The Windows 2000 Routing And Remote Access Service (RRAS) allows you to configure a Windows 2000 Server family computer as a VPN server. The Windows 2000 VPN server represents a tremendous improvement over the VPN server functions available in the Steelhead release of the Windows NT 4.0 version of the RRAS VPN server. Windows NT 4.0 VPN server configuration was tedious and difficult, and the only tunneling protocol supported was PPTP. You configure the Windows 2000 VPN server using easy-to-use wizards, and it supports both PPTP and L2TP/IPSec as tunneling protocols.

While the Windows 2000 VPN server is easy to set up and configure, you should do several things to make sure you have the most effective and efficient inbound VPN server traffic possible for your network. The VPN Wizard does most of the legwork for you, but you’ll do more after you run the wizards.

In this Daily Drill Down, I’ll explain what you can focus on to optimize your inbound VPN connections. After reading this, you’ll be ready to tune your VPN server environment for the quickest and most secure inbound connections you can get out of your setup.

Client side
Most Windows 2000 VPN servers allow inbound VPN connections from external network VPN clients directly connected to the Internet. Implementing a VPN server allows you to dispose of your modem banks and replace them with a single fast connection to the Internet. Your remote users don’t need to make expensive long-distance or 800-number calls to reach the corporate network. All they need to do is establish a connection to a local ISP and then create the virtual link to the internal network via a VPN client connection.

On the client side, you can focus on three areas to optimize client connections:

  • PPTP client connections
  • L2TP/IPSec client connections
  • Simplifying client connection setups using the Connection Manager Administration Kit

PPTP client connections
The VPN Wizard creates a number of PPTP ports on the external interface of the VPN server that accept incoming calls from PPTP VPN clients. PPTP was introduced with the Steelhead release of the Routing And Remote Access Server for Windows NT 4.0. The first version of PPTP got some bad press because of some well-described security holes. Although Microsoft patched those holes, PPTP has suffered from a bad reputation as an unsecure VPN protocol. However, nothing could be farther from the truth.

The version included with Windows 2000 is PPTP 2.0. It closes the holes seen with the initial version of PPTP and includes a number of performance enhancements. PPTP is the fastest of the VPN protocols included with the Windows 2000 VPN server and the easiest Windows 2000 VPN protocol to set up and configure. If you’re a beginner at setting up Windows 2000 VPN servers, you should use PPTP as your VPN protocol.

PPTP is a secure VPN protocol, but the level of security is dependent on the complexity of the passwords used by VPN clients. If your VPN clients choose simple passwords, hackers and other Internet intruders will be able to break into the VPN server almost as easily as they could have with the previous version of PPTP. Make sure they use complex passwords of at least eight characters. The passwords should contain letters, numbers, and symbols. Your network policy should be set so that passwords are changed periodically. Be careful not to force password changes too often, though, as users will balk if they have to change and remember new, complex passwords frequently.

The default PPP authentication protocols are MS-CHAP and MS-CHAP version 2. MS-CHAP allows downlevel operating systems to authenticate with the VPN server. To secure your PPP logon credentials, you should disable MS-CHAP authentication and require MS-CHAP version 2. To disable MS-CHAP authentication, perform the following steps:

  1. Select Start | Programs | Administrative Tools | Routing And Remote Access.
  2. In the Routing And Remote Access console (Figure A), right-click on your server name and click Properties.
  3. Figure A
    Accessing the RRAS’s Properties dialog box

  4. In the server Properties dialog box, select the Security tab (Figure B) and click the Authentication Methods button.
  5. Figure B
    Configuring PPP Authentication Methods

  6. In the Authentication Methods dialog box, remove the checkmark from the Microsoft Encrypted Authentication (MS-CHAP) checkbox and click OK.
  7. Click Apply and then click OK in the server Properties dialog box. Restart the Routing And Remote Access Service. Right-click on the server name, select All Tasks, and click Restart (see Figure C).

Figure C
Restarting the Routing and Remote Access Server after configuring the PPP Authentication Method

Each VPN port configured on the VPN server requires system resources. If your organization requires only a maximum of 10 concurrent VPN connections, it makes little sense to use up resources required to support 128 PPTP virtual interfaces. To ameliorate this situation, change the number of PPTP ports to the number you require. While you’re changing the PPTP ports, you can also change the number of L2TP ports:

  1. In the Routing And Remote Access console, expand your server name and then right-click on the Ports node in the left pane of the console. Click the Properties command.
  2. In the Ports Properties dialog box, click on the WAN Miniport (PPTP) entry and then click the Configure button (see Figure D).
  3. Figure D
    Reducing the number of VPN ports

  4. In the Configure Device – WAN Miniport (PPTP) dialog box, type the number of desired ports in the Maximum Ports text box (see Figure E). Click OK after making the change.
  5. Figure E
    Changing the number of PPTP listening ports

  6. If you want to change the number of L2TP listening ports, repeat the procedure by clicking on the WAN Miniport (L2TP) entry. After you have completed configuring the port numbers, click Apply and then click OK in the Ports Properties dialog box.

PPTP is the best protocol for small to medium-size businesses that don’t want to implement a Public Key Infrastructure to support L2TP/IPSec VPN calls. Even if you do plan to roll out an L2TP/IPSec VPN solution, it may actually be easier to allow PPTP and L2TP/IPSec VPN connections to live side by side for a while so that you can implement client-side computer certificates and support downlevel operating systems that are in the process of being upgraded.

L2TP/IPSec client connections
If you want the best security Windows 2000 VPN servers have to offer, you’ll want to use L2TP/IPSec for your VPN client connections. L2TP/IPSec doesn’t depend on just the username and password information to secure a connection. L2TP/IPSec clients require computer certificates to authenticate to the VPN server. Computer certificates cannot be “guessed” and provide a high level of security for VPN client connections.

I know many administrators who balk at the idea of implementing L2TP/IPSec VPNs. It’s not that they don’t want to use L2TP/IPSec, it’s just that they’re unfamiliar with setting up a Certificate Server and configuring Group Policy to automatically assign client certificates via autoenrollment. Once the VPN client computers have computer certificates, creating L2TP/IPSec connections is a no-brainer.

Certificate service

Before you attempt to create an L2TP/IPSec connection, you’ll have to have a Certificate Service set up. For more information, check out Brien Posey’s ”Setting up a Certificate Server” Daily Drill Down.

You can configure a Certificate Server on your internal network using Microsoft Certificate Services. After the Certificate Server is installed and configured, Group Policy is configured to automatically enroll domain members and assign machine certificates. Perform the following steps to enable autoenrollment:

  1. On a Windows 2000 domain controller, select Start | Programs | Administrative Tools | Active Directory Users And Computers.
  2. Right-click on your domain name and click Properties.
  3. In the domain Properties dialog box’s Group Policy tab, click on the domain Group Policy object and then click Edit.
  4. In the Group Policy window, expand the Computer Configuration, Windows Settings, Security Settings, and the Public Key Policies nodes. Right-click on the Automatic Certificate Request Settings node, select New, and click on Automatic Certificate Request (see Figure F).
  5. Figure F
    Starting the Automatic Certificate Request Setup Wizard

  6. The Welcome page for the Automatic Certificate Request Setup Wizard will appear. Click Next to continue.
  7. On the Certificate Template page, select the Computer certificate option. (Note that only certificate templates that are installed on the Certificate Server will be available on the Certificate Template page. See Figure G.) Click Next to continue.
  8. Figure G
    Selecting the Computer Certificate Template for autoenrollment

  9. On the Certification Authority page (see Figure H), select the certification authority (CA) that you want to process the request. You can select multiple CAs, but only the first one to receive the request will service the request. Selecting multiple CAs adds a measure of fault tolerance to the process. Click Next.
  10. Figure H
    Selecting the certification authority to process autoenrollment requests

  11. On the last page of the wizard, click Finish.
  12. Open a command prompt on the domain controller, type secedit /refreshpolicy machine_policy, and press [Enter]. You’ll receive notification that the policy will be refreshed but that it may take some time to replicate across multiple domain controllers.
  13. When new computers join the domain, they’re automatically assigned a computer certificate. Existing domain members will receive a certificate after they restart or during a policy refresh.

Note that this method works for machines that are domain members. You can use the Web-based certificate request interface to assign machine certificates to machines that are not members of the domain. In this situation, it’s useful to have a PPTP VPN connection in place before moving over to L2TP. Users can connect via PPTP, use the Web-based certificate enrollment form to obtain a machine certificate, and then use L2TP/IPSec connections after they obtain the certificate. Then at some point, you can shut down the PPTP listening ports and use only L2TP/IPSec.

When VPN clients connect to the Windows 2000 VPN server, the default client configuration is to negotiate the type of VPN tunnel. The VPN client will try L2TP/IPSec first and, if not successful, try PPTP. You can configure the client to use only L2TP/IPSec by configuring the client connection properties, like so:

  1. Right-click the My Network Places object on the desktop and click Properties.
  2. In the Network And Dial-Up Connections dialog box, right-click the VPN connection object and click Properties.
  3. In the VPN connection object’s Properties dialog box (see Figure I), click the Networking tab.
  4. Figure I
    Forcing the type of VPN connection to create with the VPN server

  5. On the Networking tab, click the down arrow in the Type Of VPN Server I Am Calling drop-down list box, click Layer-2 Tunneling Protocol (L2TP), and click OK. Note that if you want the client to use only PPTP, you can select Point To Point Tunneling Protocol (PPTP) and prevent negotiation for an L2TP connection.

You may get complaints from your users regarding their ability to access the Internet after they establish the VPN link to the corporate network because a new default route is added to the VPN client’s routing table. All Internet-bound requests will be routed through the VPN link and will cause attempts to browse the Internet or access Internet e-mail servers to fail.

This inability to access the Internet while the VPN link is active is the preferred configuration. You don’t want your clients to access the Internet at the same time that they access the internal network; this represents a very poor security configuration. It would be like allowing internal network users to add a modem to their machines so that they can access the Internet independently of any client access controls you’ve set on your firewall.

I don’t suggest this, but if you have to…

If you must allow VPN clients to access the Internet at the same time they’re connected to the VPN server, you can configure the VPN client connection object to allow this. The key entry is Use Default Gateway On Remote Network. You’ll find this entry in various places, depending on the version of VPN client connection object you’re using. Once you disable the Use Default Gateway On Remote Network option, the user will be able to access the Internet and the internal network simultaneously.

As you work to set up and configure your VPN, don’t forget that both the clients and the servers can use some good old-fashioned tweaking. Although the improvements from previous versions are significant, the need for further optimization, as with most Microsoft products, is necessary in order to make the best of your VPN server connections.

As VPNs have quickly become the de facto standard for remote access, it’s critical for systems administrators to get up to speed on their optimization. As VPN technology grows and stabilizes, so should your knowledge of VPN optimization. Getting rid of MS-CHAP version 1, changing the number of L2TP ports, enabling autoenrollment, and configuring clients to use only L2TP/IPSec are sound ways to get your incoming VPN connections zipping along with speed and security.