Extranet access

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


This topic describes how IAS and the Routing and Remote Access service are used to support an extranet. An extranet is an extension of an organization's intranet that is used to facilitate communication with business partners. It provides business partners with limited access to resources on the organization's intranet through a virtual private network (VPN) connection over the Internet. This enhances the speed and efficiency of the business relationship. The organization has multiple business partners, each of which needs access to only a specific subnet or set of addresses within the organization's network. Network access control is defined at the IP level using IP packet filters for specific connection categories. The filters that are applied to VPN connections can be specified by using remote access policies.

This topic describes a typical configuration for an organization extranet that uses:

  • Two IAS servers.

    Two IAS servers (one primary and one secondary) are used to provide fault tolerance for RADIUS-based authentication. If only one RADIUS server is configured and it becomes unavailable, VPN users cannot connect. By using two IAS servers and configuring all VPN servers (RADIUS clients) for both the primary and secondary IAS servers, the RADIUS clients can detect when the primary RADIUS server is unavailable and automatically fail over to the secondary IAS server.

  • Active Directory domains.

    Active Directory domains contain the user accounts, passwords, and dial-in properties that each IAS server requires to authenticate user credentials and evaluate both authorization and connection constraints. To optimize IAS authentication and authorization response times and minimize network traffic, IAS is installed on domain controllers.

  • Custom remote access policies.

    Remote access policies are configured to specify, based on group membership, how different business partners can access different extranet resources.

  • VPN servers.

    VPN servers are computers running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows 2000, with the Routing and Remote Access service.

The following illustration shows the configuration for VPN-based remote access to the extranet by business partners.


Note

  • This topic only describes how to configure IAS. It does not describe the configuration of Active Directory, the VPN servers, or the resources on the extranet. For more information about how to deploy these components, see the appropriate Help topics.

To configure IAS for this example, complete the following steps:

  • Configure Active Directory for user accounts, groups, and certificate auto-enrollment.

  • Configure the primary IAS server on a domain controller.

  • Configure the secondary IAS server on a different domain controller.

  • Configure RADIUS authentication and accounting on VPN servers.

Configuring user accounts, groups, and certificate auto-enrollment

To configure user accounts, groups, and certificate auto-enrollment, do the following:

  1. Ensure that all business partners that are making remote access connections have a corresponding user account. Configure the user principal names (UPNs) for business partner accounts by using the organization name of the business partner. For example, for a user account named Someone for the business partner Microsoft, configure the UPN as someone@example.microsoft.com.

  2. To manage your business partners' extranet access per user, set the remote access permission on their user accounts to Allow access or Deny access. To manage extranet access by group, set the remote access permission on the user accounts to Control access through Remote Access Policy. For more information, see Configure remote access permission for a user.

  3. Organize your business partner user accounts into the appropriate universal and nested global groups in order to take advantage of group-based remote access policies. Create global groups for each business partner and then add the appropriate user accounts. Next, create universal groups for business partner categories that contain the global groups as members. For example, for the business partner Microsoft, create a global group named Microsoft and add all Microsoft user accounts to the group. Then, because Microsoft is a supplier business partner, create a universal group named Suppliers and add the Microsoft global group as a member. For more information, see Group scope.

Configuring the primary IAS server on a domain controller

To configure the primary IAS server on a domain controller, do the following:

  1. On the domain controller, install IAS as an optional networking component.

     For more information, see Install IAS.

  2. Configure the IAS server computer (the domain controller) to read the properties of user accounts in the domain.

     For more information, see Enable the IAS server to read user accounts in Active Directory.

     If the IAS server is authenticating connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the IAS server computer is a member. Next, configure the IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.

  3. Enable file logging of accounting, authentication, and periodic status events.

     For more information, see Configure log file properties.

  4. Add the VPN servers as RADIUS clients of the IAS server.

     For more information, see Add RADIUS clients. Verify that you are configuring the correct name or IP address and shared secrets. For more information, see Shared secrets.

  5. Create remote access policies that reflect your required business partner extranet usage.

     For example, to create a remote access policy that restricts all VPN remote access traffic for members of the Suppliers group to the subnet 192.168.47.0/24, use the New Remote Access Policy Wizard to create a new custom remote access policy with the following settings:

     • Policy name: Supplier business partner connections

     • Conditions: Windows-Groups matches Suppliers

     • Permission: Grant remote access permission

     • Profile settings, Dial-in Constraints tab: Allow access only through these media and the Virtual (VPN) media type are selected.

     • Profile settings, IP tab, Input packet filter:

       • Deny all traffic except those listed below

       • Destination network, IP address: 192.168.47.0

       • Destination network, Subnet mask: 255.255.255.0

       • Protocol: Any

     • Profile settings, IP tab, Output packet filter:

       • Deny all traffic except those listed below

       • Source network, IP address: 192.168.47.0

       • Source network, Subnet mask: 255.255.255.0

       • Protocol: Any

     • Profile settings, Authentication tab: Select the Microsoft Encrypted Authentication version 2 (MS-CHAP v2) check box, and then clear all other check boxes.

     • Profile settings, Encryption tab: Select the Strongest check box, and then clear all other check boxes.

     For more information, see Add a remote access policy.

     As another example, to create a remote access policy that restricts all VPN remote access traffic for members of the Investors business partner group to the single IP address 10.59.192.17, create a new remote access policy with the following settings:

     • Policy name: Investor business partner connections

     • Conditions: Windows-Groups matches Investors

     • Permission: Grant remote access permission

     • Profile settings, Dial-in Constraints tab: Allow access only through these media and the Virtual (VPN) media type are selected.

     • Profile settings, IP tab, Input packet filter:

       • Deny all traffic except those listed below

       • Destination network, IP address: 10.59.192.17

       • Destination network, Subnet mask: 255.255.255.255

       • Protocol: Any

     • Profile settings, IP tab, Output packet filter:

       • Deny all traffic except those listed below

       • Source network, IP address: 10.59.192.17

       • Source network, Subnet mask: 255.255.255.255

       • Protocol: Any

     • Profile settings, Authentication tab: Select the Microsoft Encrypted Authentication version 2 (MS-CHAP v2) check box, and then clear all other check boxes.

     • Profile settings, Encryption tab: Select the Strongest check box, and then clear all other check boxes.

     For more information, see Add a remote access policy.

     For additional examples of remote access policies, see Remote Access Policies Examples.

  6. Delete the default remote access policies, or move them so that they are the last policies to be evaluated. For more information, see Delete a remote access policy and Change the policy evaluation order.

  7. Ensure that a computer certificate that can be validated by computers using smart cards is installed on the IAS server computer.

     For more information, see Computer certificates for certificate-based authentication.
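As an added illustration (not part of the original Help topic), the following Python models how the two policies above are evaluated: the first policy whose Windows-Groups condition matches is applied, and its profile's input filter (matched on destination) and output filter (matched on source) deny everything except the one listed network. The VPN client addresses, the group check by name and the helper functions are assumptions for the model, not IAS APIs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str                       # Policy name
    group: str                      # Windows-Groups condition
    allowed: ipaddress.IPv4Network  # the one "except" entry shared by both filters


# The two policies from the text, in evaluation order (Suppliers first).
POLICIES = (
    Policy("Supplier business partner connections", "Suppliers",
           ipaddress.ip_network("192.168.47.0/24")),
    Policy("Investor business partner connections", "Investors",
           ipaddress.ip_network("10.59.192.17/32")),
)


def select_policy(user_groups, policies=POLICIES) -> Optional[Policy]:
    """Policies are evaluated in order; the first whose conditions match is
    applied and later ones are ignored. No match means the connection is rejected."""
    for policy in policies:
        if policy.group in user_groups:
            return policy
    return None


def filter_allows(policy: Policy, direction: str, src: str, dst: str) -> bool:
    """Deny-all default. Input filter (client -> extranet): permit only if the
    destination is in the allowed network. Output filter (extranet -> client):
    permit only if the source is. Protocol is 'Any', so only addresses matter."""
    checked = dst if direction == "input" else src
    return ipaddress.ip_address(checked) in policy.allowed


def evaluate(user_groups, direction, src, dst) -> Tuple[Optional[str], bool]:
    """Return (name of the applied policy or None, whether the packet is permitted)."""
    policy = select_policy(user_groups)
    if policy is None:
        return None, False
    return policy.name, filter_allows(policy, direction, src, dst)


# Constructed sample packets; 172.16.0.x are assumed VPN client addresses.
SUPPLIER_OK = evaluate({"Suppliers"}, "input", "172.16.0.5", "192.168.47.10")
SUPPLIER_BLOCK = evaluate({"Suppliers"}, "input", "172.16.0.5", "192.168.48.10")
INVESTOR_REPLY = evaluate({"Investors"}, "output", "10.59.192.17", "172.16.0.9")
INVESTOR_BLOCK = evaluate({"Investors"}, "output", "10.59.192.18", "172.16.0.9")
# A member of both groups gets the Suppliers policy (listed first), so the
# investor host is unreachable: policy order decides, not group membership.
BOTH_GROUPS = evaluate({"Suppliers", "Investors"}, "input", "172.16.0.5", "10.59.192.17")
```

The last case is why step 6 matters: a permissive default policy left ahead of these two would be applied first and the filters here would never take effect.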

Configuring the secondary IAS server on a different domain controller

To configure the secondary IAS server on a different domain controller, do the following:

  1. On the other domain controller, install IAS as an optional networking component.

     For more information, see Install IAS.

  2. Configure the secondary IAS server computer (the other domain controller) to read the properties of user accounts in the domain.

     For more information, see Enable the IAS server to read user accounts in Active Directory.

     If the secondary IAS server authenticates connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server computer is a member. Next, configure the secondary IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.

  3. Ensure that a computer certificate that can be validated by computers using smart cards is installed on the IAS server computer.

     For more information, see Computer certificates for certificate-based authentication.

  4. Copy the configuration of the primary IAS server to the secondary IAS server.

     For more information, see Copy the IAS configuration to another server.

Configuring RADIUS authentication and accounting on the VPN servers

To configure each VPN server to use the primary and secondary IAS servers for authentication, authorization, and accounting of remote access connections, do the following:

  1. If the VPN server is a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows 2000, with the Routing and Remote Access service, configure the primary and secondary IAS servers as RADIUS servers for both RADIUS authentication and accounting. For more information, see Use RADIUS authentication and Use RADIUS accounting.

  2. If the VPN server is a computer running Windows NT Server 4.0 and the Routing and Remote Access Service (RRAS), see the Windows NT Server 4.0 online Help for information about how to configure the primary and secondary IAS servers as RADIUS servers for RADIUS authentication.