Enhancements for Connecting Remote Users and Networks in Windows 7 CHAPTER 27 1303 How DirectAccess Works DirectAccess is built on several different technologies as described in the next sections. ACTIVE DIRECTORY DOMAIN SERVICES An Active Directory Domain Services (AD DS) infrastructure is required for DirectAccess, with at least one domain controller in the domain running Windows Server 2008 or later versions. DirectAccess clients and servers must be domain members. WINDOWS 7 AND WINDOWS SERVER 2008 R2 Client computers must be running Windows 7 Enterprise or Ultimate operating systems or Windows Server 2008 R2 to use DirectAccess. In addition, at least one server on the corporate network must be running Windows Server 2008 R2 so it can act as the DirectAccess server. This server typically resides on your perimeter network and acts as both a relay for IPv6 traffic and also an IPsec gateway. IP V 6 DirectAccess uses IPv6 to enable client computers to maintain constant end-to-end connec- tivity with remote intranet resources over a public Internet connection. Because most of the public Internet currently uses IPv4, however, DirectAccess can use IPv6 transition technologies such as Teredo and 6to4 to provide IPv6 connectivity over the IPv4 Internet. The preferred connectivity method for the client computer depends on the type of IP address assigned to the client. Specifically: n If the client is assigned a globally routable IPv6 address, the preferred connectivity method is to use this address. n If the client is assigned a public IPv4 address, the preferred connectivity method is to use 6to4. n If the client is assigned a private (NAT) IPv4 address, the preferred connectivity method is to use Teredo. n If the client is assigned a private (NAT) IPv4 address and the NAT device also provides 6to4 gateway functionality, 6to4 will be used. If none of these connectivity methods can be used in a particular scenario, DirectAccess can also use IP-HTTPS, a new protocol developed by Microsoft for Windows 7 and Windows Server 2008 R2, which enables hosts located behind a Web proxy server or firewall to estab- lish connectivity by tunneling IPv6 packets inside an IPv4-based HTTPS session. For more information about IPv6 transition technologies and about IP-HTTPS, see Chapter 28, “Deploy- ing IPv6.” For remote client computers to use DirectAccess to connect to computers on the internal corporate network, these computers and their applications must be reachable over IPv6. This means the following: Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. CHAPTER 27 Connecting Remote Users and Networks 1304 n The internal computers and the applications running on them support IPv6. Computers running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2 support IPv6 and have IPv6 enabled by default. n You have deployed native IPv6 connectivity or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) on your intranet. ISATAP allows your internal servers and applications to be reachable by tunneling IPv6 traffic over your IPv4-only intranet. For computers and applications that do not support IPv6, you can use a Network Address Translation-Protocol Translation (NAT-PT) device to translate IPv6 and IPv4 traffic. Microsoft recommends using IPv6-capable computers and applications and native IPv6 or ISATAP-based connectivity over the use of NAT-PT devices. IPSEC DirectAccess uses IPsec to provide protection for DirectAccess traffic across the Internet. IPsec policies are used for authentication and encryption of all DirectAccess traffic across the Internet. These policies can also be used to provide end-to-end traffic protection between DirectAccess clients and intranet resources. These policies are configured and applied to client computers using Group Policy. For more information on IPsec and how to configure it, see Chapter 26. PUBLIC KEY INFRASTRUCTURE A Public Key Infrastructure (PKI) is required to issue computer certificates for authentication, issue health certificates when NAP has been implemented, and providing certificate revoca- tion checking services. These certificates can be issued by a certification authority (CA) on the internal network—they do not need to be issued by a public CA. PERIMETER FIREWALL EXCEPTIONS If your corporate network has a perimeter firewall, the following traffic to and from the DirectAccess server over the IPv4 Internet must be allowed: n UDP port 3544 for Teredo traffic n IPv4 protocol 41 for 6to4 traffic n TCP port 443 for IP-HTTPS traffic If you need to support client computers that connect over the IPv6 Internet, the following traffic to and from the DirectAccess server must be allowed: n Internet Control Message Protocol version 6 (ICMPv6) n UDP port 500 n IPv4 protocol 50 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Enhancements for Connecting Remote Users and Networks in Windows 7 CHAPTER 27 1305 SMART CARDS DirectAccess also supports the optional use of smart cards for authenticating remote users. Implementing DirectAccess To implement DirectAccess on the server side, you need a computer running Windows Server 2008 R2 with two physical network adapters and at least two consecutive public IPv4 addresses that can be externally resolved through the Internet DNS. You can add the DirectAccess Management Console feature using Server Manager and then use the DirectAccess Setup Wizard in the DirectAccess Management Console to configure DirectAccess on your network. For more information on setting up the server side of DirectAccess, click the Help links in the DirectAccess Management Console. To implement DirectAccess on the client side, your client computers must be running Windows 7 Enterprise or Ultimate Edition, be domain joined, and be a member of a security group for DirectAccess clients. Initial configuration is done automatically by the DirectAccess Setup Wizard for the members of the specified security groups for DirectAccess clients. Additional client configuration can be done using Group Policy settings or with scripts. MoRe inFo For more information on deploying a DirectAccess solution for your organization, see the technical documentation found on the DirectAccess page on TechNet at http://technet.microsoft.com/en-us/network/dd420463.aspx. See also the product documentation at http://www.microsoft.com/directaccess/. Understanding BranchCache BranchCache is a new feature of Windows 7 and Windows Server 2008 R2 that allows content from file servers and Web servers at a central office to be cached on computers at a local branch office, thus improving application response time and reducing WAN traffic. This sec- tion provides an overview of the benefits of BranchCache, how it works, and how it can be implemented. Benefits of BranchCache BranchCache can provide the following benefits to enterprises and their users: n Reduces WAN link utilization By enabling branch office clients to use locally cached copies of files instead of having to download them from the central office over the WAN, BranchCache reduces WAN link utilization, thus freeing up bandwidth for other applications that need to use the WAN. n Improves user productivity and reduces application response time Opening a file located on a remote file server from a locally cached version of the file is typi- cally much faster than downloading the file over a slow WAN link. BranchCache thus Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. CHAPTER 27 Connecting Remote Users and Networks 1306 increases user productivity when accessing content over the WAN for applications that use Server Message Block (SMB; for example, using Microsoft Office Word to open a document stored in a shared folder on a file server) or HTTP/HTTPS (for example, using Windows Internet Explorer to open a page on an intranet Web site or using Windows Media Player [WMP] to play a video embedded in an intranet Web page). BranchCache adds significant value to Windows 7 and Windows Server 2008 R2 with little overhead by providing significant bandwidth savings and an improved user experience. BranchCache doesn’t require additional equipment in the branch offices, is easy to deploy, supports your existing security requirements, and can be easily managed using Group Policy. How BranchCache Works Depending on how you implement it, BranchCache can function in one of two modes: n Hosted Cache This scenario uses a client/server architecture in which clients running Windows 7 at a branch office site cache the content they’ve downloaded over the WAN from the central office to a Windows Server 2008 R2 computer (called the Hosted Cache) located at the same branch office site. Other clients that need this content can then retrieve it directly from the Hosted Cache without needing to use the WAN link. Hosted Cache mode does not require a dedicated server. The BranchCache feature can be enabled on a server that is running Windows Server 2008 R2, which is located in a branch that is also running other workloads. In addition, BranchCache can be set up as a virtual workload and can run on a server with other workloads, such as File and Print. n Distributed Cache This scenario uses a peer-to-peer architecture in which Windows 7 clients cache content that they retrieve by using the WAN, and then they send that content directly to other authorized Windows 7 clients on request. Distributed Cache mode allows IT professionals to take advantage of BranchCache with minimal hardware deployments in the branch office. However, if the branch has deployed other infrastructure (for example, servers running workloads such as File or Print), using Hosted Cache mode may be beneficial for the following reasons: • Increased cache availability Hosted Cache mode increases the cache efficiency, because content is available even if the client that originally requested the data is offline. • Caching for the entire branch office Distributed Cache mode operates on a single subnet. If a branch office that is using Distributed Cache mode has multiple subnets, a client on each subnet needs to download a separate copy of each requested file. With Hosted Cache mode, all clients in a branch office can access a single cache, even if they are on different subnets. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Enhancements for Connecting Remote Users and Networks in Windows 7 CHAPTER 27 1307 Protocols Supported by BranchCache BranchCache supports the SMB 2 and HTTP 1.1 protocols. Applications do not need to directly communicate with BranchCache, although they can if they need to. However, applications accessing SMB and HTTP interfaces in the Windows 7 and Windows Server 2008 R2 operating systems automatically benefit from BranchCache. Consequently, applications like Windows Explorer, Robocopy CopyFile, WMP, Internet Explorer, and Silverlight automatically benefit. These benefits are also realized when using HTTPS, IPsec, or SMB signing. However, applications that implement SMB or HTTP stacks will not benefit from BranchCache, because BranchCache optimizations are leveraged directly by the SMB and HTTP protocol stack implementations in the Windows 7 and Windows Server 2008 R2 operating systems. Implementing BranchCache To implement BranchCache for a file server located at your central site, the file server must be running Windows Server 2008 R2 and you must install the BranchCache For Network Files role service of the File Services role on the server using the Add Roles Wizard. After doing this, you must also configure the shares on your file server to use BranchCache. Using Group Policy, you can enable or disable BranchCache on all your file server’s shares, or you can mark specific shares to use BranchCache. To implement BranchCache for a Web or application server located at your central site, the Web or application server must be running Windows Server 2008 R2, and you must install the BranchCache feature on the server using the Add Features Wizard. After doing this, you must also start the BranchCache service on your Web or application server by typing netsh BranchCache set service mode=local at an administrative-level command prompt. To configure a computer running Windows Server 2008 R2 located at a branch office as a Hosted Cache server, you must install the BranchCache feature on the server, enable the fea- ture and configure it to use Hosted Cache server mode, and install a certificate that is trusted by your client computers on the server. To configure clients running Windows 7 located at a branch office to use BranchCache, you must enable BranchCache on the computers, configure the computers to use either Distrib- uted Cache mode or Hosted Cache mode as needed, and open the necessary exceptions in Windows Firewall to allow the computers to access the cache on other computers at the site. BranchCache can be enabled and configured on computers running Windows 7 either by using Group Policy or by using the netsh branchcache context of the Netsh command. MoRe inFo For more information on deploying a BranchCache solution for your organi- zation, see the documentation found on the BranchCache section of the Networking and Access Technologies TechCenter on Microsoft TechNet at http://technet.microsoft.com /en-us/network/dd425028.aspx. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. CHAPTER 27 Connecting Remote Users and Networks 1308 Supported Connection Types Windows 7 supports both outgoing and incoming network connections. For outgoing connections, the computer running Windows 7 acts as a client that connects to a remote computer, server, or network to access remote resources. For incoming connections, Windows 7 acts as a server to allow other computers to connect to the computer and access resources on it. Outgoing Connection Types As Windows Vista did before it, Windows 7 supports a number of different types of outgoing (client-side) network connections: n LAN or high-speed Internet connections Connections to an Ethernet LAN or broadband router providing high-speed access to the Internet. LAN connections are computer-to-network connections that Windows creates automatically when it detects the presence of an installed network interface card (NIC). Internet connections are computer-to-network connections that you can create and configure manually using the Set Up A Connection Or Network wizard to provide Internet access using a broad- band Digital Subscriber Line (DSL) adapter or cable modem, an Integrated Services Digital Network (ISDN) modem, or an analog (dial-up) modem. Broadband Internet connections use Point-to-Point Protocol over Ethernet (PPPoE); dial-up Internet con- nections use Point-to-Point Protocol (PPP). n Wireless network connections Connections to a WLAN through a wireless access point or wireless router. Wireless network connections are computer-to-network con- nections that you can create and configure manually using the Set Up A Connection Or Network wizard, provided that the computer has a wireless network adapter installed. Wireless network connections may be either secured or unsecured, depending on how the access point has been configured. n Wireless ad hoc connections Connections to another computer that is enabled for wireless networking. Wireless ad hoc connections are temporary computer-to- computer connections that you can use to share files between users. n Wireless routers or access points Devices used to network wireless-enabled computers primarily for Small Office/Home Office (SOHO) environments so that users can share files and printers and connectivity to the Internet. Setting up this type of connection in Windows Vista using the Connect To A Network wizard requires that the computer has a wireless network adapter installed or attached to the computer and the presence of an external wireless router or wireless access point device that can be configured. n Dial-up connections Connections to a remote access server (RAS server) or modem pool at a remote location. Dial-up connections are computer-to-server or computer- to-network connections that you can create and configure manually using the Set Up Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Supported Connection Types CHAPTER 27 1309 A Connection Or Network wizard, provided that the computer has an analog or ISDN modem installed or connected to it. Dial-up connections either provide remote access to corporate networks or dial-up access to the Internet using the services of an Inter- net service provider (ISP). n VPN connections Connections to a remote workplace by tunneling over the Internet. VPN connections work by creating a secure tunnel that encapsulates and encrypts all traffic between the client computer and the remote corporate network. This tunnel creates a secure private link over a shared public infrastructure such as the Internet. After the user is connected, her experience on the client computer is similar to what it would be if her computer were directly attached to the remote LAN (with performance limitations depending on the speed of the remote connection), with the exception of any restrictions imposed on remote connections by the network administrator. VPN connections are computer-to-server or computer-to-network connections that you can create and configure manually using the Set Up A Connection Or Network wizard. VPN connections can use Internet connectivity, or they can establish an existing broadband Internet connection or an existing analog or ISDN dial-up connection to obtain the Internet connectivity they require. The rest of this chapter describes how to create and manage VPN and dial-up connections. For information about LAN and wireless connections in Windows 7, see Chapter 25, “Config- uring Windows Networking.” Incoming Connection Types As Windows Vista did before it, Windows 7 supports the following types of incoming (server- side) network connections: n Incoming VPN connections Connections from a remote computer by tunneling over the Internet, using either a broadband Internet connection or a dial-up connec- tion to an ISP n Incoming dial-up connections Connections from a remote computer using an analog or ISDN modem For more information on how to create and configure incoming connections, see the section titled “Configuring Incoming Connections” later in this chapter. Deprecated Connection Types The following connection technologies supported in Windows XP were deprecated in Windows Vista and are no longer available in Windows 7: n X.25 n Microsoft Ethernet permanent virtual circuit (PVC) n Direct cable connection using a serial, parallel, universal serial bus (USB), or IEEE 1394 cable Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. CHAPTER 27 Connecting Remote Users and Networks 1310 note Most types of network connections available in Windows 7 support IPv6 out of the box and can be used to establish pure-IPv6 connectivity with remote servers or networks (provided they support incoming IPv6 connections). More information concerning IPv6 support for network connections in Windows 7 is provided throughout this chapter where appropriate. Configuring VPN Connections Windows 7 supports both outgoing and incoming VPN connections. For outgoing connec- tions, Windows 7 is the client and connects to a VPN server on a remote network, usually the corporate intranet. For incoming connections, Windows 7 acts as a server and allows a remote client computer to establish a VPN connection between the two computers. In enterprise environments, outgoing VPN connections are commonly used to allow mobile users to securely access resources on the corporate intranet from remote locations. Incoming VPN connections to client computers are rarely used in enterprise environments, so most of this discussion deals with outbound connections only. For information on how to create and configure an inbound connection on Windows 7, see the section titled “Configuring Incoming Connections” later in this chapter. Supported Tunneling Protocols Windows 7 supports four different tunneling protocols for creating secure VPN connections to remote corporate networks: n Internet Key Exchange version 2 New in Windows 7, IKEv2 is an updated version of the IKE protocol that uses the IPsec tunnel mode over UDP port 500. IKEv2 enables VPN connections to be maintained when the VPN client moves between wireless hotspots or switches from a wireless to a wired connection. Using IKEv2 and IPsec together enables support for strong authentication and encryption methods. IKEv2 is documented in RFC 4306. n Secure Socket Tunneling Protocol Supported in Windows Vista Service Pack 1 (SP1) and later versions, SSTP encapsulates PPP frames over HTTPS (HTTP over Secure Sockets Layer [SSL]) to facilitate VPN connectivity when a client is behind a firewall, NAT, or Web proxy that allows outgoing TCP connection over port 443. The SSL layer provides data integrity and encryption while PPP provides user authentication. SSTP was introduced in Windows Vista SP1 and Windows Server 2008. SSTP was developed by Microsoft and the SSTP protocol specification can be found on MSDN at http://msdn.microsoft.com/en-us/library/cc247338.aspx. n Layer Two Tunneling Protocol An industry-standard Internet tunneling protocol designed to run natively over IP networks and which encapsulates PPP frames like Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Configuring VPN Connections CHAPTER 27 1311 PPTP does. Security for L2TP VPN connections is provided by IPsec, which provides the authentication, data integrity, and encryption needed to ensure that L2TP tunnels are protected. The combination of L2TP with IPsec for tunneling purposes is usually referred to as L2TP over IPsec or L2TP/IPsec. L2TP/IPsec is documented in RFC 3193, while L2TP is documented in RFC 2661. n Point-to-Point Tunneling Protocol An open industry standard developed by Microsoft and others, PPTP provides tunneling over PPP frames (which themselves encapsulate other network protocols such as IP) and uses PPP authentication, compres- sion, and encryption schemes. PPTP was first introduced in Microsoft Windows NT 4.0 and is simpler to set up than L2TP, but it does not provide the same level of security as L2TP. PPTP is documented in RFC 2637. Comparing the Different Tunneling Protocols Table 27-1 compares the four different tunneling protocols that are available in Windows 7 and Windows Server 2008 R2. TABLE 27-1 Comparison of VPN Tunneling Protocols Supported by Windows 7 and Windows Server 2008 R2 PROTOCOL PROVIDES DATA CONFIDENTIALITY PROVIDES DATA INTEGRITY PROVIDES DATA AUTHENTICATION REQUIRES A PUBLIC KEY INFRASTRUCTURE SUPPORTED VERSIONS IKEv2 Yes Yes Yes Yes Windows 7, Windows Server 2008 R2, and later versions SSTP Yes Yes Yes Yes for issuing computer certificates Windows Vista SP1, Windows Server 2008, and later versions L2TP/IPsec Yes Yes Yes Recommended for issuing computer certificates; an alternative is using a pre-shared key Microsoft Windows 2000 and later versions PPTP Yes No No No Windows 2000 and later versions Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. CHAPTER 27 Connecting Remote Users and Networks 1312 Microsoft recommendations for choosing the right tunneling protocol for providing VPN access to your corporate network are as follows: n For client computers running Windows 7 and VPN servers running Windows Server 2008 R2, implement IKEv2 as your tunneling protocol. In addition to providing data confidentiality, data integrity, and data origin authentication (to confirm that the data was sent by the authorized user), IKEv2 provides resiliency to VPN connections using MOBIKE, which enables VPN connections to be maintained when the underlying Layer 2 network connectivity changes. n For client computers running Windows 7 and VPN servers running Windows Server 2008 RTM or SP2, use SSTP as a fallback tunneling protocol. This way, whenever an IKEv2 tunnel connection is blocked due to a firewall configuration or some other issue, the client can use SSTP to achieve VPN connectivity to the corporate network. For more information about the order in which different tunneling protocols are used during a VPN connection attempt, see the section titled “Understanding the VPN Connection Negotiation Process” later in this chapter. n For client computers running Windows 7 that need to connect to VPN servers running older versions of Windows, use L2TP/IPsec if a PKI is available; otherwise use PPTP. note Microsoft may remove support for L2TP/IPsec and PPTP in future versions of Windows, so enterprises deploying Windows 7 should implement IKEv2 with SSTP fallback as their VPN solution wherever possible. Understanding Cryptographic Enhancements Beginning with Windows Vista, support for cryptographic algorithms and protocols used for data integrity, encryption, and authentication is now updated to increase VPN security. These updates include: n Addition of support for the Advanced Encryption Standard (AES). n Removal of support for weak cryptographic algorithms. n Removal of support for less secure authentication protocols. The sections that follow provide more details concerning these security enhancements. Support for AES Support for the AES was first added in Windows Vista. AES is a Federal Information Process- ing Standard (FIPS) encryption standard developed by the National Institute of Standards and Technology (NIST) that supports variable key lengths and that replaces Data Encryption Standard (DES) as the standard encryption algorithm for government and industry. For L2TP/ IPsec–based VPN connections, the following AES encryption levels are supported in Windows Vista and later versions: Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. [...]... crypto support on your VPN clients Table 27- 2 summarizes the differences between Windows 7, Windows Vista, and Windows XP with regard to crypto support for data integrity and encryption for VPN connections Table 27- 2  Data Integrity and Encryption Support for VPN Connections in Windows 7, Windows Vista, and Windows XP Crypto Algorithm Use Windows 7 Windows Vista Windows XP 40-bit RC4 3 56-bit RC4 1314... authentication schemes And although PPTP in Windows 7 no longer supports MD5 for data integrity checking using L2TP/IPsecbased VPN connections, support for MD5 usage in CHAP has been maintained because of the continuing popularity of this authentication protocol with many broadband- and dial-up– based ISPs Table 27- 3 summarizes the differences between Windows 7, Windows Vista, and Windows XP with regard to user... Table 27- 3, L2TP/IPsec also supports machine-level authentication (using either pre-shared keys or machine certificates), and SSTP supports the client validating the server (using the certificate sent by the server to the client during the SSL negotiation phase) Table 27- 3  Authentication Protocols Supported for VPN Connections in Windows 7, Windows Vista, and Windows XP Authentication Protocol PAP Windows. .. a 64-bit version of Windows only To create 64-bit connection profiles, use the Add Features Wizard to install the CMAK feature on a computer running Windows Server 2008 R2 To create 42-bit connection profiles, use the Turn Windows Features On Or Off option to install the RAS CMAK feature on a computer running a 32-bit version of Windows 7 What Will Happen if I Connect a Windows 7 Client to a VPN Server... about configuring Windows Server 2008 VPN servers including Network Policy Server (NPS) servers, see the Windows Server 2008 Networking and Network Access Protection (NAP)” volume in the Windows Server 2008 Resource Kit” from Microsoft Press at http://www.microsoft.com/learning/en/us/books/11160.aspx In addition to creating and configuring new connections on clients running Windows 7, administrators... 1314 Data encryption and integrity checking for PPTP only Data encryption and integrity checking for PPTP only 3 Chapter 27 Connecting Remote Users and Networks Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark Crypto Algorithm Use Windows 7 Windows Vista Windows XP 3 3 3 128-bit RC4 Data encryption and integrity checking for PPTP only DES Data encryption 3DES Data encryption... After a successful switchover, the user’s VPN connection is reconnected Chapter 27 Connecting Remote Users and Networks Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark Configuring Dial-Up Connections Windows 7 supports both outgoing and incoming dial-up connections For outgoing connections, Windows 7 is the client and connects to either a remote access server (RAS server) on... top of” the VPN tunnel, the client running Windows 7 will try to get an IPv4 as well as an IPv6 address from the VPN server, but it will get only an IPv4 address Hence the connection will still go through In other words, the connection fails only if you cannot get both IPv4 and IPv6 addresses on top of the VPN tunnel What Will Happen if I Connect a Windows 7 Client to a VPN Server That Doesn’t Support... Supported for VPN Connections in Windows 7, Windows Vista, and Windows XP Authentication Protocol PAP Windows 7 3 Windows Vista 3 SPAP CHAP 3 3 3 3 MS-CHAP MS-CHAPv2 Windows XP 3 3 3 3 EAP with MD5 challenge 3 3 EAP with smart card 3 3 EAP with other certificate 3 3 3 PEAP 1316 3 3 3 Chapter 27 Connecting Remote Users and Networks Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark... Configuring VPN Connections  Chapter 27 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 1321 attempting to establish a connection, or you could create a connection that tries each tunneling protocol in a specified order Note  You must use the new Windows Server 2008 R2 version of CMAK to create and configure connections for clients running Windows 7 Creating a VPN Connection To . TABLE 27- 2 Data Integrity and Encryption Support for VPN Connections in Windows 7, Windows Vista, and Windows XP CRYPTO ALGORITHM USE WINDOWS 7 WINDOWS. TABLE 27- 3 Authentication Protocols Supported for VPN Connections in Windows 7, Windows Vista, and Windows XP AUTHENTICATION PROTOCOL WINDOWS 7 WINDOWS