WindowsNetworking.com Newsletter of April 2008

WindowsNetworking.com Monthly Newsletter of December 2008 Sponsored by: ScriptLogic

Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@windowsnetworking.com

Patch Desktops Remotely without Interrupting the User - Try it for Free

DA provides secure web-based access to client machines, real-time diagnostics and troubleshooting, and interactive remote monitoring and control of desktops. Remotely manage the file system, users, registry, and virtual memory, and reboot without client interaction.
Manage, inventory, secure and support desktops from a centralized console. Desktop Authority encompasses remote control as a part of remote management.

Download Desktop Authority and get a free ebook on Windows desktop administration!

1. Windows Server Virtual Private Networking

If you travel, work from home, or own a company with multiple offices, VPNs are the lifeblood of your networking strategy. If you already work with VPNs, you know how valuable they are in saving you and your company hundreds, thousands, or even millions of dollars a year on long distance dial-up phone charges. If you are new to VPNs, then you should learn all you can about them. A working knowledge of VPNs is key in the Microsoft networking business.

A VPN solution requires that you have a VPN Server to accept calls from VPN clients. The VPN clients require two connections to access resources on the VPN server's internal network. The first connection is to the Internet via an ISP, and the second connection is to the VPN server. Once the connection is established to the VPN server, the VPN client becomes a member of the remote network, just as if the client were directly attached to the network via Ethernet cabling.

Point-to-Point Tunneling Protocol (PPTP)

When Microsoft first rolled out a VPN solution for Microsoft networks, the only VPN tunneling protocol available was the Point-to-Point Tunneling Protocol (PPTP). The first version of PPTP (PPTP v1) got a black eye because of some major security flaws with the protocol. As with any security flaw discovered in a Microsoft product, this weakness in PPTP v1 was highly publicized and led to much pain and gnashing of teeth at Microsoft. They did fix the protocol and published security fixes, but the damage was done. It is hard to get a good reputation back after it has been damaged.

The good news for Windows admins is that the version of PPTP included in the box with Windows is a new and improved version of PPTP, sometimes called PPTP v2. PPTP v2 does not have the security weaknesses found in the initial version of PPTP. In addition, the protocol has been tightened up, and has much better performance than the earlier version of PPTP.

Although Microsoft fixed all the major and minor problems with PPTP, the level of security provided for any PPTP connection is highly dependent on the complexity of the password provided by the user. If users are allowed to use short and simple passwords like "mom" or "dog", then the level of protection provided by PPTP is severely hampered. It's up to you as the Windows network admin to make sure Group Policy is configured to require a certain level of password complexity.

Implementing a PPTP VPN is very easy thanks to the Windows RRAS Wizards. When you enable RRAS on a Windows Server, the Wizard will ask you what type of RAS server you want to create. Just select the VPN Server option, and the Wizard does almost all the work for you. There are some tweaks you need to make after the Wizard is done, but for the most part, the RRAS Wizard is a one-stop solution for configuring a PPTP VPN Server.

Layer 2 Tunneling Protocol/Internet Protocol Security (L2TP/IPSec)

The better solution in the Microsoft VPN game is L2TP/IPSec. This VPN tunneling and security protocol combination represents the highest level of security you can get with VPN networking. That's right, not just Microsoft VPN networking, but all VPN networking. L2TP is a tunneling protocol based on the melding of two technologies: the Cisco Layer 2 Forwarding Protocol (L2F) and Microsoft's PPTP. The IETF thought it would be best if Microsoft and Cisco got together to create an Internet standard based on these two protocols, and L2TP was the result of their joint efforts.

While PPTP uses Microsoft Point-to-Point Encryption (MPPE) to secure the information moving through the PPTP tunnel, L2TP uses IPSec to secure data moving inside the tunnel. Password authentication is done by any of the typical PPP authentication protocols, such as MS-CHAP, MS-CHAP v2 or EAP-TLS (actually, EAP-TLS is not a "typical" PPP authentication method, but an extension to the PPP authentication feature set).

Using L2TP/IPSec, in addition to user authentication via PPP authentication methods, computers are also authenticated. This allows both users and computers to be authenticated before connections are allowed. Computer authentication is accomplished by the exchange of machine certificates that are installed on both the VPN client and server.

When you run the RRAS Wizard, the Wizard automatically enables ports that accept calls from both PPTP and L2TP/IPSec VPN clients. PPTP tunnels start working right out of the box; that's why most Windows VPN admins choose to use PPTP, even though it provides a somewhat lower level of security. L2TP/IPSec calls don't start working automatically because certificates must be assigned to the VPN clients and server.

However, getting L2TP/IPSec working is not that difficult. You just need to install a machine certificate on both the VPN client and server. While you could purchase a third-party certificate for the clients and servers, Microsoft has helped you out by including a certificate server with Windows Server. Just install the certificate server, configure it so that it is able to issue machine certificates using the machine certificate template, and then let it start issuing certificates.

The easiest way to do this is to configure Group Policy to auto-enroll domain members. When Group Policy is configured to autoenroll machines, a machine certificate is automatically installed. This certificate can be used by the machine when it wants to establish either a VPN client or server session. If you do not want to use autoenrollment, you can use the Certificates MMC to manually request a certificate.

Once both the client and server have machine certificates installed, L2TP/IPSec tunnels are created automatically. The reason for this is that the default configuration on the Microsoft VPN client negotiates the type of VPN. The Microsoft VPN client tries L2TP/IPSec first, and if that does not work, it will try PPTP. As long as you have not deleted the L2TP listening ports on the VPN server, it will all happen automatically.
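As an added example (not code from the newsletter or from Microsoft), the following PowerShell script checks the two things this section says a Windows VPN deployment depends on: a usable machine certificate in the local computer store for L2TP/IPSec, and a minimum password length enforced by policy for PPTP. The EKU list, the 8-character threshold and the use of `net accounts` to read the policy are the example's own assumptions.

```powershell
# Added example, not code from the newsletter: check whether this machine is
# ready for L2TP/IPSec and whether the password policy the article warns about
# is in place. Assumptions: run in an elevated PowerShell session on the VPN
# server or a client; the EKU list below is what the "Computer" certificate
# template issues (an assumption), and IKE also accepts certificates with no EKU.

$ikeEkus = @(
    '1.3.6.1.5.5.7.3.1',   # Server Authentication
    '1.3.6.1.5.5.7.3.2',   # Client Authentication
    '1.3.6.1.5.5.8.2.2'    # IP security IKE intermediate
)

function Get-CertificateEkus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Return the EKU OIDs of a certificate (empty array if it has no EKU extension).
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ext) { @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
}

function Test-IkeUsable {
    param($Cert)
    # A certificate with no EKU, or with one of the IKE-acceptable EKUs, is usable.
    $ekus = Get-CertificateEkus $Cert
    if ($ekus.Count -eq 0) { return $true }
    foreach ($oid in $ekus) { if ($ikeEkus -contains $oid) { return $true } }
    return $false
}

function Get-IkeMachineCertificate {
    # Machine certificates that are time-valid, have a private key, chain to a
    # trusted root (Verify builds the chain), and carry an IKE-acceptable EKU.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.Verify() -and
        (Test-IkeUsable $_)
    }
}

function Get-MinimumPasswordLength {
    param([switch]$Domain)
    # Parse the "Minimum password length" line from `net accounts`; on a domain
    # member use -Domain to read the domain policy that Group Policy sets.
    $out  = if ($Domain) { net accounts /domain } else { net accounts }
    $text = ($out | Out-String)
    if ($text -match 'Minimum password length:\s+(\d+)') { [int]$matches[1] } else { $null }
}

function Test-VpnReadiness {
    param([int]$MinimumLength = 8, [switch]$Domain)   # 8 is an assumed floor
    $certs  = @(Get-IkeMachineCertificate)
    $minLen = Get-MinimumPasswordLength -Domain:$Domain
    if ($certs.Count -eq 0) {
        Write-Warning 'No usable machine certificate: L2TP/IPSec will fail and the client will fall back to PPTP.'
    } else {
        'Usable machine certificate(s): ' +
            (($certs | ForEach-Object { $_.Subject + ' (expires ' + $_.NotAfter.ToShortDateString() + ')' }) -join '; ')
    }
    if ($minLen -eq $null) {
        Write-Warning 'Could not read the password policy from net accounts.'
    } elseif ($minLen -lt $MinimumLength) {
        Write-Warning "Minimum password length is $minLen; PPTP is only as strong as the password, so raise it to at least $MinimumLength via Group Policy."
    } else {
        "Minimum password length: $minLen"
    }
}

Test-VpnReadiness
```

Run it on both the VPN server and a client. The case worth catching before rollout is the warning about a missing certificate: with the default client configuration described above, that client does not fail, it silently negotiates down to PPTP.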

Conclusion

The Windows 2000 RRAS VPN server allows you to easily configure a VPN networking solution for your business, no matter what the size. You can use PPTP v2 and get your VPN network going right away without any additional software or services required. However, if you want the ultimate in VPN security, you should consider implementing an L2TP/IPSec VPN. The small amount of time required to set up and configure a certificate server will pay off in the long run because of the security and peace of mind you will have with a high-security IPSec-based solution. Next week we'll go over the details of installing and configuring a Certificate Server and how to enable autoenrollment.

TechGenix Holiday Offer!

TechGenix is pleased to offer a holiday special to our newsletter subscribers - 40% off SolarWinds ipMonitor until December 28, 2008. Many of you have downloaded the ipMonitor trial over the past couple of months, and as part of our ongoing partnership with SolarWinds they have provided us with a special year-end discount for our subscribers. Simply mention the promo code PIPM40 to your SolarWinds rep to get this discount.

ipMonitor is an entry-level network, server and application monitoring solution that is easy to use and installs in minutes. ipMonitor auto discovers your network to deliver a clickable dashboard that immediately provides real-time statistics. If you have not yet had a chance to trial ipMonitor and think you would be interested in this offer then feel free to download a free trial version of the software here and use the promo code when you decide to buy before December 28, 2008 to take advantage of these savings.

Thanks!
Tom 

Got a networking question that you can't find the answer to? Send a note to Dr. Tom at tshinder@windowsnetworking.com and he'll answer your question in next month's newsletter.

=======================

Quote of the Month - "The future, according to some scientists, will be exactly like the past, only far more expensive." - John Sladek

======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present to you ISA Server 2006 Migration Guide. This book leverages the over two years of experience Tom and his team of ISA Firewall experts have had with ISA 2006, from beta to RTM and all the versions and builds in between. They've logged literally thousands of flight hours with ISA 2006 and they have shared the Good, the Great, the Bad and the Ugly of ISA 2006 with their no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.

3. WindowsNetworking.com Articles of Interest

4. KB Articles of the Month

5. Windows Networking Tip of the Month

Microsoft Hyper-V is a great way to move your Windows networking environment into a virtual networking infrastructure. Many of you might already have embraced Windows networking in a virtual environment using Microsoft Virtual Server. If you have, you'll want to move those machines over to Windows Server 2008 Hyper-V so that you can get improved performance and reliability.

Here's a method you can use to move your Virtual Server machines to Hyper-V:

First, get your virtual machine ready at the Virtual Server machine so that it's ready to be moved:

  1. In Virtual Server, start the virtual machine that you want to move.
  2. Record the network settings for each network adapter if they must be reset identically after you move the virtual machine.
  3. On the virtual machine, open Add or Remove Programs in Control Panel.
  4. Click Virtual Machine Additions, and then click Remove.
  5. Click Yes in the confirmation dialog box that appears.
  6. After the Virtual Machine Additions are successfully removed, restart the virtual machine. Let the virtual machine completely restart so that the Virtual Machine Additions are completely removed.
  7. Shut down the virtual machine.
  8. If the Undo Disks feature is enabled, click Merge Undo Disks or Discard Undo Disks.
  9. On the Virtual Server Administration Web site, point to the virtual machine name of the virtual machine that is being moved, and then click Edit Configuration.
  10. Click General properties.
  11. Note the path of the .vhd file that contains the operating system for the virtual machine. If you have multiple .vhd files attached to a virtual machine, also note those paths.
  12. Copy the .vhd file from the location that you noted in step 11 to the Hyper-V server.

Now set up the VM on the Windows Server 2008 Hyper-V server:

  1. On the Hyper-V server, click Start, point to Administrative Tools, and then click Hyper-V Manager.
  2. In the Action pane, click New, and then click Virtual Machine.
  3. In the New Virtual Machine Wizard, click Next.
  4. Type a name for the virtual machine in the Name box, type the location of where you want to store the virtual machine configuration files in the Location box, and then click Next.
  5. Enter the amount of memory that you want to use for the virtual machine in the Memory box, and then click Next.
  6. In the Connection list, click the network connection that you want to use, and then click Next.
  7. Click the Use an existing virtual hard disk option.
  8. In the Location box, type the location of the .vhd file that you noted in step 12 in the "Prepare the virtual machine in Virtual Server" section, and then click Next.
  9. Configure the installation options that you want to use, and then click Next.
  10. Review the installation summary, and then click Finish.
  11. In the Virtual Machines list, right-click the name of the virtual machine that you just created, and then click Settings.
  12. If the virtual machine has additional hard disk drives, attach them to the existing IDE controllers, or add a SCSI controller, and then add the hard disk drives to that controller.
  13. Add a network adapter for each network that the virtual machine must connect to, and then click OK to close the Settings for VirtualMachineName dialog box.
  14. In the Virtual Machines list, right-click the virtual machine name, and then click Connect.
  15. On the Action menu, click Start.
  16. Log on to the virtual machine.
  17. When the Found New Hardware Wizard starts, click Cancel.
  18. On the Action menu, click Insert Integration Services Setup Disk.
  19. The Setup for Integration Services dialog box should start automatically. If it does not, start Windows Explorer, and then run the Setup.exe file from the CD-ROM. You will receive the following message: Before Installing the Hyper-V Integration services, the HAL in this virtual machine must be upgraded.
  20. Click OK, and then restart the virtual machine when the installation is completed.
  21. When you log back on, the Integration Services installation will begin. Restart the virtual machine when the installation is complete.
  22. Log on to the virtual machine, and then configure the network settings for each adapter by using the settings that you saved in step 2 of the "Prepare the virtual machine in Virtual Server" section.

Be aware that if you move a Windows 2008 or Vista machine from Virtual Server to Hyper-V, the HAL won't be automatically updated. Check out this link to address this issue.
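Steps 2 and 22 above record and restore the guest's network settings by hand. As an added example (not from the newsletter or from Microsoft's Hyper-V tooling), this PowerShell script does the same from inside the guest using WMI: it exports the static IPv4 settings to a CSV before the move and re-applies them to the new adapters afterwards. The CSV path, the by-order matching of saved entries to new adapters, and the gateway metric of 1 are the example's own assumptions.

```powershell
# Added example, not code from the newsletter: save a guest's static IPv4
# settings before the move (step 2 of the first list) and re-apply them after
# Integration Services are installed (step 22 of the second list).
# Assumptions: run inside the guest as an administrator with PowerShell
# installed; the CSV path is a placeholder; adapters that use DHCP are skipped.

function Export-GuestNetworkConfig {
    param([string]$Path = 'C:\migration\netconfig.csv')   # placeholder path
    $dir = Split-Path $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { -not $_.DHCPEnabled } |
        ForEach-Object {
            # IPAddress and IPSubnet are parallel arrays; keep only the IPv4 pairs,
            # because EnableStatic() does not accept IPv6 addresses.
            $v4 = @(); $masks = @()
            for ($i = 0; $i -lt $_.IPAddress.Length; $i++) {
                if ($_.IPAddress[$i] -notmatch ':') {
                    $v4 += $_.IPAddress[$i]; $masks += $_.IPSubnet[$i]
                }
            }
            New-Object PSObject -Property @{
                Description = $_.Description
                MACAddress  = $_.MACAddress        # recorded as a label only
                IPAddress   = ($v4 -join ';')
                SubnetMask  = ($masks -join ';')
                Gateway     = (@($_.DefaultIPGateway) -join ';')
                DnsServers  = (@($_.DNSServerSearchOrder) -join ';')
            }
        } | Export-Csv -Path $Path -NoTypeInformation
    "Saved static settings to $Path"
}

function Import-GuestNetworkConfig {
    param([string]$Path = 'C:\migration\netconfig.csv')   # placeholder path
    # After the move each adapter is new hardware with a new MAC, so saved
    # entries are matched to live adapters by order (assumption: the adapters
    # were added in step 13 in the same order as the networks they replace).
    $saved = @(Import-Csv -Path $Path)
    $live  = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    if ($saved.Count -ne $live.Count) {
        Write-Warning "Saved $($saved.Count) adapter(s) but found $($live.Count); apply the settings by hand."
        return
    }
    for ($i = 0; $i -lt $saved.Count; $i++) {
        $s = $saved[$i]; $a = $live[$i]
        $ips   = @($s.IPAddress -split ';')
        $masks = @($s.SubnetMask -split ';')
        "Applying $($ips -join ',') to '$($a.Description)' (was '$($s.Description)')"
        $r = $a.EnableStatic($ips, $masks)     # ReturnValue 0 = success, 1 = reboot required
        if ($r.ReturnValue -gt 1) { Write-Warning "EnableStatic failed with code $($r.ReturnValue)"; continue }
        if ($s.Gateway)    { $a.SetGateways(@($s.Gateway -split ';'), @(1)) | Out-Null }
        if ($s.DnsServers) { $a.SetDNSServerSearchOrder(@($s.DnsServers -split ';')) | Out-Null }
    }
}

# Before the move (step 2):  Export-GuestNetworkConfig
# After the move (step 22):  Import-GuestNetworkConfig
```

The export deliberately refuses to apply anything when the adapter count has changed, since guessing which new adapter maps to which old network is how a migrated server ends up answering on the wrong subnet.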

6. WindowsNetworking Links of the Month

7. Ask Dr. Tom

QUESTION:

Hi Tom,

I use virtual machines to test my Microsoft networking configurations. I would never consider deploying a new networking solution without first testing it in a virtual machine environment. However, I use time bound evaluation versions of Windows Server 2008 to do this. It takes me a long time to put my virtual labs together and I hate having to recreate them every 60 days. Is there a way for me to extend the life of my virtual machines so that I don't have to spend an entire weekend each month recreating my virtual labs?

Thanks! - Chester H.

ANSWER:

Hi Chester,

You bet! There is a feature called "rearm" in Windows Server 2008 trial editions that allows you to run your trial edition up to 240 days. Just remember that you should not use your trial editions in a production environment. Use them in your lab like you are doing and you'll be OK.

As you know, the original trial period is for 60 days. Using the rearm feature, you can rearm your trial version three more times, each time being good for 60 days. This additional 180 days, plus your original 60 day trial period, adds up to 240 days. In addition, if you have a Windows Server 2008 120 day trial version, you can also extend it for up to 240 days.

Here's how you do it. First, install Windows Server 2008 without activating it:

  1. Run the Windows Server 2008 Setup program.
  2. When you are prompted to enter a product key for activation, do not enter a key. Click No when Setup asks you to confirm your selection.
  3. You may be prompted to select the edition of Windows Server 2008 that you want to evaluate. Select the edition that you want to install. Be aware that after Windows Server 2008 is installed, the edition cannot be changed without reinstalling it.
  4. When you are prompted, read the evaluation terms in the Microsoft Software License Terms, and then accept the terms.
  5. When the Windows Server 2008 Setup program is finished, the initial 60-day evaluation period starts. To check the time that is left on your current evaluation period, run the Slmgr.vbs script that is in the System32 folder from the command prompt. Use the -dli switch to run this script. The slmgr.vbs -dli command displays the number of days that are left in the current 60-day evaluation period.

When the initial 60-day evaluation period nears its end, you can run the Slmgr.vbs script again to reset the evaluation period. To do this, follow these steps:

  1. Click Start, and then click Command Prompt.
  2. Type slmgr.vbs -dli, and then press ENTER to check the current status of your evaluation period.
  3. To reset the evaluation period, type slmgr.vbs -rearm, and then press ENTER.
  4. Restart the computer.

This resets the evaluation period to 60 days. Remember, you can rearm up to three times before you have to perform a clean install again.
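As an added example (not Dr. Tom's code), this PowerShell script wraps the slmgr.vbs commands from the answer so that a rearm is only issued when the period is about to expire and a rearm is still available, which keeps the three rearms from being spent early. The "Time remaining" and "rearm count" wording it parses is an assumption about the script's output and is matched loosely; the sample output at the end is constructed.

```powershell
# Added example, not code from the newsletter: read the time left in the
# current evaluation period and rearm only when it is about to expire.
# Assumptions: slmgr.vbs -dli prints a "Time remaining" line containing
# "(N day(s))" as step 5 describes, and -dlv prints a "Remaining Windows
# rearm count" line; both are parsed with loose regexes because the wording
# differs between builds.

$slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

function Get-EvaluationDaysLeft {
    param([string[]]$Output = (cscript //nologo $slmgr -dli))
    $text = $Output -join "`n"
    if ($text -match '(\d+)\s*day')    { return [int]$matches[1] }
    if ($text -match '(\d+)\s*minute') { return [int][math]::Floor([int]$matches[1] / 1440) }
    return $null
}

function Get-RearmsLeft {
    param([string[]]$Output = (cscript //nologo $slmgr -dlv))
    $text = $Output -join "`n"
    if ($text -match 'rearm count:\s*(\d+)') { return [int]$matches[1] }
    return $null   # line not found: unknown, do not block the rearm on it
}

function Invoke-RearmIfNeeded {
    param([int]$ThresholdDays = 3, [switch]$WhatIf)
    $days   = Get-EvaluationDaysLeft
    $rearms = Get-RearmsLeft
    if ($days -eq $null) { Write-Warning 'Could not read the evaluation status; not rearming.'; return }
    if ($days -gt $ThresholdDays) { "$days day(s) left; no rearm needed yet."; return }
    if ($rearms -eq 0) { Write-Warning 'No rearms left: a clean install is the only option.'; return }
    if ($WhatIf) { "Would rearm now ($days day(s) left, rearms reported: $rearms)."; return }
    cscript //nologo $slmgr -rearm
    'Rearm issued; restart the computer to start the new 60-day period.'
}

# Constructed sample of -dli output to exercise the parser offline
# (assumption: wording; a real box prints its own values).
$sampleDli = @(
    'Name: Windows Server(R), ServerStandard edition',
    'License Status: Initial grace period',
    'Time remaining: 2880 minute(s) (2 day(s))'
)
Get-EvaluationDaysLeft -Output $sampleDli

Invoke-RearmIfNeeded -WhatIf
```

Scheduling `Invoke-RearmIfNeeded` (without -WhatIf) to run daily in the lab means a rearm happens only in the last few days of each 60-day period, and the reboot the answer calls for can then be done at a convenient time.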

Got a question for Dr. Tom? Send it to tshinder@windowsnetworking.com.
