This is part 3 of the series of articles explaining the complete setup of a VPN in a Windows Server environment.
Configure Logs
To maintain security and to monitor the issues that come with remote access, it is important to configure proper logging. NPS keeps separate logs for this. Below I will demonstrate how to configure these logs.
1. Open the Network Policy Server MMC.
2. In the console, click Accounting.
3. In the details pane, click Configure Local File Logging. The Local File Logging dialog box will open.
4. On the Log File tab you can define the directory where the log files are stored. Also, by selecting "database-compatibility" the files will be saved in IAS format, which allows them to be opened at the database level.
To monitor the VPN connections, use the "Routing and Remote Access" MMC. Clicking "Remote Access Clients" there lists the active VPN connections.
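As an added example (not part of the original post), here is a small Python script that reads NPS log lines in the database-compatible format, summarises accepted and rejected VPN logons per user, and flags repeated rejects from a single calling station, the pattern to alert on for password guessing against the VPN. The column positions are assumed from the documented database-compatible field order, and the log lines are constructed samples.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# 0-based column positions in NPS database-compatible log lines (assumed
# from the documented field order; only the columns this check uses).
COL_DATE, COL_TIME, COL_PACKET_TYPE, COL_USER = 2, 3, 4, 5
COL_CALLING_STATION, COL_CLIENT_NAME, COL_POLICY, COL_REASON = 8, 16, 24, 25

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

# Constructed sample records, not real NPS output: one accepted logon for
# alice and three rejected attempts for bob from the same calling station.
SAMPLE_LOG = r'''
"VPNSRV","IAS","06/01/2024","08:15:01","1","DOMAIN\alice",,,"203.0.113.10",,,,,,,,"RRAS-VPN",,,,,,,,,
"VPNSRV","IAS","06/01/2024","08:15:01","2","DOMAIN\alice",,,"203.0.113.10",,,,,,,,"RRAS-VPN",,,,,,,,"VPN Users","0"
"VPNSRV","IAS","06/01/2024","08:16:10","1","DOMAIN\bob",,,"198.51.100.7",,,,,,,,"RRAS-VPN",,,,,,,,,
"VPNSRV","IAS","06/01/2024","08:16:10","3","DOMAIN\bob",,,"198.51.100.7",,,,,,,,"RRAS-VPN",,,,,,,,"VPN Users","16"
"VPNSRV","IAS","06/01/2024","08:16:25","1","DOMAIN\bob",,,"198.51.100.7",,,,,,,,"RRAS-VPN",,,,,,,,,
"VPNSRV","IAS","06/01/2024","08:16:25","3","DOMAIN\bob",,,"198.51.100.7",,,,,,,,"RRAS-VPN",,,,,,,,"VPN Users","16"
"VPNSRV","IAS","06/01/2024","08:16:41","1","DOMAIN\bob",,,"198.51.100.7",,,,,,,,"RRAS-VPN",,,,,,,,,
"VPNSRV","IAS","06/01/2024","08:16:41","3","DOMAIN\bob",,,"198.51.100.7",,,,,,,,"RRAS-VPN",,,,,,,,"VPN Users","16"
'''

def parse_nps_log(text):
    """Yield one dict per log line; blank or truncated lines are skipped."""
    for cols in csv.reader(StringIO(text)):
        if len(cols) <= COL_REASON:
            continue
        yield {"date": cols[COL_DATE], "time": cols[COL_TIME],
               "type": PACKET_TYPES.get(cols[COL_PACKET_TYPE], cols[COL_PACKET_TYPE]),
               "user": cols[COL_USER], "calling": cols[COL_CALLING_STATION],
               "client": cols[COL_CLIENT_NAME], "policy": cols[COL_POLICY],
               "reason": cols[COL_REASON]}

def summarise(records):
    """Per-user Access-Accept/Access-Reject counts plus the reject reason codes seen."""
    counts, reasons = defaultdict(Counter), defaultdict(set)
    for r in records:
        if r["type"] in ("Access-Accept", "Access-Reject"):
            counts[r["user"]][r["type"]] += 1
        if r["type"] == "Access-Reject":
            reasons[r["user"]].add(r["reason"])
    return counts, reasons

def repeated_rejects(records, threshold=3):
    """(user, calling station) pairs rejected at least `threshold` times:
    the pattern worth alerting on as password guessing against the VPN."""
    c = Counter((r["user"], r["calling"])
                for r in records if r["type"] == "Access-Reject")
    return {pair: n for pair, n in c.items() if n >= threshold}
```

Point `parse_nps_log` at the contents of a log file from the directory chosen in step 4 and pass the resulting list to `summarise` and `repeated_rejects`.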
Setup VPN Client
So far I have configured all the server-side settings required for a VPN connection. Now it's time to look at how to set up a client PC to connect to the VPN. The following demo explains how to do this on a Windows 7 client PC.
1. Go to Network and Sharing Center via Start > Control Panel > Network and Sharing Center.
2. Under the "Change your networking settings" section, click "Set up a new connection or network". Then, under "Choose a connection option", click "Connect to a workplace" and click Next.
3. In the Connect to a Workplace dialog box, select the "Use my Internet connection (VPN)" option. When prompted, select "I'll set up an Internet connection later".
4. In the next window, specify the IP address I assigned to the public interface of the VPN server and click Create.
5. Then go back to Network and Sharing Center > Change adapter settings. Right-click the newly created VPN connection, called "Greenwich VPN", and click Connect.
6. In the authentication window, provide the login details of a user account allowed to use the VPN. (Due to practical issues with the public IP address, I cannot demonstrate it further.)
So this is the end of this long 3-part post explaining the complete setup of a VPN server in a Windows Server environment. If you have any questions, please send an email to rebeladm@live.com
HOW TO CONFIGURE VPN? PART 1
This article is part 1 of a series explaining the setup of a VPN in a Windows Server environment. This demo is done using Windows 2008 R2, but the theory will be the same for Windows 2012.
In this set of articles I will be doing the following:
1. Configure inbound and outbound VPN connections
2. Configure remote access policies to control the access of various groups via RRAS
3. Configure a RADIUS server to log all accounting
4. Monitor remote access
To do the setup, the following are needed:
• A server running Windows 2008 / R2 which is joined to the company domain
• Two NICs, one configured for local network access and one for public access
• IP address allocation
• Authentication provider (Network Policy Server, RADIUS)
• DHCP relay agent
• A user account with domain administrator privileges.
In this setup I will be using Network Policy Server as the authentication provider. Before starting the setup, it is important to understand what it is used for. According to Microsoft (http://technet.microsoft.com/en-us/library/cc732912.aspx):
Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. In addition, you can use NPS as a Remote Authentication Dial-In User Service (RADIUS) proxy to forward connection requests to a server running NPS or other RADIUS servers that you configure in remote RADIUS server groups.
NPS allows you to centrally configure and manage network access authentication, authorization, and client health policies with the following three features:
• RADIUS server. NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network (VPN) connections. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS. You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database.
• RADIUS proxy. When you use NPS as a RADIUS proxy, you can configure connection request policies that tell the NPS server which connection requests to forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests. You can also configure NPS to forward accounting data to be logged by one or more computers in a remote RADIUS server group.
• Network Access Protection (NAP) policy server. When you configure NPS as a NAP policy server, NPS evaluates statements of health (SoH) sent by NAP-capable client computers that want to connect to the network. NPS also acts as a RADIUS server when configured with NAP, performing authentication and authorization for connection requests. You can configure NAP policies and settings in NPS, including system health validators (SHVs), health policy, and remediation server groups that allow client computers to update their configuration to become compliant with your organization's network policy.
We can configure NPS with any combination of the preceding features. For example, you can configure one NPS server to act as a NAP policy server using one or more enforcement methods, while also configuring the same NPS server as a RADIUS server for dial-up connections and as a RADIUS proxy to forward some connection requests to members of a remote RADIUS server group for authentication and authorization in another domain.
Let's move on to the configuration as the next step.
For the setup I log in to a server which is connected to the company network. It is running Windows 2008 Standard edition.
Before we start, the selected server in the domain needs 2 NIC interfaces. One will serve the LAN and the other NIC will have a public IP address.
For the server I have already added 2 NICs and configured the IP addresses as follows:
For the LAN interface:
IP address: 192.168.20.2
Subnet: 255.255.255.0
Default gateway: none
DNS servers: none
As we know, a single machine cannot deal with different default gateways, therefore there is no need to put a gateway here.
For the public interface:
IP address: 10.0.0.2
Subnet: 255.255.255.0
Default gateway: 10.0.0.1
DNS servers: 8.8.8.8 (public DNS from ISP)
The public IP information used here is just for demo purposes; these are not real public IPs from an ISP. In a real setup you need to fill in that information with the details provided by the ISP.
On the server I have renamed the 2 interfaces according to their IP as "private" and "public" for easy identification.
Install Network Policy and Access Services role
1. To start Server Manager, click Start > Administrative Tools > Server Manager.
2. In the Server Manager window, right-click "Roles" and click "Add Roles".
3. The Add Roles wizard will appear. Click Next to continue.
4. On the Select Server Roles page, select "Network Policy and Access Services" and click Next.
5. On the "Network Policy and Access Services" introduction page, click Next.
6. On the Select Role Services page, select the "Network Policy Server" and "Routing and Remote Access Services" check boxes and click Next.
7. On the Confirmation page, click "Next" to continue.
8. On the Installation Results page, verify that "Installation succeeded" appears in the details pane, then click Close to complete.
Configure VPN Server
1. To start the "Routing and Remote Access" MMC, click Start > Administrative Tools > Routing and Remote Access.
2. In the MMC, right-click the server name and from the options click "Configure and Enable Routing and Remote Access".
3. Click Next on the Welcome page to continue. On the Configuration page, leave the default "Remote access (dial-up or VPN)" selected and click Next.
4. On the Remote Access page, select the "VPN" check box and click Next.
5. On the VPN Connection page, select the "Public" interface and then click Next.
6. On the IP Address Assignment page, select "From a specified range of addresses" and then click Next.
7. On the Address Range Assignment page, click New. In the "Start IP address" box type 10.0.0.5, in the "Number of addresses" box type 75, click OK, then click Next to continue.
8. On the Managing Multiple Remote Access Servers page, leave the default selection "No, use Routing and Remote Access to authenticate connection requests" and click Next, and then Finish.
9. In the Routing and Remote Access dialog box, click OK.
10. In the next dialog box, about the DHCP relay agent, click OK too.
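As an added check (example code, not from the original post), this Python snippet verifies that a static pool like the one entered in step 7, 75 addresses from 10.0.0.5, stays inside the public subnet and does not overlap the gateway, the server's own interface addresses, or the subnet's network and broadcast addresses. The interface and gateway values are the ones given earlier in this part; the pool sizes tried in the usage are constructed.

```python
import ipaddress

# Values from the walkthrough: the two server interfaces, the public-side
# gateway, and the static client pool entered in the RRAS wizard.
INTERFACES = [ipaddress.ip_interface("192.168.20.2/24"),   # private
              ipaddress.ip_interface("10.0.0.2/24")]       # public
RESERVED = [ipaddress.ip_address("10.0.0.1")]              # gateway
POOL_START, POOL_COUNT = "10.0.0.5", 75


def pool_range(start, count):
    """First and last address of a pool of `count` consecutive addresses."""
    first = ipaddress.ip_address(start)
    return first, first + (count - 1)


def check_pool(start, count, interfaces=INTERFACES, reserved=RESERVED):
    """Return (first, last, problems) for a static pool. The pool must lie
    entirely inside one of the server's subnets, must not include that
    subnet's network or broadcast address, and must not contain a server
    interface address or a reserved address such as the gateway."""
    first, last = pool_range(start, count)
    problems = []
    homes = [i.network for i in interfaces if first in i.network]
    if not homes:
        return first, last, [f"{first} is not inside any server subnet"]
    net = homes[0]
    if last not in net:
        problems.append(f"pool runs past {net}: ends at {last}")
    taken = {i.ip for i in interfaces} | set(reserved)
    taken |= {net.network_address, net.broadcast_address}
    for addr in sorted(taken):
        if first <= addr <= last:
            problems.append(f"{addr} lies inside the pool")
    return first, last, problems


if __name__ == "__main__":
    for count in (POOL_COUNT, 251, 252):          # 251 and 252 are constructed
        first, last, problems = check_pool(POOL_START, count)
        print(f"pool {first} - {last}:", problems or "ok")
```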
WHY VPN?
As most businesses grow, they expand into different branches in different geographical locations. A business may expand its sales to different areas, even to different countries. This creates new situations that call for appropriate networking technology solutions to support company operations. The branch offices will need to be part of the corporate network to access company data and continue operations. There can be sales people who conduct demonstrations from remote locations and also need to access the corporate network from time to time. Since the "virtual office" concept is growing, there can be employees who work remotely and also need to be part of the corporate network.
The old, traditional way of doing this is to use "leased lines". In this solution each branch office, sales person and remote worker connects to the corporate network via a dedicated communication link. The connection is almost always a physical connection using cable media, and the link is fully dedicated to communication between the selected points (e.g. corporate office to branch office). The connection is secure and runs with high bandwidth.
Even though these are reliable, high-bandwidth, secure lines, there are some issues with applying this solution to most modern-day requirements. Let's examine a few of the issues in detail.
Issue | Description
--- | ---
Cost | The main practical issue with using these is cost. Creating a dedicated line between two locations requires a lot of manpower and resources, therefore the cost of getting such a connection is very high. When the distance between locations and the required bandwidth increase, the line cost also increases. If it's between countries it will involve many different ISPs (Internet Service Providers), which increases implementation and operational cost.
No Mobility | Sometimes sales representatives and management staff travel to different locations for business presentations, training, etc. Their stay at those locations can be temporary, a few hours or days. If they need access to the corporate network via a leased line, it's impossible: you can't bring a leased line to every place you go. A leased line is a permanent physical connection to a particular location and will not support mobile use.
Implementation Complexity and Time | The implementation of leased lines can be complex. Sometimes you may need to work with several different ISPs in different geographical areas. Sometimes it can take months to provision a leased connection between two locations, which will definitely affect company operations. Also, let's say there is a manager on a business trip for a product presentation who wants to connect to the corporate network to get some data. It is obviously not practical to get a leased line for that; even if it's possible it will not be instant and can take days or weeks.
Service Provider Dependency | Once a leased line is in place between a branch office and the corporate network, let's assume it develops connection issues. To get it fixed you have to go to the service provider who provided the link. Even though it's critical for operations, you have to wait until they fix it; you can't simply connect through a different service provider. Even if you switch service providers, it can take days or weeks for them to lay a new leased line.
Is there any other solution than a leased line that can be used without these types of issues? Yes: it is called a VPN (Virtual Private Network). It simply creates a "virtual" private network, similar to a leased line, over a public network. So there is no physical leased line; instead it creates a secure tunnel between two locations over the Internet. We can also call this a virtual leased line. Most ISPs provide VPN solutions that will suit your requirements, but you can also create your own VPN solution based on a VPN appliance or on software such as Windows Routing and Remote Access.
Even though it makes its connection over the Internet, it is a secure tunnel which transfers only encrypted data. There are many security protocols a VPN can be configured with:
• IPSec (IP Security)
• L2TP (Layer 2 Tunneling Protocol)
• PPTP (Point-to-Point Tunneling Protocol)
• SSL/TLS (Secure Sockets Layer/Transport Layer Security)
The first 3 methods work at the OSI network layer. When using these, most of the time a VPN client needs to be installed on the host to connect to the VPN server or appliance.
SSL/TLS works at the OSI transport layer, so it works on the industry-standard SSL port 443 and there is no need to use custom ports for VPN connections. The connection setup from the client end is easy, as it can be performed via a web browser.
One of the main advantages of a VPN is the low implementation and operation cost. If you have a public IP with a proper Internet connection, you can simply set up your own VPN server and allow clients to dial in to it. You do not need to spend money on additional hardware, services and resources for it. The operation cost will also be very low or nil. For example, the Microsoft Remote Access solution comes built in with the Windows Server operating system. To set it up all you need to do is add the role and configure it. It will not involve any license cost, monthly fees, maintenance fees or service charges like we have with leased connections.
The other beauty of a VPN is that it supports mobility. As discussed, it does not have any physical connection between the locations. If you have an Internet connection, you can use a VPN to connect to the corporate network from anywhere in the world, via your mobile, smartphone, tablet, laptop, etc. This is the best solution for mobile sales people and management staff who travel on business. All they need is a working Internet connection. It doesn't matter whether you are in a hotel, on the road, at an airport or at a bus stop: if you are connected to the VPN you will be part of the corporate network.
Another advantage of using a VPN is that it has no dependency on service providers. There are certain situations, such as corporate site-to-site VPN solutions, which may go via a service provider, but the majority of VPN connection solutions do not depend on the service provider. With a leased line, if you got the connection from a particular ISP, you always have to depend on that service provider to get connected; if the line has issues you have to wait until they fix it. But with a VPN solution all you need is a working Internet connection; it doesn't matter which ISP you connect from. For example, in a home office, let's assume you are using a VPN connection to connect to the office network. While you are working, the DSL connection you use as your primary Internet connection starts to drop, but you have a mobile Internet connection from another service provider. You can simply plug in the dongle, connect to the VPN via it and continue your work. You will not need to change any VPN connection settings to do so.
A leased line solution may sometimes be a combination of different ISPs and different technologies, therefore maintaining and troubleshooting it takes time and a complex routine. A VPN is easier to maintain and troubleshoot: mostly problems will be due to failure of Internet connections, and other than that it very rarely involves any complex troubleshooting routine, especially because there is no physical connection.
Considering all these facts, VPN is obviously the best solution for remote access.
There are other solutions such as Remote Desktop Services, Terminal Services and Citrix solutions which can be used for remote access. All of those have different pros and cons, but here I only compare the leased line solution and the VPN solution.