Remote Access, Part II—VPNs and BackOffice Server

Remote network access has changed dramatically over the past few years. Administrators and network managers used to have to dial in to their systems over long-distance connections with expensive connect charges. Medium-size and large businesses typically used a system of owned or leased lines (which were private and available to only the companies that owned the lines) to manage these remote connections.

After the big Internet access explosion, VPNs began to appear. A VPN is a private data network that uses the public network infrastructure while ensuring security. VPNs use standard resources available to the public, rather than costly private resources, to give an organization the same capabilities as owned or leased lines at a much lower cost. Today, companies look to VPNs for extranet and wide-area intranet services.

VPNs encrypt data before sending it through the public infrastructure, then decrypt the data at the receiving end of the network. For additional security, you can encrypt originating and destination network addresses. The VPN provides a point-to-point connection between the remote user's computer, the VPN client, and the organization's server. In a sense, the public network's logistics don't matter because the data looks as if you sent it across a dedicated private link. Although the pathway doesn't matter to the VPN user, that pathway's performance does.

VPNs bring with them two performance concerns. First, users want assurance that their VPN solutions will deliver reliable and predictable service. Several potential solutions are under discussion at the Internet Engineering Task Force (IETF), including Differentiated Services (DiffServ), which would let you prioritize IP traffic, and multi-protocol label switching, which allows special treatment over the switched networks that underlie most ISPs. Second, the overhead of the encyption/decryption process reduces IP performance speed. Several manufacturers are making revisions to allow dedicated VPN devices that support wire-speed encryption, thus bypassing Windows 2000 VPN servers. Data compression and hardware encryption on special server NICs also alleviate the bottleneck that security over a VPN connection creates.

To use BackOffice Server 2000 as a VPN server, you must have a full-time VPN connection. You can create a dedicated VPN link with an existing network adapter or install a new card specifically for VPN use. Whichever you choose, the card must have a connection to the public infrastructure. BackOffice Server 2000 includes wizards that can help you set up the VPN, depending on the following firewall conditions:

  • If you use the Internet Security and Acceleration (ISA) Server 2000, which is part of BackOffice Server 2000, as a firewall between your local network and the VPN, use the ISA Server 2000 VPN Wizard to configure your VPN. The ISA Server 2000 VPN Wizard configures your connection so that everyday traffic from LAN users, as well as VPN traffic, can pass through the firewall.
  • If you aren't using a firewall, you can use the Routing and Remote Access Server (RRAS) Setup Wizard, which is native to Windows 2000 Server, to configure your server as a VPN server.
  • If you have another Win2K Server system available, you can make that system the VPN server. You must set up the VPN server machine as either a member server or an additional domain controller (DC) of the BackOffice Server domain to provide remote BackOffice Server 2000 access. You must also configure RRAS on the BackOffice Server system to point to, and use, the VPN server for remote access. All the above requirements for a VPN server also apply to this separate BackOffice Server system.

The following procedure configures RRAS to accept VPN connections without the ISA Server 2000 firewall. If you have a multi-homed machine (i.e., you have more than one network adapter), make sure each card connects to an active network segment. Otherwise, Win2K will configure the disconnected card to use a set of IP addresses that prevents Internet routing.

  1. Open the RRAS setup tool and select Start, Programs, Administrative Tools, Routing and Remote Access.
  2. By default, the active computer is your BackOffice Server system, but you can change the default by selecting Action, Add Server. Then, select All Routing and Remote Access Computers, and type the domain name of the server that you want to use. Click OK to add the new server.
  3. Choose the server you want to configure for VPN access in the console tree. Then, select Action, Configure and Enable Routing and Remote Access to start the RRAS wizard. Then, follow the prompts to set up the machine for VPN access.

If you use the ISA Server 2000 software as a firewall and you want to set up VPN access, follow these steps:

  1. Launch the BackOffice Server Management Console. Then, select Microsoft Internet Security and Acceleration Server, your computer, Network Configuration to access the Configure Network Connection taskpad.
  2. Click Configure VPN (Local) to start your VPN setup.
  3. Follow the on-screen instructions to configure ISA Server 2000 to accept VPN calls.
TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.