How DirectAccess Works
DirectAccess is built on several different technologies, as described in the next sections.
ACTIVE DIRECTORY DOMAIN SERVICES
An Active Directory Domain Services (AD DS) infrastructure is required for DirectAccess, with at least one domain controller in the domain running Windows Server 2008 or a later version. DirectAccess clients and servers must be domain members.
WINDOWS 7 AND WINDOWS SERVER 2008 R2
Client computers must be running Windows 7 Enterprise or Ultimate, or Windows Server 2008 R2, to use DirectAccess. In addition, at least one server on the corporate network must be running Windows Server 2008 R2 so that it can act as the DirectAccess server. This server typically resides on your perimeter network and acts both as a relay for IPv6 traffic and as an IPsec gateway.
IPV6
DirectAccess uses IPv6 to enable client computers to maintain constant end-to-end connectivity with remote intranet resources over a public Internet connection. Because most of the public Internet currently uses IPv4, however, DirectAccess can use IPv6 transition technologies such as Teredo and 6to4 to provide IPv6 connectivity over the IPv4 Internet. The preferred connectivity method for the client computer depends on the type of IP address assigned to the client. Specifically:
• If the client is assigned a globally routable IPv6 address, the preferred connectivity method is to use this address.
• If the client is assigned a public IPv4 address, the preferred connectivity method is to use 6to4.
• If the client is assigned a private (NAT) IPv4 address, the preferred connectivity method
For remote client computers to use DirectAccess to connect to computers on the internal corporate network, these computers and their applications must be reachable over IPv6. This means the following:
• The internal computers and the applications running on them support IPv6. Computers running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2 support IPv6 and have IPv6 enabled by default.
• You have deployed native IPv6 connectivity or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) on your intranet. ISATAP allows your internal servers and applications to be reachable by tunneling IPv6 traffic over your IPv4-only intranet. For computers and applications that do not support IPv6, you can use a Network Address Translation-Protocol Translation (NAT-PT) device to translate between IPv6 and IPv4 traffic. Microsoft recommends using IPv6-capable computers and applications and native IPv6 or ISATAP-based connectivity over the use of NAT-PT devices.
IPSEC
DirectAccess uses IPsec to protect DirectAccess traffic across the Internet. IPsec policies are used for authentication and encryption of all DirectAccess traffic across the Internet. These policies can also be used to provide end-to-end traffic protection between DirectAccess clients and intranet resources. The policies are configured and applied to client computers using Group Policy. For more information on IPsec and how to configure it, see Chapter 26.
PUBLIC KEY INFRASTRUCTURE
A Public Key Infrastructure (PKI) is required to issue computer certificates for authentication, to issue health certificates when NAP has been implemented, and to provide certificate revocation checking services. These certificates can be issued by a certification authority (CA) on the internal network—they do not need to be issued by a public CA.
PERIMETER FIREWALL EXCEPTIONS
If your corporate network has a perimeter firewall, the following traffic to and from the DirectAccess server over the IPv4 Internet must be allowed:
• UDP port 3544 for Teredo traffic
• IPv4 protocol 41 for 6to4 traffic
• TCP port 443 for IP-HTTPS traffic
If you need to support client computers that connect over the IPv6 Internet, the following traffic to and from the DirectAccess server must be allowed:
• Internet Control Message Protocol version 6 (ICMPv6)
• UDP port 500
• IPv4 protocol 50
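The address-type rule in the IPv6 section and the perimeter exceptions listed above can be checked from the client side. The PowerShell script below is an added example, not part of the Resource Kit text: it classifies the client's own IPv4 addresses as public or private (RFC 1918), looks for a global IPv6 address, and queries the Windows 7 netsh contexts for Teredo, 6to4 and IP-HTTPS to report which tunnel is in use and which perimeter exception that tunnel depends on. The function names are mine, and the netsh output fields it matches on ("State", "Interface Status") are assumed to be the English ones; run it in an elevated PowerShell prompt on the client.

```powershell
# Added example (not from the Resource Kit). Assumes Windows 7 / PowerShell 2.0
# and English netsh output; the "State"/"Interface Status" patterns are assumptions.

function Test-PrivateIPv4 {
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16. A client on one of these sits
    # behind a NAT and so cannot use 6to4, which needs a public IPv4 address.
    param([System.Net.IPAddress] $Address)
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-ClientAddressKinds {
    # Enumerate unicast addresses on all interfaces that are up and bucket them.
    $kinds = @{ GlobalIPv6 = @(); PublicIPv4 = @(); PrivateIPv4 = @() }
    $nics = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()
    foreach ($nic in $nics) {
        if ($nic.OperationalStatus -ne 'Up') { continue }
        foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
            $ip = $ua.Address
            if ($ip.AddressFamily -eq 'InterNetworkV6') {
                # 2000::/3 is global unicast; link-local, ULA and loopback are skipped
                $first = $ip.GetAddressBytes()[0]
                if (($first -band 0xE0) -eq 0x20) { $kinds.GlobalIPv6 += $ip.ToString() }
            } elseif ($ip.AddressFamily -eq 'InterNetwork') {
                if ([System.Net.IPAddress]::IsLoopback($ip)) { continue }
                if (Test-PrivateIPv4 $ip) { $kinds.PrivateIPv4 += $ip.ToString() }
                else { $kinds.PublicIPv4 += $ip.ToString() }
            }
        }
    }
    return $kinds
}

function Get-TransitionState {
    # Each netsh context prints a key/value table; join it to one string and match.
    $teredo  = (netsh interface teredo show state | Out-String)
    $sixto4  = (netsh interface 6to4 show state | Out-String)
    $iphttps = (netsh interface httpstunnel show interfaces | Out-String)
    return New-Object PSObject -Property @{
        TeredoQualified = [bool]($teredo -match 'State\s*:\s*qualified')
        SixToFourOn     = [bool]($sixto4 -match 'State\s*:\s*(enabled|default)')
        IpHttpsActive   = [bool]($iphttps -match 'Interface Status\s*:\s*IPHTTPS interface active')
    }
}

$kinds = Get-ClientAddressKinds
$state = Get-TransitionState

if ($kinds.GlobalIPv6)      { "Global IPv6 present ($($kinds.GlobalIPv6 -join ', ')): native IPv6 preferred, no transition tunnel needed." }
elseif ($kinds.PublicIPv4)  { "Public IPv4 ($($kinds.PublicIPv4 -join ', ')): 6to4 preferred; perimeter must pass IPv4 protocol 41." }
elseif ($kinds.PrivateIPv4) { "Private (NAT) IPv4 ($($kinds.PrivateIPv4 -join ', ')): 6to4 unavailable; expect Teredo (UDP 3544) or IP-HTTPS (TCP 443)." }

"Teredo qualified : $($state.TeredoQualified)  (needs UDP 3544 at the perimeter)"
"6to4 enabled     : $($state.SixToFourOn)  (needs IPv4 protocol 41)"
"IP-HTTPS active  : $($state.IpHttpsActive)  (needs TCP 443)"
```

If a client reports a private IPv4 address but Teredo never reaches the qualified state and IP-HTTPS is not active, the first thing to verify is that UDP 3544 and TCP 443 to the DirectAccess server are actually permitted at the perimeter, before looking at the client configuration.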
SMART CARDS
DirectAccess also supports the optional use of smart cards for authenticating remote users.
Implementing DirectAccess
To implement DirectAccess on the server side, you need a computer running Windows Server 2008 R2 with two physical network adapters and at least two consecutive public IPv4 addresses that can be externally resolved through Internet DNS. You can add the DirectAccess Management Console feature using Server Manager and then use the DirectAccess Setup Wizard in the DirectAccess Management Console to configure DirectAccess on your network. For more information on setting up the server side of DirectAccess, click the Help links in the DirectAccess Management Console.
To implement DirectAccess on the client side, your client computers must be running Windows 7 Enterprise or Ultimate Edition, be domain joined, and be members of a security group for DirectAccess clients. Initial configuration is done automatically by the DirectAccess Setup Wizard for the members of the specified security groups for DirectAccess clients. Additional client configuration can be done using Group Policy settings or with scripts.
MORE INFO For more information on deploying a DirectAccess solution for your organization, see the technical documentation found on the DirectAccess page on TechNet at http://technet.microsoft.com/en-us/network/dd420463.aspx. See also the product documentation at http://www.microsoft.com/directaccess/.
Understanding BranchCache
BranchCache is a new feature of Windows 7 and Windows Server 2008 R2 that allows content from file servers and Web servers at a central office to be cached on computers at a local branch office, thus improving application response time and reducing WAN traffic. This section provides an overview of the benefits of BranchCache, how it works, and how it can be implemented.
Benefits of BranchCache
BranchCache can provide the following benefits to enterprises and their users:
• Reduces WAN link utilization. By enabling branch office clients to use locally cached copies of files instead of having to download them from the central office over the WAN, BranchCache reduces WAN link utilization, thus freeing up bandwidth for other applications that need to use the WAN.
• Improves user productivity and reduces application response time. Opening a file located on a remote file server from a locally cached version of the file is typically much faster than downloading the file over a slow WAN link. BranchCache thus increases user productivity when accessing content over the WAN for applications that use Server Message Block (SMB; for example, using Microsoft Office Word to open a document stored in a shared folder on a file server) or HTTP/HTTPS (for example, using Windows Internet Explorer to open a page on an intranet Web site or using Windows Media Player [WMP] to play a video embedded in an intranet Web page).
BranchCache adds significant value to Windows 7 and Windows Server 2008 R2 with little overhead by providing significant bandwidth savings and an improved user experience. BranchCache doesn’t require additional equipment in the branch offices, is easy to deploy, supports your existing security requirements, and can be easily managed using Group Policy.
How BranchCache Works
Depending on how you implement it, BranchCache can function in one of two modes:
• Hosted Cache. This scenario uses a client/server architecture in which clients running Windows 7 at a branch office site cache the content they’ve downloaded over the WAN from the central office to a Windows Server 2008 R2 computer (called the Hosted Cache) located at the same branch office site. Other clients that need this content can then retrieve it directly from the Hosted Cache without needing to use the WAN link.
Hosted Cache mode does not require a dedicated server. The BranchCache feature can be enabled on a server running Windows Server 2008 R2 that is located in the branch and is also running other workloads. In addition, BranchCache can be set up as a virtual workload and can run on a server with other workloads, such as File and Print.
• Distributed Cache. This scenario uses a peer-to-peer architecture in which Windows 7 clients cache content that they retrieve by using the WAN and then send that content directly to other authorized Windows 7 clients on request.
Distributed Cache mode allows IT professionals to take advantage of BranchCache with minimal hardware deployments in the branch office. However, if the branch has deployed other infrastructure (for example, servers running workloads such as File or Print), using Hosted Cache mode may be beneficial for the following reasons:
  • Increased cache availability. Hosted Cache mode increases cache efficiency, because content is available even if the client that originally requested the data is offline.
  • Caching for the entire branch office. Distributed Cache mode operates on a single subnet. If a branch office that is using Distributed Cache mode has multiple subnets, a client on each subnet needs to download a separate copy of each requested file. With Hosted Cache mode, all clients in a branch office can access a single cache, even if they are on different subnets.
Protocols Supported by BranchCache
BranchCache supports the SMB 2 and HTTP 1.1 protocols. Applications do not need to communicate directly with BranchCache, although they can if they need to. Applications that access the SMB and HTTP interfaces in the Windows 7 and Windows Server 2008 R2 operating systems automatically benefit from BranchCache. Consequently, applications like Windows Explorer, Robocopy, CopyFile, WMP, Internet Explorer, and Silverlight automatically benefit. These benefits are also realized when using HTTPS, IPsec, or SMB signing. However, applications that implement their own SMB or HTTP stacks will not benefit from BranchCache, because BranchCache optimizations are leveraged directly by the SMB and HTTP protocol stack implementations in the Windows 7 and Windows Server 2008 R2 operating systems.
Implementing BranchCache
To implement BranchCache for a file server located at your central site, the file server must be running Windows Server 2008 R2 and you must install the BranchCache For Network Files role service of the File Services role on the server using the Add Roles Wizard. After doing this, you must also configure the shares on your file server to use BranchCache. Using Group Policy, you can enable or disable BranchCache on all of your file server’s shares, or you can mark specific shares to use BranchCache.
To implement BranchCache for a Web or application server located at your central site, the Web or application server must be running Windows Server 2008 R2, and you must install the BranchCache feature on the server using the Add Features Wizard. After doing this, you must also start the BranchCache service on your Web or application server by typing netsh BranchCache set service mode=local at an administrative-level command prompt.
To configure a computer running Windows Server 2008 R2 located at a branch office as a Hosted Cache server, you must install the BranchCache feature on the server, enable the feature and configure it to use Hosted Cache server mode, and install on the server a certificate that is trusted by your client computers.
To configure clients running Windows 7 located at a branch office to use BranchCache, you must enable BranchCache on the computers, configure the computers to use either Distributed Cache mode or Hosted Cache mode as needed, and open the necessary exceptions in Windows Firewall to allow the computers to access the cache on other computers at the site. BranchCache can be enabled and configured on computers running Windows 7 either by using Group Policy or by using the netsh branchcache context of the Netsh command.
MORE INFO For more information on deploying a BranchCache solution for your organization, see the documentation found in the BranchCache section of the Networking and Access Technologies TechCenter on Microsoft TechNet at http://technet.microsoft.com/en-us/network/dd425028.aspx.
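The client-side steps in the preceding paragraphs (enable BranchCache, choose a mode, open the Windows Firewall exceptions) map onto the netsh branchcache context the text names. The PowerShell script below is an added example, not the Resource Kit's own text or Microsoft's: it sets the mode with netsh, reads back the status, and checks that the Windows Firewall rule groups the chosen mode relies on are enabled. The function names are mine, the hosted cache server name is a placeholder, and the firewall rule group names and the fields it parses from netsh advfirewall output ("Rule Name:", "Grouping:", "Enabled:") are assumed to match what Windows 7 ships; run it from an elevated prompt.

```powershell
# Added example (not from the Resource Kit). Assumes Windows 7, PowerShell 2.0,
# an elevated prompt, and the shipped BranchCache firewall rule group names.

function Set-BranchCacheClientMode {
    param(
        [ValidateSet('Distributed', 'Hosted', 'Disabled')] [string] $Mode,
        [string] $HostedCacheServer   # FQDN of the branch Hosted Cache server (Hosted mode only)
    )
    switch ($Mode) {
        'Distributed' { $out = netsh branchcache set service mode=distributed }
        'Hosted' {
            if (-not $HostedCacheServer) { throw 'Hosted mode needs -HostedCacheServer' }
            # The client validates the Hosted Cache server's certificate, so the name
            # given here must match the certificate the server presents.
            $out = netsh branchcache set service mode=hostedclient "location=$HostedCacheServer"
        }
        'Disabled' { $out = netsh branchcache set service mode=disabled }
    }
    if ($LASTEXITCODE -ne 0) { throw "netsh branchcache failed: $($out -join ' ')" }
    return $out
}

function Get-BranchCacheStatus {
    # Reports the service mode and local cache settings as netsh prints them.
    return (netsh branchcache show status all | Out-String)
}

function Test-BranchCacheFirewallRules {
    # Distributed mode needs peer discovery (WS-Discovery) plus HTTP content
    # retrieval; hosted mode needs HTTPS to the Hosted Cache plus HTTP retrieval.
    # Group names are assumed to be the ones Windows 7 ships.
    param([ValidateSet('Distributed', 'Hosted')] [string] $Mode)
    $groups = @('BranchCache - Content Retrieval (Uses HTTP)')
    if ($Mode -eq 'Distributed') { $groups += 'BranchCache - Peer Discovery (Uses WSD)' }
    else                         { $groups += 'BranchCache - Hosted Cache Client (Uses HTTPS)' }

    # netsh prints one block per rule starting with "Rule Name:"; a block belongs to
    # a group through its "Grouping:" line and is active when "Enabled: Yes".
    $text   = netsh advfirewall firewall show rule name=all | Out-String
    $blocks = $text -split '(?m)^Rule Name:'
    $allOn  = $true
    foreach ($g in $groups) {
        $enabled = $blocks | Where-Object {
            $_ -match ('Grouping:\s*' + [regex]::Escape($g)) -and $_ -match 'Enabled:\s*Yes'
        }
        if (-not $enabled) {
            Write-Warning "No enabled Windows Firewall rule found in group '$g'"
            $allOn = $false
        }
    }
    return $allOn
}

# Usage: hosted cache mode against a placeholder server name (replace it).
Set-BranchCacheClientMode -Mode Hosted -HostedCacheServer 'hostedcache.branch.example.invalid'
Get-BranchCacheStatus
if (-not (Test-BranchCacheFirewallRules -Mode Hosted)) {
    Write-Warning 'BranchCache is configured but clients cannot reach the cache until the rules above are enabled.'
}
```

For a Distributed Cache branch, call Set-BranchCacheClientMode -Mode Distributed and Test-BranchCacheFirewallRules -Mode Distributed instead; the peer-discovery group is what lets clients on the same subnet find each other's cached content.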
Supported Connection Types
Windows 7 supports both outgoing and incoming network connections. For outgoing connections, the computer running Windows 7 acts as a client that connects to a remote computer, server, or network to access remote resources. For incoming connections, Windows 7 acts as a server to allow other computers to connect to the computer and access resources on it.
Outgoing Connection Types
As Windows Vista did before it, Windows 7 supports a number of different types of outgoing (client-side) network connections:
• LAN or high-speed Internet connections. Connections to an Ethernet LAN or broadband router providing high-speed access to the Internet. LAN connections are computer-to-network connections that Windows creates automatically when it detects the presence of an installed network interface card (NIC). Internet connections are computer-to-network connections that you can create and configure manually using the Set Up A Connection Or Network wizard to provide Internet access using a broadband Digital Subscriber Line (DSL) adapter or cable modem, an Integrated Services Digital Network (ISDN) modem, or an analog (dial-up) modem. Broadband Internet connections use Point-to-Point Protocol over Ethernet (PPPoE); dial-up Internet connections use Point-to-Point Protocol (PPP).
• Wireless network connections. Connections to a WLAN through a wireless access point or wireless router. Wireless network connections are computer-to-network connections that you can create and configure manually using the Set Up A Connection Or Network wizard, provided that the computer has a wireless network adapter installed. Wireless network connections may be either secured or unsecured, depending on how the access point has been configured.
• Wireless ad hoc connections. Connections to another computer that is enabled for wireless networking. Wireless ad hoc connections are temporary computer-to-computer connections that you can use to share files between users.
• Wireless routers or access points. Devices used to network wireless-enabled computers, primarily for Small Office/Home Office (SOHO) environments, so that users can share files, printers, and connectivity to the Internet. Setting up this type of connection in Windows Vista using the Connect To A Network wizard requires that the computer has a wireless network adapter installed or attached and that an external wireless router or wireless access point device that can be configured is present.
• Dial-up connections. Connections to a remote access server (RAS server) or modem pool at a remote location. Dial-up connections are computer-to-server or computer-to-network connections that you can create and configure manually using the Set Up A Connection Or Network wizard, provided that the computer has an analog or ISDN modem installed or connected to it. Dial-up connections provide either remote access to corporate networks or dial-up access to the Internet using the services of an Internet service provider (ISP).
• VPN connections. Connections to a remote workplace by tunneling over the Internet. VPN connections work by creating a secure tunnel that encapsulates and encrypts all traffic between the client computer and the remote corporate network. This tunnel creates a secure private link over a shared public infrastructure such as the Internet. After the user is connected, her experience on the client computer is similar to what it would be if her computer were directly attached to the remote LAN (with performance limitations depending on the speed of the remote connection), with the exception of any restrictions imposed on remote connections by the network administrator. VPN connections are computer-to-server or computer-to-network connections that you can create and configure manually using the Set Up A Connection Or Network wizard. VPN connections can use existing Internet connectivity, or they can first bring up a configured broadband Internet connection or an analog or ISDN dial-up connection to obtain the Internet connectivity they require.
The rest of this chapter describes how to create and manage VPN and dial-up connections. For information about LAN and wireless connections in Windows 7, see Chapter 25, “Configuring Windows Networking.”
Incoming Connection Types
As Windows Vista did before it, Windows 7 supports the following types of incoming (server-side) network connections:
• Incoming VPN connections. Connections from a remote computer by tunneling over the Internet, using either a broadband Internet connection or a dial-up connection to an ISP.
• Incoming dial-up connections. Connections from a remote computer using an analog or ISDN modem.
For more information on how to create and configure incoming connections, see the section titled “Configuring Incoming Connections” later in this chapter.
Deprecated Connection Types
The following connection technologies supported in Windows XP were deprecated in Windows Vista and are no longer available in Windows 7:
• X.25
• Microsoft Ethernet permanent virtual circuit (PVC)
• Direct cable connection using a serial, parallel, universal serial bus (USB), or IEEE 1394 cable
NOTE Most types of network connections available in Windows 7 support IPv6 out of the box and can be used to establish pure-IPv6 connectivity with remote servers or networks (provided they support incoming IPv6 connections). More information concerning IPv6 support for network connections in Windows 7 is provided throughout this chapter where appropriate.
Configuring VPN Connections
Windows 7 supports both outgoing and incoming VPN connections. For outgoing connections, Windows 7 is the client and connects to a VPN server on a remote network, usually the corporate intranet. For incoming connections, Windows 7 acts as a server and allows a remote client computer to establish a VPN connection between the two computers. In enterprise environments, outgoing VPN connections are commonly used to allow mobile users to securely access resources on the corporate intranet from remote locations. Incoming VPN connections to client computers are rarely used in enterprise environments, so most of this discussion deals with outbound connections only. For information on how to create and configure an inbound connection on Windows 7, see the section titled “Configuring Incoming Connections” later in this chapter.
Supported Tunneling Protocols
Windows 7 supports four different tunneling protocols for creating secure VPN connections to remote corporate networks:
• Internet Key Exchange version 2. New in Windows 7, IKEv2 is an updated version of the IKE protocol that uses IPsec tunnel mode over UDP port 500. IKEv2 enables VPN connections to be maintained when the VPN client moves between wireless hotspots or switches from a wireless to a wired connection. Using IKEv2 and IPsec together enables support for strong authentication and encryption methods. IKEv2 is documented in RFC 4306.
• Secure Socket Tunneling Protocol. Supported in Windows Vista Service Pack 1 (SP1) and later versions, SSTP encapsulates PPP frames over HTTPS (HTTP over Secure Sockets Layer [SSL]) to facilitate VPN connectivity when a client is behind a firewall, NAT, or Web proxy that allows outgoing TCP connections over port 443. The SSL layer provides data integrity and encryption, while PPP provides user authentication. SSTP was introduced in Windows Vista SP1 and Windows Server 2008. SSTP was developed by Microsoft, and the SSTP protocol specification can be found on MSDN at http://msdn.microsoft.com/en-us/library/cc247338.aspx.
• Layer Two Tunneling Protocol. An industry-standard Internet tunneling protocol designed to run natively over IP networks and which encapsulates PPP frames as PPTP does. Security for L2TP VPN connections is provided by IPsec, which provides the authentication, data integrity, and encryption needed to ensure that L2TP tunnels are protected. The combination of L2TP with IPsec for tunneling purposes is usually referred to as L2TP over IPsec or L2TP/IPsec. L2TP/IPsec is documented in RFC 3193, while L2TP is documented in RFC 2661.
• Point-to-Point Tunneling Protocol. An open industry standard developed by Microsoft and others, PPTP provides tunneling over PPP frames (which themselves encapsulate other network protocols such as IP) and uses PPP authentication, compression, and encryption schemes. PPTP was first introduced in Microsoft Windows NT 4.0 and is simpler to set up than L2TP, but it does not provide the same level of security as L2TP. PPTP is documented in RFC 2637.
Comparing the Different Tunneling Protocols
Table 27-1 compares the four different tunneling protocols that are available in Windows 7 and Windows Server 2008 R2.
TABLE 27-1 Comparison of VPN Tunneling Protocols Supported by Windows 7 and Windows Server 2008 R2
Columns: Protocol | Provides data confidentiality | Provides data integrity | Provides data authentication | Requires a public key infrastructure | Supported versions
[The yes/no marks in the first four columns were lost in extraction; only the text cells survive.]
• IKEv2: PKI for issuing computer certificates; supported on Windows 7, Windows Server 2008 R2, and later versions.
• SSTP: supported on Windows Vista SP1, Windows Server 2008, and later versions.
• L2TP/IPsec: PKI for issuing computer certificates, an alternative is using a pre-shared key; supported on Microsoft Windows 2000 and later versions.
• PPTP: supported on Microsoft Windows 2000 and later versions.
Microsoft’s recommendations for choosing the right tunneling protocol for providing VPN access to your corporate network are as follows:
• For client computers running Windows 7 and VPN servers running Windows Server 2008 R2, implement IKEv2 as your tunneling protocol. In addition to providing data confidentiality, data integrity, and data origin authentication (to confirm that the data was sent by the authorized user), IKEv2 provides resiliency to VPN connections using MOBIKE, which enables VPN connections to be maintained when the underlying Layer 2 network connectivity changes.
• For client computers running Windows 7 and VPN servers running Windows Server 2008 RTM or SP2, use SSTP as a fallback tunneling protocol. This way, whenever an IKEv2 tunnel connection is blocked due to a firewall configuration or some other issue, the client can use SSTP to achieve VPN connectivity to the corporate network. For more information about the order in which different tunneling protocols are used during a VPN connection attempt, see the section titled “Understanding the VPN Connection Negotiation Process” later in this chapter.
• For client computers running Windows 7 that need to connect to VPN servers running older versions of Windows, use L2TP/IPsec if a PKI is available; otherwise, use PPTP.
NOTE Microsoft may remove support for L2TP/IPsec and PPTP in future versions of Windows, so enterprises deploying Windows 7 should implement IKEv2 with SSTP fallback as their VPN solution wherever possible.
Understanding Cryptographic Enhancements
Beginning with Windows Vista, support for the cryptographic algorithms and protocols used for data integrity, encryption, and authentication was updated to increase VPN security. These updates include:
• Addition of support for the Advanced Encryption Standard (AES)
• Removal of support for weak cryptographic algorithms
• Removal of support for less secure authentication protocols
The sections that follow provide more details concerning these security enhancements.
Support for AES
Support for AES was first added in Windows Vista. AES is a Federal Information Processing Standard (FIPS) encryption standard developed by the National Institute of Standards and Technology (NIST) that supports variable key lengths and that replaces the Data Encryption Standard (DES) as the standard encryption algorithm for government and industry. For L2TP/IPsec–based VPN connections, the following AES encryption levels are supported in Windows Vista and later versions:
• Main mode. IPsec main mode supports AES 256- and 128-bit encryption using Elliptic Curve Diffie-Hellman (ECDH) with 384- and 256-bit keys, respectively.
• Quick mode. IPsec quick mode supports AES 128-bit and 3DES encryption when the encryption setting in the Advanced Security Settings properties of the VPN connection is either Optional Encryption or Require Encryption. IPsec quick mode supports AES 256-bit and 3DES encryption when the encryption setting in the Advanced Security Settings properties is Maximum Strength Encryption.
NOTE Using AES is a requirement for many U.S. government agencies.
Weak Cryptography Removal from PPTP/L2TP
Support for weak or nonstandard cryptographic algorithms has been removed beginning with Windows Vista. This initiative was based on a desire by Microsoft to move customers toward stronger crypto algorithms to increase VPN security, based on recommendations by NIST and the Internet Engineering Task Force (IETF) as well as mandates toward stronger crypto algorithms from different industry standards bodies and regulators.
The following crypto algorithms are no longer supported on Windows Vista or later versions:
• 40- and 56-bit RC4 encryption, formerly used by the Microsoft Point-to-Point Encryption (MPPE) protocol for PPTP-based VPN connections
• DES encryption, formerly used by IPsec policy within L2TP/IPsec-based VPN connections
• MD5 integrity checking, formerly used by IPsec policy within L2TP/IPsec-based VPN connections
The removal of support for 40- and 56-bit RC4 encryption from the default configuration means that PPTP-based VPN connections now support only 128-bit RC4 for data encryption and integrity checking. This means the encryption strength remains the same as 128-bit RC4—that is, independent of the encryption setting (Optional Encryption, Require Encryption, or Maximum Strength Encryption) specified in the Advanced Security Settings properties of the VPN connection. This also means that if your existing VPN server does not support 128-bit encryption and supports only incoming PPTP-based VPN connections, clients will not be able to connect. If you are unable to upgrade your existing VPN servers to support 128-bit encryption for PPTP, or if 128-bit encryption is unavailable to you because of export restrictions, you can enable weak crypto for PPTP by editing the following registry value:
HKLM\System\CurrentControlSet\Services\Rasman\Parameters\AllowPPTPWeakCrypto
The default value of this DWORD registry value is 0; by changing it to 1, you can enable 40- and 56-bit RC4 encryption on the computer for both outgoing and incoming PPTP-based VPN connections. You must restart the computer for this registry change to take effect. As an alternative to restarting the computer, you can restart the Remote Access Connection Manager service by opening a command prompt and typing net stop rasman followed by net start rasman.
The removal of support for DES encryption and MD5 integrity checking for L2TP/IPsec-based VPN connections means that L2TP/IPsec-based VPN connections now support the following data encryption and data integrity algorithms by default:
• 128-bit AES, 256-bit AES, and 3DES for data encryption using IPsec
• Secure Hash Algorithm (SHA1) for data integrity using IPsec
The removal of support for DES and MD5 from the default configuration means that L2TP/IPsec-based VPN connections will not work if your existing VPN server supports only DES for data encryption and/or MD5 for data integrity checking. If you are unable to upgrade your existing VPN servers to support AES or 3DES for data encryption and/or SHA1 for integrity checking, or if these crypto algorithms are unavailable to you because of export restrictions, you can enable weak crypto for L2TP by editing the following registry value:
HKLM\System\CurrentControlSet\Services\Rasman\Parameters\AllowL2TPWeakCrypto
The default value of this DWORD registry value is 0; by changing it to 1, you can enable DES encryption and MD5 integrity checking on the computer for both outgoing and incoming L2TP/IPsec-based VPN connections. You must restart the computer for this registry change to take effect. As an alternative to restarting the computer, you can restart the Remote Access Connection Manager service by opening a command prompt and typing net stop rasman followed by net start rasman.
NOTE Microsoft recommends that you upgrade your VPN server to support 128-bit RC4 for PPTP and/or AES and SHA1 for L2TP instead of enabling weak crypto support on your VPN clients.
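Because a single registry change re-enables the removed algorithms for every PPTP or L2TP/IPsec connection on the host, these two values are worth auditing across a fleet. The PowerShell script below is an added example, not from the Resource Kit: it reads AllowPPTPWeakCrypto and AllowL2TPWeakCrypto under the Rasman\Parameters key described above, treats an absent value as the stated default of 0, flags any host where weak crypto has been turned on, and provides a function that sets both values back to 0 and restarts the Remote Access Connection Manager service (the net stop/net start rasman step) so the change takes effect without a reboot. The function and variable names are mine; it assumes Windows Vista or Windows 7 with PowerShell 2.0 and an elevated prompt for the remediation step.

```powershell
# Added example (not from the Resource Kit). Audits, and optionally reverts, the
# two RasMan weak-crypto registry values. Assumes Windows Vista/7, PowerShell 2.0
# and an elevated prompt for Disable-RasWeakCrypto.

$RasManParams     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rasman\Parameters'
$WeakCryptoValues = @('AllowPPTPWeakCrypto', 'AllowL2TPWeakCrypto')

function Get-RasWeakCryptoState {
    # Returns one object per value. A missing value is reported as 0, because the
    # text states that 0 (weak crypto off) is the default.
    $props = Get-ItemProperty -Path $RasManParams -ErrorAction SilentlyContinue
    foreach ($name in $WeakCryptoValues) {
        $raw = $null
        if ($props -ne $null) { $raw = $props.$name }
        $value = 0
        if ($raw -ne $null) { $value = [int]$raw }
        $affects = 'DES and MD5 for L2TP/IPsec'
        if ($name -eq 'AllowPPTPWeakCrypto') { $affects = '40- and 56-bit RC4 for PPTP' }
        New-Object PSObject -Property @{
            Name              = $name
            Value             = $value
            Present           = ($raw -ne $null)
            WeakCryptoEnabled = ($value -eq 1)
            Affects           = $affects
        }
    }
}

function Disable-RasWeakCrypto {
    # Set both values back to the default 0 and bounce Remote Access Connection
    # Manager so the change applies without a reboot. Existing VPN sessions drop.
    foreach ($name in $WeakCryptoValues) {
        Set-ItemProperty -Path $RasManParams -Name $name -Value 0 -Type DWord
    }
    Restart-Service -Name RasMan -Force
}

$state = Get-RasWeakCryptoState
$state | Format-Table Name, Value, Present, WeakCryptoEnabled, Affects -AutoSize
if ($state | Where-Object { $_.WeakCryptoEnabled }) {
    Write-Warning 'Weak VPN crypto is enabled on this host; run Disable-RasWeakCrypto to revert it.'
}
```

Reverting the value breaks connectivity to any VPN server that still offers only 40/56-bit RC4 or DES/MD5, which is exactly the case the note above says should be fixed on the server instead; run the audit first and treat an unexpected 1 as a configuration finding to trace back to whoever set it.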
Table 27-2 summarizes the differences between Windows 7, Windows Vista, and Windows XP with regard to crypto support for data integrity and encryption for VPN connections.
TABLE 27-2 Data Integrity and Encryption Support for VPN Connections in Windows 7, Windows Vista, and Windows XP
Columns: Crypto | Windows 7 | Windows Vista | Windows XP
[Only the rows below survived extraction; the per-version check marks (✓) could not be assigned to their columns.]
• 40-bit RC4: data encryption and integrity checking for PPTP only (✓ in one column)
• 56-bit RC4: data encryption and integrity checking for PPTP only (✓ in one column)
• 128-bit RC4: data encryption and integrity checking for PPTP only
• 256-bit SHA: integrity checking (main mode only)
• 384-bit SHA: integrity checking (main mode only)
An asterisk (*) in Table 27-2 means that configuration is possible, but only by using the Netsh command.
Supported Authentication Protocols
The following authentication protocols are supported for logon security for VPN connections in Windows 7:
• PAP. Stands for Password Authentication Protocol; uses plaintext (unencrypted) passwords.
• CHAP. Stands for Challenge Handshake Authentication Protocol; uses one-way MD5 hashing with challenge-response authentication.
• MSCHAPv2. Stands for Microsoft Challenge Handshake Authentication Protocol version 2; an extension by Microsoft of the CHAP authentication protocol that provides mutual authentication of Windows-based computers and stronger data encryption. MSCHAPv2 is an enhancement of the earlier MS-CHAP protocol, which provided only one-way authentication of the client by the server.
• EAP. Stands for Extensible Authentication Protocol; extends PPP by adding support for additional authentication methods, including using smart cards and certificates.
• PEAP. Stands for Protected Extensible Authentication Protocol, or Protected EAP; enhances the protection provided by EAP by using Transport Layer Security (TLS) to provide a secure channel for EAP negotiation. PEAP is also used in Windows 7 to support NAP scenarios.
Starting with Windows Vista, the following authentication protocols have been deprecated for use by VPN connections:
• SPAP (Shiva Password Authentication Protocol)
• MS-CHAP
• EAP using MD5
Note that by default, PAP and CHAP are not enabled as authentication protocols on new VPN connections you create using the Set Up A Connection Or Network wizard. This is because PAP and CHAP are not considered secure; use them only when connecting to ISPs whose network access devices support only these older authentication schemes. And although Windows 7 no longer supports MD5 for data integrity checking on L2TP/IPsec-based VPN connections, support for MD5 usage in CHAP has been maintained because of the continuing popularity of this authentication protocol with many broadband- and dial-up–based ISPs.
Table 27-3 summarizes the differences between Windows 7, Windows Vista, and Windows XP with regard to user authentication protocols used for VPN connections.
NOTE In addition to the user authentication protocols listed in Table 27-3, L2TP/IPsec also supports machine-level authentication (using either pre-shared keys or machine certificates), and SSTP supports the client validating the server (using the certificate sent by the server to the client during the SSL negotiation phase).
TABLE 27-3 Authentication Protocols Supported for VPN Connections in Windows 7, Windows Vista, and Windows XP
Columns: Authentication protocol | Windows 7 | Windows Vista | Windows XP
[The table body did not survive extraction.]
DIRECT FROM THE SOURCE
VPN Security Enhancements
Samir Jain and Santosh Chandwani, Lead Program Managers
Windows Enterprise Networking
Beginning with Windows Vista, many extensions have been made regarding VPN security. First, all the weak crypto algorithms have been removed and new, stronger crypto algorithms have been added to VPN tunnels. For PPTP, 40/56-bit RC4 encryption has been removed by default. This means PPTP now supports only 128-bit RC4 encryption by default. So if your VPN server or VPN client doesn't support 128-bit encryption, your calls may fail. You can still get 40/56-bit RC4 encryption back by changing a registry key, but this is not recommended. It is better to upgrade your client or server to one that supports the more secure 128-bit RC4 encryption method.
For L2TP/IPsec, DES (for encryption) and MD5 (for integrity check) have been removed, but AES support has been added. This means that Windows Vista and later versions support AES 128-bit, AES 256-bit, and 3DES for encryption, and SHA1 for integrity check. (AES is more CPU efficient than 3DES.) So if your VPN server or VPN client doesn't support either DES or MD5, your connectivity may fail. You can still get DES and MD5 back by changing a registry key, but this is not recommended. It is better to upgrade your client or server to one that supports the more secure AES/3DES and SHA1 encryption methods.
Second, many new authentication algorithms have been added; EAP-MD5, SPAP, and MSCHAPv1 are now deprecated. Windows Vista and later versions support (in increasing order of strength) PAP, CHAP, MSCHAPv2, EAP-MSCHAPv2, EAP-smart card/certificate, PEAP-MSCHAPv2, and PEAP-smart card/certificate. Using PAP or CHAP as an authentication algorithm over a VPN tunnel is not recommended because it is weaker than other authentication algorithms. Arguably, it might be safe to use PAP/CHAP over an L2TP/IPsec VPN connection because IPsec provides a secure session before PPP authentication begins. But always remember this subtle security point: IPsec provides you with machine-level authentication, whereas PPP authentication provides you with user-level authentication, and both are important.
Finally, the L2TP/IPsec client in Windows Vista and later versions has added more verification of specific fields inside the server certificate used for IPsec negotiation to avoid the trusted man-in-the-middle (TMITM) attack. The L2TP/IPsec client checks for the Subject Alternative Name (SAN) field in the server's X.509 certificate to verify that the server you are connecting to is the same as the server that was issued the certificate. It also checks for the Extended Key Usage (EKU) field to validate that the certificate issued to the server is for the purpose of server authentication. For older deployments, Windows Vista and later versions provide a registry key that, if enabled, will allow the VPN client to override the verification of the SAN and EKU fields of the server's certificate. However, it is recommended that you not override these checks. Instead, if your VPN server offering L2TP/IPsec connectivity is issued X.509 certificates that do not have the DNS name of the server in the SAN field, it is recommended that you reissue appropriately configured certificates to the server.
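The SAN and EKU checks the sidebar describes can be modelled as a small validation routine. The following is an added example, not the Windows L2TP/IPsec client's code and not code from this chapter: it takes the certificate's SAN dNSName entries and EKU OIDs as already-parsed values (the sample values in the block are constructed), and the `override_checks` parameter is a hypothetical stand-in for the registry override the sidebar mentions, showing that with the override in place a mismatched certificate is still reported but no longer rejected.

```python
# Added example: models the server-certificate checks described above.
# Certificate fields arrive already parsed; a real client reads them from the
# X.509 structure. Not the Windows L2TP/IPsec client's own code.
from typing import List, Tuple

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, the EKU for server authentication


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of one SAN dNSName entry against the configured host name.

    A wildcard is accepted only as the whole leftmost label ('*.corp.example.com')
    and stands in for exactly one label, so it never matches the bare parent name.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" in host:
        return False
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        host_labels = host.split(".")
        return len(host_labels) >= 2 and ".".join(host_labels[1:]) == pattern[2:]
    return False


def validate_server_certificate(server_name: str, san_dns_names: List[str],
                                eku_oids: List[str],
                                override_checks: bool = False) -> Tuple[bool, List[str]]:
    """Apply the SAN and EKU checks; return (accepted, list of failures).

    override_checks is a hypothetical stand-in for the registry override the
    sidebar mentions: failures are still reported but no longer reject the server.
    """
    failures = []
    if not any(dns_name_matches(name, server_name) for name in san_dns_names):
        failures.append(f"no SAN dNSName entry matches {server_name!r}")
    if ID_KP_SERVER_AUTH not in eku_oids:
        failures.append("EKU does not include id-kp-serverAuth")
    accepted = not failures or override_checks
    return accepted, failures


# Constructed sample values standing in for fields parsed from a server certificate.
SAMPLE_SAN = ["vpn.example.com", "*.corp.example.com"]
SAMPLE_EKU = [ID_KP_SERVER_AUTH]

if __name__ == "__main__":
    for host in ("vpn.example.com", "gw.corp.example.com", "corp.example.com", "mail.example.net"):
        print(host, validate_server_certificate(host, SAMPLE_SAN, SAMPLE_EKU))
```

The wildcard rule is deliberately strict (one label, leftmost position only), which is the conservative reading of the sidebar's point that the name you typed must be the name the certificate was issued for.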
Understanding the VPN Connection Negotiation Process
When a client running Windows 7 tries to establish a connection with a remote VPN server, the tunneling protocol, authentication protocol, data encryption algorithm, and integrity-checking algorithm used depend on several factors:
- The enabled authentication protocols and crypto algorithms on the client side
- The remote access policy on the server side
- The available network transports (IPv4 and/or IPv6)
By default, if Type Of VPN is set to Automatic on the client side, the client running Windows 7 attempts to establish a connection with the remote VPN server in the following order:
1. IKEv2
2. SSTP
3. PPTP
4. L2TP
The VPN client typically resolves the name of the VPN server using DNS. If the DNS lookup provides only an IPv4 or IPv6 address to the client, the connection attempts using the various tunneling protocols use only IPv4 or IPv6. If the DNS lookup provides the client with both the IPv4 and IPv6 addresses of the server, then IPv6 is preferred and the following tunnel connections are attempted, in this order:
1. IKEv2 over IPv6
2. SSTP over IPv6
3. PPTP over IPv4 (because PPTP doesn't support IPv6)
4. L2TP over IPv6
After a tunneling protocol has been selected for the connection, the authentication and crypto algorithms are then negotiated between the client and the server.
NOTE You can reduce connection time by explicitly specifying the tunneling protocol you want your client to use (provided that the remote server also supports this protocol) instead of selecting the Automatic type of VPN on the Networking tab of the connection's properties. Note that doing so means that if the connection attempt using the specified tunneling protocol fails, VPN connectivity cannot be established.
HOW IT WORKS
VPN Connections and IPv4/IPv6
Samir Jain, Lead Program Manager
Enterprise Networking (RRAS)
First, a little background: after you establish VPN connectivity, you have two interfaces on your client computer. One is your Internet interface (that is, Ethernet, wireless, PPPoE, PPP over dial-up, and so on); the other is your corporate or WAN interface (that is, a VPN tunnel). This really means that you have two sets of IP addresses, and each of these can be IPv4 and/or IPv6.
How Do We Support IPv4 and IPv6 for VPN Connections?
In Windows 7, we support SSTP, L2TP, and IKEv2 VPN tunnels over IPv6 (in other words, when your ISP connectivity is IPv6) and SSTP/L2TP/PPTP/IKEv2 VPN tunnels over IPv4. In all scenarios, IPv4 and/or IPv6 packets can be sent on top of a VPN tunnel (packets going to/from your corporate network can be IPv4/IPv6).
- If you are confused about the difference between "over" and "on top of," here's a rule of thumb: Look at the connectivity between the VPN client and the VPN server (your ISP connectivity). This determines how the tunnel packets flow over the Internet and indirectly determines which type of VPN tunnel is to be used.
- Look at the connectivity between the VPN server and your corporate network (your corporate connectivity). This determines what flows on top of (or inside) the tunnel, and indirectly determines which network inside your corporate network you can access (IPv4 and/or IPv6).
How Can I Identify This While Configuring a VPN Connection?
Open the properties dialog box of your VPN connection and click the General tab. Here is where you specify the IP address (v4 or v6) or host name of the VPN server: the IP address that you are going to use to connect to the VPN server, or the IP address over which the VPN tunnel will be established. In other words, this determines your ISP connectivity. If you enter an IPv6 address here, L2TP, IKEv2, and SSTP tunnels are supported. If you enter an IPv4 address, all tunnel types are supported. But if you enter a host name, the type of tunnel selection is deferred until you actually connect and a name lookup is performed. The DNS server could return to you both IPv4 and IPv6 addresses. In this scenario, IPv4 and IPv6 are tried in the order in which the addresses were returned by the DNS server inside the DNS response. The result also depends on the VPN tunnel type selection (PPTP, L2TP/IPsec, SSTP, IKEv2, or automatic).
Switch to the Networking tab and look at This Connection Uses The Following Items. The protocols listed here include both IPv4 and IPv6, and this protocol will be the one that gets negotiated "on top of" (or "inside") the VPN tunnel. In other words, this determines your corporate connectivity: whether you will be sending IPv4 and/or IPv6 packets to the corporate network on top of the tunnel. You can typically get both IPv4 and IPv6 addresses from your corporate VPN server if your VPN server is configured accordingly. Depending on the name lookups, the appropriate address will be taken.
What Happens When I Select Automatic as My Type of VPN?
Automatic VPN tunnel logic is very simple:
- First try IKEv2, and if that fails, try SSTP. If that fails, try PPTP, and if that fails, try L2TP.
- Let's say you have configured an IPv4 address as the destination VPN server. The logic remains the same: first IKEv2, then SSTP, then PPTP, and finally L2TP.
- Let's say instead that you have configured an IPv6 address as the destination VPN server. Try IKEv2. If that fails, try SSTP, and if that fails, try L2TP.
- Finally, let's say that you have configured a host name as the destination VPN server. Now if your DNS server returns only IPv4 addresses (A records), go to bullet 2 above. If your DNS server returns only IPv6 addresses (AAAA records), go to bullet 3. If your DNS server returns both IPv4 and IPv6 addresses, the logic will be to go through each IP address returned and then go to either bullet 2 or 3 depending upon the IP address.
What Happens When I Select My Type of VPN Using Connection Manager Administration Kit?
Connection Manager Administration Kit (CMAK), a tool for network administrators on Windows Server 2008 R2, also supports the following tunnel order strategies:
- Try SSTP first, which means SSTP, IKEv2, PPTP, and then L2TP.
- Use IKEv2 only.
- Try IKEv2 first, which means IKEv2, PPTP, SSTP, and then L2TP.
Note that you must use a computer running a version of Windows with the same processor architecture as the clients on which you want to install the profile. A 32-bit connection profile can be created and installed on a 32-bit version of Windows only; a 64-bit connection profile can be created and installed on a 64-bit version of Windows only. To create 64-bit connection profiles, use the Add Features Wizard to install the CMAK feature on a computer running Windows Server 2008 R2. To create 32-bit connection profiles, use the Turn Windows Features On Or Off option to install the RAS CMAK feature on a computer running a 32-bit version of Windows 7.
What Will Happen if I Connect a Windows 7 Client to a VPN Server That Doesn't Support IPv6?
You won't be able to use the VPN server "over" IPv6 (you can only have IPv4 connectivity to an ISP), which means your tunnel can be SSTP, L2TP, IKEv2, or PPTP. Then, "on top of" the VPN tunnel, the client running Windows 7 will try to get an IPv4 as well as an IPv6 address from the VPN server, but it will get only an IPv4 address. Hence the connection will still go through. In other words, the connection fails only if you cannot get both IPv4 and IPv6 addresses on top of the VPN tunnel.
What Will Happen if I Connect a Windows 7 Client to a VPN Server That Doesn't Support SSTP?
The SSTP connection will fail (and then you should remove SSTP from the preceding tunnel order).
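The Automatic tunnel order from the main text and the sidebar above, together with the three CMAK tunnel order strategies, can be written as one selection function. This is an added example that models the behaviour the chapter documents; it is not Windows RAS code or code from this book. The strategy names (`automatic`, `sstp_first`, `ikev2_only`, `ikev2_first`) and the `dns_records` list, a constructed stand-in for the A and AAAA answers a name lookup returns, are assumptions of the example. For a host name with both A and AAAA answers it follows the order listed in the main text (IPv6 for every tunnel that supports it, PPTP falling back to IPv4).

```python
# Added example: models the Windows 7 VPN tunnel-selection order described in
# this chapter. Not Windows RAS code; the strategy names are this example's own.
import ipaddress
from typing import Dict, List, Optional, Tuple

# Tunnel orders: the client's Automatic type and the three CMAK strategies.
STRATEGIES: Dict[str, List[str]] = {
    "automatic":   ["IKEv2", "SSTP", "PPTP", "L2TP"],
    "sstp_first":  ["SSTP", "IKEv2", "PPTP", "L2TP"],
    "ikev2_only":  ["IKEv2"],
    "ikev2_first": ["IKEv2", "PPTP", "SSTP", "L2TP"],
}
IPV4_ONLY = {"PPTP"}  # PPTP cannot run over IPv6, so it is skipped or falls back to IPv4


def address_family(target: str) -> Optional[str]:
    """'IPv4' or 'IPv6' for an address literal; None when target is a host name."""
    try:
        return "IPv4" if ipaddress.ip_address(target).version == 4 else "IPv6"
    except ValueError:
        return None


def order_for_family(strategy: str, family: str) -> List[Tuple[str, str]]:
    """Attempts for a single address family, dropping IPv4-only tunnels for IPv6."""
    tunnels = STRATEGIES[strategy]
    if family == "IPv6":
        tunnels = [t for t in tunnels if t not in IPV4_ONLY]
    return [(t, family) for t in tunnels]


def tunnel_attempts(target: str, strategy: str = "automatic",
                    dns_records: Optional[List[str]] = None) -> List[Tuple[str, str]]:
    """Ordered (tunnel, family) attempts for the destination the user configured.

    dns_records stands in for the A/AAAA answers returned for a host name and is
    consulted only when target is not an address literal.
    """
    family = address_family(target)
    if family is not None:                      # IPv4 or IPv6 literal on the General tab
        return order_for_family(strategy, family)
    families = {address_family(a) for a in (dns_records or [])} - {None}
    if not families:                            # lookup failed: nothing can be tried
        return []
    if len(families) == 1:                      # only A or only AAAA answers
        return order_for_family(strategy, families.pop())
    # Both A and AAAA answers: IPv6 is preferred, PPTP falls back to IPv4.
    return [(t, "IPv4" if t in IPV4_ONLY else "IPv6") for t in STRATEGIES[strategy]]


if __name__ == "__main__":
    # Constructed sample answers for a host name that has both record types.
    for tunnel, fam in tunnel_attempts("vpn.example.com",
                                       dns_records=["2001:db8::10", "203.0.113.10"]):
        print(f"{tunnel} over {fam}")
```

A useful way to read the output is as the list of protocols and ports a firewall between the client and the server must permit for the first attempt to succeed; with `ikev2_only` the list collapses to a single entry, which is the trade-off the NOTE on reduced connection time describes.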
Creating and Configuring VPN Connections
The Set Up A Connection Or Network wizard simplifies the task of creating VPN connections. The screens displayed when you use this wizard vary depending on the choices you make as you proceed through the wizard.
MORE INFO This chapter covers only configuring client connections for establishing VPN connectivity. For information about configuring Windows Server 2008 VPN servers, including Network Policy Server (NPS) servers, see the "Windows Server 2008 Networking and Network Access Protection (NAP)" volume in the "Windows Server 2008 Resource Kit" from Microsoft Press at http://www.microsoft.com/learning/en/us/books/11160.aspx.
In addition to creating and configuring new connections on clients running Windows 7, administrators can use the new version of the CMAK included with Windows Server 2008. CMAK is a set of tools that you can use to tailor the appearance and behavior of connections made using Connection Manager, the built-in remote access client dialer included in Windows Vista. Using CMAK, administrators can create and deploy custom connections for client computers to simplify the user experience of connecting to remote networks. For instance, you could create a client connection that tries only a single specified tunneling protocol when attempting to establish a connection, or you could create a connection that tries each tunneling protocol in a specified order.
NOTE You must use the new Windows Server 2008 R2 version of CMAK to create and configure connections for clients running Windows 7.
2. After Network And Sharing Center is displayed, click Set Up A New Connection Or Network to start the Set Up A New Connection Or Network wizard.
3. On the Choose A Connection Option page, select Connect To A Workplace and then click Next.
4. If this is the first connection you have created on the computer, proceed to step 5. Otherwise, select Yes, I'll Choose An Existing Connection and then select one of the existing connections displayed on the Do You Want To Use A Connection That You Already Have? page. For example, if you want to use an existing dial-up connection (analog or ISDN modem) to provide Internet access for your new VPN connection, select that connection and then click Dial when the Connect dialog box is displayed for that connection. After you've used your existing connection to connect to the Internet, you can continue setting up your new VPN connection.
5. Click Use My Internet Connection (VPN).
6. Specify the IPv4 or IPv6 address or fully qualified domain name (FQDN) of the remote VPN server you want to connect to, as shown here. You can also give the connection a descriptive name to distinguish it from other connections on the computer. Typically, this will be the name of your remote network or remote VPN server.
7. To use a smart card for authentication, select Use A Smart Card. You must have a smart card reader installed on the computer to use this option. If you select this option, proceed to step 10.
8. To allow other users of the computer to use the connection, select Allow Other People To Use This Connection. Selecting this option configures your connection to be of the All Users type rather than a Private connection, which can be used only by the user who created it. The All Users connection type is also used for Windows logon over your VPN connection.
9. To create a new connection that needs further configuration before you can use it, select Don't Connect Now; Just Set It Up So I Can Connect Later.
10. Click Next and specify the credentials (user name, password, and optionally the domain) you will use to be authenticated by the remote VPN server. (This option is available only if you left the Use A Smart Card option cleared earlier in the wizard.)
11. If you chose to create a connection that needs further configuring before being used, click Create, and then either click Close to create the connection or click Connect Now to initiate the connection.
NOTE You can also start the Connect To A Network wizard by adding a Connect To option to your Start menu. To do this, right-click the Start menu and select Properties, click Customize, and select the check box labeled Connect To.
Initiating a Connection
To initiate a previously created connection, perform the following steps:
1. Click the networking icon in the system tray to display the View Available Networks (VAN) UI. Any VPN client connections configured on the computer will be displayed in the Dial-up And VPN section of the VAN UI, as shown here.
2. Click the VPN client connection you want to initiate, as shown here, and then click Connect.
3. In the Connect <connection name> dialog box that appears, specify the credentials to be used for the connection, as shown here, and then click Connect.
4. When the connection has been established, the connection is displayed as Connected in the VAN UI, as shown here.
NOTE You can also initiate a connection by opening the Network Connections folder, double-clicking the connection, and clicking Connect. You can also drag a connection to the desktop from the Network Connections folder to create a desktop shortcut to your connection, which allows you to initiate your connection by double-clicking the shortcut and clicking Connect.
Terminating a Connection
To disconnect an active connection, click the connection in the VAN UI and then click Disconnect (see Figure 27-1). You can also right-click a connection to view its status, open its properties, or connect or disconnect the connection.
FIGURE 27-1 You can connect or disconnect a connection, view its properties, or display its status using the VAN user interface.
NOTE Windows 7 supports Fast User Switching (FUS) on both domain-joined and workgroup computers. Active VPN connections of the All Users variety are not terminated when you switch your computer to another user.
DIRECT FROM THE SOURCE
Using a VPN Connection at Logon
Santosh Chandwani, Lead Program Manager
Windows Enterprise Networking
To establish a RAS (VPN or dial-up) connection during logon, or to log on to a domain over a RAS connection, the user must have a connection for use by all users on the computer (called an All User connection). To log on to a domain over a RAS connection, follow these steps:
1. On the Logon screen, click the Network Logon icon in the lower-right corner. This will display tiles representing each of the All User connections that can be dialed during logon.
2. Click the tile representing the connection you want to dial. This will display the UI for entering the connection credentials.
3. If the RAS connection requires a smart card and you want to use user name/password for logging on to Windows, select the Use Password For Logon To Windows check box below the RAS credential user interface. This will display the UI for entering the user name and password that will be used for Winlogon.
4. Similarly, if the RAS connection requires user name/password and you want to use a smart card for logging on to Windows, select the Use Smart Card For Logon To Windows check box below the RAS credential to display the smart card UI.
If the RAS connection and the logon to Windows require the same type of credentials, Windows will by default attempt to use the same credentials for establishing the RAS connection and for Winlogon. If the credentials required are different, you will establish a successful RAS connection, but logon to Windows will fail and the following error message will be displayed: "The network connection has been established successfully, but the logon to the local machine has failed using the credentials provided. Please click OK to retry logon to Windows." Clicking OK will give you the opportunity to enter the appropriate credentials for logging on to Windows.
5. If the RAS connection has been successfully established but the logon to Windows has failed, and you want to disconnect the RAS connection instead, click Disconnect Network Connection on the logon screen.
Viewing Connection Details
You can view the details of connections on your computer by using the Network Connections folder and selecting Details using the More Options toolbar item. Using this method, you can view the connection status, device name, connectivity, network category, owner, type, and phone number or host address of the remote server (see Figure 27-2).
FIGURE 27-2 Use the Network Connections folder to view detailed information about connections.