Remote access for employees
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Remote access for Electronic, Inc. employees is deployed by using remote access VPN connections across the Internet based on the settings configured in Common configuration for the VPN server and the following additional settings.
The following illustration shows the Electronic, Inc. VPN server that provides remote access VPN connections.
Domain configuration
For each employee that is allowed VPN access:
- The remote access permission on the dial-in properties of the user account is set to Control access through Remote Access Policy.
- The user account is added to the VPN_Users Active Directory group.
Remote access policy configuration
To define the authentication and encryption settings for remote access VPN clients, the following remote access policy is created:
Policy name: Remote Access VPN Clients
Conditions:
- NAS-Port-Type is set to Virtual (VPN)
- Windows-Groups is set to VPN_Users
- Called-Station-ID is set to 207.209.68.1
Permission is set to Grant remote access permission
Profile settings:
- Authentication tab: Extensible Authentication Protocol is enabled and Smartcard or other certificate (TLS) is configured to use the installed computer certificate (also known as the machine certificate). Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and Microsoft Encrypted Authentication (MS-CHAP) are also enabled.
- Encryption tab: Strong and Strongest are the only options that are selected.
Note
- The Called-Station-ID condition is set to the IP address of the Internet interface for the VPN server. Only tunnels initiated from the Internet are allowed. Tunnels initiated from the Electronic, Inc. intranet are not permitted. Electronic, Inc. users that require Internet access from the Electronic, Inc. intranet must go through the Electronic, Inc. proxy server (not shown), where Internet access is controlled and monitored.
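The following script is an added example, not part of the original article or of the Windows Server product: it models how the Remote Access VPN Clients policy above is evaluated, with all three conditions required to match before the profile's authentication and encryption constraints are applied. The request format, attribute names and sample users are assumptions for illustration; the real RRAS/IAS evaluation has more attributes and policy-ordering rules.

```python
# Added example (not from the original article): simplified evaluation of the
# "Remote Access VPN Clients" policy. Request fields are assumed for illustration.
from dataclasses import dataclass
from typing import Set, Tuple

VPN_SERVER_INTERNET_IP = "207.209.68.1"   # Called-Station-ID from the policy

# Policy conditions: every condition must match for the policy to apply
POLICY_CONDITIONS = {
    "NAS-Port-Type": "Virtual (VPN)",
    "Windows-Groups": "VPN_Users",
    "Called-Station-ID": VPN_SERVER_INTERNET_IP,
}
# Profile settings: authentication methods and MPPE encryption levels allowed
ALLOWED_AUTH = {"EAP-TLS", "MS-CHAP v2", "MS-CHAP"}
ALLOWED_ENCRYPTION = {"Strong", "Strongest"}


@dataclass
class AccessRequest:
    user: str
    groups: Set[str]          # Active Directory group memberships
    nas_port_type: str
    called_station_id: str    # IP of the VPN server interface the tunnel hit
    auth_method: str
    encryption: str


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (granted, reason). The account is set to Control access through
    Remote Access Policy, so a request matching no policy is denied."""
    if req.nas_port_type != POLICY_CONDITIONS["NAS-Port-Type"]:
        return False, "no matching policy: not a VPN port"
    if POLICY_CONDITIONS["Windows-Groups"] not in req.groups:
        return False, "no matching policy: user not in VPN_Users"
    if req.called_station_id != POLICY_CONDITIONS["Called-Station-ID"]:
        return False, "no matching policy: tunnel not initiated from the Internet"
    # All conditions matched and permission is Grant: enforce the profile
    if req.auth_method not in ALLOWED_AUTH:
        return False, "profile rejected: authentication method not allowed"
    if req.encryption not in ALLOWED_ENCRYPTION:
        return False, "profile rejected: encryption weaker than Strong"
    return True, "granted"
```

A tunnel arriving on the intranet interface fails the Called-Station-ID condition, so the policy does not apply and the request is denied, which is exactly the effect the note above describes.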
PPTP-based remote access client configuration
The New Connection Wizard is used on client computers to create a VPN connection with the following setting:
- Host name or IP address: vpn.electronic.microsoft.com
- On the Networking tab, Type of dial-up server I am calling is set to Point-to-Point Tunneling Protocol (PPTP). This is done to provide better performance when connecting. When Type of dial-up server I am calling is set to Automatic, an Internet Protocol security (IPSec) security association (SA) for a Layer Two Tunneling Protocol (L2TP) connection is attempted first. By configuring the connection for PPTP, the IPSec SA for an L2TP connection is not attempted.
L2TP/IPSec remote access client configuration
The remote access computer logs on to the Electronic, Inc. domain using a LAN connection to the Electronic, Inc. intranet and receives a certificate through auto-enrollment. Then, the New Connection Wizard is used to create a VPN connection with the following setting:
- Host name or IP address: vpn.electronic.microsoft.com
The VPN connection settings are modified as follows:
- On the Networking tab, Type of dial-up server I am calling is set to Layer-2 Tunneling Protocol (L2TP). When Type of dial-up server I am calling is set to Automatic, an IPSec SA for an L2TP connection is attempted first. If the IPSec SA is not successful, then a PPTP connection is attempted. In this case, the network administrator for Electronic, Inc. does not want remote access clients that are capable of establishing an L2TP connection to fall back to the PPTP connection.
Notes
On Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1,000 Point-to-Point Tunneling Protocol (PPTP) ports, and you can create up to 1,000 Layer Two Tunneling Protocol (L2TP) ports. However, Windows Server 2003, Web Edition, can accept only one virtual private network (VPN) connection at a time. Windows Server 2003, Standard Edition, can accept up to 1,000 concurrent VPN connections. If 1,000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1,000.
The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.