Routing and Remote Access Blog

VPN articles - straight from Windows development team

Related Posts
  • Blog Post: Quick snap-shot of IPv6 scenarios and features supported in RRAS

    Hi All, In Longhorn, Routing and remote access server role supports IPv6 (in addition to IPv4). In this blog, I will give a quick summary on what are the scenarios that are supported and what changes are required to enable the same. This will also help you to decide a roll-out plan to enable you to...
  • Blog Post: Remote Access Design Guidelines – Part 5: Where to place RRAS server

    Hello Customers, In this post, I will highlight various placement requirements related to RAS server. 5.1 NAT Routers A VPN server machine can sit behind a NAT router as long as the following requirements are met: For SSTP, NAT port redirection or bi-directional should be configured on NAT router – to...
  • Blog Post: RRAS showcase in Microsoft IT

    If you think RRAS based VPN server solution cannot scale to large enterprise requirements - due to any reasons - look at the numbers below - of VPN users within Microsoft using our solution "As of November 2004, an average of 46,000 Microsoft workers worldwide use remote access each month. In a typical...
  • Blog Post: VPN – NLB

    Network Load Balancing is intended for stateless applications that do not have long-running in-memory state. Such application treats each client request as an independent operation, and therefore it can load-balance each request independently. Stateless applications often have read-only data or data...
  • Blog Post: How SSTP based VPN connection works

    In this blog, I will explain how SSTP based VPN tunnel works - i.e. the data flow during VPN connection coming up and how data transfer occurs. The flow to get VPN connection up looks like: 1) Client gets Internet connectivity and then establishes TCP connectivity to server over port 443. Let us...
  • Blog Post: What are the main requirements and factors to configure VPN based remote access?

    To start with you need to decide on VPN client and VPN server :). Let's say you are using inbuilt VPN client in Windows 98/2000/2003/XP and Windows 2000/2003 Server running RRAS. Now let's break up remote access requirement into following factors: 1) VPN Client : Your remote access users can use...
  • Blog Post: Remote Access Design Guidelines – Part 3: Tunnel selection, Authentication, Authorization and Accounting

    Hello Customers, In this post, I will walk through the most important topic – which authentication protocol, VPN tunnel to use, how to authorize access of your VPN users. Let's have a look: 3.1 User Authentication The remote access user is authenticated by the VPN server during VPN tunnel establishment...
  • Blog Post: Smart Defaults for VPN Strategy and Authentication Protocol in CMAK

    In W7 the CMAK wizard can be used to create CM profiles that can run on both Vista and W7 machines (a separate profile is still required for XP). When creating the profile if a VPN strategy or authentication protocol is specified which is not supported by Vista then CMAK automatically assigns default...
  • Blog Post: How Automatic Tunnel type works in VPN

    With the various previous blogs, we already know that SSTP (Secure Socket Tunneling Protocol) is a new VPN tunnel type which is added to the list of the already existing tunnel types, PPTP and L2TP. With this addition, there have been some changes in the definition of the existing tunnel type configuration...
  • Blog Post: RRAS Remote Access Policy

    I have seen a lot of queries related to remote access policy configuration - why, how, when... Let me try to clarify few of these: What is remote access policy? What is its usage? Remote access policies are an ordered set of rules that define whether remote access connection attempts are...
  • Blog Post: Vista, WS08: Security changes for remote access scenarios

    In Vista, following changes have been done in remote access from security perspective 1) All the weak crypto algorithms have been removed and new stronger crypto algorithms are added to VPN tunnels Let us take case by case – per tunnel basis 1.1) PPTP: 40/56 bit RC4 encryption is removed...
  • Blog Post: Advantages of SSTP based VPN tunnel

    In last week's blog, I wrote about SSTP - the new VPN tunnel which goes over HTTPS - hence increasing the coverage area of VPN connection to "everywhere". Today I am going to talk about advantages of SSTP compared to "network extension or full tunnel" solution delivered by other SSL products. Note:...
  • Blog Post: Verification of Additional Fields in Peer Certificates during IKE Negotiation in Windows Vista for L2TP/IPSec Tunnel Connections

    In Windows Vista IKE Layer authentication for L2TP/IPSec tunnel connections using machine certificates has been strengthened by verifying additional fields in the certificate presented by the peer during the IKE negotiation apart from validating that the certificate chains to the correct root certificate...
  • Blog Post: Provisioning VPN client settings using Group Policy

    Problem: Today, Microsoft VPN client can be configured in two ways as discussed in this article – a) in-built VPN client b) CM based VPN client. The first method requires end user to know the VPN settings and then create a VPN connection – which needs to be repeated by each user and prone to errors...
  • Blog Post: How to secure the server running RRAS role after doing upgrade or fresh install of Windows server 2008

    Hello, As you know in Windows server 2008 (WS08) we have removed “Basic Firewall” functionality in RRAS which existed in Windows Server 2003 (WS03). This leads to following security implications which you should carefully consider when configuring RRAS on WS08: 1) If you were running...
  • Blog Post: RRAS Performance results

    Hello Customers, A lot of you have requested directly or through the field channels about performance results of RRAS for different VPN tunnel types – specifically SSTP. I am writing this blog to share the results for the tests done internally by our test team (thanks Sai and other test team members...
  • Blog Post: VPN NAP Overview

    Network Access Protection provides a policy enforcement platform that helps in enforcing compliance on the client machines connecting to the network. This is governed by system health policies. Using VPN Enforcement, VPN servers can enforce health policy requirements any time a computer attempts to...
  • Blog Post: Remote Access Design Guidelines – Part 1: Overview

    Hello Customers, In last few releases, we have added plenty of “cool” features in RAS – like NAP based health check, SSTP based SSL tunnel, IPv6 support in Vista SP1/WS08 and IKEv2 based IPSec tunnel in Windows 7/WS08 R2. As a result, we have seen a lot of interesting questions from you- about various...
  • Blog Post: VPN server deployment: IP Addressing, Routing/NAT, Single vs two NIC

    Hi Folks, I have seen a lot of IP addressing, NIC, NAT related queries in different newsgroups. This blog is aimed to give you a quick view on this. First the basics on IP address/routing on RRAS perspective: Broadly there are two sets of machines (or subnets) which need IP addresses - one...
  • Blog Post: Difference between VPN/Firewall capabilities in RRAS and ISA

    RRAS Firewall functionality consists of two parts: static filters and basic firewall. Static filters are pure stateless filters (source/dest ip, port numbers, etc.) and can be used for VPN alone scenarios - both for protecting the box as well as network behind it. Whereas basic firewall is a simple stateful...
  • Blog Post: How VPN automatic tunnel type works

    RAS supports 3 types of tunnels namely Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Secure Socket Tunneling Protocol (SSTP) for connecting to work from home securely. When connecting from home you have option to either use automatic tunnel or PPTP, L2TP or SSTP tunnel...
  • Blog Post: What type of certificate to install on the VPN server

    Hello Friends, In my previous posting related to VPN tunnel selection, I discussed various scenarios in which you need to install a certificate on the VPN server. To summarize this requirement in a nutshell: except PPTP tunnel, for all the other tunnel types (i.e. IKEv2, SSTP and L2TP/IPSec) VPN...
  • Blog Post: Remote Access Design Guidelines – Part 2: VPN client software selection

    Hello Customers, In this post, I will walk through the different ways in which you can enable VPN functionality on the remote access devices (desktops, laptops used by your remote access users). Let's look at the various choices: 2.1 Operating Systems The remote access users in your organization will...
  • Blog Post: Different ways to add the routes

    Adding DOD static and Non-DOD static routes :- netsh routing ip add persistant Adding NETMGMT routes:- Preferred way is i)- route add ii)- netsh interface ip add route but there is an alternate way also to add the NETMGMT routes. netsh routing add rtmr
  • Blog Post: VPN tunnel strategy - defining the connection order between various tunnel types

    Hello Customers, As I wrote in this blog, there are four types of VPN tunnel supported by Windows 7 based VPN clients. In this blog I will focus on following things: how do you configure tunnel types on the client, how to decide on the tunnel type order while establishing connection, ... ...