Data encryption in Server 2008

To ensure confidentiality of the data as it traverses the shared or public transit network, the data is encrypted by the sender and decrypted by the receiver. The encryption and decryption processes depend on both the sender and the receiver using a common encryption key.


Intercepted packets sent along the VPN connection in the transit network are unintelligible to anyone who does not have the common encryption key. The length of the encryption key is an important security parameter. An attacker can attempt to recover the encryption key by computational (brute-force) search. However, such techniques require more computing power and computational time as the encryption keys get larger. Therefore, it is important to use the largest possible key size to ensure data confidentiality.


Site-to-site VPN

Site-to-site VPN connections (also known as router-to-router VPN connections) enable organizations to have routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications. A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. When networks are connected over the Internet, as shown in the following figure, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link.

A site-to-site VPN connection connects two portions of a private network. The VPN server provides a routed connection to the network to which the VPN server is attached. The calling router (the VPN client) authenticates itself to the answering router (the VPN server), and, for mutual authentication, the answering router authenticates itself to the calling router. In a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.

Remote access VPN

Remote access VPN connections enable users working at home or on the road to access a server on a private network using the infrastructure provided by a public network, such as the Internet. From the user’s perspective, the VPN is a point-to-point connection between the computer (the VPN client) and an organization’s server. The exact infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.

What Is VPN? Virtual private networks

Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization’s private network.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header. The header provides routing information that enables the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data being sent is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is known as a VPN connection.
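To make the encapsulate-then-encrypt idea concrete, here is an added Python model; it is not code from the original page or from Windows Routing and Remote Access. It wraps a private packet in an outer header that carries the transit-network addresses, encrypts the inner packet under a key both ends share, and tags the result so that a tampered packet (or the wrong key) is rejected before anything is decrypted. The outer header layout and the HMAC-SHA256 keystream standing in for the negotiated cipher are assumptions made for the example; a real tunnel would use the cipher negotiated for the connection.

```python
"""Constructed model of a VPN tunnel: encapsulate an inner packet with an outer
header (routing information for the transit network), encrypt the inner packet
under a shared key, and protect header plus payload with an integrity tag.

Added illustration, not code from the page or from Windows RRAS. The header
layout is invented for the example, and the keystream is HMAC-SHA256 run in
counter mode as a stand-in for the negotiated cipher (AES, 3DES, RC4, ...).
"""
import hashlib
import hmac
import os
import struct

# Outer header: source IP, destination IP, payload length (constructed layout).
OUTER_HDR = struct.Struct("!4s4sH")
NONCE_LEN = 12
TAG_LEN = 16


def _ip(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def _derive(shared_key: bytes, label: bytes) -> bytes:
    # Separate confidentiality and integrity keys from the one shared secret.
    return hmac.new(shared_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack("!I", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str, shared_key: bytes) -> bytes:
    """Return header || nonce || ciphertext || tag, ready for the transit network."""
    enc_key = _derive(shared_key, b"enc")
    mac_key = _derive(shared_key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(inner_packet))
    ciphertext = bytes(a ^ b for a, b in zip(inner_packet, stream))
    header = OUTER_HDR.pack(_ip(outer_src), _ip(outer_dst),
                            NONCE_LEN + len(ciphertext) + TAG_LEN)
    # The tag covers the outer header too, so a rewritten header is rejected.
    tag = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + nonce + ciphertext + tag


def decapsulate(wire: bytes, shared_key: bytes) -> bytes:
    """Verify integrity first, then decrypt; raises ValueError on any mismatch."""
    enc_key = _derive(shared_key, b"enc")
    mac_key = _derive(shared_key, b"mac")
    header, rest = wire[:OUTER_HDR.size], wire[OUTER_HDR.size:]
    nonce, ciphertext, tag = rest[:NONCE_LEN], rest[NONCE_LEN:-TAG_LEN], rest[-TAG_LEN:]
    expected = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered packet")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def try_decapsulate(wire: bytes, shared_key: bytes):
    """Convenience wrapper: the inner packet, or None if the packet is rejected."""
    try:
        return decapsulate(wire, shared_key)
    except ValueError:
        return None


def outer_endpoints(wire: bytes) -> tuple:
    """All an observer on the transit network can read: the outer addresses."""
    src, dst, _ = OUTER_HDR.unpack(wire[:OUTER_HDR.size])
    return ".".join(map(str, src)), ".".join(map(str, dst))


if __name__ == "__main__":
    key = b"constructed-shared-key"                   # constructed sample secret
    inner = b"10.0.1.5->10.0.2.9 PRIVATE DATA"        # constructed inner packet
    wire = encapsulate(inner, "203.0.113.10", "198.51.100.20", key)
    print("outer endpoints:", outer_endpoints(wire))
    print("recovered:", decapsulate(wire, key))
    print("wrong key accepted?", try_decapsulate(wire, b"wrong-key") is not None)
```

Checking the tag before decrypting is deliberate: a packet with the wrong key or a modified header fails closed instead of yielding garbage that downstream code might act on.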


Removing the remote access VPN server role

If you need to reconfigure your server for a different role, you can remove existing server roles. When you remove the remote access VPN server role, your server will no longer provide dial-up or VPN access for remote access clients. Remote users will not be able to connect to your private network, and the computers on your private network might not be able to connect to the Internet.

To remove the remote access VPN server role, first restart the Add Roles Wizard by doing the following:

  • Open Server Manager by clicking Start, Administrative Tools, and then click Server Manager. Then, under Roles Summary, click Remove roles.

Then, in the Add Roles Wizard, remove the remote access VPN server role:

  • Advance to the Remove Server Roles page, click Network Policy and Access Services, click Next, click Remove, and then click Close. In the server restart confirmation dialog box, click Yes to restart your computer.

Configure a Remote Access VPN Server

Tasks to complete before adding a remote access/VPN server role (each task is followed by comments)

Determine which network interface connects to the Internet and which network interface connects to your private network.

During configuration, you will be asked to choose which network interface connects to the Internet. If you specify the incorrect interface, your remote access VPN server will not operate correctly.

Determine whether remote clients will receive IP addresses from a Dynamic Host Configuration Protocol (DHCP) server on your private network or from the remote access VPN server that you are configuring.

If you have a DHCP server on your private network, the remote access VPN server can lease 10 addresses at a time from the DHCP server and assign those addresses to remote clients. If you do not have a DHCP server on your private network, the remote access VPN server can automatically generate and assign IP addresses to remote clients. If you want the remote access VPN server to assign IP addresses from a range that you specify, you must determine what that range should be.

Determine whether you want connection requests from VPN clients to be authenticated by a Remote Authentication Dial-In User Service (RADIUS) server or by the remote access VPN server that you are configuring.

Adding a RADIUS server is useful if you plan to install multiple remote access VPN servers, wireless access points, or other RADIUS clients to your private network. For more information, see Network Policy Server Help.

Determine whether VPN clients can send DHCP messages to the DHCP server on your private network.

If a DHCP server is on the same subnet as your remote access VPN server, DHCP messages from VPN clients will be able to reach the DHCP server after the VPN connection is established. If a DHCP server is on a different subnet from your remote access VPN server, make sure that the router between subnets can relay DHCP messages between clients and the server. If your router is running Windows Server® 2008, you can configure the DHCP Relay Agent service on the router to forward DHCP messages between subnets.

Verify that all users have user accounts that are configured for dial-up access.

Before users can connect to the network, they must have user accounts on the remote access VPN server or in Active Directory® Domain Services. Each user account on a stand-alone server or a domain controller contains properties that determine whether that user can connect. On a stand-alone server, you can set these properties by right-clicking the user account in Local Users and Groups and clicking Properties. On a domain controller, you can set these properties by right-clicking the user account in the Active Directory Users and Computers console and clicking Properties.

Simple routing scenario

In this configuration, there are three networks (Networks A, B, and C) and two routers (Routers 1 and 2). Router 1 is on Networks A and B, and Router 2 is on Networks B and C. Router 1 must notify Router 2 that Network A can be reached through Router 1, and Router 2 must notify Router 1 that Network C can be reached through Router 2. This information is automatically communicated through the use of a routing protocol, such as RIP. When a user on Network A wants to communicate with a user on Network C, the user's computer on Network A forwards the packet to Router 1. Router 1 then forwards the packet to Router 2. Router 2 then forwards the packet to the user's computer on Network C.
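The scenario above can be modelled end to end. The following is an added Python example, not code from the original page: each router starts knowing only its directly connected networks, the routers exchange RIP-style updates (every known network advertised with hop count plus one) until their tables stop changing, and a packet from Network A to Network C is then forwarded hop by hop. The addresses, router names and the simplified update rule are assumptions made for the example.

```python
"""Constructed model of the three-network, two-router routing scenario.
Added illustration, not code from the original page; addresses are constructed."""
import ipaddress


class Router:
    def __init__(self, name, interfaces):
        # interfaces: {network CIDR: this router's own address on that network}
        self.name = name
        self.interfaces = {ipaddress.ip_network(n): ipaddress.ip_address(a)
                           for n, a in interfaces.items()}
        # routing table: network -> (next-hop address or None if directly connected, hop count)
        self.routes = {net: (None, 0) for net in self.interfaces}

    def address_on(self, network):
        return self.interfaces.get(network)

    def advertise(self):
        """RIP-style update: every known network with its hop count."""
        return {net: hops for net, (_, hops) in self.routes.items()}

    def learn(self, update, via):
        """Install a neighbour's routes where they beat what we already have."""
        changed = False
        for net, hops in update.items():
            candidate = hops + 1
            if net not in self.routes or candidate < self.routes[net][1]:
                self.routes[net] = (via, candidate)
                changed = True
        return changed

    def hop_count(self, cidr):
        entry = self.routes.get(ipaddress.ip_network(cidr))
        return None if entry is None else entry[1]

    def lookup(self, dst):
        """Longest-prefix match: (network, next hop) or None if no route exists."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, (via, _) in self.routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best


def exchange_routes(routers):
    """Repeat updates between directly connected routers until nothing changes."""
    while True:
        changed = False
        for r in routers:
            for peer in routers:
                if r is peer:
                    continue
                for net in set(r.interfaces) & set(peer.interfaces):
                    changed |= r.learn(peer.advertise(), peer.address_on(net))
        if not changed:
            return


def trace_path(routers, src_net, dst):
    """Names of the routers a packet traverses from a host on src_net to dst."""
    by_addr = {addr: r for r in routers for addr in r.interfaces.values()}
    # The sending host hands the packet to the router attached to its network.
    current = next(r for r in routers if ipaddress.ip_network(src_net) in r.interfaces)
    path = []
    while True:
        path.append(current.name)
        match = current.lookup(dst)
        if match is None:
            raise ValueError(f"{current.name} has no route to {dst}")
        _, via = match
        if via is None:          # directly connected: deliver to the host
            return path
        current = by_addr[via]


def build_scenario():
    """Networks A, B, C and Routers 1, 2 as in the text (constructed addresses)."""
    r1 = Router("Router 1", {"10.0.1.0/24": "10.0.1.1", "10.0.2.0/24": "10.0.2.1"})
    r2 = Router("Router 2", {"10.0.2.0/24": "10.0.2.2", "10.0.3.0/24": "10.0.3.1"})
    exchange_routes([r1, r2])
    return r1, r2


if __name__ == "__main__":
    r1, r2 = build_scenario()
    print("Router 1 reaches Network C via", r1.lookup("10.0.3.7")[1])
    print("A -> C passes through", trace_path([r1, r2], "10.0.1.0/24", "10.0.3.7"))
```

Before the exchange Router 1 has no entry for Network C at all; after it, the entry points at Router 2's address on Network B with a hop count of 1, which is exactly the information the text says the routing protocol must carry.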

How to create a secure connection between two private networks

If you choose this path, two servers running Routing and Remote Access are configured to send private data securely across the Internet. You must choose this path when you run the Routing and Remote Access Server Setup Wizard on each server. The connection between the two servers can be persistent (always on) or on demand (demand-dial). To configure this type of server in the wizard, click Secure connection between two private networks, and follow the steps. After the wizard completes the steps, you can configure each server with additional options. For example, you can configure which routing protocols each server accepts and the way in which each server routes traffic between the two networks.


VPN and NAT

If you choose this path, the server running Routing and Remote Access is configured to provide NAT for the private network and to accept VPN connections. Computers on the Internet will not be able to determine the IP addresses of computers on the private network. However, VPN clients will be able to connect to computers on the private network as if they were physically attached to the same network. To configure this type of server in the wizard, click Virtual Private Network (VPN) access and NAT, and follow the steps.

Common Remote Access Configurations: Network address translation (NAT)

If you choose this path, the server running Routing and Remote Access is configured to share an Internet connection with computers on the private network and to translate traffic between its public address and the private network. Computers on the Internet will not be able to determine the IP addresses of computers on the private network. To configure this type of server in the wizard, click Network address translation (NAT), and follow the steps. After the wizard completes the steps, you can configure additional options. For example, you can configure packet filters and choose which services to allow on the public interface.

Common Remote Access Configurations: Remote access (dial-up)

If you choose this path, the server running Routing and Remote Access is configured to allow remote access clients to connect to the private network by dialing into a modem bank or other dial-up equipment. To configure this type of server in the wizard, click Remote Access, select the Dial-up check box, and follow the steps. After the wizard completes the steps, you can configure additional options. For example, you can configure how the server answers the call, how the server verifies which remote access clients have permission to connect to the private network, and whether the server routes network traffic between remote access clients and the private network.

Common Remote Access Configurations: Remote access (VPN)

If you choose this path, the server running Routing and Remote Access is configured to allow remote access clients to connect to the private network across the Internet. To configure this type of server in the wizard, click Remote Access, select the VPN check box, and follow the steps. After the wizard completes the steps, you can configure additional options. For example, you can configure how the server verifies which VPN clients have permission to connect to the private network and whether the server routes network traffic between VPN clients and the private network.

Technologies removed from Windows Server 2008

  • Bandwidth Allocation Protocol (BAP). Removed from Windows Vista. Disabled in Windows Server 2008.

  • X.25.

  • Serial Line Interface Protocol (SLIP). SLIP-based connections will automatically be updated to PPP-based connections.

  • Asynchronous Transfer Mode (ATM).

  • IP over IEEE 1394.

  • NWLink IPX/SPX/NetBIOS Compatible Transport Protocol.

  • Services for Macintosh.

  • Open Shortest Path First (OSPF) routing protocol component in Routing and Remote Access.

  • Basic Firewall in Routing and Remote Access (replaced with Windows Firewall).

  • Static IP filter application programming interfaces (APIs) for Routing and Remote Access (replaced with Windows Filtering Platform APIs).

  • The SPAP, EAP-MD5-CHAP, and MS-CHAP authentication protocols for PPP-based connections.

New cryptographic support in Windows Server 2008

PPTP

  • Only the 128-bit RC4 encryption algorithm is supported.

  • 40-bit and 56-bit RC4 support is removed, but can be added (not recommended) by changing a registry key.

L2TP/IPsec

  • Data Encryption Standard (DES) encryption algorithm with Message Digest 5 (MD5) integrity check support is removed, but can be added (not recommended) by changing a registry key.

  • IKE Main Mode will support: Advanced Encryption Standard (AES) 256 (new), AES 192 (new), AES 128 (new), and 3DES encryption algorithms; the Secure Hash Algorithm 1 (SHA1) integrity check algorithm; and Diffie-Hellman (DH) groups 19 (new) and 20 (new) for Main Mode negotiation.

  • IKE Quick Mode will support: AES 256 (new), AES 192 (new), AES 128 (new), and 3DES encryption algorithms; and the SHA1 integrity check algorithm.
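As an added Python example (not code from the original page or from Windows), the support matrix above can be turned into a small audit that checks a proposed PPTP or L2TP/IPsec configuration before it is deployed, and that quantifies why the removed 40-bit and 56-bit keys are not worth re-enabling, tying back to the key-length point made in the data-encryption section. The finding texts, the guess rate used for the brute-force estimate, and the effective key sizes are assumptions made for the example; the list of supported and removed algorithms is taken from the section above.

```python
"""Constructed audit of proposed tunnel settings against the Windows Server 2008
algorithm support listed above. Added illustration, not code from the page or
from Windows; finding texts, guess rate and effective key sizes are assumptions."""

# Support matrix taken from the section above.
PPTP_SUPPORTED = {"RC4-128"}
PPTP_REMOVED = {"RC4-40", "RC4-56"}            # re-enabled only via the registry; not recommended
IKE_SUPPORTED_ENC = {"AES-256", "AES-192", "AES-128", "3DES"}
IKE_SUPPORTED_INTEGRITY = {"SHA1"}
IKE_REMOVED_PAIR = ("DES", "MD5")              # re-enabled only via the registry; not recommended
IKE_NEW_DH_GROUPS = {19, 20}

# Effective key sizes in bits (assumption: 3DES counted as 112 because of the
# meet-in-the-middle attack on its 168-bit nominal key).
EFFECTIVE_KEY_BITS = {"RC4-40": 40, "RC4-56": 56, "RC4-128": 128, "DES": 56,
                      "3DES": 112, "AES-128": 128, "AES-192": 192, "AES-256": 256}


def brute_force_years(key_bits, guesses_per_second=1e12):
    """Expected time to find a key by exhaustive search (half the key space on
    average). The guess rate is an assumption chosen for illustration."""
    expected_guesses = 2 ** (key_bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def audit_pptp(cipher):
    """Findings for a PPTP cipher choice; an empty list means acceptable."""
    findings = []
    if cipher in PPTP_SUPPORTED:
        return findings
    if cipher in PPTP_REMOVED:
        bits = EFFECTIVE_KEY_BITS[cipher]
        findings.append(f"{cipher} is removed in Windows Server 2008; "
                        "re-enabling it through the registry is not recommended")
        findings.append(f"exhaustive search of a {bits}-bit key takes about "
                        f"{brute_force_years(bits):.2e} years at 1e12 guesses/s")
    else:
        findings.append(f"{cipher} is not a PPTP cipher supported by Windows Server 2008")
    return findings


def audit_l2tp(encryption, integrity, dh_group=None):
    """Findings for an IKE proposal (encryption, integrity, optional DH group)."""
    findings = []
    if (encryption, integrity) == IKE_REMOVED_PAIR:
        findings.append("DES with MD5 is removed in Windows Server 2008; "
                        "re-enabling it through the registry is not recommended")
    else:
        if encryption not in IKE_SUPPORTED_ENC:
            findings.append(f"{encryption} is not an IKE encryption algorithm "
                            "listed for Windows Server 2008")
        if integrity not in IKE_SUPPORTED_INTEGRITY:
            findings.append(f"{integrity} is not an IKE integrity algorithm "
                            "listed for Windows Server 2008")
    # The page names only the new groups; older groups are not judged here.
    if dh_group is not None and dh_group not in IKE_NEW_DH_GROUPS:
        findings.append(f"DH group {dh_group} is not one of the groups listed as new "
                        "(19, 20); verify its support separately")
    return findings


def strongest_acceptable(proposals):
    """From a list of (encryption, integrity) proposals, pick the acceptable one
    with the largest effective key; None if nothing passes the audit."""
    acceptable = [p for p in proposals if not audit_l2tp(*p)]
    if not acceptable:
        return None
    return max(acceptable, key=lambda p: EFFECTIVE_KEY_BITS[p[0]])


if __name__ == "__main__":
    for cipher in ("RC4-128", "RC4-40"):
        print(cipher, audit_pptp(cipher) or "ok")
    for proposal in (("DES", "MD5"), ("3DES", "SHA1"), ("AES-256", "SHA1")):
        print(proposal, audit_l2tp(*proposal) or "ok")
    print("strongest:", strongest_acceptable([("DES", "MD5"), ("3DES", "SHA1"), ("AES-128", "SHA1")]))
```

The brute-force figures are illustrative, not a prediction, but the ratio is what matters: every additional key bit doubles the expected search, so the gap between 40-bit RC4 and 128-bit RC4 is a factor of 2^88, which is why the removed key sizes should stay removed.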



What's New in Routing and Remote Access

Server Manager
Server Manager is a new feature designed to guide information technology (IT) administrators through the process of installing, configuring, and managing server roles and features that are part of Windows Server 2008. Server Manager is started automatically after the administrator completes the tasks listed in Initial Configuration Tasks. After that, it is started automatically when an administrator logs on to the server.

Use the following steps to install Routing and Remote Access using Server Manager:

To install Routing and Remote Access

  • Install Windows Server 2008.

  • Click Start, Administrative Tools, Server Manager.

  • Under Roles Summary, click Add roles.

  • Click Next. Select the Network Access Services role, and then click Next.

  • Click Next. Select the Routing and Remote Access Services role service, and then click Next. (Note: this selects all three Routing and Remote Access services.)

  • Click Install. When the Installation Results dialog box appears, click Close.

Use the following steps to configure and enable the Routing and Remote Access service:

To configure and enable the Routing and Remote Access service

  • Click Start, Administrative Tools, Routing and Remote Access.

  • By default, the local computer is listed as a server. Right-click the server, and then click Configure and Enable Routing and Remote Access.

  • Click Next. Click Custom configuration, and then click Next.

  • Select all the services except NAT, click Next, and then click Finish.

  • Click OK, click Start service, and then click Finish.

SSTP tunneling protocol
Secure Socket Tunneling Protocol (SSTP) is a new form of virtual private networking (VPN) tunnel with features that allow traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the SSL channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. The use of HTTPS means traffic will flow through TCP port 443, a port commonly used for Web access. Secure Sockets Layer (SSL) provides transport-level security with enhanced key negotiation, encryption, and integrity checking.

VPN enforcement for Network Access Protection
Network Access Protection (NAP) is a client health policy creation, enforcement, and remediation technology that is included in the Windows Vista® client operating system and in the Windows Server 2008 operating system. With NAP, system administrators can establish and automatically enforce health policies, which can include software requirements, security update requirements, required computer configurations, and other settings.

When making VPN connections, client computers that are not in compliance with health policy can be provided with restricted network access until their configuration is updated and brought into compliance with policy. Depending on how you choose to deploy NAP, noncompliant clients can be automatically updated so that users can quickly regain full network access without manually updating or reconfiguring their computers.

VPN enforcement provides strong limited network access for all computers accessing the network through a VPN connection. VPN enforcement with NAP is similar in function to Network Access Quarantine Control, a feature in Windows Server 2003, but it is easier to deploy.

Remote access policy configuration
You must use Network Policy Server to create and configure remote access policies. Use the following steps to set the remote access policy to grant user access:

To configure the remote access policy

  • Open Routing and Remote Access.

  • Right-click Remote Access Logging & Policies, and then click Launch NPS.

  • Click Network Policies.

  • Double-click Connections to Microsoft Routing and Remote Access server.

  • On the Overview tab, under Access Permission, click Grant access, and then click OK.

IPv6 support
Windows Server 2008 and Windows Vista support the following enhancements to Internet Protocol version 6 (IPv6):

Protocols

  • PPPv6. Native IPv6 traffic can now be sent over PPP-based connections (RFC 2472). For example, PPPv6 support allows you to connect with an IPv6-based Internet service provider (ISP) through dial-up or PPP over Ethernet (PPPoE)-based connections that might be used for broadband Internet access.

  • PPPv6 over dial-up/Ethernet as well as VPN tunnels.

  • L2TP over IPv6.

  • DHCPv6 Relay Agent.

  • Stateless filtering, based on the following parameters: source IPv6 address/prefix; destination IPv6 address/prefix; next hop type (IP protocol type); source port number (TCP/UDP); destination port number (TCP/UDP).

  • RADIUS over IPv6 transport.


IPv6 configuration
By default, Routing and Remote Access is configured to accept only Internet Protocol version 4 (IPv4) connections. In Windows Server 2008, you can use the Routing and Remote Access Microsoft Management Console (MMC) to configure IPv6 routing and connections. Use the following steps to configure Routing and Remote Access to accept IPv6 and IPv4 connections.

To enable IPv6 connections

  • In the Routing and Remote Access MMC, right-click the server, and then click Properties.

  • Click the IPv6 tab.

  • Enter an IPv6 prefix (for example: 3ffe::).

  • Click the General tab.

  • Click IPv6 Router, and then click IPv6 Remote access server.

  • Click OK, and then click Yes to restart the Routing and Remote Access service.


What is Routing and Remote Access in Windows Server 2008?

Routing
A router is a device that manages the flow of data between network segments, or subnets. A router directs incoming and outgoing packets based on the information it holds about the state of its own network interfaces and a list of possible sources and destinations for network traffic. By projecting network traffic and routing needs based on the number and types of hardware devices and applications used in your environment, you can better decide whether to use a dedicated hardware router, a software-based router, or a combination of both. Generally, dedicated hardware routers handle heavier routing demands best, and less expensive software-based routers are sufficient to handle lighter routing loads.

A software-based routing solution, such as the Routing and Remote Access service in Windows Server® 2008, can be ideal on a small, segmented network with relatively light traffic between subnets. Conversely, enterprise network environments that have a large number of network segments and a wide range of performance requirements might need a variety of hardware-based routers to perform different roles throughout the network.

Remote access
By configuring Routing and Remote Access to act as a remote access server, you can connect remote or mobile workers to your organization's networks. Remote users can work as if their computers are physically connected to the network.

All services typically available to a LAN-connected user (including file and print sharing, Web server access, and messaging) are enabled by means of the remote access connection. For example, on a server running Routing and Remote Access, clients can use Windows Explorer to make drive connections and to connect to printers. Because drive letters and universal naming convention (UNC) names are fully supported by remote access, most commercial and custom applications work without modification.

A server running Routing and Remote Access provides two different types of remote access connectivity:

Virtual private networking (VPN)

VPN is the creation of secured, point-to-point connections across a private network or a public network such as the Internet. A VPN client uses special TCP/IP-based protocols called tunneling protocols to make a virtual call to a virtual port on a VPN server. The best example of virtual private networking is that of a VPN client that makes a VPN connection to a remote access server that is connected to the Internet. The remote access server answers the virtual call, authenticates the caller, and transfers data between the VPN client and the corporate network.

In contrast to dial-up networking, VPN is always a logical, indirect connection between the VPN client and the VPN server over a public network, such as the Internet. To ensure privacy, you must encrypt data sent over the connection.



Dial-up networking

In dial-up networking, a remote access client makes a nonpermanent, dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider, such as analog phone or ISDN. The best example of dial-up networking is that of a dial-up networking client that dials the phone number of one of the ports of a remote access server.

Dial-up networking over an analog phone or ISDN is a direct physical connection between the dial-up networking client and the dial-up networking server. You can encrypt data sent over the connection, but it is not required.



Routing and Remote Access

The Routing and Remote Access service in Windows Server® 2008 supports remote user or site-to-site connectivity by using virtual private network (VPN) or dial-up connections. Routing and Remote Access consists of the following components:

Remote Access
The remote access feature provides VPN services so that users can access corporate networks over the Internet as if they were directly connected. Remote access also enables remote or mobile workers who use dial-up communication links to access corporate networks.

Routing
Routing and Remote Access is a full-featured software router and an open platform for routing and networking. It offers routing services to businesses in local area network (LAN) and wide area network (WAN) environments or over the Internet by using secure VPN connections. Routing is used for multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and network address translation (NAT) routing services.

