Windows Server 2008 R2 Unleashed (98 page)

Deploying and Enforcing a Virtual Private Network (VPN) Using an RRAS Server

473

2. Navigate to SERVERNAME, IPv4, Scope Name.

3. Right-click Scope Name, and choose Properties.

4. Select the Network Access Protection tab, and click the Enable for This Scope option

button, as shown in Figure 15.12. Click OK to save the changes.

15

ptg

FIGURE 15.12

Enabling NAP on a DHCP scope.

After enabling NAP on a Scope, individual scope options can be configured for noncom-

pliant clients. These scope options appear under the User Class named Default Network

Access Protection Class, as shown in Figure 15.13. By not configuring any scope options,

the clients effectively have no DHCP access to resources. Or, in a different example, you

could configure the clients to use an alternate DNS server for remediation. Scope options

can be configured by right-clicking on the Scope Options node under the Scope Name and

choosing Configure Options. Click the Advanced tab to view the classes and options.

NOTE

The default User Class is used for compliant NAP clients—the Default Network Access

Protection Class is used for noncompliant clients.

Deploying and Enforcing a Virtual Private Network

(VPN) Using an RRAS Server

A common method of securing information sent across unsecured networks is to create a

virtual private network (VPN), which is effectively a connection between two private

nodes or networks that is secured and encrypted to prevent unauthorized snooping of the

traffic between the two connections. From the client perspective, a VPN looks and feels

474

CHAPTER 15

Security Policies, Network Policy Server, and Network Access

Protection

FIGURE 15.13

Configuring DHCP scope options for noncompliant NAP clients.

ptg

just like a normal network connection between different segments on a network—hence

the term virtual private network.

Data that is sent across a VPN is encapsulated, or wrapped, in a header that indicates its

destination. The information in the packet is then encrypted to secure its contents. The

encrypted packets are then sent across the network to the destination server, using what is

known as a VPN tunnel.

The Windows Server 2008 R2 RRAS role allows for the creation of VPNs, and integrates

with the NPS role to provide for validation of client health before creating a VPN session.

NOTE

Virtual private network support in Windows Server 2008 R2 provides for simple VPN

tunnels to be created. For more complex scenarios where specific rules need to be cre-

ated and application-layer filtering of the VPN traffic is needed, look at Microsoft’s

Forefront Edge line of products, which includes the Forefront Threat Management

Gateway (previously called Internet Security and Acceleration or ISA Server) and the

Forefront Unified Access Gateway products.

Exploring VPN Tunnels

The connection made by VPN clients across an unsecured network is known as a VPN

tunnel. It is named as such because of the way it “tunnels” underneath the regular traffic

of the unsecured network.

VPN tunnels are logically established on a point-to-point basis but can be used to connect

two private networks into a common network infrastructure. In many cases, for example,

Deploying and Enforcing a Virtual Private Network (VPN) Using an RRAS Server

475

a VPN tunnel serves as a virtual wide area network (WAN) link between two physical loca-

tions in an organization, all while sending the private information across the Internet.

VPN tunnels are also widely used by remote users who log on to the Internet from multi-

ple locations and establish VPN tunnels to a centralized VPN server in the organization’s

home office. These reasons make VPN solutions a valuable asset for organizations, and one

that can be easily established with the technologies available in Windows Server 2008 R2.

NOTE

VPN tunnels can either be voluntary or compulsory. In short, voluntary VPN tunnels are

created when a client, usually out somewhere on the Internet, asks for a VPN tunnel to

be established. Compulsory VPN tunnels are automatically created for clients from spe-

cific locations on the unsecured network, and are less common in real-life situations

than are voluntary tunnels.

Tunneling Protocols

The tunneling protocol is the specific technology that defines how data is encapsulated,

transmitted, and unencapsulated across a VPN connection. Varying implementations of

15

tunneling protocols exist, and correspond with different layers of the Open System

Interconnection (OSI) standards-based reference model. The OSI model is composed of

ptg

seven layers, and VPN tunneling protocols use either Layer 2 or Layer 3 as their unit of

exchange. Layer 2, a more fundamental network layer, uses a frame as the unit of

exchange, and Layer 3 protocols use a packet as a unit of exchange.

The most common Layer 2 VPN protocols are the Point-to-Point Tunneling Protocol

(PPTP) and the Layer 2 Tunneling Protocol (L2TP), both of which are fully supported

protocols in Windows Server 2008 R2.

PPTP and L2TP Protocols

Both PPTP and L2TP are based on the well-defined Point-to-Point Protocol (PPP) and are

consequently accepted and widely used in VPN implementations. L2TP is the preferred

protocol for use with VPNs in Windows Server 2008 R2 because it incorporates the best of

PPTP, with a technology known as Layer 2 Forwarding. L2TP allows for the encapsulation

of data over multiple network protocols, including IP, and can be used to tunnel over the

Internet. The payload, or data to be transmitted, of each L2TP frame can be compressed,

as well as encrypted, to save network bandwidth.

Both PPTP and L2TP build on a suite of useful functionality that was introduced in PPP,

such as user authentication, data compression and encryption, and token card support.

These features, which have all been ported over to the newer implementations, provide

for a rich set of VPN functionality.

L2TP/IPSec Secure Protocol

Windows Server 2008 R2 uses an additional layer of encryption and security by utilizing IP

Security (IPSec), a Layer 3 encryption protocol, in concert with L2TP in what is known,

not surprisingly, as L2TP/IPSec. IPSec allows for the encryption of the L2TP header and

476

CHAPTER 15

Security Policies, Network Policy Server, and Network Access

Protection

trailer information, which is normally sent in clear text. This also has the added advantage

of dual-encrypting the payload, adding an additional level of security into the mix.

L2TP/IPSec has some distinct advantages over standard L2TP, namely the following:

. L2TP/IPSec allows for data authentication on a packet level, allowing for verification

that the payload was not modified in transit, as well as the data confidentiality that

is provided by L2TP.

. Dual-authentication mechanisms stipulate that both computer-level and user-level

authentication must take place with L2TP/IPSec.

. L2TP packets intercepted during the initial user-level authentication cannot be

copied for use in offline dictionary attacks to determine the L2TP key because IPSec

encrypts this procedure.

An L2TP/IPSec packet contains multiple, encrypted header information and the payload

itself is deeply nested within the structure. This allows for a great deal of transport-level

security on the packet itself.

Enabling VPN Functionality on an RRAS Server

ptg

By installing the Routing and Remote Access Service (RRAS) on the server, the ability to

allow VPN connections to and/or from the server is enabled. The following type of VPN

connections can be created:

.
VPN gateway for clients—
The most common scenario, this involves the RRAS

server being the gateway into a network for VPN clients. This scenario requires the

server to have two network cards installed.

.
Site-to-site VPN—
In this scenario, the RRAS server creates a VPN tunnel between

another RRAS server in a remote site, allowing for traffic to pass unimpeded between

the networks, but in an encrypted state.

.
Dial-up RAS server—
In this layout, the server is installed with a modem or pool of

modems and provides for dial-in capabilities.

.
NAT between networks—
On an RRAS server installed in Routing mode, this

deployment option provides for Network Address Translation (NAT) between

network segments. For example, on one network, the IP addresses might be public,

such as 12.155.166.x, while on the internal network they might be 10.10.10.x. The

NAT capability translates the addresses from public to private and vice versa.

.
Routing between networks—
On an RRAS server installed in Routing mode, this

deployment option allows for direct routing of the traffic between network segments.

.
Basic firewall—
The RRAS server can act as a simple Layer 3 router, blocking traffic

by port. For more secure scenarios, use of an advanced Layer 7 firewall such as

Microsoft’s Forefront Threat Management Gateway (previously called Internet

Security and Acceleration or ISA Server) is recommended.

Deploying and Enforcing a Virtual Private Network (VPN) Using an RRAS Server

477

NOTE

Setting up a VPN connection requires the server to have at least two network cards

installed on the system. This is because the VPN connections must be coming from

one network and subsequently passed into a second network, such as from the demili-

tarized zone (DMZ) network into the internal network.

To set up the RRAS server for the most common scenario, VPN gateway, perform the

following tasks:

1. Open the Routing and Remote Access MMC tool (Start, All Programs, Administrative

Tools, Routing and Remote Access).

2. Select the local server name or connect to a remote RRAS server by right-clicking

Routing and Remote Access and selecting Add Server.

3. Click Action, Configure and Enable Routing and Remote Access.

4. Click Next at the Welcome page.

15

5. Choose from the list of configuration settings, as shown in Figure 15.14. Different

scenarios would require different settings. For example, if setting up a site-to-site

VPN, you should select the Secure Connection Between Two Private Networks

ptg

option. In this case, we are setting up a simple VPN, so we select Remote Access

(Dial-up or VPN).

FIGURE 15.14

Enabling VPN functionality.

6. On the Remote Access page, check the box next to VPN. If enabling dial-up, such as

in scenarios when the VPN box has a modem attached to it, the Dial-up box can be

checked as well. Click Next to continue.

7. On the VPN Connection page, shown in Figure 15.15, select which network card is

connected to the network where VPN clients will be coming from. This might be