Binarycse - Computing For Everyone

Sun 05/20/2012, last update 09:47:49 AM

How To Configure VPN

A VPN can carry voice, data, and video over secure, encrypted private channels across a public network. Many VPN client programs are configured so that all IP traffic must pass through the VPN tunnel before reaching its destination.

VPN Features

A VPN connection can provide the following features:

• Global networking
• Broadband network compatibility system
• Secure communication
• Cost-effective solution for corporate offices
• Reduced operational cost
• Faster return on investment

Configuration Of VPN Using Windows Server 2003 - Server Side

Windows Server 2003 can act as a router on your network and provide remote access services to users outside your network. Routing And Remote Access (RRAS) in Windows Server 2003 provides VPN, routing, NAT, dial-up and basic firewall services. On Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1,000 Point-to-Point Tunneling Protocol (PPTP) ports and up to 1,000 Layer Two Tunneling Protocol (L2TP) ports. However, Windows Server 2003, Web Edition, can accept only one virtual private network (VPN) connection at a time. Windows Server 2003, Standard Edition, can accept up to 1,000 concurrent VPN connections. If 1,000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1,000.


A VPN server running Windows Server 2003 provides support for both Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP). When choosing between PPTP-based and L2TP/IPSec remote access VPN solutions, consider the following. PPTP can be used with a variety of Microsoft clients including Windows 95 (with the Dial-up Networking Upgrade 1.3 and later), Windows 98, Windows Millennium Edition, Windows NT 4.0, Windows 2000, and Windows XP. PPTP does not require a public key infrastructure (PKI) to issue computer certificates. By using encryption, PPTP-based VPN connections provide data confidentiality (captured packets cannot be interpreted without the encryption key). PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).


L2TP can only be used with client computers running Windows 2000 or Windows XP. L2TP supports either computer certificates or a preshared key as the authentication method for Internet Protocol security (IPSec). Computer certificate authentication, the recommended authentication method, requires a PKI to issue computer certificates to the VPN server computer and all VPN client computers. By using IPSec, L2TP/IPSec VPN connections provide data confidentiality, data integrity, and data authentication.
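The difference between the two property sets just described (confidentiality alone versus confidentiality plus data integrity plus data origin authentication) is easy to see in code. The following Python is an added example; it is not from the original page and is not MPPE, IPSec or any Microsoft code. A toy keystream cipher stands in for an encrypt-only tunnel, and HMAC-SHA256 over the ciphertext stands in for the integrity check that an IPSec ESP receiver performs. The keys, nonce and message are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample keys and nonce. In a real tunnel these come from the
# key exchange (MPPE for PPTP, IKE for IPSec), never from fixed strings.
ENC_KEY = b"constructed-encryption-key-demo"
MAC_KEY = b"constructed-integrity-key-demo"
NONCE = b"\x00" * 8

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode PRF: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher XOR: gives confidentiality, but nothing detects a changed byte."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))

decrypt_only = encrypt_only  # XOR with the same keystream undoes itself

def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes,
                     data: bytes) -> Tuple[bytes, bytes]:
    """Encrypt, then authenticate the ciphertext (the ESP-style construction)."""
    ct = encrypt_only(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag

def verify_then_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes,
                        ct: bytes, tag: bytes) -> Optional[bytes]:
    """Return None unless the tag proves the ciphertext is unmodified and was
    produced by a holder of mac_key; only then decrypt."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt_only(enc_key, nonce, ct)

def corrupt_byte(data: bytes, index: int) -> bytes:
    """Simulate one byte altered in transit (low bit flipped)."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)

def demo() -> dict:
    msg = b"GET /intranet/payroll HTTP/1.1"   # constructed sample payload
    # Encrypt-only tunnel: a modified ciphertext decrypts without any error;
    # the receiver simply gets different bytes ('/' at index 4 becomes '.').
    ct = encrypt_only(ENC_KEY, NONCE, msg)
    silently_accepted = decrypt_only(ENC_KEY, NONCE, corrupt_byte(ct, 4))
    # Encrypt-then-MAC tunnel: the same modification is rejected outright.
    ct2, tag = encrypt_then_mac(ENC_KEY, MAC_KEY, NONCE, msg)
    tampered = verify_then_decrypt(ENC_KEY, MAC_KEY, NONCE, corrupt_byte(ct2, 4), tag)
    # Data origin authentication: a tag made under any other key is rejected too.
    other_tag = hmac.new(b"some-other-key", NONCE + ct2, hashlib.sha256).digest()
    wrong_origin = verify_then_decrypt(ENC_KEY, MAC_KEY, NONCE, ct2, other_tag)
    genuine = verify_then_decrypt(ENC_KEY, MAC_KEY, NONCE, ct2, tag)
    return {"silently_accepted": silently_accepted, "tampered": tampered,
            "wrong_origin": wrong_origin, "genuine": genuine}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18}: {value!r}")
```

The point of the encrypt-only case is that the receiver has no error to log: the corrupted packet is delivered as ordinary application data, so modification in transit is invisible to both the VPN server and the intranet host behind it. With the tag in place, the receiver drops the packet before decrypting, which is also what makes such events detectable in logs.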

Configuration Of Firewall

If you have a firewall, you must configure packet filters on the firewall to allow traffic between VPN clients on the Internet and the VPN server.

• VPN server in front of the firewall. The VPN server is attached to the Internet, and the firewall is between the VPN server and the intranet.
• VPN server behind the firewall. The firewall is attached to the Internet, and the VPN server is between the firewall and the intranet.


VPN server in front of the firewall

When the VPN server is in front of the firewall and attached to the Internet, you need to add packet filters to the Internet interface that allow only VPN traffic to and from the IP address of the VPN server's Internet interface.

For inbound traffic, when the tunneled data is decrypted by the VPN server, it is forwarded to the firewall. Through the use of its filters, the firewall allows the traffic to be forwarded to intranet resources. Because the only traffic that crosses the VPN server is generated by authenticated VPN clients, in this scenario, firewall filtering can be used to prevent VPN users from accessing specific intranet resources. Because the only Internet traffic allowed on the intranet must pass through the VPN server, this approach also prevents the sharing of File Transfer Protocol (FTP) or Web intranet resources with non-VPN Internet users.

VPN server behind the firewall

In a more common configuration, the firewall is attached to the Internet, and the VPN server is an intranet resource that is attached to the perimeter network. The VPN server has an interface on both the perimeter network and the intranet. In this scenario, the firewall must be configured with input and output filters on its Internet interface that allow tunnel maintenance traffic and tunneled data to pass to the VPN server. Additional filters can allow traffic to pass to Web, FTP, and other types of servers on the perimeter network. For an additional layer of security, the VPN server can also be configured with PPTP or L2TP/IPSec packet filters on its perimeter network interface.

Because the firewall does not have the encryption keys for each VPN connection, it can filter only on the plain text headers of the tunneled data. In other words, all tunneled data passes through the firewall. This is not a security concern, however, because the VPN connection requires an authentication process that prevents unauthorized access beyond the VPN server.
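The packet filters both topologies call for can be modelled and checked before they are typed into a firewall or into RRAS. The following Python is an added example, not code from the original page or from Windows Server 2003. The addresses are constructed placeholders; `VPN_SERVER` stands for the VPN server's Internet interface (server in front of the firewall) or the address the firewall forwards VPN traffic to (server behind the firewall). The ports and IP protocol numbers, which the page does not list, are the standard ones for PPTP (TCP 1723 for tunnel maintenance, GRE for tunneled data) and L2TP/IPSec (UDP 500 for IKE, UDP 4500 for NAT traversal, ESP for tunneled data).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "gre", "esp", ...
    sport: Optional[int] = None   # None for port-less protocols (GRE, ESP)
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    direction: str            # "in" = from the Internet, "out" = to the Internet
    proto: str
    vpn_port: Optional[int]   # port on the VPN server's side; None = port-less
    comment: str

# Constructed placeholder addresses (RFC 5737 documentation ranges).
VPN_SERVER = "203.0.113.10"   # the VPN server's Internet-facing address
CLIENT = "198.51.100.7"       # a VPN client somewhere on the Internet
OTHER_HOST = "203.0.113.20"   # another host on the VPN server's subnet

def vpn_filters(pptp: bool = True, l2tp_ipsec: bool = True) -> List[Rule]:
    """Filters that admit only tunnel maintenance traffic and tunneled data."""
    rules: List[Rule] = []
    if pptp:
        rules += [
            Rule("in",  "tcp", 1723, "PPTP tunnel maintenance to the server"),
            Rule("out", "tcp", 1723, "PPTP tunnel maintenance from the server"),
            Rule("in",  "gre", None, "PPTP tunneled data (IP protocol 47)"),
            Rule("out", "gre", None, "PPTP tunneled data (IP protocol 47)"),
        ]
    if l2tp_ipsec:
        rules += [
            Rule("in",  "udp", 500,  "IKE negotiation"),
            Rule("out", "udp", 500,  "IKE negotiation"),
            Rule("in",  "udp", 4500, "IPSec NAT traversal"),
            Rule("out", "udp", 4500, "IPSec NAT traversal"),
            Rule("in",  "esp", None, "L2TP/IPSec tunneled data (IP protocol 50)"),
            Rule("out", "esp", None, "L2TP/IPSec tunneled data (IP protocol 50)"),
        ]
    return rules

def allowed(pkt: Packet, rules: List[Rule]) -> bool:
    """Default deny: a packet passes only if some rule matches it."""
    if pkt.dst == VPN_SERVER:
        direction, vpn_port = "in", pkt.dport
    elif pkt.src == VPN_SERVER:
        direction, vpn_port = "out", pkt.sport
    else:
        return False   # neither to nor from the VPN server: drop
    return any(
        r.direction == direction
        and r.proto == pkt.proto
        and (r.vpn_port is None or r.vpn_port == vpn_port)
        for r in rules
    )

# Constructed sample traffic, including flows the filters must stop.
SAMPLE_TRAFFIC = [
    ("PPTP control from client",    Packet(CLIENT, VPN_SERVER, "tcp", 40000, 1723)),
    ("GRE data back to client",     Packet(VPN_SERVER, CLIENT, "gre")),
    ("IKE from client",             Packet(CLIENT, VPN_SERVER, "udp", 500, 500)),
    ("ESP from client",             Packet(CLIENT, VPN_SERVER, "esp")),
    ("HTTP to the VPN server",      Packet(CLIENT, VPN_SERVER, "tcp", 40001, 80)),
    ("PPTP to a non-VPN host",      Packet(CLIENT, OTHER_HOST, "tcp", 40002, 1723)),
    ("Server opening SMB outbound", Packet(VPN_SERVER, CLIENT, "tcp", 40003, 445)),
]

def audit(rules: List[Rule]) -> Dict[str, bool]:
    """Decision the rule set makes for each sample flow."""
    return {name: allowed(pkt, rules) for name, pkt in SAMPLE_TRAFFIC}

if __name__ == "__main__":
    for name, verdict in audit(vpn_filters()).items():
        print(f"{'PASS' if verdict else 'DROP':4}  {name}")
```

Two things the model makes visible: GRE and ESP carry no port numbers, so the filtering device must be able to match on IP protocol number (a device that only understands TCP and UDP passes the control channel and drops the tunneled data, which appears as a VPN that authenticates but carries no traffic); and, as the paragraph above says, these plaintext headers are all the firewall can see, so any filtering of what VPN users reach inside the intranet has to happen behind the VPN server, not on this interface.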