Extranet for Business Partners (VPN with Windows Server 2003)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The network administrator for Electronic, Inc. has created an extranet, a portion of the Electronic, Inc. private network that is available to business partners through secured VPN connections. The Electronic, Inc. extranet is the network attached to the Electronic, Inc. VPN server and contains a file server and a Web server. Parts distributors Tasmanian Traders and Parnell Aerospace are Electronic, Inc. business partners and connect to the Electronic, Inc. extranet by using on-demand, site-to-site VPN connections. An additional remote access policy is used to ensure that the business partners can only access the extranet file server and Web server.

The file server on the Electronic, Inc. extranet is configured with an IP address of 172.31.0.10 and the Web server is configured with an IP address of 172.31.0.11. Tasmanian Traders uses the public network ID of 131.107.254.0 with a subnet mask of 255.255.255.0. Parnell Aerospace uses the public network ID of 131.107.250.0 with a subnet mask of 255.255.255.0. To ensure that the extranet Web server and file server can reach the business partners, static routes are configured on the file server and Web server for each of the business partner networks that use the gateway address of 172.31.0.1.

To simplify configuration, the VPN connection is a one-way initiated connection. The business partner's router always initiates the connection. For more information, see the topic titled One-Way Initiated Demand-Dial Connections in Windows Server 2003 Help and Support.

Figure 5 shows the Electronic, Inc. VPN server that provides extranet connections for business partners.

Figure 5: The Electronic, Inc. VPN server that provides extranet connections for business partners

To deploy business partner, on-demand, one-way initiated, site-to-site VPN connections to connect Tasmanian Traders and Parnell Aerospace to the Electronic, Inc. extranet based on the settings configured in the Common Configuration for the VPN Server section of this paper, the following additional settings are configured.

Domain Configuration

For the VPN connection to Tasmanian Traders, the user account PTR_Tasmanian is created with the following settings:

  • Password of Y8#-vR7?]fI.

  • For the account properties of the PTR_Tasmanian account, the User must change password at next logon option is cleared and Password never expires option is selected.

  • For the dial-in properties on the PTR_Tasmanian account, the remote access permission is set to Control access through Remote Access Policy and the static route 131.107.254.0 with a subnet mask 255.255.255.0 is added.

  • The PTR_Tasmanian account is added to the VPN_Partners group.

For the VPN connection to Parnell Aerospace, the user account PTR_Parnell is created with the following settings:

  • Password of W@8c^4r-;2\.

  • For the account properties of the PTR_Parnell account, the User must change password at next logon option is cleared and Password never expires option is selected.

  • For the dial-in properties on the PTR_Parnell account, the remote access permission is set to Control access through Remote Access Policy and the static route 131.107.250.0 with a subnet mask 255.255.255.0 is added.

  • The PTR_Parnell account is added to the VPN_Partners group.

Remote Access Policy Configuration

To define the authentication and encryption settings for business partner VPN connections, the following remote access policy is created:

  • Policy name: VPN Partners

  • Access method: VPN

  • User or Group Access: Group with the EXAMPLE\VPN_Partners group selected

  • Authentication Methods: Extensible Authentication Protocol with the Smart card or other Certificate type and Microsoft Encrypted Authentication version 2 (MS-CHAP v2) selected

  • Policy Encryption Level: Strong encryption and Strongest encryption selected

After the remote access policy is created, its configuration is modified in the following way:

  • On the IP tab of the profile settings, the following TCP/IP packet filters are configured:

Input Filters:

  • Filter action: Deny all traffic except those listed below

  • Filter 1: Destination network IP address of 172.31.0.10 and subnet mask of 255.255.255.255

  • Filter 2: Destination network IP address of 172.31.0.11 and subnet mask of 255.255.255.255

Output Filters:

  • Filter action: Deny all traffic except those listed below

  • Filter 1: Source network IP address of 172.31.0.10 and subnet mask of 255.255.255.255

  • Filter 2: Source network IP address of 172.31.0.11 and subnet mask of 255.255.255.255
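The input and output filters above implement a deny-by-default profile: a packet crossing a partner connection passes only if its destination (inbound) or source (outbound) is one of the two listed extranet hosts. The following added example, written for this page and not part of the original paper or of any Windows component, models those filter semantics in Python and runs them over a handful of constructed packets so the effect of the "Deny all traffic except those listed below" action can be checked. The sample addresses are taken from the page; the packet list and the "permit"/"deny" labels are this example's own.

```python
import ipaddress

# Constructed model (this example's own, not a Windows API) of the profile
# packet filters on the "VPN Partners" remote access policy: the filter
# action is "deny all traffic except those listed below", and the only
# entries are the two extranet hosts with a 255.255.255.255 mask.
EXTRANET_HOSTS = ("172.31.0.10", "172.31.0.11")
HOST_MASK = "255.255.255.255"


def filter_network(address, mask):
    """Return the network object described by a filter's address and mask."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


# Input filters match the destination of packets arriving over the partner's
# connection; output filters match the source of packets leaving toward it.
INPUT_FILTERS = [("dst", filter_network(h, HOST_MASK)) for h in EXTRANET_HOSTS]
OUTPUT_FILTERS = [("src", filter_network(h, HOST_MASK)) for h in EXTRANET_HOSTS]


def permitted(filters, src, dst):
    """Deny-by-default: the packet passes only if some filter entry matches."""
    fields = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}
    return any(fields[field] in network for field, network in filters)


def input_allowed(src, dst):
    """Partner -> extranet direction (input filters)."""
    return permitted(INPUT_FILTERS, src, dst)


def output_allowed(src, dst):
    """Extranet -> partner direction (output filters)."""
    return permitted(OUTPUT_FILTERS, src, dst)


def decide(direction, src, dst):
    """Return "permit" or "deny" for one packet in the given direction."""
    allowed = input_allowed(src, dst) if direction == "input" else output_allowed(src, dst)
    return "permit" if allowed else "deny"


# Constructed sample packets: (direction, source, destination).
SAMPLE_PACKETS = [
    ("input", "131.107.254.20", "172.31.0.10"),   # Tasmanian host to the file server
    ("input", "131.107.250.7", "172.31.0.11"),    # Parnell host to the Web server
    ("input", "131.107.254.20", "172.31.0.1"),    # partner host to the 172.31.0.1 gateway
    ("input", "131.107.250.7", "172.31.0.25"),    # partner host to an unlisted extranet host
    ("output", "172.31.0.11", "131.107.250.7"),   # Web server reply to a partner host
    ("output", "172.31.0.25", "131.107.254.20"),  # unlisted extranet host toward a partner
]


def evaluate(packets=SAMPLE_PACKETS):
    """Apply the filters to each packet and return (packet, decision) pairs."""
    return [(pkt, decide(*pkt)) for pkt in packets]


if __name__ == "__main__":
    for (direction, src, dst), decision in evaluate():
        print(f"{direction:6} {src:>15} -> {dst:<15} {decision}")
```

Note that the output filters key on the source address, so a reply from the Web server is permitted while any other extranet host (the 172.31.0.25 sample) is blocked from reaching the partner even though a partner host could never have reached it in the first place; the two filter sets together confine the partner to exactly the file server and Web server in both directions.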

The following sections describe a PPTP-based extranet for the business partner Tasmanian Traders and an L2TP/IPSec-based extranet for the business partner Parnell Aerospace.

PPTP-based Extranet for Business Partners

Tasmanian Traders is a business partner that uses a Windows Server 2003 router to create an on-demand, PPTP-based, site-to-site VPN connection with the Electronic, Inc. VPN server in New York as needed. When the connection is created and is idle for five minutes, the connection is terminated. The Tasmanian Traders router is connected to the Internet by using a permanent WAN connection.

To deploy a PPTP, one-way initiated, on-demand, site-to-site VPN connection to the corporate office based on the settings configured in the Common Configuration for the VPN Server and Extranet for Business Partners sections of this paper, the following settings are configured on the Tasmanian Traders router.

Demand-Dial Interface for Site-to-Site VPN Connection

To connect the Tasmanian Traders router to the Electronic, Inc. VPN server by using a site-to-site VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

  • Interface Name: Electronic

  • Connection Type: Connect using virtual private networking (VPN)

  • VPN Type: Point to Point Tunneling Protocol (PPTP)

  • Destination Address: 207.46.130.1

  • Protocols and Security: The Route IP packets on this interface check box is selected.

  • Static Routes for Remote Networks

    To make all locations on the Electronic, Inc. extranet reachable, the following static route is configured:

    Destination: 172.31.0.0

    Network mask: 255.255.0.0

    Metric: 1

  • Dial Out Credentials

    User name: PTR_Tasmanian

    Domain: electronic.example.com

    Password: Y8#-vR7?]fI

    Confirm password: Y8#-vR7?]fI

L2TP/IPSec-based Extranet for Business Partners

Parnell Aerospace is a business partner that uses a Windows Server 2003 router to create an on-demand, L2TP/IPSec-based, site-to-site VPN connection with the Electronic, Inc. VPN server in New York as needed. When the connection is created and is idle for five minutes, the connection is terminated. The Parnell Aerospace router is connected to the Internet by using a permanent WAN connection.

To deploy an L2TP/IPSec, one-way initiated, on-demand, site-to-site VPN connection to the corporate office based on the settings configured in the Common Configuration for the VPN Server and Extranet for Business Partners sections of this paper, the following settings are configured on the Parnell Aerospace router:

Certificate Configuration

The Parnell Aerospace router was configured by the Electronic, Inc. network administrator while physically connected to the Electronic, Inc. intranet and then shipped to the network administrator at Parnell Aerospace. While the Parnell Aerospace router was connected to the Electronic, Inc. intranet, a computer certificate was installed through auto-enrollment.

Demand-Dial Interface for Site-to-Site VPN Connection

To connect the Parnell Aerospace router to the Electronic, Inc. VPN server by using a site-to-site VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface wizard with the following settings:

  • Interface Name: Electronic

  • Connection Type: Connect using virtual private networking (VPN)

  • VPN Type: Layer 2 Tunneling Protocol (L2TP)

  • Destination Address: 207.46.130.1

  • Protocols and Security: The Route IP packets on this interface check box is selected.

  • Static Routes for Remote Networks

    To make all locations on the Electronic, Inc. extranet reachable, the following static route is configured:

    Destination: 172.31.0.0

    Network mask: 255.255.0.0

    Metric: 1

  • Dial Out Credentials:

    User name: PTR_Parnell

    Domain: electronic.example.com

    Password: W@8c^4r-;2\

    Confirm password: W@8c^4r-;2\
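Three sets of static routes make the extranet reachable end to end: the demand-dial route to 172.31.0.0/255.255.0.0 on each partner router (the Static Routes for Remote Networks settings above, for both Tasmanian Traders and Parnell Aerospace), the dial-in static routes on the PTR_Tasmanian and PTR_Parnell accounts that give the VPN server a route back to each partner network, and the routes on the file server and Web server that send partner traffic to the 172.31.0.1 gateway. The following added example, written for this page and not part of the original paper, models those tables in Python and traces a packet hop by hop in each direction, then removes a single route to show which leg breaks. The node names, the "directly attached" labels and the assumption that the extranet is the 172.31.0.0/16 network covered by the demand-dial route are this example's own; the addresses come from the page.

```python
import ipaddress

# Constructed routing tables (this example's own; node names are invented)
# modelling the routes the page configures. The extranet is assumed to be
# the 172.31.0.0/16 network that the demand-dial static route covers.


def net(address, mask):
    """Network object from a dotted address and dotted mask, as the wizard shows them."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


EXTRANET = net("172.31.0.0", "255.255.0.0")
TASMANIAN_LAN = net("131.107.254.0", "255.255.255.0")
PARNELL_LAN = net("131.107.250.0", "255.255.255.0")
DEFAULT = net("0.0.0.0", "0.0.0.0")

# Each entry maps a network to the next node, or to a string naming the
# directly attached network that delivers the packet.
TABLES = {
    "tasmanian_router": [
        (TASMANIAN_LAN, "Tasmanian LAN"),
        (EXTRANET, "vpn_server"),             # demand-dial interface "Electronic", metric 1
        (DEFAULT, "Internet"),                # permanent WAN connection
    ],
    "parnell_router": [
        (PARNELL_LAN, "Parnell LAN"),
        (EXTRANET, "vpn_server"),             # demand-dial interface "Electronic", metric 1
        (DEFAULT, "Internet"),
    ],
    "vpn_server": [
        (EXTRANET, "extranet LAN"),
        (TASMANIAN_LAN, "tasmanian_router"),  # dial-in static route on PTR_Tasmanian
        (PARNELL_LAN, "parnell_router"),      # dial-in static route on PTR_Parnell
    ],
}
# The file server and Web server carry the same two static routes via 172.31.0.1.
for server in ("file_server", "web_server"):
    TABLES[server] = [
        (EXTRANET, "extranet LAN"),
        (TASMANIAN_LAN, "vpn_server"),        # static route via gateway 172.31.0.1
        (PARNELL_LAN, "vpn_server"),          # static route via gateway 172.31.0.1
    ]


def lookup(node, dst, tables=TABLES):
    """Longest-prefix match on one node's table; None when nothing matches."""
    address = ipaddress.ip_address(dst)
    candidates = [(network.prefixlen, hop) for network, hop in tables[node] if address in network]
    return max(candidates)[1] if candidates else None


def trace(start, dst, tables=TABLES, max_hops=8):
    """Follow next hops from `start` until a directly attached network or a dead end."""
    path = [start]
    node = start
    for _ in range(max_hops):
        hop = lookup(node, dst, tables)
        if hop is None:
            path.append("no route")
            return path
        path.append(hop)
        if hop not in tables:      # a directly attached network: delivered
            return path
        node = hop
    path.append("loop")
    return path


def without_route(tables, node, network):
    """Copy of the tables with one route removed, to show what that route provides."""
    copy = {name: list(entries) for name, entries in tables.items()}
    copy[node] = [entry for entry in copy[node] if entry[0] != network]
    return copy


if __name__ == "__main__":
    print("partner -> file server :", trace("tasmanian_router", "172.31.0.10"))
    print("file server -> partner :", trace("file_server", "131.107.254.20"))
    broken = without_route(TABLES, "file_server", TASMANIAN_LAN)
    print("without server route   :", trace("file_server", "131.107.254.20", broken))
```

The forward direction needs only the partner router's demand-dial route, but the return path depends on two routes the page configures separately: without the server's static route to the partner network the reply never leaves the file server, and without the dial-in static route on the partner's account the VPN server has nowhere to send it.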