WindowsNetworking.com Monthly Newsletter of December 2008 Sponsored by: ScriptLogic
Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
If you travel, work from home, or own a company with multiple offices, VPNs are the lifeblood of your networking strategy. If you already work with VPNs, you know how valuable they are in saving you and your company hundreds, thousands, or even millions of dollars a year on long distance dial-up phone charges. If you are new to VPNs, then you should learn all you can about them. A working knowledge of VPNs is your key to in the Microsoft networking business.
A VPN solution requires that you have a VPN Server to accept calls from VPN clients. The VPN clients require two connections to access resources on the VPN server's internal network. The first connection is to the Internet via an ISP, and the second connection is to the VPN server. Once the connection is established to the VPN server, the VPN client becomes a member of the remote network, just as if the client where directly attached to the network via Ethernet cabling.
Point-to-Point Tunneling Protocol (PPTP)
When Microsoft first rolled out a VPN solution for Microsoft networks, the only VPN tunneling protocol available was the Point-to-Point Tunneling Protocol (PPTP). The first version of PPTP (PPTP v1) got a black eye because of some major security flaws with the protocol. As with any security flaw discovered in a Microsoft product, this weakness in PPTP v1 was highly publicized and led to much pain and gnashing of teeth at Microsoft. They did fix the protocol and published security fixes, but the damage was done. It is hard to get a good reputation back after it has been damaged.
The good news for Windows admins is that the version of PPTP included in the box with Windows is a new and improved version of PPTP, sometimes called PPTP v2. PPTP v2 does not have the security weaknesses found in the initial version of PPTP. In addition, the protocol has been tightened up, and has much better performance than the earlier version of PPTP.
Although Microsoft fixed all the major and minor problems with PPTP, the level of security provided for any PPTP connection is highly dependent on the complexity of the password provided by the user. If users are allowed to use short and simple passwords like "mom" or "dog", then the level of protection provided by PPTP is severely hampered. It's up to you as the Windows network admin to make sure Group Policy is configured to require a certain level of password complexity.
Implementing a PPTP VPN is very easy thanks to the Windows RRAS Wizards. When you enable RRAS on a Windows Server, the Wizard will ask you what type of RAS server you want to create. Just select the VPN Server option, and the Wizard does almost all the work for you. There are some tweaks you need to make after the Wizard is done, but for the most part, the RRAS Wizard is a one-stop solution for configuring a PPTP VPN Server.
Layer 2 Tunneling Protocol/Internet Protocol Security (L2TP/IPSec)
The better solution in the Microsoft VPN game is L2TP/IPSec. This VPN tunneling and security protocol combination represents the highest level of security you can get with VPN networking. That's right, not just Microsoft VPN networking, but all VPN networking. L2TP is a tunneling protocol based on the melding of two technologies: the Cisco Layer 2 Forwarding Protocol (L2F) and Microsoft's PPTP. The IETF thought it would be best if Microsoft and Cisco got together to create an Internet standard based on these two protocols, and L2TP was the result of their joint efforts.
While PPTP uses Microsoft Point to Point Encryption (MPPE) to secure the information moving through the PPTP tunnel, L2TP uses IPSec to secure data moving inside the tunnel. Password authentication is done by any of the typical PPP authentication protocols, such as MS-CHAP, MS-CHAP v2 or EAP-TLS (actually, EAP-TLS is not a "typical" PPP authentication method, but an extension to the PPP authentication feature set).
Using L2TP/IPsec, In addition to user authentication via PPP authentication methods, computers are also authenticated. This allows both users and computers to be authenticated before connections are allowed. Computer authentication is accomplished by the exchange of machine certificates that are installed on both the VPN client and server.
When you run the RRAS Wizard, the Wizard automatically enables ports that accept calls from both PPTP and L2TP/IPSec VPN clients. PPTP tunnels start working right out of the box; that's why most Windows VPN admins choose to use PPTP, even though it provides a bit lower level of security. L2TP/IPSec calls don't start working automatically because certificates must be assigned to the VPN clients and server.
However, getting L2TP/IPSec working is not that difficult. You just need to install a machine certificate on both the VPN client and server. While you could purchase a third party certificate for the clients and servers, Microsoft has helped you out by including a certificate server with Windows Server. Just install the certificate server, configure it so that's its able to issue machine certificates using the machine certificate template, and then let it start issuing certificates.
The easiest way to do this is to configure Group Policy to auto-enroll domain members. When Group Policy is configured to autoenroll machines, a machine certificate is automatically installed. This certificate can be used by the machine when it wants to establish either a VPN client or server session. If you do not want to use autoenrollment, you can use the Certificates MMC to manually request a certificate.
Once both the client and server have machine certificates installed, L2TP/IPSec tunnels are created automatically. The reason for this is the default configuration on the Microsoft VPN client negotiates the type of VPN. The Microsoft VPN client tries L2TP/IPSec first, and if that does not work, it will try PPTP. As long as you have not deleted the L2TP listening ports on the VPN server, it will all happen automatically.
The Windows 2000 RRAS VPN server allows you to easily configure a VPN networking solution for your business, no matter what the size. You can use PPTP v2 and get your VPN network going right away without any addition software or services required. However, if you want the ultimate in VPN security, you should consider implementing an L2TP/IPSec VPN. The small amount of time required to setup and configure a certificate server will pay off in the long run because of the security and peace of mind you will have with a high security IPSec based solution. Next week we'll go over the details of installing and configuring a Certificate Server and how to enable autoenrollment.
TechGenix Holiday Offer!
TechGenix is pleased to offer a holiday special to our newsletter subscribers - 40% off SolarWinds ipMonitor until December 28, 2008. Many of you have downloaded the ipMonitor trial over the past couple months and as part of our ongoing partnership with SolarWinds they have provided us with a special year end discount for our subscribers. Simply mention the promo code PIPM40 to your SolarWinds rep to get this discount.
ipMonitor is an entry-level network, server and application monitoring solution that is easy to use and installs in minutes. ipMonitor auto discovers your network to deliver a clickable dashboard that immediately provides real-time statistics. If you have not yet had a chance to trial ipMonitor and think you would be interested in this offer then feel free to download a free trial version of the software here and use the promo code when you decide to buy before December 28, 2008 to take advantage of these savings.
Got a networking question that you can't find the answer to? Send a note to Dr. Tom at email@example.com and he'll answer your question in next month's newsletter.
3. WindowsNetworking.com Articles of Interest
Microsoft Hyper-V is a great way to move your Windows networking environment into a virtual networking infrastructure. Many of you might already have embraced Windows networking in a virtual environment using Microsoft Virtual Server. If you have, you'll want to move those machines over to Windows Server 2008 Hyper-V so that you can get improved performance and reliability.
Here's a method you can use to move your Virtual Server machines to Hyper-V:
First, get your virtual machine ready at the Virtual Server machine so that it's ready to be moved:
Now set up the VM on the Windows Server 2008 Hyper-V server:
Be aware that if you move a Windows 2008 or Vista machine from Virtual Server to Hyper-V, the HAL won't be automatically updated. Check out this link to address this issue.
I use virtual machines to test my Microsoft networking configurations. I would never consider deploying a new networking solution without first testing it in a virtual machine environment. However, I use time bound evaluation versions of Windows Server 2008 to do this. It takes me a long time to put my virtual labs together and I hate having to recreate them every 60 days. Is there a way for me to extend the life of my virtual machines so that I don't have to spend an entire weekend each month recreating my virtual labs?
Thanks! - Chester H.
You bet! There is a feature called "rearm" in Windows Server 2008 trial editions that allow you to run your trial edition up to 240 days. Just remember that you should not use your trial editions in a production environment. Use them in your lab like you are doing and you'll be OK.
As you know, the original trial period is for 60 days. Using the rearm feature, you can rearm your trial version three more times, each time being good for 60 days. This additional 180 days, plus your original 60 day trial period, adds up to 240 days. In addition, if you have a Windows Server 2008 120 day trial version, you can also extend it for up to 240 days.
Here's how you do it. First, install Windows Server 2008 without activating it:
When the 60 days run out, you can run slmgr.vbs command again:
When the initial 60-day evaluation period nears its end, you can run the Slmgr.vbs script to reset the evaluation period. To do this, follow these steps:
This resets the evaluation period to 60 days. Remember, you can rearm up to three times before you have to perform a clean install again.
Got a question for Dr. Tom? Send it to firstname.lastname@example.org.