VPN Remote Access for Employees

Remote access for Electronic, Inc. employees is deployed by using remote access VPN connections across the Internet based on the settings configured in the "Common Configuration for the VPN Server" section of this paper and the following additional settings.

Figure 2 shows the Electronic, Inc. VPN server that provides remote access VPN connections.

Figure 2: The Electronic, Inc. VPN server that provides remote access VPN connections

Domain Configuration
For each employee that is allowed VPN access:

  • The remote access permission on the dial-in properties of the user account is set to Control access through Remote Access Policy.

  • The user account is added to the VPN_Users Windows 2000 group.

Remote Access Policy Configuration
To define the authentication and encryption settings for remote access VPN clients, the following remote access policy is created:

  • Policy name: Remote Access VPN Clients

  • Conditions:

    • NAS-Port-Type is set to Virtual (VPN).

    • Windows-Groups is set to VPN_Users.

    • Called-Station-ID is set to 207.46.130.1.

  • Permission is set to Grant remote access permission.

  • Profile settings:

    • Authentication tab: Extensible Authentication Protocol is selected and Smartcard or other certificate (TLS) is configured to use the installed machine certificate. Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and Microsoft Encrypted Authentication (MS-CHAP) are also selected.

    • Encryption tab: Strong and Strongest are the only options that are selected.

Note: The Called-Station-ID condition is set to the IP address of the Internet interface for the VPN server. Only tunnels initiated from the Internet are allowed. Tunnels initiated from the Electronic, Inc. intranet are not permitted. Electronic, Inc. users that require Internet access from the Electronic, Inc. intranet must go through the Electronic, Inc. proxy server (not shown), where Internet access is controlled and monitored.
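The following is an added example, not part of the original paper: a small Python model of how the "Remote Access VPN Clients" policy above is evaluated against a connection request. It uses the paper's condition values and profile settings; the request attributes, the intranet address `10.0.0.1` and the helper names (`ConnectionRequest`, `evaluate`) are constructed for illustration. It shows that all three conditions must match before the Grant permission and profile apply, and that a tunnel reaching the server on any interface other than the Internet interface matches no policy and is refused.

```python
"""Model of the 'Remote Access VPN Clients' remote access policy.

Added example (not the paper's code): applies the policy's conditions and
profile constraints to constructed connection requests and returns
(granted, reason).
"""
from dataclasses import dataclass

# Policy definition, values taken from the paper.
POLICY_NAME = "Remote Access VPN Clients"
CONDITIONS = {
    "NAS-Port-Type": "Virtual (VPN)",
    "Windows-Groups": "VPN_Users",
    "Called-Station-ID": "207.46.130.1",  # Internet interface of the VPN server
}
ALLOWED_AUTH = {"EAP-TLS", "MS-CHAP v2", "MS-CHAP"}
ALLOWED_ENCRYPTION = {"Strong", "Strongest"}  # Basic / No encryption not selected


@dataclass(frozen=True)
class ConnectionRequest:
    """Attributes the VPN server sees for one incoming tunnel (constructed)."""
    nas_port_type: str
    windows_groups: frozenset
    called_station_id: str      # address the tunnel was addressed to
    auth_method: str
    encryption: str
    dial_in_permission: str = "Control access through Remote Access Policy"


def evaluate(req: ConnectionRequest):
    """Return (granted, reason) for a request under the paper's policy."""
    # An explicit Deny on the account's dial-in properties overrides policy.
    if req.dial_in_permission == "Deny access":
        return False, "dial-in properties deny access"
    # Every condition must match, otherwise this policy does not apply and,
    # with no other policy defined, the connection is rejected.
    if req.nas_port_type != CONDITIONS["NAS-Port-Type"]:
        return False, "NAS-Port-Type is not Virtual (VPN); no policy matched"
    if CONDITIONS["Windows-Groups"] not in req.windows_groups:
        return False, "user is not in VPN_Users; no policy matched"
    if req.called_station_id != CONDITIONS["Called-Station-ID"]:
        return False, "tunnel not initiated from the Internet; no policy matched"
    # Policy matched with Grant; profile settings are enforced next.
    if req.auth_method not in ALLOWED_AUTH:
        return False, f"authentication method {req.auth_method} not allowed by profile"
    if req.encryption not in ALLOWED_ENCRYPTION:
        return False, f"encryption level {req.encryption} not allowed by profile"
    return True, f"granted by policy '{POLICY_NAME}'"


# Constructed sample requests.
REQ_INTERNET_EAP = ConnectionRequest(
    "Virtual (VPN)", frozenset({"Domain Users", "VPN_Users"}),
    "207.46.130.1", "EAP-TLS", "Strongest")
REQ_INTRANET = ConnectionRequest(           # tunnel aimed at an intranet address
    "Virtual (VPN)", frozenset({"Domain Users", "VPN_Users"}),
    "10.0.0.1", "MS-CHAP v2", "Strong")     # 10.0.0.1 is a constructed placeholder
REQ_NOT_MEMBER = ConnectionRequest(
    "Virtual (VPN)", frozenset({"Domain Users"}),
    "207.46.130.1", "MS-CHAP v2", "Strong")
REQ_WEAK_CRYPTO = ConnectionRequest(
    "Virtual (VPN)", frozenset({"VPN_Users"}),
    "207.46.130.1", "MS-CHAP", "Basic")

if __name__ == "__main__":
    for name, req in [("internet/EAP-TLS", REQ_INTERNET_EAP),
                      ("intranet", REQ_INTRANET),
                      ("not in VPN_Users", REQ_NOT_MEMBER),
                      ("basic encryption", REQ_WEAK_CRYPTO)]:
        granted, reason = evaluate(req)
        print(f"{name:18} -> {'GRANT' if granted else 'DENY '}: {reason}")
```

The Called-Station-ID check is what enforces the note above: a client on the intranet that points at the server's internal address never matches the policy, so the server has no Grant to apply and rejects the tunnel.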

PPTP-based Remote Access Client Configuration
The Make New Connection wizard is used on client computers to create a VPN connection with the following setting:

  • Host name or IP address: vpn.electronic.microsoft.com

The VPN connection settings are modified as follows:

  • On the Networking tab, Type of dial-up server I am calling is set to Point-to-Point Tunneling Protocol (PPTP). This is done to provide better performance when connecting. When Type of dial-up server I am calling is set to Automatic, an IPSec security association (SA) for an L2TP connection is attempted first. By configuring the connection for PPTP, the IPSec SA for an L2TP connection is not attempted.

L2TP-based Remote Access Client Configuration
The remote access computer logs on to the Electronic, Inc. domain using a local area network (LAN) connection to the Electronic, Inc. intranet and receives a certificate through auto-enrollment. Then, the Make New Connection wizard is used to create a VPN connection with the following setting:

  • Host name or IP address: vpn.electronic.microsoft.com

The VPN connection settings are modified as follows:

  • On the Networking tab, Type of dial-up server I am calling is set to Layer-2 Tunneling Protocol (L2TP). When Type of dial-up server I am calling is set to Automatic, an IPSec security association (SA) for an L2TP connection is attempted first. If the IPSec SA is not successful, then a PPTP connection is attempted. In this case, the network administrator for Electronic, Inc. does not want remote access clients that are capable of establishing an L2TP connection to fall back to the PPTP connection.