Export (0) Print
Expand All
0 out of 1 rated this helpful - Rate this topic

VPN Remote Access Example

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

Remote access for Fabrikam, Inc. employees is deployed by using remote access VPN connections across the Internet based on the settings configured in the previous topic Common Configuration for the VPN Server, and the following additional settings.

The following illustration shows the Fabrikam, Inc. VPN server that provides remote access VPN connections.

Remote access for Electronic, Inc. employees

For each employee that is allowed VPN access:

  • The network access permission on the dial-in properties of the user account is set to Control access through NPS Network Policy.

  • The user account is added to the VPN_Users group in Active Directory.

To define the authentication and encryption settings for remote access VPN clients, the following remote access network policy is created in Network Policy Server (NPS):

  • Policy name: Remote Access VPN Clients

  • Conditions:

    • NAS Port Type is set to Virtual (VPN)

    • Windows Groups is set to VPN_Users

    • Calling Station ID is set to 207.209.68.1

  • Permission is set to Grant access.

  • NPS policy settings:

    • On the Constraints tab, under Authentication Methods, for EAP Types select Microsoft: Smart Card or other certificate. Also enable Microsoft Encrypted Authentication version 2 (MS-CHAP v2).

      securitySecurity Note
      If you have client computers that require it, you can also enable Microsoft Authentication (MS-CHAP). Because MS-CHAP is no longer considered secure, we recommend that you do not use it unless you must for compatibility reasons.

    • On the Settings tab, under Encryption, select Strongest encryption (MPPE 128-bit), and then clear the Strong encryption (MPPE 56-bit), Basic encryption (MPPE 40-bit) and No encryption selections.

noteNote
The Calling-Station-ID condition is set to the IP address of the “Internet Connection” interface for the VPN server. Only tunnels initiated from the Internet to the specified address are allowed. Tunnels initiated from within the Fabrikam, Inc. intranet are not permitted. Fabrikam, Inc. users that require Internet access from the Fabrikam, Inc. intranet must go through the Fabrikam, Inc. proxy server (not shown), where Internet access is controlled and monitored.

The remote access computer logs on to the Fabrikam, Inc. domain using a LAN connection to the Fabrikam, Inc. intranet and receives a client authentication certificate through auto-enrollment. Then, the New Connection Wizard is used to create a VPN connection with the following setting:

  • Host name or IP address: vpn.fabrikam.com

  • On the Security tab, under Type of VPN, select IKEv2.

The New Connection Wizard is used on client computers to create a VPN connection with the following settings:

  • Host name or IP address: vpn.fabrikam.com

  • On the Security tab, under Type of VPN, select Point to Point Tunneling Protocol (PPTP).

The remote access computer logs on to the Fabrikam, Inc. domain using a LAN connection to the Fabrikam, Inc. intranet and receives a client authentication certificate through auto-enrollment. Then, the New Connection Wizard is used to create a VPN connection with the following setting:

  • Host name or IP address: vpn.fabrikam.com

The VPN connection settings are modified as follows:

  • On the Networking tab, under Type of VPN, select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec). The network administrator for Fabrikam, Inc. does not want remote access clients that are capable of establishing an L2TP connection to fall back to the PPTP connection.

The remote access computer logs on to the Fabrikam, Inc. domain using a LAN connection to the Fabrikam, Inc. intranet and receives an SSL certificate through auto-enrollment. Then, the New Connection Wizard is used to create a VPN connection with the following setting:

  • Host name or IP address: vpn.fabrikam.com

  • On the Security tab, under Type of VPN, select Secure Socket Tunneling Protocol (SSTP).

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.