VPN Remote Access Issue

[Guest]

I'm currently trying to configure a VPN server running on a Windows 2000
server in a test lab . This VPN server is located on a perimeter network
(i.e. DMZ zone). A router separates this perimeter network from the main
internal private network (i.e. Intranet or LAN). The Windows 2000 domain
controller is located within the internal network (192.168.1.0 /24) with an
IP address of 192.168.1.4 . It is also acting as a DHCP server. The VPN
server has a IP address of 192.168.2.2 on the perimeter network (i.e. the
192.168.2.0 /24 inner DMZ network). All traffic can be routed properly
between the internal network and the perimeter network. The domain
controller on the internal network has a domain user account set up in Active
Directory Users and Computers and the account is configured for allow access
permission in its Dial up/Remote Access properties. The VPN server on the
perimeter network is running Windows 2000 advanced server and is currently
functioning as a standalone server. Routing and Remote access is enabled on
this machine and it is configured as a VPN server as mentioned before. The
VPN clients are configured to obtain their IP addresses from a static pool
addresses (e.g. 192.168.1.100 - 192.168.1.120) on the VPN server. This
address pool assignment may have also been configured dynamically if the
router was configured as a DHCP relay agent.

However, the problem here is that I'm not sure how the VPN server is going
to authenticate or communicate with the Domain Controller in order to permit
or grant the incoming VPN client full access to shared resources on the
domain. Do I need to set up a local user account on the VPN server using the
Computer Management administrative tool with the same credentials as the
domain user account mentioned above? or should I configure the VPN server on
the perimeter network as a member server (i.e. make it a member of the
domain)? or should I configure it as a additional domain controller (backup
DC) whereby it can directly authenticate the incoming VPN client?. I would
appreciate your advice or assistance on this matter. Normally, as you know
already, it is recommended to place the VPN server in a perimeter network for
security reasons rather than the internal network so that intruders or
unauthorised users can't directly compromise the local area network.
Obviously, if the Domain Controller was acting as a VPN server in a simple
network with no perimeter network; then it would make things very easy as the
VPN clients from the Internet could authenticate directly with it. However,
this is not the case here. The problem here evolves around how the VPN
server authenticates the VPN clients when the Domain Controller is located on
the internal network. To finalise, what are the prerequisites of the VPN
server in this scenario? This is a authentication issue rather than a
routing issue etc. Furthermore, should the VPN server in this case be
configured with a static address pool taken from the perimeter network (e.g.
192.168.2.100 -192.168.2.120) or with a static address pool taken from the
internal network (e.g. 192.168.1.100 - 192.168.1.120) or does it make any
difference?

My apologies for the long description of this VPN network scenario but I
thought it might prove useful for anyone out there trying to resolve this
problem.

Trusting that you will kindly respond to this query.

Thanking You.

Martin Healy
Email: (e-mail address removed)

 

[Samir Jain [MSFT]]

Hi Martin,

Long mail but good idea about your topology. So long reply too )

Answer to you query related to DC
-> If you are using "Windows" as authentication provider on RRAS server. In
that case you can still use your DC inside internal network to verify your
username/passwords.
If remote clients enter username=domainA\usernameA on their connection,
then VPN server will try to authenticate this user to that "domainA", if VPN
server is member of "domainA" or registered to that domain (through
netsh ras add registered server).
If the remote client enter username= usernameA (without domain\), then
if VPN server is member of or registered to some domain (say domainB)- it
will try to authenticate the user against "domainB". But if VPN server was
not in domain (say workgroup) nor registered to some domain, it will try to
see local username/password store.
-> If you are using Radius as authentication provider and install Radius
server (like IAS) on some machine inside your internal network. Then
authentication request will be given by VPN server to radius server. And the
same rules above apply for radius server too.

Answer to your query related to ip address pool
-> Giving the IP address in range 192.168.1.100 - 192.168.1.120 may create
routing issues to you. Because LAN PCs (in 192.168.1.x network) will think
all the VPN clients are in same subnet and do ARP to find their MAC address.
And RRAS will not be able to do proxy ARP to them as there is a router
between perimeter network and internal network. Giving them address in range
of 192.168.2.x may solve it, as LAN PCs need to have a route (default route
or 192.168.2.x specific route) towards the router (that is between perimeter
and internal network).

Some more security questions to think about:-
-> Where are you deploying firewall ?
-> Is VPN server configured to accept only VPN packets on its public
interface and drop everything else
More deployment guidelines can be seen at
http://www.microsoft.com/resources/.../all/deployguide/en-us/dnsbf_vpn_overview.asp

Also the online help in RRAS MMC Snap-in (Open RRASMgmt.msc, click on
Help->Help topics) is very rich.

 

[Guest]

Thanks for the comprehensive reply as this answered my query. The firewall
is placed between the inner and outer DMZ networks. Packet filters are
applied on both the perimeter and internet/public interfaces. ACLs (i.e.
another form of packet filters) are applied on the routers at the two extreme
ends of the network in order to provide an additional layer of security.

Martin