Virtual Private Networking


Configuration of the Company B VPN Server

Configure the company B VPN server as follows:

  1. Configure the company B VPN server to accept remote access VPN connections. For more information, see Windows 2000 Server Help.
  2. Manually configure the IP address pool that contains a range of public IP addresses.
  3. Create a Windows 2000 group to contain the user accounts for visiting employees of other companies that are making pass-through VPN connections. For example, create the group VPN_PassThrough.
  4. Create the user account that is used by the visiting employee of company A.

Assuming that this VPN server is only to be used for pass-through VPNs for the visiting employees of business partners, delete the default remote access policy called Allow access if dial-in permission is enabled and create a remote access policy called VPN Pass-Through for Business Partners with the remote access policy permission setting, Grant remote access permission, selected. Then set the conditions and profile settings as listed in Tables 9.7 and 9.8. For detailed information about configuring these settings, see Windows 2000 Server Help.

Table 9.7 Remote Access Policy Conditions for Company B VPN Server

Condition            Setting
NAS-Port-Type        Virtual
Called-Station-ID    IP address of the VPN server interface accepting VPN connections
Windows-Groups       For example, VPN_PassThrough

Table 9.8 Remote Access Policy Profile Settings for Company B VPN Server

Profile settings     Setting
Authentication tab   Enable Microsoft Encrypted Authentication (MS-CHAP).
Encryption tab       Select Basic, Strong, or No encryption.

The remote access policy settings outlined in Tables 9.7 and 9.8 assume that you are managing remote access on a group basis by setting the remote access permission on all user accounts to Control access through Remote Access Policy.


Note

The remote access policy profile settings do not require encryption. The tunnel from the employee of company A to the company B VPN server does not need to be encrypted because the tunnel from the employee of company A to the company A VPN server on the Internet is encrypted. Forcing the encryption of the first tunnel causes encryption to occur twice when it is not necessary and can impact performance.

Filtering Configuration

To ensure that the company B VPN server connected to the Internet is confined to accepting and forwarding pass-through VPN traffic, configure the following filters using the Routing and Remote Access snap-in.

To configure PPTP filtering

  1. On the intranet interface, configure the following input IP filters with the filter action set to Drop all packets except those that meet the criteria below:
  2. On the intranet interface, configure the following output IP filters with the filter action set to Drop all packets except those that meet the criteria below:
  3. On the Internet interface, configure the following input IP filters with the filter action set to Drop all packets except those that meet the criteria below:
  4. On the Internet interface, configure the following output IP filters with the filter action set to Drop all packets except those that meet the criteria below:

To configure L2TP over IPSec filtering

  1. On the intranet interface, configure the following input IP filters with the filter action set to Drop all packets except those that meet the criteria below:
  2. On the intranet interface, configure the following output IP filters with the filter action set to Drop all packets except those that meet the criteria below:
  3. On the Internet interface, configure the following input IP filters with the filter action set to Drop all packets except those that meet the criteria below:
  4. On the Internet interface, configure the following output IP filters with the filter action set to Drop all packets except those that meet the criteria below:
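The filter action used in both procedures above, Drop all packets except those that meet the criteria below, is a default-deny rule set: a packet passes the interface only if at least one listed criterion matches it. The following Python model is an added example, not part of this page or of the Routing and Remote Access snap-in; it evaluates such a rule set against constructed packets so you can verify which traffic a given filter list lets through. The VPN server address and the filter criteria are assumptions for the example (the criteria follow the standard PPTP and L2TP port assignments, TCP 1723 plus GRE, and UDP 500 plus UDP 1701), not the page's own filter tables.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values for this example; the page's own filter tables are not reproduced.
VPN_IF = "203.0.113.10"        # Internet-facing interface (RFC 5737 documentation address)
TCP, UDP, GRE = 6, 17, 47      # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Filter:
    """One 'allow' criterion; a field left as None is a wildcard."""
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.src, p.src), (self.dst, p.dst), (self.proto, p.proto),
            (self.sport, p.sport), (self.dport, p.dport)))

def permitted(filters, p: Packet) -> bool:
    """'Drop all packets except those that meet the criteria': any single match passes."""
    return any(f.matches(p) for f in filters)

# Internet interface, input direction (assumed criteria, see lead-in): only traffic addressed
# to the VPN server's own interface on the tunnel protocols is accepted.
PPTP_IN = [Filter(dst=VPN_IF, proto=TCP, dport=1723), Filter(dst=VPN_IF, proto=GRE)]
L2TP_IN = [Filter(dst=VPN_IF, proto=UDP, dport=500), Filter(dst=VPN_IF, proto=UDP, dport=1701)]

# Internet interface, output direction: the mirror image, keyed on the source side.
PPTP_OUT = [Filter(src=VPN_IF, proto=TCP, sport=1723), Filter(src=VPN_IF, proto=GRE)]
L2TP_OUT = [Filter(src=VPN_IF, proto=UDP, sport=500), Filter(src=VPN_IF, proto=UDP, sport=1701)]

def check(filters, packets):
    """Return the pass/drop verdict for each packet in order."""
    return [permitted(filters, p) for p in packets]

if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", VPN_IF, TCP, sport=40000, dport=1723),      # PPTP control: pass
        Packet("198.51.100.7", VPN_IF, GRE),                               # PPTP data: pass
        Packet("198.51.100.7", VPN_IF, TCP, sport=40001, dport=80),        # web to server: drop
        Packet("198.51.100.7", "10.0.0.25", TCP, sport=40002, dport=445),  # intranet host: drop
    ]
    for p, ok in zip(samples, check(PPTP_IN, samples)):
        print(f"{'PASS' if ok else 'DROP'} proto={p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Because the rule set is default-deny, any packet not addressed to the VPN server interface on a tunnel protocol is dropped, including traffic aimed at intranet hosts behind the server.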

© 1985-2000 Microsoft Corporation. All rights reserved.