On-Demand Branch Office

The Portland and Dallas branch offices of Electronic, Inc. are connected to the corporate office by using on-demand router-to-router VPN connections. Both the Portland and Dallas offices contain a small number of employees who only need occasional connectivity with the corporate office. The Windows 2000 routers in the Portland and Dallas offices are equipped with an ISDN adapter that dials a local Internet service provider to gain access to the Internet, and then a router-to-router VPN connection is made across the Internet. When the VPN connection is not used for five minutes, the routers at the branch offices terminate the VPN connection.

The Dallas branch office uses the IP network ID of 192.168.28.0 with a subnet mask of 255.255.255.0. The Portland branch office uses the IP network ID of 192.168.4.0 with a subnet mask of 255.255.255.0.

To simplify the configuration, the VPN connection is a one-way initiated connection that is always initiated by the branch office router. For more information, see the topic titled "One-way Initiated Demand-Dial Connections" in the Windows 2000 Server Help.

Figure 3 shows the Electronic, Inc. VPN server that provides on-demand branch office connections.

Figure 3: The Electronic, Inc. VPN server that provides on-demand branch office connections

To deploy on-demand router-to-router VPN connections to connect the Portland and Dallas branch offices to the corporate office based on the settings configured in the "Common Configuration for the VPN server" section of this paper, the following additional settings are configured.

Domain Configuration
For the VPN connection to the Dallas office, the user account VPN_Dallas is created with the following settings:

  • Password of nY7W{q8~=z3.

  • For the dial-in properties on the VPN_Dallas account, the remote access permission is set to Control access through Remote Access Policy and the static route 192.168.28.0 with a subnet mask of 255.255.255.0 is added.

  • For the account properties on the VPN_Dallas account, the Password never expires account option is selected.

  • The VPN_Dallas account is added to the VPN_Routers group.

For the VPN connection to the Portland office, the user account VPN_Portland is created with the following settings:

  • Password of P*4s=wq!Gx1.

  • For the dial-in properties on the VPN_Portland account, the remote access permission is set to Control access through Remote Access Policy and the static route 192.168.28.0 with a subnet mask of 255.255.255.0 is added.

  • For the account properties on the VPN_Portland account, the Password never expires account option is selected.

  • The VPN_Portland account is added to the VPN_Routers group.

Remote Access Policy Configuration
To define the authentication and encryption settings for remote access VPN clients, the following remote access policy is created:

  • Policy name: VPN Routers

  • Conditions:

    • NAS-Port-Type is set to Virtual (VPN).

    • Windows-Groups is set to VPN_Routers.

    • Called-Station-ID is set to 207.46.130.1.

  • Permission is set to Grant remote access permission.

  • Profile settings:

    • Authentication tab: Extensible Authentication Protocol is selected and Smartcard or other certificate (TLS) is configured to use the installed machine certificate. Microsoft Encrypted Authentication version 2 (MS-CHAP v2) is also selected.

    • Encryption tab: Strong and Strongest are the only options that are selected.

Note: The Called-Station-ID is set to the IP address of the Internet interface for the VPN server. Only tunnels initiated from the Internet are allowed. Tunnels initiated from the Electronic, Inc. intranet are not permitted. Electronic, Inc. users that require Internet access from the Electronic, Inc. intranet must go through the Electronic, Inc. proxy server (not shown), where Internet access is controlled and monitored.
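The policy evaluation described above, as an added example that is not part of the paper: a small evaluator that applies the "VPN Routers" conditions and profile to a connection attempt. The attribute names are the policy conditions listed above; the request records, and the intranet interface address 172.16.0.1 used to model a tunnel started from inside, are constructed sample data.

```python
# Added example, not part of the paper: evaluator for the "VPN Routers" policy.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    nas_port_type: str           # condition: NAS-Port-Type
    windows_group: str           # condition: Windows-Groups
    called_station_id: str       # condition: Called-Station-ID
    auth_methods: frozenset      # profile, Authentication tab
    encryption: frozenset        # profile, Encryption tab

VPN_ROUTERS = Policy(
    name="VPN Routers",
    nas_port_type="Virtual (VPN)",
    windows_group="VPN_Routers",
    called_station_id="207.46.130.1",          # VPN server's Internet interface
    auth_methods=frozenset({"EAP-TLS", "MS-CHAP v2"}),
    encryption=frozenset({"Strong", "Strongest"}),
)

def evaluate(request, policy=VPN_ROUTERS):
    """Return (granted, reason) for one connection attempt.

    Every condition must match for the policy to apply; the profile then
    constrains authentication and encryption. The account's dial-in setting
    is assumed to be "Control access through Remote Access Policy".
    """
    if request.get("NAS-Port-Type") != policy.nas_port_type:
        return False, "NAS-Port-Type is not %s" % policy.nas_port_type
    if policy.windows_group not in request.get("Windows-Groups", ()):
        return False, "account is not a member of %s" % policy.windows_group
    if request.get("Called-Station-ID") != policy.called_station_id:
        return False, "tunnel was not initiated from the Internet"
    if request.get("Auth-Method") not in policy.auth_methods:
        return False, "authentication method not allowed by profile"
    if request.get("Encryption") not in policy.encryption:
        return False, "encryption level not allowed by profile"
    return True, "granted"

# Constructed sample requests: the Dallas router arriving on the Internet
# interface, and the same credentials used from inside the intranet
# (172.16.0.1 is an assumed intranet interface address of the VPN server).
DALLAS_FROM_INTERNET = {
    "NAS-Port-Type": "Virtual (VPN)", "Windows-Groups": ("VPN_Routers",),
    "Called-Station-ID": "207.46.130.1", "Auth-Method": "MS-CHAP v2",
    "Encryption": "Strongest",
}
DALLAS_FROM_INTRANET = dict(DALLAS_FROM_INTERNET, **{"Called-Station-ID": "172.16.0.1"})
```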

The following sections describe a PPTP-based on-demand branch office connection for the Dallas office and an L2TP-based on-demand branch office connection for the Portland office.

PPTP-based On-Demand Branch Office

The Dallas branch office is a PPTP-based branch office that uses a Windows 2000 router to create an on-demand, router-to-router VPN connection with the VPN server in New York as needed. When the connection is made and is idle for five minutes, the connection is terminated.

To deploy a PPTP, one-way initiated, on-demand, router-to-router VPN connection to the corporate office based on the settings configured in the "Common Configuration for the VPN Server" and "On-Demand Branch Office" sections of this paper, the following settings are configured on the Dallas router.

Demand-Dial Interface for the Connection to the ISP
To connect the Dallas office router to the Internet by using a local ISP, a demand-dial interface is created using the Demand-Dial Interface wizard with the following settings:

  • Interface name
    ISP

  • Connection type
    Connect using a modem, ISDN adapter, or other physical device is selected.

  • Select a device
    The appropriate ISDN device is selected.

  • Phone number or address
    Phone number of the ISP for the Dallas office.

  • Protocols and security
    The Route IP packets on this interface check box is selected.

  • Dial-out credentials
    User name: Dallas office ISP account name
    Password: Dallas office ISP account password
    Confirm password: Dallas office ISP account password

To run the Demand-Dial Interface wizard, right-click Routing Interfaces, and then click New Demand-Dial Interface.

Demand-Dial Interface for Router-to-Router VPN Connection
To connect the Dallas office router to the VPN server by using a router-to-router VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

  • Interface name
    CorpHQ

  • Connection type
    Connect using virtual private networking (VPN) is selected.

  • VPN type
    Point to Point Tunneling Protocol (PPTP) is selected.

  • Destination address
    207.46.130.1

  • Protocols and security
    The Route IP packets on this interface check box is selected.

  • Dial-out credentials
    User name: VPN_Dallas
    Domain: electronic.microsoft.com
    Password: nY7W{q8~=z3
    Confirm password: nY7W{q8~=z3

Static Route for Corporate Headquarters and Branch Offices
To make all locations on the corporate intranet reachable, the following static route is configured:

  • Interface: CorpHQ

  • Destination: 172.16.0.0

  • Network mask: 255.240.0.0

  • Metric: 1

To make all locations on Electronic, Inc. branch offices reachable, the following static route is configured:

  • Interface: CorpHQ

  • Destination: 192.168.0.0

  • Network mask: 255.255.0.0

  • Metric: 1

Static Route for Electronic, Inc. VPN Server
To create the connection to the Dallas ISP when the router-to-router VPN connection needs to be made, the following static route is configured:

  • Interface: ISP

  • Destination: 207.46.130.1

  • Network mask: 255.255.255.255

  • Metric: 1
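The two-stage lookup these routes produce, as an added example that is not part of the paper (the same table applies to the Portland router): traffic for the intranet matches the CorpHQ route, the CorpHQ interface's tunnel endpoint 207.46.130.1 then matches the host route over ISP, and that second match is what dials the ISDN link. The directly connected 192.168.28.0/24 route is assumed; the paper lists only the static routes.

```python
# Added example, not part of the paper: longest-prefix lookup over the Dallas
# router's routes and the demand-dial chain it produces.
import ipaddress

ROUTES = [
    ("192.168.28.0/24", "LAN",    0),  # assumed: directly connected Dallas subnet
    ("172.16.0.0/12",   "CorpHQ", 1),  # corporate intranet
    ("192.168.0.0/16",  "CorpHQ", 1),  # all branch offices
    ("207.46.130.1/32", "ISP",    1),  # VPN server's Internet address
]
# The CorpHQ demand-dial interface is a tunnel whose far end is itself routed.
TUNNEL_ENDPOINT = {"CorpHQ": "207.46.130.1"}

def lookup(dst, routes=ROUTES):
    """Return the outgoing interface for dst: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[2]):
            best = (net, iface, metric)
    return best[1] if best else None

def forward(dst, routes=ROUTES):
    """Return (interfaces brought up in order, True if a physical interface is reached)."""
    chain = []
    iface = lookup(dst, routes)
    while iface is not None and iface not in chain:
        chain.append(iface)
        endpoint = TUNNEL_ENDPOINT.get(iface)
        if endpoint is None:
            return chain, True           # physical interface: the packet can leave
        iface = lookup(endpoint, routes)  # tunnel: route to its far end first
    return chain, False                  # no route to the tunnel endpoint

# Without the host route, the tunnel endpoint is unreachable and the VPN never comes up.
WITHOUT_HOST_ROUTE = [r for r in ROUTES if r[1] != "ISP"]
```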

PPTP Packet Filters on the Demand-Dial Interface Connecting to ISP
To ensure that only PPTP-based traffic is allowed on the connection to the Internet, PPTP packet filters are configured on the ISP demand-dial interface. For more information, see the "Adding PPTP Packet Filters" procedure in Appendix A.

L2TP-based On-Demand Branch Office

The Portland branch office is an L2TP-based branch office that uses a Windows 2000 router to create an on-demand, router-to-router VPN connection with the VPN server in New York as needed. When the connection is made and is idle for five minutes, the connection is terminated.

To deploy an L2TP, one-way initiated, on-demand, router-to-router VPN connection to the corporate office based on the settings configured in the "Common Configuration for the VPN Server" and "On-Demand Branch Office" sections of this paper, the following settings are configured on the Portland router.

Certificate Configuration
The Portland router was configured by the Electronic, Inc. network administrator while it was physically connected to the Electronic, Inc. intranet and then shipped to the Portland site. While the Portland router was connected to the Electronic, Inc. intranet, a computer certificate was installed through auto-enrollment.

Demand-Dial Interface for the Connection to the ISP
To connect the Portland office router to the Internet by using a local ISP, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

  • Interface name
    ISP

  • Connection type
    Connect using a modem, ISDN adapter, or other physical device is selected.

  • Select a device
    The appropriate ISDN device is selected.

  • Phone number or address
    Phone number of the ISP for the Portland office.

  • Protocols and security
    The Route IP packets on this interface check box is selected.

  • Dial-out credentials
    User name: Portland office ISP account name
    Password: Portland office ISP account password
    Confirm password: Portland office ISP account password

To run the Demand-Dial Interface wizard, right-click Routing Interfaces, and then click New Demand-Dial Interface.

Demand-Dial Interface for Router-to-Router VPN Connection
To connect the Portland office router to the VPN server by using a router-to-router VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

  • Interface name
    CorpHQ

  • Connection type
    Connect using virtual private networking (VPN) is selected.

  • VPN type
    Point to Point Tunneling Protocol (PPTP) is selected.

  • Destination address
    207.46.130.1

  • Protocols and security
    The Route IP packets on this interface check box is selected.

  • Dial-out credentials
    User name: VPN_Portland
    Domain: electronic.microsoft.com
    Password: nY7W{q8~=z3
    Confirm password: nY7W{q8~=z3

Static Route for Corporate Headquarters and Branch Offices
To make all locations on the corporate intranet reachable, the following static route is configured:

  • Interface: CorpHQ

  • Destination: 172.16.0.0

  • Network mask: 255.240.0.0

  • Metric: 1

To make all locations on Electronic, Inc. branch offices reachable, the following static route is configured:

  • Interface: CorpHQ

  • Destination: 192.168.0.0

  • Network mask: 255.255.0.0

  • Metric: 1

Static Route for Electronic, Inc. VPN Server
To create the connection to the Portland ISP when the router-to-router VPN connection needs to be made, the following static route is configured:

  • Interface: ISP

  • Destination: 207.46.130.1

  • Network mask: 255.255.255.255

  • Metric: 1

L2TP Over IPSec Packet Filters on Demand-Dial Interface Connecting to ISP
To ensure that only L2TP over IPSec-based traffic is allowed on the connection to the Internet, L2TP over IPSec packet filters are configured on the ISP demand-dial interface. For more information, see the "Adding L2TP Packet Filters" procedure in Appendix A.