In our sample configuration, the Windows 2003 VPN server connects directly to the Internet. You can deploy the VPN server either in front of the firewall or inside the demilitarized zone (DMZ); Microsoft provides information for configuring packet filters on your firewall and VPN server to accomplish either scenario. The firewall and VPN server can even reside on the same computer. In our example, the VPN server also connects to the intranet, so we'll need to tightly lock down the server so that attackers can't break into the internal network.
In addition to the Windows 2003 VPN server, we need to install Internet Authentication Service (IAS), which is Microsoft's implementation of a Remote Authentication Dial-In User Service (RADIUS) server, on one of the existing Win2K DCs so that the VPN server can use RADIUS to authenticate remote users against their accounts in the Win2K domain. For the final server-based component, we must install Certificate Services so that we can provide computer certificates to the VPN server and remote client computers. For XP and Win2K clients, you need to install the IPSec NAT-T update. Because XP and Win2K already support L2TP and IPSec, this update simply adds NAT traversal (NAT-T) support so that IPSec traffic can pass through NAT devices. For NT and Win9x clients, you need to install the Microsoft L2TP/IPSec VPN Client, which is available at http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp.
Configuring CA and IAS in the Win2K Domain
Before we set up the VPN server, let's establish the CA. You can select any server in the domain, including DCs, as the CA. Certificate Services can install either a standalone CA or an enterprise CA. In enterprise mode, Win2K and later computers in the domain will automatically trust certificates that the CA issues. This mode also lets you automatically deploy these certificates to Windows 2003, XP, and Win2K computers. In our sample network, we'll install Certificate Services on the ad1 DC, as Figure 1 shows.
To install Certificate Services, log on to the server, open the Control Panel Add/Remove Programs applet, then select Add/Remove Components to start the Windows Component Wizard. Select the Certificate Services check box, click Next until you reach the Certification Authority Type screen, select Enterprise Root CA as the first CA, then proceed through the rest of the wizard. Certificate Services requires Microsoft IIS, so if you haven't already installed IIS, Win2K will install it for you. Within a few hours after you create the enterprise CA, each Win2K and later computer in the domain will automatically add the CA's self-signed root certificate to its Trusted Root Certification Authorities certificate store, thereby trusting any certificate your CA has signed, whichever computer presents it.
Next, you need to deploy certificates to the client computers that will use the VPN to connect to the network so that they can set up the initial IPSec link to the VPN server. To deploy certificates to Win2K and later computers that are part of the domain, you can use Group Policy. Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, select the root of the domain, and deploy a certificate to every computer in the domain. (Optionally, you can select the organizational unit (OU) that stores information about all the remote computers.) Right-click the domain name, select Properties to open the properties for the domain root, then select the Group Policy tab. Under the Default Domain Policy Group Policy Object (GPO), navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies, right-click Automatic Certificate Request Settings, select New, then select Automatic Certificate Request. The Automatic Certificate Request Setup Wizard will open and ask you which certificate template and CA you want to use. Select the Computer certificate template, select your new CA, then finish the wizard to complete the process of adding a new request to the local CA. Now, each computer that applies this GPO will automatically request a certificate from the CA without further action on your part. The CA automatically approves the request because default permissions on the Computer certificate template let DCs request a certificate, and the computer can use Kerberos to automatically authenticate to the CA because both computers are part of the same domain.
To deploy certificates to pre-Win2K computers and employee-owned systems used for telecommuting, you must manually request and install the client computer's certificate as well as the CA's certificate. To make this request, you can use the certificate server's Web enrollment site, which is available at http://computername/certsrv.
Next, you need to install IAS on the DC to handle authentication requests from the RADIUS-enabled VPN server. Open the Add/Remove Programs applet again, then select Add/Remove Components. This time, select Networking Services, then select Details. Select the Internet Authentication Service check box and continue through the wizard. After you install IAS, you must configure it to accept RADIUS requests from the VPN server, which is a client of the IAS server. Open the Internet Authentication Service snap-in, right-click the Clients folder, then select New Client. Enter the name of the VPN server (in this example, I entered the name testras), then click Next. When prompted, add the client name in the RADIUS Client dialog box (in this example, I entered the name testras.ad.local), change the Client-Vendor setting to Microsoft, then enter a string of characters that you want to use as the shared secret. The shared secret limits authentication requests to the legitimate VPN server, on which you'll enter the same shared secret so that IAS can authenticate its requests. Win2K also uses this secret to encrypt and confirm the integrity of data sent between the VPN server and the RADIUS server. The shared secret protects sensitive RADIUS traffic from prying eyes and meddling fingers as it travels on the internal network. Microsoft recommends making the secret at least 22 characters long, consisting of upper- and lowercase letters as well as numbers and symbols. After you've entered the shared secret, click Finish to exit the wizard.
The DC is now ready to accept requests from the VPN server, but before you get too far, you need to make one security tweak that the IAS wizard fails to do. Open the Internet Authentication Service snap-in, then select the Clients folder. Double-click the client record for the VPN server to open the server's Properties dialog box, which Figure 2 shows, then select the Client must always send the signature attribute in the request check box. Enabling this setting ensures that Windows uses maximum protection for RADIUS traffic on your internal network by forcing the client to authenticate each request and providing the RADIUS server with a way to ensure that the request wasn't modified in transit.
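To make concrete what the shared secret and the signature attribute actually do on the wire, here is an added Python 3 example (standard library only; it is not code from the article, from IAS, or from Microsoft). The "signature attribute" that the IAS check box refers to is the Message-Authenticator attribute of RFC 2869, an HMAC-MD5 over the whole Access-Request keyed with the shared secret; the "encrypt" half of the secret's job is the RFC 2865 User-Password hiding. The code builds an Access-Request the way a RADIUS client such as the VPN server would, then checks it the way a server that insists on the signature attribute would, rejecting a packet whose contents were altered, whose sender used a different secret, or from which the attribute was stripped. The shared secret, user name, password and NAS address are constructed sample values, and the attribute set is the minimum needed to show the mechanism; the MD5/HMAC-MD5 constructions are what the RADIUS RFCs specify rather than a choice of this example.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 2869.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80   # the "signature attribute" in the IAS UI


def _attr(atype, value):
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)          # pad to a multiple of 16
    hidden, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(plain[i:i + 16], pad))
        hidden += block
        prev = block                                # chain on the hidden block
    return hidden


def reveal_password(secret, request_auth, hidden):
    """Inverse of hide_password, as the RADIUS server performs it."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ b for c, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00").decode()


def build_access_request(secret, identifier, username, password, nas_ip,
                         request_auth=None):
    """Build an Access-Request that carries a Message-Authenticator (RFC 2869 5.14)."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    # The HMAC is computed with the Message-Authenticator value zeroed, then filled in.
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac                       # placeholder is the last 16 bytes


def parse_attributes(packet):
    """Return (type, offset, value) for each attribute; reject malformed lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 1 >= len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length at offset %d" % pos)
        attrs.append((atype, pos, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(secret, packet):
    """Server-side check that the 'must always send the signature attribute' setting enforces.

    Returns False when the attribute is absent, has the wrong size, the packet is
    malformed, or the value does not match HMAC-MD5 over the packet under the secret.
    """
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    for atype, pos, value in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # no signature attribute at all: reject, as the IAS setting requires


def demo(secret=b"example-shared-secret-22+chars!"):   # constructed sample secret
    """Show that tampering, a wrong secret, or a stripped attribute all fail the check."""
    pkt = build_access_request(secret, 7, "alice", "correct horse battery", "10.0.0.5")
    tampered = bytearray(pkt)
    tampered[22] ^= 0x01                            # flip a bit inside User-Name
    stripped = pkt[:-18]                            # drop the Message-Authenticator
    return {
        "genuine": verify_message_authenticator(secret, pkt),
        "tampered": verify_message_authenticator(secret, bytes(tampered)),
        "wrong_secret": verify_message_authenticator(b"wrong", pkt),
        "stripped": verify_message_authenticator(secret, stripped),
    }


if __name__ == "__main__":
    print(demo())
```

The `stripped` case is the one the check box matters for: without it, a server still accepts an Access-Request that carries no Message-Authenticator, so an on-path party could alter attributes other than the hidden User-Password undetected; with it, the server treats a missing or invalid signature attribute as a reason to discard the request.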