ABSTRACT
This project provides an introduction, research, theory, analysis, proposed solutions and a real-time implementation and study of Virtual Private Networking for Sun Infosys Ltd. It also sets out the structure of this document, which covers the concepts, theories and main terminology needed to understand and implement a Virtual Private Network.
Chapter 1 (Introduction) introduces the project proposal and the project implementation, and the presentation given to students and teachers after the submission of this documentation. The presentation will clarify and demonstrate my understanding of this project and my actual implementation of it.
Chapter 2 (Project Proposal) is the project proposal report completed in the previous module, which set out in theory how best to implement this project.
Chapter 3 (Literature Search) uses the relevant literature research to justify some of the aims and objectives.
Chapter 4 (Project Plan) discusses the project plan, which examines how and what I would like to implement.
Chapter 5 (Investigation and Result) describes the details of the experiments and investigations carried out.
Chapter 6 (A critical appraisal of the work done) examines the project in its entirety, with a critique of what was achieved, a discussion of the problems encountered and an examination of the validity of the method chosen to solve the problem.
Chapter 7 (Conclusion) states the purpose of the work and gives a concise summary of the project.
Chapter 8 (Suggestions for further work) discusses how I could have improved things.
Chapter 9 contains the References.
Chapter 10 contains the Appendix.
CONTENTS
Chapter 1 - INTRODUCTION ... 6
Chapter 4 - PROJECT PLAN ... 38
4.1 Step 1 ... 38
4.1 Step 2 ... 39
4.1 Step 3 ... 39
Chapter 5 -
Chapter 6 -
Chapter 7 - CONCLUSION ... 46
Chapter 8 -
REFERENCES ... 51
APPENDICES ... 55
APPENDIX A Implementation: Installing Windows Server 2003 ... 56
APPENDIX B Implementation: Installing ISA Server 2000 ... 63
APPENDIX C Implementation: Installing ISA Server Service Pack 1 ... 74
APPENDIX D Implementation: Installing Hotfix isahf255.exe ... 77
APPENDIX E Implementation: Installing Feature Pack 1 ... 80
APPENDIX F Implementation: Configuring the ISA Server 2000/VPN Server ... 82
APPENDIX G Implementation: Connecting to the VPN ... 100
ACKNOWLEDGEMENTS
I would like to thank the following people; without their help the completion of this project would not have been possible.
Special thanks to Peter Chalk, for all his help, guidance and encouragement.
Mr. Sri Adam, for letting me implement this project in his organization.
All my friends and family, for their help, support and suggestions.
All the final year BSc. Computer Networking students, for their feedback about this report.
Chapter 1 - Introduction
1.1 What the Project is about
This project is about Virtual Private Network technology and its implementation in a real working environment. It is my final year project implementation; I am a final year undergraduate student in BSc Hons. Computer Networking. The chosen topic for this project is a Virtual Private Network implementation for Sun InfoSys Ltd.
http://www.suninfosys.co.uk/
Sun InfoSys Ltd. is in the business of CCTV systems. It was established by IT and security experts to provide total security solutions to the retail business market. They provide security systems by integrating Information Technology with their digital and analogue CCTV systems. Sun InfoSys is the supplier and installer of various hardware (computers, printers, Point of Sale systems, digital Internet-enabled CCTV systems) and software (all types of software needed by EPOS, CCTV and client businesses) for retail businesses in the UK.
The company's aim is to add value in all areas of its involvement with customers, whether simply offering technical support, single hardware components or efficient security monitoring systems in the form of digital CCTV systems. They also provide a 24-hour digital CCTV remote monitoring facility.
[Figure: company departments: Customer Services, Accounts, Technical Support, Sales, Warehouse]
My motivation for this project is not only to enhance my knowledge of the complex but very rewarding and currently popular technology of Virtual Private Networking for an existing company, Sun InfoSys Ltd., but actually to implement the project in that company. This could bear fruit for me in the form of possible future job prospects with the company. I had to be able to liaise with the staff and establish a good rapport with them.
Furthermore, in this project I will also be developing a website covering this report; it will be available with this documentation, and I will publish the web address in the conclusion of this report.
Previously I worked for several years as a Network Engineer in Pakistan for several companies and designed, deployed, managed and troubleshot complex networks. I have also worked as a web developer and developed several websites for clients in Pakistan. Clearly I have a great interest in the field of Networking, and this is the sole reason for me taking up this degree to further my knowledge and career within this field.
By building a Virtual Private Network, I plan to cater to the company's current need to provide connectivity to its essential resources: the Managing Director, Mr. S. Peter Andy, is always on the move and needs to connect to company resources from various national and international venues, such as the UK and Taiwan, when holding meetings and presentations with his suppliers in Taiwan. He needs up-to-the-minute data about stock, current requirements, current problems and sales figures.
The company has a head office in the following location:
Head Office: No 8, Exmouth Rd. London, e17 7qq.
And also has a branch office in the following location:
Branch Office: No 772-776, Romford Rd., London e12.
The sales team need to travel to various organizations to give presentations and to convince potential clients; they frequently require on-the-move connections to resources such as sales figures, Sage, presentations, technical data, live demos and IP-based demonstrations of their digital CCTV systems.
The support team and the various installers and engineers require on-the-move access to technical resources, software, patches and contact information from the company and Sage when visiting client locations anywhere in London.
In light of the above data and information given to me, I propose a Virtual Private Network solution. This solution can be delivered on a UNIX system or on a Microsoft Windows based system.
There are three popular authentication methods supported by the Linux-based FreeS/WAN:
1) Raw RSA keys - for FreeS/WAN to FreeS/WAN connections only.
A raw RSA key is literally a long string of alphanumeric characters which encodes either a public or a private key. The public and private keys go together as a pair: only the holder of the private key can prove ownership of the matching public key.
2) X.509 certificates (which are essentially RSA keys in a glorified format)
X.509 certificates use the same encryption scheme as raw RSA keys, but wrap the key in a certificate. This allows a trust-inheritance scheme, and the certificates themselves contain useful supporting information. A certificate is represented as a file and can be encoded in many different ways (plain text, binary or combinations of the two), for example PEM, base64, PKCS#12, etc.
3) PSKs (pre-shared secret keys).
PSKs are not very secure at all. They are simply non-encrypted passphrases stored in plain text, e.g. my_secret_password. They help get a connection set up if easy authentication is wanted (they are the easiest of the three to set up), but they are insecure and should not be used in the long run.
Hardware requirements for the Linux FreeS/WAN solution:
The hardware requirements are pretty basic: a 32-bit machine capable of running Linux, with two NICs (network interface cards; one connected towards the Internet, the other connected to the clients).
Hardware requirements for the Windows Server 2003 / ISA Server 2000 solution:
Computer and processor: PC with a 133-MHz processor required; 550-MHz or faster processor recommended
Memory: 128 MB of RAM required; 256 MB or more recommended; 4 GB maximum
Hard disk: 1.25 to 2 GB of available hard-disk space
Drive: CD-ROM or DVD-ROM drive
Display: VGA or hardware that supports console redirection required; Super VGA supporting 800 x 600 or higher-resolution monitor recommended
3.1 What is VPN?
3.2
3.3 Types of VPN
3.4 Remote-Access VPN
3.5 Site-to-Site VPN
3.6 Extranet VPN
3.7 VPN Security
3.8 Firewalls
3.9 Encryption
3.10 IPSec
3.11 AAA Servers
3.12 VPN Technologies
3.13 VPN Concentrator
3.14 VPN-Optimized Router
3.15
3.16 Tunnelling
3.17 Carrier protocol
3.18 Encapsulating protocol
3.19 Passenger protocol
3.20 Tunneling: Site-to-Site
3.21 Tunnelling: Remote-Access
3.22
3.23
3.24
3.25 MPLS
3.1 What is VPN?
Cisco Definition:
http://www.cisco.com/warp/public/779/largeent/design/vpn.html
[ VPN is one of the most used words in networking today and has many different meanings.
The broadest definition of a VPN is 'any network built upon a public network and partitioned for use by individual customers'. This results in public frame relay, X.25, and ATM networks being considered as VPNs. These types of VPNs are generically referred to as Layer 2 VPNs. The emerging forms of VPNs are networks constructed across shared IP backbones, referred to as 'IP VPNs'. ]
My Definition:
Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.
3.2
Improve security
Improve productivity
Security
Reliability
Scalability
Network management
Policy management
3.3 Types of VPN:
1) Remote-Access VPN
2) Site-to-Site VPN
3) Extranet VPNs
3.4 Remote-Access VPN
My Definition:
Remote-access VPN, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company whose employees need to connect to the private network from various remote locations. Normally, a company that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a low-call or free number (0800, 0500, etc.) to reach the NAS and use their VPN client software to access the corporate network.
Image Source:
http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.pdf
3.7 VPN Security:
A well-designed VPN uses several methods for keeping your connection and
data secure:
1) Firewalls
2) Encryption
3) IPSec
4) AAA Server
3.8 Firewalls:
Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/f/firewall.html
[ (n.) A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. ]
There are several types of firewall techniques:
Packet filter: Looks at each packet entering or leaving the network and
accepts or rejects it based on user-defined rules. Packet filtering is fairly
effective and transparent to users, but it is difficult to configure. In addition, it
is susceptible to IP spoofing.
Application gateway: Applies security mechanisms to specific applications,
such as FTP and Telnet servers. This is very effective, but can impose
performance degradation.
Circuit-level gateway: Applies security mechanisms when a TCP or UDP
connection is established. Once the connection has been made, packets can
flow between the hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network. The
proxy server effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert.
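The packet-filter technique described above, as an added example that is not part of the original report: a small first-match rule engine that also shows the usual mitigation for the IP-spoofing weakness the text mentions, a rule that rejects anything arriving on the external interface while claiming an internal source address. The LAN range 192.168.0.0/16, the VPN server address 203.0.113.5 and the sample packets are constructed for the example.

```python
"""Stateless packet filter with first-match rules and an anti-spoofing check.

Constructed sample: the company LAN is 192.168.0.0/16 and the VPN server's
public address is 203.0.113.5 (both made up for this example).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

INTERNAL_NET = ip_network("192.168.0.0/16")   # constructed: the company LAN
VPN_SERVER = ip_network("203.0.113.5/32")      # constructed: public side of the VPN/ISA server


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "gre"
    dport: Optional[int]    # None for protocols without ports (GRE)


@dataclass(frozen=True)
class Rule:
    action: str                           # "accept" or "reject"
    iface: Optional[str] = None           # None in any field means "match anything"
    src_net: Optional[IPv4Network] = None
    dst_net: Optional[IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.src_net is None or ip_address(p.src) in self.src_net)
                and (self.dst_net is None or ip_address(p.dst) in self.dst_net)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# Rule order matters: the first match decides. The anti-spoofing rule comes first so
# that a packet arriving from the Internet with a forged internal source address is
# dropped before any "accept" rule could match it.
RULES: List[Rule] = [
    Rule("reject", iface="ext", src_net=INTERNAL_NET),
    # PPTP control channel (TCP 1723) and its GRE data channel, to the VPN server only
    Rule("accept", iface="ext", dst_net=VPN_SERVER, proto="tcp", dport=1723),
    Rule("accept", iface="ext", dst_net=VPN_SERVER, proto="gre"),
    # Internal hosts may go out
    Rule("accept", iface="int", src_net=INTERNAL_NET),
]


def evaluate(p: Packet, rules: List[Rule] = RULES) -> str:
    """Return the action of the first rule that matches; anything unmatched is rejected."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "reject"


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("ext", "192.168.1.5", "203.0.113.5", "tcp", 1723),   # spoofed internal source
        Packet("ext", "198.51.100.7", "203.0.113.5", "tcp", 1723),  # genuine remote VPN client
        Packet("ext", "198.51.100.7", "203.0.113.5", "gre", None),  # its GRE data channel
        Packet("ext", "198.51.100.7", "203.0.113.5", "tcp", 445),   # SMB straight from the Internet
        Packet("int", "192.168.1.5", "198.51.100.7", "tcp", 443),   # outbound web traffic
    ]
    for p in samples:
        print(p, "->", evaluate(p))
```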
3.9 Encryption
Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/e/encryption.html
[ The translation of data into a secret code. Encryption is the most effective
way to achieve data security. To read an encrypted file, you must have access
to a secret key or password that enables you to decrypt it. Unencrypted data is
called plain text; encrypted data is referred to as cipher text. ]
My Definition:
Encryption is the process of taking all the data that one computer is sending to
another and encoding it into a form that only the other computer will be able to
decode. Most computer encryption systems belong in one of two categories:
Symmetric-key encryption
Public-key encryption
3.10 IPSec
My Definition:
Internet Protocol Security Protocol (IPSec) provides enhanced security
features such as better encryption algorithms and more comprehensive
authentication.
Image Source:
http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.pdf
IPSec has two encryption modes: tunnel and transport. Tunnel mode encrypts both the header and the payload of each packet, while transport mode encrypts only the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key, and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as:
Router to router
Firewall to router
PC to router
PC to server
3.11 AAA Servers
My Definition:
AAA (authentication, authorization and accounting) servers are used for more
secure access in a remote-access VPN environment. When a request to
establish a session comes in from a dial-up client, the request is proxied to the
AAA server. AAA then checks the following:
The accounting information is especially useful for tracking client use for
security auditing, billing or reporting purposes.
3.16 Tunnelling
My Definition:
Most VPNs rely on tunnelling to create a private network that reaches across the Internet. Essentially, tunnelling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and by both points, called tunnel interfaces, where the packet enters and exits the network.
To explain and simplify the process of tunnelling I will give an example. It's like having a mobile phone delivered by Royal Mail. The mobile phone company packs the mobile phone (passenger protocol) into a box (encapsulating protocol), which is then put on a Royal Mail delivery truck (carrier protocol) at the mobile phone company's warehouse (entry tunnel interface). The truck (carrier protocol) travels over the motorways (Internet) to the customer's home (exit tunnel interface) and delivers the mobile phone. The customer opens the box (encapsulating protocol) and removes the mobile phone (passenger protocol). That's called tunnelling. Simple!
3.17 Carrier protocol
3.18 Encapsulating protocol
3.19 Passenger protocol
being carried
Tunneling has several nice uses for VPNs. For example, a packet that uses a
protocol not supported on the Internet (such as NetBeui) can be placed inside
an IP packet and sent safely over the Internet. Or a packet that uses a private
(non-routable) IP address can be put inside a packet that uses a globally unique
IP address to extend a private network over the Internet.
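The IPSec modes of section 3.10 and the tunnelling walkthrough above, as an added example that is not part of the original report: the code builds the same UDP datagram first in ESP transport mode (original IP header kept, payload protected) and then in ESP tunnel mode (whole inner packet as the passenger, ESP as the encapsulating protocol, a new outer IP header as the carrier), and reports which addresses an observer on the Internet can still read. The private and public addresses, the SPI and the payload are constructed for the example; no real cipher is applied, the functions only separate cleartext bytes from the bytes ESP would encrypt.

```python
"""ESP packet layout in IPsec transport mode and tunnel mode.

Constructed sample: a UDP datagram from private host 192.168.1.10 to private host
192.168.2.20. In transport mode the hosts talk to each other directly; in tunnel
mode two VPN gateways with public addresses 203.0.113.1 and 198.51.100.1 carry it.
No cipher is applied: the functions only separate the bytes that stay in the clear
from the bytes ESP would encrypt (the ESP payload and trailer).
"""
import socket
import struct

IPPROTO_IPIP = 4     # ESP "next header" value for an encapsulated IPv4 packet
IPPROTO_UDP = 17
IPPROTO_ESP = 50


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum of an IPv4 header (RFC 791)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header with the checksum left at zero (allowed over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp_wrap(spi: int, seq: int, inner: bytes, next_header: int):
    """Return (esp_header, protected_region).

    The 8-byte ESP header (SPI, sequence number) travels in the clear; the inner
    data plus the ESP trailer (padding, pad length, next header) is what the
    cipher would cover.
    """
    pad_len = (-(len(inner) + 2)) % 4          # pad so the trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq), inner + trailer


def transport_mode(src, dst, spi, seq, udp):
    """Transport mode: the original IP header is kept, only the payload is protected."""
    esp_hdr, protected = esp_wrap(spi, seq, udp, IPPROTO_UDP)
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, len(esp_hdr) + len(protected))
    return {"clear": ip_hdr + esp_hdr, "protected": protected}


def tunnel_mode(inner_src, inner_dst, gw_src, gw_dst, spi, seq, udp):
    """Tunnel mode: the whole inner packet (header and payload) is the passenger,
    ESP is the encapsulating protocol, and a new outer IP header is the carrier."""
    inner_pkt = ipv4_header(inner_src, inner_dst, IPPROTO_UDP, len(udp)) + udp
    esp_hdr, protected = esp_wrap(spi, seq, inner_pkt, IPPROTO_IPIP)
    outer = ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp_hdr) + len(protected))
    return {"clear": outer + esp_hdr, "protected": protected}


def observer_view(pkt):
    """What someone on the Internet path can read: outer addresses, protocol, and sizes."""
    hdr = pkt["clear"][:20]
    return (socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]),
            hdr[9], len(pkt["clear"]), len(pkt["protected"]))


def address_in_clear(pkt, addr: str) -> bool:
    """True if the given address appears outside the protected region."""
    return socket.inet_aton(addr) in pkt["clear"]


if __name__ == "__main__":
    udp = udp_datagram(40000, 1433, b"SELECT stock FROM sales")     # constructed payload
    tm = transport_mode("192.168.1.10", "192.168.2.20", 0x1001, 1, udp)
    tn = tunnel_mode("192.168.1.10", "192.168.2.20",
                     "203.0.113.1", "198.51.100.1", 0x1001, 1, udp)
    print("transport mode:", observer_view(tm),
          "private address visible:", address_in_clear(tm, "192.168.1.10"))
    print("tunnel mode   :", observer_view(tn),
          "private address visible:", address_in_clear(tn, "192.168.1.10"))
```

Transport mode leaves the private end-host addresses readable on the Internet, whereas tunnel mode exposes only the two gateway addresses, which is exactly what lets a non-routable private network be extended across the Internet.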
Each of the protocols listed below was built using the basic structure of PPP and is used by remote-access VPNs.
L2TP merges the best features of two other tunneling protocols: PPTP from
Microsoft and L2F from Cisco Systems. Like PPTP, L2TP requires that the
ISP's routers support the protocol. ]
L2TP is the product of a partnership between the members of the PPTP
Forum, Cisco and the IETF (Internet Engineering Task Force). Combining
features of both PPTP and L2F, L2TP also fully supports IPSec.
L2TP can be used as a tunneling protocol for site-to-site VPNs as well as
remote-access VPNs. In fact, L2TP can create a tunnel between:
3.25 MPLS:
** Note: the MPLS information and description is taken from the following article.
Resource: The MPLS FAQ - MPLS-RC - The MPLS Resource Center
http://www.mplsrc.com/mplsfaq.shtml
Copyright 2000-2004, MPLSRC.COM **
MPLS History
a. What is MPLS?
MPLS stands for "Multiprotocol Label Switching". In an MPLS network,
incoming packets are assigned a "label" by a "label edge router (LER)".
Packets are forwarded along a "label switch path (LSP)" where each "label
switch router (LSR)" makes forwarding decisions based solely on the contents
of the label. At each hop, the LSR strips off the existing label and applies a
new label which tells the next hop how to forward the packet.
There's no such thing as a single MPLS "standard". One day there will be a
set of RFCs that together will allow you to build an MPLS system. For
example today, a typical IP router spec. sheet will list about 20 RFCs to which
this router will comply. If you go to the IETF web site (http://www.ietf.org),
then click on "I-D Keyword Search", enter "MPLS" as your search term, and
crank up the number of items to be returned, (or visit
http://www.mplsrc.com/standards.shtml) you'll find over 100 drafts currently
stored. These drafts have a lifetime of 6 months. Some of these drafts have
been adopted by the IETF WG for MPLS.
Further reading:
Additional information on MPLS:
For articles, papers, and additional resources, see the MPLS Resource Center
at http://www.mplsrc.com
**
 | START DATE | FINISH DATE
Abstract | 17/02/2005 | 22/02/2005
Introduction | 24/02/2005 | 24/02/2005
 | 25/02/2005 | 03/03/2005
 | 04/03/2005 | 28/04/2005
 | 29/04/2005 | 18/05/2005
Web Site | 19/05/2005 | 20/05/2005
Article | 20/05/2005 | 20/05/2005
5.1 Virtual Private Networking using hardware based tools and technologies.
5.2 Virtual Private Networking using software based tools and technologies.
5.3 Protocol Selection
5.4 Performance needs
5.5 IP Address Planning
5.6 ISP Evaluation
5.7 Installing and configuring ISA Server 2000 on Windows Server 2003 for Remote VPN
In my investigation I found that they need 5 static IP addresses, which should be purchased from their ISP: one for the remote connection capability, one for backup purposes, another for network allotment and the remaining two for future requirements such as a Windows Media server, as they are planning to do webcasting for some of their customers.
5.7 Installing and configuring ISA Server 2000 on Windows Server 2003 for Remote VPN:
I installed and configured a Windows Server 2003 machine (partitioning the hard drive, formatting the hard drive, etc.) for the purpose of VPN. See Appendix A for the detailed procedures.
After this step I followed the excellent articles and help available in abundance from Microsoft and on the Internet on how to install and configure VPN on Microsoft Windows Server 2003.
I installed ISA Server 2000 because it was cheap, offered everything that this project required and was fairly easy to deploy. See Appendices B, C, D, E and F.
The articles can be found at:
[ http://www.microsoft.com/ ]
[ http://www.microsoft.com/isaserver/default.mspx ]
Chapter 6 - A critical appraisal of the work done
The work done in this project was an analysis of the current situation at Sun InfoSys Ltd. and coming up with solutions; the solution I followed for implementation was a real-time implementation of Virtual Private Networking. I decided to follow the software based route rather than the hardware based route because of the company's budget and size considerations. I eventually did manage to implement the solution and generally had a most pleasant time doing so.
I encountered problems in communicating with the company to make them aware of the demands of this project. I found it quite a difficult task to communicate with non-technical management about such a technical task. I think I should improve my project management skills, which would have enabled me to communicate effectively and on their level. Point noted!
Looking back at the work that I carried out, I could have tried to implement this solution on a Unix platform, but I still think that the time frame required to complete it would have exceeded the time frame given by the company and hence would have invalidated this research; however, the really low cost involved in deploying Unix based solutions is quite enticing for companies. In the end I am satisfied that I chose the right solution, and the company is satisfied as well.
Website: http://www.rashidkhan.co.uk
Chapter 7 - Conclusion
I developed a Website for this project and it can be found at:
http://www.rashidkhan.co.uk/
When Microsoft released Windows 2000 in the year 2000, it caused a stir in the industry by announcing that Windows 2000 would offer Virtual Private Networking. There were several concerns and complaints in the industry, for example that Microsoft's implementation adds data overhead and slows down transaction processing, and whether established VPN products from other vendors would work with Microsoft's technology.
"If you're using IP, we don't see the reason to use L2TP," comments Iris Tal [see
CNN], RadGuard's technical support manager. "It only causes overhead for network
traffic because it's 'double-tunneling.' But because of Microsoft's L2TP client
software, I'm sure we'll do the support for it in our product."
Many VPN vendors have opposed Microsoft's VPN implementation, complaining that it adds data overhead and slows down transaction processing. On the other hand, some companies, such as Check Point Software and Newbridge Networks, acknowledge that they cannot afford to ignore the hundreds of thousands of desktops that will probably end up running Microsoft's new software. This fact is by far the most significant and crucial and has to be taken into account, as most companies already have a Microsoft environment in place, and this is the scenario at Sun InfoSys Ltd as well.
Another point I noted is that since releasing Windows 2000, Microsoft has progressed, updated and made advanced changes in its Windows Server 2003 operating system.
I held several meetings with Mr. Andy, the managing director, the sales team, the support team and the technicians, and visited both the head office and the branch office. I took an inventory of the existing hardware [see Project Plan], computer systems, budget and the time frame required. Their budget was simply low and literally spelt out that I must use the existing systems.
I had proposed two options in my Project Proposal, but the UNIX based proposal was declined due to their low budget and their inability to adopt an abrupt system-wide change of operating systems, especially since everything was already functioning and in place. A key point to note here is that they already had Windows Server 2003 on their server, so they did not need to purchase it. Consequently these facts made the Windows based solution the winning choice.
I found that installing Microsoft's ISA Server 2000 and using it to its full potential is quite a complicated and difficult task to perform, even though it might look simple. The minute intricacies and planning procedures involve a great deal of time and effort and, if miscalculated or carried out improperly, can result in complete failure and double the time frame required for implementation.
The related personnel were briefed and shown how to use the new system to its full potential. It took a bit of time and effort on my behalf: I gave them instructions on how to connect to their VPN [see Appendix G] and how to carry out their related tasks of managing the warehouse, despatch, sales and technical support remotely. It was not an easy task, as this was quite a new and complex task for them to grasp, but it was not a major issue and eventually it was overcome by trying and trying again.
This placement has had many positive effects on me. I have learnt a lot, for example how to communicate, how to analyze problems, how to analyze company expectations and how to come up with various solutions that might be possible and feasible. I found that planning things, taking personal notes and being highly observant and determined at all times really does help.
Author: Rashid Khan
After this work placement I am able to identify with the real-life professional work environment. I am able to organize myself, face challenges and complete personal and professional milestones.
I have concluded that this company did benefit enormously from a Virtual Private Network, because they have made gains in managing their resources, which shows in their sales figures and in better customer feedback, made possible by better-informed technical support staff who are in touch all the time. This project was also successful partly because they already had most of the infrastructure in place, most importantly the Windows Server 2003 operating system software. That was definitely a deciding factor for the management in taking up my Windows based solution, as they did not have to incur extra cost in procuring any other operating system software or the expertise to maintain it.
I am very pleased with the outcome of this project and so is the company. The project was well managed and finished on time with a small budget. A nice possible outcome for me could be that they might even offer me a permanent position in their company.
Chapter 8 - Suggestions for further work
The project can be implemented using the Unix operating system at a much cheaper scale and in a surprisingly more secure manner, but the downside is that the time frame required to install, configure and deploy such an option is often too long for an organization.
Another fact is that organizations generally do not have Unix administrators and find them costly to obtain. If Sun InfoSys Ltd.'s company size and operations increase twofold, then I would suggest implementing a Unix solution and hiring a Unix administrator to maintain the network.
The benefits and advantages of a UNIX based solution are that it is a cheaper option to procure and implement than the more proprietary Windows based solutions from Microsoft, it is more effective on a larger scale and it offers more stability and security. The biggest advantage of the UNIX platform is its security, since the Microsoft platform is plagued by security loopholes, viruses, hacking, bugs, patches, etc., hence not offering the stability a larger organization would require to keep its operations up and running all the time.
Another advantage of the UNIX environment is that it does not require expensive new hardware or upgrades to run and can run on an old, cheaper computer. It offers more speed.
The UNIX operating system was originally adopted by big financial institutions such as banks, which required ultimate security and stability as they have huge amounts of money and consumer confidentiality at stake. UNIX was written with these requirements in mind, so it uses less memory and hardware; furthermore, it is a centralized operating system with one source being accessed by thousands of users simultaneously.
With all the above in mind, my suggestion for further work would be to research a solution offering Virtual Private Networking under a UNIX platform rather than the Microsoft platform. Just like Microsoft Windows, UNIX is an operating system, but it is more stable and secure; to implement Virtual Private Networking there are applications that can be installed and configured, namely the Apache Tomcat server, which is very similar to the Microsoft Internet Information Server (IIS). The Apache server can then be configured to offer Virtual Private Networking via third-party software.
One key point is to consider the organization's size and its budget when implementing a solution. At the time this organization had a very low budget but also a small organization size. In my opinion a UNIX based solution would not have been feasible because of underlying factors, namely the expensive staff needed to manage and monitor UNIX. Because UNIX is generally used in big financial organizations, they have a complex structure that is quite difficult to manage and requires expert UNIX staff to maintain their facilities. These staff work in highly paid positions and would not consider working in a smaller organization such as Sun InfoSys Ltd. with lower wages.
Therefore I would only recommend such a UNIX based solution when this company expands and increases in size exponentially, as only then will it have adequate resources to justify the expensive labour.
Chapter 9 - References
Sun InfoSys Ltd.
http://www.suninfosys.co.uk/
Email: sp@suninfosys.co.uk
Head Office: No 8, Exmouth Rd. London, e17 7qq.
Branch Office: No 772-776, Romford Rd., London e12.
Telephone: 0044 0870 609 2363
[Microsoft1] Joseph Davies and Elliot Lewis, Deploying Virtual Private Networks with Microsoft Windows Server 2003. Microsoft Press, 2004 (496 pages). ISBN 0735615764.
[Microsoft2] Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security. Resource: http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/nwpriv.asp
[CNN] Windows 2000 VPN technology causes stir. Resource: http://archives.cnn.com/2000/TECH/computing/01/12/vpn.stir.idg/index.html
[Shuttle] Shuttle XPC Workstations. Resource: Shuttle, http://eu.shuttle.com/en/desktopdefault.aspx/tabid-72/169_read-2791/
[Fujitsu-Siemens] Fujitsu-Siemens Server. Resource: Fujitsu-Siemens, http://www.fujitsusiemens.co.uk/sme/promos/intel_servers/primergy_tx200s2.html
[Cisco1] Virtual Private Network Design. Resource: Cisco, http://www.cisco.com/warp/public/779/largeent/design/vpn.html
[Cisco2] Remote Access VPNs. Resource: Cisco, http://www.cisco.com/warp/public/779/largeent/design/remote_vpn.html
[Cisco3] Site-to-Site VPNs. Resource: Cisco, http://www.cisco.com/warp/public/779/largeent/design/intranet_vpn.html
[Cisco4] Extranet VPNs. Resource: Cisco, http://www.cisco.com/warp/public/779/largeent/design/extranet_vpn.html
[Cisco5] Cisco IPSec White Paper. Resource: Cisco, http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.pdf
[Webopedia1] Firewalls. Resource: Webopedia, http://www.webopedia.com/TERM/f/firewall.html
[Webopedia2] Encryption. Resource: Webopedia, http://www.webopedia.com/TERM/e/encryption.html
[Webopedia3] IPSec. Resource: Webopedia, http://www.webopedia.com/TERM/I/IPsec.html
[Webopedia4] AAA Servers. Resource: Webopedia, http://www.webopedia.com/TERM/A/AAA.html
[Webopedia5] Tunnelling. Resource: Webopedia, http://www.webopedia.com/TERM/t/tunneling.html
[Webopedia6] L2F (Layer 2 Forwarding). Resource: Webopedia, http://www.webopedia.com/TERM/L/Layer_Two_Forwarding.html
[Webopedia7] PPTP (Point-to-Point Tunneling Protocol). Resource: Webopedia, http://www.webopedia.com/TERM/P/PPTP.html
[Webopedia8] L2TP (Layer 2 Tunneling Protocol). Resource: Webopedia, http://www.webopedia.com/TERM/L/L2TP.html
[MPLS1] The MPLS FAQ - MPLS-RC - The MPLS Resource Center. Copyright 2000-2004, MPLSRC.COM. http://www.mplsrc.com/mplsfaq.shtml
[MPLS2] The MPLS Resource Center. Resource: http://www.mplsrc.com/
[VPNC] Virtual Private Network Consortium. Resource: http://www.vpnc.org
[VPN Whitepapers] Virtual Private Network White Papers. Resource: http://www.vpnc.org/white-papers.html
[Adtran] Understanding Virtual Private Networking, from ADTRAN. Resource: http://www.adtran.com/adtranpx/Doc/0/EU0GPR0PEFB139RF038BE81ID8/EU0GPR0PEFB139RF038BE81ID8.pdf
[FreeS/WAN] http://www.freeswan.org/
[Linux] Resource: http://www.samag.com/documents/s=4072/sam0203c/sam0203c.htm
APPENDICES
APPENDIX A
APPENDIX B
APPENDIX C
APPENDIX D
APPENDIX E
APPENDIX F
APPENDIX A
Implementation Installing Windows Server 2003
WEBSITE:
http://www.rashidkhan.co.uk/
AND ALSO AVAILABLE ON CD
INSTALLING WINDOWS SERVER 2003
I didn't need to make any changes to the system locale etc. and just pressed Next.
Setup then copied the necessary files from the installation CD.
I was then prompted to enter a name, an organization name, the product key, the
appropriate license type and the number of purchased licenses.
I was prompted to type the computer name and a password for the local Administrator
account, and selected the date, time and time zone settings. Setup then installed the
networking components. I highlighted the TCP/IP selection and pressed Properties.
In the General tab I entered the required information: the IP address of the
computer and its subnet mask. The final step was to finish copying files and complete
the setup. After the copying and configuring phase finished, setup completed and booted
Windows Server 2003.
After careful study I found that the following procedures must be performed to
install ISA Server 2000 on a Windows Server 2003 computer, and that they must be
performed in the following order (Appendices B to E cover each of them). ISA Server
2000 itself can be installed in one of three modes:
Cache Mode
A caching-mode ISA Server is designed to have one or two network interfaces.
Each interface must be located on the internal network, because packet filtering
is not enforceable on a caching-only ISA Server machine.
Firewall Mode
Firewall mode provides a high level of firewall protection from external
intruders and also protects the network by enabling granular outbound access
control. Firewall mode does not include the Web caching features that are part
of Cache mode.
Integrated Mode
Integrated mode provides all the firewall and caching features available with
ISA Server 2000.
The Windows Server 2003 machine that I was using for the VPN deployment had to
have the following characteristics:
An Integrated mode ISA Server firewall requires at least one internal and one external
interface.
The internal interface is never configured with a default gateway address. The
IP address of the internal interface is always on the LAT (Local Address Table).
The external interface is configured with a default gateway that routes packets
to the Internet. The external interface is never on the LAT.
The internal interface of the ISA Server is configured with the address of a DNS
server on the internal network that is capable of resolving Internet host names.
The internal interface is placed at the top of the interface list. Windows Server
2003 uses the interface order to determine which name server addresses to
query first.
I had to perform the following steps to configure the interface order on the ISA Server
computer:
1. Clicked Start, pointed to Control Panel and right clicked on Network
Connections. Clicked the Open command (figure 1).
Figure 1
2. In the Network Connections window, clicked the Advanced menu and then
clicked the Advanced Settings command (figure 2).
Figure 2
3. In the Advanced Settings dialog box, selected the interface representing the
internal interface and clicked the up arrow to move the internal interface to the
top of the interface list. Clicked OK in the Advanced Settings dialog box
after making the changes to the interface order.
I disabled all non-essential services on the ISA Server firewall computer. While
individual implementations of ISA Server firewalls require a customized set of
services, it is safe to conclude that the IIS W3SVC (the World Wide Web Publishing
Service) should not run on the ISA Server firewall.
APPENDIX B
Implementation Installing ISA Server 2000
2. Clicked the Install ISA Server link on the Internet Security & Acceleration Server
2000 splash page (figure 5).
Figure 5
3. An ISA 2000 dialog box informed me that I needed to install ISA 2000 Service Pack
1 (figure 6). Error messages occurred during the installation; I was not concerned
about these errors, as I would perform the required procedures afterwards to prevent
them from becoming a problem. Clicked Continue.
Figure 6
Figure 7
5. Entered the CD Key in the CD Key dialog box (figure 8). Clicked OK.
Figure 8
6. Wrote down the Product ID as listed in the Product ID dialog box, then clicked OK in
the Product ID dialog box.
7. Clicked I Agree in the Microsoft ISA Server Setup dialog box (figure 9).
Figure 9
8. Clicked the Full Installation button in the installation type dialog box (figure 10).
This installs all ISA Server features; I could use the Add/Remove Programs applet
later to remove any features I did not need.
Figure 10
9. Here I am installing ISA Server in standalone mode, not in enterprise array mode.
Clicked Yes in the dialog box that asked if I want to continue (figure 11).
Figure 11
10. Selected the Integrated mode option on the Select the mode for this server page
(figure 12), as I wanted the full power of the ISA Server firewall: Integrated mode
gives everything the Web Proxy and Firewall services have to offer. Clicked Continue.
Figure 12
11. On the Web cache page (figure 13), selected a drive to put the Web cache file on.
The drive had to be NTFS, so I made sure of that. Typed in a size of the cache in the
Cache size (MB) text box and then clicked the Set button. Then clicked OK.
Figure 13
12. On the LAT page (figure 14), clicked the Construct Table button. On the Local
Address Table page, removed the checkmark from the Add the following private
ranges checkbox and put a checkmark in the Add address ranges based on the
Windows 2000 Routing Table checkbox. Removed the checkmark from the checkbox
representing the external interface and left the checkmark in the checkbox for the
internal interface, so that only the networks reachable through the internal interface
went into the LAT. Clicked OK in the Local Address Table dialog box, then clicked OK
in the Setup Message dialog box informing me that the LAT had been constructed from
the Windows 2000 routing table (in spite of the fact that I was installing ISA Server
on a Windows Server 2003 machine).
Figure 14
13. Clicked OK on the LAT dialog box after reviewing the Internal IP ranges list
(figure 15).
Figure 15
14. Unlike Windows 2000, Windows Server 2003 does not install IIS by default. I saw a
dialog box telling me that I will have to install the SMTP service if I want to run the
SMTP Message Screener. Clicked OK to continue (figure 16).
Figure 16
15. When installation is complete, I saw a warning balloon informing me that ISA 2000
will cause Windows to become unstable. Closed the balloon, removed the
checkmark from the Start ISA Server Getting Started Wizard checkbox, and then
clicked OK in the Launch ISA Management Tools dialog box (figure 17).
Figure 17
16. Clicked OK in the dialog box informing me that setup was completed (figure 18).
Figure 18
17. Clicked OK in the dialog box informing me that setup has failed to start one or more
services (figure 19).
Figure 19
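The interface rules in Appendix A and the LAT construction in step 12 above can be checked mechanically before the firewall is trusted with traffic. The following Python is an added example written for this edit, not code from the report or from ISA Server: it models a dual-homed host with constructed interface names, addresses and routing-table entries, builds the LAT from the routes bound to the ticked interfaces the way the setup page does, and reports which of Appendix A's rules a configuration breaks (internal interface with a default gateway, external interface without one, DNS server outside the LAT, internal interface not first in the binding order, external address inside the LAT).

```python
# Added example (not from the original report): a model of the dual-homed
# ISA Server 2000 host set up in Appendices A and B. Interface names,
# addresses and routing-table entries below are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

IPRange = Tuple[IPv4Address, IPv4Address]


@dataclass
class Interface:
    name: str
    ip: str
    gateway: Optional[str] = None            # default gateway, None if unset
    dns: List[str] = field(default_factory=list)
    role: str = "internal"                   # "internal" or "external"


@dataclass
class Route:
    """One line of the Windows routing table (as shown by `route print`)."""
    destination: str
    mask: str
    interface: str                           # Interface.name the route is bound to


def build_lat(routes: List[Route], ticked: List[str]) -> List[IPRange]:
    """Construct the LAT the way the setup page does it: take the network
    routes bound to the ticked interfaces, drop the default, host, loopback
    and multicast entries, and merge what is left into address ranges."""
    ranges: List[IPRange] = []
    for r in routes:
        if r.interface not in ticked:
            continue
        net = IPv4Network((r.destination, r.mask), strict=False)
        if net.prefixlen in (0, 32) or net.is_loopback or net.is_multicast:
            continue
        ranges.append((net.network_address, net.broadcast_address))
    ranges.sort()
    merged: List[IPRange] = []
    for start, end in ranges:
        if merged and start <= merged[-1][1] + 1:        # overlapping or adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def in_lat(lat: List[IPRange], ip: str) -> bool:
    addr = IPv4Address(ip)
    return any(start <= addr <= end for start, end in lat)


def audit_host(interfaces: List[Interface], binding_order: List[str],
               lat: List[IPRange]) -> List[str]:
    """Return the rules from Appendix A that this configuration breaks.
    An empty list means the host is laid out the way ISA expects."""
    findings: List[str] = []
    internal = [i for i in interfaces if i.role == "internal"]
    external = [i for i in interfaces if i.role == "external"]
    if not internal or not external:
        findings.append("integrated mode needs at least one internal and one external interface")
        return findings
    for i in internal:
        if i.gateway:
            findings.append(f"{i.name}: internal interface must not have a default gateway")
        if not in_lat(lat, i.ip):
            findings.append(f"{i.name}: internal address {i.ip} is not in the LAT")
        for server in i.dns:
            if not in_lat(lat, server):
                findings.append(f"{i.name}: DNS server {server} is not on the internal network")
    for i in external:
        if not i.gateway:
            findings.append(f"{i.name}: external interface needs a default gateway to the Internet")
        if in_lat(lat, i.ip):
            findings.append(f"{i.name}: external address {i.ip} is in the LAT, so ISA would "
                            "treat that network as internal")
    if binding_order[0] != internal[0].name:
        findings.append(f"{internal[0].name} is not first in the interface binding order")
    return findings


# Constructed sample: the host from Appendix A (addresses are illustrative).
INTERFACES = [
    Interface("Internal", "192.168.1.1", dns=["192.168.1.10"]),
    Interface("External", "203.0.113.2", gateway="203.0.113.1", role="external"),
]
ROUTES = [
    Route("0.0.0.0", "0.0.0.0", "External"),                 # default route
    Route("127.0.0.0", "255.0.0.0", "Loopback"),
    Route("10.0.0.0", "255.0.0.0", "Internal"),              # static route to another internal subnet
    Route("192.168.1.0", "255.255.255.0", "Internal"),
    Route("192.168.1.1", "255.255.255.255", "Internal"),     # host route
    Route("203.0.113.0", "255.255.255.248", "External"),
    Route("224.0.0.0", "240.0.0.0", "Internal"),             # multicast
    Route("255.255.255.255", "255.255.255.255", "Internal"), # limited broadcast
]

if __name__ == "__main__":
    lat = build_lat(ROUTES, ticked=["Internal"])
    print("LAT:", [f"{s}-{e}" for s, e in lat])
    print("findings:", audit_host(INTERFACES, ["Internal", "External"], lat))
    # The mistake step 12 avoids: leaving the external interface ticked.
    bad_lat = build_lat(ROUTES, ticked=["Internal", "External"])
    print("findings:", audit_host(INTERFACES, ["Internal", "External"], bad_lat))
```

Run as-is, the first audit returns no findings for the Appendix A layout; the second shows why the external interface's checkbox is cleared in step 12: its subnet lands in the LAT, and ISA would then treat hosts on that network as internal.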
APPENDIX C
Implementation Installing ISA Server Service Pack 1
2. Clicked I Agree in the End User License Agreement (EULA) dialog box (figure 21).
Figure 21
3. Clicked OK in the Microsoft ISA Server 2000 Update Setup dialog box (figure 22).
The computer restarted after that (that is normal).
Figure 22
APPENDIX D
Implementation Installing Hotfix isahf255.exe
Figure 24
I did need to restart the server. The next step was to install Feature Pack 1.
APPENDIX E
Implementation Installing Feature Pack 1
APPENDIX F
Implementation Configuring the ISA Server 2000/VPN Server
Performed the following steps to start the ISA Virtual Private Network Configuration
Wizard on the ISA Server machine:
Performed the following steps to review and customize the VPN configuration:
The ISA Server firewall/VPN server was then ready to accept incoming PPTP and
L2TP/IPSec calls from VPN clients.
APPENDIX G
Implementation Connecting to the VPN