
Department of Computing, Communications Technology and Mathematics

Final Year Project Report


Submitted in partial fulfilment of the requirements of
the degree of Bachelor of Science with Honours of
the London Metropolitan University

VIRTUAL PRIVATE NETWORKING


IMPLEMENTATION
FOR
SUN INFOSYS LTD.
By
Rashid Khan
May 2005
ID: 03020935
Supervisor: Professor Algirdas Pakstas

Author: Rashid Khan

ABSTRACT

This project provides an introduction, research, theory, analysis, proposed solutions and a
real implementation and study of Virtual Private Networking for Sun Infosys Ltd. It
also sets out the structure of this document. It covers the concepts, theories and main
terminology needed to understand and implement a Virtual Private Network.
Chapter 1 (Introduction) introduces the project proposal and its implementation, and
the presentation to be given to students and teachers after this documentation is
submitted. The presentation will clarify and demonstrate my understanding of this
project and my actual implementation of it.
Chapter 2 (Project Proposal) is the project proposal report completed in the
previous module; it sets out in theory how best to implement this project.
Chapter 3 (Literature Search) draws on the relevant literature to justify some of the
aims and objectives.
Chapter 4 (Project Plan) discusses the project plan: what I intend to implement and
how.
Chapter 5 (Investigation and Result) describes the details of the experiments and
investigations carried out.
Chapter 6 (A critical appraisal of the work done) examines the project in its entirety
with a critique of what was achieved, a discussion of the problems encountered, an
examination of the validity of the method chosen to solve the problem, and so on.
Chapter 7 (Conclusion) states the purpose of the work and gives a concise summary
of the project.
Chapter 8 (Suggestions for further work) discusses how things could have been
improved.
Chapter 9 contains the References.
Chapter 10 contains the Appendix.


CONTENTS
Chapter 1 - INTRODUCTION ... 6
1.1 What the Project is about ... 6
1.2 Organisational Structure ... 7
Chapter 2 - THE PROJECT PROPOSAL ... 9
2.1 Background Information on the company ... 10
2.2 The UNIX based solution ... 12
2.3 The Windows Based solution ... 13
Chapter 3 - THE LITERATURE SEARCH ... 15
3.1 What is VPN? ... 16
3.2 What Makes a VPN? ... 17
3.3 Types of VPN ... 18
3.4 Remote-Access VPN ... 18
3.5 Site-to-Site VPN ... 20
3.6 Extranet VPN ... 22
3.7 VPN Security ... 23
3.8 Firewalls ... 24
3.9 Encryption ... 25
3.10 IPSec ... 26
3.11 AAA Servers ... 28
3.12 VPN Technologies ... 29
3.13 VPN Concentrator ... 29
3.14 VPN-Optimized Router ... 30
3.15 Cisco Secure PIX Firewall ... 30
3.16 Tunnelling ... 30
3.17 Carrier protocol ... 31
3.18 Encapsulating protocol ... 31
3.19 Passenger protocol ... 31
3.20 Tunneling: Site-to-Site ... 32
3.21 Tunnelling: Remote-Access ... 32
3.22 L2F (Layer 2 Forwarding) ... 32
3.23 PPTP (Point-to-Point Tunneling Protocol) ... 33
3.24 L2TP (Layer 2 Tunneling Protocol) ... 33
3.25 MPLS ... 34
Chapter 4 - PROJECT PLAN ... 38
4.1 Step 1 ... 38
4.2 Step 2 ... 39
4.3 Step 3 ... 39
Chapter 5 - INVESTIGATION AND RESULT ... 41
5.1 VPN using hardware based tools and technologies ... 42
5.2 VPN using software based tools and technologies ... 42
5.3 Protocol Selection ... 42
5.4 Performance needs ... 43
5.5 IP Address Planning ... 43
5.6 ISP Evaluation ... 44
5.7 Installing & configuring ISA Server 2000 ... 44
Chapter 6 - CRITICAL APPRAISAL OF THE WORK DONE ... 45
Chapter 7 - CONCLUSION ... 46
Chapter 8 - SUGGESTIONS FOR FURTHER WORK ... 49
REFERENCES ... 51
APPENDICES ... 55
APPENDIX A - Implementation: Installing Windows Server 2003 ... 56
APPENDIX B - Implementation: Installing ISA Server 2000 ... 63
APPENDIX C - Implementation: Installing ISA Server Service Pack 1 ... 74
APPENDIX D - Implementation: Installing Hotfix isahf255.exe ... 77
APPENDIX E - Implementation: Installing Feature Pack 1 ... 80
APPENDIX F - Implementation: Configuring the ISA Server 2000/VPN Server ... 82
APPENDIX G - Implementation: Connecting to the VPN ... 100


ACKNOWLEDGEMENTS
I would like to thank the following people, without whose help the completion of this
project would not have been possible.

Special thanks to Peter Chalk, for all his help, guidance and encouragement.

Mr. Sri Adam, for letting me implement this project in his organization.

All my friends and family, for their help, support and suggestions.

All the final year BSc. Computer Networking students for their feedback about
this report.

Anyone who helped me, whether knowingly or unknowingly, willingly or
unwillingly, directly or indirectly.


Virtual Private Networking Introduction

Chapter 1 - Introduction
1.1 What the Project is about
This project is about Virtual Private Network technology and its implementation
in a real work environment. It is my final year project implementation; I am
a final year undergraduate student in BSc Hons. Computer Networking. The chosen
topic for this project is Virtual Private Network implementation for Sun InfoSys Ltd.
http://www.suninfosys.co.uk/
Sun InfoSys Ltd. is in the business of CCTV systems. Sun InfoSys Ltd. was established by
I.T. and security experts to provide total security solutions to the retail business market.
They provide security systems by integrating Information Technology with their
digital and analogue CCTV systems. Sun InfoSys is the supplier and installer of
various hardware (i.e. computers, printers, point-of-sale systems and digital
Internet-enabled CCTV systems) and software (all types of software needed by
EPOS, CCTV and client businesses) for retail business in the UK.
The company's aim is to add value in all areas of its involvement with customers,
whether simply offering technical support, single hardware components or efficient
security monitoring systems in the form of digital CCTV systems. They also provide
a 24-hour digital CCTV remote monitoring facility.


1.2 ORGANIZATIONAL STRUCTURE

Name of Organisation: Sun InfoSys Ltd.
Address: No 8, Exmouth Rd., London, E17 7QQ.
Telephone & Fax numbers: Tel: 0870 609 2363
Name of Managing Director: Mr. Sri Adam

[Organisation chart: Managing Director at the top; departments: Customer Services,
Accounts, Technical Support, Sales, Warehouse.]

The motivation behind this project for me is not only to enhance my knowledge of a
complex but very rewarding and currently hot technology, Virtual Private
Networking, for an existing company called Sun InfoSys Ltd., but to actually
implement this project in that company. This may bear fruit for me in the form of
a possible future job prospect in this company. I had to be able to liaise with the staff
and establish a good rapport with them.
Furthermore, in this project I will also be developing a website covering this
report; it will be available with this documentation, and I will publish the web address
in the conclusion of this report.
Previously I worked for several years as a Network Engineer in Pakistan
for several companies, where I designed, deployed, managed and troubleshot complex networks.


I have also worked as a web developer and developed several websites for clients in
Pakistan. Clearly I have great interest in the field of Networking and this is the sole
reason for me taking up this degree to further my knowledge and career within this
field.


Virtual Private Networking Project Proposal

Chapter 2 - The Project Proposal


2.1 Background Information on the company:
Sun Infosys Ltd. http://www.suninfosys.co.uk/ is in the business of not only computer
hardware but also software and CCTV systems. Because of the varied systems
there was a need for convergence and also for availability, so that the resources can be
reached and checked from virtually everywhere, as the sales team and the director are mostly
mobile. This need, coupled with the popularity of VPN systems, gave me a chance to
offer myself for this project and to offer a solution to their problems. Sun Infosys Ltd.
gladly accepted my offer.
The aim and objectives of this project are to make proposals and then implement a
suitable proposal that will allow me to investigate the best method and solution for
implementing a Virtual Private Network for Sun InfoSys Ltd. between its Head
Office and Branch Office, and to provide connectivity to its Managing Director, Sales
team and the various Installers and Site Engineers requiring access to various resources.
Sun InfoSys Ltd. was established by I.T. and security experts to provide total solutions
to the retail business market. Sun InfoSys Ltd. is probably the only company that provides
total security systems integrated with I.T. Sun Infosys is the supplier and installer
of various hardware (i.e. computers, printers, point-of-sale systems and digital
Internet-enabled CCTV systems) and software (all types of software needed by
EPOS, CCTV and client businesses) for retail business in the UK.
The company's aim is to add value in all areas of its involvement with customers,
whether simply offering technical support, single hardware components or efficient
planning of a large systems integration and installation programme.


By building a Virtual Private Network system, I plan to cater to the company's current
need of providing connectivity to its essential resources, as the Managing Director Mr.
S. Peter Andy is always on the move and needs to connect to the company resources
from various national and international venues such as the UK and Taiwan when holding
meetings and presentations with his suppliers in Taiwan. He needs to be able to have
up-to-the-minute data about stocks, current requirements, current problems and sales
figures.
The company has a head office in the following location:
Head Office: No 8, Exmouth Rd., London, E17 7QQ.
It also has a branch office in the following location:
Branch Office: No 772-776, Romford Rd., London, E12.
The sales team need to commute to various organizations to give presentations and
to convince potential clients; they frequently require on-the-move connections to
resources such as sales figures, Sage, presentations, technical data, live demos
and IP-based demonstrations of their digital CCTV systems.
The Support team and the various installers and engineers require on-the-move access to
technical resources, software, patches and contact information from the company and
Sage when visiting client locations, which currently vary anywhere in London.
In light of the above data and information given to me, I propose a Virtual Private
Network solution. This solution can be delivered on a UNIX system or on a
Microsoft Windows based system.


2.2 The UNIX based solution entails the following:

Installation and configuration of a LINUX box (server), then installation of LINUX
FreeS/WAN. LINUX FreeS/WAN is an implementation of IPSEC and IKE for Linux.
The abbreviation IPSEC stands for Internet Protocol SECurity. It uses strong
cryptography to offer both authentication and encryption services. Authentication
ensures that packets are from the right sender and have not been altered in transit.
Encryption prevents unauthorised reading of packet contents. Together they provide
even better security.
These services make it possible to build secure tunnels through untrustworthy and unreliable
networks. Everything that passes through the untrusted network is encrypted by the
IPSEC gateway machine and decrypted by the gateway at the other end. The result
is a Virtual Private Network or VPN, a network which is effectively private
even though it includes machines at several different sites connected by the insecure
and public Internet.
The IPSEC protocols were developed by the IETF (Internet Engineering Task Force)
and will be required as part of the next-generation IP, IP version 6. They are also
being widely implemented for IPv4. In particular, nearly all vendors of any type of
firewall or security software have IPSEC support either shipping or in development.
There are also several open source IPSEC projects. Several companies are cooperating
in the Secure Wide Area Network (S/WAN) project to ensure that products
will interoperate. There is also a VPN Consortium fostering cooperation among
companies in this area.
The LINUX / FreeS/WAN solution requires basic knowledge of LINUX and a
moderate knowledge of networking protocols.


There are three popular authentication methods supported by LINUX
based FreeS/WAN:
1) Raw RSA keys - for FreeS/WAN to FreeS/WAN connections only.
A raw RSA key is literally a long string of alphanumeric characters,
which is the encoding of either a public or private key. The public and
private keys go together, so that with the private key the owner can
validate the public key.
2) X.509 certificates (which are essentially RSA keys in a glorified format).
X.509 certificates use the same encryption scheme as raw RSA
keys, but wrap them in certificates. This allows a trust-inheritance scheme, and
the certificates themselves also contain useful supporting information.
The actual representation of a certificate is a file, and it can be encoded
in many different ways (plain-text, binary or combinations of the two),
for example PEM, base64, PKCS#12, etc.
3) PSKs (Pre-shared secret keys).
PSKs are not very secure at all. They are simply non-encrypted
passphrases stored in plain text, e.g. my_secret_password. They help
get a connection set up if easy authentication is to be used (they are the
easiest of the three to set up), but they are insecure and should not
be used in the long run.
Hardware Requirements for the LINUX FreeS/WAN solution:
The hardware requirements are pretty basic: a 32-bit machine capable of running
Linux, with two NICs (network interface cards; one connected towards the Internet,
the other connected to the clients).


2.3 The Windows Based solution consists of the following:

Requirements: A Windows based server operating system, ideally Windows Server
2003, and Microsoft ISA Server 2000.

Hardware requirements for the Windows Server 2003 / ISA Server 2000 solution:
Computer and processor: PC with a 133-MHz processor required; 550-MHz or faster
processor recommended
Memory: 128 MB of RAM required; 256 MB or more recommended; 4 GB maximum
Hard disk: 1.25 to 2 GB of available hard-disk space
Drive: CD-ROM or DVD-ROM drive
Display: VGA or hardware that supports console redirection required; Super VGA
supporting 800 x 600 or higher-resolution monitor recommended


Virtual Private Networking Literature Search

Chapter 3 - Literature Search


I have accumulated the following key topics for research on Virtual Private Networking:
3.1 What is VPN?
3.2 What Makes a VPN?
3.3 Types of VPN
3.4 Remote-Access VPN
3.5 Site-to-Site VPN
3.6 Extranet VPN
3.7 VPN Security
3.8 Firewalls
3.9 Encryption
3.10 IPSec
3.11 AAA Servers
3.12 VPN Technologies
3.13 VPN Concentrator
3.14 VPN-Optimized Router
3.15 Cisco Secure PIX Firewall
3.16 Tunnelling
3.17 Carrier protocol
3.18 Encapsulating protocol
3.19 Passenger protocol
3.20 Tunneling: Site-to-Site
3.21 Tunnelling: Remote-Access
3.22 L2F (Layer 2 Forwarding)
3.23 PPTP (Point-to-Point Tunneling Protocol)
3.24 L2TP (Layer 2 Tunneling Protocol)
3.25 MPLS


3.1 What is VPN?

A VPN is a generic term that describes any combination of technologies that
can be used to secure a connection through an otherwise unsecured or
untrusted network.

Cisco Definition:
http://www.cisco.com/warp/public/779/largeent/design/vpn.html
[ VPN is one of the most used words in networking today and has many
different meanings.
The broadest definition of a VPN is 'any network built upon a public network
and partitioned for use by individual customers'. This results in public frame
relay, X.25, and ATM networks being considered as VPNs. These types of
VPNs are generically referred to as Layer 2 VPNs. The emerging forms of
VPNs are networks constructed across shared IP backbones, referred to as 'IP
VPNs'. ]

Definition by VPN Consortium:
http://www.vpnc.org/vpn-technologies.html
[ A virtual private network (VPN) is a private data network that makes use of
the public telecommunication infrastructure, maintaining privacy through the
use of a tunneling protocol and security procedures. A virtual private network
can be contrasted with a system of owned or leased lines that can only be used
by one company. The main purpose of a VPN is to give the company the same
capabilities as private leased lines at much lower cost by using the shared
public infrastructure. Phone companies have provided private shared resources
for voice messages for over a decade. A virtual private network makes it
possible to have the same protected sharing of public resources for data.
Companies today are looking at using a private virtual network for both
extranets and wide-area intranets. ]

My Definition:
Basically a VPN is a private network that uses a public network (usually the
Internet) to connect remote sites or users together. Instead of using a
dedicated, real-world connection such as a leased line, a VPN uses "virtual"
connections routed through the Internet from the company's private network to
the remote site or employee.

3.2 What Makes a VPN?

A well-designed VPN can greatly benefit a company. For example, it can:
- Extend geographic connectivity
- Improve security
- Reduce operational costs versus traditional WAN
- Reduce transit time and transportation costs for remote users
- Improve productivity
- Simplify network topology
- Provide global networking opportunities
- Provide telecommuter support
- Provide broadband networking compatibility
- Provide faster ROI (return on investment) than traditional WAN

A well-designed VPN should incorporate the following features:
- Security
- Reliability
- Scalability
- Network management
- Policy management


3.3 Types of VPN:

1) Remote-Access VPN
2) Site-to-Site VPN
3) Extranet VPNs

3.4 Remote-Access VPN

Cisco Definition:
http://www.cisco.com/warp/public/779/largeent/design/remote_vpn.html
[ Remote Access VPNs provide remote access to a corporate Intranet or
extranet over a shared infrastructure with the same policies as a private
network. Access VPNs enable users to access corporate resources whenever,
wherever, and however they require. Access VPNs encompass analog, dial,
ISDN, digital subscriber line (DSL), mobile IP, and cable technologies to
securely connect mobile users, telecommuters, or branch offices. ]

My Definition:
Remote-access, also called a virtual private dial-up network (VPDN), is a
user-to-LAN connection used by a company that has employees who need to
connect to the private network from various remote locations. Normally, a
company that wishes to set up a large remote-access VPN will outsource to an
enterprise service provider (ESP). The ESP sets up a network access server
(NAS) and provides the remote users with desktop client software for their
computers. The telecommuters can then dial a low-call or free number
(0800, 0500 etc.) to reach the NAS and use their VPN client software to access
the corporate network.


[Figure: Remote-Access VPN. Image source: Understanding Virtual Private Networking, from ADTRAN,
http://www.adtran.com/adtranpx/Doc/0/EU0GPR0PEFB139RF038BE81ID8/EU0GPR0PEFB139RF038BE81ID8.pdf]

[Figure: Remote-Access VPN. Source: the picture is copyrighted and taken from the Cisco website:
http://www.cisco.com/warp/public/779/largeent/design/remote_vpn.html]


A good example of a company that needs a remote-access VPN would be a
company with a lot of sales people in the field. Remote-access VPNs permit
secure, encrypted connections between a company's private network and
remote users through a third-party service provider.

3.5 Site-to-Site VPN

Cisco Definition:
http://www.cisco.com/warp/public/779/largeent/design/intranet_vpn.html
[ Site-to-Site VPNs are an alternative WAN infrastructure that is used to connect
branch offices, home offices, or business partners' sites to all or portions of a
company's network. VPNs do not inherently change private WAN
requirements, such as support for multiple protocols, high reliability, and
extensive scalability, but instead meet these requirements more cost-effectively
and with greater flexibility. ]
A company can connect multiple fixed sites over a public network such as the
Internet through the use of dedicated equipment and large-scale encryption.
Site-to-site VPNs can be one of two types:
Intranet-based - If a company has one or more remote locations that it wishes
to join in a single private network, it can create an intranet VPN to connect
LAN to LAN.
Extranet-based - When a company has a close relationship with another
company (for example, a partner, supplier or customer), it can build an
extranet VPN that connects LAN to LAN and allows all of the various
companies to work in a shared environment.


[Figure: Site-to-Site VPN. Image source: Understanding Virtual Private Networking, from ADTRAN,
http://www.adtran.com/adtranpx/Doc/0/EU0GPR0PEFB139RF038BE81ID8/EU0GPR0PEFB139RF038BE81ID8.pdf]

[Figure: Site-to-Site VPN. Source: the picture is copyrighted and taken from the Cisco website:
http://www.cisco.com/warp/public/779/largeent/design/intranet_vpn.html]


3.6 Extranet VPN

Cisco Definition:
http://www.cisco.com/warp/public/779/largeent/design/extranet_vpn.html
[ Extranet VPNs link customers, suppliers, partners, or communities of interest
to a corporate Intranet over a shared infrastructure using dedicated
connections. Businesses enjoy the same policies as a private network,
including security, QoS, manageability, and reliability. ]
* See reference section for resource detail.

[Figure: Extranet VPN. Source: the picture is copyrighted and taken from the Cisco website:
http://www.cisco.com/warp/public/779/largeent/design/extranet_vpn.html]


[Figure. Image source: http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.pdf]

3.7 VPN Security:

A well-designed VPN uses several methods for keeping your connection and
data secure:
1) Firewalls
2) Encryption
3) IPSec
4) AAA Server


3.8 Firewalls:
Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/f/firewall.html
[ (n.) A system designed to prevent unauthorized access to or from a
private network. Firewalls can be implemented in both hardware and software,
or a combination of both. Firewalls are frequently used to prevent
unauthorized Internet users from accessing private networks connected to the
Internet, especially intranets. All messages entering or leaving the intranet
pass through the firewall, which examines each message and blocks those that
do not meet the specified security criteria. ]
There are several types of firewall techniques:
Packet filter: Looks at each packet entering or leaving the network and
accepts or rejects it based on user-defined rules. Packet filtering is fairly
effective and transparent to users, but it is difficult to configure. In addition, it
is susceptible to IP spoofing.
Application gateway: Applies security mechanisms to specific applications,
such as FTP and Telnet servers. This is very effective, but can impose
performance degradation.
Circuit-level gateway: Applies security mechanisms when a TCP or UDP
connection is established. Once the connection has been made, packets can
flow between the hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network. The
proxy server effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert.
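To make the packet-filter technique concrete, here is an added example in Python (my own code, not from the report or from any product it discusses): a first-match rule engine of the kind described above. The LAN 192.168.10.0/24, the VPN server address 192.168.10.1 and the sample packets are constructed assumptions; the two PPTP rules (TCP 1723 and GRE) are what a filter in front of a PPTP VPN server such as ISA Server has to let through.

```python
"""Added example (not from the report): a minimal first-match packet filter.

Each packet is checked against an ordered list of user-defined rules; the first
matching rule decides, and anything unmatched falls through to a default DENY.
The LAN, the VPN server address and the sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str          # source IP address
    dst: str          # destination IP address
    proto: str        # "tcp", "udp" or "gre"
    dport: int        # destination port (0 when the protocol has none)
    direction: str    # "in" (from the Internet) or "out" (to the Internet)


@dataclass(frozen=True)
class Rule:
    action: str                       # "ALLOW" or "DENY"
    direction: Optional[str] = None   # None matches either direction
    src: Optional[str] = None         # CIDR network; None matches any address
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set must match; unset fields are wildcards."""
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Constructed office network (hypothetical addresses).
LAN = "192.168.10.0/24"
VPN_SERVER = "192.168.10.1/32"

RULES = [
    # Anti-spoofing: traffic arriving from the Internet must not claim a LAN source.
    Rule("DENY", direction="in", src=LAN),
    # PPTP to the VPN server only: the TCP 1723 control channel and GRE for the tunnel.
    Rule("ALLOW", direction="in", dst=VPN_SERVER, proto="tcp", dport=1723),
    Rule("ALLOW", direction="in", dst=VPN_SERVER, proto="gre"),
    # The LAN may browse the web.
    Rule("ALLOW", direction="out", src=LAN, proto="tcp", dport=80),
    Rule("ALLOW", direction="out", src=LAN, proto="tcp", dport=443),
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule, or DENY when none matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "DENY"


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        Packet("203.0.113.5", "192.168.10.1", "tcp", 1723, "in"),    # PPTP control
        Packet("203.0.113.5", "192.168.10.1", "gre", 0, "in"),       # PPTP tunnel
        Packet("203.0.113.5", "192.168.10.20", "tcp", 445, "in"),    # SMB from outside
        Packet("192.168.10.50", "198.51.100.7", "tcp", 443, "out"),  # HTTPS out
        Packet("192.168.10.7", "192.168.10.1", "tcp", 1723, "in"),   # spoofed LAN source
    ]
    for p in samples:
        print(f"{p.direction:>3} {p.src} -> {p.dst}:{p.dport}/{p.proto}: {filter_packet(p)}")
```

The first rule is the usual mitigation for the IP-spoofing weakness the section mentions: a packet arriving from the Internet with a LAN source address is dropped before any allow rule can match it.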


A firewall is considered a first line of defense in protecting private
information. For greater security, data can be encrypted.

3.9 Encryption

Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/e/encryption.html
[ The translation of data into a secret code. Encryption is the most effective
way to achieve data security. To read an encrypted file, you must have access
to a secret key or password that enables you to decrypt it. Unencrypted data is
called plain text; encrypted data is referred to as cipher text. ]

My Definition:
Encryption is the process of taking all the data that one computer is sending to
another and encoding it into a form that only the other computer will be able to
decode. Most computer encryption systems belong to one of two categories:
- Symmetric-key encryption
- Public-key encryption

In symmetric-key encryption, each computer has a secret key (code) that it
can use to encrypt a packet of information before it is sent over the network to
another computer. One must know which computers will be talking to
each other so that the key can be installed on each computer. Symmetric-key
encryption is essentially the same as a secret code that each of the two
computers must know in order to decode the information. The code provides
the key to decoding the message.
This can be further understood by a simple example: you create a coded
message to send to a friend in which each letter is substituted with the letter
that is two down from it in the alphabet. So "A" becomes "C," and "B"
becomes "D". You have already told a trusted friend that the code is "Shift by
2". Your friend gets the message and decodes it. Anyone else who sees the
message will see only nonsense.
Public-key encryption uses a combination of a private key and a public key.
The private key is known only to your computer, while the public key is given
by your computer to any computer that wants to communicate securely with it.
To decode an encrypted message, a computer must use the public key,
provided by the originating computer, and its own private key. A very popular
public-key encryption utility is called Pretty Good Privacy (PGP), which
allows encrypting almost anything.

3.10 IPSec

Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/I/IPsec.html
[ Short for IP Security, a set of protocols developed by the IETF to support
secure exchange of packets at the IP layer. IPSec has been deployed widely to
implement Virtual Private Networks (VPNs). ]

My Definition:
Internet Protocol Security Protocol (IPSec) provides enhanced security
features such as better encryption algorithms and more comprehensive
authentication.


[Figure. Image source: http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.pdf]
IPSec has two encryption modes: tunnel and transport. Tunnel mode encrypts the
header and the payload of each packet, while transport mode only encrypts the
payload. Only systems that are IPSec compliant can take advantage of this
protocol. Also, all devices must use a common key and the firewalls of each
network must have very similar security policies set up. IPSec can encrypt
data between various devices, such as:
- Router to router
- Firewall to router
- PC to router
- PC to server


3.11 AAA Servers

Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/A/AAA.html
[ Short for authentication, authorization and accounting, a system in IP-based
networking to control what computer resources users have access to and to
keep track of the activity of users over a network. ]

My Definition:
AAA (authentication, authorization and accounting) servers are used for more
secure access in a remote-access VPN environment. When a request to
establish a session comes in from a dial-up client, the request is proxied to the
AAA server. AAA then checks the following:
- Who you are (authentication)
- What you are allowed to do (authorization)
- What you actually do (accounting)

The accounting information is especially useful for tracking client use for
security auditing, billing or reporting purposes.


3.12 VPN Technologies

Depending on the type of VPN (remote-access or site-to-site), certain
components will need to be put in place to build the VPN. These might
include:
- Desktop software client for each remote user
- Dedicated hardware such as a VPN concentrator or secure PIX firewall
- Dedicated VPN server for dial-up services
- NAS (network access server) used by the service provider for remote-user VPN access
- VPN network and policy-management center

Because there is no widely accepted standard for implementing a VPN, many
companies have developed turn-key solutions on their own.
I will discuss some of the solutions offered by Cisco, one of the most prevalent
networking technology companies:

3.13 VPN Concentrator

Incorporating the most advanced encryption and authentication techniques
available, Cisco VPN concentrators are built specifically for creating a
remote-access VPN. They provide high availability, high performance and scalability
and include components, called scalable encryption processing (SEP)
modules, which enable users to easily increase capacity and throughput. The
concentrators are offered in models suitable for everything from small
businesses with up to 100 remote-access users to large organizations with up
to 10,000 simultaneous remote users.


3.14 VPN-Optimized Router

Cisco's VPN-optimized routers provide scalability, routing, security and QoS
(quality of service). Based on the Cisco IOS (Internet Operating System)
software, there is a router suitable for every situation, from small-office/home-office
(SOHO) access through central-site VPN aggregation, to large-scale
enterprise needs.

3.15 Cisco Secure PIX Firewall

The Cisco PIX Firewall is a dedicated firewall appliance: the PIX (private Internet
exchange) firewall combines dynamic network address translation, proxy server, packet
filtering, firewall and VPN capabilities in a single piece of hardware.
Instead of using Cisco IOS, this device has a highly streamlined OS that trades
the ability to handle a variety of protocols for extreme robustness and
performance by focusing on IP.

3.16 Tunnelling

Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/t/tunneling.html
[ (n.) A technology that enables one network to send its data via
another network's connections. Tunneling works by encapsulating a network
protocol within packets carried by the second network. For example,
Microsoft's PPTP technology enables organizations to use the Internet to
transmit data across a VPN. It does this by embedding its own network
protocol within the TCP/IP packets carried by the Internet. ]


My Definition:
Most VPNs rely on tunneling to create a private network that reaches across the
Internet. Essentially, tunneling is the process of placing an entire packet within
another packet and sending it over a network. The protocol of the outer packet is
understood by the network and by both end points, called tunnel interfaces, where the
packet enters and exits the network.
To simplify the process of tunneling I will give an example: it is like having a
mobile phone delivered by Royal Mail. The mobile phone company packs the mobile
phone (passenger protocol) into a box (encapsulating protocol), which is then put on a
Royal Mail delivery truck (carrier protocol) at the mobile phone company's
warehouse (entry tunnel interface). The truck (carrier protocol) travels over the
motorways (Internet) to the customer's home (exit tunnel interface) and delivers the
box. The customer opens the box (encapsulating protocol) and removes the mobile
phone (passenger protocol). That is called tunneling. Simple!

Tunneling requires three different protocols:

3.17 Carrier protocol - The protocol used by the network that the information is
traveling over (IP, in the case of the Internet).

3.18 Encapsulating protocol - The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is
wrapped around the original data.

3.19 Passenger protocol - The original data (IPX, NetBEUI, IP) being carried.

Tunneling has several useful applications for VPNs. For example, a packet that uses a
protocol not routed on the Internet (such as NetBEUI) can be placed inside an IP
packet and carried across the Internet. Or a packet that uses a private (non-routable)
IP address can be put inside a packet that uses a globally unique IP address to extend
a private network over the Internet. Note that tunneling by itself only provides
reachability: unless the encapsulating protocol also encrypts and authenticates the
passenger packet (as IPSec does, and GRE on its own does not), anyone on the path
can read and alter the encapsulated data.


3.20 Tunnelling: Site-to-Site


In a site-to-site VPN, GRE (generic routing encapsulation) is normally the
encapsulating protocol that provides the framework for how to package the
passenger protocol for transport over the carrier protocol, which is typically
IP-based. The GRE header carries the type of packet being encapsulated and,
optionally, a key and a sequence number that identify the tunnel and the packet
order. GRE itself provides neither encryption nor authentication, so a plain GRE
tunnel across the Internet is private only in the sense of addressing; in practice the
GRE packets are protected with IPSec, or IPSec in tunnel mode is used directly as the
encapsulating protocol. IPSec works well on both remote-access and site-to-site
VPNs, but it must be supported at both tunnel end points.
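To make the carrier / encapsulating / passenger split of sections 3.16 to 3.20 concrete, the following Python example (added for this edition of the report; it is not code from the original project) builds a GRE tunnel packet exactly as described above and takes it apart again at the exit tunnel interface. The passenger packets, the tunnel end-point addresses 203.0.113.1 and 198.51.100.1 and the payload bytes are all constructed for the example; nothing here is captured from Sun Infosys' network. The decapsulation routine checks the outer header before trusting it, and the last check shows why GRE on its own is not a security protocol: the passenger packet is visible, byte for byte, inside the carrier.

```python
import ipaddress
import socket
import struct

GRE_PROTOCOL_NUMBER = 47    # IPv4 "protocol" field value meaning "a GRE header follows"
ETHERTYPE_IPV4 = 0x0800     # GRE "protocol type" values are Ethertypes
ETHERTYPE_IPX = 0x8137

# Tunnel end points (entry and exit tunnel interfaces); documentation addresses chosen for the example.
TUNNEL_SRC, TUNNEL_DST = "203.0.113.1", "198.51.100.1"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum; yields 0 when run over a header whose checksum is already right."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def gre_encapsulate(passenger: bytes, protocol_type: int, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Entry tunnel interface: passenger -> GRE (encapsulating) -> outer IPv4 (carrier)."""
    gre_header = struct.pack("!HH", 0x0000, protocol_type)    # no C/K/S bits, GRE version 0
    encapsulated = gre_header + passenger
    return build_ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL_NUMBER, len(encapsulated)) + encapsulated


def gre_decapsulate(carrier_packet: bytes):
    """Exit tunnel interface: verify the outer IPv4 and GRE headers, return (protocol_type, passenger)."""
    if carrier_packet[0] >> 4 != 4:
        raise ValueError("carrier packet is not IPv4")
    ihl = (carrier_packet[0] & 0x0F) * 4
    if ipv4_checksum(carrier_packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum is wrong")
    if carrier_packet[9] != GRE_PROTOCOL_NUMBER:
        raise ValueError("outer packet does not carry GRE")
    flags, protocol_type = struct.unpack_from("!HH", carrier_packet, ihl)
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled here")
    offset = ihl + 4
    if flags & 0x8000:      # C bit: checksum and reserved1 fields present
        offset += 4
    if flags & 0x2000:      # K bit: key present
        offset += 4
    if flags & 0x1000:      # S bit: sequence number present
        offset += 4
    return protocol_type, carrier_packet[offset:]


def check_carrier(carrier_packet: bytes) -> str:
    """'ok' when the outer headers verify, otherwise the reason the exit interface would drop the packet."""
    try:
        gre_decapsulate(carrier_packet)
        return "ok"
    except ValueError as err:
        return str(err)


# Constructed sample passengers (not captured traffic).
# 1) A private-address IP packet carrying a UDP datagram aimed at the Remote Desktop port.
RDP_DATA = b"constructed RDP-bound payload"
UDP_DATAGRAM = struct.pack("!HHHH", 40000, 3389, 8 + len(RDP_DATA), 0) + RDP_DATA   # UDP checksum 0 = none
PASSENGER_IP = build_ipv4_header("192.168.1.10", "192.168.2.20", 17, len(UDP_DATAGRAM)) + UDP_DATAGRAM
# 2) Stand-in bytes for an IPX packet: a protocol the Internet does not route at all.
PASSENGER_IPX = b"\xff\xff\x00\x1e\x00\x04" + b"\x00" * 24

CARRIER_IP = gre_encapsulate(PASSENGER_IP, ETHERTYPE_IPV4, TUNNEL_SRC, TUNNEL_DST)
CARRIER_IPX = gre_encapsulate(PASSENGER_IPX, ETHERTYPE_IPX, TUNNEL_SRC, TUNNEL_DST)


def tunnel_round_trip(passenger: bytes, protocol_type: int) -> dict:
    """Push one passenger through the tunnel and report what the exit interface recovers."""
    carrier = gre_encapsulate(passenger, protocol_type, TUNNEL_SRC, TUNNEL_DST)
    recovered_type, recovered = gre_decapsulate(carrier)
    return {
        "overhead_bytes": len(carrier) - len(passenger),          # 20 outer IPv4 + 4 GRE
        "recovered_intact": recovered == passenger and recovered_type == protocol_type,
        "passenger_readable_on_wire": passenger in carrier,       # GRE hides nothing
    }


def inner_addresses_private(passenger_ip: bytes) -> bool:
    """True when the passenger IP packet uses private addresses, i.e. could not cross the Internet untunnelled."""
    src = ipaddress.ip_address(passenger_ip[12:16])
    dst = ipaddress.ip_address(passenger_ip[16:20])
    return src.is_private and dst.is_private
```

`tunnel_round_trip(PASSENGER_IP, ETHERTYPE_IPV4)` reports 24 bytes of overhead, an intact passenger and `passenger_readable_on_wire` set to True; flipping one byte of the outer header makes `check_carrier` report the checksum failure, which is the only check a plain GRE end point can make.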

3.21 Tunnelling: Remote-Access


In a remote-access VPN, tunneling normally takes place using PPP (the Point-to-Point
Protocol). PPP is a link-layer protocol that carries IP and other network protocols
between the host computer and the remote system, and also handles link set-up and
user authentication (PAP, CHAP, MS-CHAP) for the session. Remote-access VPN
tunneling relies on PPP: each of the protocols listed below extends PPP by carrying
its frames across an IP network instead of a dial-up line.

3.22 L2F (Layer 2 Forwarding)


Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/L/Layer_Two_Forwarding.html
[ Often abbreviated as L2F, a tunneling protocol developed by Cisco Systems.
L2F is similar to the PPTP protocol developed by Microsoft, enabling
organizations to set up virtual private networks (VPNs) that use the Internet
backbone to move packets. ] Developed by Cisco, L2F will use any
authentication scheme supported by PPP.


3.23 PPTP (Point-to-Point Tunnelling Protocol)


Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/P/PPTP.html
[ Short for Point-to-Point Tunneling Protocol, a new technology for creating
Virtual Private Networks (VPNs) , developed jointly by Microsoft
Corporation, U.S. Robotics, and several remote access vendor companies,
known collectively as the PPTP Forum. A VPN is a private network of
computers that uses the public Internet to connect some nodes. Because the
Internet is essentially an open network, the Point-to-Point Tunneling Protocol
(PPTP) is used to ensure that messages transmitted from one VPN node to
another are secure. With PPTP, users can dial in to their corporate network via
the Internet. ]
PPTP was created by the PPTP Forum, a consortium which includes US Robotics,
Microsoft, 3COM, Ascend and ECI Telematics. PPTP carries PPP frames inside an
enhanced GRE tunnel, supports 40-bit and 128-bit encryption (MPPE, a stream cipher
keyed from the user's password) and will use any authentication scheme supported by
PPP, normally MS-CHAP. A practitioner should note that published analyses of
PPTP with MS-CHAP (Schneier and Mudge, 1998) found weaknesses in the
authentication exchange and in how the MPPE keys are derived from the password;
MS-CHAPv2 corrected some of these, but the scheme remains only as strong as the
user's password.

3.24 L2TP (Layer 2 Tunneling Protocol)


Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/L/L2TP.html
[ Short for Layer Two (2) Tunneling Protocol, an extension to the PPP
protocol that enables ISPs to operate Virtual Private Networks (VPNs).


L2TP merges the best features of two other tunneling protocols: PPTP from
Microsoft and L2F from Cisco Systems. Like PPTP, L2TP requires that the
ISP's routers support the protocol. ]
L2TP is the product of a partnership between the members of the PPTP Forum, Cisco
and the IETF (Internet Engineering Task Force). It combines features of both PPTP
and L2F, and carries PPP frames inside UDP (port 1701). L2TP provides no encryption
of its own; for confidentiality and integrity it is normally run inside IPSec, the
combination known as L2TP/IPSec, which is what Windows 2000 and later clients use.
L2TP can be used as a tunneling protocol for site-to-site VPNs as well as
remote-access VPNs. In fact, L2TP can create a tunnel between:

Client and router
NAS and router
Router and router
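The remote-access protocols of sections 3.21 to 3.24 all carry PPP frames across the Internet. The following Python example (added here; it is not code from the original report) constructs L2TP data messages of the kind an L2TP Network Server receives on UDP port 1701, with PPP frames inside them, and parses them back down to the passenger protocol. The tunnel and session IDs, the CHAP challenge and the IP datagram are constructed sample data. The point a practitioner should take from it: everything inside the PPP frame, the authentication exchange as well as the user's IP traffic, is clear text at the L2TP layer, which is why L2TP is deployed inside IPSec.

```python
import struct

L2TP_UDP_PORT = 1701      # L2TP data and control messages travel in UDP datagrams to this port
L2TP_VERSION = 2

# PPP protocol numbers (RFC 1661 and the IANA PPP number registry) a remote-access session carries.
PPP_PROTOCOL_NAMES = {
    0x0021: "IP", 0x002B: "IPX", 0x003F: "NetBIOS Frames (NetBEUI)",
    0x8021: "IPCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP", 0x80FD: "CCP",
}


def build_ppp_frame(protocol: int, information: bytes, address_control: bool = True) -> bytes:
    """PPP frame as carried in a tunnel: optional HDLC address/control (FF 03), protocol field, information."""
    return (b"\xff\x03" if address_control else b"") + struct.pack("!H", protocol) + information


def parse_ppp_frame(frame: bytes):
    """Return (protocol number, name, information), handling address/control and protocol field compression."""
    offset = 2 if frame[:2] == b"\xff\x03" else 0
    if frame[offset] & 0x01:                      # PFC: a single odd octet is a compressed protocol field
        protocol, offset = frame[offset], offset + 1
    else:
        protocol, offset = struct.unpack_from("!H", frame, offset)[0], offset + 2
    return protocol, PPP_PROTOCOL_NAMES.get(protocol, "unknown"), frame[offset:]


def build_l2tp_data_message(tunnel_id: int, session_id: int, ppp_frame: bytes, ns=None, nr=None) -> bytes:
    """L2TPv2 data message (RFC 2661): T=0, L bit set so the length is explicit, optional Ns/Nr."""
    flags = 0x4000 | L2TP_VERSION
    ids = struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:
        flags |= 0x0800                           # S bit: sequence numbers present
        ids += struct.pack("!HH", ns, nr or 0)
    length = 4 + len(ids) + len(ppp_frame)        # flags/version (2) + length (2) + ids + payload
    return struct.pack("!HH", flags, length) + ids + ppp_frame


def parse_l2tp(datagram: bytes) -> dict:
    """Parse an L2TPv2 header the way an LNS does before handing the payload to PPP."""
    (flags,) = struct.unpack_from("!H", datagram, 0)
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError("not an L2TPv2 header")
    control, offset = bool(flags & 0x8000), 2
    if flags & 0x4000:                            # L bit: length field present
        (length,) = struct.unpack_from("!H", datagram, offset)
        offset += 2
        if length != len(datagram):
            raise ValueError("L2TP length field does not match the datagram")
    elif control:
        raise ValueError("control messages must carry the length field")
    tunnel_id, session_id = struct.unpack_from("!HH", datagram, offset)
    offset += 4
    ns = nr = None
    if flags & 0x0800:                            # S bit
        ns, nr = struct.unpack_from("!HH", datagram, offset)
        offset += 4
    if flags & 0x0200:                            # O bit: offset size, then that many padding bytes
        (pad,) = struct.unpack_from("!H", datagram, offset)
        offset += 2 + pad
    return {"control": control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": datagram[offset:]}


# Constructed sample data for one remote-access session (tunnel 7, session 3); nothing here was captured.
CHAP_CHALLENGE = b"\x01\x07\x00\x13\x08" + b"\xa5" * 8 + b"vpn-gw"   # code 1 (Challenge), id 7, length 19
RDP_DATA = b"constructed payload"
SAMPLE_IP_DATAGRAM = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(RDP_DATA), 0, 0, 64, 6, 0,
                                 bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) + RDP_DATA   # checksum left 0

SESSION_MESSAGES = [
    build_l2tp_data_message(7, 3, build_ppp_frame(0xC223, CHAP_CHALLENGE), ns=0, nr=0),
    build_l2tp_data_message(7, 3, build_ppp_frame(0x0021, SAMPLE_IP_DATAGRAM), ns=1, nr=0),
]


def walk_session(messages) -> list:
    """What an observer on the path sees in each data message: (session, Ns, passenger protocol, information)."""
    seen = []
    for datagram in messages:
        header = parse_l2tp(datagram)
        protocol, name, information = parse_ppp_frame(header["payload"])
        seen.append((header["session_id"], header["ns"], name, information))
    return seen
```

`walk_session(SESSION_MESSAGES)` identifies the first message as a CHAP exchange and the second as the user's IP packet, and the IP packet can be found verbatim inside the UDP datagram; wrapping the datagram in ESP is what removes that exposure.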

3.25 MPLS

** Note: the MPLS information and description below is taken from the article
"The MPLS FAQ", MPLS-RC - The MPLS Resource Center,
http://www.mplsrc.com/mplsfaq.shtml, Copyright 2000-2004, MPLSRC.COM [MPLS1] **

MPLS History
a. What is MPLS?
MPLS stands for "Multiprotocol Label Switching". In an MPLS network,
incoming packets are assigned a "label" by a "label edge router (LER)".
Packets are forwarded along a "label switch path (LSP)" where each "label
switch router (LSR)" makes forwarding decisions based solely on the contents
of the label. At each hop, the LSR strips off the existing label and applies a
new label which tells the next hop how to forward the packet.



Label Switch Paths (LSPs) are established by network operators for a variety
of purposes, such as to guarantee a certain level of performance, to route
around network congestion, or to create IP tunnels for network-based virtual
private networks. In many ways, LSPs are no different than circuit-switched
paths in ATM or Frame Relay networks, except that they are not dependent on
a particular Layer 2 technology.
An LSP can be established that crosses multiple Layer 2 transports such as
ATM, Frame Relay or Ethernet. Thus, one of the true promises of MPLS is
the ability to create end-to-end circuits, with specific performance
characteristics, across any type of transport medium, eliminating the need for
overlay networks or Layer 2 only control mechanisms.
To truly understand what MPLS is, RFC 3031, Multiprotocol Label Switching
Architecture, is required reading.

b. How did MPLS evolve?


MPLS evolved from numerous prior technologies including Cisco's "Tag
Switching", IBM's "ARIS", and Toshiba's "Cell-Switched Router". More
information on each of these technologies can be found at
http://www.watersprings.org/links/mlr/. The IETF's MPLS Working Group
was formed in 1997.

c. What problems does MPLS solve?


The initial goal of label based switching was to bring the speed of Layer 2
switching to Layer 3. Label based switching methods allow routers to make
forwarding decisions based on the contents of a simple label, rather than by
performing a complex route lookup based on destination IP address. This
initial justification for technologies such as MPLS is no longer perceived as
the main benefit, since Layer 3 switches (ASIC-based routers) are able to
perform route lookups at sufficient speeds to support most interface types.


However, MPLS brings many other benefits to IP-based networks; they include:

Traffic Engineering - the ability to set the path traffic will take through the
network, and the ability to set performance characteristics for a class of traffic.

VPNs - using MPLS, service providers can create IP tunnels throughout their
network, without the need for encryption or end-user applications.

Layer 2 Transport - New standards being defined by the IETF's PWE3 and PPVPN
working groups allow service providers to carry Layer 2 services including Ethernet,
Frame Relay and ATM over an IP/MPLS core.

Elimination of Multiple Layers - Typically most carrier networks employ an overlay
model where SONET/SDH is deployed at Layer 1, ATM is used at Layer 2 and IP is
used at Layer 3. Using MPLS, carriers can migrate many of the functions of the
SONET/SDH and ATM control plane to Layer 3, thereby simplifying network
management and network complexity. Eventually, carrier networks may be able to
migrate away from SONET/SDH and ATM altogether, which means elimination of
ATM's inherent "cell-tax" in carrying IP traffic.

d. What is the status of the MPLS standard?


Most MPLS standards are currently in the "Internet Draft" phase, though
several have now moved into the RFC-STD phase. See "MPLS Standards" for
a complete listing of current ID's and RFC's. For more information on the
current status of various Internet Drafts, see the IETF's MPLS Working Group
home page at http://www.ietf.org/html.charters/mpls-charter.html


There's no such thing as a single MPLS "standard". One day there will be a
set of RFCs that together will allow you to build an MPLS system. For
example today, a typical IP router spec. sheet will list about 20 RFCs to which
this router will comply. If you go to the IETF web site (http://www.ietf.org),
then click on "I-D Keyword Search", enter "MPLS" as your search term, and
crank up the number of items to be returned, (or visit
http://www.mplsrc.com/standards.shtml) you'll find over 100 drafts currently
stored. These drafts have a lifetime of 6 months. Some of these drafts have
been adopted by the IETF WG for MPLS.

Further reading:
Additional information on MPLS:
For articles, papers, and additional resources, see the MPLS Resource Center
at http://www.mplsrc.com
**
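The label swapping described in the FAQ above, as an added Python simulation (not part of this report or of the MPLS Resource Center material). An ingress LER classifies a packet by longest-prefix match and pushes a label; each LSR looks only at the top label, swaps it according to its label forwarding table and decrements the TTL; the egress router pops it. The router names, label values and prefixes are invented for the example. Two things the simulation makes visible: an LSR has no way to authenticate a label, it simply drops what it has no binding for, and the IP packet rides below the label stack unchanged, so an MPLS "VPN" separates customers' traffic but does not hide it; the FAQ's "without the need for encryption" refers to separation, not confidentiality.

```python
import ipaddress
import struct


def encode_label_entry(label: int, tc: int = 0, bottom: bool = False, ttl: int = 64) -> bytes:
    """One 32-bit MPLS label stack entry (RFC 3032): label 20 bits, TC 3 bits, S 1 bit, TTL 8 bits."""
    if not (0 <= label < 2 ** 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("label stack field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def decode_label_stack(packet: bytes):
    """Split a labelled packet into its stack entries (top first) and the payload below them."""
    entries, offset = [], 0
    while True:
        (word,) = struct.unpack_from("!I", packet, offset)
        offset += 4
        entries.append({"label": word >> 12, "tc": (word >> 9) & 7,
                        "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF})
        if entries[-1]["bottom"]:
            return entries, packet[offset:]


class LabelEdgeRouter:
    """Ingress LER: maps the IP destination to a FEC by longest-prefix match and pushes that FEC's label."""

    def __init__(self, name, fec_labels, next_hop):
        self.name, self.next_hop = name, next_hop
        self.fecs = sorted(((ipaddress.ip_network(p), l) for p, l in fec_labels.items()),
                           key=lambda item: item[0].prefixlen, reverse=True)

    def forward(self, ip_packet: bytes):
        dst = ipaddress.ip_address(ip_packet[16:20])
        for network, label in self.fecs:
            if dst in network:
                # TTL copied from the IP header so the LSP stays loop-safe; the IP packet is untouched
                return self.next_hop, encode_label_entry(label, bottom=True, ttl=ip_packet[8]) + ip_packet
        return None, None   # no FEC for this destination: drop (a real LER would route it natively)


class LabelSwitchRouter:
    """LSR or egress LER: decides on the top label alone, via an LFIB of label -> (action, out_label, next_hop)."""

    def __init__(self, name, lfib):
        self.name, self.lfib = name, lfib

    def forward(self, packet: bytes):
        entries, payload = decode_label_stack(packet)
        top = entries[0]
        if top["label"] not in self.lfib or top["ttl"] <= 1:
            return None, None   # unknown label or TTL expired: drop. Nothing authenticates a label.
        action, out_label, next_hop = self.lfib[top["label"]]
        below = packet[4:]      # remaining entries (if any) followed by the payload
        if action == "swap":
            return next_hop, encode_label_entry(out_label, top["tc"], top["bottom"], top["ttl"] - 1) + below
        if action == "pop":
            # At the bottom of the stack the plain IP packet goes back to ordinary IP forwarding.
            # (Propagating the MPLS TTL into the IP header, which needs a checksum update, is omitted.)
            return next_hop, below
        raise ValueError("unknown LFIB action " + action)


def traverse_lsp(ip_packet: bytes, routers: dict, ingress: str):
    """Follow one packet hop by hop: returns the (router, top label after forwarding) trace and what comes out."""
    trace, packet, hop = [], ip_packet, ingress
    while hop is not None:
        router = routers[hop]
        hop, packet = router.forward(packet)
        if packet is None:
            trace.append((router.name, "dropped"))
            return trace, None
        trace.append((router.name, decode_label_stack(packet)[0][0]["label"] if hop is not None else None))
    return trace, packet


def make_ip_packet(dst: str, payload: bytes = b"sample-data!") -> bytes:
    """Constructed IPv4 packet from 10.1.0.7 (header checksum left zero; nothing here verifies it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       ipaddress.ip_address("10.1.0.7").packed, ipaddress.ip_address(dst).packed) + payload


# Constructed provider core: LER-A -> LSR-B -> LSR-C -> LER-D is the LSP for 10.2.0.0/16.
# LER-A also binds label 150 to 10.0.0.0/8, but LSR-B has no binding for 150 and will drop it.
ROUTERS = {
    "LER-A": LabelEdgeRouter("LER-A", {"10.0.0.0/8": 150, "10.2.0.0/16": 100}, next_hop="LSR-B"),
    "LSR-B": LabelSwitchRouter("LSR-B", {100: ("swap", 200, "LSR-C")}),
    "LSR-C": LabelSwitchRouter("LSR-C", {200: ("swap", 300, "LER-D")}),
    "LER-D": LabelSwitchRouter("LER-D", {300: ("pop", None, None)}),
}
```

`traverse_lsp(make_ip_packet("10.2.0.5"), ROUTERS, "LER-A")` yields the trace LER-A 100, LSR-B 200, LSR-C 300, LER-D pop, and the packet that comes out of LER-D is byte for byte the one that went in; a packet to 10.9.9.9 is labelled 150 by the ingress and dropped at LSR-B because no binding exists for it.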


Virtual Private Networking Project Plan

Chapter 4 - Project Plan


My project plan consisted of three major steps:
4.1 Step 1) My first step would be to collect information and data about the company's
existing hardware and software, to visit and inspect the premises, and to make an
inventory to determine what would be a suitable next step for their organization.
When I visited the premises I did a small survey and noted that they were using ten
computers in a domain-based Local Area Network environment connected together
through a router. These computers are Shuttle workstations (see [Shuttle]) running the
Microsoft Windows 2000 Professional operating system, plus a Fujitsu Siemens
server (see [Fujitsu-Siemens]) running the Microsoft Windows Server 2003 operating
system. The hardware configurations are as follows:

Figure1. Shuttle workstation


Shuttle Small form factor CPUs.
AMD Athlon XP processor.
Kingston 512 MB DDR RAM
Seagate 160 GB Hard Disk Drives
NVidia 64 MB Graphics Card
Lite-On CD-Writer
Sony Floppy Drive
1 Gigabit Ethernet Adaptor



Logitech Keyboard
Logitech Mouse
The server is a Fujitsu Siemens server and has the following hardware specifications:

Figure2. Fujitsu Siemens Server


Intel Pentium 4 3.0 Ghz processor
Kingston 3 GB DDR RAM
320 GB SATA Hard disk drives
NVidia 128 MB Graphics Card
Lite-On DVD Rewriter
Two Gigabit Ethernet Adaptors
Sony Floppy Drive
Logitech Keyboard
Logitech Mouse
4.2 Step 2) After taking the inventory the next step would be to prepare Windows
Server 2003 for configuration changes, then to install ISA Server 2000 and configure it
for VPN. These steps are demonstrated and documented in detail in Appendices A, B,
C, D, E and F.
4.3 Step 3) To educate the staff about connecting to the VPN. Please see Appendix G.


RESOURCES AND ASSIGNMENTS                  START DATE   FINISH DATE
Abstract                                   17/02/2005   22/02/2005
Introduction                               24/02/2005   24/02/2005
The project proposal                       25/02/2005   03/03/2005
Investigation and result                   04/03/2005   28/04/2005
Conclusion & Completion of Final Report    29/04/2005   18/05/2005
Web Site                                   19/05/2005   20/05/2005
Article                                    20/05/2005   20/05/2005


Virtual Private Networking Investigation and result

Chapter 5 - Investigation and result


When I analyzed the problem I saw two problems instead of one! The first being
convergence of various services and platforms and the second being remote
availability. These are two separate problems, but they can actually be addressed by
just one solution: Virtual Private Networking!
Virtual Private Networking offers scalability and remote availability, and eventually
offers convergence as well. How does a VPN offer convergence, you might ask? Well,
let's take Sun Infosys Ltd's scenario. They have CCTV systems which are currently
offline systems, and PC hardware assembling and sales. By leveraging a VPN the
offline CCTV systems can be linked to the Internet and intranet, effectively making
the CCTV systems online systems. The PC assembling department has to go through
various procedures such as hardware procurement, supply chain management, stock,
sales, dispatch, returns, technical support and marketing. All these aspects can be
brought together via a single online or networked system; in both cases the VPN is
again the answer, bridging the gap.
In my view the possible methods to achieve the objective would be:
In my view the possible methods to achieve the objective would be:

5.1 Virtual Private Networking using hardware based tools and technologies.
5.2 Virtual Private Networking using software based tools and technologies.
5.3 Protocol Selection
5.4 Performance needs
5.5 IP Address Planning
5.6 ISP Evaluation
5.7 Installing and configuring ISA Server 2000 on Windows Server 2003 for Remote
VPN


5.1 Hardware Based Solutions:


For hardware based solutions, various tools and devices are available from a number
of vendors; these include Cisco as the foremost, Sonicwall, Shiva etc. The list is
endless. These are VPN-enabled / pass-through routers, VPN concentrators, VPN
optimized routers and VPN firewalls etc.

5.2 Software Based Solutions:

For software based solutions there are numerous products in the market, each catering
to the needs of a particular kind of scenario. The good side of software based solutions
is that they are very customizable, upgradeable and scalable. The bad side is that they
are prone to failures, attacks, viruses and performance issues, since they share the
security and stability of the general-purpose operating system they run on.
Software based solutions are offered by Microsoft, Symantec, Check Point Software,
Cisco and many others.

5.3 Protocol Selection


When talking about protocol selection for a VPN implementation I have to take into
account Sun InfoSys Ltd's existing infrastructure, the scale of the company, the costs
and the budget.
Keeping the above factors in view, Sun InfoSys is a small to medium sized
organization and in my view the best protocol to go for would be IPSec, in an IPSec to
IPSec implementation, given its various qualities which are discussed and researched
further in the proposal.
When talking about software based solutions a point to note is that they are all
platform dependent. Hence they can incur overhead costs and expensive expertise to
pay for installation and/or management. I chose ISA Server 2000 for this
implementation. I decided to show the work done with the help of figures, to better
understand each step that I took. The next steps were:
Performance needs of the remote applications
IP Address Planning
ISP Evaluation
Installing and configuring ISA Server 2000 on Windows Server 2003 for Remote VPN

5.4 Performance needs:


The applications that are being used in Sun InfoSys Ltd. are SAGE, MS Office,
Internet Explorer, Microsoft Outlook, Microsoft Remote Desktop, and the proprietary
software for the IP cameras and DVRs. The most resource hungry applications are
SAGE and the remote viewing software for the IP cameras and DVRs.
My analysis after actual testing is that these applications are not incredibly resource
hungry, yet they are not at the basic level either; in other words they are not
enterprise class applications, but neither are they basic home applications. They are
medium level, moderate applications which require fairly consistent, if not super fast,
performance.
Because of the nature of the camera and DVR software, it needs the highest frame
rate possible and no frames dropped, the reason being that if a frame is dropped while
a burglary is occurring then the evidence could be lost. Therefore I decided that I
should choose a solution that provides consistency and a low error rate while also
delivering adequate speed and performance.

5.5 IP Address Planning:


Sun InfoSys Ltd. does not need a huge number of IP addresses to be purchased from
an ISP, because the whole network only needs to be reachable by certain individuals
who can log on over the Internet.


In my investigation I found that they need 5 static IP addresses, which should be
purchased from their ISP: one for the remote connection capability, one for backup
purposes, another for network allotment and the remaining two for future
requirements like a Windows Media server, as they are planning to do web casting for
some of their customers.

5.6 ISP Evaluation:


Sun InfoSys Ltd. is already on a business plan with an Internet Service Provider called
Eclipse Internet. The service provider is excellent and already provides all the
necessary broadband capacity and bandwidth; the requested 5 static IP addresses were
readily provided by them. I did not find any need to move to another ISP.

5.7 Installing and configuring ISA Server 2000 and on Windows Server 2003 for
Remote VPN:
I installed and configured (partitioning the hard drive, formatting the hard drive
etc.) a Windows Server 2003 system for the purpose of VPN. See Appendix A for the
detailed procedures.
After this step I followed the excellent articles and help available in abundance from
Microsoft and on the Internet on how to install and configure VPN on Microsoft
Windows Server 2003.
I installed ISA Server 2000 because it was cheap, offered everything that this project
required and was fairly easy to deploy. See Appendices B, C, D, E and F.
The articles can be found at:
[ http://www.microsoft.com/ ]
[ http://www.microsoft.com/isaserver/default.mspx ]


Virtual Private Networking Critical Appraisal

Chapter 6 -

Critical appraisal of the work done

The work done in this project was analysis of the current situation for Sun InfoSys
Ltd. and coming up with solutions; the solution I followed was a real implementation
of Virtual Private Networking. I decided to follow the software based route rather
than the hardware based route because of the company's budget and size
considerations. I eventually did manage to implement the solution and generally had a
most pleasant time in doing so.
I encountered problems in communicating with the company to make them aware of
the demands of this project. I found it quite a difficult task to communicate with
non-technical management about such a technical task. I think I should improve my
project management skills, which would have enabled me to communicate effectively
and on their level. Point noted!
Looking back at the work that I carried out, I could have tried to implement this
solution on a Unix platform, but I still think that the time that would have been
required exceeded the time frame given by the company and hence would have
invalidated this research; however, the really low cost involved in deploying Unix
based solutions is quite enticing for companies. In the end I am satisfied that I chose
the right solution and the company is satisfied as well.

Website: http://www.rashidkhan.co.uk


Virtual Private Networking - Conclusion

Chapter 7 - Conclusion
I developed a website for this project and it can be found at:
http://www.rashidkhan.co.uk/
When Microsoft released Windows 2000 in the year 2000 it caused a stir in the
industry by announcing that Windows 2000 would offer Virtual Private Networking.
There were several concerns and complaints in the industry, such as that Microsoft's
implementation adds data overhead and slows down transaction processing, and
whether established VPN products from other vendors would work with Microsoft's
technology.
"If you're using IP, we don't see the reason to use L2TP," comments Iris Tal [see
CNN], RadGuard's technical support manager. "It only causes overhead for network
traffic because it's 'double-tunneling.' But because of Microsoft's L2TP client
software, I'm sure we'll do the support for it in our product."
Many VPN vendors have opposed Microsoft's VPN implementation, complaining that
it adds data overhead and slows down transaction processing. On the other hand some
companies, such as Check Point Software and Newbridge Networks, acknowledge
that they can't afford to ignore that hundreds of thousands of desktops will probably
end up running Microsoft's new software. This fact is by far the most significant and
crucial and has to be taken into account, as most companies have a Microsoft
environment already in place, and this is the scenario in Sun InfoSys Ltd as well.
Another point that I noted is that since releasing Windows 2000 Microsoft has
progressed, updated and made advanced changes in its Windows Server 2003
operating system.
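The "double-tunneling" overhead Iris Tal refers to can be quantified. The following Python example (added here; not from this report or the CNN article) adds up the header bytes on the wire for a PPTP data packet and for an L2TP/IPSec packet in transport mode, and works out the largest IP packet a client can send through each tunnel over a 1500-byte Ethernet path without fragmentation. The header sizes are the example's own assumptions: PPTP as 20 bytes outer IP + 12 bytes enhanced GRE (key and sequence number, no acknowledgement) + 6 bytes of PPP/MPPE framing; L2TP/IPSec as ESP with an 8-byte SPI/sequence header, a 16-byte AES-CBC IV and a 12-byte HMAC-SHA1-96 integrity value around UDP (8) + L2TP with length field (6) + PPP protocol field (2), plus the block padding ESP requires.

```python
def esp_pad_len(plaintext_len: int, block_size: int) -> int:
    """ESP padding: plaintext + padding + pad-length byte + next-header byte must fill whole cipher blocks."""
    return (-(plaintext_len + 2)) % block_size


def pptp_wire_size(payload_len: int) -> int:
    """Bytes on the wire for one PPTP data packet carrying an IP packet of payload_len bytes.
    Assumed framing: outer IPv4 (20) + enhanced GRE with key and sequence number (12)
    + PPP protocol field, MPPE coherency header and the encrypted original protocol field (6)."""
    return 20 + 12 + 6 + payload_len


def l2tp_ipsec_wire_size(payload_len: int, block_size: int = 16, iv_len: int = 16,
                         icv_len: int = 12, nat_traversal: bool = False) -> int:
    """Bytes on the wire for one L2TP/IPSec data packet (ESP transport mode around UDP/L2TP/PPP).
    Defaults assume AES-CBC (16-byte blocks and IV) and HMAC-SHA1-96 (12-byte ICV);
    nat_traversal adds the UDP encapsulation header used when a NAT sits between the peers."""
    udp_header, l2tp_header, ppp_protocol = 8, 6, 2
    plaintext = udp_header + l2tp_header + ppp_protocol + payload_len
    esp_header = 4 + 4 + iv_len                              # SPI, sequence number, IV
    esp_trailer = esp_pad_len(plaintext, block_size) + 2     # padding + pad length + next header
    return 20 + (8 if nat_traversal else 0) + esp_header + plaintext + esp_trailer + icv_len


def largest_payload_for_mtu(mtu: int, wire_size) -> int:
    """Largest IP packet the client can tunnel so that the tunnelled packet still fits the path MTU.
    A client interface MTU above this value forces fragmentation, or black-holes traffic when DF is set."""
    payload = mtu
    while payload > 0 and wire_size(payload) > mtu:
        payload -= 1
    return payload


def overhead_table(sizes=(64, 576, 1400)) -> dict:
    """Wire size per protocol for a few representative packet sizes."""
    return {
        n: {
            "pptp": pptp_wire_size(n),
            "l2tp_ipsec_aes": l2tp_ipsec_wire_size(n),
            "l2tp_ipsec_3des": l2tp_ipsec_wire_size(n, block_size=8, iv_len=8),
        }
        for n in sizes
    }
```

Under these assumptions a 100-byte IP packet becomes 138 bytes in PPTP and 184 bytes in L2TP/IPSec with AES, and over a 1500-byte path the client can send at most 1462-byte packets through PPTP but only 1422-byte packets through L2TP/IPSec; that second figure is the MTU one would set on the VPN client's interface to avoid fragmentation of the tunnelled traffic.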


I had several meetings with Mr. Andy, the managing director, the sales team, support
team and technicians, and visited both the head office and the branch office. I took an
inventory of the existing hardware [see Project Plan], computer systems, budget and
the time frame required. Their budget was simply low and literally spelt out that I
must use the existing systems.
I had proposed two options in my Project Proposal, but the UNIX based proposal was
declined due to their low budget and inability to adopt an abrupt system-wide change
of operating systems, especially since everything was already functioning and in
place. A key point to take into account here is that they already had Windows
Server 2003 on their server. That meant that they did not need to purchase it.
Consequently these facts made the Windows based solution the winning choice.
I found that installing Microsoft's ISA Server 2000 and using it to its full potential
is quite a complicated and difficult task to perform, even though it might look simple.
The minute intricacies and planning procedures involve a great deal of time and effort,
and if miscalculated or carried out improperly can result in complete failure and
double the time frame required for implementation.
The related personnel were briefed and shown how to use the new system to its full
potential. It took a bit of time and effort on my behalf; I gave them instructions on
how to connect to their VPN [see Appendix G] and do their related tasks of
managing the warehouse, despatch, sales and technical support, all remotely. It was
not an easy task, as this was quite a new and complex thing for them to grasp, but it
was not a major issue and eventually it was overcome by trying and trying again.
This placement has had many positive effects on me. I have learnt a lot, for example
how to communicate, how to analyze problems, how to analyze company expectations
and how to come up with various solutions that might be possible and feasible. I found
that planning things, taking personal notes and being highly observant and
determined at all times really does help.

After this work placement I am able to identify with the real-life professional work
environment. I am able to organize myself, face challenges and complete personal and
professional milestones.
I have come to conclude that this company did benefit enormously from a Virtual
Private Network, because they have made gains in managing their resources, which
shows in their sales figures and in better customer feedback, made possible by better
informed technical support staff who are in touch all the time. This project was also
successful partly because they already had most of the infrastructure in place, most
importantly the Windows Server 2003 operating system software. That was definitely
a deciding factor for the management in taking up my Windows based solution, as
they did not have to incur extra cost in procuring any other operating system
software or the expertise to maintain it.
I am very pleased with the outcome of this project and so is the company. The project
was well managed and finished on time with a small budget. A nice possible outcome
for me could be that they might even offer me a permanent position in their company.


Virtual Private Networking Suggestions for further work

Chapter 8 -

Suggestions for further work

The project can be implemented using the Unix operating system on a much cheaper
scale and in a more secure manner, but the downside is that the time frame required to
install, configure and deploy such an option is often too long for the organization.
Another fact is that organizations generally do not have Unix administrators and find
them costly to obtain. If Sun InfoSys Ltd.'s company size and operations increase
twofold then I would suggest implementing a Unix solution and hiring a Unix
administrator to maintain the network.
The benefits and advantages of a UNIX based solution are that it is a cheaper option to
procure and implement than the more proprietary Windows based solutions from
Microsoft, it is more effective on a larger scale and it offers more stability and
security. The biggest advantage of the UNIX platform is its security, since the
Microsoft platform is plagued by security loopholes, viruses, hacking, bugs, patches
etc., hence not offering the stability a larger organization would require to keep its
operations up and running all the time.
Another advantage of the UNIX environment is that it does not require expensive new
or updated hardware to run and can run on an older, cheaper computer. It offers more
speed.
The UNIX operating system was originally adopted by big financial institutions like
banks, which required the utmost security and stability as they have huge amounts of
money and consumer confidentiality at stake. UNIX was written with these
requirements in mind, so it uses less memory and hardware; furthermore it is a
centralized operating system, with one system being accessed by thousands of users
simultaneously.


With all the above in mind my suggestion for further work would be to research a
solution offering Virtual Private Networking under a UNIX platform rather than the
Microsoft platform. Just like Windows, UNIX is an operating system, but it is more
stable and secure. To implement Virtual Private Networking on such a platform there
is software that can be installed and configured: on Linux, for example, the IPSec
implementation FreeS/WAN [FreeS/WAN] (see also [Linux]) provides the tunnel
end point. A web server such as Apache (or the Apache Tomcat servlet container),
which is the counterpart of Microsoft's Internet Information Server (IIS), does not
itself provide VPN functionality.

One key point to note is to consider the organization's size and its budget to
implement a solution. At the given time this organization had a very low budget but
also a small organization size. In my opinion a UNIX based solution would not have
been feasible because of underlying factors, namely the expensive staff needed to
manage and monitor UNIX. Because UNIX is generally used in big financial
organizations with a complex structure that is quite difficult to manage, expert UNIX
staff are required to maintain their facilities. These staff work in highly paid positions
and would not consider working in a smaller organization such as Sun InfoSys Ltd.
with lower wages.
Therefore I would only recommend such a UNIX based solution when this company
expands and increases in size exponentially, as only then will it have the adequate
resources to justify the expensive labour.


Virtual Private Networking - References

Chapter 9 - References

Sun InfoSys Ltd.
http://www.suninfosys.co.uk/
Email: sp@suninfosys.co.uk
Head Office: No 8, Exmouth Rd., London, E17 7QQ.
Branch Office: No 772-776, Romford Rd., London, E12.
Telephone: 0044 0870 609 2363

[Microsoft1] Deploying Virtual Private Networks with Microsoft Windows Server 2003,
by Joseph Davies and Elliot Lewis. Microsoft Press, 2004 (496 pages). ISBN 0735615764.

[Microsoft2] Microsoft Privacy Protected Network Access: Virtual Private Networking
and Intranet Security.
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/nwpriv.asp

[CNN] Windows 2000 VPN technology causes stir.
http://archives.cnn.com/2000/TECH/computing/01/12/vpn.stir.idg/index.html

[Shuttle] Shuttle XPC Workstations. Resource: Shuttle.
http://eu.shuttle.com/en/desktopdefault.aspx/tabid-72/169_read-2791/

[Fujitsu-Siemens] Fujitsu-Siemens Server. Resource: Fujitsu-Siemens.
http://www.fujitsusiemens.co.uk/sme/promos/intel_servers/primergy_tx200s2.html

[Cisco1] Virtual Private Network Design. Resource: Cisco.
http://www.cisco.com/warp/public/779/largeent/design/vpn.html

[Cisco2] Remote Access VPNs. Resource: Cisco.
http://www.cisco.com/warp/public/779/largeent/design/remote_vpn.html

[Cisco3] Site-to-Site VPNs. Resource: Cisco.
http://www.cisco.com/warp/public/779/largeent/design/intranet_vpn.html

[Cisco4] Extranet VPNs. Resource: Cisco.
http://www.cisco.com/warp/public/779/largeent/design/extranet_vpn.html

[Cisco5] Cisco IPSec White Paper. Resource: Cisco.
http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.pdf

[Webopedia1] Firewalls. Resource: Webopedia.
http://www.webopedia.com/TERM/f/firewall.html

[Webopedia2] Encryption. Resource: Webopedia.
http://www.webopedia.com/TERM/e/encryption.html

[Webopedia3] IPSec. Resource: Webopedia.
http://www.webopedia.com/TERM/I/IPsec.html

[Webopedia4] AAA Servers. Resource: Webopedia.
http://www.webopedia.com/TERM/A/AAA.html

[Webopedia5] Tunnelling. Resource: Webopedia.
http://www.webopedia.com/TERM/t/tunneling.html

[Webopedia6] L2F (Layer 2 Forwarding). Resource: Webopedia.
http://www.webopedia.com/TERM/L/Layer_Two_Forwarding.html

[Webopedia7] PPTP (Point-to-Point Tunneling Protocol). Resource: Webopedia.
http://www.webopedia.com/TERM/P/PPTP.html

[Webopedia8] L2TP (Layer 2 Tunneling Protocol). Resource: Webopedia.
http://www.webopedia.com/TERM/L/L2TP.html

[MPLS1] The MPLS FAQ - MPLS-RC - The MPLS Resource Center. Copyright 2000-2004,
MPLSRC.COM.
http://www.mplsrc.com/mplsfaq.shtml

[MPLS2] The MPLS Resource Center.
http://www.mplsrc.com/

[VPNC] Virtual Private Network Consortium.
http://www.vpnc.org

[VPN Whitepapers] Virtual Private Network White Papers. Resource: VPNC.
http://www.vpnc.org/white-papers.html

[Adtran] Understanding Virtual Private Networking, from ADTRAN.
http://www.adtran.com/adtranpx/Doc/0/EU0GPR0PEFB139RF038BE81ID8/EU0GPR0PEFB139RF038BE81ID8.pdf

[FreeS/WAN] FreeS/WAN.
http://www.freeswan.org/

[Linux]
http://www.samag.com/documents/s=4072/sam0203c/sam0203c.htm

Author: Rashid Khan

54

APPENDICES
APPENDIX A
APPENDIX B
APPENDIX C
APPENDIX D
APPENDIX E
APPENDIX F

APPENDIX A
Implementation Installing Windows Server 2003

Virtual Private Networking Appendix A Installing Windows Server 2003

WEBSITE: http://www.rashidkhan.co.uk/
AND ALSO AVAILABLE ON CD

INSTALLING WINDOWS SERVER 2003

To install Windows Server 2003 the following actions were taken:

1. Booted directly from the Windows Server 2003 CD.
2. Setup loaded all the needed files and drivers.
3. The setup process began by loading a blue text-mode screen. I was asked to accept the
EULA and choose a partition on which to install Windows Server 2003, then I was asked to
format it using either FAT, FAT32 or NTFS. I chose NTFS.
4. Selected to set up Windows Server 2003 by pressing ENTER.
5. Read the licensing agreement and accepted it by pressing F8.
6. The hard disk was unpartitioned, so I created and sized the partition on which to install
Windows Server 2003.
7. Selected the NTFS file system for the installation partition.
8. Setup then began copying the necessary files from the installation CD.

The computer then restarted in graphical mode, and the installation continued in a
GUI mode phase. It then began to load device drivers based upon what hardware was
found on the computer.

I didn't need to make any changes to the system locale etc. and just pressed Next.
Setup then copied the necessary files from the installation CD.
I was then prompted to enter a name, organization name, the product key, the
appropriate license type and number of purchased licenses.
I was prompted to type the computer name and a password for the local Administrator
account. Selected the date, time, and time zone settings. Setup then installed the
networking components. I then highlighted the TCP/IP selection and pressed
Properties. In the General tab entered the required information. I had to specify the IP
address of the computer and Subnet Mask. Next step was to finish copying files and
the setup. After the copying and configuring phase finished, setup finished and booted
Windows Server 2003.

After careful study I found that the following procedures must be performed, in this order,
to install ISA Server 2000 on a Windows Server 2003 computer:

1. Install Windows Server 2003
2. Install ISA Server 2000
3. Install ISA Server Service Pack 1
4. Install isahf255.exe
5. Install Feature Pack 1

ISA Server 2000 can be installed in one of three modes:

Cache Mode
Caching mode ISA Server is designed to have one or two network interfaces.
Each interface must be located on the internal network because packet filtering
is not enforceable on a caching only ISA Server machine.

Firewall Mode
Firewall mode provides a high level of firewall protection from external
intruders and also protects your network by enabling granular outbound access
control. Firewall mode does not include the Web caching features that are part
of the Cache mode server.

Integrated Mode
Integrated mode provides all the firewall and caching features available with
ISA Server 2000.

The Windows Server 2003 machine that I was using for VPN deployment had to have the
following characteristics:

1. At least two network interfaces, one internal and one external
2. DNS settings on the internal interface that use an internal DNS server which can
resolve Internet host names
3. All non-essential services on the ISA Server 2000 machine disabled

An Integrated mode ISA Server firewall requires at least one internal and one external
interface:

1. The internal interface is never configured with a default gateway address. The
IP address on the internal interface is always on the LAT.
2. The external interface is configured with a default gateway that routes packets
to the Internet. The external interface is never on the LAT.

Windows Server 2003, like Windows 2000, allows a single default gateway. The result is
that ISA Server 2000 on Windows Server 2003 supports a single external (Internet)
interface. I can have multiple public address DMZ interfaces, but only a single interface
can connect the internal network to the Internet.
The DNS settings on the ISA Server interfaces must be configured correctly.
Misconfiguration of the DNS settings is the most common configuration error made
on ISA Server firewalls in production. The preferred setup is to:

1. Configure the internal interface of the ISA Server with the address of a DNS
server on the internal network that is capable of resolving Internet host names
2. Place the internal interface at the top of the interface list. Windows Server
2003 uses the interface order to determine which name server addresses to
query first.
3. Leave the external interface without any DNS server address

I had to perform the following steps to configure the interface order on the ISA Server
computer:
1. Clicked Start, pointed to Control Panel and right clicked on Network
Connections. Clicked the Open command (figure 1).
Figure 1

2. In the Network Connections window, clicked the Advanced menu and then
clicked the Advanced Settings command (figure 2).

Figure 2

3. In the Advanced Settings dialog box, selected the interface representing the
internal interface and clicked the up arrow to move the internal interface to the
top of the interface list. Clicked OK in the Advanced Settings dialog box
after making the changes to the interface order.
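As an added check (not part of the original report), the script below reads `ipconfig /all` output and tests it against the interface rules given above for an ISA Server firewall: no default gateway and an internal DNS server on the internal interface, a default gateway and no DNS server on the external interface, a single default gateway overall, and the internal interface at the top of the interface list. The adapter names, addresses and the sample output are constructed.

```python
"""Check an ISA Server 2000 firewall's interface settings against the rules above.
Added example, not the report's own code; adapter names and addresses are constructed."""
import re

# Constructed sample in the layout of `ipconfig /all` (not captured from the report's
# server).  The external adapter carries a DNS server entry, which the rules forbid.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Internal:

   IP Address. . . . . . . . . . . . : 10.0.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11

Ethernet adapter External:

   IP Address. . . . . . . . . . . . : 203.0.113.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 203.0.113.1
"""

# "   Default Gateway . . . . : 203.0.113.1" -> ("Default Gateway", "203.0.113.1")
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z\- ]*?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}}; a field with no value maps to []."""
    adapters, fields, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            # "Ethernet adapter Internal:" starts a new adapter block
            fields = adapters.setdefault(line[:-1].split(" adapter ", 1)[-1], {})
            last_key = None
            continue
        match = FIELD.match(line)
        if match and fields is not None:
            last_key, value = match.group(1).strip(), match.group(2).strip()
            fields.setdefault(last_key, [])
            if value:
                fields[last_key].append(value)
        elif last_key and fields is not None:
            fields[last_key].append(line.strip())  # continuation line, e.g. 2nd DNS server
    return adapters

def check_isa_interfaces(adapters, binding_order, internal="Internal", external="External"):
    """Return the rule violations found; an empty list means the preferred setup."""
    findings = []
    int_cfg, ext_cfg = adapters[internal], adapters[external]
    if int_cfg.get("Default Gateway"):
        findings.append("internal interface has a default gateway")
    if not int_cfg.get("DNS Servers"):
        findings.append("internal interface has no DNS server")
    if not ext_cfg.get("Default Gateway"):
        findings.append("external interface has no default gateway")
    if ext_cfg.get("DNS Servers"):
        findings.append("external interface has a DNS server address")
    # Windows allows a single default gateway, so only one interface may carry one.
    with_gw = [name for name, cfg in adapters.items() if cfg.get("Default Gateway")]
    if len(with_gw) > 1:
        findings.append("more than one interface has a default gateway: " + ", ".join(with_gw))
    if binding_order and binding_order[0] != internal:
        findings.append("internal interface is not at the top of the interface list")
    return findings

if __name__ == "__main__":
    # Binding order as shown in Advanced Settings (constructed; internal already on top).
    for finding in check_isa_interfaces(parse_ipconfig(SAMPLE_IPCONFIG), ["Internal", "External"]):
        print("FINDING:", finding)
```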

Figure 3

I disabled all non-essential services on the ISA Server firewall computer. While
individual implementations of ISA Server firewalls require a customized set of
services, it is safe to conclude that the IIS W3SVC (the World Wide Web service) should
not run on the ISA Server firewall.

APPENDIX B
Implementation Installing ISA Server 2000

Virtual Private Networking Appendix B Installing ISA Server 2000

Installing ISA Server 2000


I located the ISA Server 2000 CD-ROM disk and put it into the CD-ROM drive. Performed the
following steps to install ISA Server on a Windows Server 2003 machine:
1. Double clicked on the ISAAutorun.exe file on the ISA Server CD (figure 4), local hard
disk, or network share point.
Figure 4

2. Clicked on the Install ISA Server link on the Internet Security & Acceleration Server
2000 splash page (figure 5).
Figure 5

3. I saw an ISA 2000 dialog box informing me that I needed to install ISA 2000 Service
Pack 1 (figure 6). Error messages occurred during the installation. I was not concerned
about these errors as I would perform the required procedures to prevent them from
becoming a problem. Clicked Continue.
Figure 6

4. Clicked Continue on the Welcome to the Microsoft ISA Server installation
program page (figure 7).

Figure 7

5. Entered the CD Key in the CD Key dialog box (figure 8). Clicked OK.
Figure 8

6. Wrote down the Product ID as listed in the Product ID dialog box. Clicked OK in the
Product ID dialog box after writing this number down.

7. Clicked I Agree in the Microsoft ISA Server Setup dialog box (figure 9).
Figure 9

8. Clicked the Full Installation button in the installation type dialog box (figure 10). This
allows me to use all ISA Server features. I can use the Add/Remove Programs
applet later if I need to remove some ISA Server features.

Figure 10

9. Here I am installing ISA Server in standalone mode, not in enterprise array mode.
Clicked Yes in the dialog box that asked if I want to continue (figure 11).
Figure 11

10. Selected the Integrated mode option on the Select the mode for this server page
(figure 12). I wanted to take advantage of the full power of the ISA Server firewall.
Integrated mode gives everything the Web Proxy and Firewall services have to offer.
Clicked Continue.
Figure 12

11. On the Web cache page (figure 13), selected a drive to put the Web cache file on.
The drive had to be NTFS, so I made sure of that. Typed in a size of the cache in the
Cache size (MB) text box and then clicked the Set button. Then clicked OK.

Figure 13

12. On the LAT page (figure 14), clicked the Construct Table button. On the Local
Address Table page, removed the checkmark in the Add the following private
ranges checkbox. Put a checkmark in the Add address ranges based on the
Windows 2000 Routing Table checkbox. Removed the checkmark from the
checkbox representing the external interface, and left the checkmark in the checkbox
for the internal interface. Clicked OK in the Local Address Table dialog box, then
clicked OK in the Setup Message dialog box that informed me that the LAT was
constructed based on the Windows 2000 routing table (in spite of the fact that I am
installing ISA Server on a Windows Server 2003 machine).

Figure 14

13. Clicked OK on the LAT dialog box after reviewing the entries in the Internal IP
ranges list (figure 15).
Figure 15

14. Unlike Windows 2000, Windows Server 2003 does not install IIS by default. I saw a
dialog box telling me that I will have to install the SMTP service if I want to run the
SMTP Message Screener. Clicked OK to continue (figure 16).

Figure 16
15. When the installation was complete, I saw a warning balloon informing me that ISA 2000
will cause Windows to become unstable. Closed the balloon, removed the
checkmark from the Start ISA Server Getting Started Wizard checkbox, and then
clicked OK in the Launch ISA Management Tools dialog box (figure 17).

Figure 17
16. Clicked OK in the dialog box informing me that setup was completed (figure 18).

Figure 18
17. Clicked OK in the dialog box informing me that setup had failed to start one or more
services (figure 19).
Figure 19

Now I was ready to install ISA Server Service Pack 1.
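Steps 12 and 13 above construct the LAT from the routing table with the external interface unticked. The script below, an added example rather than the report's own code, performs the same construction from constructed `route print`-style rows and then checks the two LAT rules stated in Appendix A (the internal interface address is always on the LAT, the external one never is), including what happens when the external interface is left ticked. The addresses and routes are constructed.

```python
"""Build an ISA Server 2000 Local Address Table (LAT) from the routing table, as steps 12
and 13 describe, and check the LAT rules from Appendix A.  Added example, not the report's
own code; interface addresses and routes are constructed."""
import ipaddress

INTERNAL_IP = "10.0.0.1"     # constructed address of the internal interface
EXTERNAL_IP = "203.0.113.5"  # constructed address of the external interface

# Constructed rows in the column order of `route print`:
# (destination, netmask, gateway, interface)
SAMPLE_ROUTES = [
    ("0.0.0.0",         "0.0.0.0",         "203.0.113.1", EXTERNAL_IP),  # default route
    ("10.0.0.0",        "255.255.255.0",   INTERNAL_IP,   INTERNAL_IP),
    ("10.0.0.1",        "255.255.255.255", "127.0.0.1",   "127.0.0.1"),
    ("10.0.255.255",    "255.255.255.255", INTERNAL_IP,   INTERNAL_IP),
    ("10.1.0.0",        "255.255.0.0",     "10.0.0.254",  INTERNAL_IP),  # routed LAN
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1",   "127.0.0.1"),
    ("203.0.113.0",     "255.255.255.248", EXTERNAL_IP,   EXTERNAL_IP),
    ("224.0.0.0",       "240.0.0.0",       INTERNAL_IP,   INTERNAL_IP),
    ("255.255.255.255", "255.255.255.255", INTERNAL_IP,   INTERNAL_IP),
]

def build_lat(routes, ticked_interfaces):
    """Return the LAT (sorted ip_network list) built from routes on the ticked
    interfaces, i.e. the checkboxes left ticked in the Local Address Table dialog.
    Host, default, loopback, multicast and broadcast routes describe no internal
    address range and are skipped."""
    lat = []
    for dest, mask, _gateway, iface in routes:
        if iface not in ticked_interfaces:
            continue
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if net.prefixlen in (0, 32) or net.is_loopback or net.is_multicast:
            continue
        if net not in lat:
            lat.append(net)
    return sorted(lat)

def on_lat(lat, address):
    """True if `address` falls inside any LAT range."""
    return any(ipaddress.ip_address(address) in net for net in lat)

def check_lat(lat, internal_ip, external_ip):
    """Return violations of the two LAT rules; an empty list means both hold.
    ISA Server 2000 uses the LAT to decide which addresses are the internal network,
    so an external range on the LAT would be treated as trusted internal space."""
    findings = []
    if not on_lat(lat, internal_ip):
        findings.append("internal interface address is not on the LAT")
    if on_lat(lat, external_ip):
        findings.append("external interface address is on the LAT")
    return findings

if __name__ == "__main__":
    good = build_lat(SAMPLE_ROUTES, {INTERNAL_IP})               # external unticked (step 12)
    bad = build_lat(SAMPLE_ROUTES, {INTERNAL_IP, EXTERNAL_IP})  # external left ticked
    print("LAT:", [str(n) for n in good], check_lat(good, INTERNAL_IP, EXTERNAL_IP))
    print("LAT:", [str(n) for n in bad], check_lat(bad, INTERNAL_IP, EXTERNAL_IP))
```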

APPENDIX C
Implementation Installing ISA Server Service Pack 1

Virtual Private Networking Appendix C Installing ISA Server Service Pack 1

Installing ISA Server Service Pack 1


The next step was to immediately install ISA Server Service Pack 1. I downloaded it from
http://www.microsoft.com/isaserver/downloads/sp1.asp to a machine on the internal network,
scanned it for viruses, and then copied it to the ISA Server. Performed the following steps
after copying the service pack to the ISA Server:
1. Double clicked on the isasp1.exe file. Typed in a path to put the temporary files in the
Choose Directory for Extracted Files dialog box (figure 20). Clicked OK.
Figure 20

2. Clicked I Agree in the End User License Agreement (EULA) dialog box (figure 21).

Figure 21
3. Clicked OK in the Microsoft ISA Server 2000 Update Setup dialog box (figure 22).
The computer restarted after that (that's normal).
Figure 22

This finished installing ISA Server Service Pack 1.

APPENDIX D
Implementation Installing Hotfix isahf255.exe

Virtual Private Networking Appendix D Installing Hotfix isahf255.exe

Installing HotFix isahf255.exe


Logged on to the ISA Server after the Service Pack 1 installation routine restarted the
machine. There are a few hotfixes and updates that I needed to install on the Windows Server
2003/ISA Server machine to ensure ISA Server compatibility with Windows Server 2003. I
downloaded the HotFix pack, isahf255.exe, from
http://www.microsoft.com/downloads/details.aspx?familyid=77d89f87-5205-4779-b1abfc338283b2d9&displaylang=en
to a machine on the internal network, scanned it for viruses, and then copied it to the ISA
Server. Performed the following steps after copying the file to the ISA Server:
1. Double clicked on the isahf255.exe file. Clicked I Agree in the ISA Server 2000 hot
fix 255 (331062) dialog box. Typed in a path for the temporary files in the Choose
Directory for Extracted Files dialog box, then clicked OK (figure 23).
Figure 23

2. Clicked I Agree in the EULA dialog box.
3. Clicked OK in the Microsoft ISA Server 2000 Update Setup dialog box that
informed me that the update was successfully applied (figure 24).

Figure 24

I did need to restart the server. The next step was to install Feature Pack 1.

APPENDIX E
Implementation Installing Feature Pack 1

Virtual Private Networking Appendix E Installing Feature Pack 1

Installing Feature Pack 1


Feature Pack 1 (FP1) is not required; I did not have to install ISA Server Feature Pack 1 on
the Windows Server 2003/ISA Server machine. However, it is highly recommended that I install
ISA Server Feature Pack 1 because it adds several new and useful features. I downloaded
ISA Server Feature Pack 1 from
http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c5be084b345f9&DisplayLang=en
to a machine on the internal network and scanned it for viruses.
Then copied the file to the ISA Server and performed the following steps:
1. Double clicked on the isaftp1.exe file. Typed in a path for the extracted files in the
Choose Directory For Extracted Files dialog box (figure 25).
Figure 25

2. Clicked I Agree in the Feature Pack 1 EULA dialog box.
3. Clicked OK in the Microsoft ISA Server 2000 Feature Pack 1 dialog box. Left the
checkmark in the Read about ISA Server Feature Pack 1 checkbox to learn more
about what I get with Feature Pack 1.
At this point the ISA Server was ready to use but needed to be configured.

APPENDIX F
Implementation
Configuring the ISA Server 2000/VPN Server

Virtual Private Networking Appendix F Configuring ISA Server 2000/VPN Server

CONFIGURING THE ISA SERVER 2000/VPN SERVER


A Windows Server 2003/ISA Server 2000 computer uses the Routing and Remote Access
Service (RRAS) to manage VPN connections. The ISA Server 2000 component creates
packet filters to allow inbound and outbound VPN communications. Although the Routing and
Remote Access Service controls and manages all VPN connections, ISA Server 2000
provides critical protection against attack. In addition, ISA Server provides easy to use
Wizards that perform many of the complex RRAS and VPN configuration tasks.
I created a Windows Server 2003-based ISA Server firewall/VPN server by completing the
following procedures:

1. The ISA Virtual Private Network Configuration Wizard
2. Customized the VPN Server configuration in the Routing and Remote Access to
meet my requirements
3. Assigned a machine certificate to the VPN server to support L2TP/IPSec connections

The ISA Virtual Private Networking Configuration Wizard


The ISA Virtual Private Network Configuration Wizard starts the Routing and Remote
Access service and configures the RRAS server to accept incoming PPTP and L2TP/IPSec
VPN connections. The Wizard also creates ISA Server packet filters to allow incoming PPTP
and L2TP/IPSec connections. If the Routing and Remote Access Service is already started,
the Wizard will create the packet filters and configure the Routing and Remote Access
Service to accept incoming PPTP and L2TP/IPSec VPN connections.

Performed the following steps to start the ISA Virtual Private Network Configuration
Wizard on the ISA Server machine:

Customizing the VPN Server Configuration


The ISA Server VPN Wizard has done most of the work. However, because not all network
environments are the same, the changes the VPN Wizard makes might work for one
organization but not for another. It's important to review the VPN server related changes and
confirm that they fit the networking environment.

Performed the following steps to review and customize the VPN configuration:

Assigning a Machine Certificate to the ISA Server firewall/VPN Server


The ISA Server firewall/VPN server requires a machine certificate before it can create
L2TP/IPSec connections with VPN clients. There are several ways to assign a machine
certificate to the ISA Server firewall/VPN server:

1. Via the Certificate Server Web Enrollment Site
2. Via the Certificates standalone snap-in MMC
3. Via Group Policy-based Autoenrollment

The Certificate Server Web Enrollment Site


The Web enrollment site requires that the Internet Information Server's W3SVC be running on
the Certificate Server. The certificate request is made via the browser interface and the
certificate is obtained via the browser. The advantage of using the Web enrollment site is that
the ISA Server firewall/VPN server does not need to belong to the internal network domain.
The disadvantage is that a Web browser is installed and being used on a firewall, which can
be considered to be a security risk.

Group Policy-based Autoenrollment

Group Policy based autoenrollment allows me to deploy machine certificates automatically by
configuring domain policy to assign machine certificates to all machines in the domain. The
disadvantage of using Group Policy based autoenrollment is that the ISA Server firewall/VPN
server must belong to the internal network domain, or that I must create a domain for the ISA
Server firewall/VPN servers to use that is separate from the user domain and then create a
one-way trust between the ISA Server firewall/VPN server domain and the internal network
domain that contains the users/groups I want to use for outbound and inbound access control.

The Certificates Standalone Snap-in

The Certificates snap-in allows me to use the Microsoft Management Console (MMC) interface to
request and install a certificate directly from an enterprise Certificate Authority. The
advantage of using the certificates MMC is that it's very simple to request and install a
machine certificate using the built-in Wizard. The disadvantage is that the ISA Server
firewall/VPN server must belong to the same domain as the enterprise CA.
Performed the following steps on ISA Server firewall/VPN server to request a machine
certificate:
1. Clicked Start and clicked the Run command. Typed mmc in the open text box and
clicked OK.
2. In the Console 1 console, clicked the File menu and then clicked the Add/Remove
Snap-in command.

The ISA Server firewall/VPN server was then ready to accept incoming PPTP and
L2TP/IPSec calls from VPN clients.

APPENDIX G
Implementation Connecting to the VPN

Virtual Private Networking Appendix G Connecting to the VPN


Connecting to the VPN:

1. Navigated to Network Connections.
2. Clicked on File and then New Connection.
3. On the first screen of the wizard, which contains just information about the wizard's
purpose, clicked Next.
4. The next screen of the wizard asked me to determine exactly what kind of network
connection I would like to create. Since I was connecting to a VPN, I chose the
"Connect to the network at my workplace" option. It doesn't really matter where the
VPN resides. Clicked Next.
5. Then I selected the Virtual Private Network connection option and clicked the Next
button.
6. The next step of the wizard asked me to name the new connection. I could use just about
anything here since this just helps to keep track of what's what on the client machine.
A name is useful if more than one VPN connection is to be managed.
7. The next step of the wizard asked me to decide which users should be able to use this new
connection. I enabled the VPN connection for my use only.
8. Finally, the process of creating the initial connection was finished. Clicked
Finish.
