
Common Configuration for the VPN Server

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

To deploy a VPN solution for Fabrikam, Inc., the network administrator performs an analysis and makes design decisions regarding:

The key elements of the network configuration are:

  • The Fabrikam, Inc. corporate intranet uses the private networks of 172.16.0.0 with a subnet mask of 255.240.0.0 and 192.168.0.0 with a subnet mask of 255.255.0.0. The corporate campus network segments use subnets of 172.16.0.0 and the branch offices use subnets of 192.168.0.0.

  • The VPN server computer is directly attached to the Internet by using a T3 (also known as a DS-3) dedicated WAN link.

  • The IP address of the T3 WAN adapter on the Internet is 207.209.68.1 as allocated by the Internet service provider (ISP) for Fabrikam, Inc. The IP address of the WAN adapter is referred to on the Internet by the DNS name vpn.fabrikam.com.

  • The VPN server computer is also directly attached to a perimeter network segment that contains a RADIUS server, a file server and Web server for business partner access, and a router that connects to the rest of the Fabrikam, Inc. corporate intranet. The perimeter network segment has the IP network ID of 172.31.0.0 with the subnet mask of 255.255.0.0.

  • The VPN server computer is configured with a static pool of IP addresses to allocate to remote access clients and calling routers. The static pool of IP addresses is a subset of the perimeter network segment (an on-subnet address pool).

The following illustration shows the network configuration of the Fabrikam, Inc. VPN server.

Network configuration of “Electronic” VPN server

Based on the network configuration of the Fabrikam, Inc. corporate campus intranet, the VPN server computer is configured as follows.

The network adapter that is used to connect to the intranet segment and the WAN adapter that is used to connect to the Internet are installed according to the adapter manufacturer's instructions. After drivers are installed and functioning, both adapters appear as local area connections in the Network Connections folder. The connections are renamed (from the default names of “Local Area Connection” and “Local Area Connection 2”) as “Corpnet Connection” and “Internet Connection.”

For the LAN adapter named “Corpnet Connection,” an IP address of 172.31.0.1 with a subnet mask 255.255.0.0 is configured. For the WAN adapter named “Internet Connection,” an IP address of 207.209.68.1 with a subnet mask 255.255.255.255 is configured, as specified by the ISP. A default gateway is not configured for either adapter. DNS and WINS server addresses are also configured.

The Routing and Remote Access Server Setup Wizard is run. Within the wizard, the Remote Access (dial-up or VPN) option is selected. For more information, see Install and Enable the Routing and Remote Access Service in the RRAS Deployment Guide.

While running the wizard, a static IP address pool with a starting IP address of 172.31.255.1 and an ending IP address of 172.31.255.254 is configured. This creates a static address pool for up to 254 VPN clients.

For more information, see Configure the Routing and Remote Access Service and Demand-Dial Interfaces in the RRAS Deployment Guide.

The default method of authenticating remote access and demand-dial connections is to use Windows authentication, which is appropriate in this configuration containing only one VPN server. For information about the use of RADIUS authentication for Fabrikam, Inc., see Understanding Remote Access Network Policies in the RRAS Deployment Guide. For more information about the use of Windows and RADIUS authentication, see Authentication vs. Authorization in the RRAS Deployment Guide.

To enable the use of smart card-based remote access VPN clients and certificate-based calling routers, the network administrator enables Extensible Authentication Protocol (EAP) on the VPN server.

For more information, see Enable Authentication Protocols in the RRAS Deployment Guide.

To reach intranet locations, a static route is configured with the following settings:

  • Interface: The “Corpnet Connection” adapter attached to the intranet

  • Destination: 172.16.0.0

  • Network mask: 255.240.0.0

  • Gateway: 172.31.0.2

  • Metric: 1

This static route simplifies routing by summarizing all destinations on the Fabrikam, Inc. corporate intranet. This static route is used so that the VPN server does not need to be configured with a routing protocol.

To reach Internet locations, a static route is configured with the following settings:

  • Interface: The “Internet Connection” adapter attached to the Internet

  • Destination: 0.0.0.0

  • Network mask: 0.0.0.0

  • Gateway: 0.0.0.0

  • Metric: 1

This static route summarizes all destinations on the Internet. This route allows the VPN server to respond to a remote access client or demand-dial router VPN connection from anywhere on the Internet.

Note
Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example.

To aid in the configuration of network policies that restrict VPN connections from Internet users, the port properties for the WAN Miniport (PPTP), WAN Miniport (L2TP), WAN Miniport (SSTP), and WAN Miniport (IKEv2) devices are modified with the IP address of the VPN server's Internet interface in the Phone number for this device field. For more information, see Set the Phone Number on a Port in the RRAS Deployment Guide.

To reach branch office locations from the intranet, a static route is configured on the intranet router (not the VPN server) with the following settings:

  • Interface: The “Corpnet Connection” adapter attached to the intranet

  • Destination: 192.168.0.0

  • Network mask: 255.255.0.0

  • Gateway: 172.31.0.1

  • Metric: 1

This static route simplifies routing by summarizing all destinations at branch offices of Fabrikam, Inc. and specifying that they are accessed through the VPN Server.
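The addressing plan above has a subtlety worth checking before it is deployed: the perimeter network 172.31.0.0/16 lies inside the 172.16.0.0/12 summary route, so the VPN server only reaches its own perimeter hosts (and its VPN clients, whose addresses come from the on-subnet pool) correctly because the directly connected /16 is more specific than the summary route pointing at 172.31.0.2. The following script is an added example, not code from the page or from RRAS: it models the VPN server's and intranet router's static routes with longest-prefix matching and verifies that the static address pool is on-subnet and does not overlap the fixed addresses of the VPN server and intranet router. The interface name "perimeter" for the intranet router and the sample destination addresses are constructed for the example.

```python
"""Sanity checks for the Fabrikam VPN server addressing plan (added example)."""
from ipaddress import ip_address, ip_network

# VPN server routes as listed in the text: (destination, interface, next hop).
# A next hop of None means directly connected; the page's 0.0.0.0 gateway on the
# point-to-point WAN link is represented the same way.
VPN_SERVER_ROUTES = [
    (ip_network("172.31.0.0/255.255.0.0"), "Corpnet Connection", None),   # attached perimeter segment
    (ip_network("172.16.0.0/255.240.0.0"), "Corpnet Connection", "172.31.0.2"),  # intranet summary route
    (ip_network("0.0.0.0/0.0.0.0"), "Internet Connection", None),         # default route to the Internet
]

# Intranet router (not the VPN server): branch offices are reached via 172.31.0.1.
# The interface name "perimeter" is an assumption made for this example.
INTRANET_ROUTER_ROUTES = [
    (ip_network("172.31.0.0/255.255.0.0"), "perimeter", None),
    (ip_network("192.168.0.0/255.255.0.0"), "perimeter", "172.31.0.1"),
]

# Static pool and the perimeter segment it must belong to (on-subnet pool).
PERIMETER = ip_network("172.31.0.0/255.255.0.0")
POOL_START, POOL_END = ip_address("172.31.255.1"), ip_address("172.31.255.254")
RESERVED = {ip_address("172.31.0.1"), ip_address("172.31.0.2")}  # VPN server LAN address, intranet router


def lookup(routes, destination):
    """Longest-prefix match: return (interface, next_hop) or None if no route matches."""
    addr = ip_address(destination)
    best = None
    for net, iface, next_hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])


def pool_check(start=POOL_START, end=POOL_END, segment=PERIMETER, reserved=RESERVED):
    """Return (pool_size, is_on_subnet, overlaps_reserved_addresses)."""
    size = int(end) - int(start) + 1
    on_subnet = start in segment and end in segment
    overlaps = any(int(start) <= int(a) <= int(end) for a in reserved)
    return size, on_subnet, overlaps


if __name__ == "__main__":
    # Constructed sample destinations: perimeter host, VPN client, campus host, Internet host.
    for dest in ("172.31.0.5", "172.31.255.10", "172.20.1.1", "203.0.113.10"):
        print(f"VPN server -> {dest:15} : {lookup(VPN_SERVER_ROUTES, dest)}")
    print("intranet router -> 192.168.3.7 :", lookup(INTRANET_ROUTER_ROUTES, "192.168.3.7"))
    print("pool (size, on-subnet, overlaps reserved):", pool_check())
```

Running it shows perimeter and VPN-client addresses resolved as directly connected on "Corpnet Connection" rather than forwarded to 172.31.0.2, campus addresses going through the intranet router, everything else leaving on "Internet Connection", and a 254-address pool that sits inside 172.31.0.0/16 without touching 172.31.0.1 or 172.31.0.2.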

The network administrator for Fabrikam, Inc. decides on an access-by-policy administrative model. The network access permission on all user accounts is set to Control access through NPS Network Policy. The granting of access permission to connection attempts is controlled by the access permission setting on the first matching Network Policy Server (NPS) network policy. Network policies are used to apply different VPN connection settings based on group membership, and the default remote access network policies are deleted.

For more information, see Understanding Remote Access Network Policies in the RRAS Deployment Guide.

To take advantage of the ability to apply different connection settings to different types of VPN connections, the following Active Directory groups are created:

  • VPN_Users. Used for remote access VPN connections

  • VPN_Routers. Used for router-to-router VPN connections from Fabrikam, Inc. branch offices

  • VPN_Partners. Used for router-to-router VPN connections from Fabrikam, Inc. business partners

Note
All users and groups in this implementation example are created in the fabrikam.com Active Directory domain.
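The access-by-policy model described above has two consequences that are easy to overlook: the first network policy whose conditions match decides the outcome, and once the default policies are deleted a connection attempt that matches no policy is rejected. The following is an added example, not code from the page and not NPS itself; it models that decision rule with one policy per Active Directory group. The policy names, the per-policy settings and the sample account group memberships are constructed for illustration.

```python
"""Model of first-match NPS network policy evaluation (added example, not NPS code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset          # membership in any of these groups satisfies the condition
    grant: bool                # access permission of the policy
    settings: dict = field(default_factory=dict)  # connection settings applied on a grant


# Ordered policies, one per group from the text. Settings are constructed for the example;
# the page only states that smart cards (EAP) and EAP-TLS are used.
POLICIES = [
    Policy("Remote access users", frozenset({"VPN_Users"}), True,
           {"eap_method": "smart card (EAP)", "connection": "remote access"}),
    Policy("Branch office routers", frozenset({"VPN_Routers"}), True,
           {"eap_method": "EAP-TLS", "connection": "router-to-router"}),
    Policy("Business partner routers", frozenset({"VPN_Partners"}), True,
           {"eap_method": "EAP-TLS", "connection": "router-to-router"}),
]


def evaluate(policies, account_groups):
    """Return (policy_name, granted, settings) from the first matching policy.

    Every account is set to 'Control access through NPS Network Policy', so the
    policy's access permission decides. With the default policies deleted, an
    attempt matching no policy yields (None, False, {}): it is rejected.
    """
    groups = set(account_groups)
    for policy in policies:
        if policy.groups & groups:
            return policy.name, policy.grant, dict(policy.settings)
    return None, False, {}


if __name__ == "__main__":
    # Constructed sample accounts from the fabrikam.com domain.
    samples = {
        "alice (Domain Users, VPN_Users)": {"Domain Users", "VPN_Users"},
        "branch-rtr (VPN_Routers)": {"VPN_Routers"},
        "partner-rtr (VPN_Partners)": {"VPN_Partners"},
        "bob (Domain Users only)": {"Domain Users"},
    }
    for label, groups in samples.items():
        print(f"{label:35} -> {evaluate(POLICIES, groups)}")
```

The last sample account is the important one: a domain user who is not in any of the three VPN groups is refused even though the account itself is not marked Deny access, which is exactly what deleting the default policies buys in this design.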

To enable L2TP/IPsec connections, the use of smart cards by remote access clients, and the use of EAP-TLS by routers, the Fabrikam, Inc. domain is configured to auto-enroll computer certificates to all domain members.

For more information, see Appendix A: Computer Certificates for VPN Connections in this guide.
