RE: Secure VPN access



Hi Susantha,

Thank you for posting in SBS newsgroup.

From the description, do you mean you want to create a VPN between SBS and a
few laptops? If so, PPTP VPN is secure for the scenario.

Currently, I provide some general steps below to configure VPN access in an
SBS environment:

1. Run CEICW, follow the wizard and select Enable firewall and then make
sure Virtual Private Networking (VPN) is selected in the Services
Configuration page. And make sure you have typed the public FQDN of the SBS
server on the Web Server Certificate page.
2. Run Remote Access Wizard in Server Management\Internet and
E-mail\Configure Remote Access, and select VPN access in the Remote Access
Method page. After finishing this wizard, RRAS is configured to allow
inbound VPN access, and it can assign IP addresses to the VPN clients by
using DHCP.

Note: When we run the remote access wizard to set up the VPN service, we
need to input the public IP address or the public FQDN of the SBS server.
We need to make sure that the address can be accessed from the internet.

3. On the VPN client, go to https://publicFQDN/remote, clear I'm using a
public or shared computer, log in and download Connection Manager.
4. Install Connection Manager on the VPN client.
5. Is there a hardware router installed in front of the SBS server? If so,
ensure that port forwarding for TCP 1723 and the GRE port (protocol number
47) is opened. PPTP VPN negotiates a connection on TCP port 1723 and
sends data to and from the PPTP server using the GRE protocol (IP Protocol
47, 0x2F if you are looking in Network Monitor). You should open port 1723
on the router and also make sure IP Protocol 47 is allowed.

For detailed information, you can refer to the following KB articles:

323441 How To Install and Configure a Virtual Private Network Server in
Windows
http://support.microsoft.com/?id=323441

305550 How to configure a VPN connection to your corporate network in
Windows
http://support.microsoft.com/?id=305550

For PPTP and IPSec, as far as I know, PPTP is comparatively less secure than L2TP
because L2TP does per-packet authentication and integrity checks using
IPSec. But PPTP is easy to deploy.

L2TP/IPSec and PPTP are similar in the following ways:

- They provide a logical transport mechanism to send PPP frames.
- They provide tunneling or encapsulation so that PPP frames based on any
protocol can be sent across an IP network.
- They rely on the PPP connection process to perform user authentication,
typically using a user name and password, and protocol configuration.

L2TP/IPSec and PPTP are different in the following ways:

- With PPTP, data encryption begins after the PPP connection process (and,
therefore, PPP authentication) is completed. With L2TP/IPSec, data
encryption begins before the PPP connection process, so that the user
authentication process is encrypted.
- PPTP connections use MPPE, which uses the Rivest-Shamir-Adleman (RSA)
RC4 encryption algorithm and 40, 56, or 128-bit encryption keys.
L2TP/IPSec connections use the Data Encryption Standard (DES) algorithm,
which uses either a 56-bit key for DES or three 56-bit keys for Triple DES
(3DES). Block ciphers encrypt data in discrete blocks (64-bit blocks, in
the case of DES). Microsoft L2TP/IPSec VPN Client supports only DES
encryption.
- PPTP connections require only user-level authentication through a
PPP-based authentication protocol. L2TP/IPSec connections require two
levels of authentication. To create the IPSec security associations (SAs)
to protect the L2TP-encapsulated data, an L2TP/IPSec client must perform a
computer-level authentication with a certificate or a pre-shared key. After
the IPSec SAs are successfully created, the L2TP portion of the connection
performs the same user-level authentication as PPTP.

You can also refer to the following links:

http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet_102005.mspx

http://www.microsoft.com/technet/community/chats/trans/windowsnet/050217_tn_ws03.mspx

Administrator's Guide to Microsoft L2TP/IPSec VPN Client
http://www.microsoft.com/technet/prodtechnol/windows2000serv/support/vpnclientag.mspx

How VPN Works
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6e2e7206-de85-45bf-89fa-634a67be3708.mspx

Related information:

812076 HOW TO: Enable a Cisco IPSec VPN Client to Connect to a Cisco VPN
http://support.microsoft.com/?id=812076

Establishing an IPSec site-to-site tunnel between an ISA 2004 Firewall and
a D-Link DI-804HV IPSec VPN Router
http://www.isaserver.org/articles/2004isadlink.html

http://www.microsoft.com/ntserver/ProductInfo/faqs/PPTPfaq.asp

Hope it helps.

I appreciate your time and look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Reply-To: "susantha silva" <susanthasilva@xxxxxxxxxxx>
| From: "susantha silva" <susanthasilva@xxxxxxxxxxx>
| Subject: Secure VPN access
| Date: Tue, 24 Jan 2006 12:51:07 -0000
| Newsgroups: microsoft.public.windows.server.sbs
|
| I want to implement VPN connections to a few laptops used by one of my
| client's staff. They are also very concerned about security. I know in SBS
| by default you get the PPTP connection. But I want to know if this is secure.
| What about the IPSec option; is that more secure than PPTP? If so,
| how do I implement it on the SBS server side and on the client machines?
| (Svr= SBS 2003, clients= Windows XP Pro) no ISA.
| Can anyone give me some idea to solve this matter? Thanks in advance for
| any information.
|
| Regards,
|
| Susantha
|
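Step 5 of the reply says the router must pass TCP 1723, on which PPTP negotiates its control connection. The script below, an added example that is not part of the original newsgroup thread and not Microsoft code, lets an administrator confirm that forwarding from outside: it builds the PPTP Start-Control-Connection-Request (SCCRQ) and decodes the server's Start-Control-Connection-Reply (SCCRP) using the 156-byte layout from RFC 2637. The function names (build_sccrq, parse_sccrp, probe_pptp, sample_sccrp) are my own, and the offline sample reply with hostname "sbs-server" and vendor "Microsoft" is constructed, not a capture. A successful SCCRP only proves TCP 1723 reaches RRAS; GRE (IP protocol 47) still has to be checked with a real tunnel.

```python
"""Verify that a PPTP control channel (TCP 1723) is reachable and answers.

Added example, not from the original post. Message layout follows RFC 2637:
SCCRQ and SCCRP are both 156 bytes, big-endian, with a fixed magic cookie.
"""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1           # PPTP Message Type: control message
SCCRQ = 1                  # Control Message Type: Start-Control-Connection-Request
SCCRP = 2                  # Control Message Type: Start-Control-Connection-Reply
PROTOCOL_VERSION = 0x0100  # PPTP version 1.0
MSG_LEN = 156

RESULT_CODES = {
    1: "successful channel establishment",
    2: "general error",
    3: "command channel already exists",
    4: "requester is not authorized",
    5: "unsupported protocol version",
}

# length, msg type, cookie, ctrl type, reserved0, version, reserved1,
# framing caps, bearer caps, max channels, firmware rev, hostname, vendor
_SCCRQ_FMT = ">HHIHHHHIIHH64s64s"
# as above, but reserved1 is replaced by result code + error code (1 byte each)
_SCCRP_FMT = ">HHIHHHBBIIHH64s64s"


def build_sccrq(hostname: bytes = b"vpn-check", vendor: bytes = b"example") -> bytes:
    """Encode an SCCRQ advertising async+sync framing and analog+digital bearers."""
    return struct.pack(_SCCRQ_FMT, MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0,
                       PROTOCOL_VERSION, 0, 0x3, 0x3, 0, 0,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def parse_sccrp(data: bytes) -> dict:
    """Decode an SCCRP; raise ValueError if it is not a well-formed PPTP reply."""
    if len(data) < MSG_LEN:
        raise ValueError(f"short reply: {len(data)} bytes")
    (length, msg_type, cookie, ctrl_type, _res0, version, result, error,
     framing, bearer, max_chan, firmware, host, vendor) = struct.unpack(
        _SCCRP_FMT, data[:MSG_LEN])
    if cookie != MAGIC_COOKIE or msg_type != CTRL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError(f"unexpected control message type {ctrl_type}")
    return {
        "length": length,
        "version": f"{version >> 8}.{version & 0xFF}",
        "result": RESULT_CODES.get(result, f"unknown ({result})"),
        "error_code": error,
        "framing": framing,
        "bearer": bearer,
        "max_channels": max_chan,
        "firmware": firmware,
        "hostname": host.rstrip(b"\0").decode(errors="replace"),
        "vendor": vendor.rstrip(b"\0").decode(errors="replace"),
    }


def probe_pptp(host: str, timeout: float = 5.0) -> dict:
    """Open TCP 1723 to the public FQDN, send an SCCRQ and return the parsed SCCRP."""
    with socket.create_connection((host, PPTP_PORT), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < MSG_LEN:
            chunk = s.recv(MSG_LEN - len(buf))
            if not chunk:
                raise ValueError("server closed the connection without an SCCRP")
            buf += chunk
    return parse_sccrp(buf)


def sample_sccrp() -> bytes:
    """A constructed SCCRP (not a real capture) so the parser can be exercised offline."""
    return struct.pack(_SCCRP_FMT, MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0,
                       PROTOCOL_VERSION, 1, 0, 0x1, 0x1, 1, 0,
                       b"sbs-server".ljust(64, b"\0"),
                       b"Microsoft".ljust(64, b"\0"))


if __name__ == "__main__":
    import sys
    # Usage: python pptp_check.py <public FQDN>; with no argument the sample reply is decoded.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    reply = probe_pptp(target) if target else parse_sccrp(sample_sccrp())
    for key, value in reply.items():
        print(f"{key:13} {value}")
```

Run it from a machine outside the office network against the public FQDN entered in the Remote Access Wizard; a result of "successful channel establishment" means the router is forwarding TCP 1723 to RRAS, while a timeout or reset points at the router or ISP rather than at the SBS configuration.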
