Re: Secure VPN access

Hi Li,

Finally I ended up using the PPTP option in the D-Link router, which is fine
with its security option for the client. But one thing I notice is that when I
make the VPN on the client side he cannot browse the internet, which I heard
is pretty normal. But is there a workaround to this? I spoke to D-Link tech
support and they mention this is a problem related to the Microsoft side. But
when the Watchguard firewall was used through their software this problem
didn't happen.

After getting the VPN connection I checked the IP settings and found the
default gateway is the same as the VPN connection IP address. The DNS server
points to the head ISP's DNS server. Please note I've given a separate IP
scope for the VPN clients on the router side. But can I make their DNS
servers the head-office server IP, and if I do that will they be able to
browse the internet at the same time as they access the internal LAN via
VPN?

Regards,

Susantha
"Crina Li" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:eg2xs0jIGHA.3152@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi Susantha,
>
> Thanks for your update.
>
> You may refer to the following articles for information about deploying
> L2TP VPN:
>
> 324258 HOW TO: Configure a Preshared Key for Use with Layer 2 Tunneling
> Protocol Connections in Windows Server 2003
> http://support.microsoft.com/?id=324258
>
> 818754 White Paper: Virtual Private Networking with Windows Server 2003:
> Overview
> http://support.microsoft.com/?id=818754
>
> L2TP-based remote access VPN deployment
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/fe8e1d66-959c-476e-8b8f-6b44d511c825.mspx
>
> Computer certificates for L2TP/IPSec VPN connections
> http://technet2.microsoft.com/WindowsServer/en/Library/222d5646-4e81-4efb-af6e-616e9cd3f7db1033.mspx
>
> Virtual Private Networking with Windows Server 2003: Deploying Remote
> Access VPNs
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndeplr.mspx
>
> Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/rmotevpn.mspx
>
> I just wanted to stress the following:
>
> To use L2TP in Windows Server 2003, you must have a public key
> infrastructure (PKI) to issue computer certificates to the VPN server and
> to clients so that the IKE authentication process can occur.
>
> With Windows Server 2003, although you can use a preshared key for IKE
> authentication, we don't encourage the use of preshared keys, because it is
> a less secure method of authentication than certificates. Preshared keys
> are not meant to replace the use of certificates; instead, preshared keys
> are another method for testing and internal operations.
>
> In order to create an L2TP/IPSec connection using the computer certificate
> authentication method, you must install a certificate in the local computer
> certificate store on the VPN client and VPN server computer. To install a
> computer certificate, a certification authority must be present to issue
> certificates. Once the certification authority is configured, you can
> install a certificate in three different ways:
>
> - By configuring the automatic enrollment, or auto-enrollment, of computer
> certificates to computers in a Windows Server 2003 domain.
>
> - By using the Certificates snap-in to obtain a computer certificate.
>
> - By using your browser to connect to the CA Web enrollment pages to
> install a certificate on the local computer or to a floppy disk for
> installation on another computer, such as a user's home computer.
>
> Please note that the autoenrollment of remote access clients with the
> appropriate certificate requires the creation and usage of a Version 2
> certificate template. Version 2 certificates are not available on or
> distributable by Windows Server 2003, Standard Edition, but they are
> distributable by Windows Server 2003, Enterprise Edition. SBS 2003 is built
> on Windows Server 2003 Standard Edition, therefore, version 2 certificates
> are not supported.
>
> You can add an additional member server running Windows Server 2003
> Enterprise as the CA server, so that you can allow for autoenrollment. Or
> else you have to enroll certificates through the Web enrollment method.
>
> Windows 98 does not support virtual private networking (VPN) protocols,
> like Internet Protocol security (IPSec) or Layer 2 Tunneling Protocol
> (L2TP). You should install the Microsoft L2TP/IPSec VPN Client at:
>
> Microsoft L2TP/IPSec VPN Client
> http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
>
> Hope this helps.
>
> Please feel free to let me know if you have any questions or if you need
> further assistance.
>
> I'm looking forward to hearing from you.
>
> Best regards,
>
> Crina Li (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
>
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> --------------------
> | Reply-To: "susantha silva" <susanthasilva@xxxxxxxxxxx>
> | From: "susantha silva" <susanthasilva@xxxxxxxxxxx>
> | Subject: Re: Secure VPN access
> | Date: Wed, 25 Jan 2006 09:11:51 -0000
> | Newsgroups: microsoft.public.windows.server.sbs
> |
> | Hi Crina Li,
> |
> | Thanks for the information and informing via hotmail. Really appreciate all
> | your work. Is there any document or guidance about configuring IPSec on the
> | SBS server side and on the client side? I heard about creating a GPO for
> | this and implementing it. Can it be done like this? As I'm aware, these
> | laptops are going to be used in the office and at home and no other machines
> | are going to get the VPN options, so can I trust them at least at MAC address
> | level for security purposes? If so, where do I have to enter those details?
> | I'm going to use a Dlink DFL700 hardware firewall but want to see the options
> | available on the Microsoft SBS server side also.
> |
> | Regards,
> |
> | Susantha
> |
> | "Crina Li" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
> | news:CsOGG$XIGHA.1240@xxxxxxxxxxxxxxxxxxxxxxxx
> | > Hi Susantha,
> | >
> | > Thank you for posting in SBS newsgroup.
> | >
> | > From the description, do you mean you want to create a VPN between SBS and
> | > a few laptops? If so, PPTP VPN is secure for the scenario.
> | >
> | > Currently, I provide some general steps below to configure VPN access on
> | > an SBS environment.
> | >
> | > 1. Run CEICW, follow the wizard and select Enable firewall and then make
> | > sure Virtual Private Networking (VPN) is selected in the Services
> | > Configuration page. And make sure you have typed the public FQDN of the
> | > SBS server on the Web Server Certificate page.
> | > 2. Run Remote Access Wizard in Server Management\Internet and
> | > E-mail\Configure Remote Access, and select VPN access in the Remote Access
> | > Method page. After finishing this wizard, RRAS is configured to allow
> | > inbound VPN access, and it can assign IP addresses to the VPN clients by
> | > using DHCP.
> | >
> | > Note: When we run the remote access wizard to set up the VPN service, we
> | > need to input the public IP address or the public FQDN of the SBS server.
> | > We need to make sure that the address can be accessed from the internet.
> | >
> | > 3. On the VPN client, go to https://publicFQDN/remote, clear I'm using a
> | > public or shared computer, log in and download Connection Manager.
> | > 4. Install Connection Manager on the VPN client.
> | > 5. Is there a hardware router installed in front of the SBS server? If so,
> | > ensure that port forwarding for TCP 1723 and the GRE port (protocol number
> | > 47) is opened. PPTP VPN negotiates a connection on TCP port 1723 and sends
> | > data to and from the PPTP server using the GRE protocol (IP Protocol 47,
> | > 0x2F if you are looking in Network Monitor). You should open port 1723 on
> | > the router and also make sure IP Protocol 47 is allowed.
> | >
> | > For detailed information, you can refer to the following KB articles:
> | >
> | > 323441 How To Install and Configure a Virtual Private Network Server in
> | > Windows
> | > http://support.microsoft.com/?id=323441
> | >
> | > 305550 How to configure a VPN connection to your corporate network in
> | > Windows
> | > http://support.microsoft.com/?id=305550
> | >
> | > For PPTP and IPSec, as I know, PPTP is comparatively less secure than L2TP
> | > because L2TP does per-packet authentication and integrity checks using
> | > IPSec. But PPTP is easy to deploy.
> | >
> | > L2TP/IPSec and PPTP are similar in the following ways:
> | >
> | > They provide a logical transport mechanism to send PPP frames.
> | > They provide tunneling or encapsulation so that PPP frames based on any
> | > protocol can be sent across an IP network.
> | > They rely on the PPP connection process to perform user authentication,
> | > typically using a user name and password, and protocol configuration.
> | >
> | > L2TP/IPSec and PPTP are different in the following ways:
> | >
> | > With PPTP, data encryption begins after the PPP connection process (and,
> | > therefore, PPP authentication) is completed. With L2TP/IPSec, data
> | > encryption begins before the PPP connection process, so that the user
> | > authentication process is encrypted.
> | > PPTP connections use MPPE, which uses the Rivest-Shamir-Adleman (RSA)
> | > RC-4 encryption algorithm and 40, 56, or 128-bit encryption keys.
> | > L2TP/IPSec connections use the Data Encryption Standard (DES) algorithm,
> | > which uses either a 56-bit key for DES or three 56-bit keys for Triple DES
> | > (3DES). Block ciphers encrypt data in discrete blocks (64-bit blocks, in
> | > the case of DES). Microsoft L2TP/IPSec VPN Client supports only DES
> | > encryption.
> | > PPTP connections require only user-level authentication through a
> | > PPP-based authentication protocol. L2TP/IPSec connections require two
> | > levels of authentication. To create the IPSec security associations (SAs)
> | > to protect the L2TP-encapsulated data, an L2TP/IPSec client must perform a
> | > computer-level authentication with a certificate or a pre-shared key. After
> | > the IPSec SAs are successfully created, the L2TP portion of the connection
> | > performs the same user-level authentication as PPTP.
> | >
> | > You can also refer to the following links:
> | >
> | > http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet_102005.mspx
> | >
> | > http://www.microsoft.com/technet/community/chats/trans/windowsnet/050217_tn_ws03.mspx
> | >
> | > Administrator's Guide to Microsoft L2TP/IPSec VPN Client
> | > http://www.microsoft.com/technet/prodtechnol/windows2000serv/support/vpnclientag.mspx
> | >
> | > How VPN Works
> | > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6e2e7206-de85-45bf-89fa-634a67be3708.mspx
> | >
> | > Regarding information:
> | >
> | > 812076 HOW TO: Enable a Cisco IPSec VPN Client to Connect to a Cisco VPN
> | > http://support.microsoft.com/?id=812076
> | >
> | > Establishing an IPSec site-to-site tunnel between an ISA 2004 Firewall and
> | > a D-Link DI-804HV IPSec VPN Router
> | > http://www.isaserver.org/articles/2004isadlink.html
> | >
> | > http://www.microsoft.com/ntserver/ProductInfo/faqs/PPTPfaq.asp
> | >
> | > Hope it helps.
> | >
> | > I appreciate your time and look forward to hearing from you.
> | >
> | > Best regards,
> | >
> | > Crina Li (MSFT)
> | >
> | > Microsoft CSS Online Newsgroup Support
> | >
> | > Get Secure! - www.microsoft.com/security
> | >
> | > --------------------
> | > | Reply-To: "susantha silva" <susanthasilva@xxxxxxxxxxx>
> | > | From: "susantha silva" <susanthasilva@xxxxxxxxxxx>
> | > | Subject: Secure VPN access
> | > | Date: Tue, 24 Jan 2006 12:51:07 -0000
> | > | Newsgroups: microsoft.public.windows.server.sbs
> | > |
> | > | I want to implement VPN connections to a few laptops used by one of my
> | > | client's staff. They are very concerned about the security also. I know
> | > | in SBS by default you get the PPTP connection. But I want to know if this
> | > | is secure. What about the IPSec option, is that more secure than PPTP? If
> | > | so, how to implement it on the SBS server side and on the client machines'
> | > | side? (Svr= SBS 2003, clients= Windows XP Pro) no ISA.
> | > | Can anyone give me some idea to solve this matter. Thanks in advance for
> | > | any information.
> | > |
> | > | Regards,
> | > |
> | > | Susantha
> | > |
> | > |
> | > |
> | >
> |
> |
> |
>
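The "no internet while the VPN is up" symptom in Susantha's latest post follows from the routing observation in the same post: once the client's default gateway is the VPN address, every destination, the internet included, is routed into the tunnel, and it only reaches the web if the far end forwards it. The Python below is an added illustration, not code from the thread or from Microsoft or D-Link. It evaluates a constructed client routing table with ordinary longest-prefix matching (ties broken by metric) in two configurations: the full-tunnel table the post describes, and a split-tunnel table where only the office prefix goes through the VPN (in Windows this corresponds to the "Use default gateway on remote network" checkbox in the connection's TCP/IP settings). It also traces the two hops of a browse, the DNS lookup and the web connection, to answer the DNS question in the post: with split tunnelling, a lookup sent to the head-office DNS server travels through the VPN while the resulting web connection leaves through the home gateway, assuming the office DNS server can resolve public names. All addresses, subnets and metrics are made up for the example.

```python
import ipaddress

# Constructed addresses (documentation and private ranges); none come from the thread.
OFFICE_LAN = "10.10.0.0/24"       # assumed head-office subnet reachable through the VPN
OFFICE_DNS = "10.10.0.2"          # assumed head-office DNS server
VPN_CLIENT_IP = "10.10.5.7"       # assumed address the router assigns to the VPN client
HOME_GATEWAY = "192.168.1.1"      # assumed home router
PUBLIC_WEB = "198.51.100.10"      # assumed internet web server (TEST-NET-2)

# Each route is (prefix, gateway, interface, metric).
# Full tunnel: a second default route via the VPN with a lower metric than the
# home default route, which is what "default gateway = VPN address" looks like.
FULL_TUNNEL = [
    ("0.0.0.0/0", HOME_GATEWAY, "LAN", 25),
    ("0.0.0.0/0", VPN_CLIENT_IP, "VPN", 1),
    ("192.168.1.0/24", "0.0.0.0", "LAN", 25),
]

# Split tunnel: no VPN default route; only the office prefix is steered into the
# tunnel, so internet traffic keeps leaving through the home gateway.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", HOME_GATEWAY, "LAN", 25),
    (OFFICE_LAN, VPN_CLIENT_IP, "VPN", 1),
    ("192.168.1.0/24", "0.0.0.0", "LAN", 25),
]


def select_route(routes, dst):
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    target = ipaddress.ip_address(dst)
    candidates = [
        (ipaddress.ip_network(prefix), gateway, iface, metric)
        for prefix, gateway, iface, metric in routes
        if target in ipaddress.ip_network(prefix)
    ]
    if not candidates:
        return None
    # Longer prefix first, then smaller metric (negated so max() picks it).
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def egress_interface(routes, dst):
    """Interface a packet to dst leaves on, or None if unroutable."""
    route = select_route(routes, dst)
    return route[2] if route else None


def browse_path(routes, dns_server, web_ip):
    """(interface for the DNS lookup, interface for the web connection)."""
    return egress_interface(routes, dns_server), egress_interface(routes, web_ip)


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, "DNS/web via", browse_path(table, OFFICE_DNS, PUBLIC_WEB))
```

The full-tunnel table sends both the DNS lookup and the web connection into the VPN, so browsing depends entirely on the VPN server side routing client traffic back out to the internet; the split-tunnel table gives ("VPN", "LAN"). Which one is right is a policy choice rather than a bug: a full tunnel keeps the laptop's internet traffic behind the office's gateway and its controls, while a split tunnel restores browsing at the cost of the client being attached to two networks at once.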
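Step 5 of the quoted setup notes makes a point that is easy to get half right: PPTP needs both TCP 1723 for its control channel and IP protocol 47 (GRE, 0x2F) for the data, and a router that only forwards the TCP port lets the connection negotiate but never passes PPP data. The Python below is an added example, not code from the thread or from any of the products it mentions. It parses minimal IPv4 packets, classifies them as PPTP control, PPTP data or other, and runs them through a small model of a port-forwarding rule set with and without the GRE rule. The GRE protocol type 0x880B, which marks PPP carried in enhanced GRE, is an assumption taken from RFC 2637 rather than from the thread. The same classifier is what a network monitor would use to inventory PPTP, which the thread itself rates as the weaker of the two VPN options. Sample packets are constructed inline with zeroed checksums.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47            # 0x2F, as the thread notes for Network Monitor
PPTP_CONTROL_PORT = 1723
GRE_PROTO_PPP = 0x880B      # PPP in enhanced GRE (RFC 2637); assumption, not from the thread


def parse_ipv4(pkt):
    """Return (protocol number, payload) for a minimal IPv4 packet; options are skipped."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    return pkt[9], pkt[ihl:]


def classify(pkt):
    """'pptp-control' (TCP 1723), 'pptp-data' (GRE carrying PPP), 'gre-other' or 'other'."""
    proto, payload = parse_ipv4(pkt)
    if proto == IPPROTO_TCP and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control"
    elif proto == IPPROTO_GRE and len(payload) >= 4:
        _flags, gre_type = struct.unpack("!HH", payload[:4])
        return "pptp-data" if gre_type == GRE_PROTO_PPP else "gre-other"
    return "other"


def router_forwards(pkt, tcp_ports=frozenset(), ip_protocols=frozenset()):
    """Model of a consumer router's inbound rules: TCP is forwarded only to listed
    destination ports; any non-TCP protocol only if its number is listed."""
    proto, payload = parse_ipv4(pkt)
    if proto == IPPROTO_TCP:
        if len(payload) < 4:
            return False
        _sport, dport = struct.unpack("!HH", payload[:4])
        return dport in tcp_ports
    return proto in ip_protocols


def build_ipv4(proto, payload, src=b"\xc6\x33\x64\x0a", dst=b"\xc0\xa8\x10\x02"):
    """Minimal IPv4 header (no options, checksum left zero) around a payload; test input only."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src, dst)
    return header + payload


# Constructed sample traffic from a VPN client (198.51.100.10) towards the PPTP server.
TCP_SYN = "!HHIIBBHHH"   # sport, dport, seq, ack, data offset, flags, window, checksum, urgent
SAMPLES = {
    "control": build_ipv4(IPPROTO_TCP, struct.pack(TCP_SYN, 40001, 1723, 1, 0, 0x50, 0x02, 8192, 0, 0)),
    # Enhanced GRE header: flags/version (K and S bits, version 1), protocol, payload length, call ID,
    # followed by a PPP frame header (0xff03) and the IPCP protocol id (0x0021).
    "data": build_ipv4(IPPROTO_GRE, struct.pack("!HHHH", 0x3001, GRE_PROTO_PPP, 24, 0)
                       + b"\xff\x03\x00\x21" + b"\x00" * 20),
    "plain_gre": build_ipv4(IPPROTO_GRE, struct.pack("!HH", 0x0000, 0x0800) + b"\x45" + b"\x00" * 19),
    "web": build_ipv4(IPPROTO_TCP, struct.pack(TCP_SYN, 40002, 443, 1, 0, 0x50, 0x02, 8192, 0, 0)),
}

INCOMPLETE_RULES = dict(tcp_ports={1723})                          # the common half-done setup
COMPLETE_RULES = dict(tcp_ports={1723}, ip_protocols={IPPROTO_GRE})  # what step 5 asks for


def audit(rules):
    """Which of the sample packets a router with the given rules would forward."""
    return {name: router_forwards(pkt, **rules) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} {classify(pkt)}")
    print("TCP 1723 only:", audit(INCOMPLETE_RULES))
    print("TCP 1723 + GRE:", audit(COMPLETE_RULES))
```

With only TCP 1723 forwarded the control packet passes and the data packet is dropped, which is exactly the "connects but nothing works" outcome the note warns about. Note also that forwarding protocol 47 admits every GRE packet, PPTP or not, since the router decides on the IP protocol number rather than the GRE payload type, so the classifier's finer distinction is something a monitor can make but a port-forwarding rule cannot.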