On-Demand Branch Office
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
On-demand branch office
The Portland and Dallas branch offices of Electronic, Inc. are connected to the corporate office by using on-demand router-to-router VPN connections. Both the Portland and Dallas offices contain a small number of employees who only need occasional connectivity with the corporate office. The routers running Windows Server 2003, Standard Edition, in the Portland and Dallas offices are equipped with an ISDN adapter that dials a local Internet service provider to gain access to the Internet, and then a router-to-router VPN connection is made across the Internet. When the VPN connection is not used for five minutes, the routers at the branch offices terminate the VPN connection.
The Dallas branch office uses the IP network ID of 192.168.28.0 with a subnet mask of 255.255.255.0. The Portland branch office uses the IP network ID of 192.168.4.0 with a subnet mask of 255.255.255.0.
To simplify the configuration, the VPN connection is a one-way initiated connection that is always initiated by the branch office router. For more information, see One-way initiated demand-dial connections.
The following illustration shows the Electronic, Inc. VPN server that provides on-demand branch office connections.
To deploy on-demand router-to-router VPN connections to connect the Portland and Dallas branch offices to the corporate office based on the settings configured in Common configuration for the VPN server, the following additional settings are configured.
Domain configuration
For the VPN connection to the Dallas office, the user account VPN_Dallas is created with the following settings:
Password of nY7W{q8~=z3.
For the dial-in properties on the VPN_Dallas account, the remote access permission is set to Control access through Remote Access Policy, and the static route is 192.168.28.0 with a subnet mask of 255.255.255.0 is added.
For the account properties on the VPN_Dallas account, the Password never expires account option is enabled.
The VPN_Dallas account is added to the VPN_Routers group.
For the VPN connection to the Portland office, the user account VPN_Portland is created with the following settings:
Password of P*4s=wq!Gx1.
For the dial-in properties on the VPN_Portland account, the remote access permission is set to Control access through Remote Access Policy, and the static route is 192.168.4.0 with a subnet mask of 255.255.255.0 is added.
For the account properties on the VPN_Portland account, the Password never expires account option is enabled.
The VPN_Portland account is added to the VPN_Routers group.
Remote access policy configuration
To define the authentication and encryption settings for the VPN routers, the following remote access policy is created:
Policy name: VPN Routers
Conditions:
NAS-Port-Type is set to Virtual (VPN)
Windows-Groups is set to VPN_Routers
Called-Station-ID is set to 207.209.68.1
Permission is set to Grant remote access permission
Profile settings:
Authentication tab: Extensible Authentication Protocol is enabled and Smartcard or other certificate (TLS) is configured to use the installed computer certificate (also known as the machine certificate). Microsoft Encrypted Authentication version 2 (MS-CHAP v2) is also enabled.
Encryption tab: Strong and Strongest are the only options that are selected.
Note
- The Called-Station-ID is set to the IP address of the Internet interface for the VPN server. Only tunnels initiated from the Internet are allowed. Tunnels initiated from the Electronic, Inc. intranet are not permitted. Electronic, Inc. users that require Internet access from the Electronic, Inc. intranet must go through the Electronic, Inc. proxy server (not shown), where Internet access is controlled and monitored.
For more information about the branch office router configuration, see:
The Dallas office: PPTP-based on-demand branch office
The Portland office: L2TP-based on-demand branch office
Note
- The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.