VPN Remote Access for Employees (VPN with Windows Server 2003)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Remote access for Electronic, Inc. employees is deployed by using remote access VPN connections across the Internet based on the settings configured in the Common Configuration for the VPN Server section of this paper and the following additional settings.

Figure 2 shows the Electronic, Inc. VPN server that provides remote access VPN connections.

Figure 2: The Electronic, Inc. VPN server that provides remote access VPN connections

Domain Configuration

For each employee that is allowed VPN access:

  • The remote access permission on the dial-in properties of the user account is set to Control access through Remote Access Policy.

  • The user account is added to the VPN_Users Active Directory group.

Remote Access Policy Configuration

To define the authentication and encryption settings for remote access VPN clients, the following common remote access policy is created:

Policy name: Remote Access VPN Connections

Access method: VPN

User or Group Access: Group with the EXAMPLE\VPN_Users group selected

Authentication Methods: Extensible Authentication Protocol with the Smart card or other Certificate type, Microsoft Encrypted Authentication version 2 (MS-CHAP v2), and Microsoft Encrypted Authentication (MS-CHAP) selected

Policy Encryption Level: Strong encryption and Strongest encryption selected

PPTP-based Remote Access Client Configuration

On the Windows XP remote access client computers, the New Connection Wizard is used to create a VPN connection with the following settings:

Network Connection Type: Connect to the network at my workplace

Network Connection: Virtual Private Network connection

Connection Name: Electronic, Inc.

VPN Server Selection: vpn.electronic.example.com

Connection Availability: Anyone's use

L2TP/IPSec-based Remote Access Client Configuration

The remote access computer logs on to the Electronic, Inc. domain using a local area network (LAN) connection to the Electronic, Inc. intranet and receives a computer certificate through autoenrollment. Then, the New Connection Wizard is used to create a VPN connection with the following settings:

Network Connection Type: Connect to the network at my workplace

Network Connection: Virtual Private Network connection

Connection Name: Electronic, Inc.

VPN Server Selection: vpn.electronic.example.com

Connection Availability: Anyone's use

From the Connect Electronic, Inc. dialog box, click Properties, and then click the Networking tab.

On the Networking tab, Type of VPN is set to L2TP/IPSec VPN. When Type of VPN is set to Automatic, a PPTP connection is tried first. In this case, the network administrator for Electronic, Inc. does not want remote access clients that are capable of establishing an L2TP/IPSec connection to use PPTP.
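The Type of VPN choice is persisted in each client's rasphone.pbk as the VpnStrategy key, so the administrator's requirement (L2TP/IPSec only, never Automatic) can be audited across deployed phonebooks. The following is an added example, not part of the original paper or the Windows tooling; the phonebook text is a constructed, reduced sample and the entry name "Electronic, Inc. (old laptop)" is hypothetical.

```python
"""Audit rasphone.pbk entries for the 'Type of VPN' (VpnStrategy) setting.

A Windows phonebook is INI-style: one section per connection. The
'Type of VPN' drop-down maps to VpnStrategy as follows:
  1 = PPTP only, 2 = Automatic (PPTP tried first),
  3 = L2TP/IPSec only, 4 = L2TP/IPSec tried first.
The Electronic, Inc. requirement from the paper is value 3.
"""
import configparser

VPN_STRATEGY = {
    1: "PPTP only",
    2: "Automatic (PPTP first)",
    3: "L2TP/IPSec only",
    4: "L2TP/IPSec first",
}
REQUIRED_STRATEGY = 3  # 'Type of VPN' = L2TP/IPSec VPN

# Constructed sample phonebook (reduced to the keys this audit needs).
# The second entry was left on 'Automatic', which the paper's admin forbids.
SAMPLE_PBK = """\
[Electronic, Inc.]
Encoding=1
Type=2
VpnStrategy=3
PhoneNumber=vpn.electronic.example.com

[Electronic, Inc. (old laptop)]
Encoding=1
Type=2
VpnStrategy=2
PhoneNumber=vpn.electronic.example.com
"""


def parse_pbk(text):
    """Parse phonebook text; strict=False tolerates repeated keys (MEDIA=, DEVICE=)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names case-sensitive as written
    cp.read_string(text)
    return cp


def audit(text, required=REQUIRED_STRATEGY):
    """Return [(entry name, strategy description, compliant)] for VPN entries."""
    results = []
    cp = parse_pbk(text)
    for name in cp.sections():
        if "VpnStrategy" not in cp[name]:
            continue  # not a VPN entry (dial-up, broadband, ...)
        code = int(cp[name]["VpnStrategy"])
        desc = VPN_STRATEGY.get(code, "unknown (%d)" % code)
        results.append((name, desc, code == required))
    return results


def noncompliant_entries(text):
    """Names of entries whose 'Type of VPN' is not L2TP/IPSec only."""
    return [name for name, _, ok in audit(text) if not ok]
```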