Outsourced VPN remote access

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Outsourced VPN remote access

This topic describes how IAS is used by both an outsourced service provider and an organization to outsource VPN-based remote access. The outsourced service provider offers worldwide Points of Presence (POPs), which organization employees can call. After the call is made, the employee's computer makes a Point-to-Point Tunneling Protocol (PPTP) VPN connection to one of the organization's VPN servers.

The organization in this example configuration has a large central location with remote users. Each user requires secure access to the organization network. The organization has determined that it is more cost-effective to provide VPN remote access through outsourcing than to implement and maintain its own dial-up remote access infrastructure.

The encryption and authentication requirements for the Internet connection are less stringent than those required for the VPN connection. For example, the Internet connection uses CHAP without encryption, while the VPN connection uses smart cards and Extensible Authentication Protocol-Transport Level Security (EAP-TLS) with 128-bit encryption.

This topic describes a configuration for an organization that uses:

  • Two IAS servers.

    Two IAS servers (one primary and one secondary) are used to provide fault tolerance for RADIUS-based authentication, authorization, and accounting. If only one RADIUS server is configured and it becomes unavailable, dial-up and VPN users cannot connect. By using two IAS servers, the IAS proxies in the ISP network can detect when the primary RADIUS server becomes unavailable and automatically fail over to the secondary IAS server. The IAS servers are placed in the perimeter network.

  • Active Directory domains.

    Active Directory domains contain the user accounts, passwords, and dial-in properties that each IAS server requires to authenticate user credentials and evaluate both authorization and connection constraints.

  • Smart card certificate infrastructure.

    The Extensible Authentication Protocol-Transport Level Security (EAP-TLS) authentication protocol is used with smart cards to authenticate VPN remote access users and provide the highest level of security for VPN authentication.

  • Custom remote access policies.

    Remote access policies are configured to specify, based on group membership, the different types of connection constraints for users.

  • Connection Manager.

    Connection Manager is used to create a profile with all of the phone numbers of the ISP's POPs. This automates both the dialing of the ISP and the creation of the VPN connection. Remote access users select the location from which they are dialing, and then select either a local or other appropriate ISP phone number (POP) from the phone book in the Connection Manager service profile. Remote access users connect to the ISP's dial-up access server through the Challenge Handshake Password Authentication (CHAP). The realm name portion of the user name is used by the ISP's proxies to forward authentication requests to an IAS proxy in the organization’s perimeter network. After the ISP connection is made, the Connection Manager profile automatically initiates a VPN connection to one of the organization's VPN servers.

  • VPN servers.

    VPN servers consist of computers running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows 2000 and the Routing and Remote Access service.

This topic also describes a configuration for an ISP that uses:

  • Two IAS proxies in the ISP's network.

    The ISP uses RADIUS proxies on its network to forward RADIUS request messages between the ISP dial-up servers and the RADIUS servers of multiple customers. Two IAS proxies are used to provide fault tolerance for RADIUS authentication.

  • Dial-up access servers.

    Dial-up servers consist of computers running:

    • Windows Server 2003, Standard Edition

    • Windows Server 2003, Enterprise Edition

    • Windows Server 2003, Datacenter Edition

    • Windows 2000 and the Routing and Remote Access service

    • Third-party network access server (NAS) devices

The following illustration shows the outsourced VPN configuration.

IAS as a RADIUS proxy

Note

  • This topic only describes how to configure IAS. It does not describe the configuration of Active Directory domains, the smart card certificate infrastructure, Connection Manager, or the VPN servers. For more information about how to deploy these components, see the appropriate Help topics.

To configure IAS for this example, complete the following steps:

  • Configure Active Directory for user accounts and groups.

  • Configure the primary IAS server in the perimeter network.

  • Configure the secondary IAS server in the perimeter network.

  • Configure RADIUS authentication and accounting on VPN servers.

  • Configure the Internet firewall to support RADIUS traffic.

  • Configure the primary IAS proxy at the service provider.

  • Configure the secondary IAS proxy at the service provider.

  • Configure RADIUS accounting and authentication on the dial-up access servers at the service provider.

Configuring user accounts and groups

To configure user accounts and groups, do the following:

  1. Ensure that all users who are making remote access connections have a corresponding user account.

  2. If you want to manage access by group, ensure that all user accounts are configured with the Control access through Remote Access Policy remote access permission. For more information, see Configure remote access permission for a user.

  3. Create two universal groups: one for employees (named Employees) and one for contractors (named Contractors). Because of the large number of potential users, create global groups and add the user accounts as members to the appropriate group. Next, add the global groups as members to the universal groups. For more information, see Group scope.

  4. Because the ISP requires the use of Challenge-Handshake Authentication Protocol (CHAP) authentication for the dial-up connection, you must enable support for reversibly encrypted passwords for the appropriate domains. For more information, see Enable reversibly encrypted passwords in a domain.

Configuring the primary IAS server in the perimeter network

To configure the primary IAS server in the perimeter network, do the following:

  1. On a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition in the perimeter network; install IAS as an optional networking component. For more information, see Install IAS. The computer on which IAS is installed is not required to be dedicated to forwarding RADIUS messages. You can install IAS on a Web server, file server, or DNS server.

  2. Configure the IAS server computer to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.

  3. If the IAS server is authenticating connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the IAS server computer is a member. Next, configure the IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.

    If the IAS server is authenticating connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the IAS server computer is a member, see Authentication across forests.

  4. Enable file logging for accounting and authentication events. For more information, see Configure log file properties.

  5. If needed, configure additional UDP ports for RADIUS messages that are sent by the ISP's RADIUS proxies. For more information, see Configure IAS port information. By default, IAS uses UDP ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.

  6. Add the service provider's RADIUS proxies as RADIUS clients of the IAS server. For more information, see Add RADIUS clients. Verify that you are configuring the correct name or IP address and shared secrets. For more information, see Shared secrets.

  7. Create remote access policies that allow VPN remote access for employees and deny it for contractors.

    Use the New Remote Access Policy Wizard to create a common remote access policy that both allows VPN remote access for members of the Employees group and requires the use of EAP-TLS and 128-bit encryption with the following settings:

    • Policy name: VPN connections for employees

    • Access Method: VPN access

    • User or Group: Select Group, and then specify the Employees group (example).

    • Authentication methods: Select the Extensible Authentication Protocol check box, ensure that the Smart Card or other Certificate EAP type is selected, and then clear all other check boxes.

    • Policy Encryption Level: Select the Strongest encryption check box, and then clear all other check boxes.

      Create a custom remote access policy that denies VPN remote access for members of the Contractors group with the following settings:

    • Policy name: Deny VPN connections for contractors

    • Conditions:

    • Windows-Groups matches Contractors

    • NAS-port-type matches Virtual (VPN)

    • Permission: Deny remote access permission

      For additional examples of remote access policies, see Remote Access Policies Examples.

  8. Delete the default remote access policies. For more information, see Delete a remote access policy.

Configuring the secondary IAS server in the perimeter network

To configure the secondary IAS server on another computer in the perimeter network, do the following:

  1. On another computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows server 2003, Datacenter Edition in the perimeter network; install IAS as an optional networking component. For more information, see Install IAS.

  2. Configure the secondary IAS server computer (the other domain controller) to read the properties of user accounts in the domain. For more information, see Enable the IAS server to read user accounts in Active Directory.

  3. If the secondary IAS server is authenticating connection attempts for user accounts in other domains, verify that the other domains have a two-way trust with the domain in which the secondary IAS server computer is a member. Next, configure the secondary IAS server computer to read the properties of user accounts in other domains. For more information, see Enable the IAS server to read user accounts in Active Directory. For more information about trust relationships, see Trust direction.

    If the secondary IAS server is authenticating connection attempts for user accounts in other domains, and those domains do not have a two-way trust with the domain in which the secondary IAS server computer is a member, see Authentication across forests.

  4. Copy the configuration from the primary IAS proxy to the secondary IAS proxy in the perimeter network. For more information, see Copy the IAS configuration to another server.

Configuring RADIUS authentication and accounting on the VPN servers

To configure each VPN server to use the primary and secondary IAS servers for authentication, authorization, and accounting of remote access connections, do the following:

  1. If the VPN server is a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows 2000 and the Routing and Remote Access service, configure the primary and secondary IAS servers in the perimeter network as RADIUS servers for both RADIUS authentication and accounting. For more information, see Use RADIUS authentication and Use RADIUS accounting.

  2. If the VPN server is a computer running Windows NT Server 4.0 and the Routing and Remote Access Service (RRAS), see the Windows NT Server 4.0 online Help for information about how to configure the primary and secondary IAS servers as RADIUS servers for RADIUS authentication.

  3. If the VPN server is a third-party network access server (NAS), see the documentation for the NAS to determine how to configure it as a RADIUS client with two RADIUS servers (the primary and secondary IAS servers).

Configuring the Internet firewall to support RADIUS traffic

  1. Configure the Internet firewall to allow RADIUS traffic between the IAS servers in the perimeter network and the IAS proxies in the ISP's network.

    For more information, see IAS and firewalls

Configuring the primary IAS proxy at the service provider

  1. On a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition in the ISP's network; install IAS as an optional networking component. For more information, see Install IAS. The computer on which IAS is installed is not required to be dedicated to forwarding RADIUS messages. You can install IAS on a Web server, file server, or DNS server.

  2. If needed, configure additional UDP ports for authentication and accounting messages that are sent by the ISP's dial-up access servers. For more information, see Configure IAS port information. By default, IAS uses UDP ports 1812 and 1645 for authentication and 1813 and 1646 for accounting.

  3. Add the ISP's dial-up access servers as RADIUS clients of the IAS proxy. For more information, see Add RADIUS clients. Verify that you are configuring the correct name or IP address and shared secrets. For more information, see Shared secrets.

  4. Create a connection request policy that forwards RADIUS request messages on the basis of the ISP customer’s realm name.

    Use the New Connection Request Policy Wizard to create a connection request policy with the condition that the user name matches the realm name for the customer's organization and forwards RADIUS request messages to a remote RADIUS server for authentication. In the New Connection Request Policy Wizard, use the New Remote RADIUS Server Group Wizard to create a remote RADIUS server group with members that include the two IAS servers in the customer's perimeter network.

    For more information, see Add a connection request policy.

  5. Delete the default connection request policy named Use Windows authentication for all users. For more information, see Delete a connection request policy.

Configuring the secondary IAS proxy at the service provider

To configure the secondary IAS proxy on another computer in the perimeter network, do the following:

  1. On another computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition in the ISP's network; install IAS as an optional networking component. For more information, see Install IAS.

  2. Copy the configuration of the primary IAS proxy to the secondary IAS proxy in the ISP's network. For more information, see Copy the IAS configuration to another server.

Configuring RADIUS accounting and authentication on the dial-up access servers at the service provider

To configure each dial-up or VPN server to use the primary and secondary IAS servers for authentication, authorization, and accounting of remote access connections, do the following:

  1. If the dial-up or VPN server is a computer running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows 2000 and the Routing and Remote Access service, configure the primary and secondary IAS proxies in the ISP's network as RADIUS servers for both RADIUS authentication and accounting. For more information, see Use RADIUS authentication and Use RADIUS accounting.

  2. If the dial-up or VPN server is a computer running Windows NT Server 4.0 and the Routing and Remote Access Service (RRAS), see the Windows NT Server 4.0 online Help for information about how to configure the primary and secondary IAS proxies in the ISP's network as RADIUS servers for RADIUS authentication.

  3. If the dial-up or VPN server is a third-party network access server (NAS), see the documentation for the NAS to determine how to configure it as a RADIUS client with two RADIUS servers (the primary and secondary IAS proxies) in the ISP's network.