Create a VPN in Windows Server 2008

  • Tuesday, March 03, 2009 6:27 PM  vtortola
    Hi there,

    I'd like to ask for advice about setting up a VPN with WS2008.

    What we have:
    • Our network consists of a router that holds a public static IP address and does NAT to the local network.
    • The domain server is a Windows Server 2008 Standard x64; it has a static local IP address and is where we want to set up the VPN service.
    • The client machines are Vista SP1 x86, Windows XP SP3 x86 and one Windows XP SP2 x64; they will connect from heterogeneous networks (sometimes PPP connections, sometimes NATed connections, sometimes direct connections... who knows...).
    • We can have ISA Server 2006 Standard/Enterprise if required (or whichever Microsoft software).

    What I want:
    • Encrypted connection.
    • Authentication.
    • It would be nice to have "smart cards" if it is not very complex to do :P (I'm willing to learn whatever is needed but I don't want to do something hard to maintain).
    • If smart cards are not possible or are very complicated, another kind of certificates... something that disallows outsiders from even trying to connect.
    • Secure; the server contains valuable work.

    I saw that WinXP SP3 has no SSTP support (I had to read the post 3 times to be sure Microsoft had done that, what a shot in its own foot lol).

    I know IPSec has some problems with NAT, although there are techniques like NAT-T that allow it to work.

    What would be the best approach to fit the requirements?

    For example, will L2TP/IPSec work with NATed connections?

    Any good manual/tutorial for doing this?

    Thanks in advance.

    Kind regards.

    .: Valeriano Tórtola - MCPD 2.0:Windows Developer & Enterprise Applications :.: http://www.vtortola.net :.

All Replies

  • Wednesday, March 04, 2009 3:52 AM  Shilpesh Desai MSFT
    Answer
    + You need to configure your router to forward VPN packets to your internal RRAS box
    + Configure the server to act as VPN server and router
    + Configure L2TP/IPSec for encryption
    + The Windows box will allow VPN connections only if they have the right credentials
    + Smart cards will be an add-on authentication, definitely complex to set up
    + SSTP would be a good feature, but only Vista SP1 clients will be able to use it. As you have mentioned, XP clients will be unable to connect using SSTP.

    http://technet.microsoft.com/en-us/library/cc731352.aspx

    http://download.microsoft.com/download/8/9/0/890C2C54-EE49-4743-A5B0-1F3AD7C36721/Step-by-Step_Deploy_Remote_Access_with_VPN_Reconnect.doc

    Hope this helps.
    • Marked As Answer by vtortola, Friday, March 06, 2009 10:41 AM
  • Wednesday, March 04, 2009 11:18 AM  vtortola
    Humm...

    Is it possible to avoid the server acting as a router? I don't like the idea of exposing the machine directly on the internet... although there would be a firewall :P

    Thanks for the docs. SSTP looks very sexy; it is a shame that there is no support in XP :( But we are not going to migrate to Vista only for that.

    I'm going to take a look at the documents now.

    Cheers.

    .: Valeriano Tórtola - MCPD 2.0:Windows Developer & Enterprise Applications :.: http://www.vtortola.net :.
  • Thursday, March 05, 2009 6:41 AM  Shilpesh Desai MSFT
    Answer
    I mean any Server OS; it can be a member server as well. If you would like to use a standalone server, use IAS for Windows authentication. I agree that the DC should not be acting as the RRAS/VPN server.

    You don't need to expose your VPN/RRAS box to the internet; you can use the following design:

    Internet<<------->>Firewall (Port forwarding)<<------>> RRAS box (internal IP)== Internal network.

    The VPN server can be configured with a single NIC, which means it can be part of the internal network; we just need to configure the edge firewall to forward the relevant packets to the VPN server.

    Hope this helps.

    • Marked As Answer by vtortola, Friday, March 06, 2009 10:40 AM
  • Thursday, March 05, 2009 7:09 AM  Sainath IRP_MJ_CREATE MVP
    Answer
    Hi Vtortola,

    "Is it possible to avoid the server acting as a router?"

    Yes, it is possible to avoid the server acting as a router, provided you have an external device configured as the VPN server, e.g. Cisco routers.

    sainath Windows Driver Development
    • Marked As Answer by vtortola, Friday, March 06, 2009 10:40 AM
  • Thursday, March 05, 2009 3:32 PM  vtortola
    Proposed Answer
    Shilpesh, Sainath, would it be a problem if there is a router doing NAT in the firewall? I mean, between the internet and the RRAS box. I read about several problems with IPSec and NAT, and I also know that NAT-T exists... but I don't know how that is related to the implementation in Windows Server.

    Cheers.

    .: Valeriano Tórtola - MCPD 2.0:Windows Developer & Enterprise Applications :.: http://www.vtortola.net :.
  • Friday, March 06, 2009 6:19 AM  Shilpesh Desai MSFT
    Answer
    + According to my design, we will use PAT and not NAT. If we have NAT in between, we need to have functionality/support for NAT-T.
    • Marked As Answer by vtortola, Friday, March 06, 2009 10:40 AM
  • Friday, March 06, 2009 8:44 AM  Sainath IRP_MJ_CREATE MVP
    Answer
    Hi there,

    Putting a server behind a NAT device will induce many problems and undesired behaviors.
    Please take a look at this article:

    http://support.microsoft.com/kb/926179

    Also, I would like to explain some of the features provided within the Windows 2008 firewall, which has advanced firewall settings that were not present in earlier flavours of the firewall.

    Windows Server 2008 introduces a new and improved firewall: the Windows Firewall with Advanced Security. The new Windows firewall introduces many improvements and is very similar to the firewall that was included with Windows Vista. Features included with the new Windows Firewall with Advanced Security include:

    • Granular inbound access control
    • Granular outbound access control
    • Tight integration with the Windows Server 2008 Server Manager, with automatic configuration of the firewall when services are installed using the Server Manager
    • Highly improved IPsec policy configuration and management, and a name change. IPsec policies are now referred to as Connection Security Rules
    • Improved monitoring of firewall policy
    • Improved monitoring of IPsec policies (now called Connection Security Rules)
    • Improved centralized monitoring of Main and Quick Mode Security Associations

    sainath Windows Driver Development
    • Marked As Answer by vtortola, Friday, March 06, 2009 10:40 AM
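    The design the replies converge on (an internal, single-NIC RRAS server reached through an edge device that forwards only the L2TP/IPsec ports, with NAT-T because a NAT/PAT device is in the path) can be scripted so that the port list, the host-firewall rules and the listener check all agree. The block below is an added example; it is not code from the thread, from Microsoft, or from the linked articles. It uses netsh because the NetSecurity PowerShell cmdlets did not exist on Server 2008. The function names, the rule names and the port list are my own; the registry value in the client function is given from my reading of KB 926179 (linked above), which is about the client side of an L2TP/IPsec server behind NAT.

```powershell
# Added example (not from the thread): scripts the port-forwarding design above for a
# single-NIC Windows Server 2008 RRAS box behind an edge NAT/PAT device. Run elevated.
# Function names, rule names and the $VpnPorts list are my own assumptions.

$ErrorActionPreference = 'Stop'

# The only ports the edge device has to forward to the RRAS server's internal address.
# With NAT-T, ESP travels inside UDP 4500, so IP protocol 50 needs no forward of its own.
# Keeping the list this short is the point of the design: the box is not an exposed host
# and nothing else on it is reachable from the Internet.
$VpnPorts = @(
    @{ Name = 'VPN-IKE';   Port = 500;  Purpose = 'IKE negotiation' },
    @{ Name = 'VPN-NAT-T'; Port = 4500; Purpose = 'IPsec NAT-T (ESP in UDP)' },
    @{ Name = 'VPN-L2TP';  Port = 1701; Purpose = 'L2TP; RRAS only accepts it inside the IPsec tunnel' }
)

# Run on the RRAS server: inbound host-firewall rules for the three UDP ports only.
function Set-VpnHostFirewallRules {
    foreach ($p in $VpnPorts) {
        # Delete any earlier copy first so the script can be re-run without duplicate rules.
        netsh advfirewall firewall delete rule "name=$($p.Name)" | Out-Null
        netsh advfirewall firewall add rule "name=$($p.Name)" dir=in action=allow `
            protocol=UDP "localport=$($p.Port)" profile=any | Out-Null
        Write-Host ("allow UDP {0,-4} in  ({1})" -f $p.Port, $p.Purpose)
    }
}

# Run on the RRAS server after the Routing and Remote Access role is configured:
# checks that the service is running and that something is actually bound to each
# forwarded port, so a forward does not silently go nowhere. Returns $true when all
# three ports are bound.
function Test-VpnListeners {
    $svc = Get-Service RemoteAccess
    if ($svc.Status -ne 'Running') {
        Write-Warning "RemoteAccess service is $($svc.Status); forwarded packets will be dropped."
        return $false
    }
    $udp = netstat -an -p UDP          # lines look like: UDP  0.0.0.0:500  *:*
    $ok  = $true
    foreach ($p in $VpnPorts) {
        $bound = $udp | Select-String -Pattern (":{0}\s" -f $p.Port)
        if (-not $bound) {
            Write-Warning "UDP $($p.Port) is not bound; the $($p.Name) forward has no listener."
            $ok = $false
        }
    }
    return $ok
}

# Run on each Windows Vista SP1 client. KB 926179 (linked in the reply above) covers a
# Vista/Server 2008 client connecting to an L2TP/IPsec server that sits behind NAT; the
# value below is the one that article sets (stated from my reading of it, not from the
# thread). 2 = server and client may both be behind NAT, which matches "heterogeneous
# networks". A reboot (or IPsec Policy Agent restart) is needed before it takes effect.
# XP SP2/SP3 clients use the same value name under Services\IPSec, documented in a
# separate KB that this thread does not link; verify before relying on that.
function Enable-VpnClientNatT {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    Set-ItemProperty -Path $key -Name 'AssumeUDPEncapsulationContextOnSendRule' -Value 2 -Type DWord
    Write-Host 'Client may now negotiate IPsec NAT-T to a server behind NAT; reboot to apply.'
}

# Usage on the RRAS server:   Set-VpnHostFirewallRules; Test-VpnListeners
# Usage on each Vista client:  Enable-VpnClientNatT
```

    The host-firewall rule on UDP 1701 is deliberately the same shape as the others; it does not by itself expose L2TP, because RRAS only accepts L2TP frames that arrived inside an IPsec security association, and the edge device is forwarding three UDP ports rather than the whole host. If Test-VpnListeners reports a port without a listener, the forward on the edge device should be disabled until the role is configured, so that the hole does not outlive the reason for it.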
  • Friday, March 06, 2009 10:40 AM  vtortola
    Thanks guys, I think I've got enough information to give my boss a couple of options :D

    Thanks a lot!
    .: Valeriano Tórtola - MCPD 2.0:Windows Developer & Enterprise Applications :.: http://www.vtortola.net :.