VPN 70-680 Study Guide - Configure Remote Connections
http://www.mcmcse.com/microsoft/guides/70-680/remote_connections.shtml

Introduction to VPNs:

A VPN is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP) or PPTP. In effect, the protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a "tunnel" that cannot be "entered" by data that is not properly encrypted.

Although not every edition of Windows 7 supports DirectAccess, every edition of Windows 7 supports VPN using the PPTP, L2TP/IPsec, SSTP, and IKEv2 protocols, which are discussed below.

Point-to-Point Tunneling Protocol (PPTP) - Based on PPP, the Point-to-Point Tunneling Protocol (PPTP) provides for the secure transfer of data from a remote client to a private server by creating a multi-protocol Virtual Private Network (VPN) which encapsulates PPP packets into IP datagrams. PPTP is considered to have weak encryption and authentication; therefore, IPsec is typically preferred.

Layer 2 Tunneling Protocol (L2TP) / IP security (IPsec) - L2TP is the next-generation tunneling protocol, partially based on PPTP. L2TP acts as a data link layer (layer 2 of the OSI model) protocol for tunneling network traffic between two peers over an existing network (usually the Internet). It is common to carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec.
IPsec ensures confidentiality, integrity, and authenticity of data communications across a public network. IPsec is made up of two different protocols: AH and ESP. AH (Authentication Header) is responsible for authenticity and integrity, while ESP (Encapsulating Security Payload) encrypts the payload.

Secure Socket Tunneling Protocol (SSTP) - A tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking.

Internet Key Exchange (IKEv2) - IKEv2 is a tunneling protocol that uses the IPsec Tunnel Mode protocol over UDP port 500. An IKEv2 VPN is useful when the client moves from one wireless hotspot to another or when it switches from a wireless to a wired connection. The use of IKEv2 and IPsec provides strong authentication and encryption methods. Windows 7 is the first Microsoft operating system to support this protocol.

By default, the VPN type is set to Automatic. You can configure a connection to use a specific VPN protocol, but if you do this, Windows 7 does not try other VPN protocols if the protocol you select is not available. When the VPN connection type is set to Automatic, Windows 7 attempts to make a connection using the most secure protocol.

VPN Authentication Protocols:

Remote access in Windows 7 supports the authentication protocols listed below, in order of increasing security.

PAP - This protocol uses plaintext passwords. It is typically used if the remote access client and remote access server cannot negotiate a more secure form of validation. PAP is the least secure authentication protocol.
It does not protect against replay attacks, remote client impersonation, or remote server impersonation. PAP is not enabled by default for Windows 7 and is not supported by remote access servers running Windows Server 2008.

CHAP - CHAP uses a 3-way handshake in which the authentication agent sends the client program a key to be used to encrypt the user name and password. CHAP uses the Message Digest 5 (MD5) hashing scheme to encrypt the response. CHAP is an improvement over PAP in that the password is not sent over the PPP link. CHAP requires a plaintext version of the password to validate the challenge response. CHAP does not protect against remote server impersonation. Although remote access servers running Windows Server 2008 do not support this protocol, it is enabled by default for Windows 7 VPN connections to support legacy VPN connections.

MS-CHAP v2 - Supports two-way mutual authentication. The remote access client receives verification that the remote access server that it is dialing in to has access to the user's password. MS-CHAP v2 provides stronger security than CHAP.

EAP-MSCHAPv2 - Allows for arbitrary authentication of a remote access connection through the use of authentication schemes known as EAP types. EAP offers the strongest security by providing the most flexibility in authentication variations. This protocol requires the installation of a computer certificate on the VPN server.

Just like the VPN protocols, by default Windows first tries to use the most secure authentication protocol that is enabled, and then falls back to less secure protocols if the more secure ones are unavailable.

Configuring a VPN Connection:

When configuring a VPN, you need to know the IP address or fully qualified domain name (FQDN) of the remote access server to which you are connecting. The steps for creating the VPN connection to a Windows Server 2008 computer are as follows:

1. Open the Control Panel, select Network and Internet, then Network and Sharing Center.
2. Click Set up a new connection.
3. Click Connect to a workplace and then click Next.
4. Select Use my Internet connection (VPN).
5. Enter the hostname or IP address of the VPN server and enter a name for the connection. You can also configure the option to use a smart card for authentication, allow other people to use your VPN connection, and instruct the wizard not to connect you to the VPN now.
6. Enter a username and password to connect to the network. Click Create to finish the wizard.

Once the connection is created, you can modify additional settings such as the authentication protocols and sharing by following these steps:

1. In the Network and Sharing Center, click Connect to a network.
2. From the list of networks, right-click your VPN and click Properties.

VPN Reconnect:

In previous versions of Windows, when Internet connectivity is lost, the VPN connection is also lost. This means that if the user was working with an application or had a document open when the interruption occurred, the user's work would be lost. In Windows 7, VPN Reconnect uses IKEv2 technology to provide seamless and consistent VPN connectivity, automatically re-establishing the VPN when users temporarily lose their Internet connection. Users who connect using wireless mobile broadband benefit most from this capability. Only VPN servers running Windows Server 2008 R2 support IKEv2. You can configure VPN Reconnect with a maximum timeout of 8 hours. After the period specified in the Network Outage Time setting has expired, the user must reconnect manually.

NAP Remediation:

NAP enforces health requirements by monitoring and assessing the health of client computers when they attempt to connect or communicate on a network. Client computers that are not in compliance with the health policy can be provided with restricted network access until their configuration is updated and brought into compliance with policy.
Typical problems might include having Windows Firewall turned off, missing or out-of-date virus protection, uninstalled security updates, etc. On NAP client computers running Windows 7, NAP is integrated into Action Center. If a NAP client computer is determined to be noncompliant with network health policies, you can obtain more information by reviewing the Network Access Protection category under Security. NAP client computers that are compliant with health requirements, and computers that are not running the NAP Agent service, do not display NAP information in Action Center.

With regard to VPN connections, achieving compliance often requires access to a remediation network. A remediation network hosts the services that allow the client to achieve compliance. Noncompliant clients can communicate with hosts on the remediation network but not with other hosts on the internal corporate network. A remediation network might include a Windows Server Update Services (WSUS) server, an antivirus signature server, a System Center component server, etc.
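The tunnel-type and authentication-protocol settings that the Properties dialog exposes (see Configuring a VPN Connection above) can be audited against the strength orderings given in the VPN protocol and VPN Authentication Protocols sections. The script below is an added example, not code from the study guide; it assumes the VpnClient PowerShell module (Get-VpnConnection, present on Windows 8 / Server 2012 and later), since Windows 7 shows these settings only in the connection's Properties dialog.

```powershell
# Added example (not part of the study guide): flag VPN connections that still allow the
# weaker protocols described above. Assumes the VpnClient module (Windows 8 / Server 2012+).

# Orderings from the guide: PPTP < L2TP/IPsec < SSTP < IKEv2 and PAP < CHAP < MS-CHAP v2 < EAP.
$weakTunnels = @('Pptp')
$weakAuth    = @('Pap', 'Chap')

function Test-VpnConnectionHardening {
    param([Parameter(Mandatory = $true)] $Connection)   # one object returned by Get-VpnConnection

    $findings = @()
    if ($Connection.TunnelType -in $weakTunnels) {
        $findings += "tunnel $($Connection.TunnelType): weak encryption and authentication"
    }
    if ($Connection.TunnelType -eq 'Automatic') {
        # Automatic tries the most secure protocol first, but unlike a fixed type it can fall back.
        $findings += 'tunnel Automatic: may fall back to less secure protocols, PPTP included'
    }
    foreach ($method in @($Connection.AuthenticationMethod)) {
        if ($method -in $weakAuth) {
            $findings += "auth $method enabled: no protection against remote server impersonation"
        }
    }
    if ($Connection.EncryptionLevel -notin @('Required', 'Maximum')) {
        $findings += "encryption level $($Connection.EncryptionLevel): data encryption not enforced"
    }

    [pscustomobject]@{
        Name           = $Connection.Name
        Server         = $Connection.ServerAddress
        TunnelType     = $Connection.TunnelType
        Authentication = (@($Connection.AuthenticationMethod) -join ',')
        Encryption     = $Connection.EncryptionLevel
        Hardened       = ($findings.Count -eq 0)
        Findings       = ($findings -join '; ')
    }
}

# Per-user connections plus the shared ones created with "allow other people to use this connection".
$connections = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
               @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)

$connections | ForEach-Object { Test-VpnConnectionHardening -Connection $_ } |
    Format-Table Name, TunnelType, Authentication, Encryption, Hardened, Findings -AutoSize -Wrap
```

A connection reported as not hardened is corrected in its Properties dialog by selecting IKEv2 or SSTP as the type of VPN and leaving only MS-CHAP v2 or EAP enabled under the Security tab.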