MCTS Self-Paced Training Kit (Exam 70-653): Managing and Configuring Remote Access in Windows Small Business Server 2008

  • 8/19/2009

Lesson 3: Managing a Virtual Private Network

Even though Remote Web Workplace is the preferred choice for remote access to the Windows Small Business Server network and its resources, in some cases virtual private network (VPN) access is required. A VPN connection uses encryption and tunneling to transfer data from a remote computer across the Internet to the VPN server, in this case the server running Windows Small Business Server. The virtual private network is considered an extension of the private Windows Small Business Server network across a public network such as the Internet.

In the past, VPNs were used for secure remote access connections across the Internet to negate the cost of dedicated dial-up or leased lines without sacrificing privacy. Most tasks that are performed by remote users can now be easily and securely handled by Remote Web Workplace.

Nevertheless, you still have the option to enable and use VPN access in Windows SBS 2008, which provides several protocol choices for a VPN: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol with Internet Protocol Security (L2TP/IPSec), and Secure Socket Tunneling Protocol (SSTP). By default, Windows Small Business Server uses PPTP.

One of the benefits of using PPTP is that it does not require a certificate for remote access and still provides a good level of security that is acceptable to most organizations.

  • Estimated lesson time: 75 minutes

Configuring a Virtual Private Network

In Windows SBS 2008, you can enable or disable a virtual private network from the Windows SBS Console. Click the Network tab, click the Connectivity tab, and then click Configure A Virtual Private Network in the task pane. The Set Up Virtual Private Networking Wizard opens and offers two choices:

  • Allow Users To Connect To The Server By Using A VPN

  • Do Not Allow Users To Connect To The Server By Using A VPN

If the router is Universal Plug and Play (UPnP) enabled, the wizard will configure the server and the router. If the router is not UPnP enabled, you must manually configure the ports.

The Set Up Virtual Private Networking Wizard enables the Routing and Remote Access service and sets up PPTP using TCP port 1723 and Generic Routing Encapsulation (GRE), IP protocol 47. Table 5-1 lists commonly used ports and protocols for VPNs.

PPTP by itself creates, maintains, and disconnects a virtual private network between two end points (hence the term “tunnel”), but it does not encrypt the data. PPTP allows multiprotocol traffic to be encrypted; therefore, GRE is used to encapsulate the data, or payload, in a secure manner, and then the payload is encapsulated in an IP header that is sent across the internetwork connection. Often, small office and home office (SOHO) routers offer an option for VPN pass-through. Because these routers do not support VPN end points, they can be configured to pass through GRE packets.

In some cases, certain organizations cannot use PPTP for VPN connectivity. Instead, they must configure an L2TP/IPSec VPN connection. L2TP/IPSec VPNs are supported in Windows SBS 2008 but must be configured manually. The L2TP/IPSec VPN uses UDP ports 500 and 4500 and IP protocol 50, and uses Internet Key Exchange (IKE) with preshared or public keys for authentication. Considerations for working with L2TP/IPSec VPNs are beyond the scope of this chapter, so for more information, see the article titled “Virtual Private Networks” at Microsoft TechNet (http://technet.microsoft.com/en-us/network/bb545442.aspx).

Table 5-1 Commonly Used VPN Ports and Protocols

  • Point-to-Point Tunneling Protocol (PPTP): PPTP establishes the session and uses TCP port 1723 to create and maintain the connections between the VPN client and VPN server.

  • Generic Routing Encapsulation (GRE): GRE is used to encapsulate the data, and IP protocol 47 is used to send the data.

  • Layer 2 Tunneling Protocol/Internet Protocol Security (L2TP/IPSec): L2TP uses UDP port 1701 to negotiate and establish the L2TP tunnel, and UDP port 500 (IKE) and UDP port 4500 (IPSec NAT-T) to create the connection.

  • IP Protocol ID 50: IP protocol 50 is used to send Encapsulating Security Payload (ESP) traffic.

  • Secure Socket Tunneling Protocol (SSTP): SSTP uses HTTPS over TCP port 443.

The VPN is not enabled during the Windows SBS 2008 installation. You must first configure a valid Internet address using the Internet Address Management Wizard (on the Windows SBS Console home page) before you can enable a VPN.

Configure Access to the Virtual Private Network

By default, all users assigned the Network Administrator role in Windows SBS 2008 have VPN access permissions. You must assign VPN access permissions for other users. You can assign permissions in two ways in the Windows SBS Console:

  • Click the Users And Groups tab, click the Users tab, and then click the user account you want to configure. Click Edit User Account Properties in the task pane, and then click the Remote Access link. In the right pane, select the User Can Access Virtual Private Network option to add the user account to the Windows SBS Virtual Private Network Users security group and clear this option to remove the account from the security group.

  • Click the Network tab, click the Connectivity tab, and then click Virtual Private Network. In the task pane, click View Virtual Private Network Properties. In the General Properties dialog box, click Modify to open the Change Group Membership dialog box. In this dialog box, you can select which users and groups to add to the Windows SBS Virtual Private Network Users security group and which to remove.

In both cases the users or groups are added to or removed from the preconfigured Windows SBS Virtual Private Network Users security group in Active Directory.

Manage Routing and Remote Access

By default, when you run the Set Up Virtual Private Networking Wizard, Windows SBS 2008 is configured to enable five PPTP VPN ports. This can cause a problem on a network where, for instance, 20 users try to connect over the VPN at the same time! You can reconfigure this setting in the Routing And Remote Access console. You can open the Routing And Remote Access console by clicking Start, pointing to Administrative Tools, and clicking Routing And Remote Access, or by clicking Start and typing rrasmgmt.msc in the Start Search box.

Adding VPN Ports

You can add an unlimited number of VPN ports in Routing And Remote Access. Expand the Server node, right-click the Ports node, and then click Properties. There you can see a list of all the Routing And Remote Access devices (Point-to-Point Protocol over Ethernet (PPPoE), PPTP, L2TP, and SSTP). Select the WAN Miniport (PPTP) option, and then click Configure to open the Configure Device–WAN Miniport (PPTP) dialog box. In this dialog box, you can increase the number of ports available for remote access.

Assigning IP Addresses

When the remote client initiates the connection with the server running Windows SBS 2008, it creates a virtual interface and requests an IP address from the server. By default, the server grabs five Dynamic Host Configuration Protocol (DHCP) address leases. Five PPTP ports are enabled on the server running Windows Small Business Server, as shown in Figure 5-12. When a remote client connects to the server, an IP address from the available pool is assigned using the Internet Protocol Control Protocol (IPCP), as shown in Figure 5-13.

Figure 5-12 The server grabs five IP addresses for lease to remote clients.

Figure 5-13 The port status in Routing And Remote Access, which reveals that the client was assigned an IP address that was set aside in the Remote Access Service (RAS) DHCP pool.

The Network Policy Server (NPS) manages the network policy for VPN access as well as connection request authentication and connection request authorization in Windows SBS 2008, as shown in Figure 5-14. You can open the Network Policy Server by clicking Start, pointing to Administrative Tools, and clicking Network Policy Server, or by clicking Start and typing nps.msc in the Start Search box. A fuller description of NPS is beyond the scope of this training kit, but for more information you can visit http://www.microsoft.com/nps.

Figure 5-14 The Network Policy Server (NPS) in Windows SBS 2008 is preconfigured to manage connection requests and authorization.

The Windows Firewall with Advanced Security rules are configured by default when enabling the VPN in Windows Small Business Server. You can access the firewall rules by clicking Start and typing wf.msc in the Start Search box or by clicking Start, pointing to Administrative Tools, and clicking Windows Firewall With Advanced Security. One of the many rules that is configured is the Routing And Remote Access (PPTP-In) rule, which defines the port number for Point-to-Point Tunneling Protocol (PPTP) traffic and enables Windows Firewall with Advanced Security to filter connections based on the rule criteria, as shown in Figure 5-15. The informational notice in the General tab states that this is a predefined rule and some of its properties cannot be modified. You cannot modify the port number; however, you can modify which user accounts and computers are authorized to connect, and you can configure a scope of local and remote addresses for the firewall rule if needed. If you use the Set Up Virtual Private Networking Wizard, you should not have to open the Windows Firewall with Advanced Security (or Routing And Remote Access and NPS, for that matter), but it is good to know that you can fine-tune VPN access using the native Windows tools if so desired.

Figure 5-15 One of many predefined rules in Windows Firewall with Advanced Security
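The following PowerShell script audits the four things this section and the earlier Configure Access and Manage Routing and Remote Access sections describe: the Routing and Remote Access service state, the predefined PPTP-In firewall rule, the number of configured PPTP ports, and the membership of the Windows SBS Virtual Private Network Users group. It is an added example, not code from the training kit; it assumes the default names used in the text and that the PPTP port count is stored in the WanEndpoints registry value under the WAN Miniport (PPTP) class key.

```powershell
# Added example (not from the training kit): audit the PPTP VPN posture that the
# Set Up Virtual Private Networking Wizard configures. Run from an elevated
# PowerShell prompt on the server running Windows SBS 2008.
$GroupName    = 'Windows SBS Virtual Private Network Users'   # default group from the text
$FirewallRule = 'Routing and Remote Access (PPTP-In)'          # predefined rule from the text

# 1. Is Routing and Remote Access running? (The wizard enables it; Exercise 6 disables it.)
$rras = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteAccess'"
"RRAS service: state={0} startmode={1}" -f $rras.State, $rras.StartMode

# 2. Is the predefined PPTP-In rule enabled? It admits TCP 1723; GRE (IP protocol 47)
#    is passed to RRAS once the control connection is established.
$ruleText = netsh advfirewall firewall show rule name="$FirewallRule"
if ($ruleText -match 'Enabled:\s+Yes') {
    "Firewall rule enabled: $FirewallRule"
} else {
    "WARNING: rule '$FirewallRule' is missing or disabled; clients cannot reach TCP 1723"
}

# 3. How many PPTP ports exist? The wizard creates five; the Ports node raises it.
#    Assumption: the count is the WanEndpoints value under the WAN Miniport (PPTP) key.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
Get-ChildItem $classKey -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ($p.DriverDesc -eq 'WAN Miniport (PPTP)') {
        "PPTP ports configured: $($p.WanEndpoints)"
    }
}

# 4. Who may connect? Members of the security group that the console manages.
$root   = [ADSI]'LDAP://RootDSE'
$domain = [ADSI]"LDAP://$($root.defaultNamingContext)"
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = $domain
$search.Filter     = "(&(objectClass=group)(cn=$GroupName))"
$group = $search.FindOne()
if ($group -eq $null) { "Group '$GroupName' not found"; return }
"Members of '$GroupName':"
foreach ($dn in $group.Properties['member']) {
    $m = [ADSI]"LDAP://$dn"
    "  $($m.sAMAccountName)  ($dn)"   # nested groups are listed but not expanded
}
```

Compare the listed members with the people who actually need VPN access; anyone else can be removed through either console path described above.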

Configure Clients for the Virtual Private Network

You can configure client computers running Windows XP and Windows Vista for access to the Windows SBS 2008 virtual private network. This is a straightforward process that is documented in each operating system’s Help files.

For step-by-step instructions, see the article titled “Set Up a VPN on Client Computers” at the Windows Small Business Server TechCenter (http://technet.microsoft.com/en-us/library/cc513974.aspx).

Practice: Configuring a Virtual Private Network

Exercise 1 Enable a Virtual Private Network

In this exercise, you enable a VPN.

  1. Open the Windows SBS Console.

  2. On the navigation bar, click the Network tab, and then click the Connectivity tab.

  3. Click Configure A Virtual Private Network in the task pane to open the Set Up Virtual Private Networking Wizard.

  4. Click Allow Users To Connect To The Server By Using A VPN. The wizard enables the Routing and Remote Access service, configures the router (if it is UPnP enabled), and sets up a PPTP VPN.

  5. When the wizard finishes, click Finish.

Exercise 2 Set Up a VPN on a Computer Running Windows XP

Perform this exercise only if you are using a client computer that runs Windows XP.

  1. On the computer running Windows XP, confirm that the connection to the Internet is correctly configured.

  2. Click Start, and then click Control Panel.

  3. In Control Panel, double-click Network Connections.

  4. Click Create A New Connection.

  5. On the Network Connection Wizard Welcome page, click Next.

  6. On the Network Connection Type page, click Connect To The Network At My Workplace, and then click Next.

  7. On the Network Connection page, click Virtual Private Network Connection, and then click Next.

  8. On the Connection Name page, type a descriptive name for the connection, and then click Next.

  9. On the Public Network page, click Do Not Dial The Initial Connection, and then click Next.

  10. On the VPN Server Selection page, type the IP address of the computer that you want to connect to (192.168.0.2 or the external IP address in the real world), and then click Next.

  11. Select the Add A Shortcut To This Connection To My Desktop check box if you want to create a shortcut on the desktop, and then click Finish.

  12. If you are prompted to connect, click No.

  13. In the Network Connections window, right-click the new connection, and then click Properties.

  14. Click the Options tab, and then click the Include Windows Logon Domain option to specify that you want to request Windows logon domain information before you try to connect.

Exercise 3 Set Up a VPN on a Computer Running Windows Vista

Perform this exercise only if you have a client computer that runs Windows Vista.

  1. On the computer that is running Windows Vista, confirm that the connection to the Internet is correctly configured.

  2. Click Start, and then click Control Panel.

  3. In Control Panel, click Network And Internet, and click Network And Sharing Center.

  4. Click Set Up A Connection Or Network.

  5. Click Connect To A Workplace, and then click Next. Select No, Create A New Connection, and then click Next.

  6. Type the user name KIMA and password Pa$$w0rd in the text boxes, click Create, and then click Close.

Exercise 4 Configure Permissions for a Virtual Private Network Connection

In this exercise, you configure access permissions for users. Switch to the server running Windows SBS 2008 for this exercise, which has the Windows SBS Console open.

  1. On the navigation bar, click Users And Groups, and then click the Users tab.

  2. Double-click the Kim Akers user account, and click the Remote Access link on the Kim Akers Properties page.

  3. Select the User Can Access Virtual Private Network check box, and click OK. This action adds Kim Akers to the Windows SBS Virtual Private Network Users security group.

  4. On the navigation bar, click the Network tab, click the Connectivity tab, and then right-click VPN Connection.

  5. Click View Virtual Private Network Properties. On the General Properties page, click Modify.

  6. Select Mu Han and Don Richardson in the left pane, and then click Add. You can add multiple user accounts at once to the Windows SBS Virtual Private Network Users group. Click OK, and then click OK again.

Exercise 5 Use the Virtual Private Network Connection

To use the VPN connection, switch to the non-domain-joined client computer and complete this exercise.

  1. To start a VPN connection, click Start, point to Connect To, and then click the new connection. (If you added a connection shortcut to the desktop, double-click the shortcut on the desktop.)

  2. If you are not currently connected to the Internet, Windows on the client computer offers to connect to the Internet.

  3. After your computer connects to the Internet, the VPN server prompts you for the user name and password. Type the user name KIMA and password P@ssw0rd, and then click Connect. Close the window.

  4. You can now access network resources the same way you do when you are connected directly to the local area network.

  5. Open the command prompt and type ipconfig /all, and find the IP address assigned to the client computer using the PPP adapter VPN connection.

  6. Switch to the server running Windows SBS 2008, click Start, and type rrasmgmt.msc in the Start Search box to open Routing And Remote Access.

  7. Expand the server node, and then click the Remote Access Clients node. You should see Contoso\Kima listed as a remote access client. Right-click Contoso\Kima, and click Status. Under Network Registration you will see the assigned IP address listed. Here you could also reset the connection or disconnect the remote access client. Close Routing And Remote Access.

  8. To disconnect from the VPN, switch back to the client computer. Click Start, point to Connect To, and click Disconnect in the Connect To A Network dialog box.

Exercise 6 Disable a Virtual Private Network Connection

In this exercise, you disable a virtual private network connection.

  1. In the Windows SBS Console, on the navigation bar, click the Network tab, and then click the Connectivity tab.

  2. Click Configure A Virtual Private Network in the task pane to open the Set Up Virtual Private Networking Wizard.

  3. Click Do Not Allow Users To Connect To The Server By Using A VPN. This causes the wizard to disable the Routing and Remote Access service, close port 1723 on the router (if it is UPnP enabled), and remove the VPN configuration.

  4. When the wizard finishes disabling the VPN, click Finish.