Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
Deploying and Enforcing a Virtual Private Network (VPN) Using an RRAS Server
473
2. Navigate to SERVERNAME, IPv4, Scope Name.
3. Right-click Scope Name, and choose Properties.
4. Select the Network Access Protection tab, and click the Enable for This Scope option
button, as shown in Figure 15.12. Click OK to save the changes.
15
ptg
FIGURE 15.12
Enabling NAP on a DHCP scope.
After enabling NAP on a Scope, individual scope options can be configured for noncom-
pliant clients. These scope options appear under the User Class named Default Network
Access Protection Class, as shown in Figure 15.13. By not configuring any scope options,
the clients effectively have no DHCP access to resources. Or, in a different example, you
could configure the clients to use an alternate DNS server for remediation. Scope options
can be configured by right-clicking on the Scope Options node under the Scope Name and
choosing Configure Options. Click the Advanced tab to view the classes and options.
NOTE
The default User Class is used for compliant NAP clients—the Default Network Access
Protection Class is used for noncompliant clients.
Deploying and Enforcing a Virtual Private Network
A common method of securing information sent across unsecured networks is to create a
virtual private network (VPN), which is effectively a connection between two private
nodes or networks that is secured and encrypted to prevent unauthorized snooping of the
traffic between the two connections. From the client perspective, a VPN looks and feels
474
CHAPTER 15
Security Policies, Network Policy Server, and Network Access
Protection
FIGURE 15.13
Configuring DHCP scope options for noncompliant NAP clients.
ptg
just like a normal network connection between different segments on a network—hence
the term virtual private network.
Data that is sent across a VPN is encapsulated, or wrapped, in a header that indicates its
destination. The information in the packet is then encrypted to secure its contents. The
encrypted packets are then sent across the network to the destination server, using what is
known as a VPN tunnel.
The Windows Server 2008 R2 RRAS role allows for the creation of VPNs, and integrates
with the NPS role to provide for validation of client health before creating a VPN session.
NOTE
Virtual private network support in Windows Server 2008 R2 provides for simple VPN
tunnels to be created. For more complex scenarios where specific rules need to be cre-
ated and application-layer filtering of the VPN traffic is needed, look at Microsoft’s
Forefront Edge line of products, which includes the Forefront Threat Management
Gateway (previously called Internet Security and Acceleration or ISA Server) and the
Forefront Unified Access Gateway products.
Exploring VPN Tunnels
The connection made by VPN clients across an unsecured network is known as a VPN
tunnel. It is named as such because of the way it “tunnels” underneath the regular traffic
of the unsecured network.
VPN tunnels are logically established on a point-to-point basis but can be used to connect
two private networks into a common network infrastructure. In many cases, for example,
Deploying and Enforcing a Virtual Private Network (VPN) Using an RRAS Server
475
a VPN tunnel serves as a virtual wide area network (WAN) link between two physical loca-
tions in an organization, all while sending the private information across the Internet.
VPN tunnels are also widely used by remote users who log on to the Internet from multi-
ple locations and establish VPN tunnels to a centralized VPN server in the organization’s
home office. These reasons make VPN solutions a valuable asset for organizations, and one
that can be easily established with the technologies available in Windows Server 2008 R2.
NOTE
VPN tunnels can either be voluntary or compulsory. In short, voluntary VPN tunnels are
created when a client, usually out somewhere on the Internet, asks for a VPN tunnel to
be established. Compulsory VPN tunnels are automatically created for clients from spe-
cific locations on the unsecured network, and are less common in real-life situations
than are voluntary tunnels.
Tunneling Protocols
The tunneling protocol is the specific technology that defines how data is encapsulated,
transmitted, and unencapsulated across a VPN connection. Varying implementations of
15
tunneling protocols exist, and correspond with different layers of the Open System
Interconnection (OSI) standards-based reference model. The OSI model is composed of
ptg
seven layers, and VPN tunneling protocols use either Layer 2 or Layer 3 as their unit of
exchange. Layer 2, a more fundamental network layer, uses a frame as the unit of
exchange, and Layer 3 protocols use a packet as a unit of exchange.
The most common Layer 2 VPN protocols are the Point-to-Point Tunneling Protocol
(PPTP) and the Layer 2 Tunneling Protocol (L2TP), both of which are fully supported
protocols in Windows Server 2008 R2.
PPTP and L2TP Protocols
Both PPTP and L2TP are based on the well-defined Point-to-Point Protocol (PPP) and are
consequently accepted and widely used in VPN implementations. L2TP is the preferred
protocol for use with VPNs in Windows Server 2008 R2 because it incorporates the best of
PPTP, with a technology known as Layer 2 Forwarding. L2TP allows for the encapsulation
of data over multiple network protocols, including IP, and can be used to tunnel over the
Internet. The payload, or data to be transmitted, of each L2TP frame can be compressed,
as well as encrypted, to save network bandwidth.
Both PPTP and L2TP build on a suite of useful functionality that was introduced in PPP,
such as user authentication, data compression and encryption, and token card support.
These features, which have all been ported over to the newer implementations, provide
for a rich set of VPN functionality.
L2TP/IPSec Secure Protocol
Windows Server 2008 R2 uses an additional layer of encryption and security by utilizing IP
Security (IPSec), a Layer 3 encryption protocol, in concert with L2TP in what is known,
not surprisingly, as L2TP/IPSec. IPSec allows for the encryption of the L2TP header and
476
CHAPTER 15
Security Policies, Network Policy Server, and Network Access
Protection
trailer information, which is normally sent in clear text. This also has the added advantage
of dual-encrypting the payload, adding an additional level of security into the mix.
L2TP/IPSec has some distinct advantages over standard L2TP, namely the following:
. L2TP/IPSec allows for data authentication on a packet level, allowing for verification
that the payload was not modified in transit, as well as the data confidentiality that
is provided by L2TP.
. Dual-authentication mechanisms stipulate that both computer-level and user-level
authentication must take place with L2TP/IPSec.
. L2TP packets intercepted during the initial user-level authentication cannot be
copied for use in offline dictionary attacks to determine the L2TP key because IPSec
encrypts this procedure.
An L2TP/IPSec packet contains multiple, encrypted header information and the payload
itself is deeply nested within the structure. This allows for a great deal of transport-level
security on the packet itself.
Enabling VPN Functionality on an RRAS Server
ptg
By installing the Routing and Remote Access Service (RRAS) on the server, the ability to
allow VPN connections to and/or from the server is enabled. The following type of VPN
connections can be created:
.
VPN gateway for clients—
The most common scenario, this involves the RRAS
server being the gateway into a network for VPN clients. This scenario requires the
server to have two network cards installed.
.
Site-to-site VPN—
In this scenario, the RRAS server creates a VPN tunnel between
another RRAS server in a remote site, allowing for traffic to pass unimpeded between
the networks, but in an encrypted state.
.
Dial-up RAS server—
In this layout, the server is installed with a modem or pool of
modems and provides for dial-in capabilities.
.
NAT between networks—
On an RRAS server installed in Routing mode, this
deployment option provides for Network Address Translation (NAT) between
network segments. For example, on one network, the IP addresses might be public,
such as 12.155.166.x, while on the internal network they might be 10.10.10.x. The
NAT capability translates the addresses from public to private and vice versa.
.
Routing between networks—
On an RRAS server installed in Routing mode, this
deployment option allows for direct routing of the traffic between network segments.
.
Basic firewall—
The RRAS server can act as a simple Layer 3 router, blocking traffic
by port. For more secure scenarios, use of an advanced Layer 7 firewall such as
Microsoft’s Forefront Threat Management Gateway (previously called Internet
Security and Acceleration or ISA Server) is recommended.
Deploying and Enforcing a Virtual Private Network (VPN) Using an RRAS Server
477
NOTE
Setting up a VPN connection requires the server to have at least two network cards
installed on the system. This is because the VPN connections must be coming from
one network and subsequently passed into a second network, such as from the demili-
tarized zone (DMZ) network into the internal network.
To set up the RRAS server for the most common scenario, VPN gateway, perform the
following tasks:
1. Open the Routing and Remote Access MMC tool (Start, All Programs, Administrative
Tools, Routing and Remote Access).
2. Select the local server name or connect to a remote RRAS server by right-clicking
Routing and Remote Access and selecting Add Server.
3. Click Action, Configure and Enable Routing and Remote Access.
4. Click Next at the Welcome page.
15
5. Choose from the list of configuration settings, as shown in Figure 15.14. Different
scenarios would require different settings. For example, if setting up a site-to-site
VPN, you should select the Secure Connection Between Two Private Networks
ptg
option. In this case, we are setting up a simple VPN, so we select Remote Access
(Dial-up or VPN).
FIGURE 15.14
Enabling VPN functionality.
6. On the Remote Access page, check the box next to VPN. If enabling dial-up, such as
in scenarios when the VPN box has a modem attached to it, the Dial-up box can be
checked as well. Click Next to continue.
7. On the VPN Connection page, shown in Figure 15.15, select which network card is
connected to the network where VPN clients will be coming from. This might be