any appreciable size, you probably already have a DHCP server providing IP addressing information to your internal network clients. That same DHCP server or servers can be used to assign IP addresses to your VPN clients. You can create custom scopes for your VPN clients to make it easier to control the IP address assignment to these machines.

A NOTE ABOUT SCOPES
A scope is a collection of IP addresses that belong to a particular network ID. When a DHCP server is configured with a scope, it can service requests for IP addresses from clients on that network ID.

The DHCP server can be on the same network as the internal interface of the VPN server or on a remote network. If you need to use a DHCP server on a remote network, you must configure a DHCP Relay Agent, which acts as a router for DHCP messages. The VPN server will be able to obtain addresses for the DHCP clients by taking advantage of the DHCP message routing capabilities of the DHCP Relay Agent, which is why the DHCP Relay Agent is considered a routing protocol.

Installing and configuring the DHCP Relay Agent on the VPN server is easy. In the RRAS console, expand your server name and then expand the IP Routing node. Right-click the General node and select New Routing Protocol. In the New Routing Protocol dialog box, click on the DHCP Relay Agent entry and click OK. The DHCP Relay Agent will appear in the left pane. Right-click the DHCP Relay Agent node and select New Interface. Click on Internal and OK. In the DHCP Relay Properties dialog box, leave the defaults (unless you want the DHCP packets to hop more than four routers) and click OK. Right-click the DHCP Relay Agent node and open its properties sheet. In the DHCP Relay Agent Properties dialog box, type in the IP address of the DHCP server and then click Add and OK. The DHCP Relay Agent will now forward DHCP messages to the DHCP server you entered in the Properties dialog box.

Note that if you place the DHCP server on a remote network, the server should have a


NIC installed with an IP address for each network ID for which it has scopes. If you try to logically multihome the server, all the addresses will be served from the scope matching the primary IP address bound to the network interface, because each logical interface is connected to the same physical segment. The Relay Agent will allow assignment from the appropriate scope, but DHCP clients on the same physical segment as the multihomed DHCP server can receive addresses from any of the scopes.

MULTIHOMED DHCP SERVERS
You can multihome a DHCP server so that it supports scopes on multiple network IDs. However, the server must be physically, instead of logically, multihomed, because the DHCP server service will bind only the primary IP address on each interface. The primary IP address is the IP address on the top of the list of IP addresses found in the Advanced tab of the TCP/IP configuration for the interface.

Routing tables
When you have a single network segment on your internal network, you don't have to worry about router issues. The VPN clients can be assigned IP addresses on the same network ID as the internal interface of the VPN server and reach all resources on the local network segment. However, problems arise when the internal network has multiple subnets.

If the internal network has multiple network IDs and VPN clients need to reach resources on these multiple network IDs, configure the routing table on the VPN server. The VPN clients take advantage of the routing table on the VPN server to reach resources on remote networks.

If there are only a few internal subnets, and only a single path to each subnet, you can configure the routing table on the VPN server manually. The routing table can be configured using either the Route Add command or by using the Routing and Remote Access console. I recommend you use the RRAS console to create new routing table entries, as the GUI interface is easier to use and leads to fewer mistakes in configuration (and routes added with Route Add are lost at reboot unless you use the -p switch).

Large networks that allow multiple paths to internal network resources don't lend themselves to static routing table entries. These networks require that you use a routing protocol. The Windows 2000 RRAS supports both the Routing Information Protocol version 2 (RIPv2) and Open Shortest Path First (OSPF). RIPv2 is the easiest to configure; it requires little or no configuration after it's installed. RIPv2 supports Variable Length Subnet Masking (VLSM) and password protection for sharing routing information with its neighbors; note that RIPv2 simple-password authentication travels in clear text, so it guards against accidental peering rather than a deliberate attacker on the segment. OSPF is a more powerful routing protocol that provides a great array of routing options, but it is more complex to configure and shouldn't be considered a "plug and play" routing protocol solution. While RIPv2 is much easier to set up and configure, it doesn't scale well, because it periodically announces its entire routing table and is limited to 15 hops.

Once the VPN server has routing table entries for all the subnets on the internal network, the VPN clients will be able to reach all segments on the internal network.

Gateway configuration on the VPN client
The default Microsoft VPN client configuration sets the client to use the default gateway on the remote network. When you select this option, a new default route is added on the VPN client that sends all nonlocal packets through the VPN interface (the client also keeps a host route to the VPN server's public address through its original gateway, so the tunnel's own packets are not routed into the tunnel). The change in the default gateway on the client can cause some sticky issues.

For example, suppose the client is a laptop computer that isn't connected to a network and that establishes a link to the Internet using a dial-up modem interface. The modem creates a connection to the ISP, which creates a default route on the laptop so that all nonlocal packets are sent to the ISP's router. When the user establishes the VPN link, a new default gateway with a lower metric is created in the laptop's local routing table. All nonlocal packets are routed through the VPN interface, which makes it impossible for the laptop to access the Internet and the internal network through the VPN interface at the same time.

This should be considered a good thing. It isn't very wise to allow VPN clients to bridge their Internet and VPN connections because the client can act as a gateway for Internet intruders to access the corporate network. This is akin to allowing your corporate network users to attach modems to their desktops and connect to the Internet while still connected to the corporate network. You don't let your internal network desktop users do this, and you shouldn't allow it on your VPN clients either.

However, a workaround for this problem would be to turn off the remote default gateway and manually create static routing table entries for the internal subnets on the laptop computers after the VPN link is established. The catch is that if you use DHCP to assign an IP address to the VPN clients, you never know what the gateway address will be for the client's VPN connection, so the routes cannot be prepared in advance. To get around the dynamic address assignment issues, you can assign a static IP address to a user's account on the Dial-in tab of the user account properties. A far superior solution is to configure the VPN client machines to use the corporate Proxy/Firewall servers to access the Internet. That way, you force the VPN clients to conform to the corporate Internet security policy.

When a machine connected to the routed corporate network needs to create a VPN link to a VPN server on an external network (or even on the intranet if you are using VPNs to segregate your security zones), you may have another issue. The default gateway will change to the VPN interface and the machine will no longer be able to access remote subnets on the corporate network. The solution is to enter routing table entries for all the subnets on the machine connected to both the VPN and the corporate network. You can create static routing table entries; however, on a large network, this is unfeasible. A better solution is to enable a RIP listener on the machine.

To enable a RIP listener on a client machine, do the following:
• Open Control Panel and click Add/Remove Programs.
• Click Add/Remove Windows Components.
• Click Networking Services.
• Select the RIP Listener check box.
• Click OK.

After the RIP listener is enabled, the machine will listen for RIP version 1 broadcasts. So if you're using only RIPv2, the RIP listener will not use routing table entries. The Windows 2000 RRAS server can be configured to issue RIP v1 and v2 broadcasts to support machines configured as RIP listeners. Keep in mind that RIP version 1 has no authentication, so a RIP listener installs whatever routes are announced on its segment; enable it only on segments where you control every RIP speaker.

VPN CLIENTS CANNOT BE RIP LISTENERS
Machines connected to the internal network can be configured as RIP listeners, because the RIP listener software listens on the physical interface. The RIP listener doesn't listen on the virtual interface. Even if the RIP routing protocol is installed on the VPN server, it will not be able to share routing table information with VPN clients. The RIP listener isn't an answer to the routing table problems that dial-up modem clients have when connecting to the VPN server over the Internet.

Conclusion
The Windows 2000 Routing and Remote Access Service may make it easier to create a VPN server; however, getting the internal network tuned up to support your VPN clients takes a bit more effort. The tips in this article should help you appreciate the importance of having WINS, DNS, and DHCP servers on the internal network to support the VPN clients, and how VPN clients handle routed internal networks. With this information, you'll be ready to begin that VPN rollout that your boss has been bugging you to get started.
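The "Gateway configuration on the VPN client" section and the static-route workaround that follows it both come down to how the client picks a route. The following Python model is added here as an illustration; it is not code from the article or from Windows. It reproduces the selection rule (most specific prefix first, then lowest metric) for the dial-up laptop example and shows what each setting does to Internet-bound and corporate-bound packets. The addresses, interface names and metrics are constructed sample values; in particular the exact metrics Windows assigns are not reproduced, only the fact that the VPN default route wins while Use Default Gateway On Remote Network is on.

```python
"""Route selection on a Windows VPN client: longest prefix match, then lowest metric.

Added example, not from the article or from Windows. Addresses, interface
names and metrics are constructed sample values; the ordering of the two
default routes is what the model reproduces, not the exact Windows metrics.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    dest: str       # destination network in CIDR form
    gateway: str
    iface: str
    metric: int


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Choose the route the client would use for dst: the most specific prefix
    wins; among equal prefixes the lowest metric wins."""
    addr = ip_address(dst)
    candidates = [r for r in table if addr in ip_network(r.dest)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ip_network(r.dest).prefixlen, -r.metric))


# Constructed sample values: the laptop is dialled in to an ISP.
ISP_GW = "198.51.100.1"          # assumed ISP router address
VPN_SERVER = "203.0.113.20"      # assumed public address of the RRAS VPN server
DIALUP_TABLE = [
    Route("198.51.100.0/24", "0.0.0.0", "Modem", 1),   # the ISP's link network
    Route("0.0.0.0/0", ISP_GW, "Modem", 1),            # default route to the ISP
]


def connect_vpn(table: List[Route], vpn_gw: str, use_remote_default_gateway: bool) -> List[Route]:
    """Return the routing table after the tunnel comes up.

    The client always adds a host route to the VPN server through the ISP so
    that the tunnel's own packets are not sent into the tunnel. With the
    default 'Use default gateway on remote network' setting it also installs a
    new default route through the VPN interface that beats the ISP default
    (modelled as metric 1 versus the dial-up default raised to 2).
    vpn_gw is the address handed out at connect time, which is why the article
    notes that static routes cannot be prepared in advance when it is dynamic.
    """
    new = [Route(f"{VPN_SERVER}/32", ISP_GW, "Modem", 1)]
    for r in table:
        if r.dest == "0.0.0.0/0" and use_remote_default_gateway:
            new.append(r._replace(metric=r.metric + 1))
        else:
            new.append(r)
    if use_remote_default_gateway:
        new.append(Route("0.0.0.0/0", vpn_gw, "VPN", 1))
    return new


def add_corporate_routes(table: List[Route], vpn_gw: str, corporate_nets: List[str]) -> List[Route]:
    """The split-tunnel workaround the article describes: with the remote default
    gateway turned off, add one static route per internal subnet via the tunnel."""
    return table + [Route(net, vpn_gw, "VPN", 1) for net in corporate_nets]


def iface_for(table: List[Route], dst: str) -> str:
    """Name of the interface dst would leave through, or 'unreachable'."""
    r = lookup(table, dst)
    return r.iface if r else "unreachable"


if __name__ == "__main__":
    vpn_gw = "10.0.0.1"  # assumed address the RRAS server assigned to the client's VPN interface
    full = connect_vpn(DIALUP_TABLE, vpn_gw, use_remote_default_gateway=True)
    split = add_corporate_routes(connect_vpn(DIALUP_TABLE, vpn_gw, False),
                                 vpn_gw, ["10.0.0.0/8", "172.16.0.0/12"])
    for name, table in (("full tunnel", full), ("split tunnel", split)):
        for dst in ("10.1.2.3", "192.0.2.50", VPN_SERVER):
            print(f"{name:12} {dst:>14} -> {iface_for(table, dst)}")
```

With the remote default gateway on, an Internet address such as 192.0.2.50 leaves through the VPN interface and only the VPN server itself is still reached through the modem, which is the "can't browse the Internet" behaviour users report. With it off and the corporate subnets routed statically, corporate addresses go through the tunnel and everything else goes straight to the ISP, which is exactly the bridging the article warns against; the routes also have to be recreated whenever vpn_gw changes.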


Optimal VPN server configuration
and management
Mar 18, 2002
By Dr. Thomas Shinder, MCSE

Though it isn’t difficult to set up a Windows 2000 VPN server for use, a general setup doesn’t allow for optimal use of the server’s resources. However, there are a number of configurations that you can implement to help that server reach its full potential. On the client side, you can enable MS-CHAP version 2, change the number of L2TP ports, enable auto-enrollment, and configure clients to use only L2TP/IPSec.
On the server side, a couple of simple but powerful actions allow you to optimize connections: using Routing and Remote Access Service (RRAS) policies and configuring IP address and name server assignments. Doing both of these things allows you to increase your VPN server’s efficiency and blow the socks off your users.

Using RRAS policies
RRAS policies allow you to simplify and optimize all of your RRAS server connections by centralizing the management of VPN client connections. To make the most of RRAS policies, run your Windows 2000 domains in native mode. This allows you to configure the policies on a granular basis by configuring the properties of user accounts. Figure A shows the available options when a Windows 2000 domain is run in native mode.
Note that Deb Shinder’s user account is allowed dial-in access based on the Remote Access Policy. The extant Remote Access Policy can be specific to a particular VPN server, or if you decide to use RADIUS for authentication and accounting, you can have a single Remote Access Policy apply to all VPN servers.
To configure an RRAS policy to optimize your VPN environment:
1. In the Routing And Remote Access console, expand your server name and click on the Remote Access Policies node in the left

Figure A Figure B

pane. You can create a new RRAS policy or edit the existing RRAS policy. To edit the existing RRAS policy, double-click on the Allow Access If Dial-In Permission Is Enabled policy in the right pane of the RRAS console.
2. In Figure B, you can see that several conditions must be met to allow a connection to the RRAS VPN server: a day and time condition, a Windows group membership condition, and a Network Access Server port type condition. In this example, connections are accepted at any time on any day of the week, users must be members of the TACTEAM\Domain Admins group, and the connection type must be a VPN connection. Only after all these conditions are met will the Grant Remote Access Permission option be activated. (This option is seen in the If A User Matches The Conditions frame.) To add a condition, click the Add button.
3. The Select Attribute dialog box appears next (Figure C). To allow only L2TP/IPSec VPN tunnels for the Domain Admins group covered in this policy, for example, select the Tunnel-Type attribute and click the Add button.
4. In the Available Types column in the Tunnel-Type dialog box, select the Layer Two Tunneling Protocol (L2TP) entry and click the Add button. The entry will then move to the Selected Types column (Figure D).
5. The condition now appears in the policy’s properties dialog box (Figure E). Click

Figure C

Figure D Figure E


Figure F Figure G

Deselecting MS-CHAP forces the server to use MS-CHAP version 2 for the Remote Access Policy.

Edit to change the profile settings for this policy.
6. In the Edit Dial-In Profile dialog box, click the Authentication tab (Figure F). The default settings allow both MS-CHAP and MS-CHAP version 2. Deselect the Microsoft Encrypted Authentication (MS-CHAP) check box.
7. Select the Encryption tab. Since domain administrators will carry out the most security-sensitive operations, you might want to force 128-bit encryption for all their sessions. Deselect the Basic and Strong check boxes, leaving only the Strongest encryption option selected (Figure G). This will force 128-bit encryption on all connections matching the conditions of this Remote Access Policy. Click Apply and OK to accept the changes you have made to the policy’s profile.
8. Then, click Apply and OK to accept the changes you made to the RRAS policy.
You can create multiple RRAS policies to meet the specific needs of your organization. In the above example, I set some stringent settings on connections made by domain admins. You might want to create other policies for different groups of users, which require different VPN tunnel types, time of day requirements, and levels of encryption.

Configuring IP address and name server assignments
There are two ways VPN servers can assign addresses to clients: via a DHCP server or via a static address pool.
To assign addresses via DHCP, it is important to note that your RAS VPN client never directly communicates with the DHCP server. The VPN server obtains the IP addresses used for VPN client assignments during VPN server boot-up. If the VPN server uses all the available addresses it obtained during boot-up, it will obtain extra blocks of IP addresses from the DHCP server ad libitum. The RRAS server doesn’t assign any DHCP options. However, you can install a DHCP Relay Agent on the RRAS server to assign a limited set of DHCP options to VPN clients.
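The policy built in steps 1 through 8 above (conditions on day and time, Windows group, NAS port type and Tunnel-Type; a profile that allows only MS-CHAP version 2 and Strongest encryption) can be modeled in a few lines, which also makes the evaluation order visible. This is an added example written for this guide, not code from the article or from Windows. The policy and connection values are constructed, and the decision rules it encodes are stated as assumptions about Windows 2000 behaviour: policies are tried in order and the first whose conditions all hold decides; a Deny on the user account overrides any policy; an account set to Allow bypasses the policy’s Grant/Deny setting but still gets the policy’s profile applied; and when no policy matches, the connection is rejected.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Profile:
    auth_methods: frozenset   # PPP authentication methods the profile accepts
    encryption: frozenset     # encryption levels the profile accepts


@dataclass
class Policy:
    name: str
    conditions: dict          # attribute -> set of acceptable values; all must hold
    grant: bool               # Grant (True) / Deny (False) remote access permission
    profile: Optional[Profile] = None


@dataclass(frozen=True)
class Attempt:
    user: str
    groups: frozenset
    dialin_permission: str    # "Allow", "Deny", or "Policy" (control access through policy)
    nas_port_type: str        # "Virtual (VPN)" or "Async (Modem)"
    tunnel_type: Optional[str]   # "L2TP", "PPTP", or None for a modem call
    day: str
    hour: int
    auth_method: str
    encryption: str


def condition_holds(attr, allowed, attempt):
    """One policy condition. Attribute names are assumed to follow the console's labels."""
    if attr == "Day-And-Time-Restrictions":
        # allowed is a set of (day, hour) pairs, or {"Any"} for any time on any day
        return "Any" in allowed or (attempt.day, attempt.hour) in allowed
    if attr == "Windows-Groups":
        return bool(attempt.groups & allowed)
    if attr == "NAS-Port-Type":
        return attempt.nas_port_type in allowed
    if attr == "Tunnel-Type":
        return attempt.tunnel_type in allowed
    raise ValueError(f"unknown condition attribute {attr}")


def policy_matches(policy, attempt):
    """A policy applies only when every one of its conditions is met."""
    return all(condition_holds(a, v, attempt) for a, v in policy.conditions.items())


def evaluate(policies, attempt):
    """Return (policy name or None, granted, reason). The first matching policy decides."""
    for policy in policies:
        if not policy_matches(policy, attempt):
            continue
        if attempt.dialin_permission == "Deny":
            return policy.name, False, "user account dial-in permission is Deny"
        if attempt.dialin_permission == "Policy" and not policy.grant:
            return policy.name, False, "policy denies remote access permission"
        if policy.profile is not None:
            if attempt.auth_method not in policy.profile.auth_methods:
                return policy.name, False, f"profile rejects {attempt.auth_method}"
            if attempt.encryption not in policy.profile.encryption:
                return policy.name, False, f"profile rejects {attempt.encryption} encryption"
        return policy.name, True, "all conditions and profile constraints met"
    return None, False, "no policy matched; the connection is rejected"


# Constructed policies mirroring the article's example.
ADMIN_POLICY = Policy(
    name="Domain Admins over L2TP/IPSec",
    conditions={
        "Day-And-Time-Restrictions": {"Any"},
        "Windows-Groups": {"TACTEAM\\Domain Admins"},
        "NAS-Port-Type": {"Virtual (VPN)"},
        "Tunnel-Type": {"L2TP"},
    },
    grant=True,
    profile=Profile(auth_methods=frozenset({"MS-CHAP v2"}), encryption=frozenset({"Strongest"})),
)
# The built-in policy: only accounts whose own dial-in setting is Allow get in.
DEFAULT_POLICY = Policy(
    name="Allow Access If Dial-In Permission Is Enabled",
    conditions={"Day-And-Time-Restrictions": {"Any"}},
    grant=False,
)
POLICIES = [ADMIN_POLICY, DEFAULT_POLICY]


def admin_attempt(**overrides):
    """A constructed connection attempt by a domain admin, with optional field overrides."""
    fields = dict(user="deb", groups=frozenset({"TACTEAM\\Domain Admins"}), dialin_permission="Policy",
                  nas_port_type="Virtual (VPN)", tunnel_type="L2TP", day="Mon", hour=10,
                  auth_method="MS-CHAP v2", encryption="Strongest")
    fields.update(overrides)
    return Attempt(**fields)


if __name__ == "__main__":
    for label, attempt in [("L2TP, MS-CHAP v2, Strongest", admin_attempt()),
                           ("L2TP with MS-CHAP v1", admin_attempt(auth_method="MS-CHAP")),
                           ("PPTP, control through policy", admin_attempt(tunnel_type="PPTP")),
                           ("PPTP, account set to Allow", admin_attempt(tunnel_type="PPTP", dialin_permission="Allow"))]:
        print(label, "->", evaluate(POLICIES, attempt))
```

Swapping the order of POLICIES changes the outcome of the PPTP case only because the default policy’s conditions also match an admin, which is the kind of ordering effect that is hard to see in the console but obvious in code.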

A static address pool can be configured on the VPN server, and IP addresses can be assigned to VPN clients from this pool. If you choose the static address pool option, make sure internal network clients are not using the addresses in the pool. You’ll also make life simpler if you choose a range of addresses that are on subnet—on the same network ID as the internal interface of the VPN server.
You don’t need to use DHCP options to assign name servers to VPN clients, because the RRAS server will automatically assign WINS and DNS server addresses to VPN clients based on the WINS and DNS server settings on the internal interface of the VPN server. This name server assignment takes place during the Internet Protocol Connection Protocol (IPCP) negotiation process. If you have multiple internal interfaces on the VPN server, you can manually select which interface will be used to assign name server addresses to VPN clients.
To configure address assignment:
1. Right-click the server name in the Routing And Remote Access console and click Properties.
2. Click on the IP tab (Figure H). The default setting is to use DHCP for IP address assignment. If you need to use a static address pool, select the Static Address Pool option and click Add to add a range of IP addresses. The Enable IP Routing check box should be selected if you want the VPN clients to access servers on the internal network. If it’s not selected, VPN clients will be able to access only resources on the VPN server itself. The Allow IP-Based Remote Access And Demand-Dial Connections option must be selected if you want the VPN server to assign addresses to the VPN clients.
3. The RRAS server determines which interface should be used to assign name server settings; however, it sometimes gets things wrong. If it does, click the down-arrow on the Adapter drop-down list and manually select the adapter that should be used for WINS and DNS server assignments to VPN clients. The VPN clients will be configured with WINS and DNS server addresses that are configured on the interface you select. Click Apply and OK to accept the changes.

Figure H
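A quick check of a static address pool against the two rules above (no collision with addresses internal clients already use, and a range on the same network ID as the internal interface), as an added example that is not part of the article. It uses Python’s standard ipaddress module; every address in it is a constructed sample, and the DHCP scope and reserved-host list are assumptions about what an administrator would have to hand.

```python
import ipaddress


def check_static_pool(pool_start, pool_end, internal_iface, dhcp_scope=None, reserved=()):
    """Return a list of problems with an RRAS static address pool (empty list = looks sane).

    pool_start, pool_end  first and last address of the static pool
    internal_iface        the VPN server's internal interface, e.g. "10.1.0.1/24"
    dhcp_scope            (first, last) of the internal DHCP scope, if one exists
    reserved              addresses statically assigned to internal hosts (servers, printers)
    """
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    iface = ipaddress.ip_interface(internal_iface)
    net = iface.network
    problems = []

    if end < start:
        return [f"pool end {end} precedes pool start {start}"]

    # Rule 2: the pool should sit on the internal interface's network ID.
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is not on the internal interface's network {net}")
    elif start == net.network_address or end == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")

    # Rule 1: nothing already in use internally may be handed to a VPN client.
    if start <= iface.ip <= end:
        problems.append(f"pool includes the VPN server's own internal address {iface.ip}")
    if dhcp_scope is not None:
        d_start, d_end = (ipaddress.ip_address(a) for a in dhcp_scope)
        if start <= d_end and d_start <= end:
            problems.append(f"pool overlaps the internal DHCP scope {d_start}-{d_end}")
    clashes = [r for r in reserved if start <= ipaddress.ip_address(r) <= end]
    if clashes:
        problems.append("pool contains addresses already assigned internally: " + ", ".join(map(str, clashes)))
    return problems


if __name__ == "__main__":
    # Constructed sample: internal LAN 10.1.0.0/24, DHCP scope .50-.150, file server at .10
    good = check_static_pool("10.1.0.200", "10.1.0.220", "10.1.0.1/24",
                             dhcp_scope=("10.1.0.50", "10.1.0.150"), reserved=("10.1.0.10",))
    bad = check_static_pool("10.1.0.1", "10.1.0.120", "10.1.0.1/24",
                            dhcp_scope=("10.1.0.50", "10.1.0.150"), reserved=("10.1.0.10",))
    print("good pool:", good or "no problems")
    print("bad pool:", *bad, sep="\n  ")
```

Running the check before clicking Add on the IP tab is cheaper than tracking down a duplicate-address complaint from a VPN client later.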

Using RRAS and configuring IP addresses and name server assignments allows you to further tune the settings on your Windows 2000 VPN server and create a VPN environment that meets the requirements of your organization. Doing so can make your job go a little smoother and your end users happy.


Troubleshoot Windows RAS and VPN
connections with these tips
Oct 19, 2001
By Carol Bailey, MCSE+I

Managing remote access servers can be among the most high-maintenance activities that any administrator has to juggle. Simply put, tons of things can go wrong that prevent a user from connecting, stop a user from accessing network resources, or slow down the user’s connection. However, many of these problems are beyond the administrator’s immediate control, such as client configuration difficulties, hardware problems at the remote user’s end, issues with the user’s ISP (if connecting over a VPN), and Internet bandwidth problems.
In my experience, once a RAS server is up and running, subsequent reported problems tend to be user-related issues rather than server problems. Nevertheless, you can bet users will contact you and complain about problems with the RAS server(s). And when they do, you usually have to confirm that everything is working as expected on the server side before they will doubt their end of the connection.
I’ve had many frantic calls from remote users complaining that the RAS server is down and must be fixed immediately because it is imperative for them to do their work, and only after I’ve proved that the problem is not with the RAS server have they looked a little closer to home and found the problem.
So what can you do to streamline the troubleshooting process? I’ve put together some tips that can help with this time-consuming exercise.

Gather timely information
When a user complains that the RAS server is down, the most obvious thing to check is that the server is running and that the RAS service is started. Most admins check this by pinging the server and then connecting to the server to verify that the RAS service is up.
Of course, you can do this from your workstation rather than physically on the server itself. But a quicker and more elegant solution is to run the RAS Server Monitor (Rassrvmon.exe) from the Windows 2000 Resource Kit ( dows2000/techinfo/reskit/default.asp), which, unfortunately, works only with Windows 2000 RAS servers and not with NT4 RAS servers.
You can have the utility running permanently on your workstation so that you can quickly check the server’s status with the utility’s GUI, or you can run it on another computer and leave it to collect the monitored information to file. You can then check the information ad hoc. If you have multiple RAS servers, you should have multiple instances of the RAS Server Monitor—one for each server.
This utility produces three files, which all have the base name of the server (name or address) that you provide when you load the utility, with the extensions .webstatus, .userlist, and .userdetails. The .webstatus file is designed to be posted on a Web server, so you can publish the current status of your RAS server on your company intranet. This includes information such as the number of currently connected users, total calls, total bytes transferred, and the total and peak number of connections. The .userlist and .userdetails files provide more details on each connection made and include information such as user name and workstation name, the IP address allocated and type of port used, the number of bytes transferred, the first and last connection, the connection duration, and the line speed.
As a background task, you can also configure the RAS Server Monitor to alert you if it detects problems, so that you will know about them before a user contacts you. The first alerting service monitors whether the RAS service is up by sending the MprAdminPortEnum API to the server you specify. A failure to respond means the service or server is down. You configure the alert (for example,

send an e-mail message or log an error) by running a program of your choice when the number of failed responses continues over a period of time. By default, this time period is 10 minutes.
The second alerting service monitors for inactive RAS connections over a specified time period. Obviously, there may be legitimate reasons for this inactivity (for example, overnight hours and quiet periods during popular vacation times), but on RAS servers that are usually busy during the day, it could indicate that there’s a problem with the line(s), which would not be detected by the service API monitor.

Does the user have dial-in permission?
If you’re running RAS servers in a native-mode Active Directory domain, you can use the new permission Control Access Through Remote Access Policy on all user accounts so that dial-in permissions are always kept centrally on your RAS servers as part of your Remote Access Policies. However, if you are still using NT4 RAS servers or your Active Directory is not in native mode, you will need to grant the dial-in permission on each user account.
It can be quite tedious and time-consuming to individually check this on multiple accounts. One way to ease the burden a bit is to make it a regular administrative task to use the Resource Kit tool RASUsers to output a list of all users on a server or domain that have been granted this right. You can then import this information into a database or spreadsheet, making it very quick to search and confirm whether a user account has been granted that right.

Are Remote Access Policies preventing users from connecting?
Windows 2000 Remote Access Policies are great for granular control of user permissions and connections. However, they can also be a pain to support, and they can get so complex that it’s difficult to figure out which policy is being used, and thus, which condition is responsible for a failed connection.
My first tip here would be to make sure that you know how the administration modes work for Remote Access Policies, use the simplest policies you can, bear in mind the order of processing, and document your choices (perhaps with a flowchart to show their decision criteria for allowing connections).
My second tip—particularly when using multiple RAS servers—is to centralize authentication with Windows 2000’s Internet Authentication Service (IAS), even if you have to load it on the same machine as Win2K RRAS. This is because IAS will record which Remote Access Policy is being used with each connection in the Event Log, which makes it much easier to troubleshoot policy problems.

Is your firewall preventing VPN users from connecting?
If you have VPN connections using PPTP, you will need to allow TCP port 1723 and IP protocol 47 to pass through your firewall. If you are using L2TP/IPSec, you will need UDP port 500 and IP protocol 50 to pass through the firewall. If you are using AH as well as ESP in your IPSec policies, you will also need IP protocol 51 to pass.
You can use the Windows 2000 Resource Kit utility PPTP Ping to confirm that this protocol is working between client and server. Simply install pptpsrv.exe on the RAS server and install pptpclnt.exe on the client. Issue the command pptpclnt <ip address of VPN server> on the client. If the protocol reaches the server, the server will display a successful message. If port 1723 is blocked or if port 1723 is open but protocol 47 is blocked (the most common configuration mistake with firewalls), this will be reported as an error since there will be no connectivity taking place.
In the early stages, when you are testing your VPN server, the simplest way to check the viability of the VPN server itself is to eliminate the firewall by setting up a client VPN connection over Ethernet rather than over the Internet. If this doesn’t work when there is no firewall between the server and the client, you can’t blame the firewall for the connection problem.
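The port and protocol list in the firewall section above lends itself to a small audit. The following is an added example, not the article’s or the Resource Kit’s code: it reads a constructed rule base written in a simplified “allow tcp 1723” syntax with first-match semantics and an implicit final deny (an assumption about the firewall; adjust for products that work differently), and reports which required entries would be blocked, including the “1723 open but protocol 47 blocked” case the author calls the most common mistake. The protocol names attached to the numbers (GRE, IKE, ESP, AH) are the standard ones.

```python
# Required firewall openings per VPN type, exactly as listed in the article.
REQUIREMENTS = {
    "PPTP": {("tcp", 1723), ("ip-proto", 47)},                             # control channel + GRE
    "L2TP/IPSec": {("udp", 500), ("ip-proto", 50)},                        # IKE + ESP
    "L2TP/IPSec+AH": {("udp", 500), ("ip-proto", 50), ("ip-proto", 51)},   # ... plus AH
}

NAMES = {
    ("tcp", 1723): "PPTP control channel (TCP 1723)",
    ("ip-proto", 47): "GRE (IP protocol 47)",
    ("udp", 500): "IKE (UDP 500)",
    ("ip-proto", 50): "ESP (IP protocol 50)",
    ("ip-proto", 51): "AH (IP protocol 51)",
}


def parse_rule(line):
    """Constructed syntax: '<allow|deny> <tcp|udp|ip-proto> <number|any>'."""
    action, proto, number = line.split()
    if action not in ("allow", "deny") or proto not in ("tcp", "udp", "ip-proto"):
        raise ValueError(f"bad rule: {line!r}")
    return action, proto, number if number == "any" else int(number)


def first_match(rules, proto, number):
    """First matching rule wins; anything not matched hits the implicit deny at the end."""
    for action, rproto, rnum in rules:
        if rproto == proto and rnum in ("any", number):
            return action
    return "deny"


def audit(vpn_type, rule_lines):
    """Return human-readable names of the required openings this rule base does not allow."""
    rules = [parse_rule(line) for line in rule_lines]
    missing = [req for req in sorted(REQUIREMENTS[vpn_type]) if first_match(rules, *req) != "allow"]
    return [NAMES[m] for m in missing]


if __name__ == "__main__":
    # Constructed rule base showing the classic mistake: TCP 1723 open, GRE forgotten.
    rulebase = ["allow tcp 1723", "allow udp 500", "allow ip-proto 50"]
    for vpn in ("PPTP", "L2TP/IPSec", "L2TP/IPSec+AH"):
        print(f"{vpn:14s} missing: {audit(vpn, rulebase) or 'nothing'}")
```

An empty result from audit only says the rule base permits the protocols; PPTP Ping, as the author describes, is still the way to confirm the packets actually arrive.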


Are certificates preventing L2TP/IPSec users from connecting?
When it comes to troubleshooting L2TP/IPSec connections, I would put problems with certificates at the top of the list of potential problems. Verify that both client and server have a Certificate Authority (CA) in common and that both have been issued with a valid computer certificate from this CA. If the certificates have been issued outside Active Directory, it’s particularly important to ensure that the certification path has been installed and the system date/time is correct on both computers.

Are there performance problems?
There are a hundred and one reasons for connections not going as quickly as users would like, but one of my tips is to give remote clients LMHOSTS and/or HOSTS files that contain the domain name and the main servers, such as domain controllers, WINS servers, and any servers the user needs for network resources. This should reduce any problems that might be caused by name resolution issues.
If you think poor performance could be due to overstressing your RAS server, use the Performance Monitor counters to keep an eye on memory and processor metrics. PPTP will incur more processing than PPP (because of the encryption), and L2TP/IPSec will be higher still (because of the IPSec processing).
If you suspect the additional stress of running L2TP/IPSec is responsible for poor performance, look to see whether you are using 3DES encryption on most connections (the default for 128-bit versions). If so, consider disabling the default L2TP/IPSec policy and configuring your own policy that uses DES rather than 3DES. You could also invest in a network card that offloads some of the IPSec processing.
The RAS Server Monitor also provides statistical information you might find useful here, such as peak connection time, total connect time, and total bytes transferred. You can use its sister utility, Reportgen, to provide reports from the information produced by Rassrvmon, which can help provide trend analysis to help you determine whether reports of poor performance are linked to high usage.

Prevent user misconfiguration problems
If possible, discourage or prevent most users from changing their RAS settings if their configuration is working. (Windows 2000 Local Group Policies are fantastic for enforcing this.) However, when a user has to configure a connection from scratch, this is another matter. You may find that deploying preconfigured connections with a dialer program is a worthwhile investment of time.
Windows 2000 Server now ships with Connection Manager Administration Kit (CMAK), which allows you to preconfigure remote access connections for your users and customize the configuration with your own company logos, etc. You can include a static address book for your RAS server details or, if you think your RAS server details may change, you can supply the phone book as an automatic download that will update clients with any changes. You’ll find details for using

Contingencies
Many network admins prefer VPN connections over dial-up modems these days because they have many cost advantages and it’s easier to run multiple simultaneous connections, which eliminate the need for modem banks. However, consider keeping some PPP ports in case users have problems connecting over the VPN—for example, if their ISP is having problems. Because these dial-up connections use Point-to-Point rather than the Internet, they also offer a more secure medium, which means that you may consider configuring them with lower security options, such as CHAP authentication for non-Windows clients and no encryption for better throughput. If you are using Windows 2000 Remote Access Policies, you can easily configure the security settings for these different connections based on the port type being used.

Summing up
Running a trouble-free RAS service isn’t easy, but I hope these tips and tools will help you streamline troubleshooting this important service. The tips have included gathering timely information on your RAS servers’ status, verifying dial-in permission and Remote Access Policies, firewall configuration, certificate verification, performance improvements, preconfiguring connection details for users, and having some contingency plans to call upon.

Learn why NAT can cause VPN

connection problems
Nov 8, 2001
By David Davis, MCSE+I, CCNP, SCSA

Many a network administrator has tried to set up a virtual private network (VPN) client from a workstation with a nonroutable (private) IP address only to find out—amid much frustration—that the network address translation (NAT) on the Internet router keeps the VPN client from making the connection. We’re going to look at the reasons behind this common problem and see what you can do about it.

Important concepts
First, here are four basic concepts you need to understand:
X Encapsulation involves wrapping a header around a data unit, typically an IP packet. Encapsulation can also be referred to as tunneling. For instance, IP packets get encapsulated in a frame-relay header when they traverse a frame-relay WAN.
X Encryption provides a way to secure sensitive data by translating it into private code. It can then be decrypted only by using a secret key or a password.
X A VPN encapsulates and encrypts packets to send a private network’s data over a public network (such as the Internet) to another private network. Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP Security (IPSec) are the most popular protocols for securing VPN traffic.
X NAT is based on RFC1631 (http://www. and is typically used to connect a private network to a public network, such as connecting your company network to the Internet. For more information, refer to Cisco’s article “How NAT Works” ( warp/public/556/nat-cisco.shtml). Keep in mind that to function, NAT doesn’t just swap IP source and destination addresses, but it may also swap TCP source and destination ports, change the IP and TCP header checksums, change the TCP sequence and acknowledgment numbers, and change IP addresses contained in the data payload.

VPN protocols
Now we need to look at a few of the important differences between the two VPN tunneling methods:
X IPSec and L2TP—These two open protocols are popular across multiple platforms. However, they usually encapsulate and encrypt the IP datagram, which contains the IP source and destination addresses. This can make them troublesome for NAT.


IPSec can work in two different ways: transport and tunnel. Transport mode is between a client and a server. Tunnel mode is between two IPSec tunneling gateways (for instance, two routers or servers). In transport mode, the application headers, TCP/UDP headers, and data are encrypted, leaving the IP headers exposed. The authentication data is calculated based on the values in the IP header (among other things). In tunnel mode, the entire packet (including the IP headers) is encrypted and new IP headers are appended.
X PPTP—This Microsoft proprietary protocol does not encapsulate or encrypt the IP datagram, which makes this protocol compatible with NAT, or “NAT friendly.” Windows 2000 RRAS (Routing and Remote Access Services) uses this VPN protocol by default. If you are using NAT, choosing Windows 2000 VPN (RRAS) services with PPTP can greatly simplify your VPN-NAT issues.

NAT and VPN
NAT is supposed to be transparent to whatever applications it works with. Many NAT and VPN dilemmas are created by this assumption. NAT can break a VPN tunnel because NAT changes the Layer 3 network address of a packet (and checksum values), whereas the tunneling, used by an IPSec or L2TP VPN gateway, encapsulates/encrypts the Layer 3 network address of a packet with another Layer 3 network address, stripping it off on the other side.
In other words, after a packet goes through the NAT process, it has a different network address. But after a packet goes through the IPSec or L2TP VPN tunneling process, it has the same network address. This concept is invaluable when setting up and troubleshooting NAT and VPN together.
As I said, choosing PPTP can often eliminate the NAT-VPN issues created with IPSec and/or L2TP. However, if you are trying to create a tunnel through the Internet between two Cisco routers (or other non-Microsoft devices or operating systems), you will likely be using IPSec. If you are using IPSec with NAT on a Cisco router, you can get around the VPN-NAT issues by selecting which traffic is to be NATed and making sure that the traffic bound for the tunnel is not NATed but encapsulated and encrypted in the IPSec header. In other words, you want the traffic bound for true Internet destinations to be NATed, and you want the traffic destined to travel through the IPSec tunnel to be tunneled, not NATed. On Cisco equipment, this is accomplished using an access control list.
Let’s return to our original scenario of the troubled network administrator who configures a workstation with a private IP address and tries to use a VPN client to go through a NAT-enabled router. We’ll assume that the administrator is using an IPSec-based VPN client (not PPTP). Because this is from a client to a server, this means that the admin is using IPSec in transport mode.
Remember that in transport mode, the IP header is not encrypted but exposed. However, the authentication data is calculated based on the values in the IP header (among other things). When the packets arrive at the NAT router, the IP headers are modified (NATed). Upon arriving at the VPN server, the authentication data in the packet is invalid because the IP header information was modified by NAT. So the VPN server drops the packet, and the VPN client never gets connected.
To deal with this issue, VPN product vendors are beginning to build IPSec NAT traversal capabilities into their products. Different standards and vendor implementations are being used to make this work. Most rely on some kind of IPSec encapsulation into UDP packets. Because the IPSec packet is now encapsulated, NAT devices do not affect the packet’s IP header information, and the IPSec authentication data is still valid. Thus, a connection can be made.

Final word
This is a complex topic that should not be taken lightly. Understanding how NAT and the different VPN implementations do what they do is crucial. You should also check with your router and VPN vendors for specific solutions
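The transport-mode failure and the UDP-encapsulation fix described above, modelled in Python as an added example; this is not code from the article and not a real AH or ESP implementation. The “authentication data” is an HMAC over the exposed source and destination addresses plus the payload, which is the property the article’s explanation relies on; the addresses, key and packet layout are constructed for the demonstration, and the UDP port number is only a label on the constructed outer header (4500 is the port real NAT traversal uses, but nothing here depends on it).

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"   # shared between the two IPSec peers in this toy model
NAT_T_PORT = 4500               # label only; see lead-in


@dataclass
class Packet:
    src: str          # IP header source address (dotted quad)
    dst: str          # IP header destination address
    payload: bytes    # everything after the IP header
    icv: bytes = b""  # authentication data computed by the sender


def _auth_input(src, dst, payload):
    # What the authentication data covers: exposed header addresses + payload.
    return socket.inet_aton(src) + socket.inet_aton(dst) + payload


def protect(src, dst, payload, key=KEY):
    """Sender side: attach authentication data to a transport-mode packet."""
    icv = hmac.new(key, _auth_input(src, dst, payload), hashlib.sha256).digest()
    return Packet(src, dst, payload, icv)


def verify(pkt, key=KEY):
    """Receiver side: recompute the authentication data from what actually arrived."""
    expected = hmac.new(key, _auth_input(pkt.src, pkt.dst, pkt.payload), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.icv)


def nat(pkt, public_ip):
    """A NAT router rewrites the source address of an outbound packet and nothing else."""
    return replace(pkt, src=public_ip)


def encapsulate(pkt, outer_src, outer_dst):
    """NAT traversal: carry the whole protected packet (addresses, payload, ICV) inside UDP."""
    inner = (socket.inet_aton(pkt.src) + socket.inet_aton(pkt.dst)
             + struct.pack("!H", len(pkt.payload)) + pkt.payload + pkt.icv)
    udp = struct.pack("!HH", NAT_T_PORT, NAT_T_PORT) + inner
    return Packet(outer_src, outer_dst, udp)


def decapsulate(outer):
    """Peel the UDP wrapper off and rebuild the original protected packet."""
    body = outer.payload[4:]                      # skip the two UDP port fields
    src = socket.inet_ntoa(body[:4])
    dst = socket.inet_ntoa(body[4:8])
    plen = struct.unpack("!H", body[8:10])[0]
    return Packet(src, dst, body[10:10 + plen], body[10 + plen:])


# Constructed scenario: workstation 192.168.1.10 behind a NAT router with public
# address 198.51.100.7, talking to a VPN server at 203.0.113.5.
def transport_mode_through_nat():
    pkt = protect("192.168.1.10", "203.0.113.5", b"L2TP control message")
    return verify(nat(pkt, "198.51.100.7"))      # header rewritten -> ICV no longer matches


def nat_traversal_through_nat():
    pkt = protect("192.168.1.10", "203.0.113.5", b"L2TP control message")
    outer = encapsulate(pkt, "192.168.1.10", "203.0.113.5")
    arrived = nat(outer, "198.51.100.7")         # NAT touches only the outer header
    return verify(decapsulate(arrived))          # inner header untouched -> ICV still matches


if __name__ == "__main__":
    print("transport mode through NAT verifies:", transport_mode_through_nat())
    print("UDP-encapsulated through NAT verifies:", nat_traversal_through_nat())
```

The same model also shows why NAT is not a security problem here: the receiver’s check fails for the right reason, and a payload changed in transit fails it just as surely as a rewritten address does.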

that their products may have for dealing with NAT and VPN interoperability.
Cisco provides the following sample network configurations and scenarios that can help to better understand and manage NAT-VPN issues:
X “Configuring Router to VPN Client, Mode-config, Wild-card Pre-shared Key with NAT”
X “Configuring an IPSec Tunnel through a Firewall with NAT”
X “Configuring a Router IPSec Tunnel Private-to-Private Network with NAT and a Static IP Address”
X “Configuring Router-to-Router Dynamic-to-Static IPSec with NAT” ( 707/ios_804.html)
X “Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between Private Networks” ( 707/overload_private.shtml)
X “Configuring IPSec Router-to-Router with NAT Overload and CiscoSecure VPN Client” ( 707/ios_D.html)

Create a gateway-to-gateway VPN with

ISA Server 2000
Sep 24, 2001
By Dr. Thomas Shinder, MCSE

Virtual private networks (VPNs) allow you to connect to private network resources over the Internet. The VPN link mimics the connection you would have if all devices were directly connected to your private LAN. The difference is that instead of connecting directly to the private network, devices connect first to the Internet and then establish the virtual link that creates the connection to your private network.
The most common implementation of VPNs is allowing a client computer, such as a Windows 2000 Professional notebook, to make a connection to the Internet and then establish the VPN link. After establishing the VPN link, the computer becomes a member of the private network. The client then will be able to access resources on the network, such as printers and shares, just as if it were directly connected.
A less common, but important, implementation of VPNs is to use them to connect entire networks to one another. The VPN link acts like a routed connection that allows clients on both sides to access resources on the opposite side. Communications move through the Internet but are protected by the encryption provided by the tunneled connection.
You need a VPN server on each end of the link to create this type of VPN. The


configuration is most frequently referred to as a gateway-to-gateway VPN. The gateway-to-gateway VPN allows messages to be routed from one network to the other with a secure encrypted tunnel over the Internet.
Configuring a gateway-to-gateway VPN in Windows 2000 is not for the faint of heart. In this article, we’ll look at how to make the process of creating the gateway-to-gateway VPN easier by using ISA Server 2000 (ISA Server). ISA Server makes it easy to create a gateway-to-gateway VPN with VPN wizards that actually work.

Preparing for the VPN
A lot of people have trouble getting a VPN to work correctly the first time they implement one. The main reason is that they forget that a gateway-to-gateway VPN is just like any other routed connection. The ISA Server acts like a router; therefore, you have to configure your network to support a routed infrastructure.
In a routed network, you need to address issues related to:
X DNS host name resolution
X NetBIOS name resolution
If the two networks host different internal network domains, you need to configure DNS to support name resolution for both sides. You can do this in a number of ways. You could make DNS servers on each side secondary servers of one another. You could also create referral records for nonlocal domains on each of the DNS servers that point to the DNS on the opposite side of the link.
NetBIOS name resolution is handled by a WINS server. Since the connection is a routed link, NetBIOS name broadcast queries will not traverse the VPN. Make sure there is a WINS server on each side of the link. You should configure the WINS servers to be replication partners if you wish to resolve NetBIOS names for machines on the opposite side of the VPN.
In a single-segment network, all machines will have the internal interface of the ISA Server set as their default gateway. On a multiple-segment network, you will need to configure routers to forward Internet-bound traffic to the internal interface of the ISA Server. In addition, you will need to configure the network routers to forward traffic destined for the network ID of the remote network on the other side of the VPN to the internal interface of the ISA Server.

Configuring the VPN connection
When using ISA Server to create the gateway-to-gateway VPN connection, you must use two wizards:
X The Local VPN Wizard
X The Remote VPN Wizard
The Local VPN Wizard is run at the location that will receive the calls from remote VPN servers. This wizard is usually run on the ISA Server at the central office, after which it will be ready to accept calls from an ISA Server at a remote, branch office.
The Remote VPN Wizard is run at the remote location—the location initiating the calls. The Remote VPN Wizard uses information collected by the Local VPN Wizard to create the connection.

COMMUNICATIONS
The Local VPN Wizard is run on the machine that will accept inbound calls from the remote VPN server. However, you can tell the Local VPN Wizard to allow both sides to initiate a call.

Running the Local VPN Wizard
The first step is to run the Local VPN Wizard. Perform the following steps to configure the local VPN Server:
1. Open the ISA Management console. Expand your server or array and right-click the Network Configuration node in the left pane. Click the Set Up Local ISA VPN Server command.
2. On the Welcome To The Local ISA Server VPN Configuration Wizard page, click Next to continue.
3. The ISA Server Virtual Private Network (VPN) Identification page will appear.

In the Type A Short Name To Describe The Local Network text box, type a short (less than 10 characters is safe) name for the local network. In this example, we’ll call it local. In the Type A Short Name To Describe The Remote Network text box, type in a short name for the remote network. In this example, we’ll call it remote (Figure A). Click Next.
4. The ISA Server Virtual Private Network (VPN) Protocol page will appear. You have three choices:
X Use L2TP Over IPSec.
X Use PPTP.
X Use L2TP Over IPSec, If Available. Otherwise, Use PPTP.
In this example, we will select Use L2TP Over IPSec, If Available. Otherwise, Use PPTP (Figure B) because it gives us the most flexibility in establishing the connection. Generally, you will want to use IPSec for your gateway-to-gateway tunnels, but it is helpful to have PPTP available for initial testing. You can remove the PPTP packet filters after you have confirmed that your VPN is functioning and that your IPSec configuration works properly. Click Next.
5. The Two-Way Communication page will appear next. If you wish to allow both ends to initiate a call, put a check mark in the Both The Local And Remote ISA VPN Computers Can Initiate Communication check box. If you do not, only the remote VPN server will be able to initiate a call. In the top text box, enter the IP address or the FQDN of the remote ISA Server. In the bottom text box, enter the NetBIOS name of the computer or the NetBIOS name of the domain (if the machine is a domain controller). In this example, we will allow bidirectional initiation of calls. We will use as the FQDN

Figure A
Naming the VPN connection

Figure B Figure C

Selecting the tunnel type Configuring bidirectional call initiation

106 Administrator’s Guide to VPN and Remote Access, Second Edition

of the remote gateway and type in the domain name of the remote VPN server, TACTEAM (Figure C). Click Next.
6. On the Remote Virtual Private Network (VPN) Network page, enter the IP address range of the remote network. If you do not want access to all computers on the remote network, enter the IP addresses of the individual machines that you want access to. To add the address ranges, click the Add button. In this example, we'll allow the local network to access all the machines on the remote network ID (Figure D). Click Next.
7. The Local Virtual Private Network (VPN) Network page will appear next (Figure E). Select the external address of the ISA Server to which the remote ISA Server will connect. Confirm that the entries for the local network ID ranges are correct and click Next.
8. The ISA VPN Computer Configuration File page will appear. You'll use this file to create the remote VPN server. Type a path and file name in the File Name text box. Then, type in and confirm the password (Figure F). You can save this to a floppy disk to carry with you to the remote site or you can save it to the hard disk and e-mail it to an administrator at the remote site. Click Next.
9. On the final page of the wizard, click the Details button to review the changes made to your machine. If the Routing and Remote Access service has not been started, the wizard will start it and make the configuration changes noted in the Details. Click Finish.

Figure D: Configuring access to the remote network IP addresses
Figure E: Configuring the local network IP addresses
Figure F: Naming the configuration file and creating a password

Running the Remote VPN Wizard
Running the Remote VPN Wizard is simple because you already made all the configuration decisions when you ran the Local VPN Wizard. To run the Remote VPN Wizard, perform the following steps:

1. Open the ISA Management console, expand your server or array, and right-click on the Network Configuration node in the left pane. Click Set Up Remote ISA VPN Server.
2. On the Welcome to the Remote ISA Server VPN Configuration Wizard page, click Next.
3. The ISA VPN Computer Configuration File page appears next. Type in or browse to the file name. After selecting the file, type in the password (Figure G) and click Next.
4. The Completing The ISA VPN Configuration Wizard will appear (Figure H). Click the Details button to see the changes that will be made to the server. You may also wish to select the check boxes that will open the Help files on how to configure demand-dial interface and IP packet filters. Click Finish to complete the wizard.
Once the Local and Remote VPN Wizards have been run, users on either side of the VPN will be able to initiate a demand-dial connection to the remote network. You can configure the demand-dial interface to drop the connection after a period of idleness or to be a permanent connection.

Figure G: Running the Remote VPN Wizard
Figure H: Completing the Remote VPN Wizard

Troubleshoot ISA Server VPN connections

Jun 24, 2002
By Dr. Thomas Shinder, MCSE

When working with ISA Server configured to run a VPN, troubleshooting the VPN problems can be one of the most difficult tasks you'll encounter. The ISA Server's VPN Wizards do most of the work when creating the VPN server or VPN gateway, but they can't help you resolve VPN problems. By learning about the problems you might face and how to fix them, however, you'll be better prepared to face the challenge should problems arise. In this article, I'll show you how to identify and


troubleshoot problems with ISA Server VPN connections.

What kind of problems can I expect?
Most ISA Server VPN problems are related to VPN server or VPN client configuration and not to the actual ISA Server setup. This is because the ISA Server software does very little in relation to VPN connections. The only thing the ISA Server does when you run the ISA Server VPN Wizards is create the packet filters to support the VPN protocols. The Routing And Remote Access Service (RRAS) handles all other components of the VPN.
Some common VPN configuration and management errors you may encounter include:
X Name resolution issues
X IP addressing problems
X VPN client configuration problems
X VPN gateway issues
X Authentication and encryption errors
Once you get a handle on these areas, you'll be in good shape to have a smoothly running ISA Server VPN server.

Name resolution
Name resolution issues are common with ISA Server running a VPN server. The biggest problem occurs when the ISA Server administrator doesn't have a network infrastructure to support the ISA Server solution. You can easily handle the problem by installing and configuring the appropriate network services.

NetBIOS
If you have problems with NetBIOS name resolution, the obvious solution is to configure a WINS server. A WINS server is required if you want your VPN clients to resolve the NetBIOS names of machines on the internal network, because the VPN client cannot use NetBIOS broadcasts to resolve NetBIOS names on the internal network.
You can manually or automatically configure the VPN client with an address of a VPN server on the internal network. An alternative is to configure an LMHOSTS file on each VPN client. LMHOSTS files are an inferior solution because they aren't dynamically updated. If machines on the internal network use DHCP for IP address assignment, the LMHOSTS file will be worthless. However, if you use static addresses for network servers, the LMHOSTS file can be a viable alternative.

DNS
An alternative to NetBIOS name resolution is DNS host name resolution. VPN clients can use a DNS server that is manually or dynamically assigned to them. They can query the internal network DNS server to resolve host names on the internal network. The problem most VPN clients run into when it comes to hosting name resolution on the internal network occurs when the VPN clients try to resolve unqualified names on the internal network. This becomes an issue when the VPN client wants to use DNS host name resolution to resolve the NetBIOS names on the internal network.
When the VPN client sends an unqualified request to the DNS server on the internal network, the DNS resolver on the client typically appends the VPN client's domain name to the request. If the client is configured with an inappropriate domain name or no domain name at all, the request for name resolution will fail. If the internal network DNS server is configured to use a WINS server for name resolution, the request may succeed. But in that case, you should just assign a WINS server address to the VPN client in the first place.
When using ISA Server, VPN clients get their name server addresses from the settings on the internal interface of the VPN server or from a DHCP server on the internal network. If you configure a static address pool for the VPN clients, the clients obtain their name server address from an internal interface on the VPN server. If the VPN server had multiple internal network adapters, you'd need to choose the one that has the name server addresses that you want assigned to the VPN clients. You can configure which adapter to use for name server assignment by looking at the Properties page of the VPN server. Click the IP tab on the Properties page. Make sure the

Adapter field at the bottom of the IP tab is set to Internal, as shown in Figure A.

Figure A: Select the interface that you want to assign name server addresses.
Figure B: Select the VPN interface on which you want to use the Web Proxy service.

DHCP
Your other option is to use a DHCP server on the internal network. When your ISA Server is configured to run as a VPN, make sure you install and configure the DHCP Relay Agent on the VPN server computer. VPN clients never directly communicate with a DHCP server because the VPN server doesn't pass broadcast messages from VPN clients to the internal network. The DHCP Relay Agent will proxy for the VPN clients and allow them to receive DHCP options.
One thing that definitely won't work without a WINS server is the browser service. If your users need access to a network server browser list, you must install a WINS server and configure the VPN clients to obtain the WINS server address.

IP addressing
VPN clients can get an IP address from a static address pool or from a DHCP server on the internal network. You can configure a static address pool in the same dialog box seen in Figure A. Make sure that the addresses in the static address pool aren't already in use on the network and that they aren't assigned to a scope on any of your DHCP servers.
You can also use a DHCP server to assign addresses to VPN clients. The RRAS server will obtain addresses from a DHCP server when the RRAS server starts up. The server will obtain more addresses when needed; however, the RRAS server doesn't retain any DHCP options. The only way to assign DHCP options, such as WINS address, DNS address, and domain name, to VPN clients is to install and configure the DHCP Relay Agent on the VPN server.
You can assign VPN clients on-subnet and off-subnet addresses. On-subnet addresses are those that match the same network ID as the internal interface of the ISA Server. On-subnet addresses are easiest to manage, because VPN clients have a valid IP address for the network ID that the VPN server is directly attached to.
You can also use off-subnet network addresses for the VPN clients. In this instance, the VPN clients are assigned IP addresses that are not on the same network ID as the internal interface of the ISA Server. This can be a useful security measure. If the network routing infrastructure isn't set up to support the off-subnet addresses that you assign the VPN


clients, the only resources the VPN clients will be able to access are on the VPN server itself.
Whether you use on-subnet or off-subnet addressing on the VPN clients, it's critical that you configure the routing table on the VPN server with the appropriate network IDs on your internal network. If there are networks you don't want the ISA Server to reach, leave them out of the routing table, but all other networks must be included in the routing table. If you use off-subnet addresses for VPN clients, you must configure the routers on the network to forward responses to the off-subnet network ID to the internal interface of the VPN server.
In general, it is a good idea to configure the VPN clients to use off-subnet addresses. Doing so will prevent rogue VPN clients from accessing the internal network.

VPN client configuration
Windows VPN client software is configured slightly differently, depending on the operating system. However, there is one setting common to almost all versions—the Use Default Gateway On Remote Network option. This is the default option. When selected, all packets for nonlocal networks are forwarded to the ISA Server's VPN interface. This prevents VPN clients from accessing the Internet and the corporate network at the same time.
You can still allow VPN clients to access the Internet through the ISA Server by configuring the VPN client's browser to use the Web Proxy for the VPN connection. At the client, launch Internet Explorer and select Internet Options from the Tools menu. When the Internet Options screen appears, click the Connections tab. On the Connections tab, find an entry for the VPN connection (see Figure B). Select that connection and click the Settings button.
You can configure a proxy server address and port number in the connection's Settings dialog box. Put in the IP address of the outgoing Web requests listener and port 8080, as shown in Figure C. You'll also need to include the credentials required by the Web Proxy service if you're requiring authentication for outbound access.

Figure C: Enter the IP address, port, and credentials when you use the Web Proxy service.

Either intentionally or out of curiosity, users may harpoon network security by disabling the Use Default Gateway On Remote Network option. When users disable this option, a network route is added to the VPN client's routing table, but it isn't a default route. The route sends requests for the classful network ID the VPN client was assigned for its VPN interface.
Let's look at an example of a dial-up VPN client. The VPN client is assigned the IP address, and a default route for network ID is configured on the VPN client. All packets for that network ID (and all subnets of that network ID) are sent to the VPN server. All other nonlocal packets are sent to the ISP's remote router. The VPN client then has a direct link to both the Internet and the corporate network and can become a gateway between the Internet and the corporate network.
A good way to prevent users from torpedoing internal network security is to design the IP addressing and routing scheme so that if users are able to set their VPN clients to not Use The Default Gateway On The Remote Network, they still won't be able to access anything other than resources on the VPN server itself.
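To see why the addressing scheme decides what such a client can reach, here is an added example (not from the original article) that simulates the client's route selection with Use Default Gateway On Remote Network turned off, comparing an on-subnet with an off-subnet assignment, and checks the return route internal routers need for off-subnet clients. The internal segments, addresses and router table are all constructed.

```python
"""Added example: simulate a Windows VPN client's route selection for on-subnet
versus off-subnet VPN addresses, with the Use Default Gateway On Remote Network
option on or off. All addresses below are constructed, not from the article."""
import ipaddress

# Constructed corporate layout: the VPN server's internal interface is on
# 10.0.1.0/24 (address 10.0.1.1); a second segment, 10.0.2.0/24, sits behind
# an internal router whose default gateway is the Internet firewall 10.0.1.254.
INTERNAL_NETS = [ipaddress.ip_network("10.0.1.0/24"),
                 ipaddress.ip_network("10.0.2.0/24")]
VPN_SERVER_INTERNAL = "10.0.1.1"


def classful_network(addr):
    """Classful network ID of an IPv4 address. With the default-gateway option
    off, the client adds a route for this network ID through the VPN adapter."""
    addr = ipaddress.ip_address(addr)
    first_octet = int(addr) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def client_routes(vpn_addr, use_default_gw_on_remote):
    """Client routing table as (network, next hop, metric) tuples."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "isp", 20)]  # existing default
    if use_default_gw_on_remote:
        # A second default route through the tunnel with a better metric:
        # every nonlocal packet goes to the VPN server.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "vpn", 1))
    else:
        # Only the classful route for the VPN interface's network ID is added.
        routes.append((classful_network(vpn_addr), "vpn", 1))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match; the lowest metric wins among equal prefixes."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    _net, hop, _metric = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return hop


def internal_reach(vpn_addr, use_default_gw_on_remote):
    """Map each internal network ID to whether the client sends packets for a
    host on it (the .10 address) through the tunnel."""
    routes = client_routes(vpn_addr, use_default_gw_on_remote)
    return {str(net): next_hop(routes, net.network_address + 10) == "vpn"
            for net in INTERNAL_NETS}


def split_tunnel_exposure(vpn_addr):
    """True if a client that turns the option off still reaches internal hosts,
    i.e. it can act as a gateway between the Internet and the corporate LAN."""
    return any(internal_reach(vpn_addr, False).values())


# Constructed routing table of the internal router. The last entry is the one
# the article says you must add for an off-subnet VPN client range: replies
# must be sent back to the VPN server's internal interface.
INTERNAL_ROUTER = [
    (ipaddress.ip_network("0.0.0.0/0"), "10.0.1.254", 10),
    (ipaddress.ip_network("10.0.2.0/24"), "direct", 1),
    (ipaddress.ip_network("192.168.200.0/24"), VPN_SERVER_INTERNAL, 1),
]


def return_path_ok(router_routes, client_addr):
    """Does the internal router send replies for this VPN client back to the
    VPN server's internal interface rather than out to the Internet?"""
    return next_hop(router_routes, client_addr) == VPN_SERVER_INTERNAL


if __name__ == "__main__":
    for label, addr in (("on-subnet", "10.0.1.50"), ("off-subnet", "192.168.200.5")):
        print(f"{label:10} option on : {internal_reach(addr, True)}")
        print(f"{label:10} option off: {internal_reach(addr, False)}")
        print(f"{label:10} exposure if a user turns the option off: "
              f"{split_tunnel_exposure(addr)}")
    print("return path for 192.168.200.5 with the route added:",
          return_path_ok(INTERNAL_ROUTER, "192.168.200.5"))
    print("return path without it:",
          return_path_ok(INTERNAL_ROUTER[:2], "192.168.200.5"))
```

The on-subnet client keeps reaching both internal segments through its classful route even with the option off, while the off-subnet client's classful route covers only its own range, so everything internal falls back to the ISP default route and fails.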

The best way to do this is to assign the VPN clients off-subnet IP addresses. For example, the internal interface of the VPN server is connected to network ID and the VPN clients are assigned IP addresses in the range. With this setup, those VPN clients configured not to use the VPN server as their default gateway will be able to access resources on the VPN server, but they won't be able to access resources anywhere else on the internal network.
This is because when the client is configured not to use the default gateway on the remote network, the actual default gateway on the client points to the ISP (the Internet) or whatever default gateway the client already has set up. Any nonlocal requests—including those for network ID—will be forwarded to the existing default gateway, which obviously won't work in getting to subnets on the VPN network. Even though the VPN server contains the proper routing table entries to forward requests to the network IDs on the internal network, the off-subnet VPN client won't be able to take advantage of them because they are not using the VPN server as their default gateway.

VPN gateways
ISA Server includes a couple of nice wizards that allow you to create a local and remote VPN gateway. Gateways can join a remote office to a local corporate network. The Local Wizard is run on the machine receiving the call from the remote office VPN server. The Remote Wizard is run at the VPN server at the branch office.
These wizards work fine, except for a small problem with allowing both sides to initiate a connection. Only the remote office should have the capability to call the central office. If you configure both sides with the ability to dial one another, you'll end up with a potential race condition when the VPN connection is dropped. Each server will try to dial the other simultaneously, preventing either from accepting an incoming connection.
You can prevent this problem by allowing only the central office to dial up the connection. After configuring the VPN gateways, go to the local VPN server and configure the machine to never redial a connection. The gateway-to-gateway VPN router configuration should have a passive side that receives calls and an active side that makes calls. On the passive side, remove the dial-up credentials from the demand-dial interface configured by the VPN Wizard.
Remember that your VPN gateway solution creates a routed connection to the remote network. You should treat the connection between the networks like you would any other routed connection. Configure your routing infrastructure to send packets for the appropriate network IDs to the network on the other side of the VPN gateway. This will prevent one of the most common communication failures between networks joined by the VPN gateway.
Design your network services infrastructure to support the routed networks. Place WINS, DNS, DHCP, and directory services with this routed architecture in mind. I often see questions from ISA Server administrators who wonder how to deal with NetBIOS and host name resolution for hosts on the other side of the network. You handle this problem as you would with any other routed network solution. Since the link between VPN gateways is not always reliable, you should install and configure redundant services on each side of the link and configure them to replicate with one another, using mechanisms appropriate for each network service.

Authentication and encryption
Your ISA Server configured to run VPN supports both PPTP and L2TP/IPSec VPN connections. ISA Server does not support pure IPSec VPN tunnels. This can create a problem when you want to configure a pure IPSec tunnel between the ISA Server computer and a third-party hardware VPN device. The only solution is to configure the third-party device to use L2TP/IPSec. If you do decide to use L2TP/IPSec, make sure that you configure compatible IPSec policies. Windows 2000 creates a default L2TP/IPSec policy.
You can disable the default IPSec policy and use an alternate policy. This will help if you want to use a preshared key between the VPN server and the black box, or you can configure


a new IPSec policy to be used for your L2TP connections.
There is one major ISA Server configuration issue to take into account when implementing an L2TP/IPSec VPN: The Internet Key Exchange (IKE) required for the IPSec connection requires that you allow fragmented packets through the ISA Server. If you configure the ISA Server to block fragmented packets, all L2TP/IPSec VPN connection attempts will fail. This creates some risk because there are known exploits that take advantage of packet fragmentation. Because of this, you might want to configure PPTP VPN connections instead. PPTP security is highly dependent on password complexity. If you're able to implement a secure password infrastructure, then PPTP VPNs can be as secure as L2TP/IPSec VPNs.

Solve those VPN trouble spots
ISA Server is built with VPN connectivity in mind. In the majority of instances, ISA Server configuration is not the problem. The primary issue is either with the VPN configuration in RRAS or with problems with the underlying network infrastructure. When you know the main areas that can cause ISA Server's VPN to fail, you can fix the problems as they appear.

Configure Windows XP Professional to be a VPN server
Mar 18, 2002
By Dr. Thomas Shinder, MCSE

For the Small Office/Home Office (SOHO), Windows XP Professional VPN features are a real boon. Traveling users with laptops or handheld computers will inevitably want files on the home network; you just can't bring everything with you. This is where the beauty of the Windows XP Professional computer connected to an always-on connection such as DSL or cable modem shines. That always-on link can be used to accept incoming VPN connections and allow your mobile users to access shared folders and files on your private network.
In this article, I'll explain how to configure a Windows XP Professional computer to accept incoming VPN connections and discuss some tips on improving the remote access experience for the VPN client computer user.

Windows XP's all-in-one VPN solution
Windows XP Professional is designed as the one-stop solution for the SOHO, taking all the usability features available to Windows Me users and adding the powerful networking features available in Windows 2000. The combination lets you, the support professional/net admin, create the ideal remote access solution for the SOHO.
The Windows XP Professional remote access server capabilities are very similar to those available in Windows 2000 Professional. A Windows XP computer can accept a single incoming connection on each interface that can accept a connection. For example, a Windows XP machine can accept incoming connections on each of the following interfaces:
X Dial-up modem serial interface
X Infrared interface
X Parallel port interface
X VPN interface
While it's unlikely, a Windows XP Professional machine with the above configuration could conceivably accept up to four simultaneous RAS connections. However, the typical

configuration consists of a single RAS client connection, either through a dial-up modem interface or a VPN interface.

Create an incoming connection with the New Connection Wizard
Like Windows 2000 Professional, Windows XP Professional includes a New Connection Wizard. I'll show you how to use the New Connection Wizard to create the new VPN server interface. In this example, I'll assume the Windows XP Professional machine is not a member of a Windows NT 4.0 or Windows 2000 domain. The machine has two network interface cards; one is directly connected to the Internet and the other is connected to the internal LAN. In addition, the external interface of the machine is configured for Internet Connection Sharing (ICS). While ICS changes the IP address of the LAN interface of the ICS computer to through 16, it's easy to change the IP address to one that fits the existing network environment. The IP address of the LAN interface of the ICS computer was changed to through 24 to fix the preexisting network configuration.

RUNNING ICS AND INCOMING
I have been able to run ICS and incoming VPN connections on the same interface. However, to prevent problematic configuration issues, you should configure the VPN interface before you configure ICS on the same computer.

How to create the VPN server interface, step-by-step
1. Click Start | Control Panel.
2. In the Control Panel, open the Network Connections applet.
3. In the Network Connections window (Figure A), open the New Connection Wizard.

Figure A: The Network Connections window
Figures B and C: Configuring XP to accept incoming connections


4. On the Welcome To The New Connection Wizard page, click Next.
5. On the Network Connection Type page, select the Set Up An Advanced Connection option (Figure B).
6. On the Advanced Connection Options page, select the Accept Incoming Connections option (Figure C) and click Next.
7. On the Devices For Incoming Connections page (Figure D), you can select optional devices on which you want to accept incoming connections.
8. On the Incoming Virtual Private Network (VPN) Connection page, select the Allow Virtual Private Connections option (Figure E) and click Next.
9. On the User Permissions page (Figure F), select the users that are allowed to make incoming VPN connections. Click Next.
10. On the Networking Software page, click on the Internet Protocol (TCP/IP) entry (Figure G) and click the Properties button.

Figure D: Note that you are not presented with any of the network interfaces on the
Figure E
Figure F: Any user that isn't selected won't be able to initiate an incoming
Figure G: Configuring TCP/IP properties

11. In the Incoming TCP/IP Properties dialog box, place a check mark in the Allow

Callers To Access My Local Area Network check box (Figure H). This will allow VPN callers to connect to other computers on the LAN. If this check box isn't selected, VPN callers will be able to connect only to resources on the Windows XP VPN server itself.
12. On the Completing The New Connection Wizard page, click Finish to create the connection.
After the Incoming Connection is complete, right-click on the connection in the Network Connections window and click the Properties command (Figure I).
Note that on the General tab of the Incoming Connections Properties page (Figure J), no devices are listed. The comment No Hardware Capable Of Accepting Calls Is Installed isn't true, since you can now create VPN connections to both network interface cards. In practice, there is no point in creating a VPN connection to the internal interface card.

Figure H: Granting LAN access to callers
Figure I: Accessing the properties of the VPN server link

VPN server optimization tips
The New Connection Wizard made it easy to create the VPN server interface, but you can still do more to optimize your VPN connections. First, note that you can create PPTP or L2TP/IPSec VPN connections. Figure K shows the connection status dialog box of a Windows XP VPN client connected to a Windows XP VPN server. Note that MPPE 128-bit encryption is automatically enabled and that Microsoft CHAP v2 is used for authentication.
If you want the VPN client to access resources on the internal network, the IP address assigned to the VPN client should be on the same network ID as the internal interface of the Windows XP VPN server computer. In addition, all the machines on the internal network should have a default gateway set using the IP address of the internal interface of the Windows XP VPN server.
In the unlikely event that the SOHO has multiple network segments, the routing table on the Windows XP VPN server needs to be configured with paths to the various internal network IDs. You can use the ROUTE ADD command to create these routing table entries.
Small networks that use a Windows XP Professional machine for a VPN server probably won't have network services such as WINS or DNS. If name resolution on the private


network is an issue for the VPN client, then you should create an LMHOSTS file, a simple text file that contains name and IP address mappings. For example, the following line could represent an entry in an LMHOSTS file:
DEFIANT
When you save the LMHOSTS file to the folder, make sure that the file doesn't contain a file extension. To prevent Notepad from appending a file extension to the filename, when you save the file in Notepad, put quotes around LMHOSTS.
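As an added example (not from the original article), here is a small parser for LMHOSTS entries, a case-insensitive name lookup over them, and a check that the saved file name carries no extension. The sample file contents and the folder path are constructed; only the host name DEFIANT comes from the text.

```python
"""Added example: parse LMHOSTS entries, resolve a NetBIOS name from them and
check that the file was saved without an extension. The sample contents and
the folder path are constructed; only the host name DEFIANT is from the article."""
import ipaddress
from pathlib import PureWindowsPath

# Constructed sample file. LMHOSTS lines are "IP  NAME", optionally followed
# by #PRE (preload into the name cache) and #DOM:domain (domain controller);
# any other text after a # is a comment.
SAMPLE_LMHOSTS = """\
# constructed sample LMHOSTS
192.168.1.10    DEFIANT        #PRE
192.168.1.11    voyager        #PRE #DOM:starfleet   # domain controller
192.168.1.20    enterprise     # loaded on demand, not preloaded
not-an-ip       bogus
192.168.1.30    averylongnetbiosname
"""


def parse_lmhosts(text):
    """Return {NAME: {"ip", "preload", "domain"}} for the valid entries."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment line
        parts = line.split()
        if len(parts) < 2 or len(parts[1]) > 15:
            continue                      # NetBIOS names are at most 15 chars
        try:
            ip = str(ipaddress.IPv4Address(parts[0]))
        except ipaddress.AddressValueError:
            continue                      # malformed address: skip the line
        name = parts[1].upper()           # NetBIOS names are case-insensitive
        entry = {"ip": ip, "preload": False, "domain": None}
        for token in parts[2:]:
            if token.upper() == "#PRE":
                entry["preload"] = True
            elif token.upper().startswith("#DOM:"):
                entry["domain"] = token[5:].upper()
            elif token.startswith("#"):
                break                     # ordinary comment: ignore the rest
        entries[name] = entry
    return entries


def resolve(entries, name):
    """Look a NetBIOS name up the way the client would: case-insensitively."""
    entry = entries.get(name.upper())
    return entry["ip"] if entry else None


def lmhosts_filename_ok(path):
    """The file must be named exactly LMHOSTS, with no extension such as the
    .txt that Notepad appends unless the name is typed in quotes."""
    return PureWindowsPath(path).name.upper() == "LMHOSTS"


if __name__ == "__main__":
    table = parse_lmhosts(SAMPLE_LMHOSTS)
    print("DEFIANT ->", resolve(table, "defiant"))
    print("preloaded:", [n for n, e in table.items() if e["preload"]])
    # Constructed placeholder folder; the article's own folder name is not given here.
    for p in (r"C:\example\etc\LMHOSTS", r"C:\example\etc\LMHOSTS.txt"):
        print(p, "ok" if lmhosts_filename_ok(p) else "has an extension")
```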

The VPN client must be configured with an IP address or host name for the Windows XP Professional VPN server. If the Windows XP Professional client has a dedicated link to the Internet and a static IP address, you can use that IP address in the VPN client configuration interface. However, if the Windows XP Professional VPN server is assigned an IP address via DHCP, you'll have to use an Internet host name and a method of registering the host name dynamically. A couple of services you might want to look into are TZO and DYNDNS. Both of these services will let you dynamically register a computer's IP address into the public DNS database.

Figure J: VPN clients will call only the external IP address of the Windows XP Professional VPN server.
Figure K: If both machines had machine certificates from the same Certification Authority installed, an L2TP/IPSec VPN link could have been negotiated.

Windows XP Professional provides simple VPN server capabilities that let you connect single VPN clients to your internal network, one at a time. If the Windows XP Professional computer has a dedicated connection to the Internet, you can connect to that computer from virtually anywhere in the world using a VPN link. The VPN server setup is simple and can accept calls from any Windows PPTP or L2TP/IPSec client.

How to configure Windows XP client VPN connections
Apr 25, 2002
By TechRepublic Staff

VPNs have caught on quickly with small and medium-size businesses, primarily for three reasons:
1. VPNs permit employees to connect to office resources from home or other locations using common hardware.
2. VPNs provide secure connections.
3. The cost to set up and maintain a VPN is low compared to other networking connection solutions.
In this article, we'll describe the process of setting up a VPN client connection within the Windows XP operating system.
If you're configuring laptops for remote VPN connections via DSL modem, LAN, or WAN connectivity, navigate through Start | Control Panel | Network And Internet Connections and click the Set Up Or Change Your Internet Connection link. Once the Internet Properties window opens (Figure A), click the Setup button, which will open the New Connection Wizard. In the wizard, you'll find four selections (instead of the five in Windows 2000 Professional). The connection type you'll select is Connect To The Network At My Workplace. Then, the next window will ask you to specify the type of connection you're creating. Select the Virtual Private Network Connection option and click Next. The next two screens will ask for the company name and the IP address of the VPN server. Once you've clicked through these screens, you'll be greeted with the final screen, which will ask if you'd like to add a shortcut to this connection to the desktop. If you want a VPN icon, click Yes; choose No if you don't. Click Finish.

Figure A: You can configure a variety of settings for dial-up and VPN

DIAL-UP
If you're connecting via dial-up, there are only two differences. In the New Connection Wizard, under the Network Connection screen, you'll select Dial-up Connection instead of Virtual Private Network connection, and you'll enter a phone number instead of an IP address.

If you need to change the telephone number or other settings associated with the VPN connection, you can do so easily through the Properties window (see Figure A).

Connecting to the VPN
To connect, double-click the shortcut—if you chose to create one—or select the connection by clicking Start | Connect To and selecting the name of the connection you created. Supply your User Name and Password for the network you wish to access (see Figure B) and you'll be ready to start enjoying the benefits of secure, remote access.
If you want to edit the settings for the connection, you can do so from the Properties window. You can modify Dialing and Redialing options, Security options, TCP/IP, and


Advanced options, such as Firewalling and NAT. Several other options can be configured on the tabs in your connection's Properties window, including:
X Changing security settings of individual
X Selecting privacy settings for Internet zones.
X Configuring a proxy server.
X Associating programs with a specific service.

Figure B: Supply your networking User Name and Password for authentication purposes.

XP makes VPN a cinch
Windows XP includes a VPN functionality that is more robust and clearer than in previous versions of Windows. Given that more and more companies are turning to VPNs for security reasons, you need to understand how to configure this networking option.

Administration 119

Configure Windows NT to support VPN connections
May 31, 2002
By John Sheesley

In the good old networking days, life as a network administrator was simple. The only users you had to worry about connecting to your network were the ones in your building. Users at other locations had their own networks with another network administrator to take care of them. Users working from home or on the road couldn't access network resources, but had to transport floppies, so you didn't have to worry about them either.

Not any more. Nowadays, users are scattered all across the glob, and they all want access to your network with the same ease and rights as if they were in the office next door to you. That's where VPNs come in. Deploying a VPN doesn't mean that you have to upgrade to Windows 2000 or wait for Windows .NET. Even though you're still running Windows NT, you can deploy a VPN for those users in need by using NT's RAS. In this article, I'll show you how it's done.

AUTHOR'S NOTE
You can configure NT to act as a VPN for both dial-up and Internet connections. For the purposes of this article, I'll show you how to configure NT to act as a VPN for users who are coming in over the Internet.

VPN on Windows NT
If you want to deploy a VPN on your network and you already run Windows NT, then you don't necessarily have to invest in a hardware
VPN or upgrade to Windows 2000. You can deploy a VPN solution using NT's RAS. Doing so is almost as easy as deploying a VPN using Windows 2000.

However, because Windows NT is older than Windows 2000, you don't gain all of Windows 2000's additional features in the Windows NT VPN. Some of the things missing from Windows NT's VPN include:
• Support for L2TP
• Policy support for remote access
• Support for an Internet Key Exchange
• Support for IPSec
• Active Directory integration

That said, NT's VPN solution is still very robust and secure. For security, NT's VPN uses Point-to-Point Tunneling Protocol (PPTP). NT uses either 40-bit or 128-bit encryption keys to encrypt traffic that travels to and from the server, with the actual encryption level depending on the software used by the VPN client. For authentication purposes, PPTP can use any of the following protocols:
• Password Authentication Protocol (PAP)
• Shiva Password Authentication Protocol (SPAP)
• Challenge Handshake Authentication Protocol (CHAP)
• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

Of these, only MS-CHAP produces the key material from which PPTP's MPPE link encryption is derived; a session authenticated with PAP, SPAP, or CHAP cannot be encrypted at all, which is why the Require Microsoft Encrypted Authentication setting described below should be selected. You can support up to 256 simultaneous logons to your Windows NT server over the VPN. Once connected, users have the same rights on the network as if they were connected via a LAN.

Configuring Windows NT for VPN support
Configuring Windows NT for VPN support is a fairly easy task. By default Windows NT configures its RAS to allow connections via dial-up. To set up a VPN that will allow access from the Internet, you must add PPTP. First, right-click Network Neighborhood and select Properties. When the Network Properties window appears, click Protocols.

Click Add on the Protocols screen. You'll then see the Select Network Protocol screen appear. Select Point-to-Point Tunneling Protocol and click OK. Your server will prompt you to insert the Windows NT Server CD. Do so and wait while it copies the files to your server. When the files finish copying, NT will begin configuring PPTP. You'll then see the PPTP Configuration screen, shown in Figure A.

Figure A: You must specify the number of PPTP connections.

The first thing you must do to configure PPTP is set the maximum number of connections that you want to allow via VPN. You can specify anywhere from 10 to 256 connections. Oddly enough, you can't directly type the number of connections in the Number drop-down list box. Instead, you must select the number of connections from the box. You can speed up the process somewhat by pressing the first number of the connection you want. So, if you want to connect 50 users, you would press 5 twice, which will cause the list box to scroll first to 5 and then to 50. You would press 5 three times to scroll to 51, and four times to scroll to 52, and so on. Click OK to close the window after you've set the number of connections you want.

Next, NT will prompt you to install the RAS service. Click OK to close the Setup

Figure B: Make sure RASPPTPM is selected as the default device.

Message window informing you of this to continue. NT will then begin copying the RAS files to your server. When it's done, you'll see the Add RAS Device screen, shown in Figure B.

To allow remote connections, make sure VPN1-RASPPTPM is selected in the RAS Capable Devices drop-down list box. You can add other devices later if you want, such as dial-up modems. Click OK to continue.

You'll then see the Remote Access Setup screen. On this screen, you can see any RAS connections your server is prepared to handle. Select VPN1 and click Configure. When the Configure Port Usage screen appears, make sure that the Receive Calls Only radio button is selected. This ensures that the port only accepts incoming connections, so nobody can use the RAS port on the server to dial out to external resources. Click OK if everything looks correct.

Next, click Network to configure the network settings for the remote connection. You'll see the Network Configuration screen appear, as shown in Figure C.

Figure C: The Network Configuration screen controls network settings for the connection.

The Server Settings pane contains the selections for network protocols the client will be able to use once connected to the VPN. NT will display the protocols currently running on your network. You should select only protocols necessary for the users to get their work done. Chances are you'll use only TCP/IP, so deselect any other protocols.

To configure the protocol, click the Configure button. You'll then see the RAS Server TCP/IP Configuration screen, shown in Figure D. On this screen, you make selections that dictate how NT will assign the TCP/IP address for the remote user.

Figure D: This screen allows you to configure the protocol for the user.

The Allow Remote TCP/IP Clients To Access box allows you to control the type of access that remote users have. You can limit them to resources only on the VPN server by selecting This Computer Only. To allow users to access any network resource, select Entire Network. Keep in mind that Entire Network turns the RAS server into a router into your LAN for every authenticated client, so This Computer Only is the safer choice while you are still testing.

You can either use DHCP to assign network addresses or assign addresses from a static pool. From an administrative standpoint, it's easiest to use DHCP. That way you don't have to worry about overlapping addresses or filtering rights based on TCP/IP addresses. If users need a particular static IP address for some reason, you can select the Allow Remote Clients To Request A Predetermined IP Address check box. Be aware that this lets any authenticated client pick its own address, so don't base access filtering on the address such a client presents. Click OK once you've made all of your selections.

When you get back to the Network Configuration screen, double-check the other selections. To secure communications between clients and the server, select the Require Microsoft Encrypted Authentication radio button, which restricts clients to MS-CHAP. Don't worry about selecting the Enable Multilink
check box. This is used primarily by dial-up clients to maximize throughput. Click OK to close the Network Configuration window.

After you return to the Remote Access Setup screen, you can click Continue to close the screen and finish the configuration. NT will copy more files to your server and configure the RAS service based on the selections you made. When the configuration finishes, NT will display an informational screen telling you what utilities to use to administer RAS. Click OK to shut down the window. You'll then have to restart your Windows NT Server.

After the server restarts, reapply the last Service Pack you applied to your server and restart it again. Installing RAS and PPTP from the original CD copies files that predate the Service Pack, so skipping this step leaves the new VPN components without the fixes the rest of the server already has. After this last restart, you'll be ready to start using RAS.

Allowing users to access RAS
Just because you install RAS and VPN support on your server doesn't mean your users can use it. By default, Windows NT denies everyone the ability to access the server via VPN. This increases security on your network and allows you to rest easy knowing that not just anyone can get in through your VPN.

To allow a user to use the VPN, you have two choices: You can either change the user's rights within User Manager For Domains or you can use the Remote Access Admin utility. Let's look first at the User Manager For Domains.

Start the User Manager For Domains by clicking Start | Programs | Administrative Tools (Common) | User Manager For Domains. When the utility starts, select the user to whom you want to grant VPN rights. Select Properties from the User menu. When the User Properties screen appears for the user, click the Dialin button.

You'll then see the Dialin Information screen appear. Select the Grant Dialin Permission To User check box. Make sure No Call Back is selected in the Call Back box. Call back is only useful for users that dial in to a modem, and it won't work if users are connecting via VPN. Click OK to close the Dialin Information screen and then OK again to close the User Properties screen.

You can also use the Remote Access Admin utility. To start the Remote Access Admin utility, click Start | Programs | Administrative Tools (Common) | Remote Access Admin. You'll then see the Remote Access Admin window appear. This window lists the available RAS server and other information for the RAS server, which I'll discuss more below.

To grant a user the right to use the VPN, select Permissions from the Users menu. You'll then see the Remote Access Permissions screen, shown in Figure E.

Figure E: You can control user rights using the Remote Access Admin utility.

To allow a user to use the VPN, scroll through the Users list box until you find the user you want. Click the Grant Dialin Permission To User check box to allow access to the VPN. Again, make sure that No Call Back is also selected.

Figure F: You can control the Remote Access Service using Remote Access Admin.

Unfortunately, there's no easy way to select multiple users at once. You must select each user one at a time. Alternatively, you can click the Grant All button to give VPN rights to every user on your NT server and then scroll through the User list box and remove the check from the Grant check box. If you want

to quickly remove access to the VPN from every user, click the Remove All button.

Other Remote Access Admin tasks
The Remote Access Admin utility, shown in Figure F, gives you full control over the RAS, and thereby the VPN. As you can see, Remote Access Admin lists the servers that can support VPN, along with the maximum number of connections and current number of logged on connections. Remote Access Admin has a static display. It doesn't change as users log on and log off. To refresh the screen, select Refresh from the View menu.

You can start or stop the RAS from the Server menu. To stop the service, select Stop Remote Access Service. To start it, select Start Remote Access Service. You can also pause access without unloading the service by selecting Pause Remote Access Service.

To view detailed information, double-click the server. You'll then see the Communication Ports screen appear. From this screen you can do the following:
• Disconnect the user from the VPN by clicking Disconnect User
• Send a message to a specific user by selecting the user and clicking Send Message
• Send a message to all users by clicking Send To All
• View detailed information about the connection by clicking Port Status

If you click the Port Status button, you'll see the Port Status screen, shown in Figure G. Here you can see detailed information about the user's connection, including such things as how much bandwidth the user can use, how many packets have been transmitted, and the user's VPN IP address.

Figure G: The Port Status screen shows you detailed information about a user's session.

Remote Access Admin also allows you to view user information. To do so, select Active Users from the Users menu. You'll then see the Remote Access Users screen. This screen looks similar to the Communication Ports screen except that rather than showing connections, it shows connected users. Like the Communication Ports screen, you can send messages or disconnect users from this screen.

If you want to view information about a user account, highlight it and click User Account. You'll then see the screen shown in Figure H. While it doesn't show detailed information about permissions and such, it does show information about user rights in general, along with callback and password information.

Figure H: Remote Access Admin shows information about logged on users.

VPNs on NT: Virtually Painless Networking
Even though you're still using Windows NT, you don't have to be left out in the cold when it comes to deploying such things as VPNs. Using NT's RAS, you can quickly deploy a VPN for your network. Users can dial in and have the same rights as if they were connected locally, and you can administer their access without learning any new operating systems.
Monitoring and troubleshooting VPN connections in WinNT
Jun 12, 2002
By Rick Vanover

Windows 2000 Server has been on the market for more than two years, and its successor, Windows .NET, is just around the corner. But many enterprises have consolidated around Windows NT Server 4 as a back-end infrastructure. That includes using NT as a first-generation, PPTP-based VPN server, even though VPN was a very new technology back when NT was released in the mid-1990s.

Of course, supporting an NT VPN server requires the administrator to be diligent in monitoring and optimizing the VPN and to be able to troubleshoot issues that appear in the day-to-day administration of an NT VPN server.

Troubleshooting
In supporting VPN clients, I have found most issues to be related to the client-side configuration, but some important server-side issues must be considered as well. In terms of VPN troubleshooting, we're going to take a look at rights issues, connection types, networking setup, and client configurations.

Rights issues
The rights needed to access an NT VPN server are assigned by the Grant Dialin Permission To User option in each user account. This option simply states whether this NT account can access the Remote Access Service (RAS). This option is assigned in each user account from within the User Manager For Domains administrative tool, as shown in Figure A.

Figure A: Enable Dialin Permission for users who will make VPN connections.

If a user does not have this option enabled on the account, the connection will not be established and the user will be told that dial-in permission does not exist for the selected account. This will also generate an Event 20082 of source Remote Access in the Event Log of the Remote Access/VPN server.

Microsoft provides a nice list of all RAS-related error codes and a description for each in Knowledge Base article Q117304.

Windows NT, unfortunately, does not allow the dial-in right to be assigned to a local or global group. You can bypass this limitation somewhat by using the Remote Access Admin administrative tool. The Remote Access Admin will allow you to assign the dial-in right to all users, as shown in Figure B.

Figure B: Use the Grant All button to enable RAS/VPN permissions for all users.

If you take this approach, you'll need to watch the situation carefully. This option does not allow you to select a number of users and assign the right—it assigns all listed users (including service and administrative accounts) the right to dial in. It also lets you revoke all users. Using the Remote Access Admin console to give all users dial-in rights is most useful if you are using your Windows NT VPN server exclusively for remote dial-in (including VPN), where the only accounts on that computer are the dial-in accounts (not the domain
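Because Event 20082 is the only server-side trace a refused account leaves, it is worth reading in bulk rather than one entry at a time. The Python below is an added example, not code from the article or from Microsoft: it parses a comma-separated Event Log export, counts denials per account, and flags windows in which several different accounts were refused in quick succession (one account repeating means a user whose Grant Dialin box was never ticked; many accounts in a burst means someone is trying names against your RAS). The export column order and the message wording are constructed for the example and must be matched to what your Event Viewer actually saves.

```python
"""Triage Remote Access events exported from an NT 4 VPN server's Event Log.

Added example; it is not code from the article. It keys on Event 20082 from
source "Remote Access", which the article identifies as the event written when
an account without Grant Dialin Permission tries to connect. The export layout
(comma-separated: date,time,source,type,event id,computer,message) and the
message wording are constructed for this example; adjust parse_events() and
ACCOUNT_RE to match a real Event Viewer export.
"""
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta

RAS_SOURCE = "Remote Access"
DIALIN_DENIED = 20082          # per the article: dial-in permission not granted

# Constructed sample: one user hitting the missing-permission wall three times
# in the morning, then five different accounts refused within thirty seconds.
SAMPLE_EXPORT = "\n".join([
    r"06/12/2002,08:02:11,Remote Access,Error,20082,NTVPN1,The user DOMAIN\jdoe connected on port VPN1-0 has been denied access because dial-in permission is not granted.",
    r"06/12/2002,08:02:40,Remote Access,Error,20082,NTVPN1,The user DOMAIN\jdoe connected on port VPN1-0 has been denied access because dial-in permission is not granted.",
    r"06/12/2002,08:03:05,Remote Access,Error,20082,NTVPN1,The user DOMAIN\jdoe connected on port VPN1-1 has been denied access because dial-in permission is not granted.",
    r"06/12/2002,13:15:02,Remote Access,Error,20082,NTVPN1,The user DOMAIN\administrator connected on port VPN1-0 has been denied access because dial-in permission is not granted.",
    r"06/12/2002,13:15:09,Remote Access,Error,20082,NTVPN1,The user DOMAIN\backup connected on port VPN1-1 has been denied access because dial-in permission is not granted.",
    r"06/12/2002,13:15:17,Remote Access,Error,20082,NTVPN1,The user DOMAIN\sqlsvc connected on port VPN1-2 has been denied access because dial-in permission is not granted.",
    r"06/12/2002,13:15:24,Remote Access,Error,20082,NTVPN1,The user DOMAIN\guest connected on port VPN1-0 has been denied access because dial-in permission is not granted.",
    r"06/12/2002,13:15:31,Remote Access,Error,20082,NTVPN1,The user DOMAIN\jsmith connected on port VPN1-1 has been denied access because dial-in permission is not granted.",
    r"06/12/2002,14:00:00,Service Control Manager,Information,7036,NTVPN1,The Remote Access Server service entered the running state.",
])

ACCOUNT_RE = re.compile(r"The user (\S+) connected on port (\S+)")   # assumed message form


def parse_events(export_text):
    """Turn the export into a list of dicts with typed fields."""
    events = []
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) < 7:
            continue
        date, time, source, kind, event_id, computer, message = row[:7]
        m = ACCOUNT_RE.search(message)
        events.append({
            "when": datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S"),
            "source": source,
            "type": kind,
            "event_id": int(event_id),
            "computer": computer,
            "account": m.group(1).lower() if m else None,
            "port": m.group(2) if m else None,
        })
    return events


def dialin_denials(events):
    """Only the Remote Access 20082 entries."""
    return [e for e in events if e["source"] == RAS_SOURCE and e["event_id"] == DIALIN_DENIED]


def denials_by_account(events):
    """Denial count per account (domain\\user, lower-cased)."""
    return Counter(e["account"] for e in dialin_denials(events))


def denial_bursts(events, window=timedelta(minutes=5), min_accounts=3):
    """Windows in which at least min_accounts distinct accounts were refused.

    Returns [(window_start, sorted_accounts), ...]; each burst is reported once.
    """
    denied = sorted(((e["when"], e["account"]) for e in dialin_denials(events)),
                    key=lambda t: t[0])
    bursts, i = [], 0
    while i < len(denied):
        start = denied[i][0]
        end = start + window
        accounts = {acct for when, acct in denied if start <= when <= end}
        if len(accounts) >= min_accounts:
            bursts.append((start, sorted(accounts)))
            while i < len(denied) and denied[i][0] <= end:
                i += 1
        else:
            i += 1
    return bursts


def triage(export_text):
    """Summary a helpdesk or security reviewer can act on."""
    events = parse_events(export_text)
    return {
        "events": len(events),
        "denied_by_account": dict(denials_by_account(events)),
        "bursts": denial_bursts(events),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT)
    for account, n in sorted(report["denied_by_account"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {account}")
    for start, accounts in report["bursts"]:
        print(f"burst at {start:%Y-%m-%d %H:%M:%S}: {len(accounts)} accounts: {', '.join(accounts)}")
```

On the constructed sample the report lists jdoe three times (a permissions ticket) and one burst of five accounts in thirty seconds (a security ticket). Tune `window` and `min_accounts` to your user population; a server with a few dozen users should rarely see three distinct refusals in five minutes.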
Connection types
Supporting VPN clients entails an assortment of responsibilities, and depending on your situation, you may have a mix of how users connect to your VPN server. If you are supporting telecommuters, users needing occasional remote access, and/or site-to-site VPNs, you will be dealing with different connection types.

While it is likely that the VPN server will not be changing ISPs frequently, I have learned to have the clients connect to the VPN's fully qualified domain name instead of an IP address. That way, if you do change ISPs, you don't have to reconfigure all of your client configurations. For example, have the client connect to "" and make sure that your DNS records are modified accordingly during your ISP change, which will make an ISP change easier for everyone involved.

Users tend to change ISP connections frequently. Various dial-up, broadband, satellite, wireless, and other connections may cause you headaches in trying to support VPN users. Make an effort to be aware of how your VPN clients are connecting to the Internet (and then to your VPN server). Also, try to provide or recommend the best solutions based on your experience.

Networking setup
The networking of a VPN can be a frequent trouble spot. Topics like RAS setup, ISP networking issues, name resolution means, and gateways can affect the reliability of your VPN solution.

On the server, be sure that you have enough VPN connections enabled for the number of potential VPN users that will be connecting. This setting is configured in the properties of the Point-To-Point Tunneling Protocol within the Network applet of the control panel on the VPN server, as shown in Figure C.

Figure C: Set the allowed number of incoming VPN connections.

Another concern related to connection types and networking setup comes up when users try to use a nonstandard ISP to connect their VPN. A nonstandard ISP is one that adds items into the Network applet of the control panel. I have had many issues with ISPs that add protocols or adapters into the client networking setup. When supporting users, you should provide or recommend a good ISP for dial-up access in order to save yourself a lot of headaches down the road. If you have a user who is having trouble accessing the VPN, ask whether any software was installed that may have affected the network stacks, such as special client software from the ISP.

For the VPN client, an important consideration is whether the VPN connection will
authenticate the client to be part of the Windows domain or authenticate it on the VPN server and simply give it a connection to the internal network. This setting is configured on the VPN client, and it varies slightly with different versions of Windows. Generally, you can configure this setting by selecting (or not selecting) Include Windows Logon Domain in the Properties dialog box for the VPN connection in the Network/Dial-up Connections applet. Figure D shows an example of what this looks like using Windows XP as the client operating system. (Windows 2000 looks almost identical to this.)

Figure D: Select whether you want the connecting client to be part of the Windows domain.

Another important aspect of the VPN client setup is the default gateway. If the client VPN connection is set up to use the default gateway on the remote network, all Internet traffic will be routed through the VPN connection. For example, if someone makes a VPN connection from a home machine, any time that person tries to access an Internet site, the request will be sent over the VPN tunnel to the company network and out the Internet. The downloaded page will then be sent back down the VPN tunnel to the client. Obviously, most of the time you're not going to want this to happen. Bear in mind the trade-off, though: with the remote gateway disabled, the client is attached to the Internet through its ISP and to the corporate network through the tunnel at the same time, and a compromised client can bridge the two.

But if you do want to enable this setting—for example, for tracking all Internet traffic from a company laptop—on a Win2K client, go to the Properties of the VPN connection and select the Networking tab. Then, select TCP/IP, click Properties, click Advanced, and select the Use Default Gateway On Remote Network check box, as shown in Figure E.

Figure E: Set up the client to use the gateway of the remote network.

Name resolution is also an important part of supporting a VPN client. The easy option is to have RAS use DHCP assignments for VPN connections. This option will usually give the clients the same network resolution services that DHCP connections on the internal network are entitled to use and will greatly simplify the work of an admin.

Client configurations
Client VPN problems can be tough to diagnose. I have found client troubleshooting

issues generally not to be related to VPN/PPTP but to changes on the end user's PC. This can include problems with:
• Virtual hardware devices (modems in particular) not operating correctly.
• Bogus DHCP leases/assignments requiring a manual release/renew.
• Installed software that has modified the networking stack of Windows.
• Settings that have been accidentally changed on the VPN connection itself.

While diagnosing these problems is challenging, getting the VPN to work again is usually fairly easy. One trick I've relied on is creating two identical PPTP connections on the client computer. I put one on the desktop as a shortcut and keep one untouched. Since the end user does not utilize it, I can use it as a support tool. This setup allows you to tell if the settings of a PPTP connection are inhibiting the user from authenticating and/or connecting correctly.

Monitoring
Monitoring the VPN connections is important to ensure that they are working correctly and are not being abused. Here are some ways you can monitor your VPN server:
• Use Remote Access Admin—This configuration applet shows you current connections, lets you see how long the active connections have been online, and provides statistics on the number of bytes transferred.
• Use WINS/DHCP Admin—This tool lets you determine whether you have a DHCP lease reserved for a VPN client.
• Reevaluate VPN strategy—If the VPN solution is a trusted VPN (all TCP ports open) to all clients, consider adding TCP/IP security (Advanced Properties of TCP/IP from the Network applet of the control panel) for the explicit ports needed to the VPN server's internal interface.

MICROSOFT RESOURCES
Microsoft provides detailed information about client and server PPTP connections on Windows NT Server 4. You can download these documents from the Microsoft Web site (ntserver/techresources/commnet/default.asp).

Final word
The Windows NT 4 VPN server is still in use in many organizations, and keeping the connections working correctly will ease your administration worries. The tips provided here should be a valuable companion for troubleshooting and monitoring your NT 4 VPN servers and their connecting clients.

The Win9x VPN client connection guide
Jun 5, 2002
By Dr. Thomas Shinder, MCSE

VPN servers go a long way toward saving money for companies with remote access clients. In the not-so-distant past, companies that wanted to give road warriors access to corporate internal network resources needed to install modem banks and multiple phone lines. The cost of installing multiple dial-up RAS servers was compounded by the long distance charges or costs incurred from 1-800 numbers. VPN servers remove this cost-rich hardware/telco layer and allow you to support dozens and even hundreds of remote access calls with a single VPN server and high-speed Internet connection.
Most of the articles I see on the Internet focus on how to set up and configure the VPN server. This makes sense, since most of the complicated work in setting up a VPN client/server solution is done at the VPN server. However, configuring VPN clients is not always a piece of cake. This is especially true when dealing with legacy VPN client operating systems, such as the Windows 9x line.

We'll look at how to configure your Win9x computers to be VPN clients that connect to Windows NT 4.0 VPN servers. You can use the same procedures to configure the Win9x clients to connect to Windows 2000 VPN servers. The only major difference between connecting to Windows NT 4.0 and Windows 2000 VPN servers is that the Windows NT 4.0 VPN servers do not support the L2TP/IPSec VPN protocol. However, this doesn't pose much of a problem for our Win9x VPN clients, because the only VPN protocol supported by Win9x operating systems is the Point-to-Point Tunneling Protocol (PPTP).

Windows 9x Dial-up Networking Service 1.4 (DUN 1.4)
Before getting into the nuts and bolts of configuring the Win9x VPN client, you need to familiarize yourself with the latest update to the Win9x Dial-Up Networking Service, DUN 1.4. There are several reasons why you'll want to download and install DUN 1.4, including:
• Support for 128-bit encryption.
• A Y2K fix for the VPN DHCP client component.
• Fixes that improve the stability of the PPTP connection.
• Support for internal ISDN adapters.
• Multilink support.
• Support for PPTP connections over a "LAN" or dedicated connection (such as DSL or cable).

Check out Microsoft Knowledge Base article Q297774 (SD=MSKB&) for full details on DUN 1.4. There are several versions of DUN 1.4, one each designed for Windows 95, Windows 98, and Windows 98SE. Information about the updates and files for download can be found in Microsoft Knowledge Base article Q285189 (?scid=kb;en-us;Q285189). Be aware that you will need to restart the computer at the end of the DUN 1.4 installation.

Windows Me does not require the DUN 1.4 Dial-up Networking update.

Configuring the Windows 9x VPN client
The procedure for configuring the Windows 9x VPN clients is very similar, with only very minor differences between each version.

Prior to configuring the PPTP VPN client connection on the Win9x client, make sure you have an Internet connection to the Internet VPN server. The Internet connection device can be an analog dial-up modem, ISDN terminal adapter, a DSL line, or a cable connection.

Let's use the Windows 95 client as an example of how to configure all the Win9x clients. Perform the following steps on your Windows 95 computer:
1. Click Start | Programs | Accessories. Point to Communications, and then click on Dial-up Networking.

Figure A

2. The Dial-up Network Wizard Welcome dialog box will appear (Figure A). Click Next to continue.
3. On the next page, type in a name for the connection in the Type A Name For The Computer You Are Dialing text box. Click the down arrow in the Select A Device drop-down list box and select the Microsoft VPN Adapter option (Figure B). DUN 1.4 added this feature to your Windows 95 computer. Click Next.
4. On the Make New Connection page, type in the IP address or the Fully Qualified Domain Name (FQDN) of the VPN server that the Windows 95 computer will connect with (Figure C). If you use an FQDN, make sure that there is an entry in the public DNS that resolves to the IP address on your VPN server that is listening for incoming VPN connections. If you do not have a DNS entry for your VPN server, enter an IP address instead. Click Next.
5. On the last page of the wizard (Figure D), you'll be told that you've done everything right and that you've created a new connection. After clicking Finish, the connectoid will appear in your Dial-Up Networking folder.
6. Return to the Dial-Up Networking window. You should see the icon for the VPN connectoid you just created, and another connectoid for an ISP connection if you require a dial-up connection to access the Internet (Figure E).

Figure B

Figure C

Figure D

Figure E
NOTE
You must create the dial-up connection separate from the VPN connection.

Further tweaking with VPN Properties
You might want to do some further tweaking of the VPN connection. Right-click the VPN connectoid and click Properties. On the General tab (Figure F), you can change the name or IP address of the VPN server. This is convenient because, if the name or address of the VPN server changes, you don't have to create a new connectoid. Just change an existing one.

Figure F

You can make many customizations on the Server Types tab (Figure G). By default, the Log On To Network and Enable Software Compression options are enabled. For connections that support MS-CHAP, check the Require Encrypted Password box. If you want to use MS-CHAP version 2, the client will negotiate MS-CHAP version 2 with the VPN server first. If the server does not support MS-CHAP version 2, the client will drop down to MS-CHAP version 1. That fallback is silent, so don't rely on the client to end up with the stronger protocol; where the server can be configured to require MS-CHAP version 2, do that. Also, make sure that data encryption is enabled. If you want to optimize connection speed, uncheck protocols that you do not use. If you do not disable the protocols, the client will attempt to negotiate each one selected.

Figure G: Set high encryption for the link.

When you click on the TCP/IP Settings button at the bottom of the Server Types tab, you'll see what appears in Figure H. Most VPN servers will automatically assign IP addressing information to the VPN client. Therefore, you should leave the default settings Server Assigned IP Address and Server Assigned Name Server Addresses as they are. The Use IP Header Compression option should be set if the VPN server supports this option.

The most interesting option is Use Default Gateway On Remote Network. When this option is selected, the VPN client uses the VPN interface as the gateway for all nonlocal network addresses. If the client dialed in to an ISP first, the ISP assigned the computer a default gateway at the ISP to allow the client access to the Internet. However, when the Use Default Gateway On Remote Network option is enabled, the VPN client is assigned a new default gateway, which is the VPN server's VPN interface. The end result is that the VPN client no longer reaches the Internet directly through the ISP once it connects to the corporate VPN; whatever Internet access it still has goes through the corporate network and is subject to that network's controls.

If this option is disabled, the VPN client will be able to access both the internal corporate network and the Internet at the same time. This

creates the possibility that the VPN client will be able to route packets from the Internet to the internal network. Allowing the VPN client to access the Internet through the ISP and also the corporate network through the VPN at the same time is poor security practice. This is akin to allowing users on the internal network to plug modems into their computers and thus bypass corporate Internet access policies.

Figure H
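Both this article and the earlier NT troubleshooting article describe the same effect of Use Default Gateway On Remote Network in terms of what the user experiences; on the client it is visible as a change in the routing table, and that is the thing to check when a user reports "the VPN works but the Internet is gone" or, worse, when a support call reveals a machine that is on both networks at once. The Python below is an added example, not code from either article: it parses the IPv4 table as `route print` prints it and reports whether the lowest-metric default route points at the tunnel (full tunnel) or at the ISP (split tunnel), which prefixes ride the tunnel in the split case, and whether the VPN server's own public address is still routed outside the tunnel. Both route tables are constructed for the example; 10.8.0.17 is the address assumed to come from the VPN server, 192.168.1.20 and 192.168.1.1 the home LAN address and router, and 203.0.113.5 stands in for the VPN server's public address.

```python
"""Classify a Windows client's VPN routing as full tunnel or split tunnel.

Added example, not part of either article. It parses the IPv4 table printed
by `route print` and reports where the default route points once the PPTP
connection is up. The two route tables below are constructed: 10.8.0.17 is
the address the VPN server handed the client, 192.168.1.20/192.168.1.1 are
the home LAN address and ISP router, and 203.0.113.5 stands in for the VPN
server's public address.
"""
import re
from ipaddress import IPv4Network
from typing import NamedTuple


class Route(NamedTuple):
    dest: str
    mask: str
    gateway: str
    iface: str
    metric: int


# Use Default Gateway On Remote Network ON: the default route now rides the tunnel
# and the ISP's default route is left in place with a worse metric.
FULL_TUNNEL = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20       2
          0.0.0.0          0.0.0.0        10.8.0.17       10.8.0.17       1
        10.8.0.17  255.255.255.255        127.0.0.1       127.0.0.1      50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.20    192.168.1.20      20
     192.168.1.20  255.255.255.255        127.0.0.1       127.0.0.1      20
      203.0.113.5  255.255.255.255      192.168.1.1    192.168.1.20       1
        224.0.0.0        240.0.0.0        10.8.0.17       10.8.0.17       1
  255.255.255.255  255.255.255.255        10.8.0.17       10.8.0.17       1
Default Gateway:         10.8.0.17
"""

# Same client with the option OFF: only the tunnel address's classful network
# is routed through the VPN; everything else still goes to the ISP.
SPLIT_TUNNEL = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20       1
         10.0.0.0        255.0.0.0        10.8.0.17       10.8.0.17       1
        10.8.0.17  255.255.255.255        127.0.0.1       127.0.0.1      50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.20    192.168.1.20      20
     192.168.1.20  255.255.255.255        127.0.0.1       127.0.0.1      20
      203.0.113.5  255.255.255.255      192.168.1.1    192.168.1.20       1
        224.0.0.0        240.0.0.0        10.8.0.17       10.8.0.17       1
  255.255.255.255  255.255.255.255        10.8.0.17       10.8.0.17       1
Default Gateway:       192.168.1.1
"""

DOTTED = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_RE = re.compile(rf"^\s*{DOTTED}\s+{DOTTED}\s+{DOTTED}\s+{DOTTED}\s+(\d+)\s*$")


def parse_routes(text):
    """Pick the route lines (four dotted quads and a metric) out of route print output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append(Route(dest, mask, gw, iface, int(metric)))
    return routes


def classify(routes, vpn_iface):
    """Report which interface carries Internet traffic and what the tunnel carries."""
    defaults = sorted((r for r in routes if r.dest == "0.0.0.0" and r.mask == "0.0.0.0"),
                      key=lambda r: r.metric)
    if not defaults:
        return {"mode": "none", "internet_via": None, "via_vpn": []}
    via_vpn = []
    for r in routes:
        if r.iface != vpn_iface or r.dest == "0.0.0.0":
            continue
        net = IPv4Network(f"{r.dest}/{r.mask}", strict=False)
        if net.is_multicast or str(net.network_address) == "255.255.255.255":
            continue                       # multicast/broadcast entries every interface has
        via_vpn.append(str(net))
    best = defaults[0]
    return {
        "mode": "full" if best.iface == vpn_iface else "split",
        "internet_via": best.iface,
        "via_vpn": sorted(via_vpn),
    }


def server_reachable_outside_tunnel(routes, server_ip, vpn_iface):
    """The VPN server's public address must be routed via the ISP, not into the
    tunnel; otherwise the tunnel would be asked to carry its own packets."""
    return any(r.dest == server_ip and r.mask == "255.255.255.255" and r.iface != vpn_iface
               for r in routes)


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        routes = parse_routes(table)
        print(name, classify(routes, "10.8.0.17"),
              "server route ok:", server_reachable_outside_tunnel(routes, "203.0.113.5", "10.8.0.17"))
```

A `"split"` verdict on a machine that is supposed to be full-tunnel is the condition the article warns about; a `"full"` verdict explains the missing Internet access without any further digging. Run it against saved `route print` output from the user's machine, with the tunnel address taken from the Port Status screen on the server.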
The Windows 98/98SE VPN client
Configuring the Windows 98/98SE client works exactly the same as configuring the Windows 95 client. The interfaces are virtually identical after installing DUN 1.4. The only difference you'll see is found in the Connections menu in the Dial-up Networking window. In the Dial-up Networking window, click Connections and then click Settings (Figure I).

Figure I

Windows 98/98SE allows you to configure a redial value and a wait interval before redialing. This option isn't available in the Windows 95 dial-up networking. You also have the option to be prompted before a dial-up connection is established. This is helpful when you use dial-up networking to map network drives via the VPN interface.

Click on the Security tab and you'll see what appears in Figure J. Both Disable Sending Of LAN Manager Passwords and Require Secure VPN Connections are enabled by default. LAN Manager password authentication is inherently insecure and should always be disabled: the LAN Manager hash upper-cases the password and hashes it as two independent seven-character halves, so it is far cheaper to crack than the NT hash. The secure VPN connection option will force 128-bit encryption. If the VPN server does not support 128-bit encryption, the connection attempt will fail. If this option is not enabled, the client will first negotiate 128-bit

Figure J
encryption. If the negotiation fails, it will fall back to 40-bit encryption. Leave the option enabled unless a server genuinely cannot do 128-bit: a silent fallback to 40-bit MPPE means you cannot tell from the client whether a given session is strongly encrypted.

Some final thoughts on troubleshooting
There are a handful of troubleshooting issues you should be aware of before finalizing your VPN client/server solution. Many ISPs do not allow incoming GRE packets (IP protocol 47, which carries the PPTP tunnel) into their networks, or they require that the user pay extra for a "business account." If the VPN client cannot establish a VPN connection with the corporate VPN server, the user should contact the ISP to determine if GRE is allowed for the user's account.

Windows 9x clients will not be able to connect to VPN NLB server clusters if the NLB interface still has the actual IP address configured on the cluster servers. Only the virtual IP address can be listed on the external interfaces of the cluster members if you expect to connect down-level clients to a PPTP VPN NLB cluster. If the VPN client fails to connect to a PPTP NLB cluster, confirm that only the virtual IP address appears on the external interface of each of the cluster members.

If a WINS server is manually assigned to a NIC, the PPTP VPN client will not be able to obtain a WINS server address on the PPTP VPN interface. This is in spite of the fact that the WINS address is configured only on the NIC. Note that manually setting a DNS server address on the machine's NIC will not prevent the PPTP VPN client from obtaining a DNS server address from the VPN server.

You may run into issues when users plug directly into the corporate network with an Ethernet card while at work, and then go home and try to connect to the same network through the PPTP VPN interface. The user may need to run the winipcfg utility from the Run menu to renew the IP address. If that does not work, the NIC may need to be removed before the VPN user can connect to the network remotely.
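The split-tunnel warning above (Internet through the ISP and the corporate network through the VPN at the same time) can be verified from the client's routing table. The following is an added example, not from the original guide: it parses two hand-constructed `route print` style tables and reports whether the lowest-metric default route leaves through the PPP interface (full tunnel) or through the ISP while corporate prefixes remain reachable through the tunnel (split tunnel). The interface addresses, the VPN server address and the 172.16.0.0/12 corporate prefix are assumptions.

```python
"""Split-tunnel check against a Windows route table.

Added example, not from the original article. The two tables below are
constructed by hand to look like the "Active Routes" section of `route print`
on a client with a dial-up ISP link (interface 10.1.1.5) and a PPTP link
(PPP interface 192.168.100.20); all addresses are assumptions.
"""
import re
from ipaddress import IPv4Address, IPv4Network

# Destination, netmask, gateway, interface, metric: one route per line.
ROUTE_LINE = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})"
    r"\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$"
)

# "Use default gateway on remote network" enabled: Windows adds a second
# 0.0.0.0 route via the PPP interface with a better metric than the ISP's.
FULL_TUNNEL = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.1.1        10.1.1.5       2
          0.0.0.0          0.0.0.0   192.168.100.20  192.168.100.20       1
         10.1.1.0    255.255.255.0         10.1.1.5        10.1.1.5       1
         10.1.1.5  255.255.255.255        127.0.0.1       127.0.0.1       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.100.0    255.255.255.0   192.168.100.20  192.168.100.20       1
   192.168.100.20  255.255.255.255        127.0.0.1       127.0.0.1       1
     203.0.113.10  255.255.255.255         10.1.1.1        10.1.1.5       1
Default Gateway:     192.168.100.20
"""

# Option disabled: Internet still leaves via the ISP while a corporate
# network (172.16.0.0/12, assumed) is reachable through the tunnel.
SPLIT_TUNNEL = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.1.1        10.1.1.5       1
         10.1.1.0    255.255.255.0         10.1.1.5        10.1.1.5       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.16.0.0      255.240.0.0   192.168.100.20  192.168.100.20       1
    192.168.100.0    255.255.255.0   192.168.100.20  192.168.100.20       1
     203.0.113.10  255.255.255.255         10.1.1.1        10.1.1.5       1
Default Gateway:           10.1.1.1
"""


def parse_routes(text):
    """Return the route entries found in `route print` style text."""
    routes = []
    for line in text.splitlines():
        match = ROUTE_LINE.match(line)
        if not match:
            continue  # header, separator and "Default Gateway" lines
        dest, mask, gateway, interface, metric = match.groups()
        routes.append({
            "network": IPv4Network(f"{dest}/{mask}", strict=False),
            "gateway": IPv4Address(gateway),
            "interface": IPv4Address(interface),
            "metric": int(metric),
        })
    return routes


def tunnel_mode(routes, vpn_interface):
    """Classify how the client is tunnelling, given its PPP interface address."""
    vpn_if = IPv4Address(vpn_interface)
    via_vpn = [r for r in routes if r["interface"] == vpn_if]
    if not via_vpn:
        return "vpn-not-connected"
    defaults = [r for r in routes if r["network"].prefixlen == 0]
    if not defaults:
        return "no-default-route"
    # Windows keeps the ISP default route and adds one via the tunnel with a
    # better metric, so the lowest metric decides where Internet traffic goes.
    best = min(defaults, key=lambda r: r["metric"])
    if best["interface"] == vpn_if:
        return "full-tunnel"
    # Internet via the ISP, corporate prefixes via the tunnel: the client is
    # on both networks at once and can forward between them.
    return "split-tunnel"


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, tunnel_mode(parse_routes(table), "192.168.100.20"))
```

The classification looks only at the lowest-metric default route, which is what decides where Internet-bound packets go; a client whose table matches the second example is exactly the modem-on-the-LAN situation the text describes.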

Understanding Exchange 2000 Server's Outlook Web Access
Mar 22, 2001
By Jim Boyce

Microsoft introduced Outlook Web Access (OWA) in Exchange 5.0 to enable clients to access their Exchange Server mailboxes through a Web browser. Microsoft has made some significant improvements in OWA in Exchange 2000 Server to provide better performance, the ability to support a larger number of users, and improved functionality for clients. In this article, I'll explore OWA to give you an understanding of how it works and how to implement it.

Overview of Outlook Web Access
OWA provides a means for clients to connect to an Exchange server through a Web browser to access their mailboxes. Clients can send and receive messages, manipulate their calendars, and perform many, but not all, of the tasks they can perform when connecting to mailboxes through an Outlook or Exchange client. Exchange 2000 Server includes some additional features not provided by OWA in Exchange Server 5.x. Some of these features are added through OWA itself and others in combination with Internet Explorer 5.0.


OWA isn't meant to be a complete replacement for Outlook or the Exchange client, which provide full access to Exchange Server and its features. However, OWA is useful for enabling roaming users to access the most common mailbox features when they don't have access to their personal Outlook installation. OWA can also be a useful means for giving UNIX, Linux, and Macintosh users the ability to access Exchange Server mailboxes and participate in workgroup messaging and scheduling. Finally, OWA is a good alternative for those users who don't need the full range of features offered by Outlook, and it saves the administrative and support overhead (as well as the licensing costs) of deploying Outlook.

OWA's features
E-mail is inarguably the primary function of Exchange and Outlook, and OWA naturally supports e-mail access. Clients can connect to the Exchange server, view the headers in the inbox, read those messages, send new messages, reply, and forward or delete messages. Although giving clients access to the inbox without requiring an Outlook or Exchange client is certainly an important aspect of OWA, an added benefit is the ability to delete messages without downloading them. Outlook gives you this ability through its Remote Mail feature, which enables you to download only message headers and not message bodies. This is useful when you have a corrupted message that is causing your Outlook client to hang or you have a message with a large attachment that you want to delete rather than download. You can simply connect to the mailbox with your browser, select the message header, and delete the message, all without downloading it to your client computer.

OWA in Exchange 2000 Server adds a few new features for messaging. For example, both the current and previous versions support rich-text messages, but OWA 2000 supports HTML-based messages as well. You also can access embedded objects in messages, another feature not supported by 5.x. Two new features in OWA 2000 rely on Internet Explorer 5.0: drag-and-drop editing and shortcut menus.

In addition to its messaging features, OWA enables clients to access their Calendar folders. You can view and modify existing items as well as create new appointments. OWA doesn't give you the same level of access to your Calendar folder as Outlook or the Exchange client, but the ability to view your schedule and add new appointments is certainly useful. OWA also lets you access your Contacts folder through the Web. You can view and modify existing contacts as well as add new ones. Other new features include support for ActiveX objects, public folders containing contact and Calendar items, multimedia messages, and named URLs (rather than globally unique identifiers, or GUIDs) for objects.

Even though OWA is a useful tool for accessing your Inbox, Calendar, and Contacts folders, it doesn't offer all the capabilities provided by the Outlook client. For example, OWA provides access to your Tasks folder (and to all your other folders as well), but it doesn't enable you to create new tasks. Likewise, you can view the Journal but you can't add new Journal entries. OWA doesn't provide the means to use your mailbox offline. Other features not supported by OWA that are available through Outlook and the Exchange client are timed delivery and expiration for messages, the spelling checker, reminders, and Outlook rules for processing messages.

Client options
OWA supports any Web browser that supports JavaScript and HTML version 3.2 or higher. This includes Internet Explorer 4.0 or later and Netscape 4.0 or later. However, some features rely on Internet Explorer 5.x, including the previously mentioned drag-and-drop editing and shortcut menus, as well as native Kerberos authentication. In addition, browsers that support DHTML and XML offer a richer set of features than those that do not. For example, Internet Explorer 5.x offers an interface to OWA that is much closer to the native Outlook client, including a preview pane and a folder tree for navigating and managing folders.

A brief overview of the OWA architecture
OWA in Exchange Server 5.x uses Active Server Pages (ASP) to provide communication

between the client and the Exchange server. The server uses the Messaging Application Programming Interface (MAPI) to handle messaging requests. The reliance on ASP essentially makes OWA a feature of Internet Information Server (IIS) rather than Exchange Server.

Under Exchange 5.x, OWA functions primarily as a Web site hosted under IIS that uses ASP to process client requests and then uses MAPI (over RPC) to communicate with the Exchange server's message store. The combination of ASP and MAPI imposes a performance overhead that limits OWA's capabilities in Exchange Server 5.x and reduces the number of users a server can support through OWA.

Exchange 2000 Server uses a different architecture that improves performance and thereby increases the number of users that a server can support. OWA in Exchange 2000 Server no longer uses ASP but instead relies on HTML and DHTML. The client browser still uses HTTP to connect to the site, but rather than having to process a client request, IIS simply passes the request off to the Exchange server and transmits replies back to the client. OWA, rather than residing on IIS, is now integrated within Exchange 2000 Server as part of the Web Store.

The Web Store provides a single store for multiple data elements, including e-mail messages, documents, Web pages, and other data. The Web Store supports several important features, such as off-line access and remote client access, and supports multiple protocols, including HTTP, WebDAV, and XML. The Web Store isn't specifically targeted at supporting access through OWA. Instead, the Web Store offers a richer set of features and capabilities for storing and accessing data through means other than just Outlook. For example, Microsoft originally included Web Store access in Outlook XP (the next release of Outlook) to enable Outlook clients to use HTTP to work with their message store, but dropped it due to performance problems. Through its support for multiple protocols and APIs, the Web Store opens up additional avenues for developers to extend Exchange functionality and offers alternative means of accessing Exchange data.

Authentication options
OWA provides three options for authentication:
• Basic: The browser sends the user name and password in the Authorization header of every request, base64-encoded but not encrypted. Although it offers the broadest client support, it also offers the least security because anyone who can observe the connection can read the password. Use it only over SSL.
• Integrated Windows: This option uses the native Windows authentication method offered by the client. On Windows 2000 systems, for example, Internet Explorer uses Kerberos to authenticate to the server. Other Windows platforms use NTLM rather than Kerberos. Security is better than Basic authentication because the password itself never crosses the wire: the client proves that it knows the password through a challenge/response exchange (NTLM) or presents a Kerberos ticket. The browser uses the client's Windows logon credentials to authenticate to the server, eliminating the need for the client to enter the credentials again when connecting to OWA.
• Anonymous: You can use anonymous access on public folders to simplify administration. Anything published anonymously is readable by anyone who can reach the server, so use it only for folders that are genuinely public.

In addition to these three authentication mechanisms, OWA supports the use of Secure Sockets Layer (SSL) to provide additional security for remote connections.

Topology considerations for deploying OWA
If you host only one Exchange 2000 Server computer, there really aren't many considerations for deploying the server. In a multiserver environment, however, you need to give some careful consideration to how you will structure your Exchange environment. When you provide access to your Exchange servers through HTTP (OWA), IMAP, or POP3 to users on the Internet, you should use a front-end server/back-end server scheme. The front-end server sits on the Internet, either outside the firewall or inside a perimeter firewall. It accepts requests from clients on the Internet, uses Lightweight Directory Access Protocol (LDAP) to query the Active Directory for the location of the requested resource (mailbox,


for example), and passes the request to the appropriate back-end server.

A front-end server is a specially configured Exchange 2000 server. A back-end server is just a normal Exchange 2000 server. You don't have to do anything to configure a server as a back-end server. Any server not configured as a front-end server is by default acting as a back-end server.

One of the advantages to using a front-end/back-end topology is that you have to expose only one namespace to the Internet because that front-end server functions as the point of entry of sorts for your back-end Exchange servers. For example, users might connect to a single published URL to access their mailboxes. If you didn't have a front-end server, each user would have to know the name of the server hosting his or her mailbox and enter the appropriate URL. By providing a single point of entry, you make it much easier to expand and rearrange the back-end server configuration without affecting your users. In situations where you have a high volume of traffic through the front-end server, you can set up multiple front-end servers to handle the traffic.

Front-end servers also offer a performance advantage in situations where you need to use SSL to provide additional security between the client and server. The front-end server can be configured for SSL and perform the associated encryption and decryption, removing that load from the back-end servers. This frees up additional processor time for the back-end servers to process messaging requests from clients.

The ability to place the back-end servers behind a firewall is another extremely important reason to use a front-end server. The front-end server hosts no mailboxes, so an attacker who compromises it gains no direct access to mailbox data; it is still a domain member that handles user credentials, however, and must be hardened like any other Internet-facing host. By configuring the front-end server to perform authentication prior to relaying requests to the back-end servers, you considerably reduce the risk of denial-of-service attacks on your back-end servers.

When a request comes in to a front-end server, the server uses LDAP to query the Active Directory to determine the location of the requested data. The front-end server then passes the request to the appropriate back-end server using HTTP port 80. Because the front-end server always uses port 80, SSL and encryption are never used between the two, even though the client might be using SSL to communicate with the front-end server. Credentials and mailbox content therefore cross the internal segment in the clear, so that segment must be a trusted network, or the front-end/back-end traffic must be protected by other means such as IPSec. It also means that back-end servers that listen on a nonstandard port can't function with front-end servers. Instead, clients must connect to these servers directly, specifying the appropriate port number.

The back-end servers handle the traffic from the front-end server like any other HTTP traffic, sending responses back to the front-end server. The front-end server then passes the traffic back to the client, acting as a proxy for the HTTP traffic. Clients never know that a server other than the one they specify in the URL when they connect is actually handling the messaging requests.

Clients can use one of two methods to connect to their mailbox through a front-end server: either authenticate on the front-end server (providing implicit authentication on the back-end server) or use explicit logon at the back-end server. In the former, clients can specify the URL of the front-end server without their account name. In the latter, clients add their account name, as in http://mail.techrepublic.com/jboyce. You would also use explicit logon when you need to access a mailbox that isn't your own but for which you have access permissions. In the case of explicit logon, the front-end server extracts the user portion of the URL and combines it with the SMTP domain name to construct a fully qualified SMTP address. The front-end server then looks up the address in the AD and forwards the request to the back-end server for that user based on the information it finds in the AD.

As you begin planning how you will deploy and manage your Exchange servers in light of OWA, keep the front-end/back-end topology requirements in mind. Decide what strategy, including the placement of front-end servers relative to firewalls, makes the most sense for your organization.

Configuring OWA
You configure OWA using the Microsoft Exchange Manager and Active Directory Users

And Computers consoles. You also can configure certain aspects of OWA through the Internet Services Manager console, although changes you make through the Exchange System Manager overwrite changes you make through the IIS console. In general, you should use the Exchange Manager and Users And Computers consoles for most configuration tasks, using the IIS console only for those tasks not available through the other consoles. Typical configuration tasks you would perform include specifying which users can access their mailboxes through OWA, which authentication methods to allow, and which public folders are exposed to clients.

Controlling user access
By default, all users are enabled for OWA when you install Exchange 2000 Server. In many situations, you might want to limit the users who can use OWA. You do so through the Active Directory Users And Computers console. Open the console and choose View, Advanced Features.

Expand the Users branch, locate a user for whom you want to deny access through OWA, and open the user's property sheet. Click the Exchange Advanced tab and then click Protocol Settings. Select HTTP, click Settings, and deselect the Enable For Mailbox option. Configure any other settings as needed for the user and close the user's property sheet.

Configuring a front-end server
If you intend to use a front-end/back-end topology, you need to tweak one setting on the front-end server to make it function as a front-end server. Open the Exchange System Manager and locate the server in the Servers branch under the server's administrative group. Right-click the server and choose Properties to open its property sheet and then click the General tab. Select the option This Is A Front-End Server and click OK. You need to restart the Exchange and IIS services or restart the server for the change to take effect. Because the back-end servers handle requests from the front-end server like any other request, there is no configuration needed at the back-end server to enable it as such.

Keep in mind when you designate an Exchange server as a front-end server as explained above that you are directing the server to forward all HTTP, POP3, and IMAP4 traffic to the back-end server(s). The front-end server can still host an information store and even user mailboxes, but these mailboxes are accessible only through MAPI. Because the server forwards all HTTP, POP3, and IMAP4 traffic, you can't access the front-end server's store through any of these protocols.

Conclusion
Sometimes your users need to access e-mail on the network but don't have access to Outlook or Outlook Express to do so. To solve this problem, Microsoft created Outlook Web Access in Exchange 5.0. As with most things, Microsoft improved the feature in Exchange 2000. In this article, I've given you a quick look at OWA in Exchange 2000.
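The front-end behaviour this article describes (authenticate first, resolve the mailbox from the URL or from the logged-on user through a directory lookup, forward to the back-end over plain HTTP on port 80, refuse back-ends that listen elsewhere) is modelled below as an added example. It is not Exchange code and not part of the original article. The DIRECTORY dictionary stands in for the LDAP query against Active Directory; the SMTP domain, the back-end host names and ports, and the /exchange prefix in the forwarded URL are assumptions.

```python
"""Front-end request routing for an Exchange 2000 FE/BE topology.

Added example modelling the behaviour the article describes; it is not
Exchange code. DIRECTORY stands in for the Active Directory lookup the
front-end makes over LDAP. The SMTP domain, host names, back-end ports and
the /exchange virtual directory in the forwarded URL are assumptions.
"""
from urllib.parse import urlsplit

SMTP_DOMAIN = "techrepublic.com"   # assumed; alias + domain = SMTP address
BACK_END_PORT = 80                 # FE -> BE is always plain HTTP on port 80

# SMTP address -> (mailbox server, port it listens on). Stand-in for AD.
DIRECTORY = {
    "jboyce@techrepublic.com": ("exbe01.corp.example", 80),
    "tthompson@techrepublic.com": ("exbe02.corp.example", 80),
    "dsmith@techrepublic.com": ("exbe03.corp.example", 8080),  # nonstandard
}


class RoutingError(Exception):
    """Carries the HTTP status the front-end would answer with."""

    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def resolve_mailbox(alias):
    """Explicit-logon resolution: alias -> SMTP address -> back-end server."""
    smtp = f"{alias.lower()}@{SMTP_DOMAIN}"
    if smtp not in DIRECTORY:
        raise RoutingError(404, f"no mailbox matches {smtp}")
    return smtp, DIRECTORY[smtp]


def route_request(url, authenticated_user=None, client_tls=False):
    """Decide which back-end gets the request and what the FE forwards."""
    if authenticated_user is None:
        # Authenticate at the front-end before relaying anything, so that
        # unauthenticated traffic never reaches the back-end servers.
        raise RoutingError(401, "front-end requires authentication")
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if segments and segments[0].lower() == "exchange":
        segments = segments[1:]          # tolerate the real /exchange prefix
    if segments:
        alias, rest = segments[0], segments[1:]   # explicit logon: /alias/...
    else:
        alias, rest = authenticated_user, []      # implicit logon: own mailbox
    smtp, (backend, port) = resolve_mailbox(alias)
    if port != BACK_END_PORT:
        # The FE only ever speaks to port 80; such servers need direct clients.
        raise RoutingError(502, f"{backend} listens on {port}, not {BACK_END_PORT}")
    path = "/exchange/" + "/".join([alias] + rest)
    return {
        "smtp": smtp,
        "backend": backend,
        "forwarded_url": f"http://{backend}:{port}{path}",
        "client_tls": client_tls,
        "fe_be_encrypted": False,   # never, whatever the client used
        # Whether authenticated_user may open someone else's mailbox is
        # decided by the back-end's mailbox permissions, not modelled here.
    }


def route_status(url, authenticated_user=None):
    """HTTP status the front-end would return (200 when it proxies)."""
    try:
        route_request(url, authenticated_user)
    except RoutingError as err:
        return err.status
    return 200


if __name__ == "__main__":
    print(route_request("https://mail.techrepublic.com/jboyce/inbox", "jboyce", True))
    print(route_status("https://mail.techrepublic.com/dsmith", "dsmith"))
```

The `fe_be_encrypted` field is always false regardless of `client_tls`, which is the point the article makes about the second hop: SSL on the front-end protects only the browser-to-front-end leg.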


Enabling Web access of Exchange accounts using Outlook Web Access
Jan 18, 2001
By Troy Thompson, MCSE

Do you have traveling users who want to access their Exchange e-mail from the road, but you don't want to go through the trouble of setting up VPN access for them? You can solve this problem by using Microsoft's Outlook Web Access (OWA) for Exchange server. In this article, I'll explain some of the limitations of OWA, as well as how to install it.

What does OWA do?
OWA provides access to e-mail on your Microsoft Exchange server using a Web browser; deployed over SSL (see "OWA security issues" below), that access can be made secure. This allows your organization to have identical clients on all platforms, including UNIX workstations. It also makes it inexpensive to access mail since you can download browsers for free from the Web.

Although the Web browser performs some processing on the client computer, the OWA server handles most of the processing that's normally performed by the client. The server processes include MAPI sessions, client logic, state information, address resolution, rendering, content conversion, and RPC communications with the Exchange server. Because of this, the server on which you install OWA must meet the following requirements:
• Pentium 6/200 single or dual processor
• 256 MB of RAM, minimum
• High-speed network connection to the Microsoft Exchange server
• Microsoft Windows NT Server 4.0 operating system with Service Pack 4 or later
• Microsoft Internet Information Server (IIS). (Microsoft Exchange Server 5.0 supports only IIS 3.0. Microsoft Exchange Server 5.5 supports IIS 3.0 and later.)
• Active Server Pages (ASP)
• Active Server components or Outlook Web Access components

It's a good idea to test your server's configuration by starting small. Give only about 100 users OWA and monitor your server to make sure it can support them. You may need to add more resources to the server or add more servers to handle the full load.

Each client requires a compatible browser to connect to the ASP on the OWA server. Internet Explorer 3.02, 4.0, or later (or any browser that supports frames, such as Netscape Navigator) will work, but it's recommended that you use Internet Explorer 5.0. Otherwise, you may experience problems accessing your folder list.

OWA features
Outlook Web Access has many features, including the following:
• Basic e-mail: You can use the Microsoft Exchange Server global address book, send and receive file attachments and hyperlinks, set message priority, request delivery and read receipts, and create folders.
• Calendar and group scheduling access: You can create one-time and recurring appointments in a personal calendar, access day and week views, see free and busy times for multiple users, and automatically send and respond to meeting requests.
• Public folder access: You have access to custom views in table format, and you can group and sort messages in a folder.

OWA limitations
OWA will not allow you to use advanced e-mail features. It isn't supposed to replace the Outlook client. The following are features not available when using OWA:
• Offline use: You must be connected to Microsoft Exchange Server to view information.
• E-mail: You do not have access to personal address books, spell checking, or digital

• Calendar and group scheduling: You are without the monthly view and other customized views of your calendar; you also cannot view details with Free/Busy, drag and drop to move appointments, or track acceptance of meeting attendees.
• Public folder access: Outlook views are not in table format.
• Collaboration applications: You cannot use Outlook 97 forms, use Microsoft Exchange Server digital encryption and signatures, or synchronize local offline folders with server folders.

Capacity planning
The number of ASP requests per second that the server can process determines the load placed on IIS by Outlook Web Access. Before installing Outlook Web Access throughout your organization, you should use Performance Monitor to measure the overall number of ASP requests processed per second. If the Performance Monitor counters are consistently too high and users frequently get "server too busy" messages, you should consider adding additional Outlook Web Access servers. Some counters to keep track of in Performance Monitor are listed below:
• The Requests Per Second counter for Active Server Pages: This should be between 10 and 15. When this counter exceeds 15 ASP requests per second, the server will respond more slowly to user requests, it will start to queue incoming user requests, and CPU usage will reach 100 percent.
• The Requests Executing counter for Active Server Pages: If requests are executing but the IIS server is idle, you should restart the IIS server.
• The Requests Queued counter for Active Server Pages: This should be between one and 20.
• The Requests Total counter for Active Server Pages: This shows the total number of ASP requests started.
• The Active Sessions counter for Active Server Pages: This shows the number of ASP sessions that are open on the IIS/Outlook Web Access server.
• The Sessions Timed Out counter for Active Server Pages: This shows the number of ASP sessions that have timed out.
• The Messages Rendered counter for the MSExchangeWEB component: This shows the number of messages opened by clients and helps classify the user profile.

Another recommendation is that you should dedicate one or more servers, other than your Microsoft Exchange Server, to IIS and Outlook Web Access components. However, if Outlook Web Access and Microsoft Exchange Server are not installed on the same computer, Windows NT Challenge/Response (NTLM) authentication is not supported: NTLM credentials cannot be delegated, so the IIS server cannot use them to log on to the Exchange server on the user's behalf.

The Outlook Web Access server will actually perform most of the work for connected clients. Supporting one client connection is the same as running an instance of Outlook on the Outlook Web Access server. Because of this, the Outlook Web Access server will run many active MAPI sessions to Microsoft Exchange Server. Even though a single connection will not consume many resources, many sessions will. If the number of clients increases, you can always add more Outlook Web Access servers to load balance.

Installing OWA
The installation of OWA is straightforward. You use the Exchange Server CD to start the installation. Choose to set up Exchange and its components and then choose Add/Remove. On the next screen you will be presented with the components to install or uninstall, as shown in Figure A.

Be sure that everything you want to install or have already installed has its check box selected. If you deselect any box, that component will be uninstalled. Click Continue and follow the directions that appear.

OWA security issues
If Outlook Web Access clients access Microsoft Exchange Server over an Internet connection, Microsoft recommends that you implement a firewall. There are two ways to implement a firewall with the OWA architecture:


• Between IIS/OWA and the Microsoft Exchange server
• Between the client and the IIS/Outlook Web Access server

Outlook Web Access can be configured to use the following methods of user authentication:
• Anonymous
• Basic (clear text)
• Basic (clear text) over Secure Sockets Layer (SSL)
• Windows NT Challenge/Response
I'll discuss each method and its advantages and disadvantages below.

Figure A: To add support for OWA, select Outlook Web Access from the Options list.

Anonymous
Anonymous authentication allows users to use OWA without specifying a Windows NT user account name and password. The user has the rights of the default anonymous account, which is usually named IUSR_ComputerName. Anonymous authentication provides access only to resources that are published anonymously, such as public folders and directory content.
The advantages of this type of authentication are:
• All browsers support Anonymous authentication.
• Users are not prompted for credentials.
The disadvantages are:
• Anonymous authentication is not secure.
• Users can access only the Global Address List and public folders that are configured for anonymous access.

Basic (clear text)
Basic authentication requires the user to specify a valid Windows NT user account name and password in order to use OWA. Both the user name and password are transmitted as clear text (base64-encoded, which is trivially reversible) over the network to the IIS/Outlook Web Access server.
The advantages of this type of authentication are:
• All browsers support Basic authentication.
• Users can access an unlimited number of resources, even if those resources are not on the user's OWA server.
The disadvantages are:
• Basic authentication is not secure because it transmits passwords across the network as unencrypted information. If you choose this method of authentication, you should also use Secure Sockets Layer, which encrypts the traffic between the browser and IIS.
• Users are prompted for a username and password.
• Users must be granted the Log On Locally right on IIS.

Basic (clear text) over Secure Sockets Layer
Basic authentication over SSL requires users to specify a valid Windows NT user account name and password before they can use OWA. The username and password are then transmitted as encrypted information over the network to the IIS/OWA server. Using Basic over SSL authentication also allows users to access resources that are not on the user's OWA server.
The advantages of this type of authentication are:
• Almost all browsers support Basic over SSL authentication.

• Users can access all Microsoft Exchange Server resources.
• Basic over SSL authentication is much more secure than Basic authentication without SSL.
The disadvantages include:
• Due to the encryption, performance can be reduced.
• Users must enter a valid username and password.
• Users must be granted the Log On Locally right on IIS.

Windows NT Challenge/Response (NTLM) Authentication
NT Challenge/Response requires users to specify a Windows NT user account name and password before they can use OWA. The password itself is never sent from the browser to the IIS server; instead, the browser answers a challenge from the server with a value computed from the password, so an observer sees the exchange but not the password. The limitation of NTLM is that all resources the user can access must reside on the same server as IIS and OWA. NTLM authentication is not supported if IIS/OWA and Microsoft Exchange Server are located on different computers.
The advantages of this type of authentication include:
• NTLM authentication is relatively secure.
• Users are not prompted for a username or password.
The disadvantages include:
• Users can access resources only on the IIS/OWA server.
• Not all browsers support NTLM authentication.

Other security issues
For increased security, you should not use the Save Password feature in Internet Explorer, especially if the computer is shared among users. Also, it is a good idea to disable local caching on the browser. If caching is not disabled, the messages accessed during the previous OWA session may still remain on the local disk, which makes it possible for someone to see another user's messages.

Users should be instructed to log off from their OWA session instead of just closing their browsers. If an OWA session is not properly shut down when the client is finished connecting to the server, the abandoned sessions will continue to consume server resources until they are timed out. Even if users log off from their OWA sessions properly, the server may still perform poorly because ASP memory cleanup happens as a background process.

In this article, I've shown how Outlook Web Access gives you additional functionality for servicing your e-mail needs. It makes it easy for users to check messages from anywhere in the world using a browser; no additional client software is needed. Since it is simple to install and maintain, it is well worth the time and effort required to set it up.
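Both this article and the preceding one describe what each authentication method puts on the wire (Basic in the clear, Basic over SSL, NTLM, Anonymous), and the section above recomm ends disabling browser caching. The following added example, which is not from either article, makes that concrete on constructed HTTP messages: decoding a Basic Authorization header captured without SSL recovers the password outright, an NTLM header carries no password, a "require SSL whenever Basic is used" policy falls out of that, and a response-header check flags mailbox pages that a browser is allowed to keep on disk. The last check goes beyond the article, which asks users to change their browser setting: the server can forbid caching for every client instead. The account name, password, NTLM token and all messages are made up.

```python
"""What each OWA authentication method puts on the wire, plus two checks.

Added example, not part of either article. The HTTP messages below are
constructed by hand; the account, password and NTLM token are made up
(the token is only the base64 "NTLMSSP" type-3 prefix, not a real exchange).
"""
import base64

BASIC_REQUEST = (
    "GET /exchange/jboyce/inbox HTTP/1.1\r\n"
    "Host: mail.techrepublic.com\r\n"
    "Authorization: Basic "
    + base64.b64encode(b"TECHREPUBLIC\\jboyce:Summer2001!").decode("ascii")
    + "\r\n\r\n"
)

NTLM_REQUEST = (
    "GET /exchange/jboyce/inbox HTTP/1.1\r\n"
    "Host: mail.techrepublic.com\r\n"
    "Authorization: NTLM TlRMTVNTUAADAAAA\r\n\r\n"
)

CACHEABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html>Subject: Q3 salary review</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-store, no-cache\r\n"
    "Pragma: no-cache\r\n\r\n"
    "<html>Subject: Q3 salary review</html>"
)


def parse_http(raw):
    """Split a raw HTTP message into start line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def credentials_on_wire(request, over_tls):
    """Report what an observer on the network path learns from the request."""
    _, headers, _ = parse_http(request)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Base64 is an encoding, not encryption: without TLS the password is
        # readable by anyone between the browser and IIS.
        user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
        if over_tls:
            return {"scheme": "basic", "user": None, "password": None}
        return {"scheme": "basic", "user": user, "password": password}
    if scheme in ("ntlm", "negotiate"):
        # Challenge/response or a Kerberos ticket: the password never crosses
        # the wire, although the exchange itself is visible without TLS.
        return {"scheme": scheme, "user": None, "password": None}
    return {"scheme": "anonymous", "user": None, "password": None}


def allow_request(request, over_tls):
    """Policy equivalent of 'require SSL when Basic authentication is enabled'."""
    return credentials_on_wire(request, over_tls)["password"] is None


def cache_findings(response):
    """Headers a mailbox page needs so the browser does not keep it on disk."""
    _, headers, _ = parse_http(response)
    findings = []
    if "no-store" not in headers.get("cache-control", "").lower():
        findings.append("missing Cache-Control: no-store")
    if headers.get("pragma", "").lower() != "no-cache":
        findings.append("missing Pragma: no-cache")
    return findings


if __name__ == "__main__":
    print(credentials_on_wire(BASIC_REQUEST, over_tls=False))
    print(credentials_on_wire(NTLM_REQUEST, over_tls=False))
    print(cache_findings(CACHEABLE_RESPONSE), cache_findings(HARDENED_RESPONSE))
```

Note that `allow_request` still accepts NTLM without TLS, matching the articles' ranking of the methods; the challenge/response exchange is nonetheless exposed to offline guessing by anyone who captures it, which is one more reason to make SSL mandatory on the front-end.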


Enhance Exchange 2000 OWA using
front-end servers
Mar 20, 2002
By Del Smith, CCNA, CCA, MCSE

Microsoft Outlook Web Access (OWA) is a tightly integrated component of Exchange 2000. In fact, as part of the default setup of Exchange 2000, no customization is needed to run OWA. However, if your organization requires more performance, reliability, and security than an “out of the box” OWA solution provides, a front-end server may be just what you need. I’m going to show you how to go beyond the basic setup of Exchange 2000 OWA to explore ways your organization can leverage the key benefits of a front-end/back-end (FE/BE) OWA architecture.

Using an FE/BE topology

Are you already running multiple Exchange 2000 servers in your organization? If so, Microsoft recommends using the FE/BE server architecture to deploy OWA. With this topology, the front-end Exchange 2000 server sends HTTP requests to a back-end Exchange 2000 server running OWA. The front-end server first performs a lookup in AD to determine which back-end server should receive the request and then relays the request to the appropriate server.

The obvious benefit here is the single, consistent namespace the front-end server provides to users. Users don’t need to remember URLs specifying exactly which servers their mailboxes are on. Additionally, with a single namespace, mailboxes can be moved between back-end servers and users can still use the same URL.

The other benefit is seen when allowing OWA access via a secure firewall connection or DMZ. As Figure A illustrates, only the front-end server is exposed on port 80 to the Internet. Since this server does not contact user mailboxes or data, it provides an additional level of security.

Any server running Exchange 2000 Enterprise Edition can become a front-end server. The only change needed is the selection of the This Is A Front End Server check box in the server’s Properties dialog box, shown in Figure B. After making the change, you must restart the Exchange and IIS services or restart the computer. The change essentially tells the Exchange 2000 server to redirect all HTTP traffic to a back-end server that contains the user’s mailbox.

As a general rule, one front-end server is recommended for every four back-end servers. Of course this is just a rule of thumb. The actual number of front-end servers needed will depend on the number of users, the type

Figure A: An FE/BE topology (labels in the diagram: Laptop, Firewall, Exchange 2000 front-end server, Firewall, Back-end servers: Exchange 2000 Server A, Server B, Server C)

Administration 141
of users (light vs. heavy), and the average length of sessions. Front-end servers do not need large or particularly fast disk storage but should have specs similar to a Web server, including fast CPUs and adequate memory.

Securing communication between servers

The front-end server handles authentication in one of two ways. Either the server is configured to authenticate users, or it is set up to forward the request anonymously to the back-end Exchange 2000 server. The recommended configuration is to have the front-end server authenticate users.

Exchange 2000 front-end servers support only HTTP 1.1 basic authentication between client computers and front-end servers, as well as between front-end and back-end servers. Basic authentication allows for just a weak form of encoding when sending usernames and passwords across the network, so the use of SSL is highly recommended.

This is where another benefit of FE/BE architecture comes in. When using SSL, front-end servers can handle all encryption and decryption processing, which improves network performance by removing SSL processing tasks from back-end servers. As an added measure of security, you should make SSL connections to the front-end server mandatory by disabling access without it, as we’ve done in Figure C.

You should also note that HTTP communication between the front-end and back-end servers is not encrypted. Front-end servers do not support Windows Integrated Security (which includes both NTLM and Kerberos authentication). They also do not support using SSL to communicate with back-end servers. All of these factors lead to the conclusion that SSL on the front-end is the best solution.

OWA logon for front-end servers

Typically, users must enter their username in the format domain\username when logging on to a front-end server. However, you can configure the front-end server to assume a default domain so that users do not need to type their domain name. Just modify the Exchange and Public virtual directories and manually enter the default domain name, as shown in Figure D.

Figure B: Configuring a front-end server

Figure C: Requiring SSL on the front-end servers


After making this change, make sure that the System Attendant service is running so that the configuration settings replicate from the directory to the IIS metabase, or simply restart Exchange System Attendant to force replication. After replication is complete, users can log on with just their username and password; no domain name is required.

An additional option for authentication is to configure a User Principal Name (UPN) logon for users. This allows users to enter their e-mail address as their username. To configure UPN, enter a backslash in the Default Domain text box shown in Figure D. After you configure this in the properties of the virtual directories on all front-end and back-end servers, users can authenticate using as their username. (Note that Exchange SP1 is recommended if you decide to use this feature.)

Figure D: Entering a default domain name for user logons

Service pack install order

The order in which you apply Exchange 2000 service packs in an FE/BE OWA architecture is important. Always remember to upgrade every front-end server in the organization before you upgrade any back-end servers. This is because of the way OWA’s templates and controls were designed. A problem arises when the servers run different versions of service packs.

If a template on a back-end server references a control on a front-end server, and the front-end server is running a previous service pack, the control that the back-end server is referencing might not exist. As a result, OWA won’t work for users whose mailboxes are on the upgraded back-end server. Just make sure that you upgrade all front-end servers first so that users see templates from the back-end server. These templates reference the previous versions of the controls, which still exist on the front-end server because the files are versioned and not removed in an upgrade.

Summary

When deployed properly, an OWA solution using front-end/back-end architecture can be more reliable, result in greater performance, and provide tighter security than the generic setup offered by default on Exchange 2000. Use this topology to take your OWA to the next level.
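A model of the front-end logon path this article describes, written as an added example (not Exchange code or the author’s): SSL is enforced on the front end, the Basic credentials are decoded to show why that enforcement matters, the logon name is interpreted according to the Default Domain setting (domain\username, a default domain, or a backslash for UPN logon), and the request is relayed to the back-end server holding the mailbox. The directory entries, server names and the Request/FrontEndConfig types are constructed for the example.

```python
"""Model of the Exchange 2000 front-end logon path described in the article:
SSL enforced at the front end, Basic credentials decoded, the logon name
interpreted per the Default Domain setting, and the request relayed to the
back-end server that holds the mailbox. Added example; not Exchange code."""
import base64
import binascii
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-in for the Active Directory lookup the front-end server
# performs; account names and server names are invented for this example.
DIRECTORY = [
    {"account": "corp\\alice", "upn": "alice@corp.example",
     "server": "exch-be1.corp.example"},
    {"account": "corp\\bob", "upn": "bob@corp.example",
     "server": "exch-be2.corp.example"},
]


@dataclass
class FrontEndConfig:
    # Default Domain text box on the Exchange and Public virtual directories:
    #   None   -> users must type domain\username
    #   "corp" -> a bare user name gets this domain prepended
    #   "\\"   -> UPN logon: users type their e-mail address
    default_domain: Optional[str] = None
    # The Figure C setting: refuse any connection that is not SSL.
    require_ssl: bool = True


@dataclass
class Request:
    scheme: str                      # "https" or "http"
    headers: Dict[str, str] = field(default_factory=dict)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_credentials(authorization: str) -> Tuple[str, str]:
    """Recover user name and password from a Basic Authorization header.

    Basic authentication only base64-encodes user:password, so anyone who
    can read the header in transit reads the password. That is why the
    article insists on SSL between the client and the front-end server.
    """
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("credentials lack the ':' separator")
    return user, password


def resolve_account(logon: str, cfg: FrontEndConfig) -> dict:
    """Map what the user typed to a directory entry, per the Default Domain setting."""
    key = "account"
    if "\\" in logon:
        name = logon                             # domain\username typed explicitly
    elif cfg.default_domain == "\\":
        key, name = "upn", logon                 # UPN logon: e-mail address as user name
    elif cfg.default_domain:
        name = f"{cfg.default_domain}\\{logon}"  # default domain filled in by the server
    else:
        raise ValueError("logon must be in domain\\username form")
    for entry in DIRECTORY:
        if entry[key].lower() == name.lower():
            return entry
    raise LookupError(f"unknown account {logon!r}")


def route_request(req: Request, cfg: FrontEndConfig) -> str:
    """Return the back-end server the front end should relay this request to."""
    if cfg.require_ssl and req.scheme != "https":
        # The Basic header would cross the Internet readable; refuse it.
        raise PermissionError("SSL is required on the front-end server")
    user, _password = decode_basic_credentials(req.headers.get("Authorization", ""))
    # Password checking against the directory is outside this model. Note the
    # article's caveat: the relay leg to the back end is plain HTTP, so it must
    # stay on the trusted internal network behind the second firewall.
    return resolve_account(user, cfg)["server"]
```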

Implementing site-to-site VPN with BorderManager 3.x
Feb 28, 2001
By Ron Nutter, MCSE, CNE, ASE

Running point-to-point data circuits (also known as private lines) between your company’s locations can be very expensive, especially if one or more of those locations are overseas. BorderManager is more than just a firewall or a method of controlling access to the Internet—you also have the ability to establish a virtual private network (VPN), which will use the Internet to connect your locations. All you will need to do is install

a data circuit to a local ISP and a BorderManager server at each location.

In this article, we will walk through the steps of setting up a site-to-site VPN. The first step involves setting up a master VPN server (each VPN configuration will have only one master VPN server). Although we will be setting up just a two-site VPN in this article, each additional site you add to your VPN will be a slave server. We will be using NetWare 5.1 with Support Pack 2a applied and BorderManager 3.5 with BorderManager Support Pack 2 applied.

Before you start

One thing you will want to think about before beginning to implement a site-to-site VPN is whether to implement VPN services on your existing BorderManager server or implement a server dedicated solely to the VPN links between locations. If you put the VPN services on your existing BorderManager server, you will need to be very careful about when you reboot the server, as this will take your entire VPN down. If you implement a dedicated VPN server, you should be able to reduce the amount of downtime from reboots, as you shouldn’t be working with this server significantly on a day-to-day basis.

A fault tolerant network (one that can handle problems thrown at it and keep running basically undisturbed) might be accomplished by implementing a dedicated VPN server at each location and then making the BorderManager server you already have a slave VPN server. Before implementing this type of solution, I recommend setting up a proof of concept system to make sure that everything will work as expected.

Establishing site-to-site VPN on the master server

At this point, we will assume that you already have NetWare 5.1 and BorderManager installed on the server that will be your master VPN server and that the appropriate Support Packs have been installed. Type LOAD VPNCFG at the server’s console prompt and press [Enter]. When the VPNCFG main menu screen appears, highlight the Master Server Configuration option and press [Enter]. A message will appear indicating you can have only one master VPN server in the network. Highlight Continue and press [Enter].

The first thing that you will need to do is tell BorderManager what the TCP/IP addresses are for the public card and for the VPN network. Highlight Configure TCP/IP Addresses and press [Enter]. You will need to enter the TCP/IP address and subnet mask for both the public and VPN tunnels. The public TCP/IP address and mask are the same as the ones you defined on your BorderManager server.

The VPN address and subnet mask will take a little thought before you proceed. This address has to be unique on your network; no address in this range can be used anywhere else on the network—anywhere, that is, except on the other BorderManager server (which will use a different address out of the range defined by the subnet mask that you enter for the VPN tunnel). Once you have entered the required information, press [Esc], highlight Yes, and press [Enter]. A series of messages will shortly appear indicating the NDS schema is being extended and the base VPN configuration is set up.

In order for the VPN to work, you will need to have some type of encryption set up. Highlight the Generate Encryption option and press [Enter]. You will be prompted to enter a random seed to be used to generate the key. Enter a random string of letters and numbers and press [Enter]. Don’t worry about remembering this string. (This doesn’t have to be the same on each server.)

When the encryption generation process is complete, you will see a message on the server screen to that effect. You will be returned to the VPN master server screen. Highlight the Authenticate Encryption Information option and press [Enter].

You will see a screen on the server showing a string of numbers and letters. This is known as the digest, the information used by the servers to set up the VPN between sites. You will need to have this information ready for the network administrator at the other end of the VPN connection (if you aren’t going to do the install yourself) so that the admin will know


that the setup is enabled correctly. Press [Enter] to return to the main VPN menu screen.

You need to export the information necessary so that the slave VPN server will know how to talk to the master VPN server. Put a blank floppy in the server’s A: drive. Highlight the Copy Encryption Information option and press [Enter] to continue. The default path should be A:\. Unless your server’s floppy drive is something other than A:, accept the default and press [Enter].

Once the information is copied to a file, you will see a message on the server’s console screen. The name of the file it creates is Minfo.vpn. You have the option of e-mailing the Minfo.vpn file to the administrator at the other end of the connection, mailing the floppy, or going to that location yourself.

Figure A: You must configure TCP/IP on the slave server.

Setting up the site-to-site VPN on the slave server

Now that the master VPN server is set up, we can move on to the slave VPN server. Load the VPNCFG NLM on the slave server. Highlight the Slave VPN Server Configuration option and press [Enter]. Highlight the Configure TCP/IP Address option and press [Enter] just as you did on the master VPN server. When you do, you’ll see the screen shown in Figure A.

As with the master VPN server, you will need to enter the TCP/IP address and subnet mask for the public card and the VPN tunnel. In the case of the slave VPN tunnel, you will need to do something a little different. For example, if you entered a TCP/IP tunnel address on the master VPN server of with a subnet mask of, you will need to use the same subnet mask on the slave VPN but with a different TCP/IP address. In our example, we would use something like for the TCP/IP address of the VPN tunnel on the slave VPN server. Press [Esc], highlight Yes, and press [Enter] to continue.

Your next step will be to generate the encryption information necessary for this server to be able to participate in the VPN. Highlight the Generate Encryption Information option and press [Enter]. A pop-up box will appear asking you to verify the path to the Minfo.vpn file. Let’s assume you are doing the slave VPN install yourself and have brought this file on a floppy. Insert the floppy into the slave server’s floppy drive and press [Enter]. After the Minfo.vpn file copies, you will see a digest screen displayed. This information should match exactly what you saw on the master VPN server. If this matches, highlight Yes and press [Enter].

You will next be asked to enter information to help randomize the Diffie-Hellman public and private keys that will be generated on this server. This information will be used on the master VPN server to actually build the VPN connection between servers. Enter the requested information and press [Enter]. A screen will appear when the VPN information has been created, and another screen follows when NDS has been extended to handle this task.

The next step involves copying the VPN information from the slave server to a floppy so that the master VPN server will know how to set up the VPN tunnel between servers. Highlight the Copy Encryption Information option and press [Enter]. You will be asked to verify the drive and path to the Sinfo.vpn file that will be created. Press [Enter] to continue.

One thing to note at this point is that if you will have multiple slave servers in your VPN

configuration, you will want to rename the Sinfo.vpn file to another name descriptive of the site it is for. This will make the process easier if you have to tear down and recreate the VPN for some reason. Once the VPN file has been copied to the floppy, you will see a message on the server telling you about renaming the file.

Completing the VPN setup in NetWare Administrator

To complete the site-to-site setup, you will need to go into NetWare Administrator. Double-click on the NDS server object that is running BorderManager. Click on the BorderManager Setup tab and then click on the VPN tab on the BorderManager Setup properties screen. Highlight the Master Site To Site option and click on the Details button. When the VPN Master properties screen appears, click Control Options. On the Control Options properties screen, you will need to select what protocols you want to cross the VPN.

You will also want to choose the topology you want for your VPN, as shown in Figure B. You have a choice of three topologies: Full Mesh, Star, and Ring. With Full Mesh, all the VPN sites can reach all of the other sites directly without having to go to the master VPN site first. With a Star topology, all slave sites will have to go through the master site before they will be able to talk to other slave sites. The disadvantage with this solution is that it will produce additional traffic at your master VPN site. With the Ring option, each VPN site will have connections to two of its neighbors. This solution is fine if most of the traffic will be between adjacent systems but could cause delay because of additional hops produced by this configuration when the most distant systems need to talk to each other.

Both the Star and Ring options could suffer communication problems if a critical part of the system were to go down. With the Full Mesh option, you should still be able to talk between systems even if one or two are down. If the master VPN server is down, you should still be able to talk, but you won’t be able to add or remove slave VPN servers until the master VPN server is back online.

Once you have selected the options on the Control Options screen and clicked OK, you will be presented with a screen that will allow you to add the slave VPN server to your VPN network. From the VPN Master Server properties screen, click Add and browse the floppy containing the Sinfo.vpn file. Double-click on Sinfo.vpn (or the file name you have renamed it to). After NetWare Administrator reads the file, you will see a digest info screen containing a

Figure B: You must choose your topology in NetWare

Figure C: You can monitor your VPN on the VPN Member Activity screen.


series of letter and number combinations. The information on this screen should match what was displayed on the digest screen on the slave server when you created the encryption information. Click Yes to proceed. When the Adding Server To VPN screen appears, click Yes to enter the info read from the Sinfo.vpn file.

The VPN Members screen should now be visible. TCP/IP RIP is enabled by default. Leaving this option enabled will allow the remote sites to seamlessly route over your network without your having to enter static routes within NetWare Administrator. If you will be connecting other companies (and other NDS trees) into your VPN, you may want to deselect TCP/IP RIP and go with static route mappings to help prevent access to parts of your network by the other companies that will be connecting to you.

Click OK to save this configuration and return to the VPN Master properties screen. When the VPN Master screen appears, you will see the slave VPN server you just added appear in the list of VPN servers. Click on the Status button and check the sync status of the VPN servers. Any time you add another slave VPN server or make significant changes to the network and have what appear to be communications problems, this is a good screen to check to make sure that all the servers are up-to-date with the information about the rest of the network. Congratulations, you now have a VPN up and running.

Monitoring the VPN

Monitoring the VPN is something that should be done periodically even if things are going well. Any time you add a server to the VPN, you will see a message appear on the master VPN server console screen telling you that a server has been added. A similar message will appear on the slave VPN servers.

Depending on the way you have implemented filtering in BorderManager, you may need to temporarily unload the filters to do this next series of tests. After you have added a slave VPN server to your network, first try pinging the TCP/IP address of the VPN tunnel on your end. Next, ping the TCP/IP address of the VPN tunnel on the server you just added and finally the TCP/IP address of the private card on the slave VPN server. If your pinging fails to get a response at any point in this process, this indicates a communication problem that should be addressed before proceeding.

Another screen to check periodically is the VPN Member Activity screen, shown in Figure C. This screen is reached from the sync status screen mentioned earlier. Highlight the VPN server that you want to check and click on the Activity button. When the VPN Member Activity screen appears, you will see what is going on with a particular slave VPN server (what protocols are being used, how many packets are being sent/received, etc.).

Conclusion

As you can see, setting up a site-to-site VPN isn’t that hard. As with any other network addition, take a few moments to document what you have done and the TCP/IP addresses being used for the VPN tunnel and make a copy of the .VPN files you used to create the VPN in case you need to tear down and re-create the VPN. If you haven’t already started doing so, have the individual responsible for the slave VPN servers keep a log of changes made to the servers so that if things stop working, you will have a base from which to start when figuring out the problem.
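The three topologies compared in the NetWare Administrator section above (Full Mesh, Star, and Ring), as an added example that is not Novell’s code: it builds each topology for a set of sites and counts VPN hops between sites, with some sites marked as down, so the reachability claims in the text can be checked for any number of sites. Site names are constructed; the first site plays the master.

```python
"""Reachability model for the BorderManager site-to-site VPN topologies
(Full Mesh, Star, Ring). Added example; not Novell's code. sites[0] is
the master VPN server, the rest are slaves; names are constructed."""
from collections import deque
from typing import AbstractSet, Dict, List, Optional, Set

Topology = Dict[str, Set[str]]   # site -> directly connected VPN peers


def build_topology(sites: List[str], kind: str) -> Topology:
    """Return the peer links NetWare Administrator would set up for `kind`."""
    links: Topology = {s: set() for s in sites}

    def link(a: str, b: str) -> None:
        links[a].add(b)
        links[b].add(a)

    if kind == "full_mesh":          # every site reaches every other site directly
        for i, a in enumerate(sites):
            for b in sites[i + 1:]:
                link(a, b)
    elif kind == "star":             # slaves talk to each other only via the master
        for s in sites[1:]:
            link(sites[0], s)
    elif kind == "ring":             # each site is connected to two neighbours
        for i, a in enumerate(sites):
            link(a, sites[(i + 1) % len(sites)])
    else:
        raise ValueError(f"unknown topology {kind!r}")
    return links


def hops(links: Topology, src: str, dst: str,
         down: AbstractSet[str] = frozenset()) -> Optional[int]:
    """Number of VPN hops from src to dst, or None if unreachable.

    Sites in `down` are offline: they neither originate nor relay traffic,
    which is what breaks a Star when the master fails or a Ring when two
    non-adjacent sites fail.
    """
    if src in down or dst in down:
        return None
    seen = {src}
    queue = deque([(src, 0)])
    while queue:                     # breadth-first search gives the shortest path
        site, dist = queue.popleft()
        if site == dst:
            return dist
        for peer in links[site]:
            if peer not in seen and peer not in down:
                seen.add(peer)
                queue.append((peer, dist + 1))
    return None


def worst_case_hops(links: Topology,
                    down: AbstractSet[str] = frozenset()) -> Optional[int]:
    """Largest hop count between any two live sites; None if some pair is cut off."""
    live = [s for s in links if s not in down]
    worst = 0
    for i, a in enumerate(live):
        for b in live[i + 1:]:
            h = hops(links, a, b, down)
            if h is None:
                return None
            worst = max(worst, h)
    return worst
```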

Setting up client-to-site VPN in
BorderManager 3.x
Jan 12, 2000
By Ron Nutter, MCSE, CNE, ASE

Protecting the data on your corporate network is becoming more important each day. For Web site access, you can use SSL (Secure Socket Layer) on your Web server to provide a layer of protection. However, you still need to find a way to allow access to files on the network and access to server-based services that don’t support SSL. (Yes, Virginia, there are a few server-based services that don’t support SSL.) In this article, I’ll take you through the steps of setting up the client-to-site VPN function in BorderManager 3.x.

Setting up the server side of VPN

The process of setting up client-to-site VPN in BorderManager begins with establishing an Rconsole session to the server that’s running BorderManager. At the console command prompt, type VPNCFG (or load VPNCFG if you’re using NetWare 4.x) and press [Enter]. A message will appear indicating that there can be only one master server. Highlight Continue and press [Enter]. When the Master Server Configuration screen appears, highlight Configure IP Address and press [Enter]. Highlight Not Configured beside Public IP Address, enter the IP address that is currently assigned to the public card in your BorderManager server, and press [Enter]. You also will need to enter the subnet mask that matches the IP address of the public card. Finally, enter the IP address and subnet mask to be used for the VPN tunnel of the configuration.

I’d like to point out two things that aren’t made clear in the BorderManager documentation. You must use both the IP address and subnet mask that are currently bound to the public card in the server that’s running BorderManager. Although it may be possible to bind a secondary IP address to the public card, this approach isn’t recommended; it may result in sporadic operation of the client VPN function of BorderManager, and Novell Support won’t be able to help if you call in with a problem. You will want to assign an IP address from a different range than the one that is being used currently on the private card(s) in your BorderManager server. For example, if you have and using a subnet mask of that’s bound to private cards in your BorderManager server, you should use something like with a subnet mask of. It will give the virtual private address that you are assigning to the VPN tunnel part of the configuration, which gives the client VPN traffic a place to route. It also ensures that the traffic is handled properly for the encryption and decryption that occurs as a part of the client-to-site VPN process. Once you have entered the IP addresses and subnet masks for the public and private side of the VPN part of BorderManager, press [Esc], highlight Yes, and press [Enter] to save the configuration.

If you haven’t progressed to the point with BorderManager that you’ve configured packet filters, you’ll probably receive an error message saying that VPNCFG can’t configure packet filters. This problem happens because the outgoing packet filters are disabled, but it’s a normal occurrence when packet filters haven’t been configured or when packet filters have been created. To clear this error, you’ll need to load the filter configuration NLM (FILTCFG.NLM) in order to check the existing filters, enable outgoing RIP filters, and select the menu option that will update the changes you made. Press [Enter] to acknowledge the error screen. A secondary message will follow to indicate that VPNCFG can’t add the filters it needs in order to operate. Press the [Enter] key to continue.

Change to the console command prompt and type filtcfg (or load FILTCFG if you’re using NetWare 4.x) and press [Enter]. Highlight Configure TCP/IP Filters and press [Enter]. When the TCP/IP screen appears,


highlight Outgoing RIP (Routing Information Protocol) Filters and press [Enter]. When you see the Outgoing RIP Filter screen, highlight Disabled beside the status options and press [Enter]. Then, highlight the Enabled option and press [Enter].

Now, press [Esc] until you are given the option to exit FILTCFG; then highlight Yes and press [Enter]. Return to VPNCFG.NLM’s Master Server Configuration screen, highlight the Generate Encryption Information option, and press [Enter]. When you see the Enter Random Seed box, enter a random string of characters (maybe something like your Admin password!) and press [Enter]. A screen will appear and indicate that the encryption information is being generated. Factors affecting the amount of time that this process will take include the length of the random key that you entered, the speed of the processor on the BorderManager server, and the number of currently pending requests that the server is processing. When the key generation is finished, a message will appear on the screen to inform you of its completion. Press [Enter] to proceed.

At this time, the VPN attributes will be added to NDS. When that process is complete, another message will appear. Press [Esc] when the process is complete, and you’ll see a message indicating that VPMASTER.NLM was loaded successfully. Press [Enter] to proceed. Next, highlight the Update VPN Filters option in VPNCFG.NLM and press [Enter]. A series of messages will tell you that the NLM is checking to see if the filters it needs have been set and that the NLM is updating the VPN filters. When this process has finished, press [Enter]. Now, highlight the Display VPN Server Configuration option and press [Enter]. Verify that all the information you entered is correct and that all the key lines indicate Configured. Press [Esc] until you’re prompted to exit VPNCFG.NLM. Highlight Yes and press [Enter] to continue. Now, you can terminate the Rconsole session; the server side portion of the client-to-site VPN setup is pretty much complete. The remainder of the VPN setup will take place on a workstation running NWADMIN and using the BorderManager snap-in.

After starting NWADMIN, double-click the NDS server object that’s running BorderManager. Then, click the BorderManager Setup button and click the VPN tab. The Master Site To Site box should be checked. Click the box beside Client To Site and click Details. To pass IPX traffic over the VPN connection, enter a unique IPX address; then click OK. A series of messages will appear on the console prompt screen of the BorderManager server. You should see several waiting for timestamp messages. Depending on the level of activity on your BorderManager server, these messages may repeat themselves several times before you see a timestamp completed message for each NLM (VPMASTER.NLM and BRDSRV.NLM). After you see these messages, you can continue with the BorderManager VPN configuration.

Before proceeding to the client portion, you’ll want to restart the BorderManager server and make sure that everything relating to the VPN service loads and initializes correctly. Although restarting the program is a requirement for BorderManager only when you’re running on NetWare 5, it’s a good idea to restart on NetWare 4, too—just to make sure that everything is OK so far.

Setting up the client side of client-to-server VPN

To minimize problems, you should use Novell client version 3.1 or later. The latest VPN client is BM3VPD04.EXE, which was released around mid-September of 1999. After running the self-extracting executable, go to the disk 1 directory and run SETUP.EXE. During the installation, you will be asked to choose Dial-Up VPN, LAN VPN, or both. You will use the Dial-Up VPN when you come in over a regular dial-up connection. The LAN VPN connection is a recent addition to the client VPN portion of BorderManager. It allows you to use an existing connection, such as a DSL connection or cable modem, to gain access to your network over an encrypted connection instead of having to put up with a slower async connection.

One quick check is in order before you try to establish that first encrypted connection to your network. Double-click on either of the VPN options, which were added during the

installation of the VPN client software. Now, click the NetWare Options tab. If you can click on only the Enable IPX check box and the other options are not available, you have a client-level problem that will need to be addressed. The best way to fix this problem is to uninstall the VPN client, uninstall the existing NetWare client and network card driver, and reinstall the network card driver and Novell client software first, followed by the VPN client software. After you reboot, the problem should be resolved. If you still have a problem, you’ll want to get a copy of the Novell UNC32 executable, which will take the de-installation process one step further by removing all entries that were created in the Windows registry by the Novell client software.

Establishing a connection with the LAN VPN option

The first time you invoke either of the VPN options, you will have a few extra things to remember. You will need to enter your NetWare user name, password, context, and the public IP address of the BorderManager server to which you will be connecting. In the context field, don’t include a leading period when you enter the specific NDS context of the user account that you are using to log in. While the software should be able to handle it, I received error messages when I used a leading period.

Before clicking OK to start the login process, click the NetWare Options tab. Your options are Enable IPX, Login To NetWare, Clear Current Connection, Run Scripts, Display Results Window, and Close Script Results Automatically. Before turning remote access over to your users, you may want to try logging in over a regular dial-up and a DSL-type connection. Testing them will help you determine how long it will take your users to log in to the network and allow you to anticipate the kinds of questions/calls that you will probably get when they start using this access. One option that I would recommend you start with is Run Scripts. It will give you an idea of what kind of changes to your container and/or personal login scripts may be necessary to allow users to get in and out of your network quickly.

Make sure that your users know that while they are logged in, they won’t be able to browse the Internet or access resources that are off of your network. If you do, BorderManager won’t have to field requests from the VPN users who are routed over the same connection on which they are coming into your network.

When the users click OK to establish the VPN connection, they will see a progress box under the VPN Status tab of the VPN client. As each step of the login/authentication process is completed, users will see the following messages: Connecting For Authentication, Authenticating NetWare User, Authenticated NetWare User, Enabled IP Encryption, Enabled IPX Encryption (which you’ll see only if you’re going to establish an IPX connection to your network), and Performing NetWare Login. Keep in mind that while you are using the LAN VPN client, you won’t be able to access anything that is off your network. It’s actually a good thing, but your users may become a little confused when they try to reach another Web site while they’re getting their e-mail from your Exchange or Groupwise server.

Establishing a connection with the dial-up VPN option

Using the dial-up VPN is fairly simple. It can use your existing setup to call your ISP and build an encrypted connection to your BorderManager server. You begin the process by double-clicking the Dial-up VPN Client icon, which appears on the desktop next to the VPN installation program. Click the NetWare Login tab and fill in the NetWare user name, password, NDS context, and server IP address. When entering the NDS context for this user, don’t include a leading period before the container name, or you may have a problem

150 Administrator’s Guide to VPN and Remote Access, Second Edition

logging in. As I mentioned earlier, you’ll want to enter the public IP address of your BorderManager server.

Now, click the NetWare Options tab and make sure that the Enable IPX option is selected. For your first time dialing up, you may want to leave all the options enabled in order to get an idea of what you may want to deselect when you put the client VPN process into production use. You may want to think about not using Novell’s Application Launcher if you have a lot of icons for distributing available applications to your users. Since some dial-up users can sometimes expect a response from the server just as if they were attached directly to it, controlling the applications that they can access remotely may be worthwhile. You can use either a separate NDS container or a special group to limit the applications that are available to remote users.

The next step is to click the Dial-up tab. Click on the drop-down box beside the dial-up entry name and make sure the correct Dial Up Networking address book entry is selected. Enter the correct dial-up user name and password for the Dial-up Networking (DUN) configuration that you are using. If you normally don’t use DUN but use software provided by the ISP to establish your connection, you may want to talk to your ISP’s tech support folks to see if you need to do something differently. For example, those who use Netcom as their ISP would have to use us,ppp,username—instead of just a user name if they used DUN to establish the connection.

Now, click the VPN Status tab and click OK to begin the process of establishing the connection to your BorderManager server via your ISP. The progress screen will flash the number that is being dialed. Once the connection has been made to the ISP’s modem pool, the message will change to Authenticating Dial up user (ISP) and then to Authenticating NetWare User. If you get an NDS-309 message just after the connection is made, you may want to recheck your BorderManager server and make sure that it has been restarted, as indicated in the BorderManager VPN installation instructions. Also, make sure that the login name, password, and NDS context have been entered correctly.

Once all the statements in the login script have been processed and all the icons in the NAL window have been displayed, try establishing a VPN connection and deselecting the Process Login Script option. If your BorderManager server is running on NetWare 5, you might consider deselecting the IPX Only option to minimize the amount of negotiation that occurs in setting up an encrypted link for more than one protocol.

The first time that you establish a dial-up connection to your BorderManager server, you will be presented with an Authenticate VPN Client message with a series of numbers and letters that will look something like 4D DD F2 93 7A CD CD BB 23 57 BB AA 23 3D F3. This information should match what is available by clicking the Digest button in NWADMIN. If the information doesn’t match, you may want to try either reestablishing the connection or verifying that everything is configured correctly on your BorderManager server. Otherwise, the VPN connection may not work correctly, if at all.

Suppose that you have users who want to access the Internet before or after they use the encrypted link into your network. In that case, you may want to have them use the regular DUN icon to establish the connection to the ISP and then the LAN VPN icon to make and break the connection to your corporate network. That way, they won’t have to reestablish a nonencrypted connection to use the remainder of the Internet.

Optimizing the client VPN connection

If you’re using the Single Sign-on feature of BorderManager and loading the CLNTRUST.EXE and DWNTRUST.EXE files from the login script (a container, personal, or profile script), you might want to consider having your users type in a special login ID in order to bypass that part of the login script. You also can make them part of a group that bypasses that part of the login script. Since they’re coming in over an encrypted connection, there won’t be any benefit to having them run these files.

Depending on how involved your login scripts are at a container level, you may want to
set up a special NDS context through which the remote users will log in—thus minimizing lengthy login times. It will give you a way to administer ZEN application objects, too. (You really don’t want your users to load the applications that they’ll use over a slower dial-up connection while they’re on your network, do you?) This approach can help you restrict access into the network via BorderManager VPN by modifying the rule that you set up earlier, which limited use only to those who are in the container that is eligible for VPN access.

Monitoring client VPN connections

Now, double-click the NDS in NWADMIN upon which BorderManager is running. When the BorderManager screen appears, click the BorderManager Setup button. Select the VPN tab and click the Details button. A list of servers currently configured for VPN will appear, with each server listed by name and public IP address.

To see what is happening with the VPN function on a particular server, highlight the name of the server in the list and click the Status button. A synchronization status screen will appear, and you’ll see the server you just selected listed again with a status that should show as up to date. To see the current VPN connection status, click the Activity button on the Synchronization Status page. You’ll see several boxes of information on this screen that cover everything from global parameters relating to the overall VPN connection to those items that are protocol specific. When this screen comes up, it will show only server-to-server-based connections by default. You’ll need to click the Clients button to change the view to the Client to Site VPN view. In the upper left-hand corner of the VPN Member Activity screen, you’ll see a listing of the currently active connections. Each connection will show the user’s NDS login name with an up or down arrow for both IP and IPX protocols. This screen is good to watch while users are trying to establish a VPN connection and are complaining that they can’t get through. Since this screen is somewhat static in nature, you’ll need to use the Update button to make sure that you are looking at the most current information about the connection. Watch the up and down arrows on this screen as connections are being made. Different colors are used to indicate problems, progress in establishing the connection, or activity levels on the selected connections. Click the Help button to learn what the colors mean and how to interpret the information that they are giving you.

As you turn the VPN function into production use, you may find that you have more demand for the VPN service than you have resources to handle the need. By default, the idle time that a connection is allowed to have before the connection is broken is 15 minutes. You can change this amount of time by clicking the Timeout button and decreasing or increasing the timeout value. Once the connection is dropped, users will have to restart the VPN client function and log in again to the network in order to continue their work. If you want to see a step-by-step log of what occurs as a connection is established, authenticated, or broken, begin by clicking OK and closing out the VPN Member Activity screen. When you return to the previous screen, click the Audit Log button.

When the Audit Log screen appears, the end time will be the current time for the workstation upon which NWADMIN is running, and the start time will be approximately nine hours before that time. Your only option in this version of the BorderManager snap-in is to use the up and down arrow on the time box to adjust the date and time. Once you’ve selected the desired date and time ranges, click the Acquire button, and the information will be extracted from the BorderManager logs. You’ll see a step-by-step record of what occurred while the connection was being established or broken. Using the check boxes, you can filter what is presented, and you won’t have to suffer from information overload.

Several messages will appear on the server console screen as connections are made and broken. On incoming connections, you’ll see an incoming WAN connection first as the request comes through and then a message when the connection is authenticated. The final message will appear when the authenticated connection

is disconnected or stopped. These messages give you a quicker view of VPN usage without your having to go into NWADMIN and drilling down to the view that you want.

Avoiding problems in BorderManager

If you’re running BorderManager 3.0 on NetWare 5, there are a couple of steps that you need to take in order to keep things running smoothly. You’ll want to copy these files:

- IPFLT31.NLM from the directory created by the NetWare 5 SP3A—Products/NOBM3.5/SYSTEM
- CSAUDIT.NLM from the Products/NOBM/SYSTEM/CSAUDIT.NLM

Place both NLMs in the SYS:SYSTEM directory. Since BorderManager depends on CSAUDIT.NLM, you’ll need to restart the server after the new NLMs are copied and in place. You’ll have to update these NLMs so that the filters needed by BorderManager and the VPN function can be updated and accessed correctly. Verify that you are using the latest NetWare Service Pack and the latest service pack for your version of BorderManager.

We’ve walked you through the basics of setting up client-to-site VPN in BorderManager. The service itself is fairly straightforward to set up and should be trouble free—as long as you take your time setting things up. Using the client-to-site VPN function allows you to use the ISP’s modem pool and national data network without having to build your own.

Serving up NetWare’s Web Manager

Aug 1, 2000
By Steven Pittsley, CNE

How about a server management tool that requires no installation, allows you to perform administrative tasks from any Web browser, and costs you absolutely nothing? You say it sounds too good to be true? Well, in this instance, it really is true. The NetWare Web Manager is installed automatically during NetWare 5.1 installation, requires no initial configuration, allows you to use a Web browser to perform management tasks, and is a standard piece of NetWare 5.1. In this article, you will learn about some of the outstanding features of this great new utility.

The NetWare Web Manager consists of a set of NLMs that run on the server. During NetWare 5.1 installation, the command to load the NLM is added to AUTOEXEC.NCF. To manually load the Web Manager, type LOAD NSWEB at the server console. Figure A shows the Web Manager screen that’s displayed on the server. As you can see, very little can be accomplished here. Your only options are to restart or shut down the Web Manager.

Accessing Web Manager

To access the NetWare Web Manager, launch your Internet browser of choice and type a URL that uses the following syntax:

https://servername:2200

An example of this would be https://

The default IP port is 2200, but you can change this. You can verify the IP port from the Web Manager screen on the file server, which is shown in Figure A.
Once you enter the URL, you must log in as a user with Admin rights. After being authenticated, the Web Manager General Administration screen will be displayed in the browser and will look similar to Figure B.

Using Web Manager

You are given the following four choices under the General Administration heading:

1. Admin Preferences will provide you with Web Manager administration functions. You can turn on/off SSL, shut down Web Manager, change the IP port, set logging options, and view access and error logs.

2. The Global Settings section allows you to select where you obtain directory service. Your choices are Local database, LDAP directory server, and NDS.

3. The Users and Groups section provides you with rudimentary NDS management capabilities. NetWare Administrator still has much more functionality, but this utility works well for making basic changes.

4. Cluster Management provides you with basic cluster administration capabilities.

Navigation

You can return to the Web Manager General Administration screen by clicking the Server Administration link in the upper-right corner of any of these screens. From the Web Manager’s main page, you have access to each of the Web servers installed on the network, as well as the NetWare Management Portal and NDS management. If a server is running, the On button will be lit, and if the server is stopped, the Off button will be lit. Clicking these buttons will either stop or start the

You can access the Web server configuration screens by clicking the button located next to the On and Off buttons. The file server name that is displayed on the button indicates where the Web server is installed. The Web server configuration pages are easy to navigate and provide you with excellent functionality.

The most exciting feature of the NetWare Web Manager is the ability to access it from virtually any workstation on the network, regardless of the client software that’s running on the computer. Thus, if you are working in a remote area that has an NT domain, you can still manage your NetWare server. A traveling administrator will love the easy access and powerful capabilities of the NetWare Web

Figure A
The Web Manager screen enables you to restart and shut down the Web Manager.

Figure B
The Web Manager General Administration screen enables you to perform administrative

Believe it or not: A Linux VPN without
kernel recompilation
Oct 26, 2001
By Jack Wallen, Jr.

You read correctly. Until today, I would never have believed it myself. Having dealt with the likes of FreeS/WAN and PoPToP, I know how difficult it can be to have to recompile a kernel, attempt to load in the proper modules, and then (and only then) hope the application will work with both your client and your VPN server.

Just when you thought it was unsafe to tread the VPN waters, along comes Cisco to save the day for Linux client users. The new Cisco vpnclient is not only amazingly simple to use, but it’s also secure and reliable. In this article, I’ll install, configure, and run an instance of Cisco’s new vpnclient for Linux.

How to obtain and install vpnclient

This VPN client package is included in the VPN Solutions package and supports the Intel version of Red Hat Linux 6.2 (or glibc >= 2.1.1-6 libraries) using kernel >= 2.2.12. Unfortunately, you can’t get this package without buying the VPN Solutions package, but it’s well worth the purchase if you want both a rock-solid VPN server and a killer client.

The first step of the installation is to unpack the package. The release I tested was vpnclient-linux-3.0.8-k9.tar.gz. To unpack this file, run the command:

tar xvzf vpnclient-linux-3.0.8-k9.tar.gz

which will create a new directory called, simply enough, vpnclient.

The next step is to cd into the newly created directory with the command:

cd vpnclient

Now you’re ready to run the install. The installation of this package is quite simple. As root, run the command:

vpnclient_init

You’ll be asked a few questions regarding the location of your kernel source, where you would like the executable binary file to be placed, and whether you’d like the VPN service to start at boot time. It’s that simple.

Once you’ve installed the application, start the VPN service with this command:

/etc/rc.d/init.d/vpnclient_init start

Configuration

Configuring Cisco’s vpnclient can be tricky if you’re not sure where to put the configuration. When you install the application, you’ll notice a sample.pcf file in the vpnclient directory. (All user profiles must have the .pcf format.) This file is what you’ll base your configuration on and is also mirrored in the /etc/CiscoSystemsVPNClient/Profiles/ directory. The latter file is the one that the application actually uses. The file is laid out in the MS Windows .ini format, which is similar to other Linux configuration formats, such as smb.conf. It looks like this:

[main]
Description=sample user profile
Host=
AuthType=1
GroupName=monkeys
EnableISPConnect=0
Username=chimchim
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=0
CertStore=0
CertName=
CertPath=
DHGroup=2
ForceKeepAlives=0

The minimum configurations you’ll need in your .pcf file are [main], Host, AuthType, GroupName, and Username. The [main] configuration simply demarcates the main section of the
configuration file. The Host option sets the IP address (or URL) of the VPN server. The AuthType configuration is set to either 1 (pre-shared keys) or 3 (digital certificate that uses an RSA signature). The GroupName is the name of the IPSec group used on the VPN server. The Username is the string that identifies the individual user.

Other configuration options that can be added are:

- UserPassword: This is the password used for authentication.
- SaveUserPassword: A 0 means the password is displayed in clear text in the profile, and a 1 means the password is encrypted within the profile.
- EnableNAT: A 0 disables NAT, and a 1 enables NAT.

Once you’ve changed these configurations, save the file and you’ll be ready to start up the application.

Establishing a connection

Establishing a connection with Cisco’s vpnclient is very simple. Let’s say you’re using the profile named Mooch.pcf. To bring up a connection with this profile, you’d run the command (as root):

vpnclient connect Mooch

Depending on your profile configuration, you may be asked for the following:

- Group Password
- User Name
- User Password
- Domain

Eventually, your client will establish a connection with the server, and your command prompt will not come back to you. You can kill this running connection in two ways. The first method is to open another console, su to root, and run this command:

vpnclient disconnect

The second method is to press [Ctrl]C. This assumes the console window running the command has focus. If that particular window does not have focus, put your cursor in the window and click the left mouse button. The client will disconnect from the server with either of these methods.

Client statistics

The vpnclient application comes with a statistics command that allows you to view information about your connection. The command syntax is:

vpnclient stat [reset] [traffic] [tunnel] [route] [repeat]

The arguments offer the following information:

- reset: Restarts all connection counts from
- traffic: Displays a summary of bytes
- tunnel: Displays IPSec information
- route: Displays configured routes
- repeat: Keeps a visible, continuously refreshing display of various statistics, including reset, traffic, tunnel, route, and repeat

Hurdles

What would a network administrator’s job be without hurdles? Actually, Cisco’s vpnclient tool has only one small hurdle to get over. When running any sort of security protocol, such as ipchains or iptables, the vpnclient can cause the Linux kernel to lock up tight. A couple of situations cause this problem. The first is when you have CONFIG_NETFILTER enabled in your kernel. If you have this enabled, you’ll have to recompile your kernel and disable CONFIG_NETFILTER. If you’re not sure whether CONFIG_NETFILTER is set, you can run the following commands:

cd /usr/src/linux-2.4.2/arch/i386
grep CONFIG_NETFILTER defconfig

If you see this line:

# CONFIG_NETFILTER is not set

then you are good to go.

The second situation arises when you’re running any sort of firewall on the client machine. For stability’s sake, you’ll want to shut down your firewall, flush both the input and the output chains, change your input policy to ACCEPT if it’s set to DENY, and then start your connection.

To make this task quicker, I whipped up a shell script that, when run as root, drops the firewall, changes the input policy, and starts the

VPN connection. The script looks like this (using the Mooch connection configuration):

#!/bin/sh
# Flush every ipchains rule, set the input policy to ACCEPT, then dial the VPN.
/sbin/ipchains -F
/sbin/ipchains -P input ACCEPT
vpnclient connect Mooch

I saved the file in the /etc/rc.d/ directory with the name vpn_connect. To start the VPN connection, I ran this command:

The connection started without locking up the machine. Simple.

After your connection is made, you won’t have to bring your firewall back up until the session is over. This assumes that you trust everyone on your VPN network. If you do not trust everyone on your VPN network, use caution when trying to start a firewall on the host machine of the vpnclient application.

After gaining a secure connection to TechRepublic’s Cisco VPN server, I ran my ip_chains_script, only to watch the machine soundly lock up after the first few packets passed through. The takeaway? Don’t worry about your firewall while you’re using Cisco’s vpnclient; it will only leave you rebooting your machine over and over.

It’s about time Linux found itself with a simple-to-use VPN solution. I’ve used this vpnclient to connect to TechRepublic’s Cisco VPN server, and it works like a charm. Other than the one firewalling issue, it performs flawlessly. Kudos to Cisco for finally offering a multi-platform VPN solution that any mid-level computer user can set up and run.
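The profile rules the article lays out for the .pcf file (the [main] section, the minimum keys Host, AuthType, GroupName and Username, the two AuthType values, and the SaveUserPassword setting) can be checked before the profile is dropped into /etc/CiscoSystemsVPNClient/Profiles/. The following checker is an added example, not Cisco’s code or the author’s; the sample profile, its hostname and password, and the function names are constructed for illustration.

```python
"""Check a Cisco vpnclient .pcf profile against the rules described in the article.

Added example (hypothetical helper names, not part of Cisco's vpnclient):
the profile is .ini-style, so configparser parses it; the checks cover the
minimum keys, the documented AuthType values, and clear-text password storage.
"""
import configparser
from typing import Dict, List

# Keys the article says every profile needs, and the AuthType values it documents.
REQUIRED_KEYS = ("Host", "AuthType", "GroupName", "Username")
AUTH_TYPES = {"1": "pre-shared keys", "3": "digital certificate (RSA signature)"}

# Constructed sample profile modelled on the article's sample.pcf (hypothetical
# host name and password; not a real server).
SAMPLE_PCF = """\
[main]
Description=sample user profile
Host=vpn.example.com
AuthType=1
GroupName=monkeys
EnableISPConnect=0
Username=chimchim
UserPassword=hunter2
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=0
CertStore=0
CertName=
CertPath=
DHGroup=2
ForceKeepAlives=0
"""


def parse_pcf(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [main] section with key case preserved.

    Raises ValueError when the mandatory [main] section is absent.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep "AuthType" rather than lower-casing it
    parser.read_string(text)
    if not parser.has_section("main"):
        raise ValueError("profile has no [main] section")
    return dict(parser.items("main"))


def check_profile(text: str) -> List[str]:
    """Return the problems found; an empty list means the profile is usable."""
    try:
        main = parse_pcf(text)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []

    # 1. Minimum configuration: every required key present and non-empty.
    for key in REQUIRED_KEYS:
        if not main.get(key, "").strip():
            problems.append(f"{key} is missing or empty")

    # 2. AuthType must be one of the two values the article documents.
    auth = main.get("AuthType", "").strip()
    if auth and auth not in AUTH_TYPES:
        problems.append(f"AuthType={auth} is not 1 (pre-shared keys) or 3 (certificate)")

    # 3. Certificate authentication needs a certificate to present.
    if auth == "3" and not main.get("CertName", "").strip():
        problems.append("AuthType=3 requires CertName")

    # 4. Password storage: per the article, SaveUserPassword=0 leaves a stored
    #    UserPassword in clear text inside the profile file on disk.
    has_password = bool(main.get("UserPassword", "").strip())
    if has_password and main.get("SaveUserPassword", "0").strip() != "1":
        problems.append("UserPassword is stored in clear text (SaveUserPassword is not 1)")

    return problems


if __name__ == "__main__":
    for line in check_profile(SAMPLE_PCF) or ["profile OK"]:
        print(line)
```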



The articles in this chapter explain some of the issues you may encounter when configuring VPN
solutions to work within a network’s existing security infrastructure. You’ll learn to troubleshoot
problems that arise when configuring VPN servers to make connections through firewalls,
routers, and proxy servers.

Configuring VPN connections with firewalls ......................................................................................159

Securing the Edge: Windows 2000 Firewall/VPN and beyond: The firewall................................162
Securing the Edge: Windows 2000 Firewall/VPN and beyond: Tuning the security ..................164
Secure Shell: Protecting data in transit..................................................................................................165
Making the most of OpenSSH ..............................................................................................................170
Protect your VPN by keeping a tight rein on passwords ..................................................................173

Configuring VPN connections with firewalls
Nov 8, 2000
By Jason Hiner, MCSE, CCNA

The process of setting up connections for a virtual private network (VPN) has been greatly enhanced and simplified by software solutions for Windows NT/2000, NetWare, and Linux/UNIX, as well as by hardware solutions offered by vendors such as Cisco and CheckPoint.

However, configuring VPN connections to pass through firewalls, proxy servers, and routers continues to bring many network administrators to their knees in exasperation and submission to the gods of the network cloud. Thus, we are going to review how to configure VPN servers to make connections in concert with your stoic network defenders.

VPN server geography

One of the first decisions a network engineer has to make when configuring a VPN server is where to place it in relation to the network’s firewall. As Figure A shows, there are essentially three options for placing a VPN server.

The most common approach is to place the VPN server behind the firewall, either on the corporate LAN or as part of the network’s “demilitarized zone” (DMZ) of servers connected to the Internet.

Geography is extremely important when configuring and troubleshooting VPN connections that pass through firewalls. It lets you know which interfaces on the firewall will need filters assigned to them to allow VPN traffic. We’ll talk about filters at length in the next section. The thing to understand about geography and firewalls is that filtering occurs on the firewall’s external interface—the interface that connects to the Internet.

As I mentioned above, the most common place for a VPN server is behind the firewall, often in a DMZ with mail servers, Web servers, database servers, and so on. The advantage of this placement is that it fits cleanly into the network’s current security infrastructure. Also, the administrator is already familiar with how to route traffic through the firewall and only has to become familiar with the ports needed by the VPN server. However, the other two options have benefits as well.

Placing a VPN server in front of the firewall can lead to greater security in some cases. Remember that a VPN allows users who are external to the network to feel like they are sitting on a machine inside the network. A hacker who hijacks a connection to a VPN server that is inside the firewall will be able to do some serious damage. However, if you have a dedicated VPN box that sits outside the firewall and that is only capable of sending VPN traffic through the firewall, you can limit the damage a hacker can do by hacking the VPN box. This option also allows you to limit the resources authenticated VPN users can access on the local network by filtering their traffic at the firewall. However, one vulnerability with this scenario is that the traffic between the firewall and the VPN server is not encrypted.

The third option is to co-locate your VPN server on the same box as your firewall. In this

Figure A
Three VPN server placements (diagrams of the Corporate LAN, the firewall, the VPN server, and the VPN client): VPN Server in Front of the Firewall; VPN Server Co-Located with the Firewall (VPN server and firewall on one box); VPN Server Behind the Firewall.
case, the VPN server is still logically behind the firewall, but depending on its capability and utilization, it can complement a firewall very well, since both are essentially performing routing functions. This works nicely, since in most businesses, firewall/proxy services use more resources during the daytime hours, and VPN services use more resources during the evenings. However, keep in mind that having multiple services functioning on one box always involves management and troubleshooting challenges.

Understanding firewall and filter functionality

There are two types of filters and three types of firewalls to be aware of when configuring VPN connections. Filters come in two basic flavors:

- Packet filtering
- Application filtering

A firewall can engage in packet filtering, application filtering, or both. Filtering involves accepting or denying TCP/IP traffic based on source and destination addresses of packets, TCP/UDP port utilization and other TCP/IP header information, and specific user and computer details in advanced firewalls.

Packet filtering

A packet filtering firewall merely examines traffic at the network layer (Layer 3 of the OSI reference model) and accepts or rejects it based mainly on source and destination addresses. Although a packet filtering firewall can do some blocking based on TCP and UDP port numbers, in most cases, it isn’t the best solution. However, packet filtering does provide speed, simplicity, and transparency.

Another important VPN troubleshooting tip deals with network address translation. If the Internet router or any router between the firewall and the VPN server is providing NAT, it will probably break the VPN tunnel and cause your connection to fail. The VPN server should have an Internet IP address on the external interface and not an internal IP address assigned by a DHCP server or hiding behind NAT. Most of the time you will get this Internet IP address from a subnet assigned to you by your ISP.

A packet filtering firewall is usually placed on a router and is managed through basic access control lists, which can be challenging to configure and manage. Here’s a common VPN problem to watch out for: Many administrators set up their VPN servers, configure their firewalls, and discover that they still can’t connect. They eventually realize that the ACL on their Internet router is filtering the VPN traffic and dropping the packets.

Application filtering

An application gateway firewall involves what is commonly known as proxy services and functions at the higher layers of the OSI reference model. This type of firewall offers more extensive, customizable features, such as user-level access control, time-of-day access control, and advanced auditing and logging.

It typically readdresses traffic so that it looks like it’s coming from the firewall rather than from the internal machine. In this manner, these firewalls act as a “proxy” on behalf of the internal network instead of providing a direct connection between internal and external networks, as you have with simple packet filtering firewalls. It also focuses on managing and controlling access to TCP/IP applications such as FTP, HTTP, rlogin, and so on.

Packet filtering and application filtering

Stateful inspection firewalls combine packet filtering and application filtering. They also employ a more secure firewall technique called dynamic packet filtering. With regular packet and application filtering, a port such as port 80 for HTTP is opened by the firewall and remains open for incoming and outgoing traffic. This presents a network vulnerability that hackers can exploit.

However, stateful inspection firewalls open and close ports as they are needed for traffic, drastically decreasing vulnerability to external attacks. Most popular firewalls, such as Microsoft Proxy Server 2.0, Network Ice’s ICEpac, and the leading UNIX solutions, use dynamic packet filtering.

Allowing VPN traffic

Now that you can see how various firewalls function, hopefully you can identify several

places on your network where your VPN connection could be tripped up. Let’s see what filters you need to set up on these firewalls in order for VPN traffic to pass through them. In terms of protocols, we’ll cover VPN connections made using PPTP or L2TP over IPSec. We will begin with VPN filters at Layer 3 of the OSI reference model and work our way up to Layer 7.

When we look at receiving VPN traffic at Layer 3, we need to examine both the router that provides Internet access and the VPN server’s external interface. In some cases, the VPN server may have an external interface that connects directly to the Internet, such as an ISDN adapter. The router and/or the VPN external interface must be configured to accept TCP/IP connections from the VPN clients and/or VPN servers that will be connecting to it from the Internet. Thus, the access control lists (which manage filters at Layer 3) must be configured to allow incoming traffic from the IP addresses of these clients and servers. For remote VPN servers that are connecting, this will probably be a real IP, which will be easy to configure. However, for remote clients who are probably using a dial-up connection to an ISP and getting a different IP address each time, this is more challenging. If you have a restrictive IP access policy in place, you can get the range of IP addresses this client could use from his or her ISP or figure it out by deduction after a few connections. The other option is to allow access to all IP addresses by default and let upper-level filters accept or deny their packets based on application criteria.

When we get to Layer 7 (the application layer), we need to look at setting up filters to allow PPTP or L2TP with IPSec traffic based on the ports that they use. PPTP uses TCP port 1723, as well as IP protocol ID 47 for GRE (generic route encapsulation) tunnel maintenance. For the most part, if you are using a commercial firewall solution, you’ll need to worry only about setting up the PPTP

yourself servers, such as Linux, you’ll need to be aware of the GRE port. Microsoft solutions such as Proxy Server 2.0 and the forthcoming Internet Security and Acceleration Server 2000 have predefined “PPTP receive” and “PPTP call” filters. These generally work pretty well.

Remember, you’ll need to be aware of the geography of your VPN server in relation to your firewall. For example, if your VPN server is behind your firewall, which connects to the Internet via a Cisco router, and you are receiving connections only from individual VPN clients (and not from remote servers), you’ll set up a firewall filter to accept incoming traffic on port 1723 or simply select the predefined “PPTP receive” with a Microsoft solution. You’ll also need to go into the Cisco router and make sure that there are no access control lists filtering the VPN traffic.

As for L2TP with IPSec, the same principles apply, but it uses UDP port 1701 for L2TP and UDP port 500 for IPSec’s IKE (Internet key exchange). IPSec also uses IP Protocol port 50 for ESP (encapsulation security payload)—the equivalent of GRE for PPTP—but it doesn’t require a filter because the ESP header is typically removed by IPSec during routing before it hits the firewall.

Conclusion

Hopefully, the principles we reviewed here will enable you to better understand where your VPN connection could be running into snags in connecting through firewalls, proxy servers, and routers. We didn’t try to provide a step-by-step how-to on configuring firewalls and filters because of the vast configuration differences in the various hardware and software platforms, as well as the myriad different network topologies that are possible. However, you should be able to locate information on configuring filters and access control lists for your specific hardware and software platforms on the vendors’ Web sites. It also wouldn’t hurt to offer a sacrificial NIC or 100baseT
filter for port 1723. But if you’re working with cable to the networking gods before attempt-
more complex firewall systems and do-it- ing your configuration.

Security 161
Securing the Edge: Windows 2000 Firewall/VPN and beyond: The firewall
Jul 25, 2001
By Robert McIntire

While companies continue to spend money on higher speed Internet connections, it's only reasonable that they should expect more for their budget dollars. In an effort to stretch those dollars, many companies are implementing VPNs for remote access by employees. Also, they are escalating the security on these connections to ensure that only those who should have access can actually gain access to their private networks.

Although it may seem overly ambitious, we'll be tackling several different yet related issues in this article. The overall topic is a case study of a recent networking project in which I was involved. The general idea was to upgrade the client's Internet security and provide for VPN remote access. Additionally, the remote clients would then be connecting to a terminal server inside the firewall on the LAN. As if this weren't enough, we also had to address secure authentication schemes in a rather custom fashion. We were fortunate to find that Microsoft provided many of the features and options that we required to complete this project. You'll see that, with a little ingenuity and a bit of customization, you, too, can secure your network.

Firewall upgrade process
In this first part, we'll address the primary piece in this puzzle: the firewall upgrade. Fortunately, the client had decided to upgrade from MS Proxy Server 2.0 to MS Internet Security and Acceleration (ISA) Server 2000. This fairly new product is actually a combined firewall and cache server and is certified by ICSA. At the time of this writing, you can download a time-limited evaluation copy from the Microsoft Web site ( isaserver/evaluation/demonstration/). Now, with the plugs out of the way, let's turn our attention to the installation considerations.

Since Internet connectivity had to be maintained throughout the process, we decided to install a new server rather than performing the MS upgrade process on the previous Proxy server. The LAN clients needing Internet access would not be interrupted during our upgrade, as the old system would stay online until the new system was installed and tested. At that point, the LAN clients' browsers would simply need to be changed to point to the new proxy server. Fortunately, the client already had a service network set up at the Internet router with enough free public address space to accommodate both gateways simultaneously. We installed two NICs in the new server, one for the Internet connection and the other for the internal LAN. Both NICs were statically addressed with appropriate addresses for the respective networks.

When configuring the internal NIC, the WINS and DNS info were provided, but the default gateway was left blank. This is standard operating procedure when configuring most firewalls: the host gets exactly one default gateway, on its external interface, and reaches internal networks through explicit routes. Microsoft required that Service Pack 1 be installed prior to the ISA software. We decided to apply Win2K Service Pack 2, as it was the most current at the time. Then we installed ISA. (You have the option of installing just the firewall, just the caching server, or integrated mode, which includes both functions.) We chose to install it on a member server so that we could utilize some of the domain-based features to control content access. Be aware of the trade-off: a domain-joined firewall carries domain credentials on the edge host, so it must be patched and hardened as carefully as a domain controller. During the install, you'll be asked several questions. We went with the default values, as most of them seemed appropriate (and we could change them later, if necessary).

After completing the installation, we checked for product updates on the Microsoft ISA site. There was a security alert with a patch, which we then applied. Although Windows 2000 doesn't seem to require a restart after such operations, we recommend it after

installing the firewall software, as well as any other OS patches. Essentially, the ISA install did several things on our system. For one thing, it installed and configured RRAS and packet filters to allow only some basic ICMP packets. Basically, it adheres to a deny-all model (except for ICMP). The one oddity about this is that the default installed filters seem to allow pings from internal clients to pass through the firewall but do not allow a response to outside sources attempting to ping the external firewall interface. This may be a bit of a problem when testing connectivity with your ISP.

Configuring the firewall
After the initial installation was complete, it was time to perform any custom configuration for this site. We needed to allow traffic appropriate to the client's site (e.g., HTTP, HTTPS, FTP). You'll want to check the routing tables on your server after the installation is complete to ensure that no unexpected routes have been added. Locally speaking, you'll want to verify the LAT (local address table), especially if you allowed the install process to generate it: every address range listed in the LAT is treated as internal and trusted, so a stray public range there would punch a hole in the firewall. It's automatically set up to perform logging, so you'll want to make sure that enough disk space is available to do so. You may also want to consider a separate hard drive for logging.

The first thing we did to configure our firewall was to create an opening for basic Web and FTP traffic. To do so, we created a group of users by internal IP address range. We then created a rule allowing the aforementioned traffic and associated our group with the rule. Now that we have client access on the outbound, let's look at how we can provide basic inbound access. You can push e-mail through ISA to your internal SMTP server and allow external Internet clients access to internal Web servers. In Microsoft terminology, this is known as publishing. Once you publish your e-mail server, you'll be able to receive e-mail from the Internet. There are also packet filters included that you can activate to funnel SMTP and WWW traffic.

Testing the firewall
At this point, we wanted to ensure both connectivity and security. We made sure that internal clients could ping Internet sites by address and name. This ensures that NAT is working correctly and that connectivity and name resolution are functioning properly. After this, we used a port scanner to check security at the external interface. After scanning it, we felt very good about the product, as it seemed to be a black hole for TCP/IP packets. The only things that passed were specifically what we had allowed. Keep in mind that a scan from outside only shows what the firewall accepts on its own interface; it says nothing about what the rules let out, so test outbound restrictions from an internal client as well.

Conclusion
The good thing about ISA Server 2000 is its familiarity, as it seems quite similar to Proxy Server 2.0. However, it is a true and tested firewall platform, unlike Proxy Server. Unfortunately, the ISA server appears to provide no facility for printing a configuration report. Microsoft does provide the ability to save the configuration to a proprietary file type to use in case a restoration of your ISA server is necessary. All in all, the installation process is easy and straightforward, and the default configuration appears solid.

Securing the Edge: Windows 2000 Firewall/VPN and beyond: Tuning the security
Jul 30, 2001
By Robert McIntire

In the article "Securing the Edge: Windows 2000 Firewall/VPN and beyond: The firewall" (page 162), we took an initial firewall installation a step further and implemented a client access VPN. We implemented authentication but, due to client requirements, we then had to go above and beyond. The client's concerns about strong authentication led us toward several potential solutions.

Extra strength authentication
One of the additional parameters designated for securing the VPN was an extra level of authentication. The client company wanted not only the usual domain logon but also a separate remote logon. We could have chosen to use RADIUS (IAS, in Microsoft speak) to authenticate users. In so doing, we could actually create the remote users in a local database on the IAS server, rather than having the IAS server refer to the domain database for user verification. That would provide for the remote logon, and then users would actually log on to the domain during the second part of the connection process: the terminal server session.

Another option that was considered was to perform the remote logon by having users log on locally to the actual VPN server using a specific remote access account. In so doing, they would not be exposing the domain logon process to prying eyes. At worst, exposure would be limited to the VPN system. We experimented with these and several other combinations until we realized that we were looking at things from the wrong angle. We shelved these as secondary options because they didn't really give the client what they were looking for.

It turns out that the reasoning behind the extra level of authentication stemmed from an underlying issue. The client was concerned about users sharing passwords for remote access. Now that the cat was out of the bag, we began to move in the right direction. We assisted the client in writing a security policy that addressed the issue, but we all agreed that the best manner in which to implement it was at the system level. The bottom line was that we had to authenticate the physical computers gaining access to the VPN; a second password would not help, because a shared password can simply be shared again, whereas a credential bound to the machine stays with the machine. After this initial computer authentication process, the remote PC would be connected only to the actual VPN system. From there, the user would need to connect to the terminal server inside the VPN/firewall perimeter. To do so, the remote user would run the terminal client and enter the IP address of the internal terminal server. When connecting to this server, they would then be confronted with the actual domain logon. At this point, we had satisfied the security constraints set by the client, at least on paper. Now, how did we implement this model?

Verifying the computer
The overriding concern when considering how to verify the computer identity was whether or not we wanted to deal with the complexity of implementing MS Certificate Services. This service is now provided with Windows 2000. With it, you can generate your own certificates for verifying user and computer identity. To do so, we would have to create our own root certificate authority (CA) and then a subordinate CA. Then the issue would arise about which servers to install it on.

Since it's a good idea to secure the root CA, we decided to install it on a domain controller well inside the network. Some experts recommend taking the root CA offline so that there is no chance of compromise, but we didn't have the luxury of an extra server. (The reason for the offline root is that if its private key is ever compromised, every certificate it has issued, directly or through the subordinate, has to be treated as untrustworthy.) The subordinate CA was installed on the terminal server. When deciding to use Certificate Services, we had to determine how to use it in a productive manner, yet provide only the features

we needed. With the myriad of features and options available with MS Certificate Services, this was no small task.

Eventually, we chose to install the CA as a standalone CA. This configuration is normally used for issuing certificates to external clients, and although the certificates were not external to the company, we wanted to treat them as such during the initial connection process. Then we requested and issued certificates for each remote client and the VPN server. Microsoft provides a Web interface for CA servers that allows other systems to request certificates by simply connecting to the CA via a browser using the http://ca_server_name/certsrv URL. After installing the certificates, we next had to modify the authentication method at the VPN server. Extensible Authentication Protocol (EAP) is what carries certificate-based authentication over the VPN connection and thus had to be configured. On the VPN system, we had to change the authentication method in the remote access policy that was created by the VPN setup wizard. Under the RRAS console, we simply edited the profile to include EAP and then did the same in the local system properties (within the Security tab). At that point, we configured our test client to also use EAP under the VPN connection icon's properties. Then came the moment of truth. We tried to connect and were immediately rejected. After double-checking the details (and Microsoft Knowledge Base article Q259880), we made a few adjustments and successfully connected.

Conclusion
Keep in mind that this was not the only way to fulfill the need for Internet access and security. At each juncture in this overall process, we had several options. One option was to use an external CA like VeriSign. In this way, we would have an internal CA that chains to an external root CA provider for certificate verification. Then again, we could have chosen to use IAS for RADIUS authentication. But, given the client's specifications and preexisting constraints, things turned out well as the project evolved.

Looking back over the scope of the project, I would make only a few recommendations. Among these, I highly suggest supplementary documentation, like the Windows 2000 Resource Kit. Unfortunately, the Microsoft Web site is a little thin on specific information regarding custom configurations like these. And the Windows 2000 Help system does not provide the depth needed to effectively complete such a project. Last but not least, plan it carefully. If you specify all of the needs and requirements before you start the implementation phase, it'll make the process much smoother.

Secure Shell: Protecting data in transit

Mar 3, 2000
By Vincent Danen

If you're a network or systems administrator, one of your top considerations for any computer should be security—whether it's local security or network security. Since Linux is a networked operating system by design, chances are that the computer is being used in a network environment as a simple firewall or as a server providing such services as HTTP, FTP, and Telnet.

Why Secure Shell?
Often, it's convenient to administer remotely, and Linux supports remote administration.

With such programs as Telnet and rlogin, an administrator staying at home can work on and configure a remote Linux machine at the office across the Internet. With more and more companies choosing Linux as a server, as a component of their Internet sites, or even as their gateway to the Internet, remote administration happens all the time.

Linux can be made very secure. With a little bit of work and through the use of firewalls, IP masquerading, and TCP Wrappers (which prevent unwanted guests from reaching services), you can make a computer that runs Linux highly resistant to attacks across the Internet. Unfortunately, the same cannot be said about the Internet itself.

Most protocols transmit data in clear-text format, which means that there is no encryption or "scrambling" of the network data. Anyone who's curious can "listen" to your network traffic as it goes from point A (let's say the system administrator at home) to point C (the server at work). Because of the nature of the Internet, without a direct dial-in connection to your server, your network traffic will probably be routed through point B (a host out on the Internet) or even multiple point Bs. It's possible that you'll have a few, or even a few dozen, hops between your system and the one you're trying to reach. To find out how many hops exist between you and any given destination, give the program traceroute a try (which is usually located in /usr/sbin). It will tell you how many hops and how long a delay between hosts it will take to reach your final destination.

Keep in mind that, if there are a dozen hops to the machine you're trying to reach, there are also a dozen points of interception. Anyone with a packet sniffer or other network-monitoring tool on one of those hops can see and intercept your network data. If this is the case, not only can they view your network data, but they can keep a local copy of it, view it later, and possibly glean passwords from it. If you think that you are protected just because you require a password for access, think again. Once this type of interception occurs and someone has obtained a user password to your system, your entire system could become compromised. As regular users, they may not get very far, but once they have access to your system, there are a number of holes they may exploit, such as programs that run with the setuid or setgid bit set (often as root). They may even make attempts to learn the root password of the system. Once an unwanted guest has access to your system, you should view your entire system as compromised. What if they installed a packet sniffer or keyboard monitor on your system? The root password could then be obtained quite easily. But by then, it's too late. You can plug the hole and change the user's password, but the exposure has already occurred. Your system is compromised. The best way to deal with this situation is to prevent it from happening in the first place. Clear-text transmission is fundamentally a bad idea, and it should be avoided like the plague. Conscientious system or network administrators should avoid it even on local networks. The Internet is not the only place that harbors curious individuals.

Just what does Secure Shell do?
To guard against this vulnerability and to protect your day-to-day network data, I highly recommend installing and using Secure Shell (SSH). SSH is a client/server suite of programs that encrypts data prior to sending it and decrypts it once it is received. Every packet in transit, whether across a local LAN or from point A to point C in the above illustration, is encrypted and safe from the packet sniffers and other network monitors that expose the traffic of Telnet and similar programs. SSH is a suitable replacement for programs like Telnet, rlogin, rsh, rcp, and rdist. SSH was designed to provide strong authentication and secure communication over insecure networks (as the SSH protocol specification puts it).

Secure Shell supports a number of encryption algorithms, such as:

• Blowfish: A 64-bit block cipher with a variable-length key, developed by Bruce Schneier
• Triple DES: Three passes of the Data Encryption Standard, a block cipher developed in 1974 by IBM and used by the U.S. government for encrypting nonclassified data

• IDEA: The International Data Encryption Algorithm, a block cipher that operates with a 128-bit key
• RSA: The Rivest-Shamir-Adleman algorithm, a widely used public-key cryptosystem, which SSH uses for host and user authentication and to protect the exchange of the session key rather than to encrypt the session itself

SSH's multi-algorithm support is quite extensive and user-definable. If you feel more comfortable using IDEA than Blowfish or Triple DES for the session, you can select it as the cipher without changing how SSH works.

Besides providing encryption for network data, SSH can also be used to protect against IP spoofing, which occurs when a remote host sends out packets that pretend to come from another (trusted) host. It can protect against IP source routing, in which the sender dictates the path a packet takes, a trick an attacker can use to pose as a trusted host. It protects against DNS spoofing (when an attacker forges name server records). It prevents manipulation of data by people in control of intermediate systems (the hosts through which IP packets "hop"). And finally, it can also protect against attacks based on listening to X authentication data and spoofed connections to an X11 server. In each of these cases the protection comes from the same place: the client verifies the server's host key before it sends anything sensitive, and the session is encrypted and integrity-protected, so an impostor or a tamperer cannot pass as the real host without that host's private key.

Despite all of this functionality, using SSH for remote connections does not require an enormous learning curve. Using it is quite similar to using simple Telnet. Authentication and session encryption are completely transparent, and there is no apparent slowdown of information in transit beyond perhaps the seconds when the session authenticates.

How does it work?
SSH is a suite of programs designed to secure connections between two computers, one as client and one as server. To accomplish this task, it comes with a number of programs, including the client program, ssh. The client program is very much like a Telnet client in every respect, and it allows you to perform any console-based commands on the server. The server itself, sshd, listens on TCP port 22, and when it receives a connection request from a valid SSH client, it starts a new session. There is also a copy program called scp. Secure Copy provides a secure means to copy files from one machine to another, much like the rcp program. Since SSH can use keys to authenticate between client and server, it includes some key management programs like ssh-add, which registers keys with the ssh-agent program. The agent holds your decrypted private key in memory and answers authentication challenges on behalf of the ssh client, so you type your passphrase once per session and the private key itself never leaves your machine. Finally there is ssh-keygen, which is the key generator for SSH. It generates the RSA key pair that ssh and ssh-agent use to authenticate you, locally and remotely.

As you can see, SSH can offer a complete replacement for insecure programs like Telnet and rlogin. In its most basic form, SSH provides a method to secure remote logins and in-transit data and provides a way to protect files and documents transmitted from one machine to another. SSH is, however, quite versatile and can be used for more than that task alone. SSH can be used as an effective "tunneling" mechanism and can secure far more than just remote logins and file transfers. The only catch is that, because SSH is client/server-based, both the remote host and the local machine must use SSH. SSH for Linux is a freely available program. You can obtain the binary programs from ZEDZ ( redhat/i386) or the source code itself from the SSH site ( The benefits to compiling your own version of SSH are the various options that you can set during compilation and that you can customize to secure your network further. A number of the compilation options can be set in the configuration files if you choose to go with a binary distribution.

An important configuration option that can be specified only at compilation is whether or not SSH will use TCP Wrappers. There are two different schools of thought on this issue, but it boils down to how your system is configured and how you want to customize things. SSH can be independent from the rest of your system in terms of which hosts are allowed to connect, or it can use TCP Wrapper support,

which enables SSH to allow and disallow connections based on the hosts defined in /etc/hosts.allow (specified authorized hosts) and /etc/hosts.deny (specified unauthorized hosts). TCP Wrappers is an excellent security tool that works similarly to a firewall. The two configuration files are used to select services and to authorize or "unauthorize" specific hosts or domains from using those services. The order of evaluation matters: a connection that matches hosts.allow is accepted, one that matches only hosts.deny is refused, and one that matches neither file is accepted, so a restrictive setup puts ALL: ALL in hosts.deny and lists the exceptions in hosts.allow. SSH can use this tool, or it can use its own form of allow/deny authorization (when compiled without TCP Wrappers support).

What are the specifics?
Once you've decided which method you're going to use (source or binary) and you have installed SSH, the suite of programs will become available to you. To any systems administrator, I recommend disabling all running Telnet servers completely. This can be done by commenting out the telnet line in /etc/inetd.conf so that the inetd super-daemon will never start a Telnet session when an incoming request on TCP port 23 is received. By the same token, you should also disable the rlogin and rsh suite of programs (rshd, rlogind, rexecd, and rexd). The system will not be secure until all of these programs are disabled or, preferably, removed completely. Remember to send inetd a HUP signal after editing the file, since inetd reads its configuration only at start-up or on HUP, and confirm with netstat that the ports are really closed.

You can then decide whether sshd will be a persistent service (started on its own and continually running) or whether inetd will start it upon request. If you want inetd to start the SSH daemon when required, add the following line to your /etc/inetd.conf (if you have TCP Wrapper support enabled):

ssh stream tcp nowait root /usr/sbin/tcpd sshd -i

or, if you have TCP Wrapper support disabled:

ssh stream tcp nowait root /usr/bin/sshd sshd -i

(Adjust the path to wherever your sshd binary actually lives.) There is little real benefit to running sshd from inetd. The SSH daemon does not take much memory or CPU when idle, so there is no need to worry about wasted resources if it is not used very often. The side effect of using inetd, however, is that SSH must generate a server key prior to responding to the client, and this action can take a few seconds because it has to generate the key immediately before it can authenticate a session. Consequently, the session initiation will take a few seconds longer than necessary. Normally, sshd keeps a generated RSA server key in memory so that it can respond to client requests immediately. The server key is usually regenerated hourly (which can be changed in the configuration), and it is never written to disk, so a recorded session cannot later be decrypted with a key recovered from the file system. Because of this added security, running the daemon stand-alone is recommended.

There are a number of other options that can be used by the SSH daemon on the command line. These options include the number of bits to use in the server key (by default, it's 768 bits), how often sshd regenerates the server key (by default, it's once an hour), alternate ports to listen to (by default, it's TCP port 22), and more. The configuration file for the daemon, /etc/sshd_config, permits more options to control how the daemon operates.

The SSH client program, ssh, also has a number of command-line options, as well as its own configuration file, /etc/ssh_config. Some of the options on the command line allow you to select which cipher (encryption method) to use, which user to log in as (if not the current user), and so forth. It will connect to the remote SSH server and initiate an interactive Telnet-like session. In fact, it is so transparent that, beyond the login, you will think that you're sitting in front of the server itself.

The Secure Copy program should be used whenever you need to transfer a file from one machine to another. It is not an interactive copying program, like FTP, but it's very similar to the cp program that's used locally. It allows you to select which cipher you want to use on the command line, but it uses its own syntax to name remote files. The syntax is:

scp user@host1:[/path/filename] user@host2:[/path/filename]

or, when one side is the local machine, it can be abbreviated to

scp [/path/filename] user@host2:[/path/filename]

SSH can also be used as a tunneling program to create rough Virtual Private Networks or to allow remote users to access a remote
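The inetd.conf and TCP Wrappers steps above, as an added example that is not from the article: a POSIX shell script that works on constructed copies of /etc/inetd.conf, /etc/hosts.allow and /etc/hosts.deny in a scratch directory (the sample service lines and the addresses 192.168.1.x, 198.51.100.7 and 203.0.113.9 are mine), comments out the clear-text login services, appends the sshd-via-tcpd line, and emulates tcpd's allow-then-deny decision so you can see what the files actually permit before touching the real ones. The emulation handles only daemon: client lists with ALL and trailing-dot network prefixes, which is all the sample files use; real tcpd also understands domain suffixes, netmasks and EXCEPT lists.

```shell
#!/bin/sh
# Added example, not from the article: harden a *copy* of inetd.conf and
# check what TCP Wrappers would decide, without touching /etc.
# Set WORK to a directory holding copies of your real files to audit them.

WORK="${WORK:-$(mktemp -d)}"

# Constructed sample /etc/inetd.conf (not taken from any real system).
make_sample_inetd() {
    cat > "$WORK/inetd.conf" <<'EOF'
# service socket proto  wait    user  server          args
ftp     stream  tcp     nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root  /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root  /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root  /usr/sbin/tcpd  in.rlogind
exec    stream  tcp     nowait  root  /usr/sbin/tcpd  in.rexecd
EOF
}

# Comment out telnet and the r-services (rsh/rlogin/rexec appear under the
# inetd service names shell/login/exec) and add the sshd-via-tcpd line
# from the article.  Already-commented lines are untouched; ssh is added
# only if no ssh line exists yet.
harden_inetd() {
    f="$WORK/inetd.conf"
    sed -E 's/^(telnet|shell|login|exec)[[:space:]]/#&/' "$f" > "$f.new" && mv "$f.new" "$f"
    grep -q '^ssh[[:space:]]' "$f" || \
        echo 'ssh     stream  tcp     nowait  root  /usr/sbin/tcpd  sshd -i' >> "$f"
}

# Names of the services still enabled, sorted, space separated.
enabled_services() {
    grep -Ev '^[[:space:]]*(#|$)' "$WORK/inetd.conf" | awk '{print $1}' | sort | tr '\n' ' '
}

# Constructed hosts.allow / hosts.deny: sshd reachable from the office LAN
# and one home address; every other wrapped service refused for everyone.
make_sample_wrappers() {
    printf 'sshd: 192.168.1. 198.51.100.7\n' > "$WORK/hosts.allow"
    printf 'ALL: ALL\n' > "$WORK/hosts.deny"
}

# Return 0 if some "daemons: clients" line in FILE matches DAEMON and
# CLIENT.  Supports the ALL wildcard and trailing-dot network prefixes.
wrap_match() {
    file="$1"; daemon="$2"; client="$3"
    [ -f "$file" ] || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$file" | while IFS=: read -r dlist clist; do
        dmatch=1
        for d in $dlist; do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then dmatch=0; fi
        done
        [ "$dmatch" -eq 0 ] || continue
        for c in $clist; do
            case "$c" in
                ALL) echo yes ;;
                *.)  case "$client" in "$c"*) echo yes ;; esac ;;
                *)   [ "$c" = "$client" ] && echo yes ;;
            esac
        done
    done | grep -q yes
}

# tcpd's order of evaluation: hosts.allow first, then hosts.deny, else allow.
wrap_decide() {
    if wrap_match "$WORK/hosts.allow" "$1" "$2"; then echo ALLOW
    elif wrap_match "$WORK/hosts.deny" "$1" "$2"; then echo DENY
    else echo ALLOW
    fi
}

# Build the sample files and harden them; run once before querying.
setup_sample() {
    make_sample_inetd
    harden_inetd
    make_sample_wrappers
}
```

The case worth noticing is the last one: with ALL: ALL in hosts.deny, a wrapped daemon that is not named in hosts.allow (in.ftpd here) is refused for everyone, including the LAN, so every tcpd-wrapped service you intend to keep needs its own hosts.allow entry. After editing the real files, remember that inetd must be sent a HUP signal before the new inetd.conf takes effect, whereas tcpd reads hosts.allow and hosts.deny on every connection.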

X11 server securely. Beyond that, however, the uses for SSH are virtually endless because of its built-in tunneling and forwarding capabilities. It can be used to provide secure RPC sessions, which are useful in securing NIS services. It can be used to run encrypted PPP sessions on top of a standard SSH session. It can also be used to communicate with outside entities from behind a firewall, because of its TCP forwarding options. It can be used to provide encrypted access to POP3 servers so that, by tunneling POP3 via SSH, you can securely download e-mail that would otherwise be transferred in clear text. (APOP, which some servers and clients support, protects only the password with a challenge-response exchange; the mail itself still crosses the wire unencrypted, so the SSH tunnel is worthwhile even then.)

To Linux and beyond
For the Linux user, Secure Shell is an excellent suite of programs. Unfortunately, in the real world, not everyone uses Linux. So, does this fact limit SSH's usefulness at all? Definitely not! Within a heterogeneous network, or even for the administrator who uses Linux as a server at work and runs Windows at home, there are SSH clients for other platforms, as well. You can obtain various commercial SSH client implementations (called F-Secure SSH) for Windows and Macintosh systems from DataFellows ( However, commercial alternatives have an associated cost. If you want free alternatives, you can take a look at some of the programs listed below.

For Windows, Tera Term Pro (http://hp. html) is useful. It is a popular Telnet client for Windows, but it doesn't come with SSH support natively. Robert O'Callahan, however, wrote an excellent SSH extension for Tera Term Pro that makes the Telnet client fully SSH-compliant. TTSSH (the SSH extension) can be obtained from the TTSSH home site ( There are also two ports of SSH (command line) to Windows from the SSH site (http:// and from Gordon Chaffee ( hnt). There is yet another SSH client for Windows in the works, and it's called Free FiSSH. It is not currently available to the public but should be soon. You can find more information on the official FiSSH site (http://pgpdist.

For Macintosh, there is NiftyTelnet, which supports SSH natively and can be obtained from Jonas Walldén (http://www.lysator.

For those who use Java, there is also a Java-based SSH client called MindTerm that can run stand-alone or within a Web browser. It would be useful for operating systems that come without a direct version of SSH but that use Java.

It should be apparent that SSH is not only a useful solution to many security issues, but almost a necessary one. SSH has been quite popular with many UNIX and Linux system administrators for years, and the ever-increasing number of clients for other operating systems proves that the usefulness of SSH is not limited to UNIX and Linux alone. Unfortunately, there are no free servers for many operating systems, so anyone who plans on using SSH needs to do so with a UNIX or Linux server. That is yet another reason for using a stable and free platform, like Linux, in a networking environment.

Security 169
Making the most of OpenSSH
Mar 7, 2001
By Vincent Danen

If you run Linux in a networked environment and don’t yet know what OpenSSH is, you have no idea what you’re missing. If you use telnet and still don’t know what OpenSSH is, then you are in dire need of a little education. OpenSSH is an open source and free implementation of the SSH (Secure Shell) protocol. With it, you can connect to computers across a network or the Internet in a completely secure fashion, with everything from passwords to the text you type encrypted. If you’ve been using telnet and have never given OpenSSH a try, you need to stop right now and try it.

This article, however, is not about how to install OpenSSH, or even about the basic uses of OpenSSH. While in its most basic form OpenSSH can be used for secure remote logins and secure copying of files to and from remote computers, there is far more that OpenSSH can do. In this article, we will explore some of the more advanced features of OpenSSH and discover how to make using it simpler and more

Key-based authentication
Typically, when you connect to a remote site, you need to supply a password. This is true for remote logins and for copying files securely. The password is required to authenticate you so that the remote system knows that you are who you say you are, and that you have appropriate access to the system.

OpenSSH also uses a key-based method of authentication, which means that you can make use of password-less connections to the remote machine. If you connect to a remote system often, this may be the best method for you to make use of, because it offers the benefit of fewer keystrokes and is just as secure as using password authentication, especially if you use strange and convoluted passwords (which you should). Using this method, you have to enter your password only once, at the beginning of your session.

The first step is to create your private and public keys. To do this, simply run the command:
ssh-keygen
This will work for any OpenSSH or SSH 1.x server. If the remote server uses SSH 2.x, you will want to run this command instead:
ssh-keygen -d
Because SSH 2.x uses a different algorithm, it will create a DSA key instead. If you connect to various servers, some using OpenSSH and others using SSH 2.x, you can run both commands. Since both keys are saved in different files, they can peacefully coexist. SSH 1.x and 2.x are both commercial implementations of SSH and are not free, unlike OpenSSH itself.

Once you have completed this command, you will have a file called /home/user/.ssh/identity and another called /home/user/.ssh/identity.pub. The first is your private key, and the second is your public key. If you use the -d option, these files will be /home/user/.ssh/id_dsa and /home/user/.ssh/id_dsa.pub.

Now that you have your keypair generated, you need to secure your private key. (If your private key ever becomes compromised, you will have to recreate your private key, so take pains to ensure it does not become so.) The easiest way is to change the permissions of the file so they are readable and writable only by you and no one else. Run the following command to change the permissions:
chmod 600 ~/.ssh/identity
This will make sure that only the user who created the keypair has access to the file. The next step is to distribute your public key to the servers you will be connecting to via SSH. This is easily done since you should already have access to the remote system. Simply copy your new ~/.ssh/identity.pub to the remote system and place it into the ~/.ssh directory on the remote system. For instance, if your user name is joe, but on the remote system it is joedoe, you will have to copy /home/joe/.ssh/identity.pub on the local system to /home/joedoe/.ssh/authorized_keys

170 Administrator’s Guide to VPN and Remote Access, Second Edition

on the remote system. Once you have done this, you must make the authorized_keys file world-readable and writable only by you by doing:
chmod 644 ~/.ssh/authorized_keys
on the remote machine. Now, the authorized_keys file can hold more than one public key. If you connect to the remote machine by multiple computers, you can include the public key for each user on those computers in the remote authorized_keys file by inserting the contents of the local ~/.ssh/identity.pub file into it.

Once this is completed, you are almost ready to begin. The next step is to make use of the ssh-add and ssh-agent programs. These programs will allow you to store your key in memory once you have entered the passphrase that ssh-keygen prompted you for. If you did not enter a password when you generated your keypair, you will still need to run these programs; you simply won’t be asked for a password. The first thing you will need to do is run the ssh-agent program using the shell’s eval command. The ssh-agent program is an authentication agent that will run in the background and seamlessly handle requests to connect to remote sites. Run the following command:
eval $(ssh-agent)
You will then see a message that displays the ssh-agent’s PID number. Once that has been printed to the screen, run the ssh-add program:
ssh-add
This program must be run in the exact same terminal that you ran ssh-agent in. It will load the key into memory and ask you for your password. Now you will be able to start SSH sessions from that terminal alone without ever having to enter your password again (until you close or log off the terminal, of course).

If you want to have this capability in all terminals you open, you will need to add the eval command to your X startup files: ~/.xinitrc if you start X from the console, or ~/.xsession if you boot directly into X. Then you can run ssh-add from any terminal, and any future terminals you open during that login will be likewise authenticated. If you want to list the key(s) that are currently stored in memory, you can do so using:
ssh-add -l
and you can also remove an identity from the memory by using:
ssh-add -d

Port forwarding
OpenSSH also provides a method to tunnel protocols securely using port forwarding. What this means is that you can create a secure connection to a remote computer and transfer files, mail, or any other TCP/IP service through the SSH connection by connecting to a local port which travels through the SSH “tunnel.” At the remote end, they will connect from the secure SSH port to the unencrypted (normal) port, and all data will be encrypted. This entire operation is seamless for your client connections. Of course, the remote server must also run SSH in order for this to work. You can easily determine whether the remote system runs SSH either by trying to use the SSH client to connect to it or by telneting to the standard SSH port (22) on the remote machine. If the connection is permitted, the remote server runs SSH. If it is denied, the remote server does not run SSH, and you will not be able to connect to it securely.

The syntax for port forwarding is as follows, and it may seem a little complicated at first glance:
ssh -f [user@remote] -L [local port]:[remote host]:[remote port] [command]
Let’s take a look at a commonly used example. Many people use SSH tunneling to retrieve their POP3 mail from their ISP or other system. By using SSH tunneling for this, you prevent people from sniffing your POP3 password, and you also prevent anyone from sniffing the contents of your e-mail. OpenSSH also provides an option to compress data, which may help you get your mail faster. To use compression, use the -C command-line option (uppercase; the lowercase -c option selects the cipher). Let’s assume for a moment that your POP3 username is joe and that your POP3 account is

located on the remote machine. To establish the tunnel, use the following command:
ssh -f -C -L 1110:[remote host]:110 joe@[remote host] sleep 10
This command will start the port forward command with compression enabled. Our login on the remote machine is joe, so we provide that as the username and the fully qualified domain name for the remote host name on the command line. We then create a tunnel from port 1110 on the localhost to port 110 (the POP3 port) on the remote host. We then run the command sleep 10 to keep the connection alive long enough for the mail client to connect to the remote server. You can basically put anything here that produces some activity, such as using tail on a log file, so that some data keeps the connection alive.

Once you execute the command, you will be prompted for your password on the remote system. Once you’ve done this, you can then point your mail client to port 1110 on the localhost to retrieve your e-mail. To take the example further, let’s take a quick look at the fetchmail program and see how you would have to configure fetchmail to make use of this SSH tunnel.

If you use fetchmail, you will be aware of the ~/.fetchmailrc configuration file that it uses. Expanding upon the example above, let’s look at a sample ~/.fetchmailrc file:
poll localhost with protocol pop3 and port 1110:
    preconnect "ssh -f -C -L 1110:[remote host]:110 joe@[remote host] sleep 10"
    password private;
And that’s it! What this does is tell fetchmail to connect to port 1110 on the local system. The preconnect command tells fetchmail to execute the command in quotes prior to making the POP3 connection to download mail. The last line provides the password for the POP3 account.

To take this one step further, combine this with the ssh-agent and ssh-add commands we looked at previously, and you will need to enter your password only once. Or you can use a BASH script similar to this, which will run fetchmail every five minutes to download mail:
#!/bin/sh
ssh-add
while true; do fetchmail --syslog --invisible; sleep 5m; done
Then you can run the following command when you log in to your system:
ssh-agent ~/bin/getmail
if you saved the above script as the executable file ~/bin/getmail.

Now let’s take a look at another use for SSH tunneling. Suppose you wanted to run X applications from a remote server and have them displayed on your local computer. This is easily done with OpenSSH as well and provides a secure way to use remote applications. The first step is to log in to the remote machine and create a file called ~/.ssh/environment, which contains the following line:
XAUTHORITY=/home/user/.Xauthority
The /home/user directory is, of course, the home directory of the remote user. Once you have done this, close the session and then start another session using:
ssh -f -X -l [user] [remote host] xterm
This will open up an xterm from the remote machine onto your local computer. (The uppercase -X option enables X11 forwarding; lowercase -x disables it.) You can do this with any application you like, such as Netscape, xchat, or an administrative program. As long as you have permission to execute the program, you will be able to run it in this manner.

Further configuration options
You can also configure OpenSSH to make it easier and more convenient for you to use. There are three ways that you can pass options to OpenSSH, and they are, in order of priority: command line, user configuration, and system-wide configuration. By default, you will not have a user configuration file, so you may want to copy /etc/ssh/ssh_config to ~/.ssh/ssh_config. To change system-wide configuration options, simply edit the /etc/ssh/ssh_config file.

The configuration file is read from top to bottom. It uses matching, so the first configuration option that matches the situation is the


one that will be used. Because of this, your specifics should be listed first and the more general options specified last.

Let’s look at a quick example: Assume that you have an account on the remote machine as the user joe. You’re using the one-time password authentication method discussed previously, and you want to simply type sh instead of the full host name whenever you connect to the remote machine. You also want to be able to use X11 forwarding to run remote applications on your local machine. However, you still want to keep the paranoid settings for every other host, which are the default in the configuration file. You might edit your ~/.ssh/ssh_config file to look like this:
Host *sh
    HostName [remote host]
    User joe
    ForwardAgent yes
    ForwardX11 yes
# Be paranoid by default
Host *
    ForwardAgent no
    ForwardX11 no
    FallBackToRsh no
Now all you need to do is type:
ssh sh
instead of:
ssh [remote host]
to connect to the remote machine. OpenSSH will look up the host name in the configuration file, use your user name to log in, and authenticate using your key. Simple, isn’t it? Connections to all other machines will continue to use the default paranoid settings, which will protect you from untrusted hosts.

Conclusion
There are a number of shortcuts you can take with OpenSSH without reducing security. Using key-based authentication is a simple, yet secure, means of making life a little easier. Creating secure tunnels with SSH also has many advantages. You can use tunneling for anything from POP3 to SMTP, and even use it for FTP and HTTP connections. Creating a tunnel for FTP is unnecessary, however, as you can use scp (secure copy) to transfer files or use sftp, a secure FTP client and its associated secure FTP server, to make use of SSH-enabled FTP.

With all the obvious advantages of using OpenSSH, using other insecure options should be considered a thing of the past. OpenSSH is more than a simple secure shell. It can be used to secure many aspects of your system and generally make life easier and let network administrators breathe easier. And since OpenSSH is completely free, there is no reason why it should not be used.
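The key-handling steps above (chmod 600 on the private key, chmod 644 on authorized_keys, appending identity.pub to the remote authorized_keys) are easy to get subtly wrong, and a key file that is readable by other users defeats the point of key-based authentication. The following Python script is an added example, not part of the article: it audits a .ssh directory for permission bits wider than the article recommends and appends a public key to authorized_keys without duplicating one that is already there. The 700 mode expected on the .ssh directory itself, the sample key line, and the temporary directory the demo builds are assumptions made here; the key material is constructed and not a real key.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Modes the article calls for: the private key (identity or id_dsa) readable
# and writable by the owner only (600); authorized_keys world-readable but
# writable by the owner only (644). The 700 on .ssh itself is an assumption
# added here: sshd refuses key directories that others can write to.
PRIVATE_KEY_NAMES = ("identity", "id_dsa")
MAX_PRIVATE_MODE = 0o600
MAX_AUTHORIZED_KEYS_MODE = 0o644
MAX_DIR_MODE = 0o700


def audit_ssh_dir(ssh_dir: str) -> List[str]:
    """Return one message per path whose permission bits exceed the recommended mode.

    A bit set in the actual mode but not in the allowed mask is an extra right
    (group or other access, or an execute bit); an empty list means all clear.
    """
    problems = []
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if dir_mode & ~MAX_DIR_MODE:
        problems.append("%s: mode %o, expected 700" % (ssh_dir, dir_mode))
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if name in PRIVATE_KEY_NAMES and mode & ~MAX_PRIVATE_MODE:
            problems.append("%s: private key mode %o, expected 600" % (path, mode))
        elif name == "authorized_keys" and mode & ~MAX_AUTHORIZED_KEYS_MODE:
            problems.append("%s: authorized_keys mode %o, expected 644" % (path, mode))
    return problems


def merge_public_key(authorized_keys_text: str, pubkey_line: str) -> str:
    """Append a public key line to authorized_keys content unless the same key is already listed.

    Keys are compared on key type and base64 material (the first two fields), so
    the same key with a different trailing comment is not added a second time.
    """
    def material(line: str):
        fields = line.split()
        return tuple(fields[:2]) if len(fields) >= 2 else None

    new = material(pubkey_line)
    if new is None:
        raise ValueError("not a public key line: %r" % pubkey_line)
    for line in authorized_keys_text.splitlines():
        if material(line) == new:
            return authorized_keys_text
    if authorized_keys_text and not authorized_keys_text.endswith("\n"):
        authorized_keys_text += "\n"
    return authorized_keys_text + pubkey_line.strip() + "\n"


def demo() -> Dict[str, object]:
    """Build a throwaway .ssh directory with loose permissions, audit it, tighten it, re-audit."""
    root = tempfile.mkdtemp()
    ssh_dir = os.path.join(root, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o700)
    identity = os.path.join(ssh_dir, "identity")
    authorized = os.path.join(ssh_dir, "authorized_keys")
    with open(identity, "w") as fh:
        fh.write("constructed private key placeholder\n")
    # Constructed public key line; the base64 field is not a real key.
    pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample joe@laptop"
    with open(authorized, "w") as fh:
        fh.write(merge_public_key("", pub))
    os.chmod(identity, 0o644)      # too permissive: group and others can read the key
    os.chmod(authorized, 0o664)    # too permissive: group can rewrite who may log in
    before = audit_ssh_dir(ssh_dir)
    os.chmod(identity, 0o600)      # chmod 600 ~/.ssh/identity
    os.chmod(authorized, 0o644)    # chmod 644 ~/.ssh/authorized_keys
    after = audit_ssh_dir(ssh_dir)
    with open(authorized) as fh:
        current = fh.read()
    # Adding the same key again, even with another comment, must not duplicate it.
    merged = merge_public_key(current, pub.replace("joe@laptop", "joe@desktop"))
    return {"before": before, "after": after, "merged_lines": merged.count("\n")}


if __name__ == "__main__":
    for line in demo()["before"]:
        print(line)
```

Run it against a real directory with audit_ssh_dir(os.path.expanduser("~/.ssh")); anything it reports is a file that someone other than you could read or change.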
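The port forwarding section describes a local listener (port 1110) whose connections come out at the remote end on the real service port (110). The Python below is an added example, not the article's code: it implements that relay so the two halves of the tunnel can be watched in one process, with a constructed stand-in for the remote POP3 server so it runs offline. What it deliberately leaves out is the part that makes ssh -L worth using: ssh carries the relayed bytes inside its encrypted session, whereas this relay moves them in the clear. The fake server's replies and the CAPA command are assumptions made for the demonstration.

```python
import socket
import threading
from typing import List, Tuple

BUFFER = 4096


def _pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the source closes, then signal end-of-stream to the other side."""
    try:
        while True:
            data = src.recv(BUFFER)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForwarder:
    """Listen on a local port and relay every connection to `target`, like the local end of ssh -L.

    Unlike ssh, nothing here is encrypted: the plaintext only stays private
    with the real tunnel because ssh wraps this same relay in its session.
    """

    def __init__(self, listen_port: int, target: Tuple[str, int]) -> None:
        self.target = target
        self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.server.bind(("127.0.0.1", listen_port))   # loopback only, as ssh -L does by default
        self.server.listen(5)
        self.port = self.server.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self.server.accept()
            except OSError:          # listener closed
                return
            remote = socket.create_connection(self.target)
            threading.Thread(target=_pipe, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pipe, args=(remote, client), daemon=True).start()

    def close(self) -> None:
        self.server.close()


def start_fake_pop3() -> Tuple[str, int]:
    """Constructed stand-in for the remote mail server: greets, answers one command, hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"+OK POP3 ready\r\n")
            command = conn.recv(BUFFER).strip()
            conn.sendall(b"+OK got " + command + b"\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def fetch_through_tunnel(local_port: int = 0) -> List[str]:
    """Talk to the mail server the way a client pointed at the local tunnel port would (1110 in the article).

    local_port=0 lets the OS pick a free port, so the demo does not collide with a real tunnel.
    """
    tunnel = LocalForwarder(local_port, start_fake_pop3())
    try:
        with socket.create_connection(("127.0.0.1", tunnel.port), timeout=5) as client:
            greeting = client.recv(BUFFER)
            client.sendall(b"CAPA\r\n")
            reply = client.recv(BUFFER)
    finally:
        tunnel.close()
    return [greeting.decode().strip(), reply.decode().strip()]


if __name__ == "__main__":
    print(fetch_through_tunnel())
```

Binding the listener to 127.0.0.1 matters: a forwarder bound to all interfaces would let any host on the local network ride the tunnel, which is why ssh -L defaults to loopback unless you ask otherwise.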

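The point that the configuration file is matched top to bottom, first match wins, is the one most often missed: put the Host * block first and the specific block below it can never override its values. The Python below is an added example, not OpenSSH's own code or the article's: a small parser that resolves the effective options for a host the way ssh(1) does, run over the article's configuration (with ForwardX11 yes included for the X11 forwarding the text asks for) and over the same directives in the wrong order. The host name remote.example.com is a constructed placeholder; the parser handles Host patterns with wildcards only, not the negated patterns ssh also accepts.

```python
import fnmatch
from typing import Dict, List, Tuple

Block = Tuple[List[str], Dict[str, str]]


def parse_ssh_config(text: str) -> List[Block]:
    """Split ssh_config text into (host patterns, options) blocks, preserving file order."""
    blocks: List[Block] = []
    patterns, options = ["*"], {}     # options before the first Host line apply everywhere
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if "=" in key and not value:          # also accept the Key=value spelling
            key, value = key.split("=", 1)
        if key.lower() == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options[key] = value
    blocks.append((patterns, options))
    return [b for b in blocks if b[1]]


def resolve(text: str, host: str) -> Dict[str, str]:
    """Effective options for `host`: as in ssh(1), the first block that matches sets each option."""
    effective: Dict[str, str] = {}
    for patterns, options in parse_ssh_config(text):
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in options.items():
                effective.setdefault(key, value)   # earlier match wins; later ones cannot override
    return effective


# The article's configuration; the host name is a constructed placeholder.
CONFIG = """\
Host *sh
    HostName remote.example.com
    User joe
    ForwardAgent yes
    ForwardX11 yes
# Be paranoid by default
Host *
    ForwardAgent no
    ForwardX11 no
    FallBackToRsh no
"""

# The same directives with the general block first: the specific block can no longer win.
CONFIG_WRONG_ORDER = """\
Host *
    ForwardAgent no
    ForwardX11 no
    FallBackToRsh no
Host *sh
    HostName remote.example.com
    User joe
    ForwardAgent yes
    ForwardX11 yes
"""

if __name__ == "__main__":
    print("sh  (right order):", resolve(CONFIG, "sh"))
    print("sh  (wrong order):", resolve(CONFIG_WRONG_ORDER, "sh"))
    print("any other host:   ", resolve(CONFIG, "other.host"))
```

Note that the pattern *sh also matches any host whose name ends in sh (bash, fish, ...), so an alias pattern should be as exact as you can make it, for instance Host sh.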
Protect your VPN by keeping a tight rein on passwords
May 22, 2002
By Dana Norton

Joe Edwards knows what damage one person can do to an organization by misusing a virtual private network (VPN) password. An employee at Edwards’ former workplace was fired under questionable circumstances. The employee went home, dialed into the employer’s VPN, and deleted all of his documents off the network.

“So as a result, we basically had a situation where we couldn’t get his current data that he had done for the day,” said Edwards, now a senior network administrator for eLink

Communications, Inc., an Internet service provider (ISP) in Bethesda, MD. Edwards also saw how an employee who disliked another fired employee accessed a VPN using the terminated employee’s password and sent hateful e-mails to supervisors in the organization under the fired employee’s name. These examples demonstrate why IT managers must control VPN password use in their organization and delete passwords when they are no longer needed.

VPN use and risk increase
Passwords are necessary for secure access to a VPN. They’re also one of the only ways an organization can protect its VPN. “Passwords really are the only line of defense today between an intruder and your data,” said Tom Rose, the vice president of marketing for Courion, a provider of self-service identity management solutions, in Framingham, MA.

The need for secure passwords is increasing simply because VPN use is rising. John Doyle, the director of product marketing for Corporate Edge Services for Nortel Networks, said that Nortel Networks sells VPN services to all types of companies, government entities, and carrier partners that offer managed VPN services. This overall growth means that VPNs are more important to an organization’s productivity. “There are two principal applications for VPNs,” said Doyle. “One is remote access. That would be the stuff that you’re doing when you dial in from home. And then there’s the branch-to-branch stuff. That would describe most companies,” he said. He added that users in an organization’s branch offices need network access from anywhere, at any time, and that VPNs meet this need.

Keep your organization safe
Protecting your network is one reason each user in your organization needs a VPN password and also the reason IT managers need to focus on managing passwords to prevent abuse.

If the idea of turning over one password to each user makes you shake in your boots, it should. “With a VPN, you can access through anybody’s ISP on basically anyone’s network,” said Edwards. “So if an employee leaves, he could very well go home and either still get sensitive information off the network or still send out e-mails basically using your company’s service for his own good,” he said.

In the wrong hands, a single VPN password can open up an entire network to a malicious user or hacker. “VPN passwords are the keys to the kingdom,” said Marty Roesch, the president and founder of Sourcefire, Inc., a provider of network monitoring infrastructure solutions in Columbia, MD.

Staying on top of password use is the easiest way managers can protect VPNs. “You use a VPN to secure your point-to-point communications, so if it’s secured via passwords and you don’t have good password control mechanisms, then you run the risk of a password getting out,” said Roesch.

How to manage IT passwords
“For example, the problem scenarios I mentioned could have been avoided if the organization’s human resources department had told the IT team when an employee was to be fired,” said Edwards. “A bad thing to do is to fire someone in the evening and not let us know,” he said.

IT managers should establish a system to track passwords to know when certain passwords are no longer needed. For example, when an employee leaves the organization, you should uninstall those passwords immediately. Here are other password management tips:
• “Refresh passwords at least every 60 days,” said Rose. “Obviously the more frequently you refresh your passwords, the more difficult it becomes for a hacker to compromise a password or obtain one,” he said.
• Explain to users why they must be careful with VPNs. Tell them that it is impossible to deploy security software to users outside of an organization’s network and that they cannot trust external computing platforms.
• Encourage users to use other forms of protection at home. For example, establish a policy that states that users must use firewalls and other protection solutions that are approved by the organization.


• Force users to create strong passwords. Managers should especially encourage a user with “12345” as a password, for example, to change it for security reasons. Longer passwords that are a mix of letters, numbers, and symbols are stronger than one-word or number-string passwords.
• You can use an automatic solution. For example, Courion makes and distributes PasswordCourier (http://www.courion.com/products/pwc/index.asp?Node=PWC), an application that enables managers to securely reset forgotten passwords or automatically delete expired ones. The application can also tie all of a user’s passwords together into one central location where they can be changed or updated automatically.

If you do not use an automatic system, search your network for weak passwords. For example, Edwards checks each password in his organization twice a month. “That way if someone’s using a password of, say, 123, which is pretty common, we can actually make those people change the password and force the password length,” he said.
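The tips above reduce to three checks an administrator can run on a credential inventory: is the password itself weak (short, one character class, a number string or a run like 12345), is it older than the 60-day refresh interval, and does it belong to someone who has left. The Python below is an added example, not code from the article or from any product it names, and encodes those three checks over a constructed list of accounts. The minimum length of 8 is an assumption (the article asks only for “longer” passwords), the account records and dates are invented, and plaintext passwords appear only because the data is made up; a real audit applies the policy when a password is set, or compares hashes against a list of known weak passwords.

```python
import string
from datetime import date
from typing import Dict, List

MAX_AGE_DAYS = 60   # the 60-day refresh interval quoted in the article
MIN_LENGTH = 8      # assumed minimum length; the article asks only for "longer" passwords

_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def is_sequence(pw: str) -> bool:
    """True for runs such as 12345, 54321 or abcdef: every character is one step from the last."""
    if len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def password_weaknesses(pw: str) -> List[str]:
    """Return the reasons a password fails the policy; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    classes_used = sum(1 for cls in _CLASSES if any(c in cls for c in pw))
    if classes_used < 3:
        reasons.append("uses fewer than three of: lowercase, uppercase, digits, symbols")
    if pw.isdigit():
        reasons.append("number string only")
    elif pw.isalpha():
        reasons.append("single word of letters only")
    if is_sequence(pw):
        reasons.append("sequential characters")
    return reasons


def password_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password is older than the refresh interval."""
    return (today - last_changed).days > max_age_days


def audit(accounts: List[Dict], today: date) -> Dict[str, List[str]]:
    """Map each account needing action to its reasons; clean accounts are left out."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons = []
        if acct.get("terminated"):
            reasons.append("user has left: remove the VPN credential")
        reasons += password_weaknesses(acct["password"])
        if password_expired(acct["last_changed"], today):
            reasons.append("not refreshed in %d days" % MAX_AGE_DAYS)
        if reasons:
            findings[acct["user"]] = reasons
    return findings


# Constructed sample inventory (not from the article). The passwords are invented;
# a real audit would work from hashes or enforce the policy at set time.
TODAY = date(2002, 5, 22)
ACCOUNTS = [
    {"user": "joe", "password": "Tr0ub4dor&3", "last_changed": date(2002, 5, 1), "terminated": False},
    {"user": "bob", "password": "12345", "last_changed": date(2002, 1, 15), "terminated": False},
    {"user": "ann", "password": "Correct-Horse-9", "last_changed": date(2002, 2, 1), "terminated": True},
]

if __name__ == "__main__":
    for user, reasons in audit(ACCOUNTS, TODAY).items():
        print(user, "->", "; ".join(reasons))
```

The terminated flag is the hook for the HR hand-off Edwards describes: the audit can only act on a departure it has been told about.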




When it comes to administering a VPN, you have to know your protocols. This chapter contains
the material you need to troubleshoot TCP/IP, PPTP, L2TP, and IPSec connections.

TechRepublic’s TCP/IP primer..............................................................................................................177

Troubleshoot your network errors with TechRepublic’s TCP/IP checklist ..................................180
Troubleshoot Novell TCP/IP network errors with TechRepublic’s checklist ..............................183
Putting the “private” in virtual private networking ............................................................................186
Configuring certificates for an L2TP/IPSec VPN ............................................................................191
Customize the security of L2TP/IPSec connections ........................................................................196
Troubleshooting L2TP/IPSec VPN connections in Win2K ............................................................199
The Windows NT 4.0 PPTP VPN client connection guide ............................................................202

TechRepublic’s TCP/IP primer
Sep 1, 2000
By Jason Pachomski

With the explosion in the popularity of the Internet, nearly all computers are connected to one another in some fashion. From the mission-critical database server in a large corporation to the old clunker in your basement that the kids play games on, the concept of a “stand-alone” PC is quickly becoming obsolete. As IT professionals, we need to understand and implement the functionality that fuels this technology. So how does it all work? How is it that one computer can “talk” to another no matter where that computer is?

Simply put, networking drives the Internet. Networking and computer networks are not new concepts. The first indications of where they would take us began to surface in the late 1960s with the U.S. Department of Defense. It needed a way for employees and associated institutions around the world to be able to communicate large amounts of data quickly and securely, so it contracted with a small company to develop the technology to accomplish this. The result of this assignment has become the most popular means for two computers to communicate with each other. That technology is called TCP/IP.

TCP/IP defined
What is TCP/IP and how does it work? TCP/IP is defined as an industry standard suite of protocols that computers use to find, access, and communicate with each other over a transmission medium. A protocol is a set of standards and rules that need to be followed. In the case of networking computers, a protocol is the set of standards and rules that a machine’s hardware and software must follow in order to be recognized and understood by other computers. The protocol suite is implemented via a software package most commonly known as the TCP/IP stack. This functionality ships with all versions of Windows from 95 and up and can be easily installed using the network setup applets in the Control Panel.

What is TCP/IP made of?
Under the hood, TCP/IP’s architecture consists of several “layers” performing certain functions. Each layer contains protocols. There are four general layers of the TCP/IP stack:
1. Application layer
2. Transport layer
3. Internet layer
4. Physical or Network Interface layer
A full-scale description of each layer and its underlying functionality is well beyond the scope of this article. Whole courses are taught on TCP/IP alone. However, here’s a brief overview of the part each layer plays and how they work together.

When you transmit over the Internet, you are using your computer’s implementation of TCP/IP. The data you send follows a certain path and is transmitted in a specific way so that when it arrives at its final destination, it can be read, understood, and used by the receiving machine without any problems. Common practices and functionality are the basis for which all standards are produced, and TCP/IP is no different. Let’s follow the path that a portion of data, or a packet as it is commonly called, takes when it travels the TCP/IP highway.

Application layer
The data you want to send starts off at the top of the TCP/IP stack in the Application layer. This layer contains network applications and services that the user interfaces with in order to use network communication. Also living in the Application layer are utilities for things like file and print services and name resolution. A good example of this is NetBIOS, an application programming interface (API) that supports a desktop operating environment. Finally, all the utilities that work with TCP/IP live in the Application layer. These utilities provide the user with connectivity, file transfer capabilities, utilities for remote administration, and Internet utilities. Examples of these include programs like PING, TRACERT, FTP, and Telnet.

Protocols 177
Transport layer
Once the Application layer is through with the data, it passes the data down the line to the Transport layer. The two major components of the Transport layer are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). Entire books are available on TCP, UDP, and the Transport layer, but simply put, the Transport layer is an interface that applications use for network connectivity. The designers of TCP/IP wanted to make sure that the data you send gets received by the right machine, as well as the right application running on that machine. The Transport layer provides this functionality. In the Transport layer, there are mechanisms for error checking, flow control, and verification ensuring the integrity and completeness of the data it is working with.

Although TCP and UDP are the main workhorses of this layer, there is one very important difference between the two. TCP is considered a connection-oriented protocol, while UDP is considered a connectionless protocol. A connection-oriented protocol is one that establishes a connection with another machine and maintains that connection for the entire duration of data transmission. A slew of functions are built into TCP that check and recheck the data while the two machines are connected. This makes TCP a more reliable, albeit slower, transmission. A connectionless protocol such as UDP, however, does not establish a connection with the target machine at all. UDP is told by the Application layer which machine it is supposed to transmit to, with no questions asked. This obviously makes UDP a much faster protocol when it comes to data transmission. But UDP has rudimentary error checking and flow control, as well as reliability issues. That is why TCP is the most widely used protocol in Internet communications.

Internet layer
Beneath the Transport layer is the Internet layer. Three key protocols reside in the Internet layer: Internet Protocol (IP), Address Resolution Protocol (ARP), and Internet Control Message Protocol (ICMP). Each of these serves a specific purpose. There are also two less-used protocols, Reverse Address Resolution Protocol (RARP) and Internet Group Management Protocol (IGMP).

IP addressing and address resolution occur within the Internet layer. IP addressing is a scheme that standardizes how machines are identified and differentiated from one another. This scheme allows any computer running TCP/IP to communicate with other computers running TCP/IP anywhere in the world. No matter what type of machine, operating system, or network topology the PCs live on, as long as both machines are using TCP/IP, they’re speaking the same language.

ARP’s job is to resolve a logical IP address into its physical equivalent address. ICMP is mostly used by routers to send information back to a source computer about a transmission that computer is trying to make. When you use the PING utility, the information you receive was gathered using ICMP.

Table A: Terms defined

API      A message and language format that allows programmers to use functions within another program
NetBIOS  A protocol that provides the underlying communication mechanism for some basic NT functions, such as browsing and communication between network servers
PING     A command used to verify the existence of and connection to remote hosts over a network
TRACERT  A diagnostic utility that determines the route a packet has taken to a destination
FTP      A protocol for transferring files to and from a local hard drive to an FTP server located on another TCP/IP-based network
Telnet   A remote terminal emulation application that has its own protocol for transport


Physical layer
The final layer on the TCP/IP stack is the Physical layer. This layer is at the base of the stack and is the last section a packet must go through before it’s sent out across the transmission medium. The Physical layer contains a collection of services and specifications that provide and manage access to the network hardware. Its responsibilities include:
• Interfacing with the computer’s network hardware
• Checking for errors in incoming packets of data
• Tagging outgoing packets with error-checking information
• Acknowledging the receipt of a packet
• Resending that packet if no acknowledgment is returned by the recipient
This layer is almost totally invisible to the everyday user, which, given this layer’s complexity, is not such a bad idea.

The OSI reference model
The Open Systems Interconnection reference model (OSI/RM) is the standard that all other protocols follow. The OSI/RM provides a framework that connects heterogeneous systems using a common protocol. It also gives developers universal concepts so they can develop and perfect protocols. As you can see in Figure A, each layer of the TCP/IP reference model corresponds to a part of the OSI model.

TCP/IP has transformed the way people use computers. Although TCP/IP was originally developed to traverse heterogeneous network environments, it has evolved due to its nonproprietary standards. These standards provide a framework for programmers who develop protocols. Without it, we would still be in the stone-age of networking.

Figure A

This diagram illustrates the layers of the OSI Model and how they map to different areas of Microsoft’s TCP/IP. It also shows
the four layers of the TCP/IP Reference Model and how they map to Microsoft’s TCP/IP.
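The layered path the primer describes (application data wrapped by a Transport header, wrapped in turn by an Internet header that carries error-checking information) is easiest to see by building one packet by hand. The Python below is an added example, not from the article: it encapsulates a small payload in a UDP header and then an IPv4 header with its RFC 1071 checksum filled in, walks back down the same stack to decode it, and shows the header check failing once a single byte is corrupted in transit. The addresses come from the 192.0.2.0/24 documentation range and the ports, identification field and payload are constructed values; the UDP checksum is left at zero, which IPv4 permits, so the only check demonstrated is the IP header's.

```python
import socket
import struct
from typing import Dict, Tuple

IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Transport layer: 8-byte UDP header ahead of the application data (checksum 0 = not computed)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src_ip: str, dst_ip: str, transport: bytes,
               proto: int = IPPROTO_UDP, ttl: int = 64) -> bytes:
    """Internet layer: 20-byte IPv4 header with its checksum filled in, then the transport segment."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,            # version 4, header length 5 words
                         0,                       # type of service
                         20 + len(transport),     # total length
                         0x1234,                  # identification (constructed value)
                         0,                       # flags / fragment offset
                         ttl, proto,
                         0,                       # checksum placeholder, computed next
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + transport


def parse_ipv4(packet: bytes) -> Dict[str, object]:
    """Walk back up the stack: verify the IP header, then decode the UDP header inside it."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info: Dict[str, object] = {
        "version": ver_ihl >> 4,
        "ttl": ttl,
        "protocol": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        # a header whose checksum field is correct sums to zero under the same algorithm
        "checksum_ok": checksum(packet[:ihl]) == 0,
    }
    payload = packet[ihl:total_len]
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sp, dp, length, _ = struct.unpack("!HHHH", payload[:8])
        info["udp"] = {"src_port": sp, "dst_port": dp, "data": payload[8:length]}
    return info


def demo() -> Tuple[Dict[str, object], bool]:
    """Encapsulate a datagram, decode it, then corrupt one header byte and watch the check fail."""
    packet = build_ipv4("192.0.2.1", "192.0.2.2", build_udp(40000, 53, b"hello"))
    good = parse_ipv4(packet)
    corrupted = packet[:8] + bytes([packet[8] ^ 0xFF]) + packet[9:]   # flip the TTL byte
    return good, parse_ipv4(corrupted)["checksum_ok"]


if __name__ == "__main__":
    parsed, still_ok = demo()
    print(parsed)
    print("corrupted header passes check:", still_ok)
```

The header checksum only detects accidental damage; it is trivially recomputed by anyone rewriting the packet, which is why integrity against a deliberate change has to come from a higher layer, such as the SSH or IPSec protection this book covers elsewhere.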

Troubleshoot your network errors with TechRepublic’s TCP/IP checklist
Jan 21, 2000
By David Mays

Whether your systems are powered by Windows or Linux, network configuration problems inevitably arise. Often the problem can be traced to an improperly configured TCP/IP setting, but finding the culprit can be difficult. Use the following checklist to help identify and eliminate network TCP/IP errors.

TechRepublic’s TCP/IP checklist
1. What stopped working? The client or the server? Ask around before attacking coworkers’ PCs; learn if the outage is affecting others or just a single desktop.
2. If the server stopped working, you should notice many office mates banging their heads against their desks simultaneously. If this is the case, focus on fixing the server.
3. If a single client PC has stopped responding to the network, ask the user whether new software was just loaded or whether any recent changes have been made to the system, including the installation of service packs, new Internet software, Elf Bowling games, and so on.
4. Check the physical network. The physical topology of your network is most prone to failure. In fact, most network problems are often due to Physical Layer failures.
5. Is it plugged in? Check all network cable connections. Start at the NIC; is there a green light? Check the wiring closet to see if someone “borrowed” the patch cable. Check the hub to see if the system is getting a link across the cable.
6. If you don’t have a cable tester, get one. Cabling is very susceptible to electricians, cleaning people, HVAC personnel, and so on.
7. Start PINGing. Both Windows and Linux have the PING command. In a typical network you have this order (client->gateway->server) or (client->gateway->internet). First, attempt to PING yourself from the Windows command prompt or use the Linux shell. Your local “loopback” address for such testing is 127.0.0.1. Windows users should see the response shown in Listing A, while Linux operators should see the results shown in Listing B. Note that in Linux you must add -c 4 to the command, which requests four PINGs. Otherwise, you must stop the test using [CTRL]C.
8. If you do not receive a successful PING from yourself, in Windows, try re-installing the TCP/IP protocol from the Network Control Panel. In Linux, see if your Ethernet card is loading properly by using ifconfig. It should provide the information shown in Listing C.

When you issue the interface configuration (ifconfig) program, you’ll receive a list

Listing A
C:\WINDOWS>PING 127.0.0.1

PINGing 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<10ms TTL=32
Reply from 127.0.0.1: bytes=32 time<10ms TTL=32
Reply from 127.0.0.1: bytes=32 time<10ms TTL=32
Reply from 127.0.0.1: bytes=32 time=1ms TTL=32

PING statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

180 Administrator’s Guide to VPN and Remote Access, Second Edition

of your interfaces. If the loopback (lo) is not listed, you may have an incorrectly configured kernel or possible problems with the loopback module. Try recompiling/reinstalling to see if that resolves the problem.

Listing B
[root@gateway /root]# PING -c 4
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=255 time=1.2 ms
64 bytes from icmp_seq=1 ttl=255 time=0.9 ms
64 bytes from icmp_seq=2 ttl=255 time=0.9 ms
64 bytes from icmp_seq=3 ttl=255 time=0.9 ms

--- PING statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.9/0.9/1.2 ms

Listing C
[root@gateway /root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:00:11:22:33:44
          inet addr:  Bcast:  Mask:
          RX packets:219876 errors:0 dropped:0 overruns:0 frame:0
          TX packets:153838 errors:0 dropped:0 overruns:0 carrier:0
          collisions:77 txqueuelen:100
          Interrupt:10 Base address:0x230

lo        Link encap:Local Loopback
          inet addr:  Mask:
          RX packets:15 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

9. If PINGing your loopback worked fine, then try PINGing someone who is on the same subnet as you. In the ifconfig example above (Listing C), eth0 carries your address on the local subnet; in this scenario you should attempt to PING another host on that subnet. Be sure the target IP address being PINGed is a valid IP address assigned to a system; otherwise, you'll receive errors. Use the Start | Run | IPCONFIG command to learn your NT machine's IP configuration (use the WINIPCFG command with Windows 98). In Linux, use ifconfig to learn your network settings.

10. If you can PING someone on your local subnet, move on to the next step. If you can't, you're probably experiencing a Physical Layer failure. The usual suspects are bad cables or a NIC gone bad (they do that sometimes). With loopback, you were just testing the inner workings of the TCP/IP protocol stack; with PINGing on your local subnet you tested for failure on the failing machine. Try replacing the network card and using a new patch cable.

11. The next problem area is in the gateway. Find the IP address of your gateway. You can find this in the IPCONFIG screen with NT systems (WINIPCFG for Windows 98) or in Linux by running the netstat -rn command, which provides the results shown in Listing D.

Listing D
[root@gateway /root]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                U         0 0          0 lo
                                                UG        0 0          0 eth0

The -rn prints the routing table and puts everything in numeric format. In this example, the default gateway is the one on the UG row for eth0 (the G flag marks a route through a gateway). If you don't have a gateway configured, then one will not show up in WINIPCFG or when using netstat. This is a problem.

In Windows, locate Start | Settings | Control Panel | Network | TCP/IP | Gateway and add your gateway. This is your local interface on your router. In Linux, use linuxconf or set up a temporary route using:

route add default gw gateway_ip_address

where gateway_ip_address is your gateway.

PING this address; this will prove a solid connection from your PC to the gateway. If you have made it this far, the PC is working, the cabling is working, and the router (gateway) interface is working. You can skip to the next section.

However, if you receive no response from the gateway, and you have one configured, it's time to call in the big guns. Your router is improperly configured. It must have a local interface (IP address) on your subnet to listen to the traffic on your network. If there is no interface, have the router administrator add one. If it has one but has stopped working, it could mean you're experiencing a router failure, and others will be affected as well. Conversely, the router administrator may have loaded an old config; check with the administrator to make sure this isn't the case.

12. The final step is through the gateway. PING something that is on the other side of the gateway. In an intranet, PING a printer on a remote subnet. On the Internet, PING a well-known site such as Yahoo!. If you do so successfully, you should not have a problem. If you can't get to a particular system in your network or on the Internet, that resource may not be available. You may want to tell the administrators of those systems about this checklist! Certainly, you can expect they're working through the same difficulties as you.

Remember, TCP/IP was designed to be indestructible, even in a global thermonuclear war. After you get past an initial install, it should run for quite some time without any trouble. Always look for the most obvious problems first, and if in doubt, reboot your system.
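Steps 7 through 12 are one procedure: climb from the loopback to a host on your subnet, then to the gateway found in the routing table, then to something beyond it, and the first rung that fails tells you which layer to blame. The script below, an added example rather than anything from the guide, automates that ladder. It parses the default gateway out of `netstat -rn` output (the constructed sample uses made-up addresses), probes each rung with the operating system's ping (the `-n`/`-c` count flag differs between Windows and Linux, as the checklist notes), and maps the first failure to the checklist's conclusion. The `probe` parameter exists so the ladder logic can be exercised offline with a constructed lookup instead of live pings; 127.0.0.1 is the standard loopback address, which the page's text omits.

```python
"""Ping ladder from TechRepublic's TCP/IP checklist: loopback, then a host on the
local subnet, then the default gateway, then something beyond the gateway.
Added example, not code from the guide. netstat text and probe results are constructed."""
import subprocess
import sys

# Constructed sample of `netstat -rn` output (addresses made up); the row whose
# Destination is 0.0.0.0 and whose Flags contain G is the default route.
SAMPLE_NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.10.1    0.0.0.0         UG        0 0          0 eth0
"""

LOOPBACK = "127.0.0.1"  # the standard loopback address (the guide's text omits it)

STAGES = ("loopback", "local", "gateway", "remote")

# What the checklist tells you to do when the ladder first fails at a given rung.
ADVICE = {
    "loopback": "TCP/IP stack problem: reinstall TCP/IP (Windows) or check that lo and "
                "the Ethernet card appear in ifconfig (Linux).",
    "local": "Physical Layer failure: suspect the cable or the NIC; try a new patch "
             "cable and a replacement card.",
    "gateway": "Router (gateway) interface on your subnet is not answering: confirm the "
               "router has a local interface on your subnet and check with its administrator.",
    "remote": "PC, cabling and gateway work; the resource beyond the gateway is unavailable, "
              "so contact the administrators of that system.",
}


def default_gateway(netstat_rn_text):
    """Return the Gateway column of the default route in `netstat -rn` output,
    or None when no default route is configured (checklist step 11)."""
    for line in netstat_rn_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] in ("0.0.0.0", "default") and "G" in fields[3]:
            return fields[1]
    return None


def ping(host, count=4, timeout=20):
    """Run the OS ping: Windows counts with -n, Linux/Unix with -c (hence the guide's -c 4).
    True only when ping exits successfully, i.e. at least one reply arrived."""
    flag = "-n" if sys.platform.startswith("win") else "-c"
    try:
        proc = subprocess.run(["ping", flag, str(count), host],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0


def diagnose(results, gateway):
    """Map ladder results ({stage: bool}) to the checklist's conclusion.
    Returns (stage_that_failed_or_'ok', advice)."""
    for stage in STAGES:
        if stage == "gateway" and gateway is None:
            return "gateway", ("No default gateway configured: add one (Windows Network "
                               "Control Panel, or route add default gw <address> on Linux).")
        if not results.get(stage, False):
            return stage, ADVICE[stage]
    return "ok", "Loopback, local subnet, gateway and remote target all answer."


def run_ladder(local_peer, remote_target, netstat_rn_text, probe=ping):
    """Climb the ladder in order and stop at the first rung that fails.
    `probe` is ping by default; the test passes a constructed lookup instead."""
    gateway = default_gateway(netstat_rn_text)
    targets = {"loopback": LOOPBACK, "local": local_peer,
               "gateway": gateway, "remote": remote_target}
    results = {}
    for stage in STAGES:
        if targets[stage] is None:
            break
        results[stage] = probe(targets[stage])
        if not results[stage]:
            break
    stage, advice = diagnose(results, gateway)
    return stage, advice, results


if __name__ == "__main__":
    # Live run against real hosts; the addresses are placeholders to replace with your own.
    print(run_ladder("192.168.10.20", "192.0.2.1", SAMPLE_NETSTAT_RN))
```

On a real machine, feed `run_ladder` the output of `netstat -rn` (or `ipconfig` parsed the same way on Windows) and the addresses of a neighbour and a host past the gateway; the tuple it returns is the rung that failed, the checklist's advice for it, and the raw results.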


Troubleshoot Novell TCP/IP network errors with TechRepublic's checklist
Jun 21, 2000
By Steven Pittsley, CNE

Just as with Windows or Linux systems, TCP/IP network configuration issues can prove quite frustrating to solve on Novell networks. Novell administrators can save time by following a troubleshooting checklist. Here's a step-by-step guide that you can use the next time your Novell network experiences TCP/IP problems.

What changed last?

We do not live in a perfect world. Equipment breaks or software changes are made, and it's up to us to resolve the ensuing problems. When we're faced with network troubles, our first step should be to answer one simple question: What changed?

Many times, the answer to this question will provide the resolution to our problem. This guide offers some straightforward troubleshooting steps to help diagnose and resolve problems on misbehaving Novell TCP/IP networks.

Determine the scope of the problem

When troubleshooting any problem, take a moment to absorb the big picture. Is one user or a single system affected, or does the problem have an impact on the entire department? First, call the help desk to see if it is receiving similar complaints. Determining the scope and nature of a problem will allow you to diagnose and resolve any issue correctly and efficiently.

Single-client problem

If a single client is having connectivity problems, you can follow these steps to restore network service to your users and systems.

X Check physical connections. Sometimes users move their computers and forget to plug in the network connection. Occasionally, the network connection is accidentally removed. Reconnect both ends of the network cable and check to see if the cable has been severed or crushed by a heavy piece of furniture.

X Reboot the computer. As simple as it may be, rebooting the workstation resolves many problems. NetWare 5 clients will automatically reconnect if there's a lapse in the network signal, but older clients don't have this capability. Rebooting the workstation shouldn't make the problem worse, and it will provide you with a good starting point for troubleshooting configuration issues.

X Check the network signal. Verify that the network card has a green light. This does not always mean that the signal is good, but it is a sign of connectivity. Using a line tester, verify the physical cabling from the communications closet to the wall jack.

X Verify the line speed. Using a line tester, verify the speed of the connection. Switch ports can be forced to slower speeds, and network cards can be configured incorrectly. Also verify that the switch port and network card are not both configured to auto sense the line speed. If they are, neither one will be able to determine the correct speed.

X Check the wiring closet. If you aren't receiving a signal at the client, head for the wiring closet. Reconnect both ends of the patch cable to ensure the connection is good. Next, check for a link light on the hub or switch port. If you don't have a link light, try another port. Finally, check for error lights on the network device and confirm that the network feeds are securely connected.

X Use PING to test connectivity. If everything in the communications closet is good, go back to the workstation and PING the local loopback address. This will test the TCP/IP protocol stack and verify that it is working correctly. Next, try to

PING various locations on the network. Start by PINGing a workstation on the same network segment as the non-working client. Finally, PING the default gateway, followed by a device on the other side of the gateway, such as a remote server or an Internet address. A failure of any of these devices should pinpoint the problem.

X Use TRACERT to test connectivity. If you are unsure of the IP addresses of various network devices, use the handy command-line utility TRACERT. Select an Internet address, such as the address of Novell's home page or of TechRepublic's site. At a command prompt, type TRACERT and then the IP address; for instance, to check the route to TechRepublic, you would type TRACERT followed by TechRepublic's address. The results will show each hop that the ICMP packet takes to reach the destination address. A failure of any of these devices should pinpoint the problem.

X Use WINIPCFG to release/renew the IP address. Releasing and renewing the IP address lease can eliminate problems with a particular address. While the WINIPCFG screen is displayed, take a moment to verify the other settings.

X Try a different computer on the same network connection. If you don't know whether the issue is a computer problem or a network problem, try using a different computer on the "bad" network connection. Using a laptop is probably the easiest method, but you can also borrow a nearby computer that is not in use. If the other computer works normally, then look to the nonfunctional computer to resolve the problem.

X Reinstall the network drivers. Reinstalling the network card driver will allow you to start from scratch with the network software. After doing this, you should have no doubts about the configuration of the network card.

X Install a new NIC. Network cards, like any other device, can go bad. Install a brand-new card, not one that has been sitting on the shelf for the past six months, so that you don't introduce new problems into the already fuzzy equation.

Department or area connectivity problem

When one or more segments of a TCP/IP network lose connectivity, the problem usually lies with the network equipment. Here are some troubleshooting tips that can help you isolate the problem and restore connectivity to your users and systems.

X Reboot at least one workstation. If the outage is brief, the workstations may regain connectivity after being rebooted. NetWare 5 clients will be able to reconnect automatically, but older clients will be unable to do so.

X Check the wiring closet. Collect a few data jack numbers and head to the communications closet. First, determine if all the devices in the closet are powered on. A localized power outage is a common cause of network failures. Next, determine if all the data jack numbers are connected to a single network device. If they are, move a couple to a different device and see if the problem goes away. Finally, look for error lights on the switch or hub and confirm that the network feeds are securely connected.

X PING the network equipment from the affected area. Try to PING the switch from a workstation located in the affected area. If that is successful, PING the default gateway, followed by a device on the other side of the gateway. A failure on any of these devices should pinpoint the problem.

X Use TRACERT to test connectivity. As described in the previous section, use TRACERT to quickly test the network devices from the affected area to the Internet. If you use TRACERT from a working area and then from the non-working area, are both routes the same? If they aren't, the differences may help you pinpoint the problem.


X Verify any router or network changes. Because an entire area has been affected, it's possible that someone has made changes to a router or network device. Ask someone from the wide area network (WAN) team to confirm that the device is configured correctly. If the connection is made through a leased line, contact the provider's support desk to verify that the device is working correctly.

File server TCP/IP problem

Once TCP/IP is configured and working on a file server, you normally won't have many problems with it. However, occasionally something is changed and problems arise. Here are some tips to help you troubleshoot these problems and restore network service to your users or systems.

X Things to consider. Was any software recently installed on the file server? Has the server gone down lately? Why was it down? Press the up arrow key to scroll back through many of the recent commands that have been executed and look for something to be loaded, unloaded, set, or changed.

X Check the physical connections. While it's normally rare to find your server unplugged from the network, you should never overlook the obvious. An operator or cleaning person could accidentally disconnect the network connection and not even realize it.

X Check the network signal. Verify that the network card has a green light to indicate that a network signal is present. Using a line tester, verify the physical cabling from the communications closet to the wall jack.

X Verify the line speed. If your network contains segments with differing speeds, use the line tester to verify the speed of the connection. Switch ports can accidentally be forced to a slower speed and network cards can be configured incorrectly.

X Check the wiring closet. Since most servers are in a secured area, many of the wiring closets are also well secured. However, if you're not receiving a signal at the server, head for the wiring closet. Check the patch cable and reconnect both ends to ensure the connection is good. Next, check for a link light on the hub or switch port. If you don't have a link light, try another port. Look for error lights on other ports and verify that the network feed is securely connected. You might also try a different port on the network device, or even try a different network device altogether. Before doing so, verify that the new device is working correctly.

X Verify that other protocols are working correctly. If your file server is running IPX or another protocol, verify that it is working correctly. If so, then you can begin to look toward a TCP/IP configuration problem. This is not always true, but it is very rare to see a network card unable to pass a single protocol.

X Are all network cards having problems? If the file server has multiple network cards, determine whether one of them is having a problem or if they both have similar problems. It is rare for both network cards to physically fail at the same time. If one is working and the other one is not, check the configuration of the failing card.

X Check CONFIG.NCF and AUTOEXEC.NCF for changes. Verify that all the settings in these two boot files are correct. Someone may have recently changed something that is causing the problem you're facing.

X Verify bindings and network card configuration. Make sure that the network card bindings and configuration are correct. Using SET commands from the console, unbind the protocol from the network card, reload the driver, and bind the protocol back to the card.

X Use PING to test connectivity. Using the NetWare server's PING utility, PING the local loopback of the file server to verify that the TCP/IP stack is working correctly. If this test is successful, PING a device that is on the same segment as the server, followed by the default gateway and a device on the other side of the gateway. A failure on any of these devices should pinpoint the problem.

X Use IPTRACE to test connectivity. A NetWare server's IPTRACE utility is very similar to TRACERT. Choose an IP address from a distant router or the Internet and at the server console type: IPTRACE <IP address>. You'll be taken to a new screen that shows the route that the ICMP packet took to reach the destination.

X Verify that the server is not discarding TCP/IP packets. From the server's system console screen, enter: SET TCP IP DEBUG = 1. The console screen should immediately start scrolling TCP/IP information. To stop the log, enter: SET TCP IP DEBUG = 0, and you shouldn't see any packets being DISCARDed.

X Use TCPCON to gather TCP/IP statistics. NetWare 5.x includes a nifty utility called TCPCON.NLM. You should be able to see the values in the middle of the screen changing as network traffic flows to and from the server. Verify that IP routing is enabled by selecting Protocol Information -> IP -> IP Packet Forwarding. The IP Packet Forwarding field should be set to Router. TCPCON can also be used to verify the IP Routing Table.

X Install a new network card. If you determine that the network card is bad, install a new one. This will affect all your users and systems, including ones that might be working and currently in use.

X Reboot the server. Because of the impact that this solution will have on your users and systems, rebooting the file server should be used only as a last resort. On a NetWare 5 server, you can issue the RESTART SERVER command.

These troubleshooting steps may not solve all your connectivity problems, but they should provide you with a good starting point. Hopefully, you will never need to use them. But as we noted earlier, we do not live in a perfect world.
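The "Department or area connectivity problem" section suggests running TRACERT from a working area and from the affected area and comparing the routes. Doing that by eye across two 30-hop listings is error-prone, so here is an added example (not the article's code) that parses Windows TRACERT output and reports where the two paths diverge. Both traces are constructed: a working area whose path reaches the destination, and an affected area that shares the second hop but times out at the third. The hop after the last one that answered is the device to examine first; hop 1 normally differs between two areas simply because each has its own local router.

```python
"""Compare a TRACERT run from a working area with one from the affected area and
report the hop at which the affected area's path stops answering.
Added example, not the article's code; both traces below are constructed."""
import re

WORKING_AREA = """\
Tracing route to www.example.net [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.1.20.1
  2     2 ms     2 ms     2 ms  10.1.0.1
  3     9 ms     8 ms     9 ms  198.51.100.1
  4    21 ms    20 ms    22 ms  203.0.113.10

Trace complete.
"""

AFFECTED_AREA = """\
Tracing route to www.example.net [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.1.30.1
  2     2 ms     2 ms     2 ms  10.1.0.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")


def parse_tracert(text):
    """Return [(hop_number, address_or_None)] from Windows TRACERT output.
    A hop that printed 'Request timed out.' is recorded as None."""
    hops = []
    for line in text.splitlines():
        match = HOP_LINE.match(line)
        if not match:
            continue
        hop, rest = int(match.group(1)), match.group(2)
        if rest.endswith("Request timed out."):
            hops.append((hop, None))
        else:
            hops.append((hop, rest.split()[-1].strip("[]")))  # "name [ip]" or bare ip
    return hops


def route_differences(working_text, affected_text):
    """Hops where the two traces disagree, as (hop, working_addr, affected_addr).
    Hop 1 normally differs by design: each area has its own local router."""
    working = dict(parse_tracert(working_text))
    affected = dict(parse_tracert(affected_text))
    return [(hop, working.get(hop), affected.get(hop))
            for hop in sorted(set(working) | set(affected))
            if working.get(hop) != affected.get(hop)]


def point_of_failure(working_text, affected_text):
    """(last hop that answered from the affected area, first hop that timed out,
    the address the working area saw at that hop). The device between those two
    hops is the first place to look."""
    working = dict(parse_tracert(working_text))
    last_good = None
    for hop, addr in parse_tracert(affected_text):
        if addr is None:
            return last_good, hop, working.get(hop)
        last_good = (hop, addr)
    return last_good, None, None
```

Paste the two real TRACERT listings into the two strings (or read them from files) and `point_of_failure` names the last device that answered from the affected area and the address the working area saw one hop further on.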

Putting the "private" in virtual private

Apr 12, 2001
By Debra Littlejohn Shinder, MCSE

Virtual private networks (VPNs) are growing in popularity, and the reason is obvious: The ability to connect to a private LAN by "tunneling" through the public Internet provides both convenience and cost benefits. This is especially true if the connections are of long duration or over very long distances. This is called an access VPN, and can work across analog or ISDN dial-up lines, DSL, or cable modems. Intranet and extranet VPNs can be used to connect corporate offices at different locations to one another using a dedicated connection, or to link to the sites of partners or customers.


A great deal has been written about VPN tunneling and popular tunneling protocols such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F), and Layer 2 Tunneling Protocol (L2TP). IPSec can also perform tunneling, but it is more commonly used to provide security for an L2TP tunnel. These tunneling protocols make virtual networking possible.

Using a tunneling protocol, a client computer anywhere in the world can connect to a server running the same protocol and access the entire company LAN on which the server resides (provided both are configured appropriately). The key is that both the client and the server are connected to the global Internet. The network is virtual because there is no direct connection from the client or server.

What about the second part of the equation? A virtual network is useful and may save money (because a client can dial up a local ISP instead of making a long-distance call directly to their company's RAS server), but it's not secure. Data packets are traveling across a vast public network and could be intercepted and read or changed en route. Before virtual networking can be used for sensitive or mission-critical communications, you must find a way to make it private. That's what VPN security protocols are all about.

In this article, I will show you how VPN security works, discuss the protocols that keep the data private as it travels through the tunnel, and address the question of "Just how safe is it to send your data through a VPN?"

TIP: There are many ways to construct a VPN tunnel, including both software- and hardware-based implementations. Some use open source software, such as Secure Shell (SSH), and others—such as CheckPoint's FWZ Encapsulation—are proprietary. Each VPN vendor can offer its own solution, as there are no universal standards.

Components of a secure

The tunneling process is called encapsulation because the tunneling protocol, also called the encapsulating protocol, creates the tunnel through which the passenger protocol (for example, PPP in a dial-up connection) travels. A carrier protocol carries the encapsulated packet. IP is typically the carrier protocol, as it routes packets across the Internet.

The tunnel is the conduit by which the data travels over the public network, but it does not secure the data itself. Security of data communications involves several issues, including:

X Verifying the origin of the data—making sure that the apparent sender really sent it. This is called authentication.

X Ensuring the integrity of the data—making sure that it has not been modified during its travel between sender and recipient. This is also called packet authentication.

X Providing confidentiality for the data—making sure that if an unauthorized party does intercept it, it cannot be read.

A secure VPN connection provides all three of these services using security protocols.

Protocols protect privacy

Just as a VPN requires a tunneling protocol to establish the virtual network, it also requires separate protocols to provide the privacy. These include:

X Authentication protocols

X Encryption protocols

Authentication protocols are used to validate the identity of a user or computer and ensure data integrity. Encryption protocols provide confidentiality.

The authentication and encryption protocols used for a VPN connection depend on the particular implementation by the vendor of the VPN solution and settings selected by the VPN user (on the client side) and the network administrator (on the server side).

For a VPN client and VPN server to establish a connection and communicate over an internetwork, they must support at least one

common authentication protocol and one common encryption protocol.

VPN authentication

There are different authentication levels associated with VPNs. Two of them are user-level authentication (PPP authentication) and machine-level authentication, which uses the Internet Security Association and Key Management Protocol (ISAKMP).

User-level authentication

When a VPN client attempts to make a connection to a VPN server, the server will use a PPP user-level authentication method to confirm the client's identity based on the user's credentials (account name and password or smart card and PIN). In addition, the VPN server must verify that the client has the proper permissions to establish the connection (this is called authorization or access control).

With mutual authentication, the process goes both ways; the client also authenticates the server to verify its identity and protect against server masquerading.

Some user-level authentication protocols include:

X Password Authentication Protocol (PAP), which uses plain text passwords to authenticate the client's identity.

X Shiva PAP (SPAP), which is used to authenticate Shiva clients.

X Challenge Handshake Authentication Protocol (CHAP), where the server "challenges" the remote client to supply authentication credentials. Message Digest 5 (MD5) is used to hash the message, allowing the hash value to be sent across the network instead of the actual password.

X Microsoft CHAP (MS-CHAP), which is a version of CHAP developed by Microsoft to authenticate Windows clients. MS-CHAP v2 is a mutual authentication protocol by which both the client and the server prove their identities to one another.

The first two are supported by Cisco's L2F implementation; the third is associated with Microsoft's PPTP.

TIP: Hashing is a nonreversible method of applying an algorithm (formula) to a string of characters, such as a password, to disguise the original data. It is called nonreversible because you cannot reverse the formula and recover the original data.

Authentication can also be provided by Remote Authentication Dial-In User Service (RADIUS), which is an industry-standard protocol that requires clients to send user and connection information to a RADIUS server, which authenticates the client and authorizes the connection request.

PAP is the least secure authentication method because if an unauthorized person uses a packet sniffer (for example, the Network Monitor software built into Windows NT/2000) to capture the data as it travels across the network, he or she will be able to view the contents of the packets and read the password. PAP is not recommended for VPN authentication.

Machine-level authentication

When the IPSec encryption protocol is used, the authentication of the client and server machines is done using machine certificates. The ISAKMP protocol is used to create a security association, and the Oakley key-generation protocol is used to generate and manage the authenticated keys that are used to secure the data.

TIP: Digital certificates use cryptography to verify identity, while making it difficult for an unauthorized person to intercept, alter, or spoof (forge) data. Certificates use public and private keys (a key pair) to sign messages; the sender's public key is included in the certificate. The sender signs the message using his or her private key. Using the public key that matches it, the recipient can verify the sender's identity.


VPN encryption

The data that passes through a VPN tunnel is encrypted to provide confidentiality. When it reaches its destination, it is then decrypted so it can be read. If someone captures the data packets in transit, he or she will not be able to read the messages without access to the encryption key. The key is used to lock the data, and the longer the key is, the more secure it is. Just as a ten-letter password is more difficult to guess than one with only three letters, a 128-bit key is more difficult to crack than a 40-bit key.

The protocol used to secure VPN data depends on the encapsulation protocol that is used to build the tunnel. For example, Microsoft PPTP VPNs use the Microsoft Point-to-Point Encryption (MPPE) protocol. The specifications for Cisco's L2F (see RFC 2341) do not specify an encryption protocol.

Both Microsoft and Cisco now support L2TP as the preferred tunneling protocol. Both implementations operate in conjunction with the IP Security Protocol (IPSec) to provide encryption.

L2TP is an Internet standard, defined in RFC 2661. IPSec is described in RFC

IPSec was developed to add security to data that travels across a network (not only VPN connections) and is capable of providing both authentication and encryption. The components of IPSec are:

X Authentication Header (AH)

X Encapsulating Security Payload

X Security associations (SAs)

Let's take a look at how these components work.

Figure A: [IP Header | Authentication Header | TCP/UDP header and data]; the entire packet is signed. AH signs the entire packet, providing authentication and integrity but not confidentiality.

Figure B: Workstations on one private network, a VPN server, the Internet (VPN tunnel), a second VPN server, and workstations on the other private network. When ESP is used between two gateways, data is encrypted only when traveling over the Internet.

IPSec Authentication Header (AH)

AH can provide authentication and integrity between a set of hosts or between a set of gateways. Both ends of the connection must implement AH. It is important to understand that AH does not provide confidentiality of data; it can still be read if intercepted. However, it does provide protection from modification. The packet is signed, and the signature ensures that the identity of the sender is known and that the data has not changed since it left the sender.

The authentication header is placed between the IP header and the TCP/UDP header on the data packet. The entire packet is signed (see Figure A).

IPSec Encapsulating Security Payload

Encapsulating Security Payload (ESP) can provide authentication, integrity, and confidentiality of data traveling between two or more hosts or two or more gateways that have

implemented ESP. VPNs often utilize gateway-to-gateway encryption, which protects the data while it is traveling on the public Internet. In this case, data is not encrypted while on the private network (see Figure B).

ESP and AH can operate in two modes: transport mode or tunnel mode. In tunnel mode, ESP creates a tunnel to provide privacy for tunneled packets. The packets can be encrypted using Data Encryption Standard (DES) or 3DES (also called Triple DES), although encryption is not required if only authentication and integrity are desired and confidentiality is not required.

ESP in transport mode is used to provide the security for a tunnel created by L2TP. When used in transport mode, ESP does not sign the entire packet. It protects the data, but not the IP header (see Figure C).

IPSec security associations

IPSec creates a security association (SA) to define the security services and keys that will be used to secure a communication between two hosts or gateways. The security association is like a contract between the sending and receiving computers (source and destination) that lays out the terms or rules for the transaction.

The Internet Engineering Task Force (IETF) has established a standardized way for this process to take place, using two technologies:

X ISAKMP

X Oakley

ISAKMP manages the security associations and negotiates the security policies. Oakley generates the authenticated keys that are used to protect the data. ISAKMP/Oakley is known as the Internet Key Exchange (IKE). Cisco Systems prepared IETF drafts specifying standards for IKE and made a version of IKE available at no charge via the Internet.

The security association is established by a two-part process:

X Key exchange

X Data protection

During the key exchange step, the communicating computers create the ISAKMP SA. Oakley protects the identities during this step. Policy is negotiated, and the computers exchange information that allows the generation of a shared secret key, which is generated by the Diffie-Hellman protocol. The computers must then authenticate the key information exchange (note that the keys themselves are not exchanged; only the information that is used to generate the shared "master" key).

The second step, data protection, begins with the negotiation of a pair of SAs that are called the IPSec SAs (to differentiate them from the ISAKMP SA). Policies are negotiated for the new SAs. There are two because one is used for inbound communication and the other for outbound. The ISAKMP SA protects the negotiation. Multiple IPSec SAs can be protected by one ISAKMP SA.

The IPSec authentication and encryption process

Once the SAs have been established, the sending computer will use the outbound IPSec SA to sign the packets (to provide integrity) and encrypt the data (for confidentiality). The packets will then be transmitted through the tunnel to the destination computer.

The destination computer will use the inbound SA and corresponding key to verify

Figure C: [IP Header | ESP Header | ESP Data | ESP Trailer | ESP Authentication]. Data and ESP trailer are encrypted; ESP header, data, and ESP trailer are signed. In transport mode, ESP does not sign the entire packet.
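Figures A and C make a claim that is worth checking on actual bytes: AH signs the whole packet including the IP header but leaves the data readable, while transport-mode ESP hides the data and signs only the ESP header, data and trailer, so a change to the IP header goes unnoticed. The example below is added for this page and is not the article's code. It builds one constructed IPv4 header and payload, protects them with a simplified AH and a simplified transport-mode ESP, and then tampers with each. The integrity check is HMAC-SHA256 truncated to 12 bytes; the cipher is a toy SHA-256 counter keystream standing in for DES/3DES (the standard library has no block cipher), and the constructed header is treated as fully immutable, whereas real AH zeroes the mutable fields such as TTL and checksum before signing.

```python
"""What AH and transport-mode ESP each cover on one packet (Figures A and C).
Added example, not the article's code. The integrity check is HMAC-SHA256
truncated to 12 bytes; the cipher is a toy SHA-256 counter keystream standing in
for DES/3DES because the standard library has no block cipher. Header bytes and
keys are constructed."""
import hashlib
import hmac
import struct

IP_HDR_LEN = 20
SPI, SEQ, NEXT_TCP = 0x1000_0001, 1, 6
ICV_LEN = 12

# Constructed 20-byte IPv4 header: 192.168.10.10 -> 192.168.10.20, protocol TCP.
IP_HEADER = bytes.fromhex("45000054 00010000 40060000 c0a80a0a c0a80a14")
PAYLOAD = b"TCP header + application data that the tunnel carries"
AUTH_KEY = b"constructed-auth-key-32-bytes-xx"
ENC_KEY = b"constructed-enc-key-32-bytes-xxx"
IV = b"fixed-iv"  # constructed; a real SA uses a fresh IV per packet


def icv(key, covered):
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def keystream_xor(key, iv, data):
    """Toy stream cipher: XOR with SHA-256(key||iv||counter) blocks. Illustration only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + iv + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def ah_protect(ip_header, payload):
    """AH sits between the IP header and the payload; the ICV covers everything.
    (Real AH zeroes mutable IP fields first; the constructed header is treated as immutable.)"""
    ah = struct.pack(">BBHII", NEXT_TCP, 4, 0, SPI, SEQ)  # next hdr, length, reserved, SPI, seq
    tag = icv(AUTH_KEY, ip_header + ah + bytes(ICV_LEN) + payload)
    return ip_header + ah + tag + payload


def ah_verify(packet):
    ip_header, ah = packet[:IP_HDR_LEN], packet[IP_HDR_LEN:IP_HDR_LEN + 12]
    tag, payload = packet[IP_HDR_LEN + 12:IP_HDR_LEN + 24], packet[IP_HDR_LEN + 24:]
    ok = hmac.compare_digest(tag, icv(AUTH_KEY, ip_header + ah + bytes(ICV_LEN) + payload))
    return ok, payload


def esp_protect(ip_header, payload):
    """Transport-mode ESP: data and trailer encrypted; ESP header, IV and ciphertext
    signed; the IP header is neither encrypted nor signed."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_TCP])
    esp_header = struct.pack(">II", SPI, SEQ)
    ciphertext = keystream_xor(ENC_KEY, IV, payload + trailer)
    tag = icv(AUTH_KEY, esp_header + IV + ciphertext)
    return ip_header + esp_header + IV + ciphertext + tag


def esp_verify(packet):
    body = packet[IP_HDR_LEN:]
    esp_header, iv, ciphertext, tag = body[:8], body[8:16], body[16:-ICV_LEN], body[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(AUTH_KEY, esp_header + iv + ciphertext)):
        return False, None
    plaintext = keystream_xor(ENC_KEY, iv, ciphertext)
    pad_len = plaintext[-2]
    return True, plaintext[:len(plaintext) - pad_len - 2]


def flip_byte(packet, index):
    return packet[:index] + bytes([packet[index] ^ 0x01]) + packet[index + 1:]


def coverage_report():
    """The behaviours the article describes, checked on real bytes."""
    ah, esp = ah_protect(IP_HEADER, PAYLOAD), esp_protect(IP_HEADER, PAYLOAD)
    return {
        "ah_payload_readable": PAYLOAD in ah,
        "ah_detects_header_change": not ah_verify(flip_byte(ah, 19))[0],
        "ah_detects_data_change": not ah_verify(flip_byte(ah, len(ah) - 1))[0],
        "esp_payload_readable": PAYLOAD in esp,
        "esp_detects_header_change": not esp_verify(flip_byte(esp, 19))[0],
        "esp_detects_data_change": not esp_verify(flip_byte(esp, 40))[0],
        "esp_roundtrip": esp_verify(esp) == (True, PAYLOAD),
    }
```

`coverage_report()` returns one boolean per claim: AH leaves the payload readable but catches changes to both the header and the data; ESP hides the payload and catches changes to the data, but a flipped byte in the IP header passes ESP verification untouched, which is exactly why the article says transport-mode ESP "does not sign the entire packet".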


the integrity signature and decrypt the data, tunneled data. One of the most common secu-
and then the decrypted data will be passed by rity protocols in use today is IPSec. IPSec can
TCP/IP to the appropriate application. provide authentication, integrity, and confiden-
tiality. It can even be used in tunnel mode as
TIP the encapsulation protocol that creates the vir-
If there is a firewall, proxy server, or router tual tunnel, however, it is more often used in
functioning as a security gateway between transport mode to provide encryption of data
the communicating computers, packet fil- that passes through an L2TP tunnel. Microsoft
tering must be configured to allow the and Cisco, along with other vendors, support
IPSec packets to go through. L2TP and IPSec as the most secure and effec-
tive means of implementing VPNs.
In this article, I discussed how VPNs work
Summary and went under the hood to examine the secu-
Security is a major concern for VPN imple- rity protocols that put the “private” into virtual
mentations because the data passes across the private networking.
public Internet to reach the private network.
There are many ways to provide protection for
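The two-phase exchange and the per-direction SAs described above, followed by one ESP packet built and checked the way Figure C lays it out, as an added example. This is illustrative code written for this edition of the page, not code from the article or from Windows 2000. It assumes HMAC-MD5 as the IKE PRF and as the ESP integrity algorithm (the page's default ESP/HMAC MD5 offer), derives keys following RFC 2409 (SKEYID for signature authentication, SKEYID_d, and phase-2 KEYMAT without PFS), uses the 1024-bit Oakley group 2 modulus (verify the constant against RFC 2409 before reusing it), and, because the standard library has no DES, replaces DES-CBC with a clearly labelled stand-in keystream. The SPIs, nonces and placeholder IP header are constructed.

```python
"""IKE-style two-phase key agreement followed by ESP transport-mode protection.
Added example, not code from the original article. Assumptions: PRF is
HMAC-MD5 (the page's default "HMAC MD5" offer); key derivation follows
RFC 2409 (SKEYID for signature authentication, SKEYID_d, phase-2 KEYMAT
without PFS); the bulk cipher is a labelled stand-in keystream, not DES-CBC."""
import hashlib
import hmac
import os
import struct

# Oakley group 2 (RFC 2409): 1024-bit MODP prime, generator 2.
# Verify the constant against the RFC before relying on it.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
ESP_PROTO = 50  # IP protocol number of ESP; mixed into the phase-2 KEYMAT


def prf(key, data):
    """IKE PRF: HMAC keyed with `key` over `data`, using the negotiated hash."""
    return hmac.new(key, data, hashlib.md5).digest()


class Peer:
    """One ISAKMP peer. Only cookie, nonce and g^x are ever sent; x is not."""

    def __init__(self):
        self.cookie = os.urandom(8)
        self.nonce = os.urandom(16)
        self._x = int.from_bytes(os.urandom(32), "big")
        self.public = pow(G, self._x, P)
        self.skeyid_d = b""

    def phase1(self, peer_public, cky_i, cky_r, ni, nr):
        """ISAKMP SA: derive SKEYID and SKEYID_d from the locally computed g^xy."""
        gxy = pow(peer_public, self._x, P).to_bytes(128, "big")
        skeyid = prf(ni + nr, gxy)
        self.skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
        return skeyid

    def phase2_keys(self, spi, ni2, nr2, need=40):
        """IPSec SA keys for one SPI: (24-byte 3DES-sized key, 16-byte HMAC-MD5 key)."""
        keymat, k = b"", b""
        while len(keymat) < need:   # K1 = prf(SKEYID_d, proto|SPI|Ni|Nr); K2 = prf(SKEYID_d, K1|...)
            k = prf(self.skeyid_d, k + bytes([ESP_PROTO]) + spi + ni2 + nr2)
            keymat += k
        return keymat[:24], keymat[24:40]


def _keystream(key, seq, n):
    """Stand-in for DES-CBC: HMAC-MD5 in counter mode (example only, not IPSec)."""
    blocks = (hmac.new(key, struct.pack(">IQ", seq, b), hashlib.md5).digest()
              for b in range((n + 15) // 16))
    return b"".join(blocks)[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(spi, seq, ckey, akey, payload, next_header=6):
    """Transport-mode ESP: SPI | seq | enc(payload|pad|padlen|next_hdr) | ICV.
    The ICV (HMAC-MD5-96) covers ESP header, data and trailer, not the IP header."""
    padlen = (-(len(payload) + 2)) % 4
    plain = payload + bytes(range(1, padlen + 1)) + bytes([padlen, next_header])
    body = spi + struct.pack(">I", seq) + _xor(plain, _keystream(ckey, seq, len(plain)))
    return body + hmac.new(akey, body, hashlib.md5).digest()[:12]


def esp_decapsulate(spi, ckey, akey, esp):
    """Receiver side: check the ICV before decrypting; return None on any failure."""
    body, icv = esp[:-12], esp[-12:]
    expected = hmac.new(akey, body, hashlib.md5).digest()[:12]
    if body[:4] != spi or not hmac.compare_digest(icv, expected):
        return None
    seq = struct.unpack(">I", body[4:8])[0]
    plain = _xor(body[8:], _keystream(ckey, seq, len(body) - 8))
    padlen = plain[-2]
    return plain[:len(plain) - 2 - padlen]


def demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Run both phases between an initiator and a responder, then one ESP packet."""
    i, r = Peer(), Peer()
    skeyid_i = i.phase1(r.public, i.cookie, r.cookie, i.nonce, r.nonce)
    skeyid_r = r.phase1(i.public, i.cookie, r.cookie, i.nonce, r.nonce)
    ni2, nr2 = os.urandom(16), os.urandom(16)               # quick-mode nonces
    spi_out, spi_in = b"\x00\x00\x10\x01", b"\x00\x00\x20\x02"  # constructed SPIs, one per direction
    k_out = i.phase2_keys(spi_out, ni2, nr2)     # initiator's outbound SA ...
    k_in = r.phase2_keys(spi_out, ni2, nr2)      # ... is the responder's inbound SA
    k_other = i.phase2_keys(spi_in, ni2, nr2)    # reverse direction gets different keys
    esp = esp_encapsulate(spi_out, 1, *k_out, payload)
    tampered = esp[:12] + bytes([esp[12] ^ 0x01]) + esp[13:]   # flip one ciphertext byte
    ip_hdr = bytes(20)                           # constructed placeholder IPv4 header
    return {
        "master_keys_agree": skeyid_i == skeyid_r,
        "sa_keys_agree": k_out == k_in,
        "directions_differ": k_out != k_other,
        "decrypted": esp_decapsulate(spi_out, *k_in, esp),
        "tampered_rejected": esp_decapsulate(spi_out, *k_in, tampered) is None,
        # the IP header sits outside the ICV, so a rewritten header is invisible to ESP
        "ip_header_unprotected": esp_decapsulate(spi_out, *k_in, (b"\xaa" + ip_hdr[1:] + esp)[20:]) == payload,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it prints six checks. The last one is the point Figure C makes and that the later article on AH comes back to: ESP in transport mode leaves the IP header outside the ICV, so only adding AH (IP protocol 51) would detect a rewritten address.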

Configuring certificates for an L2TP/IPSec VPN

Dec 14, 2001
By Carol Bailey, MCSE+I

Much has been written on the merits of using a virtual private network (VPN) connection for remote access and how Windows 2000's Routing and Remote Access (RRAS) service has greatly simplified the process. The main benefit of a VPN is cost savings, since it allows corporations to use a persistent Internet connection rather than a bank of modems, and calls are cheaper for users because they incur only local charges to their ISP rather than long-distance costs.

Many of us have mastered the use of PPTP connections for a VPN. However, Windows 2000 (and Windows XP) natively supports the more secure form of VPN, L2TP/IPSec. Unfortunately, little has been written about how to configure L2TP/IPSec beyond saying, "It's more complicated." So this three-part series will provide a step-by-step tutorial on how to get Windows 2000 Professional to make an L2TP/IPSec connection to a Windows 2000 VPN server, as well as how to customize and maintain that connection. In this installment, I'll explain how to use the Windows 2000 Certification Authority service to achieve a connection. Then, my next two articles will focus on customizing and troubleshooting L2TP/IPSec connections.

WIN2K VPN AND RRAS BASICS
For the basics on using and configuring Windows RRAS with VPN connections, see "Setting up a VPN with Windows 2000" (page 53).

It all starts with the certificates
The most likely reason that L2TP/IPSec connections fail is because of problems with certificates. In its default configuration, a valid computer certificate is required on both the client and the server. There are various ways of obtaining a computer certificate for an L2TP/IPSec connection, such as using a third-party Certification Authority like VeriSign (which should provide its own instructions on this) or using Windows 2000 Active Directory automatic certificate deployment.

However, this article will describe how to use L2TP/IPSec connections by issuing your own certificates—without Active Directory—using the Windows 2000 Certification Authority service in Stand-alone mode. This allows anyone with a Windows 2000 Server to benefit from L2TP/IPSec connections regardless of whether they're running Active Directory, they have an NT 4.0 domain, or they have a simple Windows Workgroup.

These instructions also hold good for using just IPSec on your network, outside the VPN environment, although we won't describe the IPSec policy configuration.

Preliminary configuration steps
Make the following checks before we begin:

• First, ensure that your Windows 2000 Professional client can successfully connect to your Windows 2000 RRAS server using PPTP with TCP/IP. This will verify that the basics of RRAS are working, that associated hardware (modem, router, cable modem, etc.) is working, that the user is allowed remote access, that remote access policies aren't preventing a successful connection, and that IP address assignment is handled correctly.

• Second, ensure that your client's Internet connection is not going through a network address translation (NAT) server. Microsoft's IPSec implementation has known problems with NAT. If all your clients' Internet connections must go through NAT (as opposed to having static IP addresses), Microsoft's L2TP/IPSec implementation is probably not for you.

• Third, if you have a firewall between the client and server, you may need to reconfigure it to allow the L2TP/IPSec connection through. Open UDP port 500 (IKE) and IP protocol 50 (ESP). Note that 50 is an IP protocol number, not a port number, so a filter rule that opens "port 50" will not let ESP through. If you suspect your firewall or another intermediary device (e.g., NAT server) may be preventing your L2TP/IPSec connections from working, my next article will help. I'll describe how to eliminate Internet devices to confirm whether these are preventing the L2TP/IPSec connections from working.

Configuring the Certification Authority service
Deploying your own certificates with an in-house Certification Authority requires careful planning. For example, you need to think about the hierarchy you'll be using (root CA, subordinate and issuing servers), the certificate lifetimes and key lengths, and how you will secure this service. (Standard advice is to take the root CA offline and physically secure it until needed.) One of the best sources of information on this is Microsoft's white paper Windows 2000 Certificate Services (…treeview/default.asp?url=/TechNet/…2000cert.asp).

To streamline the process for the testing purposes of this tutorial, we will use only an online root CA as the issuing certificate server. Certificates will be requested and issued through the Web browser, so IIS also needs to be running on the certification server. However, these services will be on a different server from the one running RRAS, just as they should be on a production network.

On the Windows 2000 Server, you will be installing the Certification Authority service. First, double-check to make sure that the date and time are correct on the server, because certificate validity is based on timestamps. Then, go to Add/Remove Windows Components and select Certificate Services. You'll see a warning dialog box telling you that after installing this service, the computer cannot be renamed, join a domain, or be removed from one. Click Yes to continue and then click Next.

Now, you'll be prompted to configure the Certification Authority service. The first window prompts for Certification Authority Type. Select Stand-alone Root CA (Figure A) and click Next.

Figure A: Specifying the Certification Authority Type
Figure B: Specifying the CA details

The next prompt will ask for CA Identifying Information, with some defaults already in place. The defaults are for your country/region, the validity time of the certificate (two years), and the expiration date/time. Fill in the other boxes with as much or little information as you desire, although you must supply a CA name. My example uses the CA Name of MyCompany Root (reminding me that this is the root CA), as you can see in Figure B.

The next screen is for the Data Storage Location, which refers to the certificate database and log. Keep the defaults and click Next. You should now see a warning box that IIS is running on the computer and must be stopped to proceed. Stopping IIS will allow us to create the virtual directory we are going to use for deploying the certificates. Click OK, and the CA virtual directory will install (prompting for the Windows 2000 source files, so have the CD handy or have the files available locally or over a network connection). When the installation is complete, click the Finish button and then click Close. There's no need to reboot.

You should now have Certification Authority listed as one of your Administrative Tools on this server. Load it up, and it should look like Figure C. Under the CA, you'll see folders for Revoked Certificates, Issued Certificates, Pending Requests, and Failed Requests. At the moment, all of these should be empty. Keep this console open, because you will need it to manually issue the computer certificate requests.

Figure C: The newly installed Certification Authority service

Configuring the systems for your Certification Authority
For the computer certificate element to work, both client and server need to have a Certification Authority in common. Then, both need to have a computer certificate issued by that CA. If you are using one of the well-known third-party CAs (such as VeriSign), you won't need to complete the additional step of retrieving the Certification Authority certificate. Windows 2000 ships with these, as you will see if you run Internet Explorer, choose Internet Options from the Tools menu, select the Content tab, click the Certificates button, and select the Trusted Root Certification Authorities tab.

You'll need to complete the following steps on both the Windows 2000 RRAS server and the Win2K Pro client machine. Again, before you begin, verify the correct date and time on these machines, as we did for the CA server. Note that in this tutorial, the client workstation and the RRAS server will need to connect to the CA server. The workstation could complete this step when it's on the corporate network (if it's a laptop) or after connecting through the VPN server using PPTP (if it's a remote workstation).

Open Internet Explorer and go to http://<CA servername>/certsrv (where <CA servername> is the name or IP address of the CA server we just set up). In my example, this would be http://w2kca/certsrv. You should see the home page for Microsoft Certificate Services with the name you gave the CA displayed at the top, as shown in Figure D.

Figure D: Connecting to the Microsoft Certificate Services Web site

Instead of requesting a certificate immediately (the default option), select the top option, Retrieve The CA Certificate Or Certificate Revocation List, and click Next. The following page allows you to install the CA path directly from the server (possible because we are connecting to it over the network) or download the CA certificate into a file (an approach you should use when the CA server is not connected to the network, as would be the case with an offline CA). Click on the Install This CA Certification Path link, as shown in Figure E. This will result in a warning message asking you to confirm that you want to add the certificate to your Root Store. You'll then see some information about the certificate, including the name you gave it, the fact that it was self-issued (because it is a root CA, there is no higher server to sign this certificate), and other information, such as the time validity, serial number, and unique thumbprint. Because the certsrv pages are fetched over plain HTTP, that thumbprint is the only evidence that you are installing your own root and not something substituted on the path, so compare it against the thumbprint of the CA's certificate as displayed on the CA server itself before you click Yes. The next screen should inform you that the CA certificate has been successfully installed.

Figure E: Installing the CA certificate over the network

Requesting the certificate
Once you've installed the CA certificate, click Home or connect to the Certificate Web site again. This time, we're ready to request a certificate (the default option), so make sure this option is selected and click Next.

The Choose Request Type screen will appear with the default being User Certificate Request For Web Browsing. Remember that IPSec uses computer certificates and not user certificates, so this default will not work for our L2TP/IPSec connection. Instead, select Advanced Request and click Next to display the Advanced Certificate Requests screen. Accept the default selection of Submit A Certificate Request To This CA Using A Form and click Next.

Now you'll be prompted to fill in the details of the certificate you require. The information you supply here serves two purposes. First, it allows the CA administrator (who must manually inspect each certificate request) to identify you and check that the information you are supplying is in accordance with acceptance policies. Second, it dictates the certificate's specification in terms of its usage and security. Fill this in with care. You will need to specify an identifying name (e.g., RRAS Server), and the Intended Purpose must be either Server Authentication Certificate (e.g., for the RRAS server) or Client Authentication Certificate (e.g., for the VPN client). You must also select both Create New Key Set and Use Local Machine Store, as shown in Figure F.

Figure F: Requesting a computer certificate for IPSec

For a production environment, you might need to change some of the other options for security reasons (e.g., the key size), but these settings will suffice for our test connection. Click Submit, and the next screen will tell you that your certificate is pending—waiting on the administrator to issue it—and that you must retrieve it within 10 days. Happily, since you are the CA administrator, you don't have to wait that long.

Figure G: The Pending Certificate request

Issuing a certificate from the Certification Authority
In the Certification Authority console on your server, you should now have an entry under the Pending Requests folder, as shown in Figure G.

If you scroll through the details pane so you can see all the column information, you'll notice that this is where the administrator would check the identification details before issuing the certificate and use the e-mail address supplied if necessary to check or verify information. However, since we know this is our certificate request, we can quickly issue it by right-clicking on it in the details pane and selecting All Tasks | Issue. The entry will disappear from the Pending Requests folder and will appear under Issued Certificates.

Installing the certificate
Back on the server or workstation, click on Home or reconnect to the Certificate Web site again. This time, select Check On A Pending Certificate, and you will be prompted to select the certificate you requested. Because it's the only one, it will be selected by default, so go ahead and click Next. The following screen will inform you that the certificate was issued. Click on Install This Certificate, as shown in Figure H. The final screen should tell you that your certificate has been successfully installed, and you can now close the browser.

Figure H: Installing the certificate

Ready to connect
That's it. When you've completed these steps on both your client computer and RRAS server, they should have your CA root certificate installed and have computer certificates from this CA that allow them to use IPSec.

Because Windows 2000 automatically generates IPSec policies for L2TP/IPSec connections, you should have nothing further to do but stop and restart your RRAS service and try a VPN connection from the client machine. The defaults supplied with Windows 2000 mean that an L2TP/IPSec connection will be tried before a PPTP connection. If your RAS client connects, check the Ports listed in the RRAS console. If it lists a WAN Miniport (L2TP) VPN device as Active, you have an L2TP/IPSec connection up and running.

Final word
This tutorial has explained how to achieve an L2TP/IPSec VPN connection between a Windows 2000 RAS client and Windows 2000 RRAS server using the Windows 2000 Certification Authority service.

Protocols 191

Customize the security of L2TP/IPSec connections
Dec 18, 2001
By Carol Bailey, MCSE+I

Those who are familiar with a PPTP VPN in Windows 2000 will find that an L2TP/IPSec VPN is quite similar but contains some more complicated settings and management. Along with configuring computer certificates, which I discussed in "Configuring certificates for an L2TP/IPSec VPN" (page 191), an L2TP/IPSec connection involves some in-depth work with the VPN settings and other configuration options. This article will introduce you to the more advanced approaches that will enable you to customize the security of your Win2K L2TP/IPSec connections. This will include:

• How the default L2TP/IPSec policies work.
• How to monitor the IPSec connections.
• How to override the default IPSec settings.

How the default L2TP/IPSec policies work
When you're using Microsoft's IP Security (IPSec) outside a VPN environment, you must assign a preconfigured IPSec policy to the computers. The Security Policy console (under Administrative Tools) allows you to view and edit these IPSec policies. However, by default, Microsoft uses a hidden, automatic IPSec policy for L2TP connections, which you won't see in the Security Policy console. It is called the L2TP Rule, and you can see it only when it's in use.

The default L2TP Rule policy is in use on the server when the RRAS server is listening on L2TP ports and on the remote workstation when the client tries to connect over L2TP/IPSec. If you stop the IPSec policy agent on the VPN server (for example, by typing net stop policyagent) after RRAS has initialized, you will delete this default policy. To re-create it, restart the policyagent service and then the RRAS service, or reboot. The default L2TP Rule is automatically deleted on the Windows 2000 client whenever the L2TP/IPSec connection is

By default, a Windows 2000 client VPN connection will try an L2TP/IPSec connection first. If this fails, it then falls back to trying PPTP. This is why there is no need to change anything in the client's connection properties if the defaults are still in use when you try to make an L2TP connection from the client. However, you might want to change this for security reasons so that only an L2TP/IPSec connection will be tried and a failed IPSec negotiation cannot silently downgrade the connection to PPTP. If so, you will need to go into the connection's Network properties and change the Type Of VPN Server I Am Calling setting from Automatic to Layer-2 Tunneling Protocol (L2TP).

You can check to see that an L2TP connection is being used on the VPN server by looking at the Ports folder in the RRAS console on the VPN server. Look for an Active status on an L2TP WAN Miniport, as shown in Figure A.

Figure A: RRAS showing an active L2TP connection

The RRAS console will tell you that an L2TP connection is being used, but it won't tell you anything about the IPSec side of the connection. To see exactly what IPSec settings are being used, you'll have to delve a little deeper.

How to monitor the IPSec connections
You use some of Win2K's standard IPSec monitoring utilities to see what IPSec settings are being used for your L2TP/IPSec connections. This article assumes that you have a basic understanding of how IPSec connections work, along with their basic components. However, if you need some background information, these two resources are a good place to start:

• "IP Security for MS Windows 2000 Server" white paper (…treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/evaluate/featfunc/ipsecure.asp)
• "Internet Protocol security (IPSec)" from the Windows 2000 Server Manual (…WINDOWS2000/en/server/help/ipsec.htm)

You can see the L2TP policy in use with the IP Security Monitor. When you have a successful L2TP/IPSec connection, type ipsecmon from a command prompt on the RRAS server, and you'll see the L2TP Rule policy. It should look similar to Figure B.

Figure B: The default L2TP/IPSec policy in use

This monitor gives you some (but not all) of the information on the current IPSec connection. To see all the information, you'll have to use the Netdiag Windows 2000 Support tool by typing netdiag /test:ipsec /v at the command line. You'll also have this level of information recorded in your Security Event log if you have enabled auditing for successful logons.

The policy filters on the VPN server are sensible ones that you probably shouldn't change. You'll find them under the Current Phase 2 SAs section when you use the Netdiag command. They are the source address(es) of the VPN server's Internet NIC to any destination address, and any source port from the VPN server to destination port UDP 1701.

However, what is interesting is that (as with any IPSec connection) the remote access client and VPN server can negotiate the security options that will be used for the connection. The default L2TP Rule allows the VPN server to offer 16 security preferences. (The equivalent options can be found under the Security Methods tab when using the Security Policy console.) To see all offers, type netdiag /test:ipsec /debug on the server.

The first match between client and server will be used, so if your Windows 2000 client and Windows 2000 VPN server offer the same level of encryption (e.g., both support only 56-bit encryption), the resulting security methods used will be data encryption (ESP) with DES in Cipher Block Chaining (CBC) mode, together with HMAC-MD5 as the integrity algorithm. This matches the ESP DES/CBC HMAC MD5 in Figure B. If both server and client support strong encryption (i.e., they both have Win2K SP2 installed), the resulting policy will be ESP 3DES/CBC HMAC MD5.

If the encryption levels are not the same on the server and the client, the lower one will be used. So if you want the highest encryption level on your L2TP/IPSec connections, ensure that both the server and all clients support strong (128-bit) encryption, which is what enables 3DES for IPSec. The easiest way to do this is to install SP2, or to install the High Encryption Pack if you are running a pre-SP2 machine with 56-bit encryption. However, you should realize that connections using 3DES are slower and demand more processing on the server.

You may be surprised when looking through the full list of 16 "offers" in Netdiag that there are more secure security methods on the list that will not be used by default because they are farther down the offer list. For example, you can use the Authentication Header (AH) together with ESP to ensure that the header information (addresses) is not changed in transit, and you can use SHA1, which is a stronger algorithm than MD5. However, both of these come with the overhead of additional processing, and if you use AH as well as ESP, you will also need to open Protocol ID 51 on your firewall.

The least secure offer on the list uses AH alone, without encrypting the data at all. This is not most people's idea of a virtual private network, but there may be times when this option is necessary for political reasons—for example, when the data is being transferred in a country where encryption is banned. However, if you specifically want to ensure that all connecting remote clients will encrypt their data, having this offer automatically listed (albeit at the bottom of the offer list) may worry you because you cannot change this default offer list. Fortunately, you can customize your IPSec settings to prevent the possibility that this offer will be used.

How to override the default IPSec settings
You may be wondering how it is possible to use any of the other offers if a Windows 2000 remote client connecting to a Windows 2000 VPN server uses the same policy, which always results in matching ESP with 3DES and MD5. Because the first match between client and server will be used, a VPN client that doesn't use the Microsoft default L2TP Rule may be configured with different security options, so you can't predict which of the 16 offers will be used. Because of this uncertainty, or a desire to use IPSec settings that are different from the default, you may have good cause to change the IPSec options on the VPN server.

For example, you may have deployed SP2 on all of your Windows 2000 computers for the security patches but do not want the extra processing of 3DES, and you want to use DES instead. Or you may want to use the strongest combination possible, AH and ESP, using the SHA1 algorithm. Or you may decide you don't want the risk of potentially offering a VPN connection that doesn't encrypt data.

If you decide to go this route, you'll need to disable the default L2TP/IPSec policy and create one manually that matches the security options you want to use. To disable the default policy, add a new registry value (REG_DWORD) named ProhibitIpSec and set it to 1 under the Windows Registry key shown in Listing A. Next, reboot the computer. You can do this just on your VPN server to ensure that only the security settings you want will be used, and then let the client work through its default offer list until a match is found. Or you can do the same on the client side so that both sides use only one offer.

Listing A: Registry key

Now, you need to configure your own IPSec policy and assign it. Make sure that you change the default authentication from Kerberos to certificates. Use the filters previously mentioned, select the security methods you want, and use Netdiag to ensure that your options are being implemented. Make sure you also choose to rekey every so often and select your own settings for this, or use the sensible defaults in the L2TP/IPSec policy, which are every 3,600 seconds or every 250,000 bytes.

Summary
This article has provided information that should help you understand, monitor, and tailor Microsoft's L2TP/IPSec connections for a more secure VPN connection. You'll find additional information on Microsoft's VPN site (…technologies/communications/vpn/).
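The first-match negotiation described in the sections on the default policies and on overriding them, as an added example. This is illustrative code written for this edition of the page, not the article's own and not Microsoft's policy engine. The offer list is a constructed, abbreviated stand-in for the 16-entry default L2TP Rule (the article does not print the real list), ordered the way the article describes: HMAC-MD5 methods above SHA1, ESP-only above AH+ESP, and an unencrypted AH-only method at the bottom. Which side's order governs is an assumption: the proposer's list is walked in order and the first method the responder also holds wins, which reproduces each outcome the article gives.

```python
"""First-match negotiation over an IPSec offer list (added example, not from
the article). The offer lists below are constructed stand-ins; the assumption
is that the proposer's order is walked first and the first method the
responder also holds is used."""
from dataclasses import dataclass
from typing import Optional

IKE_UDP_PORT = 500
ESP_PROTO, AH_PROTO = 50, 51


@dataclass(frozen=True)
class Offer:
    """One security method: an optional ESP cipher, an HMAC hash, optional AH."""
    esp_cipher: Optional[str]   # "3DES", "DES", or None for no ESP at all
    hmac_hash: str              # "MD5" or "SHA1"
    ah: bool = False            # Authentication Header negotiated as well

    def label(self):
        parts = []
        if self.ah:
            parts.append(f"AH HMAC {self.hmac_hash}")
        if self.esp_cipher:
            parts.append(f"ESP {self.esp_cipher}/CBC HMAC {self.hmac_hash}")
        return " + ".join(parts)

    @property
    def encrypts(self):
        return self.esp_cipher is not None

    def firewall_rules(self):
        """What a packet filter between the peers must pass for this method."""
        rules = {f"udp/{IKE_UDP_PORT}"}          # IKE negotiation
        if self.esp_cipher:
            rules.add(f"ip-proto/{ESP_PROTO}")   # ESP is an IP protocol, not a port
        if self.ah:
            rules.add(f"ip-proto/{AH_PROTO}")
        return rules


# Constructed, abbreviated stand-in for the default L2TP Rule list (the real one
# has 16 entries). The order is what matters: MD5 before SHA1, ESP-only before
# AH+ESP, and an unencrypted AH-only method at the very bottom.
DEFAULT_OFFERS = [
    Offer("3DES", "MD5"), Offer("DES", "MD5"),
    Offer("3DES", "SHA1"), Offer("DES", "SHA1"),
    Offer("3DES", "MD5", ah=True), Offer("DES", "MD5", ah=True),
    Offer("3DES", "SHA1", ah=True), Offer("DES", "SHA1", ah=True),
    Offer(None, "MD5", ah=True),
]


def without_strong_crypto(offers):
    """A pre-SP2 peer without the High Encryption Pack cannot offer 3DES."""
    return [o for o in offers if o.esp_cipher != "3DES"]


def negotiate(proposer, responder):
    """First offer in the proposer's list that the responder also accepts."""
    accepted = set(responder)
    for offer in proposer:
        if offer in accepted:
            return offer
    return None


def negotiate_label(proposer, responder):
    chosen = negotiate(proposer, responder)
    return chosen.label() if chosen else "NEGOTIATION FAILED"


def scenarios():
    """The cases the article discusses, plus the one it warns about (AH only)."""
    sp2_client = sp2_server = DEFAULT_OFFERS
    old_client = without_strong_crypto(DEFAULT_OFFERS)
    ah_only_client = [Offer(None, "MD5", ah=True)]      # third-party client, constructed
    hardened_server = [Offer("3DES", "SHA1")]           # custom policy after ProhibitIpSec
    return {
        "both SP2": negotiate_label(sp2_client, sp2_server),
        "pre-SP2 client, SP2 server": negotiate_label(old_client, sp2_server),
        "SP2 client, pre-SP2 server": negotiate_label(sp2_client, without_strong_crypto(sp2_server)),
        "AH-only third-party client, default server": negotiate_label(ah_only_client, sp2_server),
        "AH-only third-party client, hardened server": negotiate_label(ah_only_client, hardened_server),
        "default client, hardened server": negotiate_label(sp2_client, hardened_server),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case}: {outcome}")
```

The AH-only scenario is the one the article warns about: a third-party client that proposes nothing but AH is accepted by the default list and gets a "VPN" that encrypts nothing, and only a server-side policy that drops that offer (the hardened list) turns it into a failed negotiation. A default Windows client against that hardened server still connects, because it walks its own list until it reaches the SHA1 method. `firewall_rules()` shows why AH+ESP needs IP protocol 51 opened as well as 50.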


Troubleshooting L2TP/IPSec VPN connections in Win2K
Dec 20, 2001
By Carol Bailey, MCSE+I

Setting up and managing an L2TP/IPSec VPN in Windows 2000 is quite different in many respects from working with a standard PPTP VPN. So it's not surprising that troubleshooting these connections also requires some unique tactics, as this article will demonstrate.

Microsoft's L2TP/IPSec connections usually fail for two main reasons:

• Problems with certificates
• Internet device problems (e.g., routers, switches, firewalls, or NAT)

Other potential problems include:

• Straining server resources
• Interoperability with other systems

Problems with certificates
My article "Configuring certificates for an L2TP/IPSec VPN" (page 191) worked through an example of how to use your own in-house CA to issue the computer certificates required for L2TP/IPSec connections in Windows 2000. If you suspect that certificates may be to blame for your L2TP/IPSec connections failing to connect, try the steps in this article. Alternatively, you can use Microsoft's testing site (…) to install a computer certificate from Microsoft's online CA.

Here are a few other things to check:

• Verify that the date/time is correct on the client and the VPN server (and the issuing CA, if using an in-house CA).
• Open the Certificates console on the client and verify that the CA path is installed, if using an in-house CA. You can confirm that it exists under Trusted Root Certification Authorities | Certificates, and check that the computer certificate is listed and valid under Personal | Certificates.

If you still suspect that certificates may be the problem, an option to confirm this is eliminating them and using password authentication instead of certificates. This is possible only if you disable the default L2TP/IPSec policy and configure your own IPSec settings.

One of the advantages of using your own IPSec policy is that you can change the authentication method from certificates to passwords. You may decide that this is a configuration you actually want to use all the time rather than just for troubleshooting, because it allows you to use L2TP/IPSec and bypass all the overheads of installing, managing, and maintaining your own Certificate Authority. Perhaps you cannot justify the expense of using a third-party Certificate Authority, or you have a non-Microsoft L2TP/IPSec client that is compatible but can use only passwords. However, Microsoft does not endorse using computer password authentication for L2TP/IPSec connections. It argues that it is not a secure implementation because passwords are always vulnerable to guessing and/or cracking and will be stored in the registry or Active Directory as part of the IPSec policy. So remember that it is possible to use Microsoft's L2TP/IPSec connections with password authentication instead of certificates, but you're unlikely to get a sympathetic hearing from Microsoft if you report problems with them.

To use passwords instead of certificates for your L2TP/IPSec connections, you'll have to disable the L2TP policy on both server and clients and then configure and assign your own IPSec policy as described in my article "Customize the security of L2TP/IPSec connections" (page 196). But specify password authentication and type in the password you want to use. For production use, remember that this "password" is a pre-shared key that sits in clear text in the IPSec policy on every peer, so treat it as a shared secret: make it long and random (well beyond the usual minimum of eight characters with a mixture of cases, digits, and non-alphanumeric characters), and use it for nothing else.

If you need help setting up this policy, there are step-by-step instructions in the Microsoft Knowledge Base article Q240262, "How to Configure a L2TP/IPSec Connection Using Pre-shared Key Authentication" (…?scid=kb;EN-US;q240262). This article will also help if you're configuring your custom L2TP/IPSec policy with certificates. For the Authentication Method, instead of selecting a preshared key, select Use A Certificate From This Certificate Authority (CA) and select the CA by browsing.

Internet device problems
Check any Internet device that might be blocking the connection or changing the packets. Typically, this will be a firewall or a NAT server, but it can also include a faulty switch that is occasionally corrupting packets or a router that isn't forwarding Protocol ID 50.

In the first article in this series, we said that Microsoft's L2TP/IPSec is not compatible with NAT. However, some L2TP implementations are NAT-friendly (e.g., Cisco's version) because they use a different implementation. See Microsoft's VPN FAQs (…techinfo/howitworks/communications/remoteaccess/vpnfaq.asp) for more information on the Microsoft implementation and how it differs from other vendors'. With the Microsoft implementation, it may be possible for NAT to allow one client to connect with L2TP/IPSec but not allow subsequent connections, so you should always connect at least two remote clients before celebrating.

Even if you're not using NAT and think you have configured your firewall correctly (to allow UDP port 500 and Protocol ID 50), if your L2TP/IPSec connections are not working, it may be a good idea to eliminate the Internet side of the equation by trying to make a VPN connection from a client machine on your LAN. If your connections still don't work, at least you have narrowed it down to something on the client or server rather than attempting to verify all the possible Internet issues (hardware devices, ISP services, bandwidth, firewall, etc.).

To test this connection, you'll need to temporarily rearrange your network so that there's a standard Ethernet connection between the VPN server's Internet adapter and your testing workstation. Assign the workstation a static IP address in the same range as the VPN server so that routing is not required, and then make sure that you can successfully ping between the client and server.

Next, create a new VPN connection on the Windows 2000 Professional machine that doesn't automatically dial the ISP connection first. (This is not the default.) Attempt to connect your newly created VPN connection. PPTP and L2TP connections work just fine over Ethernet, since all they care about is a valid underlying TCP/IP connection. So, if your client and server are configured correctly, you should have a good L2TP/IPSec connection. It's important to verify that the connection is an L2TP connection. (On the server, check the Active Ports under the RRAS console, or on the client, check the connection's Status Details.) If you have a successful L2TP/IPSec connection when connecting this way but not when you connect a similar client over the Internet, it's time to start inspecting your Internet devices.

Straining server resources
L2TP/IPSec connections consume more server processing power—specifically, for the data encryption—than PPTP connections. This will be especially true if you are using strong encryption, which will happen by default if both client and server can support it. Keep an eye on the VPN server's CPU usage, either with the Performance utility running as a service or, more crudely, with Task Manager's CPU Performance figures. If you discover the processor slowing down, you have several options, including adding another processor, using a network card that offloads some of the IPSec processing, or disabling the default policy and specifying DES encryption instead of 3DES.

Interoperability with other systems
If you are hoping to use either the client side or the server with a different vendor's implementation of L2TP/IPSec, check for interoperability issues and determine whether they can be configured to communicate, and when. Check my previously mentioned article on customizing security for information on the default IPSec settings that will be tried, the order they'll be tried in, and how you can disable them and define your own policy if necessary. However, you can't change Microsoft's implementation of L2TP/IPSec, which uses IPSec in Transport mode (not Tunnel mode), and the UDP port number of 1701 cannot be changed. If the third-party vendor's implementation also uses Transport mode and port 1701 for the IPSec side of the connection, chances are you can configure the custom IPSec settings to match if the defaults do not work.

Additional guidance
L2TP/IPSec connections must establish an IPSec connection before the tunnel (L2TP), so if the IPSec connection fails, the tunnel is never even attempted. Enable logon auditing and check the Event Viewer's Security log for IPSec errors such as negotiation timeouts (could be lack of a valid certificate or a packet

Protocols 201
being blocked by network devices). Make a (
note of the actual error logged and then aspx?scid=kb;EN-US;q259335)
look it up on Microsoft’s Knowledge Base
( Summary
?scid=fh;en-us;kbinfo). You may also find I hope this article has provided some useful
these TechNet articles useful: tips to help troubleshoot your Microsoft
X “Basic IPSec Troubleshooting in Windows L2TP/IPSec connections and, combined with
2000” (Q257225) my previous articles, has given you a good
( basic understanding of how Microsoft’s imple-
aspx?scid=kb;EN-US;q257225) mentation of L2TP/IPSec works.
X “Basic L2TP/IPSec Troubleshooting in
Windows” (Q259335)
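As an added illustration of the layered check described under “Additional guidance” (example code written for this edition, not code from the article), the following Python function decides from a constructed packet summary at which layer an L2TP/IPSec connection stopped: IKE on UDP 500, ESP as IP protocol 50, or L2TP on UDP 1701, which Microsoft’s Transport-mode implementation carries inside ESP and which should therefore never be visible in the clear. The Pkt class, the stage names and the sample addresses are assumptions made for the example.

```python
# Added example: triage an L2TP/IPSec failure by the first layer at which
# traffic stops. Assumes IKE on UDP 500, ESP as IP protocol 50, and L2TP on
# UDP 1701 hidden inside ESP transport mode (so cleartext L2TP means IPSec
# was never applied). Packet summaries are constructed, not captured.
from dataclasses import dataclass

UDP, ESP = 17, 50                  # IP protocol numbers
IKE_PORT, L2TP_PORT = 500, 1701

@dataclass(frozen=True)
class Pkt:                         # hypothetical minimal packet summary
    src: str
    dst: str
    proto: int
    dport: int = 0                 # 0 for ESP, which carries no port numbers

def triage(packets, client, server):
    """Return (stage, hint) for the first layer at which traffic stops."""
    def seen(proto, frm, to, port=0):
        return any(p.proto == proto and p.src == frm and p.dst == to
                   and (port == 0 or p.dport == port) for p in packets)
    if seen(UDP, client, server, L2TP_PORT):
        return ("l2tp-cleartext", "L2TP on UDP 1701 visible outside ESP: IPSec was "
                "not applied, so this is not a protected L2TP/IPSec connection")
    if not seen(UDP, client, server, IKE_PORT):
        return ("ike-not-sent", "client never sent IKE; check client policy and route")
    if not seen(UDP, server, client, IKE_PORT):
        return ("ike-unanswered", "UDP 500 not reaching the server or reply blocked; "
                "retest over the LAN to rule out Internet devices")
    if not seen(ESP, client, server):
        return ("ike-failed", "IKE exchanged but no ESP: negotiation failed; check "
                "the Security log for certificate or proposal errors")
    if not seen(ESP, server, client):
        return ("esp-one-way", "ESP (protocol 50) blocked on the return path; check "
                "firewall and NAT")
    return ("ipsec-up", "IPSec SA up both ways; examine L2TP/PPP: authentication, "
            "RRAS ports, event log")

# Constructed sample trace: IKE answered, client sends ESP, nothing comes back.
SAMPLE = [
    Pkt("203.0.113.10", "198.51.100.1", UDP, IKE_PORT),
    Pkt("198.51.100.1", "203.0.113.10", UDP, IKE_PORT),
    Pkt("203.0.113.10", "198.51.100.1", ESP),
]

if __name__ == "__main__":
    print(triage(SAMPLE, "203.0.113.10", "198.51.100.1"))
```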

The Windows NT 4.0 PPTP VPN client connection guide
Jun 10, 2002
By Dr. Thomas Shinder, MCSE

In the not so distant past, companies that wanted to allow road warriors access to resources on the corporate internal network had to install modem banks and multiple phone lines. The cost of installing multiple dial-up RAS (Remote Access Service) servers was compounded by long-distance charges. If the company wanted to avoid long-distance charges, it still had to shell out for a 1-800 number. VPN servers remove this capital-intensive hardware/telco layer and allow you to support dozens, sometimes hundreds, of remote access calls with a single VPN server and high-speed Internet connection.

I’ll look at how to make your Windows NT 4.0 computers VPN clients for Windows NT 4.0 VPN servers. You can use the same procedures to connect Windows NT 4.0 clients to Windows 2000 VPN servers. The only major difference between Windows NT 4.0 and Windows 2000 VPN servers is that the Windows NT 4.0 VPN servers do not support L2TP/IPSec VPN links. This situation doesn’t pose much of a problem for our Windows NT 4.0 VPN clients, because the only VPN protocol supported by Windows NT 4.0 is the Point-to-Point Tunneling Protocol (PPTP).

PREREQUISITES

Before configuring your Windows NT 4.0 PPTP VPN client software, you should install the latest service packs and security hotfixes. If you haven’t updated the Windows NT 4.0 computer you plan to make a PPTP VPN client, visit the Microsoft Windows Update for Windows NT Server Web site ( ) to get at least Windows NT 4.0 Service Pack 6a. You’ll find all the security hotfixes released since Service Pack 6a on this page, too. I also recommend that you install Internet Explorer 6.0; it includes a number of features that improve the user experience and automatically adds 128-bit encryption support.

202 Administrator’s Guide to VPN and Remote Access, Second Edition

Figure A

Figure B

Figure C
VPN1 – RASPPTPM is the name of the VPN interface on the VPN client.

Figure D
The network interface is available on the VPN client computer.

Figure E
Configure the interface to make outbound calls only.

Creating the PPTP network protocol

Your first step in creating a Windows NT 4.0 PPTP VPN client is to install the PPTP networking protocol. Right-click on the Network Neighborhood icon on the desktop and click Properties. In the Network dialog box, click the Protocols tab. On the Protocols tab, click the Add button.

In the Select Network Protocol dialog box, select the Point-to-Point Tunneling Protocol (Figure A) and click OK. A Windows NT Setup dialog box will appear and ask you for the location of the setup files. You can type in the path to a local or network location, or just put your Windows NT 4.0 CD in the tray. Click Continue.

In the PPTP Configuration dialog box (Figure B), use the default entry (which is 1). PPTP VPN clients aren’t going to connect to more than one VPN server at a time. This entry is used by the VPN Server to define how many virtual VPN interfaces the server should have available for VPN clients. (Windows NT 4.0 VPN servers support up to 256 PPTP interfaces.) Click OK. At this point, you’ll see a dialog box that informs you that RAS will be installed. Click OK to install and start RAS.

The Add RAS Device dialog box (Figure C) will appear and display the name of the single RAS device installed on the VPN client machine. Click OK.

The VPN device is now added to RAS. On a Windows NT 4.0 Workstation computer, the VPN interface is automatically configured to

… on a Windows NT 4.0 Server computer, the adapter is configured to allow outbound and inbound calls. To change this setting, click the Configure button in the Remote Access Setup dialog box (Figure D). Change the setting to Dial Out Only in the Configure Port Usage dialog box (Figure E) to