Extranet for Business Partners

The network administrator for Electronic, Inc. has created an extranet, a portion of the Electronic, Inc. private network that is available to business partners through secured VPN connections. The Electronic, Inc. extranet is the network attached to the Electronic, Inc. VPN server and contains a file server and a Web server. Parts distributors Tasmanian Traders and Parnell Aerospace are Electronic, Inc. business partners and connect to the Electronic, Inc. extranet by using on-demand, router-to-router VPN connections. An additional remote access policy is used to ensure that the business partners can only access the extranet file server and Web server.

The file server on the Electronic, Inc. extranet is configured with an IP address of 172.31.0.10 and the Web server is configured with an IP address of 172.31.0.11. Tasmanian Traders uses the public network ID of 131.107.254.0 with a subnet mask of 255.255.255.0. Parnell Aerospace uses the public network ID of 131.107.250.0 with a subnet mask of 255.255.255.0. To ensure that the extranet Web server and file server can reach the business partners, a static route to each business partner network, using the gateway address 172.31.0.1, is configured on both the file server and the Web server.

To simplify configuration, the VPN connection is a one-way initiated connection. The connection is always initiated by the business partner’s router. For more information, see the topic titled “One-Way Initiated Demand-Dial Connections” in Windows 2000 Server Help.

Figure 5 shows the Electronic, Inc. VPN server that provides extranet connections for business partners.

Figure 5: The Electronic, Inc. VPN server that provides extranet connections for business partners

To deploy the business partner on-demand, one-way initiated, router-to-router VPN connections that connect Tasmanian Traders and Parnell Aerospace to the Electronic, Inc. extranet, the following settings are configured in addition to those in the "Common Configuration for the VPN Server" section of this paper.

Domain Configuration
For the VPN connection to Tasmanian Traders, the user account PTR_Tasmanian is created with the following settings:

  • Password of Y8#-vR7?]fI.

  • For the dial-in properties on the PTR_Tasmanian account, the remote access permission is set to Control access through Remote Access Policy, and the static route 131.107.254.0 with a subnet mask of 255.255.255.0 is added. The VPN server installs this route only while the PTR_Tasmanian connection is up; it is how the VPN server learns the path back to the Tasmanian Traders network.

  • For the account properties on the PTR_Tasmanian account, the Password never expires account option is selected.

  • The PTR_Tasmanian account is added to the VPN_Partners group.

For the VPN connection to Parnell Aerospace, the user account PTR_Parnell is created with the following settings:

  • Password of W@8c^4r-;2\.

  • For the dial-in properties on the PTR_Parnell account, the remote access permission is set to Control access through Remote Access Policy, and the static route 131.107.250.0 with a subnet mask of 255.255.255.0 is added. The VPN server installs this route only while the PTR_Parnell connection is up; it is how the VPN server learns the path back to the Parnell Aerospace network.

  • For the account properties on the PTR_Parnell account, the Password never expires account option is selected.

  • The PTR_Parnell account is added to the VPN_Partners group.

Remote Access Policy Configuration
To define the authentication and encryption settings for business partner VPN connections, the following remote access policy is created:

  • Policy name: VPN Partners

  • Conditions:

    • NAS-Port-Type is set to Virtual (VPN).

    • Windows-Groups is set to VPN_Partners.

    • Called-Station-ID is set to 207.46.130.1.

  • Permission is set to Grant remote access permission.

  • Profile settings:

    • On the IP tab, the following TCP/IP packet filters are configured:

      From client:

      • Filter action: Deny all traffic except those listed below

      • Filter 1: Destination network IP address of 172.31.0.10 and subnet mask of 255.255.255.255

      • Filter 2: Destination network IP address of 172.31.0.11 and subnet mask of 255.255.255.255

      To client:

      • Filter action: Deny all traffic except those listed below

      • Filter 1: Source network IP address of 172.31.0.10 and subnet mask of 255.255.255.255

      • Filter 2: Source network IP address of 172.31.0.11 and subnet mask of 255.255.255.255

  • Authentication tab: Extensible Authentication Protocol is selected and Smartcard or other certificate (TLS) is configured to use the installed machine certificate. Microsoft Encrypted Authentication version 2 (MS-CHAP v2) is also selected.

  • Encryption tab: Strong and Strongest are the only options that are selected.

Note: The Called-Station-ID is set to the IP address of the Internet interface for the VPN server. Only tunnels initiated from the Internet are allowed. Tunnels initiated from the Electronic, Inc. intranet are not permitted. Electronic, Inc. users that require Internet access from the Electronic, Inc. intranet must go through the Electronic, Inc. proxy server (not shown), where Internet access is controlled and monitored.
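The policy above is applied in two stages: the conditions decide whether the VPN Partners policy applies to a connection attempt at all, and the profile's IP filters then decide which packets may cross the tunnel once it is up. The following Python script is an added example (it is not code from this paper or from Windows 2000) that models both stages with the values listed above. The connection request, the group membership set and the sample packets are constructed for the example; 131.107.254.5 stands in for a host on the Tasmanian Traders network and 10.0.0.1 for an address that is not the VPN server's Internet interface.

```python
import ipaddress
from dataclasses import dataclass, field


def in_net(addr, net, mask):
    """True when addr lies inside net/mask (RRAS filters use dotted masks, not prefix lengths)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (n & m)


@dataclass
class Policy:
    name: str
    conditions: dict                                  # attribute -> required value (all must match)
    grant: bool                                       # Grant / Deny remote access permission
    from_client: list = field(default_factory=list)   # allowed (destination net, mask) pairs
    to_client: list = field(default_factory=list)     # allowed (source net, mask) pairs


# The "VPN Partners" policy with the conditions and filters the text lists.
VPN_PARTNERS = Policy(
    name="VPN Partners",
    conditions={
        "NAS-Port-Type": "Virtual (VPN)",
        "Windows-Groups": "VPN_Partners",
        "Called-Station-ID": "207.46.130.1",
    },
    grant=True,
    from_client=[("172.31.0.10", "255.255.255.255"), ("172.31.0.11", "255.255.255.255")],
    to_client=[("172.31.0.10", "255.255.255.255"), ("172.31.0.11", "255.255.255.255")],
)


def match_policy(policies, request):
    """Return the first policy whose conditions the connection request all satisfy, or None.

    request maps attribute names to values; Windows-Groups is the set of groups the
    account belongs to, and the condition matches when the required group is in that set."""
    for policy in policies:
        for attr, wanted in policy.conditions.items():
            actual = request.get(attr)
            if attr == "Windows-Groups":
                if wanted not in (actual or set()):
                    break
            elif actual != wanted:
                break
        else:
            return policy
    return None


def authorize(policies, request):
    """Outcome for an account set to 'Control access through Remote Access Policy':
    the first matching policy decides; no matching policy means the attempt is rejected."""
    policy = match_policy(policies, request)
    if policy is None:
        return "reject: no matching policy"
    return f"accept: {policy.name}" if policy.grant else f"reject: {policy.name}"


def filter_packet(policy, direction, src, dst):
    """Apply the profile's 'Deny all traffic except those listed below' filters.

    'from_client' filters are keyed on the destination address, 'to_client' filters on
    the source address, exactly as the two filter lists above are written."""
    if direction == "from_client":
        allowed, addr = policy.from_client, dst
    elif direction == "to_client":
        allowed, addr = policy.to_client, src
    else:
        raise ValueError(direction)
    return any(in_net(addr, net, mask) for net, mask in allowed)


if __name__ == "__main__":
    # Constructed connection request for the Tasmanian Traders router dialing in.
    request = {"User-Name": "PTR_Tasmanian", "NAS-Port-Type": "Virtual (VPN)",
               "Windows-Groups": {"VPN_Partners"}, "Called-Station-ID": "207.46.130.1"}
    print(authorize([VPN_PARTNERS], request))
    # Same account, but the tunnel arrived on an interface other than 207.46.130.1.
    print(authorize([VPN_PARTNERS], {**request, "Called-Station-ID": "10.0.0.1"}))
    # Constructed packets once the tunnel is up.
    for direction, src, dst in [("from_client", "131.107.254.5", "172.31.0.10"),
                                ("from_client", "131.107.254.5", "172.31.0.12"),
                                ("to_client", "172.31.0.11", "131.107.254.5"),
                                ("to_client", "172.31.0.1", "131.107.254.5")]:
        verdict = "forward" if filter_packet(VPN_PARTNERS, direction, src, dst) else "drop"
        print(f"{direction:11} {src:>14} -> {dst:<14} {verdict}")
```

Note that the profile filters as listed match on address only: a partner host can reach every port on 172.31.0.10 and 172.31.0.11, and nothing else on the extranet. Restricting the partners to, say, HTTP on the Web server would mean adding protocol and port fields to each filter, which the policy above does not do.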

The following sections describe a PPTP-based extranet for the business partner Tasmanian Traders and an L2TP-based extranet for the business partner Parnell Aerospace.

PPTP-based Extranet for Business Partners

Tasmanian Traders is a business partner that uses a Windows 2000 router to create an on-demand, PPTP-based, router-to-router VPN connection with the Electronic, Inc. VPN server in New York as needed. Once created, the connection is terminated after it has been idle for five minutes. The Tasmanian Traders router is connected to the Internet by using a permanent WAN connection.

To deploy a PPTP, one-way initiated, on-demand, router-to-router VPN connection to the corporate office based on the settings configured in the "Common Configuration for the VPN Server" and "Extranet for Business Partners" sections of this paper, the following settings are configured on the Tasmanian Traders router.

Demand-Dial Interface for Router-to-Router VPN Connection
To connect the Tasmanian Traders router to the Electronic, Inc. VPN server by using a router-to-router VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

  • Interface name
    Electronic

  • Connection type
    Connect using virtual private networking (VPN) is selected.

  • VPN type
    Point to Point Tunneling Protocol (PPTP) is selected.

  • Destination address
    207.46.130.1 (This is the IP address of the Electronic, Inc. VPN server’s interface on the Internet).

  • Protocols and security
    The Route IP packets on this interface check box is selected.

  • Dial-out credentials
    User name: PTR_Tasmanian
    Domain: electronic.microsoft.com
    Password: Y8#-vR7?]fI
    Confirm password: Y8#-vR7?]fI

Static Route for Electronic, Inc. Extranet
To make all locations on the Electronic, Inc. extranet reachable, the following static route is configured:

  • Interface: Electronic

  • Destination: 172.31.0.0

  • Network mask: 255.255.0.0

  • Metric: 1

PPTP Packet Filters on the Internet Interface
To ensure that only PPTP-based traffic is allowed on the connection to the Internet, PPTP packet filters are configured on the Internet interface. For more information, see the "Adding PPTP Packet Filters" procedure in Appendix A.

L2TP-based Extranet for Business Partners

Parnell Aerospace is a business partner that uses a Windows 2000 router to create an on-demand, L2TP-based, router-to-router VPN connection with the Electronic, Inc. VPN server in New York as needed. Once created, the connection is terminated after it has been idle for five minutes. The Parnell Aerospace router is connected to the Internet by using a permanent WAN connection.

To deploy an L2TP, one-way initiated, on-demand, router-to-router VPN connection to the corporate office based on the settings configured in the "Common Configuration for the VPN Server" and "Extranet for Business Partners" sections of this paper, the following settings are configured on the Parnell Aerospace router.

Certificate Configuration
The Parnell Aerospace router was configured by the Electronic, Inc. network administrator while physically connected to the Electronic, Inc. intranet and then shipped to the network administrator at Parnell Aerospace. While the router was connected to the Electronic, Inc. intranet, a computer certificate was installed through auto-enrollment. This certificate authenticates the IPSec security association that protects the L2TP tunnel.

Demand-Dial Interface for Router-to-Router VPN Connection
To connect the Parnell Aerospace router to the Electronic, Inc. VPN server by using a router-to-router VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

  • Interface name
    Electronic

  • Connection type
    Connect using virtual private networking (VPN) is selected.

  • VPN type
    Layer-2 Tunneling Protocol (L2TP) is selected.

  • Destination address
    207.46.130.1 (This is the IP address of the Electronic, Inc. VPN server’s interface on the Internet).

  • Protocols and security
    The Route IP packets on this interface check box is selected.

  • Dial-out credentials
    User name: PTR_Parnell
    Domain: electronic.microsoft.com
    Password: W@8c^4r-;2\
    Confirm password: W@8c^4r-;2\

Static Route for Electronic, Inc. Extranet
To make all locations on the Electronic, Inc. extranet reachable, the following static route is configured:

  • Interface: Electronic

  • Destination: 172.31.0.0

  • Network mask: 255.255.0.0

  • Metric: 1
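Three routing tables cooperate to carry traffic between a partner network and the extranet servers: the demand-dial route for 172.31.0.0/16 on the partner router (the static route just listed, and the matching one for Tasmanian Traders), the dial-in static route that the PTR_Tasmanian or PTR_Parnell account installs on the VPN server while the connection is up, and the static routes on the file server and Web server that point back to the partner networks through 172.31.0.1. The script below is an added example, not configuration from the paper, that performs the longest-prefix-match lookup each of those hosts does and traces a packet from a Tasmanian Traders host to the file server and the reply back. The interface names, the VPN server's 172.31.0.0/24 extranet subnet, the partner LAN 131.107.254.0/24 and the partner router's default route to its WAN connection are assumptions made for the example.

```python
import ipaddress


def lookup(table, dst):
    """Longest-prefix match over a list of (network, dotted mask, via) routes.

    Returns the via of the most specific matching route, or None when nothing matches.
    Contiguous dotted masks compare correctly as integers: more prefix bits, larger value."""
    d = int(ipaddress.IPv4Address(dst))
    best_mask, best_via = -1, None
    for net, mask, via in table:
        n = int(ipaddress.IPv4Address(net))
        m = int(ipaddress.IPv4Address(mask))
        if (d & m) == (n & m) and m > best_mask:
            best_mask, best_via = m, via
    return best_via


def build_tables(partner_connected, file_server_static_routes=True):
    """Routing tables of the three hosts on the Tasmanian Traders path.

    partner_connected models whether the one-way initiated connection is up, which is
    the only time the dial-in static route exists on the VPN server."""
    partner_router = [
        ("172.31.0.0", "255.255.0.0", "Electronic"),       # demand-dial route from the text
        ("131.107.254.0", "255.255.255.0", "LAN"),         # assumed: directly connected LAN
        ("0.0.0.0", "0.0.0.0", "Internet"),                # assumed: default route to the WAN
    ]
    vpn_server = [("172.31.0.0", "255.255.255.0", "Extranet")]   # assumed: connected subnet
    if partner_connected:
        # installed from the PTR_Tasmanian account's dial-in static route while connected
        vpn_server.append(("131.107.254.0", "255.255.255.0", "PTR_Tasmanian"))
    file_server = [("172.31.0.0", "255.255.255.0", "Extranet")]  # assumed: connected subnet
    if file_server_static_routes:
        file_server += [
            ("131.107.254.0", "255.255.255.0", "172.31.0.1"),  # static routes from the text,
            ("131.107.250.0", "255.255.255.0", "172.31.0.1"),  # gateway is the VPN server
        ]
    return {"partner": partner_router, "vpn": vpn_server, "file": file_server}


# Where each outgoing interface or gateway leads in this three-host model (assumed).
NEXT = {
    "partner": {"Electronic": "vpn", "LAN": "delivered", "Internet": "lost"},
    "vpn": {"Extranet": "delivered", "PTR_Tasmanian": "partner"},
    "file": {"172.31.0.1": "vpn", "Extranet": "delivered"},
}


def trace(tables, start, dst):
    """Hops (host, via) a packet to dst takes from start.

    Ends with ('delivered', None), ('lost', None) when it leaves the model, or
    (host, None) when that host has no route for it."""
    node, hops = start, []
    while node in tables and len(hops) < 8:
        via = lookup(tables[node], dst)
        hops.append((node, via))
        if via is None:
            return hops
        node = NEXT[node][via]
    hops.append((node, None))
    return hops


if __name__ == "__main__":
    # Constructed addresses: 131.107.254.5 is a Tasmanian Traders host, 172.31.0.10 the file server.
    for connected in (True, False):
        t = build_tables(partner_connected=connected)
        print(f"connection up={connected}")
        print("  partner -> file server:", trace(t, "partner", "172.31.0.10"))
        print("  file server -> partner:", trace(t, "file", "131.107.254.5"))
    t = build_tables(partner_connected=True, file_server_static_routes=False)
    print("no static routes on file server:", trace(t, "file", "131.107.254.5"))
```

Running it with partner_connected=False shows why the connection has to be initiated from the partner side: until the dial-in route is installed, the VPN server has no route to 131.107.254.0/24 and the reply stops there. Removing the file server's static routes shows the reply failing one hop earlier; in this model the file server has no default route, which the paper does not state either way.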

L2TP over IPSec Packet Filters on the Internet Interface
To ensure that only L2TP over IPSec-based traffic is allowed on the connection to the Internet, L2TP over IPSec packet filters are configured on the Internet interface. For more information, see the "Adding L2TP Packet Filters" procedure in Appendix A.