VPNs are used to connect remote computers or networks to an internal network that would not be accessible any other way. A VPN provides security so that traffic sent through the VPN connection is isolated from external computers and networks. The VPN connection allows remote users to connect directly to a remote network to gain access to resources on that network.
This document will focus on setting up a Virtual Private Network in Windows Server 2008 R2.
A Virtual Private Network is used to connect remote computers or networks to an internal network that would not be accessible any other way. VPNs can connect remote computers or networks or multiple networks together. A VPN provides security so that traffic sent through the VPN connection is isolated from external computers and networks.
The VPN connection allows remote users to directly connect to a remote network to gain access to resources on that network.
Definitions:
VPN - Connects remote users and/or networks to local resources
PPTP - Point-to-Point Tunneling Protocol: creates a tunnel used to ensure that traffic sent from one point to the next is secure
GRE - Generic Routing Encapsulation: a tunneling protocol used to encapsulate traffic
L2TP - Layer 2 Tunneling Protocol: a tunneling protocol that relies on an encryption protocol to encrypt the data within the tunnel
IPsec - Internet Protocol Security: secures IP traffic by authenticating and encrypting each packet in a session
Digital Certificate - An electronic document that uses a digital signature to verify the user/device identity
DirectAccess - Introduced in Windows 7 and Windows Server 2008 R2, it allows remote users to securely access internal resources on the corporate network. The connection is made from a DirectAccess-enabled portable computer before the user logs into the device. Windows Server 2008 R2 requires a Public Key Infrastructure for it to work. It also requires Windows 7 Enterprise/Ultimate and Windows Server 2008 R2.
Network Policy Server (NPS) - Microsoft's implementation of a RADIUS (Remote Authentication Dial-In User Service) server. NPS provides Authentication, Authorization and Accounting for Wireless, Network Access and VPN services.
Setting up VPN requirements:
This demo will be using:
Two Windows Server 2008 R2 servers, each with two network connections (one internal (Private) and one external (Public))
Windows 7 to connect to the remote VPN server
Windows 7 to Windows Server 2008 R2 VPN connection
Windows Server 2008 R2 to Windows Server 2008 R2 site-to-site connection
Jim Long, MOREnet, 221 N. Stadium Blvd., Suite 201, Columbia, Mo. 65203, Oct 2012
Configure the Windows Server 2008 R2 VPN:
Pre-Setup Steps:
Install your Windows Server 2008 R2 server
Load all updates
Secure the server
Add it to the Active Directory domain
Configure the external network connection
Configure the host firewall
Configure the external firewall to allow VPN connections
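The "Configure host firewall" step, as an added example (this is not part of the original document): it opens only the inbound traffic the tunnel protocol you deploy needs and explicitly blocks the others. The rule names are our own, and the choice of protocols (PPTP only, which is what RRAS creates by default) is a constructed setting for this demo. Run it from an elevated PowerShell prompt on the RRAS server.

```powershell
# Added example, not from the original document: host firewall rules for the VPN
# protocols on the Windows Server 2008 R2 RRAS server, using netsh advfirewall.
# Rule names are our own; the set of offered protocols is a constructed choice.

# Protocols this server actually offers. Allow L2TP/IPsec or SSTP only once the
# matching Security tab settings (pre-shared key, SSTP certificate) are in place.
$offered = @{ PPTP = $true; L2TP = $false; SSTP = $false }

# Inbound traffic each protocol needs. GRE (IP protocol 47) carries the PPTP data
# channel and is the rule most often forgotten when PPTP "authenticates then hangs".
$needs = @{
    PPTP = @( @{ Proto = 'TCP'; Port = 1723 }, @{ Proto = '47';  Port = $null } )
    L2TP = @( @{ Proto = 'UDP'; Port = 500 },  @{ Proto = 'UDP'; Port = 4500 }, @{ Proto = 'UDP'; Port = 1701 } )
    SSTP = @( @{ Proto = 'TCP'; Port = 443 } )
}

foreach ($vpn in $needs.Keys) {
    # Protocols not offered get an explicit block rule: in Windows Firewall a block
    # rule wins over any allow rule, so a later broad "allow" cannot expose them.
    $action = if ($offered[$vpn]) { 'allow' } else { 'block' }
    foreach ($n in $needs[$vpn]) {
        $name = "VPN $vpn $($n.Proto)"
        if ($n.Port) { $name += " $($n.Port)" }
        # Remove any earlier copy so re-running the script does not stack duplicates.
        & netsh advfirewall firewall delete rule name="$name" | Out-Null
        $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
                       "name=$name", 'dir=in', "action=$action", "protocol=$($n.Proto)")
        if ($n.Port) { $netshArgs += "localport=$($n.Port)" }
        & netsh @netshArgs | Out-Null
    }
}

# Verify what the firewall now holds for these rules.
netsh advfirewall firewall show rule name=all |
    Select-String -Pattern '^Rule Name:\s+VPN ' -Context 0,5
```

The external firewall (the last pre-setup step) needs the same traffic passed through to the server's public address; note that GRE is an IP protocol rather than a port, so a NAT device in front of the server must support PPTP passthrough for the PPTP data channel to arrive.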
Setting up VPN:
On the Windows 2008 R2 Server we will install the VPN Role:
Open Server Manager
Click Start
Click Administrative Tools
Click Server Manager
Click Roles
Click Add Roles
Add Roles Wizard
The Add Roles Wizard will walk you through adding Roles to your server
Click Next
Select Network Policy and Access Services
Click Next
Network Policy and Access Services
Review this screen for more information about the service and follow the links for additional information
Click Next
Select Role Services
Click Next
Select Role Services
Choose the roles that you need.
Minimum roles:
NPS - Create and enforce network access policies
Routing and Remote Access Services - Provides remote user access
Remote Access Services - Allow access through VPN
Routing - Provides support for NAT routing and LAN routing
Additional roles:
Health Registration Authority - Validates certificate requests that contain health claims and issues certificates based on the health status
Host Credentials Authorization Protocol - Integrates Microsoft Network Access Protection with Cisco network access controls
Select the Roles that you require
Click Next
Confirm Installation Selections
Click Install
Install Progress
Installation Results
Confirm that all Roles were successfully installed
Click Close
You will be returned to Server Manager
You will notice that the Role is showing errors
Click Network Policy and Access Services
Notice that it states that the service is installed but additional steps are required to configure the service
Click Go to the NPS console
Click Routing and Remote Access (Left Frame)
Click More Actions (Right Frame)
Click Configure and Enable Routing and Remote Access
Routing and Remote Access Wizard
Click Next
Configuration
This screen has several options to install a combination of services. Since we only want to install a VPN server we will choose Custom Configuration
Click Custom Configuration
Click Next
Custom Configuration
Select VPN Access
Click Next
Complete the Routing and Remote Access Server Setup Wizard
Click Finish
Warning!
Routing and Remote Access has created a default connection request policy called Microsoft Routing and Remote Access Service Policy
Click OK
Start the Service
Click Start service
Starting Service
Install Complete Routing and Remote Access is Configured on This Server
Out of the box we cannot connect to the server, because the policies that were created will not allow connections.
We will need to check the Routing and Remote Access settings and make sure everything is set up properly.
Verify Routing and Remote Access Configuration
This section will focus on checking the settings and ensuring that everything is set up properly with the VPN configuration that we just finished installing.
Open the Routing and Remote Access Management Console
Click Start / Administrative Tools
Click Routing and Remote Access
Routing and Remote Access Console
Checking the Properties for the Server
Right Click the server name
Click Properties
General Tab
By default it is set up for IPv4
Security Tab
The Security tab will allow us to set up additional security settings.
Because Windows Server 2008 R2 uses NPS, the Authentication Methods need to be configured in the Connection Policies. We will look at that policy later.
IPsec Policy / PreShared Key for L2TP connections
You will need to determine from your internal policies whether you will require L2TP connections.
By default a PPTP connection is created. PPTP basically creates an encrypted tunnel and sends the unencrypted data back and forth through that tunnel.
L2TP uses the encrypted tunnel, but the data that is sent is then encrypted as well. This is the most secure method, but it can add overhead on the client and server, since the data has to be encrypted/decrypted at each end of the communication tunnel.
To configure a basic L2TP policy, click Allow custom IPsec policy for L2TP connection and enter a preshared key. This key will then have to be configured on the client computers when setting up the VPN client in order to connect to the server.
SSL Certificate Binding
To configure your server to use Secure Socket Tunneling Protocol (SSTP) you will need a Server Authentication certificate to bind to the server. You can use an internal certificate store, and the clients will also be required to have certificates.
How to set up SSTP: http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx
IPv4 Tab
This screen allows us to define the IP addresses that will be handed out to our clients.
IPv4 address assignment
IP addresses can be handed out by the server or by a DHCP server. If you do not have a DHCP server defined then check Static address pool.
Enable IPv4 Forwarding
You will have to have this enabled if you want the traffic that is coming through this VPN server to route from your public network to your private network. If you want clients to be able to access the entire network that the server is attached to then you should enable this.
Static Address Pool
Click Add
Add the IP addresses you want the server to hand out
Click Ok
Enable broadcast name resolution
This allows remote clients to resolve broadcast names on the subnet that they are connecting to.
If you are using a DHCP server then leave the DHCP option checked, and then you can either allow RRAS to automatically select the adapter or select the adapter yourself.
* Allowing RRAS to select the adapter will result in RRAS randomly selecting an adapter every time the service is started
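The IPv4 tab settings described above, set from the command line and read back, as an added example that is not part of the original document. It uses the netsh ras ip context of Windows Server 2008 R2; the pool range and the choice between DHCP and a static pool are constructed values for this demo, and the final check that the pool appears in the netsh output is an assumption about how the output is formatted. Run it elevated on the RRAS server.

```powershell
# Added example, not from the original document: configure the IPv4 tab of the
# RRAS server properties with netsh and verify the result.

$useDhcp   = $false               # $true keeps "Dynamic Host Configuration Protocol"
$poolStart = '192.168.100.200'    # constructed static pool; must be unused on the private subnet
$poolEnd   = '192.168.100.220'
$fullNet   = $true                # "Enable IPv4 Forwarding": clients reach the whole private LAN

if ($useDhcp) {
    netsh ras ip set addrassign method=AUTO
} else {
    netsh ras ip set addrassign method=POOL
    netsh ras ip add range from=$poolStart to=$poolEnd
}

# mode=ALL routes client traffic onto the private network; SERVERONLY confines
# clients to the VPN server itself, which is the least-privilege choice when the
# VPN exists only to reach services hosted on that server.
if ($fullNet) {
    netsh ras ip set access mode=ALL
} else {
    netsh ras ip set access mode=SERVERONLY
}

# "Enable broadcast name resolution" from the same tab.
netsh ras ip set broadcastnameresolution mode=ENABLED

# Read back the effective configuration and fail loudly if the pool is missing
# (assumes the pool range is listed in the "show config" output).
$cfg = netsh ras ip show config
$cfg
if (-not $useDhcp -and -not ($cfg | Select-String -SimpleMatch $poolStart)) {
    throw "Static pool $poolStart-$poolEnd was not applied; review the netsh output above."
}
```

Whichever assignment method you pick, the client addresses must lie inside (or be routed to) the private subnet; a pool on a different subnet with forwarding enabled silently fails for everything except the VPN server itself.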
IPv6 Tab
This tab allows you to define the IPv6 settings necessary for the server.
Enable IPv6 Routing Same as IPv4, specifies if the RRAS server will be forwarding the IPv6 Traffic
Enable Default Route Advertisement Specifies whether a default route is advertised on the server
IPv6 prefix assignment Enter your IPv6 assigned prefix
Use the Following adapter for DHCP, DNS - This is used the same as in IPv4 above
IKEv2
IKEv2 (Internet Key Exchange version 2) is used to set up security associations for the IPsec protocol
There are no changes to be made on this screen unless you encounter specific issues related to IKEv2
IKEv2 client connection timeouts
Idle time-out refers to the number of minutes that an IKE client can be idle before the connection is terminated
Network Outage Time refers to the amount of time that packets are retransmitted to the client without a response before the connection is considered severed.
Security Association(SA) expiration control
Security Association expiration time refers to the time that is allowed to create an SA connection to the IKE server before the session has to be re-negotiated. The negotiation must succeed before the computers can exchange data.
Security Association data size refers to the maximum amount of data that can be transferred between the computers before the SA must negotiate and create a new session.
PPP Tab
Multilink - Determines whether you will allow clients to combine multiple physical connections into a single logical connection
Dynamic bandwidth control using BAP or BACP - Defines whether the server uses these protocols to control multiple physical connections for clients
Link control protocol (LCP) extensions - Clearing this checkbox prevents the server from sending Time-Remaining and Identification packets to the client
Software compression - Defines whether the server uses the Microsoft Point-to-Point Compression Protocol (MPPC) to compress data sent on the remote access connection
Logging Tab
Select the event types you want logged
Log errors only - Writes errors only to the Event Log files
Log errors and warnings - Writes errors and warnings to the Event Log files
Log all events - Writes all events to the Event Log files
Do not log events - Does not write any events to the Event Log files
Log additional Routing and Remote Access information (used for debugging) - Writes events to ppp.log, located in %windir%\tracing
This completes the settings needed for the RRAS server itself. We will now take a closer look at some of the additional settings and the configuration in the RRAS console.
Network Interfaces
Shows the network interfaces associated with this server. I have named mine by IP address and by whether each is Public or Private, so I can easily manage these connections.
Remote Access Clients
Shows the clients that are currently connected to this RRAS server
Ports
This shows the number of available ports per protocol that clients can use. You can change the number of ports.
Right Click Ports
Click Properties
The default number of ports created is listed. You can change the number of ports available by selecting the type and clicking Configure
I have selected PPTP connections
You can change whether Remote access connections are allowed for this connection type
You can change whether Demand-dial connections are allowed for this connection type
You can also change the Maximum number of ports allowed.
Once you have made your changes Click Ok
Click Ok to close the properties window
Remote Access Logging and Policies
This setting will be controlled by the Network Policy Server. This will be discussed later in this document.
IPv4 Section
General
This screen again shows the network connections but on this screen we can click on the connections and view the properties. The properties for the network connection from this screen will allow us to setup Inbound and Outbound firewall rules.
Right Click on one of the network connections
You will see that you can now update the Routes as well as showing additional information about this interface
Click Properties
Enable IP Routing - Specifies whether TCP/IP is enabled on this interface
Enable router discovery advertisements - Specifies whether Internet Control Message Protocol (ICMP) router discovery is enabled on this interface
Inbound\Outbound Filters
Configure inbound/outbound rules to control network traffic by IP source/destination and protocol
Enable fragmentation checking - Specifies whether the router discards all fragmented IP packets that do not correspond with the allowed traffic filters
Multicast Boundaries
Limit the range of the multicast scope
Multicast Heartbeat
Multicast Heartbeat listens for periodic traffic to confirm that the multicast infrastructure is functioning normally
Static Routes
Allows for Static Routes to be defined for the network connections to this Routing and Remote Access server
Right Click Static Routes
Click New
Enter the information to create new static routes and click Ok to create
DHCP Relay Agent
DHCP Relay Agent listens for broadcast DHCP messages on the local subnet and routes them to the DHCP server on a different subnet.
To add additional interfaces:
Right Click the DHCP Relay Agent
Click New Interface
Select the interface and click OK
This is not needed if you have set up the RRAS server as a router, which it is by default, or if you are having your RRAS server hand out the IP addresses, as in this document.
IGMP
IGMP (Internet Group Management Protocol) is used to manage host membership in IPv4 multicast groups on a network segment
Configure this only if needed
IPv6
General
This screen again shows the network connections, and, similar to IPv4 above, lets you click on a connection and configure Inbound\Outbound filters for its traffic; it does not, however, show the Update Routes option or the other information viewable with the IPv4 interfaces.
Static Routes
Same as IPv4 above; lets you create static route statements
This completes the settings and examples for this section.
Network Policy Server (NPS) Console
Configures and manages Network Policy Servers.
The Network Policy Server is used to create, manage and enforce network access policies and to handle connection requests for authentication and authorization to connect to your network.
Open Network Policy Server
Click Start
Click Administrative Tools
Click Network Policy Server
Network Policy Server
The NPS server handles more than just the VPN policies it also handles:
I will give an overview of each section, but to learn more about the details of each component you can select the component and click the Learn more link.
This will open the Windows Help file with additional information about the selected item.
The Learn more link is available once you select ANY of the top level categories
NPS Overview
Radius Clients and Servers
This section allows you to add services or devices that can use this server to authenticate users. One of the most common uses today is to allow authenticated users access to Wireless network resources.
It will also allow Radius proxies to be configured so that this server can forward requests to other Radius Servers on the network.
Policies
There are 3 types of Policies that can be managed
Connection Request Policies These allow you to designate whether connection requests are processed locally or forwarded to remote Radius Servers
Network Policies Designate who is authorized to connect to the network and under what circumstances they can connect
Health Policies Setup Policies to control NAP-capable client computers to access the network
Network Access Protection (NAP)
NAP allows you to setup system health checks such as ensuring that systems are up-to-date with the latest patches that they are running current anti-virus software and other checks that you deploy.
There are 2 sections
System Health Validators Allow you to specify the settings required by NAP-capable clients
Remediation Server Groups Allow you to define servers that can provide services and updates to non-compliant clients
Accounting
Accounting allows the logs to be sent to an external server running a remote SQL server for accounting purposes.
Some of the data that is collected:
Who connected?
How long were they connected?
Connection errors
And more
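Even without the external SQL accounting server described above, the questions in that list can be answered from the NPS audit events in the local Security log. The following is an added example, not part of the original document: it summarises granted and denied connection decisions and flags repeated denials. It assumes that event IDs 6272 (access granted) and 6273 (access denied) are the NPS audit events on Windows Server 2008 R2 and that the EventData field names used (SubjectUserName, CallingStationID, NetworkPolicyName, Reason) follow the event schema; check a real event's XML if a column comes back empty. The "Network Policy Server" audit subcategory must be enabled (auditpol /get /subcategory:"Network Policy Server"). Run it on the NPS server.

```powershell
# Added example, not from the original document: who connected, who was refused,
# and which user/address pairs are accumulating denials, from the Security log.

param([int]$Hours = 24, [int]$DenyThreshold = 5)

$since  = (Get-Date).AddHours(-$Hours)
# 6272 = NPS granted access, 6273 = NPS denied access (assumed IDs, see lead-in).
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since } -ErrorAction SilentlyContinue)

function Get-EventField($record, [string]$name) {
    # Read one named <Data> value from the event's XML representation.
    $xml  = [xml]$record.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }
    if ($node) { $node.'#text' } else { '' }
}

$rows = @(foreach ($e in $events) {
    New-Object PSObject -Property @{
        Time   = $e.TimeCreated
        Result = $(if ($e.Id -eq 6272) { 'GRANTED' } else { 'DENIED' })
        User   = Get-EventField $e 'SubjectUserName'
        Client = Get-EventField $e 'CallingStationID'
        Policy = Get-EventField $e 'NetworkPolicyName'
        Reason = Get-EventField $e 'Reason'
    }
})

"NPS connection decisions in the last $Hours hours: $($rows.Count)"
$rows | Sort-Object Time | Format-Table Time, Result, User, Client, Policy, Reason -AutoSize

# A burst of denials for one user/address pair is either a mistyped password or
# someone guessing credentials against the VPN endpoint; either way, look at it.
$rows | Where-Object { $_.Result -eq 'DENIED' } |
    Group-Object User, Client |
    Where-Object { $_.Count -ge $DenyThreshold } |
    Select-Object @{ n = 'User, Client'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Connection duration ("how long were they connected") is not in these two events; it comes from the RRAS accounting records or the connection-stop events, which the NPS Accounting node configures.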
Templates Configuration
You can use templates to create and manage several different settings for the server; templates include:
Shared Secrets
Radius Clients
Remote Radius Servers
Health Policies
Remediation Server Groups
IP Filters
Templates are not applied to the server but are stored for reuse later. These templates can be applied to specific component configurations in the NPS console and can be re-used. This can save time when dealing with multiple configurations that need the same settings.
Now that we have taken a look at what is available in this console, let's go back to the Policies section and focus on what is needed to allow remote connections to our VPN server.
The Policy that will allow users to connect to the VPN server was created when the VPN service was loaded. The Policy is located here:
NPS / Policies / Network Policies
The default connection policy is Connections to Microsoft Routing and Remote Access server and it is set up to Deny access to this server. To allow access to the VPN server all we have to do is open the policy and check Grant access.
Granting Access
Right Click Connections to Microsoft Routing and Remote Access server
Click Properties
Notice that Grant access is not checked
Check Grant Access We will also set the Type of network access server at this time.
Make these changes and Click Apply
All Users will now be able to connect to the VPN server.
Congratulations! You now have a working VPN server!!!
We have created a VPN server; however, we have not looked at the security settings. As you can see from the screen shot above there are additional tabs available. These tabs provide additional settings that we can use to apply stricter security to the server. Let's open the Connections to Microsoft Routing and Remote Access policy again.
Right Click the Policy
Notice that you have some additional options
Move Up\Down - Policies are read in a top-down manner, so that you can have multiple policies
Disable - Disables the selected policy
Delete - Deletes the selected policy
Rename - Renames the selected policy
Duplicate Policy - This will allow you to duplicate the policy so that you can work with a copy. This is perfect for creating new policies from known-good policies, so that if mistakes are made you can revert to the original working policy
Properties - Displays the selected policy properties
Help - Displays the Microsoft help files
Click Properties
We are now back in the policy and we can explore the remaining tabs
Conditions
The Conditions tab allows us to define what conditions will need to be met in order for remote access clients to connect to this server.
To add specific conditions click Add
You can now choose from an extensive list of conditions to allow remote clients to access the VPN server. The easiest and most popular are located at the top of the list. We will add a Windows Group.
Adding a Windows Group will allow you to control the specific users that have access. As stated, once the policy was changed to grant access, all users were allowed to connect to this server. We will limit this to a specific group that we will call VPN Users.
Click Windows Group
Click Add
Click Add Groups
Enter the Group to add
Click Ok
Add as many groups as necessary
Click Ok
You can now see that the group specified is listed
Click Apply
Users that are not in this group will no longer be able to connect to the VPN server and will receive an error
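The group used in the Windows Groups condition, created and populated from PowerShell, with a check for per-account dial-in overrides that the text above does not mention. This is an added example, not part of the original document. It assumes the Active Directory module for Windows PowerShell is available on a Windows Server 2008 R2 domain controller or RSAT host; the group name follows the document, while the OU path and user names are constructed.

```powershell
# Added example, not from the original document: create the "VPN Users" group for
# the NPS Windows Groups condition and review who can get through it.

Import-Module ActiveDirectory

$groupName = 'VPN Users'
$ouPath    = 'OU=Groups,DC=mydomain,DC=local'   # constructed
$members   = 'jlong', 'remote1'                  # constructed sAMAccountNames

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouPath `
        -Description 'Accounts allowed to connect to the RRAS VPN (NPS network policy condition)'
}
Add-ADGroupMember -Identity $groupName -Members $members

# Review: nested members count too, because NPS evaluates effective group membership.
"Members of ${groupName}:"
Get-ADGroupMember -Identity $groupName -Recursive |
    Select-Object SamAccountName, objectClass | Format-Table -AutoSize

# Accounts whose Dial-in tab is set to "Allow access" (msNPAllowDialin = TRUE) are
# granted access once a policy matches, whatever that policy's Access Permission
# says, unless the policy has "Ignore user account dial-in properties" set.
# "Control access through NPS Network Policy" leaves the attribute unset. Listing
# the overrides keeps the group condition the single place where access is decided.
$overrides = @(Get-ADUser -Filter 'msNPAllowDialin -eq $true' -Properties msNPAllowDialin)
if ($overrides.Count -gt 0) {
    Write-Warning "Accounts with Dial-in set to 'Allow access' (bypass the policy's Grant/Deny):"
    $overrides | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}
```

The same review is worth repeating whenever the group is changed, since a user added to VPN Users can connect immediately at the next attempt; there is no further approval step in the policy.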
Using Conditions such as Windows Groups we can restrict who can connect to the VPN server.
Constraints
Constraints set criteria that must be matched in order to connect.
There are 6 available constraints:
Authentication - Define the authentication method for connecting to this server
Idle Timeout - If the session is idle for a specific amount of time then disconnect the client
Session Timeout - Limits the amount of time a client can be connected to the server
Called Station ID - Specify the phone number of the calling client
Day and time restrictions - Restrict access to this server to defined days and times
NAS Port Type - Specify what is allowed to connect to this server, such as another VPN server, 802.11 wireless, etc.
Authentication
Set the allowed authentication methods
The most secure method is to allow certificate authentication only, however this can be an expensive and time consuming method
Secured Password (EAP-MSCHAP v2) is also a secure method of authentication and it is setup by default
You can also add Protected EAP (PEAP) by clicking Add in the center window
All Authentication methods that are chosen will be allowed to connect.
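A way to see, for every network policy at once, which of these methods is actually enabled, as an added example that is not part of the original document. It exports the NPS configuration with the documented netsh nps export command and reads the authentication settings from the XML. The element name msNPAuthenticationType, the numeric codes mapped below, and the use of the nearest ancestor element's name attribute as the policy name are assumptions about the export format; compare with your own export before relying on the output.

```powershell
# Added example, not from the original document: audit the authentication methods
# enabled in each NPS network policy from an NPS configuration export.

$exportFile = Join-Path $env:TEMP 'nps-export.xml'
netsh nps export filename="$exportFile" exportPSK=NO | Out-Null

# Assumed msNPAuthenticationType codes.
$authNames = @{
    1 = 'PAP'; 2 = 'CHAP'; 3 = 'MS-CHAP'; 4 = 'MS-CHAP v2'; 5 = 'EAP'
    7 = 'Unauthenticated'; 9 = 'MS-CHAP (change password)'; 10 = 'MS-CHAP v2 (change password)'
}
# Everything except MS-CHAP v2 and EAP is what the text above says not to use.
$weak = 1, 2, 3, 7, 9

$xml = New-Object System.Xml.XmlDocument
$xml.Load($exportFile)
$nodes = $xml.SelectNodes('//msNPAuthenticationType')

$report = @(foreach ($n in $nodes) {
    $policy = $n.SelectSingleNode('ancestor::*[@name][1]')
    $code   = [int]$n.InnerText
    New-Object PSObject -Property @{
        Policy = $(if ($policy) { $policy.GetAttribute('name') } else { '?' })
        Code   = $code
        Method = $(if ($authNames.ContainsKey($code)) { $authNames[$code] } else { "unknown ($code)" })
        Weak   = ($weak -contains $code)
    }
})

$report | Sort-Object Policy, Code | Format-Table Policy, Method, Weak -AutoSize

$flagged = @($report | Where-Object { $_.Weak })
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) weak authentication method(s) enabled; open the policy's Constraints > Authentication Methods tab and clear them."
}
# The export describes the whole NPS configuration; do not leave it lying around.
Remove-Item $exportFile -Force
```

exportPSK=NO keeps RADIUS shared secrets out of the file; the export is still sensitive enough (policy names, conditions, client lists) that deleting it afterwards, as the script does, is the right default.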
I would recommend removing MS-CHAP, as it is an older protocol and is less secure. Newer Windows operating systems support MS-CHAP v2 and this is the preferred method.
NONE of the other encryption methods should be used as they are not secure!!!
Idle Timeout
The Idle Timeout setting is not enabled by default. This forces the client to disconnect from the VPN if the session is idle for a specific amount of time.
Configure the settings you want to use and Click Apply
Session Timeout
The session timeout specifies a maximum amount of time that a client can be connected to the server. The client will be disconnected after the timeout limit is reached and will have to establish a new connection.
Configure the maximum time allowed in minutes that you want and Click Apply
Called Station ID
The called station ID allows you to configure a string such as a phone number or an IP address that is allowed to connect to the server, it can use pattern matching so that you can use partial information in order to define where the connection is coming from.
Configure the settings you want to allow and Click Apply
Day and time restrictions
The day and time restriction will allow you to limit when clients can access the server. If an attempt is made to connect to the server outside the allowed day/time then the request will be refused.
To enable and modify these restrictions click the checkbox and click Edit
Modify the allowed connection day/time and click Ok. Click Apply
NAS Port Type
Define the allowed NAS port types that will be used to connect to this server. Check all that apply, only the types checked will be allowed to connect.
We have completed configuring our VPN server and our connection policies. Clients can now connect.
Connecting to the VPN server
In this section we will use a Windows 7 machine to connect to our VPN server and test our connection to the Internal Network.
I have set up my local intranet page and I only allow my internal network of 192.168.100.1/24 to connect. I have set up IP restrictions so that this is enforced, and I have tested connecting to the web page from my web server's public IP address of 192.168.0.240
I am connecting to the web site from my Windows 7 workstation and I receive this error:
In order to connect to the Internal Resource I will have to connect to my VPN server to gain access to my intranet site and internal resources.
Configure VPN connection from Windows 7
Click Start
Type Network and Sharing in the search bar
Click Network and Sharing Center to open the link
Click set up a new connection or network
Select Connect to workplace
Click Next
Click Use my Internet Connection
Enter the IP address or DNS name of the VPN server
Give the connection a name (Destination Name)
Click Next
Enter Username, Password and Domain information
Click Connect
Connecting
I have connected successfully to my VPN server.
Now that we have connected, let's check to see that we have a proper internal IP address
Notice the PPP adapter shows that I have an IP address but no gateway. When setting up my VPN server I did not define a gateway, since I did not want people using the VPN connection to browse the Internet. However, with my default settings I cannot browse at all. We can fix this by modifying the VPN connection that we set up.
By disabling the gateway I can save bandwidth by forcing the client to use its own Internet connection to browse the Internet; this means the VPN connection is only used to connect to local resources.
Configure VPN client to NOT use remote gateway
First we will disconnect from the VPN. We do this by clicking the Network Connections icon in the task bar.
Click on MyDomain VPN Server and Click Disconnect
Right Click on the Connection
Click Properties
This will open the connection properties
Click on the Networking tab
Click on Internet Protocol Version 4 (TCP/IPv4)
Click Properties
Click Advanced
Remove the check for Use default gateway on remote network
Click Ok
Click Ok
Click Ok to close all the windows
Click the Network Connection Icon in the task menu
Click on the VPN connection
Click Connect
Enter the appropriate Information
Click Connect
Let's check our IP information now
Now we can see that there is no gateway listed.
Now that I have connected I need to access my work intranet site. Let's try to connect to our intranet site.
Open IE
Browse to http://192.168.100.100
I can now connect and see the Intranet Site!!!
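The client-side procedure above (clear "Use default gateway on remote network", reconnect, check the PPP adapter, open the intranet site) done from PowerShell on the Windows 7 client, as an added example that is not part of the original document. It edits the connection's entry in rasphone.pbk directly, which also lets it pin the client to MS-CHAP v2 and required encryption to match the server policy configured earlier. The phonebook keys used (IpPrioritizeRemote, RequireMsCHAP2, RequireMsCHAP, RequireCHAP, RequirePAP, RequireSPAP, DataEncryption) are standard entry settings; the entry name and intranet URL are constructed to match this document.

```powershell
# Added example, not from the original document: split-tunnel and authentication
# settings for a Windows 7 VPN entry, applied by editing rasphone.pbk, then a
# connection test with rasdial and ipconfig.

$entry    = 'MyDomain VPN Server'
$pbk      = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
$intranet = 'http://192.168.100.100'

# Settings to enforce in the [MyDomain VPN Server] section: no remote gateway,
# MS-CHAP v2 as the only password method, maximum-strength encryption required
# (DataEncryption=512).
$wanted = @{
    IpPrioritizeRemote = '0'
    RequireMsCHAP2     = '1'
    RequireMsCHAP      = '0'
    RequireCHAP        = '0'
    RequirePAP         = '0'
    RequireSPAP        = '0'
    DataEncryption     = '512'
}

function Set-PbkEntry([string]$path, [string]$name, [hashtable]$settings) {
    # Rewrite only keys inside the [name] section and keep the file's encoding
    # (rasphone.pbk may be UTF-16 with a BOM or ANSI).
    $bytes    = [IO.File]::ReadAllBytes($path)
    $encoding = if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { 'Unicode' } else { 'Default' }
    $inEntry  = $false
    $out = foreach ($line in (Get-Content $path)) {
        if ($line -match '^\[(.*)\]$') { $inEntry = ($matches[1] -eq $name) }
        elseif ($inEntry -and $line -match '^([^=]+)=(.*)$' -and $settings.ContainsKey($matches[1])) {
            $line = "$($matches[1])=$($settings[$matches[1]])"
        }
        $line
    }
    Set-Content -Path $path -Value $out -Encoding $encoding
}

rasdial $entry /disconnect | Out-Null        # the entry must not be connected while editing
Set-PbkEntry $pbk $entry $wanted

# "*" makes rasdial prompt for the password, so it never appears on the command line.
$user = Read-Host 'VPN user name (DOMAIN\user)'
rasdial $entry $user '*'

# Verify: address assigned, no default gateway on the PPP adapter, intranet answers.
$block = ipconfig | Select-String -SimpleMatch "PPP adapter $entry" -Context 0,6
if (-not $block) { throw "No PPP adapter for '$entry'; the connection did not come up." }
$block.Line; $block.Context.PostContext
$gw = ($block.Context.PostContext | Select-String 'Default Gateway') -replace '.*:\s*', ''
if ([string]::IsNullOrEmpty($gw)) {
    'No remote gateway: Internet traffic stays on the local connection.'
} else {
    Write-Warning "Remote gateway $gw is still set; the phonebook edit did not take effect."
}

try {
    (New-Object Net.WebClient).DownloadString($intranet) | Out-Null
    "Intranet $intranet reachable through the VPN."
} catch {
    Write-Warning "Intranet $intranet not reachable: $($_.Exception.Message)"
}
```

With IpPrioritizeRemote=0 the client only gets a route for the VPN server's subnet, so any other internal subnet you expect clients to reach needs a route handed to them (or added on the client) separately.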
This completes the section on setting up a test connection to the VPN server.
Setting up a Site-to-Site VPN connection
In this section we will work on setting up a site-to-site VPN connection.
VPN site-to-site connections can be used for connecting a branch office back to the primary office or for an offsite server to have an active connection back to the main site.
We will be using the VPN server we configured previously in this document as our primary site.
We will configure a secondary 2008 server to be our remote site.
Follow the steps outlined above to install the VPN service (pg 2-7) on the secondary VPN server.
You will only need to install Routing and Remote Access Services at this site:
NPS is not needed for this site since we will not be using this to allow remote connections
Routing is needed only if you intend to route traffic between the two remote networks.
Configure Remote Access Demand-Dial
Open Server Manager
Expand Roles
Expand Network Policy and Access Services
Click Routing and Remote Access (Left Frame)
Click More Actions (Right Frame)
Click Configure and Enable Routing and Remote Access
Routing and Remote Access Wizard
Click Next
Configuration This screen has several options to install a combination of services.
Click Custom Configuration
Click Next
Custom Configuration
Select Demand-dial connections
Click Next
Complete Install Wizard
Click Next
Start the Service
Click Start service
Service is starting
RRAS is Configured
Create Demand-Dial Interface
Right Click on Network Interfaces
Click New Demand-dial Interface
Demand-dial Interface Wizard
Click Next
Interface Name
Enter the name for this Interface
Click Next
Connection Type
Select Connect using virtual private networking (VPN)
Click Next
VPN Type
Select the VPN type you can use Automatic selection
Click Next
Destination Address
Enter the DNS name or Public IP of the VPN server
Click Next
Protocols and Security
Select: Route IP packets on this interface (for routing traffic between networks)
Select: Add a user account so a remote router can dial in
These settings are not needed for this connection
Click Next
Dial-Out Credentials
Create a secure user account on the remote VPN server
Enter the appropriate credentials
Click Next
Complete the Wizard
Click Finish
Once we have completed the Wizard we will have a new Interface. This interface will need to be configured.
Right Click the new Interface
Click Properties
MyDomain Connection Properties
Notice that by default ONLY IPv6 is enabled
If using IPv6 addressing then this connection should work.
Enable IPv4 Addressing
Since we are only using IPv4 in this demo we will uncheck IPv6 and check IPv4.
Enable all necessary protocols for this connection.
Create this as a Persistent connection
We will want this connection to maintain a persistent connection to our remote site.
Click Options tab
Change the Connection type from Demand-Dial to Persistent
Click Ok to close the Properties Window
Test the Connection
Right Click MyDomain Connection
Click Connect
You should now see that you are connected:
Success!!!!
Issue:
After creating a successful connection you will not be able to access some resources or ping the remote network. This is due to an issue with Windows Server 2008 R2 not adding the appropriate route statement.
Fix:
In the Routing and Remote Access Console, expand IPv4
Right Click Static Routes
Click New Static Route
Select the Demand-dial interface you created
Enter the Remote Network
Enter the Remote Network Mask
Check: Use this route to initiate demand-dial connections
Click Ok
Your Route should now be displayed in the static routes window
Test:
Open the Command Prompt and Ping Remote site IP address:
You can now access the resources from the remote network!
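The route from the "Fix" above, added with netsh on the secondary site's RRAS server and tested across the tunnel, as an added example that is not part of the original document. The interface name, remote network and test host are constructed to match the document (the primary site's private network 192.168.100.0/24 and the intranet server 192.168.100.100). The netsh routing ip add persistentroute syntax is the command behind the Static Routes node; that proto=static (as opposed to nondod) corresponds to the "Use this route to initiate demand-dial connections" checkbox is an assumption, so confirm the checkbox in the console afterwards.

```powershell
# Added example, not from the original document: add the missing static route for
# the demand-dial interface and verify reachability of the remote site.

$ifName     = 'MyDomain Connection'   # the demand-dial interface created above
$remoteNet  = '192.168.100.0'         # constructed: primary site's private network
$remoteMask = '255.255.255.0'
$testHost   = '192.168.100.100'       # constructed: intranet server at the primary site

# Bind the static route to the demand-dial interface. nhop=0.0.0.0 is what a
# point-to-point interface expects; traffic matching the route brings it up.
# proto=static is assumed to mean "may initiate demand-dial" (nondod would not).
netsh routing ip add persistentroute dest=$remoteNet mask=$remoteMask name="$ifName" nhop=0.0.0.0 proto=static metric=1

# Show the RRAS static routes for this interface and the resulting route table entry.
netsh routing ip show persistentroutes name="$ifName"
route print | Select-String -SimpleMatch $remoteNet

# Connectivity check through the tunnel.
if (Test-Connection -ComputerName $testHost -Count 2 -Quiet) {
    "Reached $testHost across the site-to-site VPN."
} else {
    Write-Warning "No reply from $testHost. Check the route above, that '$ifName' is connected, and that the remote host's firewall allows ICMP echo."
}
```

Traffic has to come back as well: the primary site's RRAS server needs a matching static route for the secondary site's private network pointing at its side of the connection, or replies from 192.168.100.100 will be sent to the primary site's default gateway instead of into the tunnel.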
Can we access our Intranet now?
You have successfully setup the Site-to-Site VPN using a Demand-dial access rule!