Condividi tramite


On-Demand Branch Office

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

On-demand branch office

The Portland and Dallas branch offices of Electronic, Inc. are connected to the corporate office by using on-demand router-to-router VPN connections. Both the Portland and Dallas offices contain a small number of employees who only need occasional connectivity with the corporate office. The routers running Windows Server 2003, Standard Edition, in the Portland and Dallas offices are equipped with an ISDN adapter that dials a local Internet service provider to gain access to the Internet, and then a router-to-router VPN connection is made across the Internet. When the VPN connection is not used for five minutes, the routers at the branch offices terminate the VPN connection.

The Dallas branch office uses the IP network ID of 192.168.28.0 with a subnet mask of 255.255.255.0. The Portland branch office uses the IP network ID of 192.168.4.0 with a subnet mask of 255.255.255.0.

To simplify the configuration, the VPN connection is a one-way initiated connection that is always initiated by the branch office router. For more information, see One-way initiated demand-dial connections.

The following illustration shows the Electronic, Inc. VPN server that provides on-demand branch office connections.

On-demand VPN connections for branch offices

To deploy on-demand router-to-router VPN connections to connect the Portland and Dallas branch offices to the corporate office based on the settings configured in Common configuration for the VPN server, the following additional settings are configured.

Domain configuration

For the VPN connection to the Dallas office, the user account VPN_Dallas is created with the following settings:

  • Password of nY7W{q8~=z3.

  • For the dial-in properties on the VPN_Dallas account, the remote access permission is set to Control access through Remote Access Policy, and the static route is 192.168.28.0 with a subnet mask of 255.255.255.0 is added.

  • For the account properties on the VPN_Dallas account, the Password never expires account option is enabled.

  • The VPN_Dallas account is added to the VPN_Routers group.

For the VPN connection to the Portland office, the user account VPN_Portland is created with the following settings:

  • Password of P*4s=wq!Gx1.

  • For the dial-in properties on the VPN_Portland account, the remote access permission is set to Control access through Remote Access Policy, and the static route is 192.168.4.0 with a subnet mask of 255.255.255.0 is added.

  • For the account properties on the VPN_Portland account, the Password never expires account option is enabled.

  • The VPN_Portland account is added to the VPN_Routers group.

Remote access policy configuration

To define the authentication and encryption settings for the VPN routers, the following remote access policy is created:

  • Policy name: VPN Routers

  • Conditions:

    • NAS-Port-Type is set to Virtual (VPN)

    • Windows-Groups is set to VPN_Routers

    • Called-Station-ID is set to 207.209.68.1

  • Permission is set to Grant remote access permission

  • Profile settings:

    • Authentication tab: Extensible Authentication Protocol is enabled and Smartcard or other certificate (TLS) is configured to use the installed computer certificate (also known as the machine certificate). Microsoft Encrypted Authentication version 2 (MS-CHAP v2) is also enabled.

    • Encryption tab: Strong and Strongest are the only options that are selected.

Note

  • The Called-Station-ID is set to the IP address of the Internet interface for the VPN server. Only tunnels initiated from the Internet are allowed. Tunnels initiated from the Electronic, Inc. intranet are not permitted. Electronic, Inc. users that require Internet access from the Electronic, Inc. intranet must go through the Electronic, Inc. proxy server (not shown), where Internet access is controlled and monitored.

For more information about the branch office router configuration, see:

Note

  • The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.