
Document: Module 8: Configuring Virtual Private Network Access for Remote Clients and Networks (doc)


DOCUMENT INFORMATION

Basic information

Format
Pages 38
Size 2,95 MB

Contents


Page 1

Module 8: Configuring Virtual Private Network Access for Remote Clients and Networks

Page 2

Virtual Private Networking Overview
Configuring Virtual Private Networking for Remote Clients
Configuring Virtual Private Networking for Remote Sites
Configuring VPN Quarantine Control Using ISA Server 2004

Page 3

Lesson: Virtual Private Networking Overview

What Is Virtual Private Networking?

Page 4

What Is Virtual Private Networking?

[Diagram: ISA Server, ISA Server, Branch Office]

Page 5

                     PPTP                                                L2TP/IPSec
Client support       Windows ME, or Windows 98                           Windows 2000, Windows XP, or Windows Server 2003
Certificate support  Requires a certificate infrastructure only for      Requires a certificate infrastructure or a
                     EAP-TLS authentication                              pre-shared key
Security             Provides data encryption                            Provides data encryption, data confidentiality,
                     Does not provide data integrity                     data origin authentication, and replay protection
NAT support          To locate PPTP-based VPN clients behind a NAT,      To locate L2TP/IPSec-based clients or servers
                     the NAT should include an editor that can           behind a NAT, both client and server must
                     translate PPTP                                      support IPSec NAT-T

Page 6

VPN Authentication Protocol Options

Authentication protocol   Considerations
PAP                       Uses plaintext passwords and is the least secure authentication protocol
SPAP                      Uses a reversible encryption mechanism employed by Shiva
CHAP                      Requires passwords stored by using reversible encryption
                          Compatible with Macintosh and UNIX-based clients
                          Data cannot be encrypted
MS-CHAP                   Does not require that passwords be stored by using reversible encryption
                          Encrypts data
MS-CHAPv2                 Performs mutual authentication
                          Data is encrypted by using separate session keys for transmitted and received data
EAP-TLS                   Most secure remote authentication protocol
                          Enables multifactor authentication

Page 7

VPN Quarantine Control

VPN Quarantine Control:
Enables screening of VPN client machines before granting them access to the organization’s network
Uses a client script that analyzes the security configuration of the remote access client
VPN clients connecting to ISA Server with approved security configurations are moved from the VPN Quarantine network to the VPN Clients network

Page 8

Virtual Private Networking Using Routing and Remote Access

RRAS supports:
Remote access policies that define remote access connections and connection parameters
Connection Manager components to simplify the configuration of remote access clients
RADIUS servers for authentication and the centralization of remote access policies
VPN quarantine control to restrict network access to quarantined clients
Packet filtering for securing VPN and network quarantine connections

Page 9

Virtual Private Networking Using ISA Server 2004

ISA Server enables VPN access:
Including remote client VPN access for individual clients and site-to-site VPN access to connect
By using network and access rules to limit network traffic between the VPN networks and the other networks with servers running ISA Server
By extending RRAS functionality

Page 10

Benefits of Using ISA Server for Virtual Private Networking

Connection security        ISA Server uses firewall access policies to inspect and filter all traffic from VPN clients
Performance                ISA Server is optimized to enforce complex security requirements on VPN connections
Quarantine control for     VPN quarantine is not available in Windows 2000 RRAS but can be enabled with
Windows 2000               ISA Server 2004 on Windows 2000
Enhanced protection        ISA Server is protected via firewall access policy on all interfaces

Page 11

Lesson: Configuring Virtual Private Networking for Remote Clients

VPN Client Access Configuration Options
How to Enable and Configure VPN Client Access
Default VPN Client Access Configuration
How to Configure VPN Address Assignment
How to Configure VPN Authentication
How to Configure Authentication Using RADIUS
How to Configure User Accounts for VPN Access
How to Configure VPN Connections from Client Computers

Page 12

VPN Client Access Configuration Options

Page 13

How to Enable and Configure VPN Client Access

Use user mapping to apply firewall policies to users who do not use Windows authentication

Page 14

Default VPN Client Access Configuration

System policy rules     System policy rule that allows the use of PPTP, L2TP, or both is enabled
VPN access network      ISA Server will listen for VPN client connections only on the External network
VPN protocols           Only PPTP is enabled for VPN client access
Firewall access rules   No firewall access rules are enabled
Remote access policy    Default policy requires MS-CHAPv2 authentication

Page 15

How to Configure VPN Address Assignment

Configure static IP address

Page 16

How to Configure VPN Authentication

Accept default for secure authentication
Configure EAP for additional security
Configure less secure options only if required for client compatibility

Page 17

How to Configure Authentication Using RADIUS

Enable RADIUS for authentication and accounting, and then configure a RADIUS server

Page 18

How to Configure User Accounts for VPN Access

Configure dial-in and VPN access permissions

Page 19

How to Configure VPN Connections from Client Computers

Page 20

Practice: Configuring VPN Access for Remote Clients

Configuring VPN access on ISA Server
Configuring user account dial-in permissions
Configuring and testing a VPN client configuration

[Diagram: Internet, Den-ISA-01, Den-DC-01, Gen-Clt-01]

Page 21

Lesson: Configuring Virtual Private Networking for Remote Sites

Site-to-Site VPN Access Configuration Components
About Choosing a VPN Tunneling Protocol
How to Configure a Remote-Site Network
Network and Access Rules for Site-to-Site VPNs
How to Configure the Remote-Site VPN Gateway Server
How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode

Page 22

Site-to-Site VPN Access Configuration Components

Page 23

About Choosing a VPN Tunneling Protocol

IPSec Tunnel Mode    Connect to non-Microsoft VPN gateways
                     Only option if you are connecting to a non-Microsoft VPN server
                     Requires certificates or pre-shared keys
L2TP over IPSec      Connect to ISA Server or Windows RRAS VPN gateways
                     Requires user name and password and certificates or pre-shared keys for authentication
PPTP                 Connect to ISA Server or Windows RRAS VPN gateways
                     Requires user name and password for authentication
                     Less secure than L2TP over IPSec

Page 24

How to Configure a Remote-Site Network

VPN protocol                Choose the tunneling protocol that you will use to connect to the remote site
Remote VPN server           Enter the server name or IP address for the VPN gateway server in the remote site
Remote authentication       Enter a user name and password that will be used to initiate a VPN connection to the remote-site VPN gateway server
L2TP/IPSec authentication   If required, configure a pre-shared key that will be used to authenticate the computers when creating the tunnel
Network address             Configure the IP address range for all of the computers in the remote-site network

Page 25

Network and Access Rules for Site-to-Site VPNs

To enable network traffic across a site-to-site VPN:
Two system policy rules are enabled:
 Allow VPN site-to-site traffic to ISA Server
 Allow VPN site-to-site traffic from ISA Server
Create a network rule for remote-site networks
Configure access rules or publishing rules enabling or restricting network access
 For full access, allow all protocols through ISA Server
 For limited access, configure access rules or publish rules that define allowed network traffic

Page 26

How to Configure the Remote-Site VPN Gateway Server

To configure the remote-site VPN gateway server:
Configure the remote-site VPN gateway to use the same tunneling protocol
Configure the connection to the main-site VPN gateway
Configure network routing rules that enable or restrict the flow of network traffic between networks

Page 27

How to Configure Site-to-Site VPNs Using IPSec Tunnel Mode

To configure site-to-site VPNs using IPSec tunnel mode:
Configure a local VPN gateway IP address used by the computer running ISA Server to listen for VPN connections
Configure the VPN gateways to use a certificate or a pre-shared key for authentication
Configure advanced IPSec settings to optimize VPN security

Page 28

Practice: Configuring VPNs for Remote Sites

Configuring the head-office computer running ISA Server to enable site-to-site VPN connections

[Diagram: Internet, Den-ISA-01, Den-DC-01]

Page 29

Lesson: Configuring Quarantine Control Using ISA Server 2004

How Does Network Quarantine Control Work?
About Quarantine Control on ISA Server
How to Prepare the Client-Side Script
How to Configure VPN Clients Using Connection Manager
How to Prepare the Listener Component
How to Enable Quarantine Control
How to Configure Internet Authentication Service for Quarantine Control
How to Configure Quarantine Access Rules

Page 30

How Does Network Quarantine Control Work?

[Diagram: ISA Server, DNS Server, Web Server, Domain Controller, File Server, Quarantine script, VPN Quarantine Clients Network, VPN Clients Network, RQC.exe, Quarantine remote access policy]

Page 31

To implement quarantine control on ISA Server:
Create and install a listener component
Enable quarantine control on ISA Server
Configure network rules and access rules for the Quarantined VPN Clients network

Page 32

How to Prepare the Client-Side Script

The client-side script:
Can be an executable file, a script, or a simple command file
Contains a set of tests to ensure that the remote access client complies with network policy
Runs Rqc.exe if all of the tests specified in the script are successful

Command for running Rqc.exe:
rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion
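Added example (not from the module) of a client-side quarantine script in the command-file form described above: two constructed policy tests, then the Rqc.exe call with the parameter order shown. It assumes Connection Manager runs it as a post-connect action and expands the DialRasEntry, TunnelRasEntry, Domain and UserName macros, that rqc.exe is on the PATH, that the listener on ISA Server is reachable on TCP port 7250 (the port the listener component's access rule opens) and accepts the script version string RQS-1.0, and that the antivirus signature path is a placeholder.

```batch
@echo off
rem Constructed example quarantine script; not part of the module.
rem Assumes Connection Manager supplies the DialRasEntry, TunnelRasEntry,
rem Domain and UserName macros, and that the listener accepts version RQS-1.0.
setlocal
set RQC_PORT=7250
set SCRIPT_VERSION=RQS-1.0

rem Test 1: Windows Firewall must be enabled for the standard profile
rem (registry value used by Windows XP SP2). reg query prints 0x1 when enabled.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall | find "0x1" >nul
if errorlevel 1 goto failed

rem Test 2: the antivirus signature file must exist (placeholder path).
if not exist "C:\Program Files\ExampleAV\signatures.dat" goto failed

rem All tests passed: notify the listener (RQS) so ISA Server moves this
rem client from the Quarantined VPN Clients network to the VPN Clients network.
rem Parameter order: ConnName TunnelConnName TCPPort Domain UserName ScriptVersion
rqc.exe %DialRasEntry% %TunnelRasEntry% %RQC_PORT% %Domain% %UserName% %SCRIPT_VERSION%
if errorlevel 1 goto notify_failed
echo Quarantine checks passed; notification sent to the listener on port %RQC_PORT%.
exit /b 0

:failed
echo This computer does not meet the remote access policy and stays quarantined.
exit /b 1

:notify_failed
echo Could not notify the quarantine listener on TCP %RQC_PORT%; the connection stays quarantined.
exit /b 2
```

When a test fails the script never calls rqc.exe, so the client remains on the Quarantined VPN Clients network and is disconnected when the quarantine timeout configured on ISA Server expires.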

Page 33

How to Configure VPN Clients Using Connection Manager

To configure VPN clients using Connection Manager:
Configure a quarantine VPN client profile
Distribute and install the client profile on all remote clients that require quarantined VPN access

Page 34

How to Prepare the Listener Component

Installs RQS as a Network Quarantine Service
Creates an access rule that allows communication on port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network
Modifies registry keys on the computer running ISA Server so that RQS will work with ISA Server
Starts the RQS service

Command for running ConfigureRQSforISA.vbs:
Cscript ConfigureRQSForISA.vbs /install SharedKey1\0SharedKey2 pathtoRQS.exe

Page 35

How to Enable Quarantine Control

Define timeout value

Page 36

How to Configure Internet Authentication Service for Quarantine Control

To configure IAS for quarantine control:

Install the listener component on the server

Page 37

How to Configure Quarantine Access Rules

To configure the access rules for VPN quarantine:
Create access rules with the Quarantined VPN Clients network as the source and appropriate servers or networks as the destination
Configure access rules that:
 Enable the notification component to communicate with the listener component
 Enable access to required network services such as domain controllers or DNS
 Enable access to resources that are needed to meet the quarantine requirements on the VPN clients

Page 38

Practice: Configuring ISA Server to Support VPN Quarantine

Reviewing the quarantine client-side script
Installing and configuring the Network Quarantine Service
Enabling quarantine control
Creating a Connection Manager profile
Installing a Connection Manager profile
Testing a VPN quarantine connection

[Diagram: Den-Clt-01, Den-ISA-01, Den-DC-01]

Posted: 27/02/2014, 05:20
