Hello Customers,

In my last few articles, I discussed the design guidelines to consider before deploying a remote access solution.

In the next few articles, I will go through the steps to configure the various components of the remote access solution. These articles will act as your jump-start guide to quickly build a solution in your pilot lab, test various combinations and then finally roll it out in your production environment.

All the steps given below were done on my Windows 7 client beta and Windows Server 2008 R2 server beta. If you have another flavour of Windows (like Vista, XP or 2008), you may have to change a few steps here and there. Hope you find it useful.

Here is the first topic on this: Configuring the remote access clients

1.1 In-built VPN client

To create a VPN connection using the in-built VPN client, please follow these steps:

  • Open “Control Panel” -> “Network and Sharing Center”. Click on “Set up a new connection or network”. This launches a wizard.
  • Click “Connect to a workplace”, click “Next”, click “Next”, double-click “Use my Internet connection (VPN)”, enter the hostname or IPv4/IPv6 address of the VPN server and specify the VPN connection name (as seen in the network tray icon), click “Next”, then enter the username/password for the connection and click “Connect”. This will try to connect.
  • The above steps create the VPN connection and try to establish the VPN tunnel to the server. If that fails for any reason, select “Set up the connection anyway” so that the configuration is saved.

To change the properties of VPN client created using in-built VPN client, please follow these steps:

  • Click the networking tray icon at the bottom right of your desktop. Move the mouse over the appropriate VPN connection name, right-click and select “Properties”. This launches the VPN connection Properties UI, which has four tabs: “General”, “Options”, “Security” and “Networking”.
  • The “General” tab is used to change the VPN server hostname or IP address. Additionally, the underlying interface (like dial-up or broadband) used to reach the public network can be configured, so that when the user clicks “Connect” on the VPN interface, it first brings the underlying interface up (if it is not already) and then establishes the VPN connection on top of it.
  • The “Options” tab is used to configure general connectivity options like redial attempts, idle disconnect time, etc.
  • The “Security” tab is used to configure the authentication and VPN tunnel options. By default the in-built VPN client is created with “Type of VPN” set to Automatic (i.e. the tunnel order is: try IKEv2 first, if that fails try SSTP, if that fails try PPTP, if that fails try L2TP). However “Type of VPN” can be changed to try a specific VPN tunnel. The “Advanced settings” button applies to the L2TP/IPsec and IKEv2 tunnel types. Various authentication protocols can be configured under the “Authentication” heading. To configure EAP based protocols, select the radio button “Use Extensible Authentication Protocol (EAP)” and then select the relevant EAP method. If you select “Microsoft Protected EAP (PEAP)”, you can further select configuration such as the inner EAP method that gets tunneled inside the PEAP TLS session and common settings like “Enforce Network Access Protection”. If you select EAP-MSCHAPv2, you can optionally configure the VPN client to pick up the username/password entered at Windows logon, so the user does not have to re-enter the credentials when dialing the VPN connection. This is the most commonly deployed scenario.
  • The “Networking” tab is used to configure the transports (or protocols) that run on top of the VPN tunnel. The most common ones are “Internet Protocol Version 4 (TCP/IPv4)” and “Internet Protocol Version 6 (TCP/IPv6)”. Select a particular transport and click “Properties” to change common fields like the default gateway, DNS server address, DNS suffix for the connection, etc. If “Use default gateway on remote network” is turned on, the VPN client adds a default route on the VPN interface with the highest precedence once the tunnel is up. This way all IP packets (except those destined to the local subnet) go to the VPN server. If this parameter is turned off, no default route is added on the VPN tunnel; the user then has to add specific routes on the VPN interface in order to reach the corpnet resources.

To connect/disconnect the VPN connection, please follow these steps:

  • Click the networking tray icon at the bottom right of your desktop. Move the mouse over the appropriate VPN connection name, right-click and select “Connect” (if currently disconnected) or “Disconnect” (if currently connected).

To view the status and statistics of the VPN connection, please follow these steps:

  • Click the networking tray icon at the bottom right of your desktop. Move the mouse over the appropriate VPN connection name, right-click and select “Status” (if currently connected).

This launches the VPN connection status UI, where you can find the IP addresses of the client (inner and outer IP address), the IP address of the server, and bytes sent/received on the connection.

1.2 CM based VPN client

To create a CM client package as a network administrator, you first need to install the “Connection Manager Administration Kit” (CMAK) tool on a Windows 2008 R2 server machine and then run the tool to create a CM package. This is done by following these steps:

  • Open “Server Manager”. Click on “Features”, then “Add Features”. Select “Connection Manager Administration Kit”, click “Next” and install it.
  • Open CMAK by clicking “Start” -> “All Programs” -> “Administrative Tools” -> “Connection Manager Administration Kit”. This launches the CMAK wizard.
  • Click “Next”. Select the target OS (i.e. the OS of the client machine on which the CM based VPN client will eventually be installed). Note: the CM package for Vista and Windows 7 is the same. Click “Next”. Select “New profile”. Click “Next”.
  • Enter the name of the VPN connection (e.g. “Contoso VPN connection”) and the filename of the CM profile or package (e.g. contoso). Click “Next”. Click “Next” to skip the realm name. Click “Next” to skip merging of VPN profiles.
  • In the page titled “Add support for VPN connections”, click “Phone book from this profile”. You can then specify the VPN server name or IP address if there is only one VPN server or cluster of servers to which the VPN client connects. However, to support scenarios where you have deployed VPN servers at different locations of your corporation (like in different countries), you can specify a list of VPN servers in a .txt file. This text file lists the VPN servers, each tagged with a friendly display name (e.g. Contoso India, Contoso US, etc.) that helps the end user connect to the appropriate VPN server. A sample file looks like:

    [Settings]
    Message=Select the location closest to your office.

    [VPN Servers]
    Contoso India=vpnserver.contoso.in
    Contoso USA=1.2.3.4

Click “Next”.

  • You will see the “Create or Modify a VPN Entry” page with a default VPN entry created. To edit the connection properties, click “Edit”. You will see the “Edit VPN Entry” UI, through which you can change connection properties like tunnel and authentication protocol selection, IPv4 and IPv6 properties, DNS suffix, etc.

Once done, click “OK” to return to the previous page. Click “Next”.

  • For dial-up access you can specify a phone book file. Turn off the “Automatically download phone book updates” checkbox. Click “Next”.
  • You will see the “Specify Routing Table Updates” page. Here you can supply, as a text file, a list of routing table entries that are added on the client side after the VPN connection comes up. This is used when you turn off “Make this connection the client’s default gateway” in the “Create or Modify a VPN Entry” page and enable split tunneling. In this scenario, you enter the IP routes of all the subnets/host machines inside your corporate network that the client should be able to reach. Each line of the text file contains a route preceded by a command (ADD or DELETE):

    Command Destination MASK Netmask Gateway METRIC Metric IF Interface

For example:

    ADD 192.168.1.0 MASK 255.255.255.0 192.168.2.1 METRIC default IF default

Click “Next”.

  • You will see “Configure Proxy Settings for Internet Explorer”. Here you can add the intranet web proxy settings that will be used after the VPN connection comes up. Click “Next” to accept the default (no web proxy configured or required to access the intranet web resources, i.e. direct web access without going through a proxy).
  • You will see the “Add Custom Actions” page, where you can add custom actions that run a specific program at a specific point in the connection. A sample custom action is: after the VPN connection is established (i.e. “post-connect”), download a new CM package file by doing a net use to a file server. For more details see the references below. Click “Next” to accept the default (no actions).
  • You can then add a specific bitmap file (.bmp) to brand your connection manager package, shown at logon time as well as in the phone book dialog box. Click “Next”, then click “Next” again to accept the default for each.
  • You can then add a specific icon file (.ico) for the program icon and title bar icon of your connection manager package. Click “Next” to accept the default.
  • You can then specify the help file (.chm) which your users can refer to. Click “Next” to accept the default.
  • You can then specify the support string (e.g. “For any issues related to your VPN connectivity, dial 040-12345678”) that appears on the logon box. Click “Next” to leave it blank.
  • You can then add a text file (.txt) containing the license agreement that should be displayed to users when they install the CM package. Click “Next” to select none.
  • Click “Next” to skip adding additional files. Click “Next” to finish.

The above steps generate a CM package (.exe file) under the %windir%\Program Files\CMAK\Profiles\Vista and above\ directory on your server machine, in a subdirectory named after the profile.
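As an added example (not part of the original post and not CMAK's own tooling), here is a small Python checker for a routing table update file in the format shown in the “Specify Routing Table Updates” step. It parses each line, rejects malformed entries, and flags an ADD of 0.0.0.0 MASK 0.0.0.0, which would re-create the default route that split tunneling was meant to avoid; routes outside RFC 1918 space are flagged for review as well. The route lines embedded below are constructed sample input.

```python
import ipaddress
import re

# Constructed sample of a CMAK routing table update file; each line is
#   Command Destination MASK Netmask Gateway METRIC Metric IF Interface
SAMPLE_ROUTES = """\
ADD 192.168.1.0 MASK 255.255.255.0 192.168.2.1 METRIC default IF default
ADD 10.10.0.0 MASK 255.255.0.0 default METRIC default IF default
DELETE 10.20.0.0 MASK 255.255.255.0 192.168.2.1 METRIC 1 IF default
ADD 0.0.0.0 MASK 0.0.0.0 192.168.2.1 METRIC default IF default
ADD 172.16.0.0 MASK 255.255.0.0 192.168.2.1 METRIC x IF default
"""

LINE_RE = re.compile(
    r"^(ADD|DELETE)\s+(\S+)\s+MASK\s+(\S+)\s+(\S+)\s+METRIC\s+(\S+)\s+IF\s+(\S+)$",
    re.IGNORECASE)

def _default_or_int(value):
    return value.lower() == "default" or value.isdigit()

def parse_route_line(line):
    """Return (command, network, gateway, metric, iface); raise ValueError if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("malformed route line: %r" % line)
    cmd, dest, mask, gw, metric, iface = m.groups()
    network = ipaddress.IPv4Network("%s/%s" % (dest, mask), strict=False)
    if gw.lower() != "default":
        ipaddress.IPv4Address(gw)  # raises ValueError on a bad gateway
    if not (_default_or_int(metric) and _default_or_int(iface)):
        raise ValueError("METRIC and IF must be 'default' or an integer: %r" % line)
    return cmd.upper(), network, gw, metric, iface

def check_route_file(text):
    """Parse a whole update file; return (parsed routes, list of warnings)."""
    routes, warnings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            route = parse_route_line(line)
        except ValueError as exc:
            warnings.append("line %d: %s" % (n, exc))
            continue
        cmd, network = route[0], route[1]
        if cmd == "ADD" and network.prefixlen == 0:
            warnings.append("line %d: default route sends all traffic via the VPN" % n)
        elif cmd == "ADD" and not network.is_private:
            warnings.append("line %d: %s is outside RFC 1918 space, confirm it is corpnet" % (n, network))
        routes.append(route)
    return routes, warnings
```

Run check_route_file over the file you intend to ship in the package; the malformed line and the 0.0.0.0 route in the sample produce one warning each.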

You can then send the CM package (.exe file) to your remote access users using any mechanism, like uploading it to a file or web server, sending it via email, etc.

To install the CM package on the VPN client machine, double-click the CM package file. It asks whether the package should be installed for a single user or for all users, and then installs it.

To change the properties of the VPN connection (e.g. VPN destination) on the VPN client machine, please follow these steps:

  • Click the networking tray icon at the bottom right of your desktop. Move the mouse over the appropriate VPN connection name, right-click and select “Properties”. This launches the VPN connection Properties UI. This UI is different from the properties UI of the in-the-box VPN client, because the goal of a CM based package is that the end user does not change any configuration, so it exposes minimal configuration.

To connect/disconnect the VPN connection, please follow these steps:

  • Click the networking tray icon at the bottom right of your desktop. Move the mouse over the appropriate VPN connection name, right-click and select “Connect” (if currently disconnected) or “Disconnect” (if currently connected).

To view the status and statistics of the VPN connection, please follow these steps:

  • Click the networking tray icon at the bottom right of your desktop. Move the mouse over the appropriate VPN connection name, right-click and select “Status” (if currently connected).
  • This launches the VPN connection status UI, where you can find the IP addresses of the client (inner and outer IP address), the IP address of the server, and bytes sent/received on the connection.

References: Please refer to this CM deployment guide and this technical reference for further details on the connection manager.

1.3 Further Readings

Remote Access Design Guidelines – Part 1: Overview

Remote Access Design Guidelines – Part 2: VPN client software selection

Remote Access Design Guidelines – Part 3: Tunnel selection, Authentication, Authorization and Accounting

Remote Access Design Guidelines – Part 4: IP Routing and DNS

Remote Access Design Guidelines – Part 5: Where to place RRAS server

Remote Access Deployment – Part 2: Configuring RRAS as a VPN server

Remote Access Deployment – Part 3: Configuring RADIUS Server for remote access

With Regards,

Samir Jain

Senior Program Manager

Windows Networking

[This posting is provided “AS IS” with no warranties, and confers no rights.]