Windows Remote Access Server Overview
Installing and configuring a RAS remote access server so that it accepts VPN connections from outside the network, whether over a LAN or across the WAN, involves three areas of configuration on the server: 1) Connection, 2) Authentication, and 3) Authorization. Below is a summary of the key points in that process, followed by video tutorials demonstrating the details of setting up a RAS server for VPN connections.
Remote Access Server Connection
Three types of connections:
1. Dialup – Telephone connections use the SLIP or PPP protocols.
2. VPN (Virtual Private Network) – A virtual private network is a private, encrypted tunnel or channel through a public or open network like the internet. To connect via VPN you need VPN client software that connects to a VPN server. The server needs a public IP address if you are connecting from the internet; you can also connect to a VPN server with a private IP address if you are on the same private local area network. VPN protocols:
   - PPTP – Microsoft proprietary, built-in encryption, TCP port 1723
   - L2TP – Open standard, IPSec, TCP port 1701 and UDP port 500
3. SSTP (Secure Sockets Tunneling Protocol) – Uses SSL on TCP port 443
Remote Access Server Authentication
- PAP (Password Authentication Protocol) – Username and password are sent in cleartext; this is not secure.
- SPAP (Shiva Password Authentication Protocol) – Used with Shiva devices; deprecated.
- CHAP (Challenge Handshake Authentication Protocol) – Three-way handshake using MD5 hashing of the shared secret. Does not protect against impersonation.
- MS-CHAPv1 – Microsoft version of CHAP; deprecated.
- MS-CHAPv2 – Encrypts the shared secret; mutual authentication.
- EAP (Extensible Authentication Protocol) – Flexible authentication method based on PPP. Smart cards, certificates, biometrics and custom add-on authentication methods are supported, as well as MD5 challenge and TLS.
  - PEAP (Protected EAP) – Used with wireless clients to provide a secure channel for EAP; supports fast reconnect for wireless clients and quarantine checks (NAP).
- 802.1X – Port-based authentication with a RADIUS client to a RADIUS server. Used in wireless implementations.
- EAP-TLS (Transport Layer Security) – Next generation of SSL (smart cards, certificates).
- PEAP-EAP-MS-CHAPv2 – Password based.
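Putting the connection and authentication sections together, here is an added PowerShell example (not from this article or from Microsoft's RRAS documentation) that installs the RRAS VPN role, exposes only the SSTP port on the host firewall, and restricts PPP user authentication to EAP and MS-CHAPv2 so that PAP, SPAP, CHAP and MS-CHAPv1 are refused. It assumes a Windows Server with the RemoteAccess PowerShell module run from an elevated session; the Install-RemoteAccess address-pool parameter, the accepted-value names for Set-VpnAuthProtocol and the 192.0.2.x range are assumptions or placeholders to check against Get-Help on your build.

```powershell
# Added example (not from the original article): stand up an RRAS VPN server
# and restrict PPP user authentication to the stronger methods from the list above.
# Assumptions: Windows Server with the RemoteAccess module; elevated session;
# values marked "assumed" should be checked against Get-Help on your build.

# 1) Connection: install the role services and enable the remote-access VPN function.
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools
Import-Module RemoteAccess
# -VpnType Vpn configures a client (remote-access) VPN. The address pool is a
# constructed documentation range and the parameter set is assumed from the module docs.
Install-RemoteAccess -VpnType Vpn -IPAddressRange '192.0.2.100', '192.0.2.199'

# Expose only the tunnel type you intend to use at the host firewall. SSTP rides on
# TCP 443 (item 3 above); PPTP would need TCP 1723. Leave the others closed.
New-NetFirewallRule -DisplayName 'RAS VPN - SSTP (TCP 443)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow -Profile Any

# 2) Authentication: accept only EAP and MS-CHAPv2 for PPP user authentication,
# which refuses PAP, SPAP, CHAP and MS-CHAPv1 from the list above.
# (Accepted value names are assumed; verify with Get-Help Set-VpnAuthProtocol.)
Set-VpnAuthProtocol -UserAuthProtocolAccepted @('EAP', 'MSChapv2') -PassThru

# Verification: read the settings back and warn if a weak method is still accepted.
$auth = Get-VpnAuthProtocol
$weak = @('Pap', 'Chap', 'MSChap') | Where-Object { $auth.UserAuthProtocolAccepted -contains $_ }
if ($weak) {
    Write-Warning "Weak PPP auth methods still enabled: $($weak -join ', ')"
} else {
    Write-Host "PPP user authentication restricted to: $($auth.UserAuthProtocolAccepted -join ', ')"
}
```

The verification step matters more than the configuration step: RRAS enables several tunnel and authentication types by default, so reading the effective settings back with Get-VpnAuthProtocol after the change is the check that confirms the weak methods are actually gone.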
Remote Access Server Authorization
Once you have authenticated, you must pass through three authorization stages. In the first stage you must meet the conditions of a network policy; once you have matched the conditions of at least one network policy you move on to the other two authorization stages. The second stage is the dial-in access stage: the Dial-in tab under user properties in Active Directory is a powerful way to control dial-in access. The third stage is the constraints and settings stage, where access can be granted or denied through the policy's constraints and settings on the server.
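The second authorization stage is driven by a single Active Directory attribute behind the Dial-in tab, and an explicit "Allow access" there short-circuits the network policy conditions of stage one. The following added PowerShell example (not from this article) audits that setting across an OU and shows how to hand flagged accounts back to policy control. It assumes the ActiveDirectory module (RSAT) is installed and the running account can read user objects; the OU path is a constructed placeholder.

```powershell
# Added example (not from the original article): audit the Active Directory
# Dial-in tab setting that drives authorization stage 2 above.
# Assumptions: ActiveDirectory module (RSAT) is installed and the running account
# can read user objects; the OU path below is a constructed placeholder.
Import-Module ActiveDirectory

$searchBase = 'OU=VPN Users,DC=example,DC=com'   # placeholder OU, replace with your own

# msNPAllowDialin is the attribute behind the Dial-in tab's "Network Access Permission":
#   $true  -> Allow access (bypasses the network policy decision)
#   $false -> Deny access
#   absent -> Control access through NPS Network Policy (the default)
function Get-DialinPermission {
    param([Parameter(Mandatory)] $User)
    $value = $User.msNPAllowDialin
    if ($value -eq $true)      { 'Allow access' }
    elseif ($value -eq $false) { 'Deny access' }
    else                       { 'Control access through NPS Network Policy' }
}

$users = Get-ADUser -Filter * -SearchBase $searchBase -Properties msNPAllowDialin

# Report every account in the OU with its effective dial-in permission.
$report = $users | ForEach-Object {
    [pscustomobject]@{
        SamAccountName = $_.SamAccountName
        Enabled        = $_.Enabled
        DialinSetting  = Get-DialinPermission $_
    }
}
$report | Sort-Object DialinSetting, SamAccountName | Format-Table -AutoSize

# Explicit "Allow access" on the user object bypasses the network policy conditions,
# so flag those accounts and, after review, return them to policy control by clearing
# the attribute. -WhatIf shows the change without applying it; remove it to commit.
$report | Where-Object DialinSetting -eq 'Allow access' | ForEach-Object {
    Write-Warning "$($_.SamAccountName) has an explicit dial-in Allow"
    Set-ADUser -Identity $_.SamAccountName -Clear msNPAllowDialin -WhatIf
}
```

Leaving the attribute absent ("Control access through NPS Network Policy") is what keeps all three stages in play; a per-user Allow is easy to set from the GUI and easy to forget, which is why the audit runs over the whole OU rather than a single account.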
Step by Step Tutorial Demonstration