Setting up a VPN Infrastructure for Remote Access and Site-to-Site Routing
Published: Tuesday, November 20, 2001, 10:00 AM PST
Host Guide_KenM:
Welcome to the Technet Chat on VPN Infrastructure. There are three hosts today. Dave Eitelbach is the lead Program Manager for Remote Access features in Windows. Rob Trace is the Program Manager with primary responsibility for VPN support in Windows. Tod Edwards is a Technical Lead in Microsoft's support organization.
We are looking forward to a lively discussion on this topic. We believe that VPNs are a very important technology, and have put a lot of work into making them as easy to use as possible. That said, we know that networking issues can be difficult, so we hope we can help with any questions or problems that you may have encountered. Be sure to check out the information and links on http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx.
The Input Room is where you can enter questions for our hosts today. We will read them and select questions to answer. The questions and answers will be posted in the Reading Room. Please feel free to go ahead with your questions!
Host Guide_KenM:
Thanks for the questions; we're working on your answers right now.
Q: If I would like to set up a VPN, where do I start? What books, CDs, or other resources can I use to help with setting up a VPN?
Host Guest_JoeDavies_MS:
A: See the "Virtual Private Networking with Windows 2000: Deploying Remote Access VPNs" and "Virtual Private Networking with Windows 2000: Deploying Router-to-Router VPNs" white papers on http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx.
Q: What is the best way to establish an outbound VPN client connection when behind ISA server? GateWay or Firewall client?
Host Guest_Tod_MS:
A: Depends on how you have ISA set up. The firewall client will work, but you can also just use the NAT functionality if the clients point to ISA for their default gateway. You just need to make sure you use the wizards in ISA to allow PPTP connections, so it opens the appropriate ports.
Q: Would you contrast the Microsoft VPN implementation versus a firewall vendor's VPN?
Host Guest_RobTrace_MS:
A: The main difference between Microsoft's VPN implementation and other vendors' is in the protocols that are supported. With Windows 2000 VPN server we support L2TP/IPSEC and PPTP as tunneling protocols. With L2TP/IPSEC, you get the highest form of security from IPSEC in a standards-based implementation. With other firewall implementations of VPN, you typically get IPSEC tunnel mode as the tunneling protocol. IPSEC tunnel mode uses a non-standard form of user authentication and address assignment. This can create interoperability and security issues.
Hurleymc:
Q: Will you talk a little about why L2TP and not PPTP?
Host Guest_dave_MS:
A: The newest Microsoft VPN is L2TP over IPSec (L2TP/IPSec). Both of these are IETF standard protocols. L2TP provides user authentication, IP address assignment, and other housekeeping, while IPSec provides strong security. PPTP is similar to L2TP and uses MPPE to encrypt its data streams. It also provides a secure VPN using an efficient encryption algorithm. PPTP is widely used and can be seen as a lightweight alternative to L2TP/IPSec.
Q: Is there a way to specify to allow a VPN Server connection to only accept calls from a particular IP address or range of addresses?
Host Guest_JoeDavies_MS:
A: The best way is to customize IP packet filters for the Internet interface with the Routing and Remote Access snap-in. By default, VPN connections are allowed from any IP address.
Host Guest_dave_MS:
Microsoft will continue to support both protocols. For a full comparison of L2TP and PPTP, see http://www.microsoft.com/technet/community/columns/cableguy/cg0801.mspx.
Q: When we RAS into the SQL Server, SQL authenticates the login, but when using VPN, it does not. Any ideas?
Host Guest_Tod_MS:
A: Are you connecting via VPN and/or RAS directly to the SQL server, or are you connecting to another server that is routing you to the SQL server? What is the error you get on the client when it fails?
Host Guide_KenM:
Thanks for the questions. We're working on answers right now.
Q: Rob, so my Microsoft VPN Server would set behind my firewall on the LAN port or the DMZ port?
Host Guest_RobTrace_MS:
A: Actually, the VPN server can be in either place. You just need to configure the firewall to open ports for L2TP/IPSEC or PPTP depending on your implementations. The details on what ports to open are in the deployment whitepaper at http://www.microsoft.com/windows2000/techinfo/planning/incremental/vpndeploy.asp.
Q: To establish a router-to-router VPN (inter-site connectivity), could I use the Network Connection Wizard? We would feel a lot safer doing that rather than plunging into RRAS.
Host Guest_JoeDavies_MS:
A: No. The Network Connection Wizard is for the creation of network connections. For router-to-router VPN, you must create a demand-dial interface with the Demand-Dial Interface Wizard in the RRAS snap-in.
Host Guide_KenM:
For those new to the chat, our topic is "Setting up a VPN Infrastructure for Remote Access and Site-to-Site Routing". Questions, comments, and suggestions are welcome.
rodney:
Q: Are L2TP and IPSec difficult to set up? Also, can Certificate Services issue the required certificate easily?
Host Guest_dave_MS:
A: If you are using Active Directory and the Microsoft Certificate Server, it is pretty easy to set up an L2TP/IPSec VPN server. See the deployment white paper at http://www.microsoft.com/windows2000/techinfo/planning/incremental/vpndeploy.asp. We recommend that you set up policy to auto-enroll clients as they log in. Then cert distribution will be transparent to the users.
Q: On a Windows 2000 Pro system as the "server", can it issue certificates (CA) for L2TP/IPSec VPN connections to it?
Host Guest_JoeDavies_MS:
A: No. Windows 2000 Professional does not support the Certificate Service. Use a Windows 2000 Server with the Certificate Service and configure it to auto-enroll computer certificates.
Q: Any advice on a simple cost-effective set-up for a small-office VPN for remote access?
Host Guest_RobTrace_MS:
A: It depends on how many users will be dialing in. If there are fewer than five, I would just set up Incoming Connections in the Make New Connection Wizard (it is in the advanced path). I would also recommend using PPTP as the protocol, since it will not require any PKI deployment.
Q: When some clients try to access particular servers in domain, they get a prompt for IPC$ authentication. Can you please explain this?
Host Guest_Tod_MS:
A: I'm assuming these are Windows 9x clients. They need to be configured to log in to the domain when they VPN in. If they are not logged on with their domain account, they will get the prompt for IPC$ when connecting to servers, since their username/password/domain doesn't match anything valid on the domain.
Host Guide_KenM:
If you asked a question earlier in the chat and it hasn't been answered yet, please go ahead and repost.
Q: We are building a router-to-router VPN end-point on our ISA server (integrated mode). Is the RRAS Demand-Dial Interface Wizard compatible with ISA? Or could one "break" the other?
Host Guest_Tod_MS:
A: Yes, it is compatible. You can use either one; the ISA one just creates demand dial connections like the RRAS wizard would do. The end result is the same.
Q: When using a Windows 9x client to connect to our remote network over the VPN, we are unable to browse the remote network and the login script doesn't get executed.
Host Guest_Tod_MS:
A: To open Network Neighborhood and see a browse list, the client's workgroup would need to be set to the name of the domain at the office. If the client is not configured to log in to the domain in the properties for Client for Microsoft Networks, then they will not get prompted to log in after the VPN connection is made, and login scripts won't run either.
Host Guide_KenM:
Working on answers right now.
Q: I currently have a RRAS server set up to do site-to-site routing, and for inbound VPN access. I would like to install ISA Server on the same box. How will that affect the existing demand-dial interfaces I have created for inter-office routing?
Host Guest_Tod_MS:
A: It won't affect the existing install; you don't need to change anything in RRAS. You will need to use the wizards in ISA to allow VPN connections, so the ports for PPTP are open and you can accept the VPN client and demand dial calls.
Host Guide_KenM:
For those new to the chat, our topic is "Setting Up a VPN Infrastructure for Remote Access and Site-to-Site Routing". Questions, comments, and suggestions are welcome. The Input Room is where you can enter questions for our hosts today. We will read them and select questions to answer. The questions and answers will be posted in the Reading Room.
Q: What if I used the Windows 2000 Server Network Connection Wizard to "Connect to a private network through the Internet" and then clicked to "Enable Internet Connection Sharing"? Isn't this a router-to-router VPN? If not, what's the difference?
Host Guest_JoeDavies_MS:
A: This is not a router-to-router VPN. ICS is an implementation of a Network Address Translator (NAT) designed to share an Internet connection with a group of computers in a small office or home office. This is not a supported configuration for router-to-router VPN. The NAT will introduce addressing issues, and you still have to configure routes on the VPN server you are calling.
Q: How can I change the workgroup name to match the office, when my cable provider wants their workgroup name set?
Host Guest_RobTrace_MS:
A: The workgroup name is meant to set the browsing context. It is supposed to define what you will see in Network Neighborhood. Your provider is using it for address management, which is unfortunate. There is no way to have two workgroup names at the same time. You might just try changing it and see if it has an adverse effect on your Internet connection. We have seen cases where you can change the workgroup name without impacting your Internet connection.
Q: When we RAS into the SQL Server, SQL authenticates the login, but when using VPN going through an ISP, it says the SQL Server is not available. Any ideas?
Host Guest_Tod_MS:
A: It sounds like either a name resolution issue or an issue with routing packets from the VPN server to the SQL server.
Q: If the SQL server is not on the same subnet as the VPN server, can the VPN server ping the SQL server?
Host Guest_Tod_MS:
A: If they are on the same subnet, is the VPN server handing out IP addresses from the same subnet or from a different range of IP addresses?
Q: Clients have a checkbox "Require data encryption". The server appears to have only settings to encrypt authentication but not data. Can I enforce encryption of data from the server? For authentication on the server, I am using MS-CHAP-V2. Thank you.
Host Guest_JoeDavies_MS:
A: Yes. Encryption for the VPN server is configured through remote access policies. See the Encryption tab on the profile properties of a remote access policy in the Routing and Remote Access snap-in. To require encryption, clear the "No Encryption" check box.
Q: We have a concern about RRAS/ISA. If we establish a router-to-router VPN on our ISA server, RRAS will need to "enable this computer as a router". Some ISA documents advise against this setting. How can we set up routing but remain secure vis-a-vis ISA?
Host Guest_Tod_MS:
A: True, the routing function will allow packets to route from one adapter to another, but if you are locking down ISA (as it is by default) and only opening the ports you need and only allowing requests on those ports to the Internet netcard of the ISA server, the filters will keep intruders out.
Host Guide_KenM:
We are going to have to wrap up this chat in about 12 minutes. We are working on answers to some last questions though. If you asked a question earlier in the chat and it hasn't been answered yet, please go ahead and repost.
Q: What is the difference between strong and basic encryption?
Host Guest_JoeDavies_MS:
A: Basic encryption uses 40-bit Microsoft Point-to-Point Encryption (MPPE) for PPTP connections and 56-bit Data Encryption Standard (DES) for L2TP/IPSec connections. Strong encryption uses 56-bit MPPE for PPTP connections and 56-bit DES for L2TP/IPSec connections.
Q: Regarding RRAS routing and ISA, are there recommended settings other than accepting ISA defaults? Is there a KB article/white paper about this?
Host Guest_Tod_MS:
A: There are numerous docs on ISA available on http://www.microsoft.com/ISAServer and http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx. The bottom line is you want to open the least amount of inbound ports in ISA so that you keep traffic out.
Host Guide_KenM:
We are going to have to wrap up this chat in a few minutes. We are working on some final answers. Any final questions?
Q: Can you please tell me what the highest level of encryption is for 98/me/2000/XP clients? Thank you.
Host Guest_JoeDavies_MS:
A: 128-bit MPPE for 98/ME/2000/XP (PPTP connections) and 3-DES IPSec for 2000/XP (L2TP). For Windows 2000 computers, you need Service Pack 2 (or later) or the High Encryption Pack. Windows 98 needs DUN 1.4 (http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx).
Q: How do I reach the VPN server via the Internet if the VPN server is behind a firewall (and the firewall supports PPTP pass-through)?
Host Guest_Tod_MS:
A: As long as you properly configured that firewall so that it maps inbound PPTP connections to the server you are using as your VPN server, it should work fine. Make sure your VPN server uses that firewall as its outbound router and not another firewall.
Q: …and the IP address I use in the VPN client is the IP for the Firewall/Router and the IP assigned by my DSL ISP.
Host Guest_Tod_MS:
A: Correct.
Q: Are there specific ports I need to forward?
Host Guest_Tod_MS:
A: PPTP uses TCP port 1723 and GRE protocol (protocol 47). There is more information on this at http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx.
Host Guide_KenM:
Looks like we need to wrap things up now. Thanks to everyone for a great set of questions. We hope that our answers have been helpful. Please look at the information we've posted on the Web site (http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx). You can also post questions to various newsgroups, including microsoft.public.win2000.ras_routing. Thank you everybody!
We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.