Today, it is very common for an organization to use a remote access server (RAS). This enables users to connect remotely to a network using various protocols and connection types. By connecting to the RAS over the Internet, users can connect to their organization’s network so that they can access data files, read email, and access other applications just as if they were sitting at work.
A virtual private network (VPN) links two computers through a wide-area network such as the Internet. To keep the connection secure, the data sent between the two computers is encapsulated and encrypted. In one scenario, a client connects to the RAS server to access internal resources from off-site. In another, two remote sites are joined by creating a VPN tunnel between a RAS server located at each site.
The three types of tunneling protocols used with a VPN/RAS server running on Windows Server 2008 include:
• Point-to-Point Tunneling Protocol (PPTP): A VPN protocol based on the legacy Point-to-Point Protocol used with modems. PPTP is easy to set up, but its encryption is considered weak.
• Layer 2 Tunneling Protocol (L2TP): Used with IPSec to provide security. L2TP is the industry standard when setting up secure tunnels.
• Secure Socket Tunneling Protocol (SSTP): Introduced with Windows Server 2008, SSTP uses HTTPS over TCP port 443 to pass traffic through firewalls and web proxies that might block PPTP and L2TP/IPSec.
When using VPNs, Windows 7 and Windows Server 2008 support the following forms of authentication:
• Password Authentication Protocol (PAP): Sends passwords in plain text (unencrypted). PAP is the least secure form of authentication and is not recommended.
• Challenge Handshake Authentication Protocol (CHAP): A challenge-response authentication that uses the industry-standard MD5 hashing scheme to hash the response. CHAP was an industry standard for years and is still quite popular.
• Microsoft CHAP version 2 (MS-CHAP v2): Provides two-way authentication (mutual authentication). MS-CHAP v2 provides stronger security than CHAP.
• Extensible Authentication Protocol (EAP-MS-CHAPv2): A universal authentication framework that allows third-party vendors to develop custom authentication schemes, including retinal scans, voice recognition, fingerprint identification, smart cards, Kerberos, and digital certificates. It also provides a mutual authentication method that supports password-based user or computer authentication.
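To make the difference between PAP and CHAP concrete, here is an added example (not from the original lesson) that models one CHAP round trip as specified in RFC 1994, with PAP beside it for contrast. The user name, shared secret and challenge values are constructed; the server-side verify function shows why a CHAP server must hold the secret in recoverable form.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values (not from the original page).
USERNAME = "alice"
SECRET = b"correct horse battery staple"   # shared secret known to both ends


def pap_authenticate_request(username: str, password: bytes) -> bytes:
    """PAP (RFC 1334): the client puts the password itself on the wire."""
    return username.encode() + b"\x00" + password


def chap_challenge(size: int = 16) -> bytes:
    """Server side: a fresh, unpredictable challenge for every attempt."""
    return os.urandom(size)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side (RFC 1994): MD5 over Identifier || secret || Challenge.
    Only this 16-byte digest is sent; the secret never leaves the client."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Server side: recompute the digest from the stored secret and compare.
    The server therefore needs the secret itself, not a one-way hash of it."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(client_secret: bytes, server_secret: bytes,
                 challenge: Optional[bytes] = None, identifier: int = 1) -> dict:
    """Drive one CHAP round trip and report what each side saw."""
    challenge = challenge if challenge is not None else chap_challenge()
    response = chap_response(identifier, client_secret, challenge)
    return {
        "challenge": challenge,
        "response": response,
        "secret_on_wire": client_secret in response,   # always False for CHAP
        "success": chap_verify(identifier, server_secret, challenge, response),
    }


if __name__ == "__main__":
    print("PAP sends:", pap_authenticate_request(USERNAME, SECRET))
    print("CHAP good secret:", run_exchange(SECRET, SECRET)["success"],
          "| wrong secret:", run_exchange(b"wrong", SECRET)["success"])
```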
LOAD ROUTING AND REMOTE ACCESS
To make a computer running Windows Server 2008 load Routing and Remote Access:
1. Start the Add Roles Wizard using Server Manager or the Initial Configuration Tasks window.
2. On the Before You Begin page, click Next.
3. On the Select Server Roles page, select Network Policy and Access Services and click Next twice.
4. On the Select Role Services page, select Routing and Remote Access Services.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Results page, review the status and click Close.
CONFIGURE A VPN SERVER
To enable RRAS and configure it as a VPN server:
1. Open the RRAS MMC Snap-in.
2. Right-click the server name for which you want to enable routing and then click Configure and Enable Routing and Remote Access. If you are using Server Manager, right-click Routing and Remote Access and then click Configure and Enable Routing and Remote Access.
3. On the Welcome page, click Next.
4. On the Configuration page, click Remote Access (dial-up or VPN) and then click Next.
5. On the Remote Access page, select VPN and click Next.
6. On the VPN Connection page, select the network interface that is connected to the public Internet from which remote VPN clients will connect to this server.
7. To configure packet filters that restrict network access through the specified public network adapter to only the ports required by VPN clients, select Enable security on the selected interface by setting up static packet filters.
8. On the Network Selection page, select the private network to which remote VPN clients are to be granted access. The network adapter and its IP address are displayed to help you determine which to select.
9. On the IP Address Assignment page, specify the way in which the RRAS server will acquire IP addresses for the remote VPN clients. If you have a DHCP server with a range of addresses available, click Automatic. If you want the RRAS server to manage the IP addresses, click From a specified range of addresses.
10. If you did not select Automatic, on the Address Range Assignment page click New and type starting and ending IP addresses to create the range from which remote VPN clients are assigned addresses. You can enter multiple ranges if required. Click Next when you have created the address ranges.
11. On the Managing Multiple Remote Access Servers page, select whether you want to use a centralized RADIUS server for authentication of your network clients. If you select No, then RRAS uses its local account database or, if the RRAS server is joined to an Active Directory domain, the RRAS server uses the domain account database. Note: To use Active Directory Domain Services (AD DS), you must join the RRAS server to a domain and add the computer account of this server to the RAS and IAS Servers security group in the domain of which this server is a member. The domain administrator can add the computer account to the RAS and IAS Servers security group by using Active Directory Users and Computers or by using the netsh ras add registeredserver command.
12. On the Completing page, click Finish.
CREATE A VPN TUNNEL
To create a VPN tunnel on a computer running Windows 7 so you can connect to a Remote Access Server:
1. From the Control Panel, select Network and Internet to access the Network and Sharing Center.
2. From the Network and Sharing Center, choose Set up a new connection or network.
3. On the Set Up a Connection or Network page, choose Connect to a workplace.
4. On the Connect to a Workplace page, answer the question “Do you want to use a connection that you already have?” Choose to create a new connection or choose an existing connection.
5. On the next page, choose Use my Internet connection (VPN).
6. On the next screen, choose your VPN connection or specify the Internet Address for the VPN Server and a Destination Name. You can also specify the options to use a Smart card for authentication; Allow other people to use this connection; or Don’t connect now, just set up so I can connect later.
You may need to do additional configuration to your VPN connection, such as specifying the type of protocol, authentication protocol, and the type of encryption.
To connect using the VPN once the VPN connection is created and configured, open the Network and Sharing Center and click Manage Network Connections. Then, right-click your VPN connection and click the Connect button. See Figure 1.
By default, when you connect to a VPN using the previous configuration, all web browsing and network traffic goes through the default gateway on the remote network unless you are communicating with computers on your local home network. Having this option enabled helps protect the corporate network because all traffic also passes through the corporate firewalls and proxy servers, which helps prevent the network from being infected or compromised.
If you wish to route your Internet browsing through your home Internet connection rather than through the corporate network, you can disable the “Use Default Gateway on Remote Network” option. Disabling this option is known as split tunneling.
ENABLE A SPLIT TUNNEL
To enable a split tunnel:
1. Right-click a VPN connection and click Properties.
2. Click the Networking tab.
3. Double-click Internet Protocol Version 4 (TCP/IPv4).
4. Click the Advanced button.
5. Deselect Use default gateway on remote network.
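The routing effect of that checkbox is easiest to see in a small model. The following is an added example, not part of the original lesson: it builds the approximate routing table a connected client has with and without split tunneling and resolves a few destinations by longest-prefix match. The prefixes, interface names and metrics are constructed assumptions that stand in for what Windows installs when the VPN comes up.

```python
import ipaddress
from typing import Dict, List, Tuple

# Route = (destination prefix, outgoing interface, metric); lower metric wins a tie.
Route = Tuple[ipaddress.IPv4Network, str, int]

# Constructed sample topology, not from the page: the corporate network behind
# the RAS server is 10.10.0.0/16, the client's home LAN is 192.168.1.0/24.
CORP_NET = ipaddress.ip_network("10.10.0.0/16")
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def client_routes(split_tunnel: bool) -> List[Route]:
    """Approximate routing table of a connected Windows VPN client.

    split_tunnel=False models "Use default gateway on remote network" checked:
    the client gains a 0.0.0.0/0 route through the VPN adapter with a better
    metric than the home gateway's, so all non-local traffic enters the tunnel.
    split_tunnel=True models the box cleared: only the corporate prefix is
    reached through the tunnel and everything else keeps the home gateway.
    """
    routes = [
        (HOME_NET, "home-lan", 10),   # directly connected LAN
        (DEFAULT, "home-lan", 20),    # home router's default gateway
        (CORP_NET, "vpn", 5),         # corporate prefix through the tunnel
    ]
    if not split_tunnel:
        routes.append((DEFAULT, "vpn", 1))   # VPN default route, lower metric
    return routes


def lookup(routes: List[Route], dst: str) -> str:
    """Pick the route as the IP stack does: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    best = min(candidates, key=lambda r: (-r[0].prefixlen, r[2]))
    return best[1]


def egress(split_tunnel: bool, destinations: List[str]) -> Dict[str, str]:
    """Map each destination to the interface its packets leave on."""
    table = client_routes(split_tunnel)
    return {d: lookup(table, d) for d in destinations}


if __name__ == "__main__":
    targets = ["10.10.5.1", "192.168.1.20", "203.0.113.9"]
    print("full tunnel :", egress(False, targets))
    print("split tunnel:", egress(True, targets))
```

With split tunneling, Internet-bound traffic such as 203.0.113.9 leaves on the home interface and is never seen by the corporate firewall or proxy, which is the trade-off the text above describes.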
If you have to configure multiple clients to connect to a remote server, it can be a lot of work, and it can be easy to make an error. To simplify administration by packaging the VPN client configuration into an easy-to-install executable, you can use the Connection Manager Administration Kit (CMAK), which can also be installed as a feature in Windows Server 2008.
This lesson is a part of the Popular Windows Network Services and Applications chapter from the 98-365 Windows Server Administration Fundamentals Prep course.