Optimal VPN server security and management

VPNs are a snap to set up, but knowing how to optimize them is a different story. Thomas Shinder shows you how to get the best performance from your server by using RRAS policies and configuring name server assignments.

Though it isn't difficult to set up a Windows 2000 VPN server for use, a general setup doesn't allow for optimal use of the server's resources. However, there are a number of configurations that you can implement to help that server reach its full potential. On the client side, you can enable MS-CHAP version 2, change the number of L2TP ports, enable autoenrollment, and configure clients to use only L2TP/IPSec.

On the server side, a couple of simple but powerful actions allow you to optimize connections: using Routing and Remote Access Service (RRAS) policies and configuring IP address and name server assignments. Doing both of these things allows you to increase your VPN server's efficiency and blow the socks off your users.

Using RRAS policies
RRAS policies allow you to simplify and optimize all of your RRAS server connections by centralizing the management of VPN client connections. To make the most of RRAS policies, run your Windows 2000 domains in native mode. This allows you to configure the policies on a granular basis by configuring the properties of user accounts. Figure A shows the available options when a Windows 2000 domain is run in native mode.

Figure A

Note that Deb Shinder’s user account is allowed dial-in access based on the Remote Access Policy. The extant Remote Access Policy can be specific to a particular VPN server, or if you decide to use RADIUS for authentication and accounting, you can have a single Remote Access Policy apply to all VPN servers.

To configure an RRAS policy to optimize your VPN environment:
  1. In the Routing And Remote Access console, expand your server name and click on the Remote Access Policies node in the left pane. You can create a new RRAS policy or edit the existing RRAS policy. To edit the existing RRAS policy, double-click on the Allow Access If Dial-In Permission policy in the right pane of the RRAS console.

  Figure B

  2. In Figure B, you can see that several conditions must be met to allow a connection to the RRAS VPN server: a day and time condition, a Windows group membership condition, and a Network Access Server port type condition. In this example, connections are accepted at any time on any day of the week, users must be members of the TACTEAM\Domain Admins group, and the connection type must be a VPN connection. Only after all these conditions are met will the Grant Remote Access Permission option be activated. (This option is seen in the If A User Matches The Conditions frame.) To add a condition, click the Add button.
  3. The Select Attribute dialog box appears next (Figure C). To allow only L2TP/IPSec VPN tunnels for the Domain Admins group covered in this policy, for example, select the Tunnel-Type attribute and click the Add button.

  Figure C

  4. In the Available Types column in the Tunnel-Type dialog box (Figure D), select the Layer Two Tunneling Protocol (L2TP) entry and click the Add button. The entry will then move to the Selected Types column.

  Figure D

  5. The condition now appears in the policy's properties dialog box (Figure E). Click Edit to change the profile settings for this policy.

  Figure E

  6. In the Edit Dial-In Profile dialog box, click the Authentication tab (Figure F). The default settings allow both MS-CHAP and MS-CHAP version 2. Deselect the Microsoft Encrypted Authentication (MS-CHAP) check box.

  Figure F
  Deselecting MS-CHAP forces the server to use MS-CHAP version 2 for the Remote Access Policy.

  7. Select the Encryption tab (Figure G). Since domain administrators will carry out the most security-sensitive operations, you might want to force 128-bit encryption for all their sessions. Deselect the Basic and Strong check boxes, leaving only the Strongest encryption option selected. This will force 128-bit encryption on all connections matching the conditions of this Remote Access Policy. Click Apply and OK to accept the changes you have made to the policy's profile.

  Figure G

  8. Then, click Apply and OK to accept the changes you made to the RRAS policy.

You can create multiple RRAS policies to meet the specific needs of your organization. In the above example, I set some stringent settings on connections made by domain admins. You might want to create other policies for groups of users that require different VPN tunnel types, time-of-day restrictions, and levels of encryption.
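As an added illustration (not code from the article or from RRAS itself), here is a small Python model of how the policy just built is evaluated: every condition must match before the profile is consulted, and the profile then turns away MS-CHAP version 1 and anything weaker than 128-bit encryption. The group, port-type, tunnel-type and encryption labels are constructed stand-ins for the RRAS attribute values.

```python
from dataclasses import dataclass
PORT_TYPE_VPN = "Virtual (VPN)"   # stand-in for the NAS-Port-Type RRAS reports for VPN ports

@dataclass(frozen=True)
class ConnectionAttempt:          # constructed view of one inbound VPN session
    groups: frozenset             # Windows groups of the authenticating user
    weekday: int                  # 0 = Monday ... 6 = Sunday
    hour: int                     # 0-23
    port_type: str
    tunnel_type: str              # "PPTP" or "L2TP"
    auth_method: str              # "MS-CHAP" or "MS-CHAPv2"
    encryption: str               # "Basic", "Strong" or "Strongest" (128-bit)

@dataclass
class RemoteAccessPolicy:
    required_group: str           # Windows-Groups condition
    allowed_hours: dict           # Day-And-Time condition: weekday -> set of hours
    port_type: str                # NAS-Port-Type condition
    tunnel_type: str              # Tunnel-Type condition
    allowed_auth: frozenset       # profile, Authentication tab
    allowed_encryption: frozenset # profile, Encryption tab

    def conditions_match(self, c):
        # Conditions are ANDed; if any fails, RRAS moves on to the next policy.
        return (self.required_group in c.groups
                and c.hour in self.allowed_hours.get(c.weekday, set())
                and c.port_type == self.port_type
                and c.tunnel_type == self.tunnel_type)

    def evaluate(self, c):
        """Return (granted, reason) for this policy alone."""
        if not self.conditions_match(c):
            return False, "conditions not met; policy does not apply"
        if c.auth_method not in self.allowed_auth:
            return False, "profile rejects " + c.auth_method
        if c.encryption not in self.allowed_encryption:
            return False, "profile rejects " + c.encryption + " encryption"
        return True, "Grant Remote Access Permission"

# The policy built in Figures B-G: any day/time, TACTEAM\Domain Admins,
# VPN port type, L2TP only, MS-CHAP v2 only, 128-bit encryption only.
DOMAIN_ADMIN_POLICY = RemoteAccessPolicy(
    required_group=r"TACTEAM\Domain Admins",
    allowed_hours={d: set(range(24)) for d in range(7)},
    port_type=PORT_TYPE_VPN, tunnel_type="L2TP",
    allowed_auth=frozenset({"MS-CHAPv2"}),
    allowed_encryption=frozenset({"Strongest"}))
# A compliant attempt; vary one field at a time to see which rule turns it away.
GOOD = ConnectionAttempt(frozenset({r"TACTEAM\Domain Admins"}), 2, 9,
                         PORT_TYPE_VPN, "L2TP", "MS-CHAPv2", "Strongest")
```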

Configuring IP address and name server assignments
There are two ways VPN servers can assign addresses to clients: via a DHCP server or via a static address pool.

If you assign addresses via DHCP, note that your RAS VPN client never communicates directly with the DHCP server. The VPN server obtains the IP addresses it will hand to VPN clients when it boots. If it uses up all the addresses it obtained at boot-up, it requests additional blocks of IP addresses from the DHCP server as needed. The RRAS server doesn't assign any DHCP options. However, you can install a DHCP Relay Agent on the RRAS server to assign a limited set of DHCP options to VPN clients.

A static address pool can be configured on the VPN server, and IP addresses can be assigned to VPN clients from this pool. If you choose the static address pool option, make sure internal network clients are not using the addresses in the pool. You'll also make life simpler if you choose a range of addresses that is on-subnet, that is, on the same network ID as the internal interface of the VPN server.

You don't need to use DHCP options to assign name servers to VPN clients, because the RRAS server will automatically assign WINS and DNS server addresses to VPN clients based on the WINS and DNS server settings on the internal interface of the VPN server. This name server assignment takes place during the Internet Protocol Control Protocol (IPCP) negotiation process. If you have multiple internal interfaces on the VPN server, you can manually select which interface will be used to assign name server addresses to VPN clients.

To configure address assignment:
  1. Right-click the server name in the Routing And Remote Access console and click Properties.
  2. Click on the IP tab (Figure H). The default setting is to use DHCP for IP address assignment. If you need to use a static address pool, select the Static Address Pool option and click Add to add a range of IP addresses. The Enable IP Routing check box should be selected if you want the VPN clients to access servers on the internal network. If it's not selected, VPN clients will only be able to access resources on the VPN server itself. The Allow IP-Based Remote Access And Demand-Dial Connections option must be selected if you want the VPN server to assign addresses to the VPN clients.

  3. Figure H

  4. The RRAS server determines which interface should be used to assign name server settings; however, it sometimes gets things wrong. If it does, click the down-arrow on the Adapter drop-down list and manually select the adapter that should be used for WINS and DNS server assignments to VPN clients. The VPN clients will be configured with WINS and DNS server addresses that are configured on the interface you select. Click Apply and OK to accept the changes.
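Added example (not from the article): a Python check of a proposed static address pool against the two rules given above, that it lies on the same network ID as the internal interface and that internal clients are not already using its addresses. The internal interface address, DHCP scope and in-use hosts below are a constructed sample network, not values from the article.

```python
import ipaddress

def _overlaps(a_start, a_end, b_start, b_end):
    # Inclusive range overlap on the integer form of the addresses.
    return int(a_start) <= int(b_end) and int(b_start) <= int(a_end)

def check_static_pool(pool_start, pool_end, internal_iface, dhcp_scopes=(), in_use=()):
    """Return a list of problems (empty when the pool is safe to use).

    pool_start, pool_end : first/last address of the pool, as typed on the IP tab
    internal_iface       : address/prefix of the VPN server's internal interface
    dhcp_scopes          : (start, end) ranges served by internal DHCP servers
    in_use               : individual addresses already assigned internally
    """
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if end < start:
        return ["pool end precedes pool start"]
    iface = ipaddress.ip_interface(internal_iface)
    net = iface.network
    problems = []
    # On-subnet pool: same network ID as the internal interface, so internal
    # hosts reach VPN clients without needing an extra route to the VPN server.
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is not within {net}")
    else:
        if start == net.network_address or end == net.broadcast_address:
            problems.append("pool includes the network or broadcast address")
        if _overlaps(start, end, iface.ip, iface.ip):
            problems.append(f"pool includes the VPN server's own address {iface.ip}")
    # Internal clients must not be using pool addresses: both DHCP scopes and
    # statically assigned hosts count.
    for s_start, s_end in dhcp_scopes:
        if _overlaps(start, end, ipaddress.ip_address(s_start), ipaddress.ip_address(s_end)):
            problems.append(f"pool overlaps DHCP scope {s_start}-{s_end}")
    for host in in_use:
        h = ipaddress.ip_address(host)
        if start <= h <= end:
            problems.append(f"pool contains in-use address {h}")
    return problems

# Constructed sample network: internal interface 10.0.1.1/24, DHCP serving
# 10.0.1.50-10.0.1.150, and a few statically addressed internal servers.
SAMPLE = dict(internal_iface="10.0.1.1/24",
              dhcp_scopes=[("10.0.1.50", "10.0.1.150")],
              in_use=["10.0.1.2", "10.0.1.3", "10.0.1.200"])

if __name__ == "__main__":
    print(check_static_pool("10.0.1.160", "10.0.1.190", **SAMPLE))   # clean pool
    print(check_static_pool("10.0.1.140", "10.0.1.200", **SAMPLE))   # collides
    print(check_static_pool("10.0.2.10", "10.0.2.50", **SAMPLE))     # off-subnet
```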

Conclusion
Using RRAS policies and configuring IP address and name server assignments allows you to further tune the settings on your Windows 2000 VPN server and create a VPN environment that meets the requirements of your organization. Doing so can make your job go a little smoother and your end users happy campers.