Chapter 20: Getting from the Office to the Road: VPNs BAI617.

Chapter Topics
– Introduction to VPNs
– Layer 2 Tunneling Protocol
– Secure Socket Tunneling Protocol
– Using Network Policy and Access Services Role
– Conditions, Permissions, Constraints, and Settings

Why VPNs Users often need access to data in the office even when they’re away from the office. Field workers (technicians, engineers, sales staff), telecommuters, and others need to be able to connect, and virtual private networks (VPNs) are often used to meet this need.

VPN If users can reach the Internet, they can reach the office over the VPN. Once connected, they can use office resources just as if they were on site, including shared folders and more.

VPNs in 2008 R2 To configure a VPN server, you’ll need to add the Network Policy and Access Services role, configure the VPN server, and create or modify remote access policies.
– Internet Protocol Security (IPSec) is an encryption protocol commonly used with Layer 2 Tunneling Protocol.
– You can also use IPSec by itself within a network to encrypt or digitally sign traffic on the wire.

VPNs The VPN server has at least two network interface cards (NICs).
– One NIC has a public IP address and can be reached by any user who has access to the Internet.
– The other NIC has a private address connected to the internal network.

VPNs VPN servers are often hosted in a demilitarized zone (DMZ) as shown in the figure. A DMZ has two firewalls.
– The outer firewall provides a layer of protection for hosts in the DMZ from potential Internet attackers.
– The second, internal firewall provides an extra layer of protection for internal clients.

Many Names of VPN A VPN server uses a virtual private connection over a public network: the user connects to the Internet first and then connects to the public IP of the VPN server over the Internet. The same server may be called a network access server (NAS) or a remote access server (RAS); a NAS or RAS can support both VPN and direct dial-up connections.
– In a dial-up connection, a client has a modem and a phone line and connects directly to the server.

Gateway-to-Gateway VPN It’s also possible to configure VPNs to allow two different offices to connect. This is referred to as a gateway-to-gateway VPN.
– Two VPN servers are connected over the public or semi-private network.

Tunneling Data can’t be sent across the Internet in clear text without the risk of someone using a sniffer to capture it. To combat this risk, VPNs use tunneling protocols. Windows Server 2008 R2 supports:
– Layer 2 Tunneling Protocol (L2TP)
– Secure Socket Tunneling Protocol (SSTP)
– Internet Key Exchange version 2 (IKEv2)

Layer 2 Tunneling Protocol Layer 2 Tunneling Protocol (L2TP) is a popular tunneling protocol used with VPNs. It commonly encrypts traffic with IPSec. When used with IPSec, L2TP encrypts the data, providing confidentiality, and signs the data, providing integrity.

Layer 2 Tunneling Protocol However, IPSec has a weakness that prevents it from being used everywhere: IPSec can’t travel through a Network Address Translation (NAT) server. Because of the way IPSec packets are put together, NAT effectively breaks them. If you need to go through a NAT server, you simply can’t use L2TP/IPSec.
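The slide says NAT breaks IPsec "because of the way the packets are put together" without saying how. The following is an added example, not part of the original presentation, that models two of the concrete reasons: the AH integrity check covers the IP source address, which source NAT rewrites, and ESP exposes no transport-layer ports, so a port-translating NAT has nothing to build a mapping from. Packets are Python dicts rather than wire bytes, HMAC-SHA256 stands in for the real ICV, and the addresses and key are constructed. For completeness, the standard workaround in practice is NAT Traversal (NAT-T, UDP 4500 encapsulation), which the slide does not cover.

```python
"""
Toy model of two reasons a NAT device breaks IPsec (added example).

1. AH integrity: the ICV is computed over IP header fields that must not
   change in transit, including the source address. Source NAT rewrites
   that address, so the receiver's recomputed ICV no longer matches.
2. ESP and port-based NAT: ESP (IP protocol 50) carries no UDP/TCP ports,
   so a port-translating NAT has nothing to map the return traffic with.

HMAC-SHA256 stands in for the real ICV; packets are dicts, not wire bytes.
"""
import hashlib
import hmac
import ipaddress
from typing import Optional

IPPROTO_UDP = 17
IPPROTO_ESP = 50

# Constructed SA integrity key (in real IPsec it is negotiated by IKE).
SA_KEY = b"constructed-demo-integrity-key"


def _protected_fields(packet: dict) -> bytes:
    """Serialise what AH covers: both addresses, protocol and payload.
    Mutable fields such as TTL are deliberately excluded, as AH zeroes them."""
    src = ipaddress.ip_address(packet["src"]).packed
    dst = ipaddress.ip_address(packet["dst"]).packed
    return src + dst + bytes([packet["proto"]]) + packet["payload"]


def ah_protect(packet: dict, key: bytes = SA_KEY) -> dict:
    """Sender side: attach an ICV over the protected fields."""
    icv = hmac.new(key, _protected_fields(packet), hashlib.sha256).digest()
    return {**packet, "icv": icv}


def ah_verify(packet: dict, key: bytes = SA_KEY) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    expected = hmac.new(key, _protected_fields(packet), hashlib.sha256).digest()
    return hmac.compare_digest(expected, packet["icv"])


def source_nat(packet: dict, public_ip: str) -> dict:
    """A NAT device rewriting the private source address to its public one."""
    return {**packet, "src": public_ip}


def pat_mapping_key(packet: dict) -> Optional[tuple]:
    """What a port-translating NAT needs to build a mapping.
    Returns None when the packet exposes no transport-layer ports."""
    if packet["proto"] == IPPROTO_ESP:
        return None                      # ESP: an SPI is there, ports are not
    return (packet["src"], packet["sport"], packet["dst"], packet["dport"])


def demo() -> dict:
    """Run both failure modes on constructed packets and report the outcome."""
    # Constructed: an L2TP datagram (UDP 1701) from a client behind NAT.
    l2tp = {"src": "192.168.1.20", "dst": "198.51.100.10", "proto": IPPROTO_UDP,
            "sport": 1701, "dport": 1701, "payload": b"L2TP control message"}
    signed = ah_protect(l2tp)
    after_nat = source_nat(signed, "203.0.113.5")

    # Constructed: the same traffic carried inside ESP, as L2TP/IPsec does.
    esp = {"src": "192.168.1.20", "dst": "198.51.100.10", "proto": IPPROTO_ESP,
           "spi": 0x1234, "payload": b"<encrypted L2TP>"}

    return {
        "ah_ok_without_nat": ah_verify(signed),
        "ah_ok_after_nat": ah_verify(after_nat),
        "esp_pat_mapping": pat_mapping_key(esp),
        "udp_pat_mapping": pat_mapping_key(l2tp),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the signed packet verifying before NAT and failing after it, and the ESP packet yielding no mapping key while the plain UDP packet does. The same integrity property that makes IPsec useful (nobody on the path can alter the addressing unnoticed) is what a NAT device trips over.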

Secure Socket Tunneling Protocol If you need to go through a NAT server, you have another choice today: Secure Socket Tunneling Protocol (SSTP). SSTP is a newer tunneling protocol that was introduced with Windows Server 2008. It uses Secure Sockets Layer (SSL) over port 443 to secure VPN traffic.

Secure Socket Tunneling Protocol An SSTP session works by first creating an HTTPS session. This HTTPS session is encrypted with SSL, ensuring the session is secure before any data or authentication credentials are sent over the network.

Internet Key Exchange Version 2 Internet Key Exchange version 2 (IKEv2) was added in Windows Server 2008 R2 as a new VPN type. The biggest advantage of IKEv2 is its support for VPN Reconnect.
– VPN Reconnect allows VPN clients to survive short interruptions in network connectivity without losing the entire connection.
– IKEv2 is useful in environments where clients may move from one wireless network to another or even move from a wireless to a wired connection.

Using Network Policy and Access Services Role The Network Policy and Access Services role includes much more than just the ability to create a VPN server.
– Routing and Remote Access: This service is used to host either a VPN server or a dial-up server and is the focus of this chapter. The server must have at least two NICs to be used as a VPN server.
– Network Policy Server (NPS): NPS is Microsoft’s implementation of a Remote Authentication Dial-In User Service (RADIUS) server and includes network access policies.

Using Network Policy and Access Services Role The Network Policy and Access Services role includes much more than just the ability to create a VPN server.
– Network Access Protection (NAP): NAP can be used to ensure the “health” of clients before they are allowed access to network resources.
– Health Registration Authority (HRA): HRA is part of NAP and is used to issue health certificates for NAP IPSec enforcement. If the client passes the health policy verification performed by NPS, the HRA issues a clean bill of health in the form of a health certificate.
– Host Credential Authorization Protocol (HCAP): HCAP is used to integrate Microsoft’s NAP solution with Cisco’s Network Access Control Server.

Routing and Remote Access Routing and Remote Access Services (RRAS) is the core component that provides remote access, or network access, to internal networks for external clients. This service provides two capabilities:
– Remote Access: Used to configure your system as a VPN server or as a dial-up remote access server. This is the primary reason Routing and Remote Access is added to a server.
– Routing: It’s also possible to configure a Windows Server 2008 R2 server as a dedicated router with this service. The router is a software router. Although RRAS performs routing as part of its role as a VPN server, it is rare to use RRAS only as a dedicated router in a production environment. It can be done, but most production environments require the better performance of a hardware router.

Configuring 2008 R2 for VPN To configure your server as a VPN server and connect with a client, you’ll need to perform the following:
1. Add the Network Policy and Access Services role.
2. Configure Routing and Remote Access.
3. Add policies to allow connections.
4. Add the Active Directory Certificate Services and Web Server roles to the VPN server.
5. Configure the VPN client, and connect.

Adding the Network Policy and Access Services Role

See Pg 858 of text for steps to install the Network Policy and Access Services Role

Configuring Routing and Remote Access As a reminder, two NICs are required to fully configure RRAS as a VPN server. However, if you have only one NIC, you can still configure RRAS so that you can explore both RRAS and NPS. Instead of choosing “Virtual private network (VPN) access and NAT” on the Configuration page, choose Custom configuration, and select VPN access and NAT on the Custom Configuration page. Once complete, you’ll also need to open the properties page of the server and add a static address pool from the IPv4 tab.

Configuring Routing and Remote Access See pg for steps to install Routing and Remote Access

Configuring Policies Network access policies are an integral component required for VPN access. If a client doesn’t meet the conditions of any policy, the client will not be able to connect.
– If the VPN server doesn’t have any policies, clients can’t meet the conditions of a policy, and they can’t connect.
– Network access policies were previously known as remote access policies and were accessed from within the RRAS console. Since Windows Server 2008, however, the NPS console is used to configure and manage policies, and they are now referred to as network access policies.

Network Policy Server Console

NPS includes two default policies in the Network Policies node. Each of these policies is set to Deny Access when created but can be changed if desired. The two policies are as follows:
– Connections to Microsoft Routing and Remote Access Service Policy: This policy includes a single condition that specifies that the RADIUS client must be a Microsoft client (specified as MS-RAS Vendor ^311$). It applies only to RADIUS clients.
– Connections to Other Access Servers: This policy includes a single condition of any time of the day and any day of the week. If no previous policy’s conditions are met, this policy is used.

Network Policy Server Console Policies have four important elements: conditions, permissions, constraints, and settings.
– Conditions: Each policy must have one or more conditions that must be met for the client to use the policy. If the conditions are not met, the policy is not used. Many conditions can be specified, such as being a member of a Windows group or connecting at a certain time of day or day of the week.

Network Policy Server Console Policies have four important elements: conditions, permissions, constraints, and settings.
– Permissions: Permissions determine whether a user is granted access once it has been determined that this policy applies (by meeting the policy’s conditions).

Network Policy Server Console Policies have four important elements: conditions, permissions, constraints, and settings.
– Constraints: Used to ensure that clients follow specific rules for the connection. Constraints include authentication methods, timeouts for the session or idle time, and more. If a user meets the conditions and is granted permission but doesn’t meet one of the constraints, the connection is refused.

Network Policy Server Console Policies have four important elements: conditions, permissions, constraints, and settings.
– Settings: Settings are applied if the connection meets the policy’s conditions and constraints. Settings include encryption choices, IP settings, and IP filters.
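To make the ordering of conditions, permissions, constraints and settings concrete, here is an added example (not from the presentation or from NPS itself) that models how NPS walks its ordered policy list: the first policy whose conditions all match is used, its permission decides whether access can be granted at all, a granted connection must then satisfy every constraint, and the matching policy's settings travel with the result. The two Deny-Access default policies and the MS-RAS-Vendor 311 condition follow the slides; the "VPN Users" policy, the users, groups and timestamps are constructed.

```python
"""
Toy model of NPS network-policy processing (added example).

Policies are evaluated in order. The first policy whose conditions all
match is the one used; its permission decides whether access can be
granted; a granted connection must then satisfy every constraint; and
the matching policy's settings are handed back with the decision.
Policy names, the MS-RAS-Vendor 311 condition and the two Deny-Access
defaults follow the slide; users, groups and times are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

MS_RAS_VENDOR_MICROSOFT = 311   # vendor ID carried in the MS-RAS-Vendor attribute


@dataclass
class AccessRequest:
    user: str
    groups: set
    when: datetime
    auth_method: str
    nas_port_type: str
    ras_vendor: Optional[int] = None


@dataclass
class NetworkPolicy:
    name: str
    conditions: list                    # callables(request) -> bool; all must hold
    permission: str                     # "grant" or "deny"
    constraints: list = field(default_factory=list)   # (name, callable) pairs
    settings: dict = field(default_factory=dict)


def evaluate(request: AccessRequest, policies: list) -> dict:
    """Return the decision, the policy that produced it and the reason."""
    for policy in policies:
        if not all(cond(request) for cond in policy.conditions):
            continue                     # conditions unmet: try the next policy
        if policy.permission != "grant":
            return {"decision": "deny", "policy": policy.name,
                    "reason": "permission is deny"}
        failed = [name for name, check in policy.constraints if not check(request)]
        if failed:                       # permitted, but a constraint refuses it
            return {"decision": "deny", "policy": policy.name,
                    "reason": "constraint failed: " + ", ".join(failed)}
        return {"decision": "grant", "policy": policy.name,
                "settings": dict(policy.settings)}
    return {"decision": "deny", "policy": None, "reason": "no policy matched"}


def business_hours(r: AccessRequest) -> bool:
    """Constructed day-and-time condition: weekdays, 08:00 to 18:00."""
    return r.when.weekday() < 5 and 8 <= r.when.hour < 18


def build_policies() -> list:
    """One constructed grant policy placed ahead of the two NPS defaults."""
    vpn_users = NetworkPolicy(
        name="Constructed: VPN Users",
        conditions=[lambda r: "VPN Users" in r.groups, business_hours],
        permission="grant",
        constraints=[
            ("authentication method",
             lambda r: r.auth_method in {"EAP-MSCHAPv2", "PEAP"}),
            ("NAS port type", lambda r: r.nas_port_type == "Virtual (VPN)"),
        ],
        settings={"encryption": "strongest", "ip_filters": "internal-subnets-only"},
    )
    # The two default policies exactly as NPS creates them: Deny Access.
    ms_rras = NetworkPolicy(
        name="Connections to Microsoft Routing and Remote Access server",
        conditions=[lambda r: r.ras_vendor == MS_RAS_VENDOR_MICROSOFT],
        permission="deny")
    catch_all = NetworkPolicy(
        name="Connections to other access servers",
        conditions=[lambda r: True],     # any day, any time of day
        permission="deny")
    return [vpn_users, ms_rras, catch_all]


def demo() -> dict:
    """Evaluate a few constructed requests; keyed by user for inspection."""
    tuesday = datetime(2024, 1, 9, 10, 0)     # constructed weekday timestamp
    saturday = datetime(2024, 1, 13, 10, 0)   # constructed weekend timestamp
    policies = build_policies()
    requests = [
        AccessRequest("alice", {"Domain Users", "VPN Users"}, tuesday,
                      "EAP-MSCHAPv2", "Virtual (VPN)", MS_RAS_VENDOR_MICROSOFT),
        AccessRequest("bob", {"VPN Users"}, tuesday,
                      "PAP", "Virtual (VPN)", MS_RAS_VENDOR_MICROSOFT),
        AccessRequest("carol", {"Domain Users"}, tuesday,
                      "EAP-MSCHAPv2", "Virtual (VPN)", MS_RAS_VENDOR_MICROSOFT),
        AccessRequest("dave", {"Domain Users"}, tuesday,
                      "EAP-MSCHAPv2", "Virtual (VPN)"),
        AccessRequest("erin", {"VPN Users"}, saturday,
                      "EAP-MSCHAPv2", "Virtual (VPN)", MS_RAS_VENDOR_MICROSOFT),
    ]
    return {r.user: evaluate(r, policies) for r in requests}


if __name__ == "__main__":
    for user, result in demo().items():
        print(user, result)
```

The walk-through matches the slides: alice meets the conditions, is permitted and passes the constraints, so she is granted access with the policy's settings; bob meets the same conditions but fails the authentication-method constraint, so the connection is refused by that same policy rather than falling through to another; carol and erin (outside the group, or outside business hours) never match the first policy and land on the Microsoft RRAS default, which denies; dave, with no MS-RAS-Vendor attribute, reaches the catch-all default. This is why a freshly installed server with only the two defaults rejects every connection.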

Creating a Network Policy Once you understand the elements of a network access policy, you can create your own. See pg. 872 of your text for steps to configure network access policies.

Configuring and Connecting with a VPN Client With your domain controller and VPN server created and configured, it’s time to configure your client and connect. One of the biggest challenges is getting a certificate to work with both the server and the client, so for initial testing you can test the basic connection first and add the certificate afterwards.

Next Steps Once you have the fundamental infrastructure in place, you can set the options you need:
– Authentication:
  Microsoft: Secured password (EAP-MS-CHAP-v2)
  Microsoft: Protected EAP (PEAP)
  Microsoft: Smart Card or other certificate
– RRAS
– Protecting VPNs with IP Security (IPSec)

Review
– Introduction to VPNs
– Layer 2 Tunneling Protocol
– Secure Socket Tunneling Protocol
– Using Network Policy and Access Services Role
– Conditions, Permissions, Constraints, and Settings

Questions?

Lab Environment

Hands On