5nsa session 11 vpn for remote clients 12101501

Upload: james-hennessy

Post on 04-Apr-2018


TRANSCRIPT

  • 7/31/2019 5NSA Session 11 VPN for Remote Clients 12101501

    1/22

    Virtual Private Network Access for Remote Clients

    5BCS Session 10

  • Objectives

    Understanding VPN Concepts

    Planning VPN Access

    NAP Integration

    Configuring VPN Client Access

  • Understanding VPN Concepts

    VPNs are encrypted tunnels to a remote server which routes the traffic into a remote network.

    VPN connections are used to provide secure access to a remote network through the public infrastructure of the internet.

    A common misconception is that VPN tunnels provide unrestricted access to a remote network. TMG traffic policies allow administrators to control traffic to and from the VPN Clients network.

    Because VPN tunnels are intended to be secure and trusted, they must provide strong encryption and authentication methods. Additionally, they must employ tunnel management to control the traffic flow through the tunnel.

  • What is a VPN?

    (Diagram: TMG connected to a Branch Office over a VPN tunnel)

  • Tunnel Types

    In general, VPN tunnels fall into two operational modes: transport and tunnel. The primary difference between the modes is the way each is used:

    Transport mode: This mode operates in the context of the two endpoints only; it cannot be used to route traffic between two remote networks. This is the mode generally used for remote access between individual users and the office.

    Tunnel mode: This mode is intended to provide routing between two networks. This operational mode is typically used for site-to-site VPN connections, where disjoint networks need to communicate. In this mode, the non-VPN hosts in each network must use their VPN endpoint as a route to the remote end of the tunnel if they are to communicate with each other.

  • Protocols

    Comparison of the three VPN protocols (SSTP, L2TP/IPsec and PPTP):

    SSTP
      Encapsulation: PPP over HTTP over TCP over SSL
      Site-to-site capable: No
      Encryption: SSL with RC4 or AES
      Tunnel maintenance protocol: SSTP
      NAT traversal: Native NAT or Web proxy
      User authentication: After the SSL session is established
      Certificates: Server certificate on VPN server, root CA certificate on VPN client

    L2TP/IPsec
      Encapsulation: IPsec
      Site-to-site capable: Yes
      Encryption: IPsec ESP with 3DES or AES
      Tunnel maintenance protocol: L2TP
      NAT traversal: IPsec NAT-T
      User authentication: After the IPsec encryption occurs
      Certificates: Computer certificates on both the client and server, or pre-shared keys

    PPTP
      Encapsulation: GRE
      Site-to-site capable: Yes
      Encryption: MPPE with RC4
      Tunnel maintenance protocol: PPTP
      NAT traversal: NAT editor on the firewall
      User authentication: Before PPTP encryption
      Certificates: None

  • VPN Authentication Protocol Options

    Authentication protocol: Considerations

    PAP: Uses plaintext passwords and is the least secure authentication protocol

    SPAP: Uses a reversible encryption mechanism employed by Shiva

    CHAP: Requires passwords stored by using reversible encryption; compatible with Macintosh and UNIX-based clients; data cannot be encrypted

    MS-CHAP: Does not require that passwords be stored by using reversible encryption; encrypts data

    MS-CHAPv2: Performs mutual authentication; data is encrypted by using separate session keys for transmitted and received data

    EAP-TLS: Most secure remote authentication protocol; enables multifactor authentication

  • Planning VPN Access

    Confidentiality: Select the most appropriate VPN protocol to use to encrypt VPN traffic end to end.

    Integrity: Select the most appropriate authentication protocol and allow access to VPN resources based upon an endpoint integrity health check.

    Availability: Make the resources available to the users.

  • Planning VPN Access

    OS: Decide which OS you want to support

    Windows:  SSTP: Windows Vista/7 only;  L2TP/IPsec: All;  PPTP: All
    Linux:    SSTP: No;                    L2TP/IPsec: Yes;  PPTP: Yes (PPTP client app)
    Mac:      SSTP: No;                    L2TP/IPsec: Yes;  PPTP: Yes (PPTP client app)

  • Planning VPN Access

    Security

    Which protocol is more secure? Which protocol is better for your network?

    PPTP provides the essential security required for most networks and is compatible with most of the platforms. The overall cost to implement PPTP is lower as it doesn't require certificates or other special settings. However, the availability of this protocol in a variety of remote locations is an issue: some locations don't allow outbound access for PPTP and only allow HTTP and HTTPS outbound.

    L2TP/IPsec offers the highest level of security (data confidentiality, integrity and origin authentication) but has a higher cost. You will need to deploy certificates, and you will need additional planning to support the Public Key Infrastructure (PKI) required to implement IPsec.

    SSTP provides the highest level of availability in remote locations because it uses only HTTPS. But because it is the newest VPN protocol, it has the lowest level of compatibility with older operating systems.

  • Planning VPN Access

    Performance

    IPsec is much more CPU-intensive than PPTP, which means that the same Forefront TMG VPN server will consume more resources using L2TP than PPTP or SSTP.

    Authentication

    You need to define whether you will use your current Active Directory infrastructure to authenticate remote users or if you want to use a separate entity (the Remote Authentication Dial-In User Service, or RADIUS, protocol) to handle authentication.

    The general guideline is to provide the end user with the smoothest experience, but with the most secure access control.

  • Planning VPN Access

    VPN Access Policy

    Administrative Controls: Requirements that the user must satisfy to be eligible for VPN access:

    1. Does your job require remote access?
    2. How often do you work from home?
    3. Do you use a company asset (e.g. laptop) to access the VPN remotely?
    4. What resources do you need to access remotely?
    5. Can these resources be accessed via other means (such as Web Publishing or Server Publishing)?

    Technical Controls: Use Forefront TMG firewall policy to allow users to have access only to the resources that they need. Use the principle of least privilege.

    Another technology that can be included as a technical control is Network Access Protection (NAP). With NAP you can do endpoint protection by evaluating the health of the client's workstation and verifying whether the client satisfies the minimum requirements to gain VPN access.

  • NAP Integration

    Windows Server 2008 Network Access Protection (NAP) enforces compliance with computer health requirements for network access. TMG integrates with that by acting as a VPN server.
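The endpoint health gate that the Technical Controls and NAP Integration slides describe, as an added example written for this page (it is not code from the slides, from TMG or from NAP). The thresholds, the StatementOfHealth fields and the failure strings are constructed assumptions; the network names follow TMG's built-in VPN Clients network and its Quarantined VPN Clients network for non-compliant clients.

```python
from dataclasses import dataclass, field

# Constructed minimum health requirements. The checks mirror what a NAP
# System Health Validator evaluates, but these names are assumptions.
REQUIRED_PATCH_LEVEL = 20
MAX_AV_SIGNATURE_AGE_DAYS = 7


@dataclass
class StatementOfHealth:
    """What the client's NAP agent reports about the workstation (constructed)."""
    firewall_enabled: bool
    antivirus_enabled: bool
    av_signature_age_days: int
    patch_level: int
    auto_update_enabled: bool


@dataclass
class HealthDecision:
    compliant: bool
    failures: list = field(default_factory=list)
    network: str = "VPN Clients"  # TMG network the client is placed in


def evaluate_health(soh: StatementOfHealth) -> HealthDecision:
    """Compare the Statement of Health with the minimum requirements.
    A compliant client is placed in the VPN Clients network; a
    non-compliant one goes to the Quarantined VPN Clients network, where
    TMG policy can limit it to remediation servers until it is fixed."""
    failures = []
    if not soh.firewall_enabled:
        failures.append("host firewall disabled")
    if not soh.antivirus_enabled:
        failures.append("antivirus disabled")
    elif soh.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append(f"antivirus signatures {soh.av_signature_age_days} days old")
    if soh.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append(f"patch level {soh.patch_level} below {REQUIRED_PATCH_LEVEL}")
    if not soh.auto_update_enabled:
        failures.append("automatic updates disabled")
    if failures:
        return HealthDecision(False, failures, "Quarantined VPN Clients")
    return HealthDecision(True, [], "VPN Clients")
```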

  • VPN Client Access Configuration Options

    Click the Virtual Private Networks (VPN) node to access the VPN client access configuration options.

  • Enable and Configure VPN Client Access

    Use user mapping to apply firewall policies to users who do not use Windows authentication.

  • Default VPN Client Access Configuration

    Component: Default configuration

    System policy rules: System policy rule that allows the use of PPTP, L2TP, or both is enabled

    VPN access network: TMG will listen for VPN client connections only on the External network

    VPN protocols: Only PPTP is enabled for VPN client access

    Network rules: A route relationship between the VPN Clients network and the Internal network; a NAT relationship between the VPN Clients network and the External network

    Firewall access rules: No firewall access rules are enabled

    Remote access policy: Default policy requires MS-CHAPv2 authentication
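To show how the default network rules above combine with firewall access rules under the least-privilege guidance on the VPN Access Policy slide, here is an added example written for this page (it is not TMG's policy engine or API). The AccessRule fields, the rule names and the user names are constructed assumptions; the network names and the route/NAT relationships come from the default configuration above.

```python
from dataclasses import dataclass

# Default network rules from the slides: a route relationship between the
# VPN Clients and Internal networks, NAT from VPN Clients to External.
NETWORK_RULES = {
    ("VPN Clients", "Internal"): "route",
    ("VPN Clients", "External"): "nat",
}


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str           # "allow" or "deny"
    protocols: frozenset  # protocol names, e.g. {"HTTPS"}
    from_net: str
    to_net: str
    users: frozenset      # user names; "*" means all authenticated users


def relationship(src_net, dst_net):
    """Route relationships apply in both directions, NAT in one only."""
    rel = NETWORK_RULES.get((src_net, dst_net))
    if rel is None and NETWORK_RULES.get((dst_net, src_net)) == "route":
        rel = "route"
    return rel


def evaluate(rules, src_net, dst_net, protocol, user):
    """Return (action, reason). Traffic needs a network rule relating the
    two networks and an access rule that matches it; with no matching
    allow rule the verdict is deny, as under TMG's default policy."""
    if relationship(src_net, dst_net) is None:
        return "deny", "no network rule"
    for r in rules:  # first matching rule wins, in policy order
        if (r.from_net == src_net and r.to_net == dst_net
                and protocol in r.protocols
                and ("*" in r.users or user in r.users)):
            return r.action, r.name
    return "deny", "default rule"


# Constructed least-privilege policy: each VPN user reaches only what
# their role needs; everything else falls through to the default deny.
VPN_POLICY = [
    AccessRule("Sales CRM", "allow", frozenset({"HTTPS"}),
               "VPN Clients", "Internal", frozenset({"alice"})),
    AccessRule("Admin RDP", "allow", frozenset({"RDP"}),
               "VPN Clients", "Internal", frozenset({"bob"})),
]
```

With an empty rule list the function reproduces the out-of-the-box state in the table above: a VPN client can be routed to the Internal network, but every request is denied until an access rule is added.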

  • How to Configure VPN Address Assignment

    Configure static IP address assignment or DHCP

    Configure DNS and WINS servers using DHCP or manually

  • How to Configure VPN Authentication

    Configure EAP for additional security

    Configure less secure options only if required for client compatibility

    Accept the default for secure authentication

  • How to Configure Authentication Using RADIUS

    Enable RADIUS for authentication and accounting, and then configure a RADIUS server

  • How to Configure User Accounts for VPN Access

    Configure dial-in and VPN access permissions

  • How to Configure VPN Connections from a Client

  • Practice: Configuring VPN Access for Remote Clients

    Configuring VPN access on TMG

    Configuring user account dial-in permissions

    Configuring and testing a VPN client configuration

    (Lab diagram: Internet, TMG, DC, Mobile Client)