Best Technology Articles


Well yesterday a friend came to me and said that his USB drive was not working. I plugged it into my computer and my PC detected it but was unable to format it or access it. So I googled for a solution and found a tool called "On Belay", a shareware with some days before it asks for registration, so I decided to give it a try. There was a format button, and it detected the USB drive and formatted it, and it told me to plug out the USB and plug it back in, and when I plugged it back in the USB drive was working. Here is the link for the tool.

Download Link

The same day another friend came to me and said that his USB drive was not working. Well, now that I had the solution I tried the same tool again, but to my surprise it did not work. The message it gave was that there was no media present. Well, that gave me a shock and I googled again for another tool. I found two other tools; here they are.

HP Usb Drive Format Tool

HDD Low Level Format Tool

I tried the same and both of them did not work, with the same media message. I started googling again and finally I read about it in a forum that sometimes a power outage or extra power simply burns the USB chip, which is usually where the media is located. But one thing is still bugging me: if the chip has burnt, why is Windows still detecting it and showing it as a removable drive? Could somebody please explain that to me? I have also tried the manufacturer's tool too.

Try the following techniques to improve the performance of the VPN tunnel:

  1. On the client
    1. Increase CPU processing power.
    2. Eliminate or stop nonessential processes that use CPU time.
    3. Increase the bandwidth of the Internet connection by using direct access (cable/DSL) in place of dial-up connections, if possible.
  2. On the server
    To free memory, stop unnecessary proxy services on the firewall such as SQLNetd, NNTPd, and others.
Note: Disabling proxy daemons lessens the ability of the firewall to fully examine packets at the application layer and may lower the degree of security established on the system. Only disable proxy services if you are certain that they are not in use by the firewall either directly (for instance, DNSd) or indirectly (in rules). If you are not sure of the effect of disabling certain proxy services, consult a Technical Support representative before disabling them.
  3. Tunnel Parameters
    1. VPN Policy parameters
      1. Disable compression on the VPN Policy.
      2. Set rekey limits to their defaults (Data Volume: 2100000, Lifetime: 480, Inactivity: 0).
      3. If CPU power is a concern, you may also try a DES VPN Policy in lieu of a 3DES VPN Policy. Be aware that single DES uses a 56-bit key and offers far weaker protection than 3DES; make this trade only for traffic that can tolerate it.
    2. Disabling/enabling VPN tunnel use of the Proxy Services
      1. In most cases, a VPN Policy that uses the Proxy Services is only required when the administrator wishes to:
        1. Restrict access to services through the tunnel (for instance, only telnet is allowed through the tunnel), or
        2. Use NAT so that packets can return to the firewall (that is, the internal hosts behind the firewall/VPN server do not use the firewall/VPN server as their default gateway).
      2. If you do not need to restrict access to specific services through the tunnel (all ports and protocols are allowed through the VPN tunnel to the defined Local Entity of the Secure Tunnel), and NAT is not necessary because internal hosts use the firewall/VPN server as their default gateway, this setting can be disabled. However, if you wish to restrict services through the tunnel or must use the NAT feature of the firewall/VPN server, this setting must be enabled.
      3. To disable the Proxy Services feature, on the VPN Policy used by the tunnel, clear the "Pass Traffic from the Secure Tunnel to the Proxy Services (Required for NAT)" check box.
  4. Proxy Services
    There are several rule-based items you can analyze and change to improve the throughput of a VPN tunnel that uses the Proxy Services:
    1. Make the VPN rules as specific as possible (including Source, Destination, Out Via, and the Services). If possible, avoid multiple rules that match the same source, because the firewall scans the entire rule database to determine the "best fit" rule for each connection.
    2. If possible, avoid using "all*" as a service in rules; specify the individual services for the VPN rule instead.
    3. Disable "Log Normal Activity" (on the Miscellaneous tab). This stops the logging daemon from logging activity to which this rule applies. Keep in mind that you lose the audit trail for that rule's traffic.
    4. Disable "Application Data Scanning." Disabling this feature invokes the FastPath mechanism (HTTP) or the Kernel Proxy (all other Proxy services) for the services that apply to the specific rule, trading application-layer inspection for throughput. For information on FastPath and the Kernel Proxy, review the Firewall documentation provided with your product.
  5. Address Transforms
    If you need to use Address Transforms (the firewall/VPN server NAT functionality), try the following to improve performance:
    1. Use the "Use Gateway Address" option in the Address Transform in place of a NAT pool.
    2. Make the Address Transform specific to your VPN tunnel (the "best fit" method applies to Address Transforms as it does to rules; see item 4.1, above), and leave the default VPNTunnelExitTransform and VPNTunnelEntryTransform at their defaults.

Question/Issue:

Your client VPN tunnels are experiencing high latency or slower throughput than expected. For instance, file transfers through the VPN tunnel take extended periods of time, or client requests such as telnet or FTP receive slow responses.


Solution:
VPN Client performance depends on several factors including processor (CPU) power, levels of encryption, Internet connection bandwidth, and others. Use the following information to troubleshoot VPN performance issues:

The following items affect VPN performance:

On the client
    • CPU processing power of the client computer.
    • Bandwidth (speed) of the Internet connection.

On the server
    • CPU processing power of the firewall/VPN server.
    • The VPN Policy used for the tunnel: encryption and integrity level, data compression, and rekey intervals.
    • Proxy analysis of packets (configuration of rules to pass traffic to the Proxy Services).
    • NAT types, if used.
    • The patch level of the firewall/VPN server.

Chances are you're in the process of rolling out a new VPN client/server setup, or you're already managing one. Windows 2000 VPNs are fun to design and configure because there are so many options available. Spoke and hub or mesh? PPTP or L2TP/IPSec? VPN server or VPN gateway? Policy via user account or RAS policy? What's really great is that configuring VPN client/server setups is easy, in spite of the fact that you have so many options.

I was talking to a friend yesterday about a VPN he was setting up. He was very excited about the whole thing and spent over an hour telling me each and every detail of his design. During a breathless moment at the end of his story, I asked him if he planned to disable split tunneling for his VPN clients. He gave me a cross-eyed look and finally asked "what's split tunneling?"

What are you supposed to do when you haven't heard of something? Hit the TechNet CD! So we went to a computer with a TechNet CD on it and searched for "split tunneling". No results. Then we tried "split tunnel". Still nothing. Then we tried "'split' near ‘tunnel'". Still nothing. No wonder my friend had never heard of split tunneling. Clearly no one at Microsoft had heard of it either!

You can run into some real security problems with VPNs that allow split tunneling. The problem centers around VPN client configuration. The default Microsoft VPN client configuration is secure. That's because the default Microsoft VPN client configuration does NOT allow split tunneling. You only run into problems when you change the default setting. Sometimes you need to make this change, and sometimes the change is made to subvert network security.

Now what is this mysterious setting I'm talking about? It's the "Use default gateway on remote network" Option on the VPN client. This option appears in various places, depending on the version of Microsoft VPN client you're using. On a Windows XP Pro Computer, you'll find it this way:

1) Right click the My Network Places icon on the desktop and click Properties.

2) Right click on your VPN client connections in the Network Connections window and click Properties.

3) Click the Networking tab, and then click on the Internet Protocol (TCP/IP) entry and click the Properties button.

4) On the General tab of the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.

5) On the General tab of the Advanced TCP/IP Settings dialog box, note the "Use Default Gateway on Remote Network" option.

This is a significant setting. It makes the difference between a secure VPN client connection, and VPN clients that are hacker, virus, and worm gateways.


VPN Client Default Route

The "Use Default Gateway on Remote Network" option is enabled by default. When the VPN client connects to the VPN server, a new default route is created on the VPN client and appears in the VPN client's routing table. You can view this new route by opening a command prompt and typing the "route print" command. The new default route takes precedence over the default gateway that was set on the VPN client when the initial dial-up connection was established (assuming the VPN client connected to the ISP via a modem); the original route stays in the table, but with a higher metric. The default gateway is set to the ISP's router when a dial-up connection is used, which is what allows dial-up clients to access the Internet.

A VPN client with the "Use Default Gateway on Remote Network" setting enabled cannot access the Internet directly, because once the new default route is added the VPN client uses the VPN interface to route packets to all remote (non-local) networks. Since every network except the network ID assigned by the ISP to the modem interface is non-local, all such packets are forwarded to the VPN server through the client's VPN interface.

This is exactly what you want. You do not want VPN clients accessing your private network *and* the Internet at the same time. Allowing a VPN client to directly access the Internet and your internal network at the same time is like spraying nerve gas on your network security infrastructure. The reason for this is that the VPN client can become a gateway between the Internet and your private network.

You have a split tunnel configuration when you allow clients to connect to the VPN and the Internet at the same time. Split tunneling is enabled when the "Use Default Gateway on Remote Network" option is *disabled* for the VPN interface. Now you understand why split tunneling can be so toxic to network security.
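Both of the checks the article describes, the client-side setting and the routing table, can be scripted so you do not have to click through dialog boxes on every machine. The following is an added example, not code from the original article. It parses a constructed excerpt of the per-user RAS phonebook (on Windows XP this is %APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk, where each connectoid is an INI-style section and the "Use default gateway on remote network" checkbox is stored as IpPrioritizeRemote=1) and flags entries that have it cleared, and it parses a constructed "route print" excerpt to list every default route by metric so you can see which interface actually wins. The entry names, addresses and metrics in the samples are made up for the example.

```python
"""Check a Windows RAS phonebook and a routing table for split tunneling.

Added example (not from the original article). Two checks:
  1. parse rasphone.pbk and flag entries whose IpPrioritizeRemote key is 0,
     i.e. "Use default gateway on remote network" is cleared (split tunnel);
  2. parse `route print` output and report every default (0.0.0.0/0) route
     ordered by metric, so you can see which interface really wins.
The phonebook and route table below are constructed samples.
"""
import re

# Constructed rasphone.pbk excerpt (per-user phonebook on XP lives under
# %APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk).
SAMPLE_PBK = """\
[Corp VPN]
Encoding=1
Type=2
IpPrioritizeRemote=1
PhoneNumber=vpn.example.com

[Lab VPN]
Encoding=1
Type=2
IpPrioritizeRemote=0
PhoneNumber=lab.example.com
"""

# Constructed `route print` excerpt taken while a tunnel is up: the VPN
# assigned 10.0.0.50 and installed a metric-1 default route; the ISP route
# via 192.168.1.1 is still present but was bumped to a higher metric.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.0.0.50       10.0.0.50       1
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.23      21
      192.168.1.0    255.255.255.0     192.168.1.23    192.168.1.23      20
Default Gateway:         10.0.0.50
"""


def parse_pbk(text):
    """Return {entry_name: {key: value}} from INI-style phonebook text."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            entries[current][key.strip()] = value.strip()
    return entries


def split_tunnel_entries(pbk_text):
    """Names of entries with 'Use default gateway on remote network' cleared.

    A missing IpPrioritizeRemote key is treated as the Windows default (1).
    """
    return [name for name, keys in parse_pbk(pbk_text).items()
            if keys.get("IpPrioritizeRemote", "1") == "0"]


# One `route print` row for the default route: dest, mask, gateway, interface, metric.
_DEFAULT_ROUTE = re.compile(r"^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def default_routes(route_text):
    """Return [(gateway, interface, metric)] for every 0.0.0.0/0 route, lowest metric first."""
    routes = []
    for line in route_text.splitlines():
        m = _DEFAULT_ROUTE.match(line)
        if m:
            routes.append((m.group(1), m.group(2), int(m.group(3))))
    return sorted(routes, key=lambda r: r[2])


def tunnel_owns_default_route(route_text, vpn_address):
    """True if the best (lowest-metric) default route leaves via the VPN interface address."""
    routes = default_routes(route_text)
    return bool(routes) and routes[0][1] == vpn_address


if __name__ == "__main__":
    print("Split-tunnel entries:", split_tunnel_entries(SAMPLE_PBK))
    for gw, iface, metric in default_routes(SAMPLE_ROUTE_PRINT):
        print(f"default via {gw:<15} on {iface:<15} metric {metric}")
    print("VPN owns default route:",
          tunnel_owns_default_route(SAMPLE_ROUTE_PRINT, "10.0.0.50"))
```

On a real client, replace the constructed samples with the contents of rasphone.pbk and the output of "route print" while the tunnel is up. An entry reported as split-tunnel, or a best default route that is not on the VPN interface while the tunnel is connected, is exactly the condition the article warns about.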

Installing and Configuring a Windows Server 2003 Enterprise Certification Authority

Certification Authorities (CAs) issue certificates for a number of different purposes. In the context of your ISA Server firewall/VPN server, a CA can provide a certificate that allows:

  • L2TP/IPSec VPN connections from VPN clients

VPN clients can establish L2TP/IPSec connections to the ISA Server firewall/VPN server. A machine certificate is required to create the IPSec encrypted tunnel.

  • L2TP/IPSec VPN connections from VPN gateways (VPN routers)

Remote VPN gateways can call the ISA Server firewall/VPN server and establish a gateway-to-gateway link. VPN gateways act as VPN routers and allow packets to be routed between networks through the VPN tunnel established between the VPN gateways.

  • L2TP/IPSec VPN connections to VPN servers

The ISA Server firewall/VPN server may need to establish a VPN client connection to a VPN server. For example, some Internet Service Providers require machines to establish a VPN connection with their own VPN server to obtain a public address for the ISA Server firewall/VPN server's external interface. In this case, the ISA Server firewall/VPN server is a VPN client to the ISP's VPN server.

  • Certificate-based user authentication using a certificate stored on the user machine

Users can obtain certificates and use those certificates to authenticate with the VPN server. The user certificate is stored on the user’s computer and a VPN connectoid (dial-up connection) can be configured to present this certificate during the PPP (in this case, EAP-TLS) user authentication process.

  • Certificate-based user authentication using a certificate stored on a Smart Card

A user certificate can be stored on a Smart Card. The user certificate is stored on a Smart Card and the VPN connectoid is configured to present the Smart Card certificate during the PPP (in this case, EAP-TLS) user authentication process.

A Microsoft Certificate Server can take on one of four roles:

  • Enterprise Root CA
  • Enterprise Subordinate CA
  • Stand-alone Root CA
  • Stand-alone Subordinate CA

A Microsoft Enterprise CA has the following characteristics:

  • The enterprise CA must be a member of a Windows 2000 or Windows Server 2003 Active Directory domain
  • The enterprise Root CA certificate is automatically added to the Trusted Root Certification Authorities node for all users and computers in the domain
  • User certificates can be issued that allow users to log on to the Active Directory domain using computer-stored certificates or certificates installed on Smart Cards
  • User certificates and the Certificate Revocation List (CRL) are stored in the Active Directory
  • In contrast to stand-alone CAs, an enterprise CA issues certificates via certificate templates that can be added and customized by the CA administrator
  • In contrast to the stand-alone CA, the enterprise CA confirms the credentials of the user requesting a certificate
  • The subject name (the name of the user or computer) on the certificate can be entered manually or automatically

We recommend that you install an Enterprise CA if:

  • You have an Active Directory domain, and/or
  • You require automatic deployment of certificates to users and computers

The enterprise CA is the ideal solution for any network with a Windows 2000 or Windows Server 2003 domain. All domain members can be assigned certificates via Group Policy based certificate autoenrollment. You can limit the scope of autoenrollment by assigning permissions to the certificate template used for autoenrollment. Users and computers that are not domain members can use the Web enrollment site to obtain certificates.

If you want to support certificate enrollment via Web enrollment site, then you must install the Internet Information Services World Wide Web service before installing Microsoft Certificate Services.

In this ISA Server 2000 VPN Deployment Kit document we cover the following procedures:

  • Installing the Internet Information Services 6.0 World Wide Web service (W3SVC) to support the enterprise CA Web enrollment site
  • Installing the Windows Server 2003 Certificate Services on a domain controller. The CA is installed as an enterprise CA.

* Note:
You can install an enterprise CA on any domain member. The machine does not need to be a domain controller.

Installing Microsoft Internet Information Services World Wide Web Service

Perform the following steps to install IIS 6.0 on the Windows Server 2003 member server or domain controller computer that will be the enterprise CA:

  1. Click Start, point to Control Panel and click Add or Remove Programs.
  2. Click the Add/Remove Windows Components button in the Add or Remove Programs window (figure 1).

Figure 1 (fig111)

  3. On the Windows Components window, click on the Application Server entry and click the Details button (figure 2).

Figure 2 (fig112)

  4. On the Application Server page, click on the Internet Information Services (IIS) entry and click the Details button (figure 3).

Figure 3 (fig113)

  5. In the Internet Information Services (IIS) dialog box, put a checkmark in the World Wide Web Service checkbox and click OK (figure 4).

Figure 4 (fig114)

  6. Click OK on the Application Server dialog box (figure 5).

Figure 5 (fig115)

  7. Click Next on the Windows Components dialog box (figure 6).

Figure 6 (fig116)

  8. Click Finish on the Completing the Windows Components Wizard page (figure 7).

Figure 7 (fig117)

Installing Microsoft Certificate Services

Perform the following steps to install and configure an enterprise CA on a Windows Server 2003 computer:

* Note:
You must install the enterprise CA on a member server or domain controller on your internal network.

  1. At a member server or domain controller in your internal network, log on as a domain administrator. Click Start, point to Control Panel and click Add or Remove Programs.
  2. In the Add or Remove Programs window (figure 8), click the Add/Remove Windows Components button.

Figure 8 (fig100)

  3. In the Windows Components dialog box (figure 9), click on the Certificate Services entry and click the Details button.

Figure 9 (fig101)

  4. In the Certificate Services dialog box, put a checkmark in the Certificate Services CA checkbox (figure 10). A Microsoft Certificate Services dialog box appears and informs you that you cannot change the machine name or the domain membership of the machine while it acts as a certificate server. Read the information in the dialog box and click Yes.

Figure 10 (fig102)

  5. Both the Certificate Services CA and Certificate Services Web Enrollment Support checkboxes are now checked (figure 11). Click OK in the Certificate Services dialog box.

Figure 11 (fig103)

  6. Click Next in the Windows Components dialog box (figure 12).

Figure 12 (fig104)

  7. Select the Enterprise root CA option on the CA Type page (figure 13). Click Next.

Figure 13 (fig118)

  8. On the CA Identifying Information page (figure 14), type in a Common name for this CA. The common name of the CA is typically the DNS host name or NetBIOS name (computer name) of the machine running Certificate Services. In this example, the name of the machine is WIN2003DC, so we enter WIN2003DC in the Common name for this CA text box. The default Validity Period of the CA's self-signed certificate is 5 years. Accept this default value unless you have a reason to change it. Click Next.

Figure 14 (fig106)

  9. On the Certificate Database Settings page (figure 15), use the default locations for the Certificate Database and Certificate Database Log. You do not need to specify a shared folder to store configuration information because this information will be stored in the Active Directory. Click Next.

Figure 15 (fig107)

  10. Click Yes on the Microsoft Certificate Services dialog box (figure 16) informing you that Internet Information Services must be temporarily stopped.

Figure 16 (fig108)

  11. Click Yes on the Microsoft Certificate Services dialog box (figure 17) informing you that Active Server Pages must be enabled on IIS if you wish to use the Certificate Services Web enrollment site.

Figure 17 (fig109)

  12. Click Finish on the Completing the Windows Components Wizard page (figure 18).

Figure 18 (fig110)

  13. Close the Add or Remove Programs window.

The Enterprise Certificate Authority is now installed and can issue certificates without requiring a machine restart.

For Windows to automatically log on a user account during the startup process, all of the following conditions must be met:

- The Welcome screen must be available
- Guest account access must be turned off
- There must be only one user account on the computer
- The user account must not have a password


Auto-Dial: Disconnect/Disable

Check your settings here:

Right click the My computer icon (Desktop), open Manage/Services and Applications/Services. In the right pane scroll down to Remote Access Auto Connection Manager and double click it. Use the Startup type drop box and choose Disabled.

Network Connections/Advanced/Dial-Up Preferences/Enable Auto-Dial by Location/Uncheck all locations and Always ask me before Auto-Dialing.

Also check all programs with a Notification Area icon (system tray) for an option to disable or not start at startup. Most can be unselected here: Start/Run/Msconfig/Startup and/or removed from here: Start/Run/Regedit

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Windows has the option to automatically dial your Internet Service Provider (ISP) to establish an Internet connection. This option can be controlled using this tweak.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Create a new binary value named "EnableAutodial", and set the new value to equal "01 00 00 00" to enable autodial or "00 00 00 00" to disable it.

Note: This restriction can be used either on a user by user basis by adding it to HKEY_CURRENT_USER or on a computer wide basis by adding it to HKEY_LOCAL_MACHINE.

To view the list of names and addresses recorded by AutoDial, type the following command at a command prompt: rasautou -s

To delete a name or address entry from the list: Start/Run/Regedit

HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses

You can delete any TCP/IP addresses that you see under this key. Note that AutoDial can use IP addresses, DNS fully qualified domain names (FQDN), and NetBIOS names.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To enable this option so that it is always checked, use the following steps to edit the registry:

1. Start Registry Editor (Regedt32.exe).
2. Locate and select the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. From the Edit menu, click Add Value, and type the following information:
Value Name: RasForce
Data Type: REG_SZ
Value: 1
NOTE: After you add this value, the Log on using dial-up connection option will be permanently selected. If the remote network is not available to authenticate your logon, then you will not be able to logon to the computer until one of the following conditions is met:
The remote network becomes available.
You use the Emergency Repair Disk (ERD).
You use another computer to edit the registry remotely and change the RasForce value from 1 to 0, which turns off the Log on using dial-up connection option.
NOTE: This will only be possible if the computer is also on a LAN. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

A VPN is a private network created over a public one. It is done with encryption: your data is encapsulated and protected in transit, which is what creates the 'virtual' tunnel. In other words, a VPN is a method of connecting to a private network across a public network such as the Internet. An Internet connection in a company is common, and an Internet connection at home is common too. With both of these, you can create an encrypted tunnel between them and pass traffic safely and securely.

If you want to create a VPN connection you will have to use encryption to make sure that others cannot read the data in transit while it traverses the Internet. Windows XP provides this using Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP). Both are tunneling protocols: they create the virtual tunnel just discussed. Note that the encryption comes from different places: PPTP encrypts with MPPE, while L2TP itself carries no encryption and relies on IPSec for it (hence L2TP/IPSec). PPTP's MS-CHAPv2 authentication and MPPE encryption are considered weak by today's standards, so prefer L2TP/IPSec where you can.

Configure a VPN with XP

If you want to configure a VPN connection from a Windows XP client computer you only need what comes with the Operating System itself, it's all built right in. To set up a connection to a VPN, do the following:

  1. On the computer that is running Windows XP, confirm that the connection to the Internet is correctly configured.
  • You can try to browse the Internet.
  • Ping a known host on the Internet, like yahoo.com, something that isn't blocking ICMP.
  2. Click Start, and then click Control Panel.
  3. In Control Panel, double-click Network Connections.
  4. Click Create a new connection in the Network Tasks task pad.
  5. In the Network Connection Wizard, click Next.
  6. Click Connect to the network at my workplace, and then click Next.
  7. Click Virtual Private Network connection, and then click Next.
  8. If you are prompted, select whether you will use a dial-up connection or a dedicated connection to the Internet via cable, DSL, T1, satellite, etc. Click Next.
  9. Type a host name, IP or any other description you would like to appear in the Network Connections area. You can change this later if you want. Click Next.
  10. Type the host name or the Internet Protocol (IP) address of the computer that you want to connect to, and then click Next.
  11. You may be asked whether you want to use a Smart Card or not.
  12. You are just about done; the remaining screens just verify your connection. Click Next.
  13. Select the Add a shortcut to this connection to my desktop check box if you want one; if not, leave it unchecked and click Finish.
  14. You are now done making your connection, but by default it may try to connect. You can try the connection now if you know it is valid; if not, just close it for now.
  15. In the Network Connections window, right-click the new connection and select Properties. Let's take a look at how you can customize this connection before it is used.
  16. The first tab you will see is the General tab. This covers the name of the connection, which you can also rename from the Network Connections window by right-clicking the connection and selecting Rename. You can also configure a "First connect", which means that Windows connects to the public network (like the Internet) before attempting the VPN connection. This is exactly when you would have configured the dial-up connection: you have to be connected to the Internet before you can encrypt and send data over it, and this setting makes sure that happens.
  17. The next tab is the Options tab, which has a lot you can configure. For one, you have the option to include a Windows logon domain; if you select this check box (unchecked by default), your VPN client will request Windows logon domain information when starting the VPN connection. You also have options here for redialing. Redial attempts are configured here if you are using a dial-up connection to get to the Internet; redialing is very handy because dropped lines are common.
  18. The next tab is the Security tab. This is where you configure basic security for the VPN client, set any advanced IPSec configuration and other security protocols, and require encryption and credentials.
  19. The next tab is the Networking tab. This is where you select which networking items are used by this VPN connection.
  20. The last tab is the Advanced tab. This is where you configure the firewall and/or connection sharing options.

Connecting to Corporate

Now that you have your XP VPN client all set up and ready, the next step is to attempt a connection to the Remote Access or VPN server set up at the corporate office. To use the connection follow these simple steps. To open the client again, go back to the Network Connections dialog box.

  1. Once you are in the Network Connections window, double-click the connection, or right-click it and select Connect from the menu. This initiates the connection to the corporate office.
  2. Type your user name and password, and then click Connect. The Properties button brings you back to what we just discussed: the settings for the VPN client you are using.
  3. To disconnect from a VPN connection, right-click the icon for the connection, and then click Disconnect.

Configuring the Windows Server 2003 ISA Server 2000/VPN Server

A Windows Server 2003/ISA Server 2000 computer uses the Routing and Remote Access Service (RRAS) to manage VPN connections. The ISA Server 2000 component creates packet filters to allow inbound and outbound VPN communications. Although the Routing and Remote Access Service controls and manages all VPN connections, ISA Server 2000 provides critical protection against attack. In addition, ISA Server provides easy to use Wizards that perform many of the complex RRAS and VPN configuration tasks for you.

You can create a co-located Windows Server 2003-based ISA Server firewall/VPN server by completing the following procedures:

  • Run the ISA Virtual Private Network Configuration Wizard
  • Customize the VPN Server configuration in the Routing and Remote Access to meet your unique requirements
  • Assign a machine certificate to the VPN server to support L2TP/IPSec connections

* Note:
This ISA Server 2000 VPN Deployment Kit document assumes that you have already installed Windows Server 2003 and ISA Server 2000 using the guidelines provided in ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server

Running the ISA Virtual Private Networking Configuration Wizard

The ISA Virtual Private Network Configuration Wizard starts the Routing and Remote Access service and configures the RRAS server to accept incoming PPTP and L2TP/IPSec VPN connections. The Wizard also creates ISA Server packet filters to allow incoming PPTP and L2TP/IPSec connections. If the Routing and Remote Access Service is already started, the Wizard will create the packet filters and configure the Routing and Remote Access Service to accept incoming PPTP and L2TP/IPSec VPN connections.

* Note:
While the Wizard configures RRAS to accept incoming L2TP/IPSec VPN connections, both the VPN client and VPN server must have machine certificates installed before an L2TP/IPSec link can be established. Please refer to the ISA Server 2000 VPN Deployment Kit VPN client configuration documents for information on how to assign the appropriate certificate to the VPN client.

Perform the following steps to run the ISA Virtual Private Network Configuration Wizard on the ISA Server machine:

  1. At the ISA Server 2000 machine, open the ISA Management console. Expand the Servers and Arrays node and then expand the server name. Right click on the Network Configuration node and click the Allow VPN client connections command (figure 1).

Figure 1 (Fig1)

  1. Click Next on the Welcome to the ISA Virtual Private Network Configuration Wizard page (figure 2).

Figure 2 (Fig2)

  1. You have three choices on the Completing the ISA VPN Server Configuration Wizard page (figure 3):

    • When you click the Details button you see the changes the Wizard makes to the Routing and Remote Access Service and to the ISA Server configuration.
    • The View help on how to configure the Routing and Remote Access Server option will bring up the RRAS Help File after the Wizard is finished so that you can learn more about how RRAS and VPN services work.
    • The View help on how to configure IP packet filtering brings up the ISA Server Help file after the Wizard is finished so that you can learn more about how ISA Server packet filtering works.

Fig3

  1. Click the Details button on the Completing the ISA VPN Server Configuration Wizard page (figure 3). This brings up the ISA Virtual Private Network (VPN) Server Summary page (figure 4). This page includes the details of the configuration changes made the to RRAS and ISA Server services. The Wizard makes the following changes:

    • Configure Routing and Remote Access Server as Virtual Private Network (VPN) Server.
    • Enforce secured authentication and encryption methods.
    • Open static packet filters to allow PPTP and L2TP over IPSEC protocols.
    • The number of ports available for clients to connect is 128, but this number can be changed from Routing and Remote Access console.

Figure 4 (Fig4)

  5. Click the Back button on the ISA Virtual Private Network (VPN) Server Summary page (figure 5). Put a checkmark in both the View help on how to configure the Routing and Remote Access Server and View help on how to configure IP packet filtering options. Then click Finish.

Figure 5 (Fig5)

  6. If the Routing and Remote Access Service has not been started on the ISA Server machine, the ISA Virtual Private Network (VPN) Wizard dialog box appears informing you that RRAS must be started before the VPN Wizard can continue. Click Yes to continue (figure 6).

Figure 6 (Fig6)

  7. The Routing and Remote Access service starts and the Microsoft Internet Security and Acceleration Server and Routing and Remote Access Help files open. At this time you can review the Help files for more information on how RRAS and packet filtering work. Close the Help files after reviewing this information.

Customizing the VPN Server Configuration

The ISA Server VPN Wizard has done most of the work. However, because not all network environments are the same, the changes the VPN Wizard makes might work for one organization but not for another. It’s important to review the VPN server related changes and confirm that they fit your networking environment.

Perform the following steps to review and customize your VPN configuration:

  1. Click Start, point to Administrative Tools and click on Routing and Remote Access (figure 7).

Figure 7 (Fig7)

  2. Expand the server name in the Routing and Remote Access console. Then right click on your server name and click the Properties command (figure 8).

Figure 8 (Fig8)

  3. The General tab is the first one you’ll see in the (local) Properties dialog box (figure 9). The VPN Wizard configures the RRAS server for both LAN and demand-dial routing and as a remote access server. The LAN routing component allows ISA Server to route packets between LAT interfaces (however, these routed packets are not subject to firewall policies). The demand-dial option allows ISA Server to create VPN gateway-to-gateway links that join entire networks over the Internet. The remote access server option allows the ISA Server machine to accept incoming VPN client connections.

Figure 9 (Fig9)

  4. Click on the Security tab. You have the following options on the Security tab (figure 10):

  • Authentication provider. The VPN server can authenticate using either Windows Authentication or RADIUS Authentication. Windows Authentication uses the local user account database on the ISA Server firewall/VPN server, and also the domain user database when the ISA Server belongs to the domain containing the user accounts or trusts the domain containing the user accounts. RADIUS Authentication allows the ISA Server firewall/VPN server to forward authentication requests to a RADIUS server. If you have a single ISA Server firewall/VPN server, then you should use Windows Authentication. If you have multiple ISA Server firewall/VPN servers, then you may want to consider using RADIUS Authentication. Please see the ISA Server 2000 VPN Deployment Kit document Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication for details on installing and configuring a RADIUS server and how to configure the ISA Server firewall/VPN server to use the RADIUS server.

  • Accounting provider. The VPN server can log connection requests to Windows RRAS-based log files when the Windows Accounting option is selected. The RADIUS Accounting option allows you to log to a RADIUS server. In almost all cases the Windows Accounting option is adequate for small and medium sized businesses.

  • Enable the Allow custom IPSec Policy for L2TP connection checkbox if you want to use L2TP/IPSec and do not or cannot use certificates. When this option is enabled, you can enter a pre-shared key that is used to create L2TP/IPSec connections with VPN clients. The L2TP/IPSec VPN clients must all use the same pre-shared key. PPTP using MS-CHAPv2 or EAP-TLS authentication is more secure than pre-shared key authentication. Only use pre-shared keys if you have a compelling reason to do so. Note that you can use both certificates and pre-shared keys concurrently: the pre-shared key can be used by clients that do not have certificates, while machine certificates are used when available.

Figure 10 (Fig10)

  5. Click on the Authentication Methods button. You can select the authentication methods you want to allow in the Authentication Methods dialog box. You should only allow Extensible authentication protocol (EAP) and Microsoft encrypted authentication version 2 (MS-CHAP v2). All 32-bit Microsoft VPN clients support MS-CHAP version 2, so there is no reason to allow other, less secure, PPP authentication methods (figure 11).

Figure 11 (Fig11)
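A read-only check that the Authentication Methods setting above has actually taken effect, added here as an example; it is not part of the Deployment Kit. It assumes PowerShell on the ISA Server firewall/VPN server and that the Windows command `netsh ras show authtype` prints each enabled PPP authentication type with its code (PAP, SPAP, MD5CHAP, MSCHAP, MSCHAPv2, EAP) as the first word of a line; the function names are the example's own.

```powershell
# Added example, not from the ISA Server 2000 VPN Deployment Kit.
# Assumption: "netsh ras show authtype" prints each enabled PPP authentication
# type with its code (PAP, SPAP, MD5CHAP, MSCHAP, MSCHAPv2, EAP) as the first
# word of a line. Run in PowerShell on the ISA Server firewall/VPN server.

$knownCodes = @('PAP', 'SPAP', 'MD5CHAP', 'MSCHAP', 'MSCHAPv2', 'EAP')
# The only two methods the text says to leave enabled (figure 11).
$allowedCodes = @('EAP', 'MSCHAPv2')

function Get-EnabledRasAuthTypes {
    # Returns the codes of the PPP authentication types RRAS currently accepts.
    $enabled = @()
    foreach ($line in (netsh ras show authtype 2>&1)) {
        # First whitespace-separated word of each line; header lines do not match.
        $first = ([string]$line).Trim() -split '\s+' | Select-Object -First 1
        foreach ($code in $knownCodes) {
            if ($first -ieq $code -and $enabled -notcontains $code) { $enabled += $code }
        }
    }
    return ,$enabled
}

function Test-RasAuthHardening {
    param([string[]]$Enabled = (Get-EnabledRasAuthTypes))
    # Anything outside EAP and MS-CHAP v2 is a weaker PPP method that should be off.
    $weak = @($Enabled | Where-Object { $allowedCodes -notcontains $_ })
    if ($weak.Count -gt 0) {
        Write-Warning ("Weak PPP authentication types still enabled: " + ($weak -join ', '))
        Write-Host "Clear them under Properties > Security > Authentication Methods in the"
        Write-Host "Routing and Remote Access console, leaving only EAP and MS-CHAP v2."
        return $false
    }
    if ($Enabled.Count -eq 0) {
        Write-Warning "No authentication types reported; check that RRAS is running."
        return $false
    }
    Write-Host ("OK: only " + ($Enabled -join ', ') + " enabled.")
    return $true
}

Test-RasAuthHardening
```

Re-run the check after any change in the Authentication Methods dialog box; a `$false` result means the server still accepts a method the text says to disable.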

  6. Click on the EAP Methods button. The EAP Methods dialog box shows what EAP methods can be used in remote access policies. The Smart Card or other certificate option appears after a certificate has been successfully installed on the ISA Server firewall/VPN server. Click OK in the EAP Methods dialog box. Click OK in the Authentication Methods dialog box (figure 12).

Figure 12 (Fig12)

  7. Click on the IP tab (figure 13). Make sure the Enable IP routing and the Allow IP-based remote access and demand-dial connections checkboxes are enabled.

In the IP address assignment frame, you have two options:

    • Dynamic Host Configuration Protocol (DHCP)
    • Static address pool

If you have a DHCP server on the same network segment (subnet) as the internal interface of the ISA Server firewall/VPN server, then you can select the Dynamic Host Configuration Protocol (DHCP) option. If you do not have a DHCP server on the directly connected network segment (subnet), you can create a Static address pool.

If you want to create a static address pool, click the Add button. In the New Address Range dialog box, type a Start IP address and an End IP address. Make sure you have enough addresses for all your VPN clients plus one for the ISA Server firewall/VPN server itself to use. Click OK in the New Address Range dialog box to save the static address pool.

Enable the Enable broadcast name resolution checkbox if you want your VPN clients to be able to resolve the NetBIOS names of the clients on the networks directly connected to the ISA Server. This is useful when the VPN client connects to small networks that have all their hosts on a single network segment directly connected to the ISA Server firewall/VPN server.

Click the down arrow for the Adapter drop down list box and select the internal interface of the ISA Server firewall/VPN server. When you use a static address pool, the ISA Server firewall/VPN server will assign the WINS and DNS server addresses configured on the internal interface to the VPN clients.

Figure 13 (Fig13)

  8. Click the Logging tab. Here you can configure a custom level of logging. The default setting is to Log errors and warnings only. This is appropriate for most situations. You can select the Log all events option and the Log additional Routing and Remote Access information (used for debugging) option if you need to troubleshoot problems with VPN connections. Click Apply. Click No in the Routing and Remote Access dialog box asking if you want to see more information on authentication methods (figure 14).

Figure 14 (Fig14)

  9. Right click on the Ports node in the left pane of the console and click the Properties command. This brings up the Ports Properties dialog box (figure 15). Click on either the WAN Miniport (PPTP) or WAN Miniport (L2TP) entry, then click the Configure button.

Figure 15 (Fig15)

  10. There are several important options in the Configure Device – WAN Miniport dialog box (figure 16):

  • Remote access connections (inbound only). This option allows VPN clients to make calls to the VPN server. If this option were not selected, VPN clients could not connect to the VPN server.
  • Demand-dial routing connections (inbound and outbound). This option allows the ISA Server firewall/VPN server to be a VPN router (VPN gateway) that can initiate a call to a remote gateway or receive a call from a remote gateway.
  • Maximum ports. Set the number of ports you require for each protocol. The number has no effect on the resources used on the ISA Server firewall/VPN server until a VPN connection is established.

Figure 16 (Fig16)

If you intend to use only PPTP with username and password based authentication, then you are done. You will not need to create a certificate server and you do not need to assign a certificate to the ISA Server firewall/VPN server or the VPN clients. However, if you wish to use the L2TP/IPSec VPN protocol to create VPN client/server and VPN gateway to gateway connections, then you need to assign a machine certificate to the ISA Server firewall/VPN server and VPN clients.

Assigning a Machine Certificate to the ISA Server firewall/VPN Server

The ISA Server firewall/VPN server requires a machine certificate before it can create L2TP/IPSec connections with VPN clients. There are several ways that you can assign a machine certificate to the ISA Server firewall/VPN server:

  • Via The Certificate Server Web Enrollment Site
  • Via the Certificates standalone snap-in MMC
  • Via Group Policy-based Autoenrollment

The Certificate Server Web Enrollment Site

The Web enrollment site requires that the Internet Information Server’s W3SVC be running on the Certificate Server. The certificate request is made via the browser interface and the certificate is obtained via the browser. The advantage of using the Web enrollment site is that the ISA Server firewall/VPN server does not need to belong to the internal network domain. The disadvantage is that a Web browser is installed and used on a firewall, which can be considered a security risk.

* Note:
The ISA Server 2000 VPN Deployment Kit documents Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA and Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Enterprise CA contain detailed information on how to obtain certificates via Web enrollment.

Group Policy-based Autoenrollment

Group Policy based autoenrollment allows you to deploy machine certificates automatically by configuring domain policy to assign machine certificates to all machines in the domain. The disadvantage of using Group Policy based autoenrollment is that the ISA Server firewall/VPN server must belong to the internal network domain, or you must create a domain for the ISA Server firewall/VPN servers to use that is separate from the user domain and then create a one-way trust between the ISA Server firewall/VPN server domain and the internal network domain that contains the users/groups you want to use for outbound and inbound access control.

* Note:
The ISA Server 2000 VPN Deployment Kit document Assigning Certificates to Domain Members via Autoenrollment in a Windows Server 2003 Active Directory Domain contains detailed instructions on how to configure Group Policy-based certificate autoenrollment.

The Certificates Standalone Snap-in

The Certificates snap-in allows you to use the Microsoft Management Console (MMC) interface to request and install a certificate directly from an enterprise Certificate Authority. The advantage of using the certificates MMC is that it’s very simple to request and install a machine certificate using the built-in Wizard. The disadvantage is that the ISA Server firewall/VPN server must belong to the same domain as the enterprise CA.

In the following discussion we assume the ISA Server firewall/VPN server is a member of the internal network domain and that the internal network domain has an enterprise Certificate Authority (CA) installed on a domain controller on the internal network. This is a typical configuration for a small or medium sized business. You can use the Certificates MMC standalone snap-in to request and bind a certificate to the ISA Server firewall/VPN server.

* Note:
You can also use autoenrollment to assign a machine certificate to the ISA Server firewall/VPN server when the ISA Server firewall/VPN server is a member of the internal network domain. If the ISA Server firewall/VPN server does not belong to the internal network domain, you can use the Web enrollment site. Please refer to the ISA Server 2000 VPN Deployment Kit documents noted above on obtaining a machine certificate via the Web enrollment site and autoenrollment.

Perform the following steps on ISA Server firewall/VPN server to request a machine certificate from an enterprise CA belonging to the same domain as the ISA Server firewall/VPN server:

  1. Click Start and click the Run command. Type mmc in the Open text box and click OK.
  2. In the Console1 console, click the File menu and then click the Add/Remove Snap-in command (figure 17).

Figure 17 (Fig17)

  3. In the Add/Remove Snap-in dialog box, click the Add button (figure 18).

Figure 18 (Fig18)

  4. In the Add Standalone Snap-in dialog box, click on the Certificates snap-in and click the Add button (figure 19).

Figure 19 (Fig19)

  5. Select the Computer account option on the Certificates snap-in page (figure 20). It’s very important that you select the Computer account option because the certificate must be assigned to the machine account (computer account). Click Next.

Figure 20 (Fig20)

  6. On the Select Computer page, select the Local computer option. Click Finish (figure 21).

Figure 21 (Fig21)

  7. Click the Close button in the Add Standalone Snap-in dialog box, and then click on the OK button in the Add/Remove Snap-in dialog box.
  8. In the Console1 console, right click on the Personal node in the left pane, point to All Tasks and click on the Request New Certificate command (figure 22).

Figure 22 (Fig22)

  9. Click Next on the Welcome to the Certificate Request Wizard page of the Certificate Request Wizard (figure 23).

Figure 23 (Fig23)

  10. You can see the certificate types available on the Certificate Types page. Note that in this example the only certificate type available is the Computer certificate. Click on the Computer certificate and click Next (figure 24).

Figure 24 (Fig24)

  11. On the Certificate Friendly Name and Description page, type in a Friendly name for the certificate and type in a Description of the purpose of the certificate (figure 25). The friendly name and the description have no effect on the functioning of the certificate, but they do help identify the reason you requested and installed the certificate. Click Next.

Figure 25 (Fig25)

  12. Review your settings on the Completing the Certificate Request Wizard page and click Finish (figure 26).

Figure 26 (Fig26)

  13. Click OK in the Certificate Request Wizard dialog box that informs you that the certificate request was successful (figure 27).

Figure 27 (Fig27)

  14. A new node, Certificates\Personal\Certificates, appears in the left pane of the console. You can see the machine certificate in the right pane of the console (figure 28).

Figure 28 (Fig28)

  15. Click Start, point to Administrative Tools and click on Routing and Remote Access. In the Routing and Remote Access console, right click on the server name in the left pane, point to All Tasks and click on the Restart command (figure 29). This will allow the Routing and Remote Access service to begin using the machine certificate to create L2TP/IPSec connections.

Figure 29 (Fig29)
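A check that the certificate requested in steps 1 to 14 ended up where RRAS can use it, followed by the same service restart as step 15; this is an added example, not part of the Deployment Kit. It assumes PowerShell on the ISA Server firewall/VPN server, that the enterprise CA issued the certificate (so it is not self-signed), and that the RRAS service is registered under the Windows service name RemoteAccess; the function names are the example's own.

```powershell
# Added example, not from the ISA Server 2000 VPN Deployment Kit. Assumes
# PowerShell on the ISA Server firewall/VPN server; function names are ours.

function Get-UsableMachineCertificate {
    # A certificate RRAS can use for L2TP/IPSec must live in the Computer
    # account's Personal store (Cert:\LocalMachine\My), have its private key,
    # be inside its validity period, and come from a CA (i.e. not self-signed).
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.NotBefore -le $now) -and ($_.NotAfter -gt $now) -and ($_.Subject -ne $_.Issuer)
    }
}

function Test-L2tpCertificateReadiness {
    $certs = @(Get-UsableMachineCertificate)
    if ($certs.Count -eq 0) {
        Write-Warning "No usable machine certificate in Cert:\LocalMachine\My; L2TP/IPSec will fail."
        # The mistake the snap-in procedure warns about (figure 20): choosing "My user
        # account" instead of "Computer account" puts the certificate in the user store.
        $userCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey })
        if ($userCerts.Count -gt 0) {
            Write-Warning "Certificates exist in the user store; re-request with the Computer account."
        }
        return $false
    }
    foreach ($c in $certs) {
        Write-Host ("Usable: subject={0}; issuer={1}; expires={2:yyyy-MM-dd}" -f $c.Subject, $c.Issuer, $c.NotAfter)
        # Expiry silently breaks L2TP/IPSec, so flag certificates close to it.
        if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning ("  expires within 30 days: " + $c.Thumbprint)
        }
    }
    return $true
}

if (Test-L2tpCertificateReadiness) {
    # Same effect as All Tasks > Restart in the Routing and Remote Access
    # console (figure 29): the service picks up the machine certificate on restart.
    Restart-Service -Name RemoteAccess -Force
}
```

The restart drops active VPN sessions, so run it in a maintenance window once the certificate check passes.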

The ISA Server firewall/VPN server is now ready to accept incoming PPTP and L2TP/IPSec calls from VPN clients. However, the default settings on the ISA Server firewall/VPN server prevent all users from creating a VPN connection with the server. The next step is to configure Remote Access (RAS) Permissions and Remote Access Policies. Please refer to ISA Server 2000 VPN Deployment Kit document Creating Routing and Remote Access Policy and Remote Access Permissions in Windows Server 2003 – Including EAP-TLS Authentication for PPTP and L2TP/IPSec Clients for complete instructions on how to configure RAS Permissions and Remote Access Policies.