Windows VPN server - Interaction with network infrastructure components (November 29, 2007)

Chat Topic: Windows VPN server - Interaction with network infrastructure components
Date: Thursday, November 29, 2007

Please note: Portions of this transcript have been edited for clarity.

Carolyn [MSFT] (Moderator):
In about 30 minutes, we will begin our chat - Windows VPN server - Interaction with network infrastructure components. Join us for a live webchat to discuss your queries regarding the deployment and configuration of the VPN server and its interaction with other network infrastructure services. This webchat will focus on Routing and Remote Access Server (RRAS) configuration and its interoperability with DNS, NAT, Firewall and RADIUS servers. Your feedback on our product is extremely valuable to us.

We will answer as many questions as we can and post a transcript of the upper window within a few days at https://www.microsoft.com/technet/community/chats/trans/default.mspx.

Carolyn [MSFT] (Moderator):
We are pleased to welcome our experts for today. I will have them introduce themselves now.


Introductions:

Janani_MSFT (Expert):
Hi everyone. This is Janani here, a tester in the Routing and Remote Access team. Welcome to the chat!

RamAmar - MSFT (Expert):
Hi, I am Rama Amaravadi working as Development Lead in RAS team.

Uma Mahesh_MSFT (Expert):
Hello Everyone, I am Uma Mahesh, a dev in RRAS team.

VIKAS_MSFT (Expert):
Hi, I am Vikas Jain. I am the Development Manager of RRAS product at Microsoft.

AydinAs (Expert):
Hi, I am Aydin Aslaner from German Networking Team at Microsoft.

abhi [msft] (Expert):
Hi, I am Abhishek, Program Manager for RAS.

Start of chat:

Carolyn [MSFT] (Moderator):
Q:
Are any of our guests system admins who are responsible for making sure that users can connect remotely to their corporate network?

abhi [msft] (Expert):
Q:
How will SSTP make my life as a remote user easier over that of PPTP or IPsec?

abhi [msft] (Expert):
Q:
Is there any way in the current or upcoming version of RRAS to provide static per-user IP addresses? Our current firewall rules are set on the client's source IP, so every VPN client has to have his "own" IP address.
A: We don't have a way to specify a per-user static IP address from the server. The VPN client can have a static IP address configured, and if it is available then the server will assign it to the client.

Janani_MSFT (Expert):
Q:
I'm sure all of you would have heard of SSTP. Now, why would I want to use SSTP over any other option out there?

A: With other protocol options like PPTP, L2TP etc., if you are behind a firewall or a proxy, these VPN ports are usually blocked. Or you might have NATs, which will again block VPN traffic. Usually, the HTTP and HTTPS ports on these firewalls and proxies are opened to let web traffic through, and so if you use SSTP you can take advantage of this to establish VPN connections.

VIKAS_MSFT (Expert):
Q:
What about interop with old Windows Server versions?
A: Can you clarify your question?

Janani_MSFT (Expert):
Q:
What about interop with old Windows Server versions?
A: Hi, can you explain your question a little more - what you need to know?

abhi [msft] (Expert):
Q:
I forget to say that I'm forced to authenticate users against Vasco RADIUS server which uses one-time passwords.
A: As I said in an earlier response, the IPv4 RAS server does not provide a static IP address, but the client can choose it. For IPv6, the client usually tries to negotiate the last identifier by default, so it ends up getting the same IP address most of the time.

VIKAS_MSFT (Expert):
Q:
Is there any way in the current or upcoming version of RRAS to provide static per-user IP addresses? Our current firewall rules are set on the client's source IP, so every VPN client has to have his "own" IP address.
A: Can you describe your firewall rules a bit? Do you have per-user firewall rules, or would you like a group of users to have a set of firewall rules?

Uma Mahesh_MSFT (Expert):
Q:
Is there any way in the current or upcoming version of RRAS to provide static per-user IP addresses? Our current firewall rules are set on the client's source IP, so every VPN client has to have his "own" IP address.
A: In addition to what Abhi has replied, Windows RRAS server supports the raatFramedIPAddress attribute, so the server can assign an address given by the RADIUS server. Windows NPS server supports assigning an IP address per matched policy. So if you have a separate policy per user, you can achieve what you want.

Janani_MSFT (Expert):
Q:
What ports are going to be used for SSTP? Is it going to use any different ports than a regular VPN?

Janani_MSFT (Expert):
A: SSTP would be using HTTPS underneath, so TCP port 443 would usually be used on the SSTP server. However, we provide a way by which you can configure which port you want the SSTP server to listen on. In this case you will need to explicitly make sure this port is opened in the firewall, etc., on the server. This feature is especially useful when you have a reverse proxy or a web publishing scenario where all the HTTPS connections are terminated at a single machine on the edge of the corporate network and the connections are re-established to the appropriate web server/SSTP servers in the corporate network.

Janani_MSFT (Expert):
Please refer to our blog at https://blogs.technet.com/rrasblog to know more about the exciting new features in RRAS.

Janani_MSFT (Expert):
Q:
I am not computer literate enough to understand what you are asking me.  How do I stop Windows Update from trying to install Microsoft .Net Framework 1.1 Service Pack 1?
A: Winn, this question is beyond the scope of this chat. Please post your question in the relevant forum of https://technet.microsoft.com and the experts will answer it.

abhi [msft] (Expert):
Q:
I forget to say that I'm forced to authenticate users against Vasco RADIUS server which uses one-time passwords
A: What problem does this one-time password have?

Janani_MSFT (Expert):
Q:
Hi, Will there be any form of SDK/API available to integrate SSTP into my applications (to demand dial or create connections on-the-fly)?
A: SSTP is like any other tunneling protocol (PPTP or L2TP). We don't support Demand Dial (DD interface), but you can create a VPN connection to dial VPN with SSTP.

AydinAs (Expert):
Q:
I have an old Windows 2000 Server and a more recent version in my corporate lan. Can I keep my server or must I update it to a new version by interaction with other network infrastructure services?
A: Not sure what you mean by "interaction with other network services", but you can have Windows 2000 Server in a Windows Server 2008 domain if you mean that (depending on what domain level is being used).

Uma Mahesh_MSFT (Expert):
Q:
TO VIKAS: Our firewall or firewalls are Cisco PIX. VPN server is used by multiple teams and every team needs to access different resources. So Cisco PIX is permitting access by client IP address.
A: Using raatFramedIPAddress to push a particular IP address to a client should work in your case, as you have a firewall behind the RAS server.

Janani_MSFT (Expert):
Q:
You said SSTP uses HTTPS port 443. Would it be possible to have a secure web server, i.e., an HTTPS site in IIS on the same machine? Can SSTP server and IIS coexist?
A: Good question. Yes, you can have IIS on the same machine as the SSTP server. However, as both operate on the same HTTPS store, there might be some issues due to misconfiguration. Our blog post at https://blogs.technet.com/rrasblog/archive/2007/11/08/configuring-iis-on-the-sstp-server-implications-and-how-to-resolve.aspx tells you how both can coexist.

Uma Mahesh_MSFT (Expert):
Q:
TO VIKAS: Our firewall or firewalls are Cisco PIX. VPN server is used by multiple teams and every team needs to access different resources. So Cisco PIX is permitting access by client IP address.
A: https://msdn2.microsoft.com/en-us/library/aa363536.aspx raatFramedIPAddress

Specifies the IP address that is configured for the user requesting authentication. This attribute is typically returned by the authentication provider. However, the NAS may use it in an authentication request to specify a preferred IP address. The value field in RAS_AUTH_ATTRIBUTE for this type is a 32-bit integral value. For more information, see RFC 2865 https://go.microsoft.com/fwlink/?linkid=84055.

AydinAs (Expert):
Q:
hmm...SSTP sounds like a great thing. I would like to configure and try it out. Is there a step-by-step guide that I can refer to?
A: Yes, there is a guide at https://blogs.technet.com/rrasblog/archive/2007/09/14/deploying-sstp-step-by-step-guide-available-at.aspx.

JimHoltz (Expert):
Q:
hmm...SSTP sounds like a great thing. I would like to configure and try it out. Is there a step-by-step guide that I can refer to?
A: There will be an update to the SSTP guide published in a week or so. Also, there will be an SSTP TechNet Virtual Lab coming, maybe January. You can also see a screencast of an SSTP Vlab. Go to https://microsoft.com/rras for links. It will replace the current step-by-step. Just a rewrite, not a major revision.

Janani_MSFT (Expert):
Q:
and that a fix is available from the Microsoft support. But how do I get it?
A: Just call support and quote the following KB number associated with the fix, 933468: SMB (port 445) does not bind on Vista over RAS connection.

If you need help with the problem or the fix please contact rrasblog@microsoft.com.

VIKAS_MSFT (Expert):
Q:
I mean for instance printer services. I have a print server. In some cases setting new protocols, options, etc., makes my users unable to connect to it.
A: Do you have any specific issue? We do not know of any issue with printer sharing when using RAS on Vista/Windows Server 2008 RC0.

AydinAs (Expert):
Q:
I mean for instance printer services. I have a print server. In some cases setting new protocols, options, etc., makes my users unable to connect to it.
A: There is no "general" issue that you would run into, but I would need to know the whole environment to be able to say anything specific.

Janani_MSFT (Expert):
Q:
OK. SSTP is one cool feature. Can somebody briefly tell what are all the new things or features of RRAS in Windows Vista and Windows Server 2008?
A: The major features are:

(1) VPN NAP enforcement

(2) IPv6

(3) Removal of weak crypto and enabling of strong crypto algorithms

(4) A new simple way to create a VPN connection using the "New Connection Wizard"

(5) Connection Manager Administration Kit now supports multiple locales

You can refer to this post on our blog for more information https://blogs.technet.com/rrasblog/archive/2006/08/14/446669.aspx

Janani_MSFT (Expert):
Q:
Thanks Jim. Where will the updated SSTP guide be published?
A: It will be available for download on TechNet. Please look at our blog https://blogs.technet.com/rrasblog for an update on this. We will publish the new location there.

VIKAS_MSFT (Expert):
Q:
OK. SSTP is one cool feature. Can somebody briefly tell what are all the new things or features of RRAS in Windows Vista and Windows Server 2008?
A: In addition to the above, the system administrators can easily debug the failures using improved event logging on client and correlation of server logs with client events using Correlation Id logged in most events.

Janani_MSFT (Expert):
Q:
I have had a difficult time trying to set up VPN on Vista. Is there any link where I can refer to for easier troubleshooting or some mail ID that I can ask queries to?
A: Yes. Our blog has a lot of posts on this especially this one - https://blogs.technet.com/rrasblog/archive/2007/04/08/troubleshooting-vista-vpn-problems.aspx. Also in case you are not able to resolve your issue using these links, you can mail about your issue to the feature team at rrasblog@microsoft.com.

Janani_MSFT (Expert):
Q:
OK. Back to SSTP. I agree that SSTP is a great help when there are NATs and proxies in the network. However, as an admin I might want to block the SSTP connections from being made from within my network to the internet. Is this possible?
A: The HTTP CONNECT request sent by the SSTP client has a custom HTTP header named "SSTPVERSION" with value "1.0". On the web proxy, you can add a rule which inspects CONNECT requests for this particular header and blocks them accordingly. Please refer to the post in our blog for more information - https://blogs.technet.com/rrasblog/archive/2007/06/01/controlling-sstp-connections-in-managed-networks.aspx.

Janani_MSFT (Expert):
Q:
I have another query. I came to know from forums that it is not possible to access network shares from a Windows Vista machine over a VPN connection if NetBIOS over TCP/IP (NetBT) is disabled on one of the machines or port 139 is blocked.
A: Call support and quote the following KB number associated with the fix, 933468: SMB (port 445) does not bind on Vista over RAS connection. If you need help with the problem or the fix, please contact rrasblog@microsoft.com.

Carolyn [MSFT] (Moderator):
I'd like to thank our experts for joining us today to talk about Windows VPN server - Interaction with network infrastructure components.

If you would like further information on today's topic, please visit the following URLs:

VPN resources on TechNet

· https://www.microsoft.com/vpn

· https://www.microsoft.com/rras

RRAS blog

· https://blogs.technet.com/rrasblog

TechNet Forum

· https://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=1510&SiteID=17

You can email the feature team community at the following alias for any issues or queries: rrasblog@microsoft.com.

We are sorry we could not answer all your questions. We will post the transcript from today’s chat within a few days at https://www.microsoft.com/technet/community/chats/trans/default.mspx.

Thanks for your interest and feedback!  We are going to leave now.