Re: Secure VPN access
- From: v-crinal@xxxxxxxxxxxxxxxxxxxx ("Crina Li")
- Date: Thu, 26 Jan 2006 05:55:48 GMT
Hi Susantha,
Thanks for your update.
You may refer to the following articles for information about deploying
L2TP VPN:
324258 HOW TO: Configure a Preshared Key for Use with Layer 2 Tunneling
Protocol Connections in Windows Server 2003
http://support.microsoft.com/?id=324258
818754 White Paper: Virtual Private Networking with Windows Server 2003:
Overview
http://support.microsoft.com/?id=818754
L2TP-based remote access VPN deployment
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/fe8e1d66-959c-476e-8b8f-6b44d511c825.mspx
Computer certificates for L2TP/IPSec VPN connections
http://technet2.microsoft.com/WindowsServer/en/Library/222d5646-4e81-4efb-af6e-616e9cd3f7db1033.mspx
Virtual Private Networking with Windows Server 2003: Deploying Remote
Access VPNs
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx
Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/rmotevpn.mspx
I just wanted to stress the following:
To use L2TP in Windows Server 2003, you must have a public key
infrastructure (PKI) to issue computer certificates to the VPN server and
to clients so that the IKE authentication process can occur.
With Windows Server 2003, although you can use a preshared key for IKE
authentication, we don't encourage the use of preshared keys, because it is
a less secure method of authentication than certificates. Preshared keys
are not meant to replace the use of certificates; instead, preshared keys
are another method for testing and internal operations.
In order to create an L2TP/IPSec connection using the computer certificate
authentication method, you must install a certificate in the local computer
certificate store on the VPN client and VPN server computer. To install a
computer certificate, a certification authority must be present to issue
certificates. Once the certification authority is configured, you can
install a certificate in three different ways:
- By configuring the automatic enrollment, or auto-enrollment, of computer
certificates to computers in a Windows Server 2003 domain.
- By using the Certificates snap-in to obtain a computer certificate.
- By using your browser to connect to the CA Web enrollment pages to
install a certificate on the local computer or to a floppy disk for
installation on another computer, such as a user's home computer.
Please note that the autoenrollment of remote access clients with the
appropriate certificate requires the creation and usage of a Version 2
certificate template. Version 2 certificates are not available on or
distributable by Windows Server 2003, Standard Edition, but they are
distributable by Windows Server 2003, Enterprise Edition. SBS 2003 is built
on Windows Server 2003 Standard Edition, therefore, version 2 certificates
are not supported.
You can add an additional member server running Windows Server 2003
Enterprise as the CA server, so that you can allow for autoenrollment. Or
else you have to enroll certificates through the Web enrollment method.
Windows 98 does not support virtual private networking (VPN) protocols,
like Internet Protocol security (IPSec) or Layer 2 Tunneling Protocol
(L2TP). You should install the Microsoft L2TP/IPSec VPN Client at:
Microsoft L2TP/IPSec VPN Client
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
Hope this helps.
Please feel free to let me know if you have any questions or if you need
further assistance.
I'm looking forward to hearing from you.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Reply-To: "susantha silva" <susanthasilva@xxxxxxxxxxx>
| From: "susantha silva" <susanthasilva@xxxxxxxxxxx>
| Subject: Re: Secure VPN access
| Date: Wed, 25 Jan 2006 09:11:51 -0000
| Newsgroups: microsoft.public.windows.server.sbs
|
| Hi Crina Li,
|
| Thanks for the information and informing via Hotmail. Really appreciate all
| your work. Is there any document or guidance about configuring IPSec
| in SBS server side and in client side? I heard about creating a GPO for this
| and implementing it. Can it be done like this? As I'm aware, these laptops
| are going to be used in the office and home and no other machines are going to
| get the VPN options, so can I trust them at least at MAC address level for
| security purposes? If so, where do I have to enter those details? I'm going
| to use a D-Link DFL700 hardware firewall but want to see the options
| available in Microsoft SBS server side also.
|
| Regards,
|
| Susantha
|
| "Crina Li" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:CsOGG$XIGHA.1240@xxxxxxxxxxxxxxxxxxxxxxxx
| > Hi Susantha,
| >
| > Thank you for posting in SBS newsgroup.
| >
| > From the description, do you mean you want to create VPN between SBS and a
| > few laptops? If so, PPTP VPN is secure for the scenario.
| >
| > Currently, I provide some general steps below to configure VPN access on an
| > SBS environment:
| >
| > 1. Run CEICW, follow the wizard and select Enable firewall and then make
| > sure Virtual Private Networking (VPN) is selected in the Services
| > Configuration page. And make sure you have typed the public FQDN of the SBS
| > server on the Web Server Certificate page.
| > 2. Run Remote Access Wizard in Server Management\Internet and
| > E-mail\Configure Remote Access, and select VPN access in the Remote Access
| > Method page. After finishing this wizard, RRAS is configured to allow
| > inbound VPN access, and it can assign IP addresses to the VPN clients by
| > using DHCP.
| >
| > Note: When we run the remote access wizard to set up the VPN service, we
| > need to input the public IP address or the public FQDN of the SBS server.
| > We need to make sure that the address can be accessed from the internet.
| >
| > 3. On the VPN client, go to https://publicFQDN/remote, clear I'm using a
| > public or shared computer, log in and download Connection Manager.
| > 4. Install Connection Manager on the VPN client.
| > 5. Is there a hardware router installed in front of the SBS server? If so,
| > ensure that the port forwarding for TCP 1723 and GRE port (protocol number
| > 47) is opened. PPTP VPN negotiates a connection on TCP port 1723 and
| > sends data to and from the PPTP server using the GRE protocol (IP Protocol
| > 47, 0x2F if you are looking in Network Monitor). You should open port 1723
| > on the router and also make sure IP Protocol 47 is allowed.
| >
| > For detailed information, you can refer to the following KB articles:
| >
| > 323441 How To Install and Configure a Virtual Private Network Server in
| > Windows
| > http://support.microsoft.com/?id=323441
| >
| > 305550 How to configure a VPN connection to your corporate network in
| > Windows
| > http://support.microsoft.com/?id=305550
| >
| > For PPTP and IPSec, as far as I know, PPTP is comparatively less secure than
| > L2TP because L2TP does per-packet authentication and integrity check using
| > IPSec. But PPTP is easy to deploy.
| >
| > L2TP/IPSec and PPTP are similar in the following ways:
| >
| > - They provide a logical transport mechanism to send PPP frames.
| > - They provide tunneling or encapsulation so that PPP frames based on any
| > protocol can be sent across an IP network.
| > - They rely on the PPP connection process to perform user authentication,
| > typically using a user name and password, and protocol configuration.
| >
| > L2TP/IPSec and PPTP are different in the following ways:
| >
| > - With PPTP, data encryption begins after the PPP connection process (and,
| > therefore, PPP authentication) is completed. With L2TP/IPSec, data
| > encryption begins before the PPP connection process, so that the user
| > authentication process is encrypted.
| > - PPTP connections use MPPE, which uses the Rivest-Shamir-Adleman (RSA)
| > RC4 encryption algorithm and 40, 56, or 128-bit encryption keys.
| > L2TP/IPSec connections use the Data Encryption Standard (DES) algorithm,
| > which uses either a 56-bit key for DES or three 56-bit keys for Triple DES
| > (3DES). Block ciphers encrypt data in discrete blocks (64-bit blocks, in
| > the case of DES). Microsoft L2TP/IPSec VPN Client supports only DES
| > encryption.
| > - PPTP connections require only user-level authentication through a
| > PPP-based authentication protocol. L2TP/IPSec connections require two
| > levels of authentication. To create the IPSec security associations (SAs)
| > to protect the L2TP-encapsulated data, an L2TP/IPSec client must perform a
| > computer-level authentication with a certificate or a pre-shared key. After
| > the IPSec SAs are successfully created, the L2TP portion of the connection
| > performs the same user-level authentication as PPTP.
| >
| > You can also refer to the following links:
| >
| > http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet_102005.mspx
| >
| > http://www.microsoft.com/technet/community/chats/trans/windowsnet/050217_tn_ws03.mspx
| >
| > Administrator's Guide to Microsoft L2TP/IPSec VPN Client
| > http://www.microsoft.com/technet/prodtechnol/windows2000serv/support/vpnclientag.mspx
| >
| > How VPN Works
| > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6e2e7206-de85-45bf-89fa-634a67be3708.mspx
| >
| > Regarding information:
| >
| > 812076 HOW TO: Enable a Cisco IPSec VPN Client to Connect to a Cisco VPN
| > http://support.microsoft.com/?id=812076
| >
| > Establishing an IPSec site-to-site tunnel between an ISA 2004 Firewall and
| > a D-Link DI-804HV IPSec VPN Router
| > http://www.isaserver.org/articles/2004isadlink.html
| >
| > http://www.microsoft.com/ntserver/ProductInfo/faqs/PPTPfaq.asp
| >
| > Hope it helps.
| >
| > I appreciate your time and look forward to hearing from you.
| >
| > Best regards,
| >
| > Crina Li (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | Reply-To: "susantha silva" <susanthasilva@xxxxxxxxxxx>
| > | From: "susantha silva" <susanthasilva@xxxxxxxxxxx>
| > | Subject: Secure VPN access
| > | Date: Tue, 24 Jan 2006 12:51:07 -0000
| > | Newsgroups: microsoft.public.windows.server.sbs
| > |
| > | I want to implement VPN connections to a few laptops used by one of my
| > | client's staff. They are very concerned about the security also. I know in
| > | SBS by default you get the PPTP connection. But I want to know if this is
| > | secure. What about the IPSec option, is that more secure than the PPTP? If
| > | so, how to implement it on the SBS server side and in the client machines
| > | sides? (Svr= SBS 2003, clients= Windows XP Pro) no ISA.
| > | Can anyone give me some idea to solve this matter. Thanks in advance for
| > | any information.
| > |
| > | Regards,
| > |
| > | Susantha
| > |
| >
|
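The thread above contrasts PPTP (TCP 1723 control channel plus GRE, IP protocol 47, MPPE/RC4 encryption) with L2TP/IPSec (IKE computer-level authentication, then PPP user-level authentication inside the IPSec SA). The following is an added example, not code from the newsgroup posts or from Microsoft: a small Python script that reads a perimeter firewall flow log and reports, per remote client, which of the two tunnel types it is using, so an administrator can confirm that the laptops really ended up on L2TP/IPSec rather than falling back to PPTP. The PPTP port and protocol numbers are the ones given in the thread; the L2TP/IPSec numbers (IKE on UDP 500, IPSec NAT traversal on UDP 4500, L2TP on UDP 1701, ESP as IP protocol 50) are standard IANA assignments added here. The log format and the log lines are constructed for the example.

```python
"""Classify VPN tunnel traffic seen at the perimeter (added example, not from the thread).

PPTP numbers (TCP 1723 control, GRE = IP protocol 47 data) are from the thread.
L2TP/IPSec numbers are standard IANA assignments added here:
IKE UDP 500, NAT-T UDP 4500, L2TP UDP 1701, ESP = IP protocol 50.
"""
import re
from collections import defaultdict

# Constructed sample in a simple key=value flow-log style (not a real device format).
SAMPLE_LOG = """\
2006-01-25T09:00:01 proto=tcp src=203.0.113.10 dst=198.51.100.5 dport=1723
2006-01-25T09:00:02 proto=gre src=203.0.113.10 dst=198.51.100.5
2006-01-25T09:00:05 proto=udp src=203.0.113.20 dst=198.51.100.5 dport=500
2006-01-25T09:00:06 proto=udp src=203.0.113.20 dst=198.51.100.5 dport=4500
2006-01-25T09:01:00 proto=udp src=203.0.113.30 dst=198.51.100.5 dport=1701
2006-01-25T09:01:02 proto=tcp src=203.0.113.40 dst=198.51.100.5 dport=443
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)(?: dport=(?P<dport>\d+))?"
)

PPTP_CONTROL_PORT = 1723
GRE_PROTOCOL = 47
ESP_PROTOCOL = 50
IKE_PORTS = {500, 4500}
L2TP_PORT = 1701


def classify(proto, dport=None):
    """Map one flow (transport protocol name or number, destination port) to a label."""
    proto = proto.lower()
    if proto == "tcp" and dport == PPTP_CONTROL_PORT:
        return "pptp-control"
    if proto in ("gre", str(GRE_PROTOCOL)):
        return "pptp-data"
    if proto == "udp" and dport in IKE_PORTS:
        return "ipsec-ike"       # IKE negotiation, or NAT-T encapsulated ESP on 4500
    if proto in ("esp", str(ESP_PROTOCOL)):
        return "ipsec-esp"
    if proto == "udp" and dport == L2TP_PORT:
        return "l2tp-no-ipsec"   # L2TP visible outside an IPSec SA: PPP is not protected
    return "other"


def parse_log(text):
    """Parse the constructed log format into flow records with a classification label."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dport = int(m["dport"]) if m["dport"] else None
        flows.append({"src": m["src"], "dst": m["dst"], "label": classify(m["proto"], dport)})
    return flows


def summarize(flows):
    """Return {source address: set of labels} for every source that carried VPN traffic."""
    per_src = defaultdict(set)
    for f in flows:
        if f["label"] != "other":
            per_src[f["src"]].add(f["label"])
    return dict(per_src)


def findings(flows):
    """Per-client verdict in the thread's own terms: PPTP is the weaker option,
    and L2TP seen without IPSec has no encryption around the PPP authentication."""
    out = {}
    for src, labels in summarize(flows).items():
        if "l2tp-no-ipsec" in labels:
            out[src] = "L2TP without IPSec: PPP authentication and data are not encrypted"
        elif labels & {"pptp-control", "pptp-data"}:
            out[src] = "PPTP: MPPE/RC4, weaker than L2TP/IPSec"
        else:
            out[src] = "L2TP/IPSec: IKE computer-level authentication, then PPP user-level authentication"
    return out


if __name__ == "__main__":
    for src, verdict in findings(parse_log(SAMPLE_LOG)).items():
        print(src, "->", verdict)
```

Run against the constructed sample, the script reports one PPTP client, one L2TP/IPSec client, and one client whose L2TP is arriving on UDP 1701 in the clear; the HTTPS flow on 443 is ignored. A single classification rule per flow is enough here because the thread's concern is which protocol the laptops ended up on, not full session reconstruction.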