Persistent Branch Office

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Persistent branch office

The Chicago and Phoenix branch offices of Electronic, Inc. are connected to the corporate office by using persistent router-to-router VPN connections that stay connected 24 hours a day. The routers running Windows Server 2003, Standard Edition, in the Chicago and Phoenix offices are equipped with T1 WAN adapters that have a permanent connection to a local Internet service provider to gain access to the Internet.

The Chicago branch office uses the IP network ID of 192.168.9.0 with a subnet mask of 255.255.255.0. The Chicago branch office router uses the public IP address of 131.107.0.1 for its Internet interface. The Phoenix branch office uses the IP network ID of 192.168.14.0 with a subnet mask of 255.255.255.0. The Phoenix branch office router uses the public IP address of 131.107.128.1 for its Internet interface.

The VPN connection is two-way initiated: either the branch office router or the corporate office router can initiate it, so each router acts as both a calling router and an answering router. Two-way initiated connections therefore require demand-dial interfaces, remote access policies, IP address pools, and packet filters on the routers on both sides of the connection.

The following illustration shows the Electronic, Inc. VPN server that provides persistent branch office connections.

Persistent VPN connections for branch offices

To deploy persistent router-to-router VPN connections to connect the Chicago and Phoenix branch offices to the corporate office based on the settings configured in Common configuration for the VPN server, the following additional settings are configured.

Domain configuration

For the Chicago office VPN connection that is initiated by the Chicago router, the user account VPN_Chicago is created with the following settings:

  • Password of U9!j5dP(%q1.

  • For the dial-in properties on the VPN_Chicago account, the remote access permission is set to Control access through Remote Access Policy.

  • For the account properties on the VPN_Chicago account, the Password never expires account option is enabled.

  • The VPN_Chicago account is added to the VPN_Routers group.

For the Phoenix office VPN connection that is initiated by the Phoenix router, the user account VPN_Phoenix is created with the following settings:

  • Password of z2F%s)bW$4f.

  • For the dial-in properties on the VPN_Phoenix account, the remote access permission is set to Control access through Remote Access Policy.

  • For the account properties on the VPN_Phoenix account, the Password never expires account option is enabled.

  • The VPN_Phoenix account is added to the VPN_Routers group.

For the Chicago office VPN connection and the Phoenix office VPN connection that are initiated by the corporate headquarters router, the user account VPN_CorpHQ is created with the following settings:

  • Password of o3\Dn6@`-J4.

  • For the dial-in properties on the VPN_CorpHQ account, the remote access permission is set to Control access through Remote Access Policy.

  • For the account properties on the VPN_CorpHQ account, the Password never expires account option is enabled.

  • The VPN_CorpHQ account is added to the VPN_Routers group.

Remote access policy configuration

Remote access policies must be configured at the VPN server, the Chicago router, and the Phoenix router.

Remote access policy configuration at the VPN server

The remote access policy configuration for the VPN server is the same as described in On-Demand Branch Office.

Remote access policy configuration at the Chicago router

To define the authentication and encryption settings for the VPN connections, the default policies are deleted, and the following remote access policy is created:

  • Policy name: VPN Routers

  • Conditions:

    • NAS-Port-Type is set to Virtual (VPN)

    • Windows-Groups is set to VPN_Routers

    • Called-Station-ID is set to 131.107.0.1

  • Permission is set to Grant remote access permission

  • Profile settings:

    • Authentication tab: Extensible Authentication Protocol is enabled and Smartcard or other certificate (TLS) is configured to use the installed computer certificate (also known as the machine certificate). Microsoft Encrypted Authentication version 2 (MS-CHAP v2) is also enabled.

    • Encryption tab: Strong and Strongest are the only options that are selected. (For PPTP these correspond to 56-bit and 128-bit MPPE; for L2TP/IPSec, to 56-bit DES and 3DES.) Because No encryption and Basic are cleared, a calling router cannot negotiate a weaker cipher.

Note

  • The Called-Station-ID is set to the IP address of the Internet interface for the branch office router, so a connection attempt matches this policy only if it arrives on that interface. Only tunnels initiated from the Internet are allowed. A tunnel initiated from a host on the Electronic, Inc. branch office network would arrive on the router's intranet interface, match no policy (the default policies have been deleted), and be rejected.

Remote access policy configuration at the Phoenix router

To define the authentication and encryption settings for the VPN connections, the default policies are deleted, and the following remote access policy is created:

  • Policy name: VPN Routers

  • Conditions:

    • NAS-Port-Type is set to Virtual (VPN)

    • Windows-Groups is set to VPN_Routers

    • Called-Station-ID is set to 131.107.128.1

  • Permission is set to Grant remote access permission

  • Profile settings:

    • Authentication tab: Extensible Authentication Protocol is enabled and Smartcard or other certificate (TLS) is configured to use the installed computer certificate (also known as the machine certificate). Microsoft Encrypted Authentication version 2 (MS-CHAP v2) is also enabled.

    • Encryption tab: Strong and Strongest are the only options that are selected. (For PPTP these correspond to 56-bit and 128-bit MPPE; for L2TP/IPSec, to 56-bit DES and 3DES.) Because No encryption and Basic are cleared, a calling router cannot negotiate a weaker cipher.

Note

  • The Called-Station-ID is set to the IP address of the Internet interface for the branch office router, so a connection attempt matches this policy only if it arrives on that interface. Only tunnels initiated from the Internet are allowed. A tunnel initiated from a host on the Electronic, Inc. branch office network would arrive on the router's intranet interface, match no policy (the default policies have been deleted), and be rejected.
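The following is an added example, not code from the original page or from Windows Server 2003 itself. It models the evaluation order that the Chicago and Phoenix policies above rely on: every condition of a policy must match, the account's dial-in setting is consulted, and then the profile's authentication and encryption constraints are enforced. The data types, the `evaluate` function and the sample connection attempts are assumptions made for illustration; the policy values are the ones given in the two sections above.

```python
"""Model of remote access policy evaluation on the branch office routers.

Added illustration, not product code. Policies are tried in order; the
first policy whose conditions all match decides the attempt, and with no
match the attempt is rejected (the default policies have been deleted).
"""
from dataclasses import dataclass
from typing import Iterable, Tuple

VIRTUAL_VPN = "Virtual (VPN)"            # NAS-Port-Type value for VPN ports
# Account dial-in setting: Allow access, Deny access, or
# Control access through Remote Access Policy.
ALLOW, DENY, VIA_POLICY = "allow", "deny", "policy"


@dataclass(frozen=True)
class Policy:
    name: str
    nas_port_type: str
    windows_group: str
    called_station_id: str               # Internet interface address of the router
    grant: bool                          # Grant remote access permission
    auth_methods: frozenset              # profile, Authentication tab
    encryption: frozenset                # profile, Encryption tab


@dataclass(frozen=True)
class Attempt:
    user: str
    groups: frozenset                    # Windows group memberships of the account
    nas_port_type: str
    called_station_id: str               # address the tunnel arrived on
    auth_method: str
    encryption: str
    dial_in: str = VIA_POLICY


def policy_matches(p: Policy, a: Attempt) -> bool:
    """All conditions of a policy must hold for the policy to apply."""
    return (p.nas_port_type == a.nas_port_type
            and p.windows_group in a.groups
            and p.called_station_id == a.called_station_id)


def evaluate(policies: Iterable[Policy], a: Attempt) -> Tuple[bool, str]:
    """Return (accepted, reason) for one connection attempt."""
    policy = next((p for p in policies if policy_matches(p, a)), None)
    if policy is None:
        return False, "no remote access policy matched"
    # The account's dial-in setting overrides the policy's permission.
    if a.dial_in == DENY:
        return False, f"account {a.user} is denied remote access"
    if a.dial_in == VIA_POLICY and not policy.grant:
        return False, f"policy {policy.name} denies remote access"
    # Profile constraints from the matched policy.
    if a.auth_method not in policy.auth_methods:
        return False, f"{a.auth_method} is not permitted by {policy.name}"
    if a.encryption not in policy.encryption:
        return False, f"{a.encryption} encryption is not permitted by {policy.name}"
    return True, f"accepted by {policy.name}"


def branch_policy(internet_address: str) -> Policy:
    """The 'VPN Routers' policy from the text, keyed on the router's public address."""
    return Policy("VPN Routers", VIRTUAL_VPN, "VPN_Routers", internet_address, True,
                  frozenset({"EAP-TLS", "MS-CHAP v2"}),
                  frozenset({"Strong", "Strongest"}))


CHICAGO = [branch_policy("131.107.0.1")]      # Chicago router policy list
PHOENIX = [branch_policy("131.107.128.1")]    # Phoenix router policy list


def corphq(called: str, auth: str = "EAP-TLS", enc: str = "Strongest",
           groups: frozenset = frozenset({"VPN_Routers"})) -> Attempt:
    """Constructed attempt by the corporate router's VPN_CorpHQ account."""
    return Attempt("VPN_CorpHQ", groups, VIRTUAL_VPN, called, auth, enc)


if __name__ == "__main__":
    # Constructed sample attempts against the Chicago router.
    cases = [
        ("from Internet, EAP-TLS, Strongest", corphq("131.107.0.1")),
        ("from branch LAN interface", corphq("192.168.9.1")),
        ("Phoenix address on Chicago router", corphq("131.107.128.1")),
        ("not in VPN_Routers", corphq("131.107.0.1", groups=frozenset())),
        ("MS-CHAP v2 with Basic encryption", corphq("131.107.0.1", "MS-CHAP v2", "Basic")),
        ("CHAP", corphq("131.107.0.1", auth="CHAP")),
    ]
    for label, attempt in cases:
        print(f"{label}: {evaluate(CHICAGO, attempt)}")
```

The second case is the one the Note describes: an attempt that arrives on the router's intranet address fails the Called-Station-ID condition, so no policy applies and the router rejects it before any credential is examined.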

IP address pool configuration

IP address pools must be configured at the VPN server, the Chicago router, and the Phoenix router.

IP address pool configuration at the VPN server

The IP address pool configuration for the VPN server is the same as described in Common configuration for the VPN server.

IP address pool configuration at the Chicago router

A static IP address pool with a starting IP address of 192.168.9.248 and an ending IP address of 192.168.9.253 is configured. The pool contains six addresses; the router assigns the first one to its own internal interface, which leaves five addresses for calling routers and VPN clients.

For more information, see Create a static IP address pool.

IP address pool configuration at the Phoenix router

A static IP address pool with a starting IP address of 192.168.14.248 and an ending IP address of 192.168.14.253 is configured. The pool contains six addresses; the router assigns the first one to its own internal interface, which leaves five addresses for calling routers and VPN clients.

For more information, see Create a static IP address pool.
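As an added example, not part of the original page, the function below checks a static address pool the way an administrator would before entering it on a branch office router: the pool must lie inside the branch office network, must not include the network or broadcast address, and yields one fewer usable address than it contains because the router takes the first address for its own internal interface. The function name and the return format are assumptions; the addresses are the Chicago and Phoenix values from the two sections above.

```python
"""Sanity checks for a static IP address pool on a branch office router.

Added illustration, not product code. The rule that the first address of
the pool goes to the router's own internal interface is RRAS behaviour;
everything else is ordinary IPv4 arithmetic.
"""
import ipaddress


def check_static_pool(start: str, end: str, lan_network: str) -> dict:
    """Validate a pool [start, end] against the router's LAN network.

    Returns the number of addresses in the pool, the number usable by
    callers, and a list of problems (empty when the pool is acceptable).
    """
    net = ipaddress.ip_network(lan_network, strict=True)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []
    if last < first:
        problems.append("ending address precedes starting address")
    for addr in (first, last):
        if addr not in net:
            problems.append(f"{addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address of {net}")
    total = int(last) - int(first) + 1 if last >= first else 0
    # The router assigns the first pool address to its internal interface,
    # so that address is never handed to a calling router or client.
    clients = max(total - 1, 0)
    return {"addresses": total, "clients": clients, "problems": problems}


if __name__ == "__main__":
    # Pools from the text, plus a constructed bad pool that runs into the
    # broadcast address.
    for label, args in [
        ("Chicago", ("192.168.9.248", "192.168.9.253", "192.168.9.0/24")),
        ("Phoenix", ("192.168.14.248", "192.168.14.253", "192.168.14.0/24")),
        ("bad", ("192.168.9.250", "192.168.9.255", "192.168.9.0/24")),
    ]:
        print(label, check_static_pool(*args))
```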

For more information about the corporate router and branch office router configuration, see:

Note

  • The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.