Virtual Private Networking
Configuration of the Company B VPN Server
Configure the company B VPN server as follows:
- Configure the company B VPN server to accept remote access VPN connections. For more information, see Windows 2000 Server Help.
- Manually configure the IP address pool that contains a range of public IP addresses.
- Create a Windows 2000 group to contain the user accounts for visiting employees of other companies that are making pass-through VPN connections. For example, create the group VPN_PassThrough.
- Create the user account that is used by the visiting employee of company A.
Assuming that this VPN server is only to be used for pass-through VPNs for the visiting employees of business partners, delete the default remote access policy called Allow access if dial-in permission is enabled and create a remote access policy called VPN Pass-Through for Business Partners with the remote access policy permission setting, Grant remote access permission, selected. Then set the conditions and profile settings as listed in Tables 9.7 and 9.8. For detailed information about configuring these settings, see Windows 2000 Server Help.
Table 9.7 Remote Access Policy Conditions for Company B VPN Server
Conditions | Setting
NAS-Port-Type | Virtual
Called-Station-ID | IP address of the VPN server interface accepting VPN connections
Windows-Groups | For example, VPN_PassThrough
Table 9.8 Remote Access Policy Profile Settings for Company B VPN Server
Profile settings | Setting
Authentication tab | Enable Microsoft Encrypted Authentication (MS-CHAP).
Encryption tab | Select Basic, Strong, or No encryption.
The remote access policy settings outlined in Tables 9.7 and 9.8 assume that you are managing remote access on a group basis by setting the remote access permission on all user accounts to Control access through Remote Access Policy.
Note
The remote access policy profile settings do not require encryption. The tunnel from the employee of company A to the company B VPN server does not need to be encrypted because the tunnel from the employee of company A to the company A VPN server on the Internet is encrypted. Forcing the encryption of the first tunnel causes encryption to occur twice when it is not necessary and can impact performance.
Filtering Configuration
To ensure that the company B VPN server connected to the Internet is confined to accepting and forwarding pass-through VPN traffic, configure the following filters using the Routing and Remote Access snap-in.
To configure PPTP filtering
- On the intranet interface, configure the following input IP filters with the filter action set to Drop all packets except those that meet the criteria below:
- Destination IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and TCP destination port of 1723.
- Destination IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and IP protocol of 47.
- On the intranet interface, configure the following output IP filters with the filter action set to Drop all packets except those that meet the criteria below:
- Source IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and TCP source port of 1723.
- Source IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and IP protocol of 47.
- On the Internet interface, configure the following input IP filters with the filter action set to Drop all packets except those that meet the criteria below:
- Destination IP address and subnet mask of the public IP address pool and TCP source port of 1723.
- Destination IP address and subnet mask of the public IP address pool and IP protocol of 47.
- On the Internet interface, configure the following output IP filters with the filter action set to Drop all packets except those that meet the criteria below:
- Source IP address and subnet mask of the public IP address pool and TCP destination port of 1723.
- Source IP address and subnet mask of the public IP address pool and IP protocol of 47.
To configure L2TP over IPSec filtering
- On the intranet interface, configure the following input IP filters with the filter action set to Drop all packets except those that meet the criteria below:
- Destination IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and destination UDP port of 1701.
- Destination IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and destination UDP port of 500.
- On the intranet interface, configure the following output IP filters with the filter action set to Drop all packets except those that meet the criteria below:
- Source IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and source UDP port of 1701.
- Source IP address of the VPN server intranet interface, subnet mask of 255.255.255.255, and source UDP port of 500.
- On the Internet interface, configure the following input IP filters with the filter action set to Drop all packets except those that meet the criteria below:
- Destination IP address and subnet mask of the public IP address pool and IP protocol of 50.
- Destination IP address and subnet mask of the public IP address pool and source UDP port of 500.
- On the Internet interface, configure the following output IP filters with the filter action set to Drop all packets except those that meet the criteria below:
- Source IP address and subnet mask of the public IP address pool and IP protocol of 50.
- Source IP address and subnet mask of the public IP address pool and destination UDP port of 500.
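To check the intent of the two filter sets above (each interface, in each direction, accepts only tunnel traffic and drops everything else), here is an added Python model of the PPTP and L2TP over IPSec rules. It is not part of the Resource Kit; the intranet interface address, the public pool range and the sample peer addresses are assumed placeholders.

```python
# Added example, not from the Windows 2000 Server Resource Kit: a model of the
# company B VPN server filters from the PPTP and L2TP over IPSec procedures above,
# used to check which packets each interface would accept. The addresses below are
# constructed placeholders (RFC 5737 ranges), not values from the document.
from ipaddress import ip_address, ip_network

INTRANET_IF = ip_address("10.0.0.2")        # assumed VPN server intranet interface
PUBLIC_POOL = ip_network("203.0.113.0/28")   # assumed public IP address pool

TCP, UDP, GRE, ESP = 6, 17, 47, 50           # IANA protocol numbers

def filter_rules():
    """Allow rules per (interface, direction); anything unmatched is dropped.

    Rule tuple: (address field, allowed network, IP protocol, port field, port).
    Intranet rules match the server's own interface (/32); Internet rules match
    the public pool, because the pass-through tunnel is sourced from a pool address.
    """
    host = ip_network(f"{INTRANET_IF}/32")
    return {
        ("intranet", "in"):  [("dst", host, TCP, "dport", 1723), ("dst", host, GRE, None, None),
                              ("dst", host, UDP, "dport", 1701), ("dst", host, UDP, "dport", 500)],
        ("intranet", "out"): [("src", host, TCP, "sport", 1723), ("src", host, GRE, None, None),
                              ("src", host, UDP, "sport", 1701), ("src", host, UDP, "sport", 500)],
        ("internet", "in"):  [("dst", PUBLIC_POOL, TCP, "sport", 1723), ("dst", PUBLIC_POOL, GRE, None, None),
                              ("dst", PUBLIC_POOL, ESP, None, None), ("dst", PUBLIC_POOL, UDP, "sport", 500)],
        ("internet", "out"): [("src", PUBLIC_POOL, TCP, "dport", 1723), ("src", PUBLIC_POOL, GRE, None, None),
                              ("src", PUBLIC_POOL, ESP, None, None), ("src", PUBLIC_POOL, UDP, "dport", 500)],
    }

def permitted(interface, direction, src, dst, proto, sport=None, dport=None):
    """True if the packet matches an allow rule on that interface/direction."""
    pkt = {"src": ip_address(src), "dst": ip_address(dst), "sport": sport, "dport": dport}
    for addr_field, net, rule_proto, port_field, port in filter_rules()[(interface, direction)]:
        if pkt[addr_field] not in net or proto != rule_proto:
            continue
        if port_field is None or pkt[port_field] == port:
            return True
    return False

if __name__ == "__main__":
    # PPTP control from a visiting employee on the intranet to the VPN server: accepted
    print(permitted("intranet", "in", "10.0.0.50", "10.0.0.2", TCP, sport=40000, dport=1723))
    # File sharing aimed at the VPN server's intranet interface: dropped
    print(permitted("intranet", "in", "10.0.0.50", "10.0.0.2", TCP, sport=40000, dport=445))
    # Outbound tunnel from a pool address to company A's VPN server: accepted
    print(permitted("internet", "out", "203.0.113.5", "198.51.100.10", TCP, sport=40000, dport=1723))
    # Anything else leaving from the pool (for example, web browsing): dropped
    print(permitted("internet", "out", "203.0.113.5", "198.51.100.10", TCP, sport=40000, dport=80))
```

Note that a packet aimed at the server's intranet address arriving on the Internet interface is dropped, since the Internet rules only match pool addresses.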
© 1985-2000 Microsoft Corporation. All rights reserved.