Windows Server 2008 R2 Unleashed (171 page)

attacks and determine user passwords. If the PPP authentication exchange is encrypt-

ed, offline dictionary attacks are possible only after the encrypted packets have been

successfully decrypted.

Advantages of PPTP

Although L2TP/IPSec is more secure than a PPTP VPN session, there are significant reasons

organizations choose PPTP over L2TP/IPSec. The following are advantages of PPTP over

L2TP/IPSec:

. PPTP does not require a certificate infrastructure. L2TP/IPSec, SSTP, and DirectAccess

require a certificate infrastructure for issuing computer certificates to the VPN server

computer (or other authenticating server) and all VPN client computers.

. PPTP can be used by all Windows desktop platforms (Windows Server 2008,

Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server, Windows 7,

874

CHAPTER 24

Server-to-Client Remote Access and DirectAccess

Windows Vista, Windows XP, Windows 2000 client, Windows NT 4.0, Windows

Millennium Edition [Me], Windows 98, and Windows 95 with the Windows Dial-Up

Networking 1.3 Performance and Security Update). Windows Server 2008 R2,

Windows Server 2008, Windows Server 2003, Windows 2000 Server, Windows 7,

Windows Vista, Windows XP, and Windows 2000 Workstation VPN clients are the

only clients that support L2TP/IPSec and the use of certificates. Windows 7 is the

only client that supports DirectAccess.

IPSec functions at a layer below the TCP/IP stack. This layer is controlled by a security

policy on each computer and a negotiated security association between the sender and

receiver. The policy consists of a set of filters and associated security behaviors. If a

packet’s IP address, protocol, and port number match a filter, the packet is subject to the

associated security behavior.

Advantages of SSTP

The SSTP protocol in Windows Server 2008 R2 gives administrators the capability to estab-

lish tunnels across the majority of corporate networks, bypassing many of the technical

hurdles that stop PPTP and L2TP.

The advantages of SSTP are as follows:

ptg

. SSTP helps lower administrative costs by reducing the technical steps needed to

tunnel between organizations. Because HTTPS is allowed through most firewalls and

proxy servers, there is no additional infrastructure changes needed to support SSTP.

. SSTP is certificate-based security implemented via SSL. However, certificates only

need to be issued to the servers rather than the clients. This provides the security

benefits of L2TP, but with almost the ease of configuration of PPTP.

The benefits are offset by the requirement that the client Certificate Authority require-

ments and the operating system requirement. The client requirement is that it trusts the

CA issuing the certificates and that it can access the certificate revocation list.

Support for SSTP in clients is available in Windows Server 2008, Windows Server 2008 R2,

Windows 7, Windows XP SP3 or later, and Windows Vista SP1 or later.

Advantages of DirectAccess

DirectAccess is a new technology introduced with Windows Server 2008 R2 and is a

completely new idea for remote access. Essentially, DirectAccess is a transparent always-on

remote access. It allows users to always appear to be on the corporate network and appear

as if they are in the office. In addition, it allows administrators to manage systems as local

systems through tools like Group Policy and Microsoft System Center Configuration

Manager (SCCM). From a user perspective, this is the easiest remote access solution. Once

configured, they don’t need to perform any action; it just works. From an administrator

point of view, however, this solution is the most complex due to the IPv6 and certificate

requirements.

Choosing Between Traditional VPN Technologies and DirectAccess

875

The advantages of DirectAccess are as follows:

. DirectAccess provides seamless connectivity wherever a remote system has an

Internet connection. No user interaction is required.

. System administrators can manage remotely connected systems as if they were inter-

nal systems.

24

. DirectAccess allows folder redirection so that all critical data is maintained inside the

corporate network and backed up using enterprise tools.

. DirectAccess uses a new technology, Name Resolution Policy Table (NRPT), to deter-

mine the appropriate DNS server for connection requests. Combined with split-tun-

neling, this makes for a truly transparent solution.

Despite these benefits, DirectAccess can be somewhat complex to implement. If most of

the pieces, such as IPv6, PKI, and Windows 7 on the desktop are already in place,

DirectAccess might be the best overall remote access solution for Windows Server 2008 R2.

NOTE

One advantage of DirectAccess is the fact that it uses IPv6. For organizations that have

been looking to deploy IPv6 and gain experience with this new addressing scheme, the

ptg

DirectAccess technology provides a good IPv6 learning platform that is self-contained

and integrates well with existing IPv4 technologies.

Ports Affecting the VPN Connectivity

Frequently, RRAS servers operating as VPN servers have two network cards, one of which is

plugged into the external network or DMZ. This is simpler, as there are typically few

restrictions on communicating with that externally facing interface. The RRAS server is

firewalled and the externally facing interface is hardened as a matter of best practice to

mitigate the potential risks. In fact, this is a requirement for DirectAccess servers.

However, even with mitigation steps, this externally facing interface can present an unac-

ceptable level of risk to some organizations. In those cases, the VPN infrastructure must

remain entirely within the internal network. In that configuration, the firewall must be

configured to allow the appropriate traffic to the RRAS server.

Table 24.3 and Table 24.4 list the relevant firewall rules needed for the PPTP and L2TP

protocols. The IP address for each of the rules is the RRAS server address, which is the

destination if the direction is inbound and the source if the direction is outbound.

TABLE 24.3

Firewall Rules for the RRAS Server for PPTP

Direction

Protocol

Port or

Why?

ID

Inbound

TCP

1723

Allows PPTP tunnel maintenance traffic from the PPTP client to

the PPTP server

876

CHAPTER 24

Server-to-Client Remote Access and DirectAccess

TABLE 24.3

Firewall Rules for the RRAS Server for PPTP

Direction

Protocol

Port or

Why?

ID

Inbound

IP

47

Allows tunneled PPTP data from the PPTP client to the PPTP

server

Outbound

TCP

1723

Allows PPTP tunnel maintenance traffic from the PPTP server to

the PPTP client

Outbound

IP

47

Allows tunneled PPTP data from the PPTP server to the PPTP

client

TABLE 24.4

Firewall Rules for the RRAS Server for L2TP

Direction Protocol Port or ID Why?

Inbound

UDP

500

Allows IKE traffic to the VPN server

Inbound

UDP

4500

Allows IPSec NAT-T traffic to the VPN server

Inbound

IP

50

Allows IPSec ESP traffic to the VPN server

Outbound UDP

500

Allows IKE traffic from the VPN server

ptg

Outbound UDP

4500

Allows IPSec NAT-T traffic from the VPN server

Outbound IP

50

Allows IPSec ESP traffic from the VPN server

NOTE

Interestingly, because the DirectAccess server must be a dual-homed server with a net-

work interface on the public network, there are no ports needed on the firewall for

DirectAccess. In effect, it bypasses the firewall completely.

The SSTP protocol is simple and only requires that TCP port 443 be permitted inbound to

the RRAS server.

Traditional VPN Scenario

The best way to illustrate the concepts in this chapter is to walk through a sample VPN

scenario. The example will walk through the setup and testing of a VPN infrastructure that

will include health checks and remediation of a client. The sample VPN scenario architec-

ture is shown in Figure 24.15.

The scenario will use the systems with the basic configuration shown in Table 24.5. These

examples assume that an Active Directory domain companyabc.com has been created and

that DC1 is the domain controller.

Traditional VPN Scenario

877

VISTA1

VPN Client

VPN1

192.168.1.201

24

RRAS Server

172.16.1.152

172.16.1.100

172.16.1.151

DC1

NPS1

Active Directory

Network Policy Server

Server

Certificate Server

FIGURE 24.15

VPN scenario diagram.

ptg

TABLE 24.5

VPN Scenario Servers

Server

Roles

Operating System

IP Address

DC1

Directory server

Windows Server 2008

172.16.1.100

R2

NPS1

Network Policy Server Certificate

Windows Server 2008

172.16.1.151

server

R2

VPN1

RRAS server

Windows Server 2008

172.16.1.152 (internal)

R2

192.168.1.201 (external)

VISTA1

VPN client

Windows Vista SP1

The steps to configure the VPN architecture will consist of the following:

. Set up the certificate server.

. Set up the Network Policy Server.

. Configure the Network Policy Server.

. Set up the RRAS.

. Set up the VPN client.

. Test the VPN connection.

. Control unhealthy VPN clients.

878

CHAPTER 24

Server-to-Client Remote Access and DirectAccess

In Windows Server 2008 R2 Active Directory, the users would need to be enabled in the

Dial-in tab of the account properties. As you can see in Figure 24.16, the default option is

Control Access Through NPS Network Policy.

ptg

FIGURE 24.16

Dial-in tab in Windows Server 2008 R2 Active Directory.

We’ll now step through the setup, configuration, and testing of a Windows Server 2008 R2

traditional VPN infrastructure.

Setting Up the Certificate Server

The first step is to configure the certificate server. This server will be used to issue certifi-

cates for the VPN infrastructure. The example uses Microsoft Certificate Services, but a

third-party CA and certificates could be used as well.

The NPS1 server was chosen for this example, as it will be the centralized policy server

and so is well situated to provide certificate services. A completely separate server could

have been configured as well. The procedure assumes that the Windows Server 2008 R2

operating system has been installed and that the NPS1 server has joined the compa-

nyabc.com domain.

Install the Active Directory Certificate Services role on the NPS1 server using the following

steps:

1. Launch Server Manager.

2. In the Roles Summary pane, select Add Roles to start the wizard.

Traditional VPN Scenario

879

3. Click Next.

4. Select Active Directory Certificate Services, and click Next.

5. Click Next.

6. Check the Certification Authority Web Enrollment to add the check mark.

7. A window opens with an additional set of role services and features required to

24

support web enrollment. Click Add Required Role Services to add these prerequisites.

8. Click Next.

9. Leave the Enterprise option to create an enterprise CA, and click Next.

10. Leave the Root CA option selected, and click Next.

11. Leave the Create a New Private Key option selected, and click Next.

12. Click Next to accept the cryptography options for the CA.

13. Click Next to accept the CA name.

14. Click Next to accept the default validity period of five years.

15. Click Next to accept the default directories.

16. Click Next.

17. Click Next to accept the default web server role services.

ptg

18. Click Install to install the roles.