PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2004 by Microsoft Corporation
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by
any means without the written permission of the publisher.
Library of Congress Cataloging-in-Publication Data
Davies, Joe
Deploying Virtual Private Networks with Microsoft Windows Server 2003 / Joe Davies, Elliot Lewis.
p. cm.
Includes index.
ISBN 0-7356-1576-4
1. Extranets (Computer networks). 2. Microsoft Windows Server. I. Title.
TK5105.875.E87W45 2003
004.6 dc21 2003042174
Printed and bound in the United States of America.
1 2 3 4 5 6 7 8 9 QWT 8 7 6 5 4 3
Distributed in Canada by H.B. Fenn and Company Ltd.
A CIP catalogue record for this book is available from the British Library.
Microsoft Press books are available through booksellers and distributors worldwide. For further information
about international editions, contact your local Microsoft Corporation office or contact Microsoft Press
International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send
comments to
Active Directory, ActiveX, Microsoft, Microsoft Press, MSDN, MSN, Outlook, Visual Basic, Windows, the
Windows logo, Windows Mobile, Windows NT, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. Other product and
company names mentioned herein may be the trademarks of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people,

places, and events depicted herein are fictitious. No association with any real company, organization,
product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Acquisitions Editor: Martin DelRe
Project Editor: Valerie Woolley
Technical Editor: Jim Johnson
Body Part No. X08-68739
iii
Contents
Acknowledgments xiii
Introduction xv
PART I VPN Technology
1 The Business Case for Virtual Private Networks 3
Overview of VPNs 4
The World as It Was 4
The World as It Is Today 5
The World as It Will Be 7
The Need for Security and Control 8
VPN Technology 9
Summary 10
2 VPN Overview 11
Virtual Private Network Definitions 11
Common Uses of VPNs 13
Basic VPN Requirements 16
Tunneling Basics 17
Tunneling Protocols 19
Point-to-Point Protocol (PPP) 20
Point-to-Point Tunneling Protocol (PPTP) 23
Layer Two Tunneling Protocol (L2TP) 23
Tunnel Types 29
VPN Administration 30

Authorizing VPN Connections 31
Scalability 31
RADIUS 32
Connection Manager and Managed VPN Connections 32
iv | Table of Contents
Accounting, Auditing, and Alarming 34
Summary 35
3 VPN Security 37
Basic Elements of Windows VPN Security 37
Authentication Security 38
Authorization Security 41
Encryption Security 41
Packet Filtering Security 43
Advanced VPN Security Features 44
EAP-TLS and Certificate-Based Authentication 44
Network Access Quarantine Control 46
Remote Access Account Lockout 47
Remote Access Policy Profile Packet Filtering 48
Summary 49
4 VPN Interoperability 51
VPN Technologies and Internet Standards 53
Remote Access VPN Requirements and IPSec-Based
Implementations 54
User Authentication 54
Address Assignment 56
PPTP: An Alternative to IPSec-Based VPNs 56
Future Directions for Microsoft VPN Support 58
Issues Customers Should Examine 58
Recommendations to VPN Vendors 59
Summary 59

PART II VPN Deployment
5 Remote Access VPN Components and Design Points 63
VPN Clients 64
The Connection Manager System 66
Single Sign-On 69
Installing a Certificate on a Client Computer 69
Design Point: Configuring the VPN Client 70
Table of Contents | v
Internet Network Infrastructure 71
VPN Server Name Resolvability 71
VPN Server Reachability 72
Authentication Protocols 73
Design Point: Which Authentication Protocol To Use 74
VPN Tunneling Protocols
Point-to-Point Tunneling Protocol
Layer Two Tunneling Protocol with IPSec
Design Point: PPTP or L2TP/IPSec?
VPN Server
Design Point: Configuring the VPN Server
Intranet Network Infrastructure
Name Resolution
Routing
Quarantine Resources
AAA Infrastructure
Remote Access Policies
Preventing Traffic Routed from VPN Clients
Windows Domain User Accounts and Groups
Design Point: AAA Infrastructure
Certificate Infrastructure
Computer Certificates for L2TP/IPSec

Certificate Infrastructure for Smart Cards
Certificate Infrastructure for User Certificates
Design Point: Certificate Infrastructure
Summary
75
75
75
76
77
79
82
82
84
88
89
90
92
94
95
96
96
97
98
99
100
6 Deploying Remote Access VPNs 101
Deploying PPTP or L2TP/IPSec Remote Access 102
Deploying a Certificate Infrastructure 102
Installing Computer Certificates 103
Deploying Smart Cards 106

Installing User Certificates 107
Deploying an Internet Infrastructure 111
Placing VPN Servers in a Perimeter Network or
on the Internet 111
vi | Table of Contents
Installing Windows Server 2003 on the VPN Server
and Configuring Internet Interfaces 111
Adding Address Records to Internet DNS Servers 112
Deploying an AAA Infrastructure 112
Configuring Active Directory for User Accounts and Groups 112
Configuring the Primary IAS Server Computer 113
Configuring IAS with RADIUS Clients 116
Configuring a VPN Remote Access Policy with
Windows Server 2003 IAS 117
Configuring the Secondary IAS Server Computer 119
Deploying VPN Servers 120
Configuring the VPN Server’s Connection to the Intranet 120
Running the Routing And Remote Access
Server Setup Wizard 120
Deploying an Intranet Infrastructure 121
Configuring Routing on the VPN Server 122
Verifying Name Resolution and Intranet Reachability
from the VPN Server 122
Configuring Routing for Off-Subnet Address Ranges 122
Configuring Quarantine Resources 123
Deploying VPN Clients 123
Manually Configuring VPN clients 123
Configuring CM Packages with CMAK 124
Summary 124
7 Using Connection Manager for Quarantine Control and

Certificate Provisioning 127
Deployment and Quarantine Control Using Connection
Manager 128
Creating L2TP/IPSec Connections with Connection
Manager 128
Deploying Network Access Quarantine Control with
Connection Manager 128
Configuring the Initial Test Lab 130
DC1 132
CA1 134
Install IIS 134
Table of Contents | vii
Configure a shared folder 135
IIS1 136
VPN1 136
CLIENT1 139
Configuring and Testing Network Access Quarantine
Control and Certificate Provisioning 140
DC1 140
Update Group Policy 151
Update Group Policy 154
VPN1 155
Summary 168
8 Site-to-Site VPN Components and Design Points 169
Demand-Dial Routing in Windows Server 2003 169
Demand-Dial Routing Updates 171
Introduction to Site-to-Site VPN Connections 172
Components of Windows Server 2003 Site-to-Site VPNs 176
VPN Routers
Internet Network Infrastructure

Authentication Protocols
VPN Protocols
Site Network Infrastructure
AAA Infrastructure
Certificate Infrastructure
Summary
177
185
187
189
191
194
201
203
9 Deploying Site-to-Site VPNs 205
Deploying a Site-to-Site VPN Connection 205
Deploying the Certificate Infrastructure 206
Deploying the Internet Infrastructure 214
Deploying the Answering Router 215
Deploying the Calling Router 220
Deploying the AAA Infrastructure 222
viii | Table of Contents
Deploying the Site Network Infrastructure 228
Deploying the Intersite Network Infrastructure 235
Summary 241
10 A VPN Deployment Example 243
Introducing Contoso, LTD 243
Common Configuration for the VPN Server 244
Network Configuration 244
Remote Access Policy Configuration 248

Domain Configuration 248
Security Configuration 249
VPN Remote Access for Employees 249
Domain Configuration 250
Remote Access Policy Configuration 250
PPTP-Based Remote Access Client Configuration 250
L2TP/IPSec-Based Remote Access Client Configuration 250
On-Demand Branch Office 251
Additional Configuration 252
PPTP-Based On-Demand Branch Office 253
L2TP/IPSec-Based On-Demand Branch Office 255
Persistent Branch Office 257
Additional Configuration 258
PPTP-Based Persistent Branch Office 260
L2TP/IPSec-Based Persistent Branch Office 263
Extranet for Business Partners 265
Additional Configuration 266
PPTP-Based Extranet for Business Partners 268
L2TP/IPSec-Based Extranet for Business Partners 269
Dial-Up and VPNs with RADIUS Authentication 270
Domain Configuration 271
RADIUS Configuration 272
Dial-Up Remote Access Client Configuration 272
Summary 273
Table of Contents | ix
PART III VPN Troubleshooting
11 Troubleshooting Remote Access VPN Connections 277
Troubleshooting Tools 278
TCP/IP Troubleshooting Tools 278
Authentication and Accounting Logging 278

Event Logging 279
IAS Event Logging 279
PPP Logging 280
Tracing 280
Oakley Logging 281
Network Monitor 282
Troubleshooting Remote Access VPNs 282
Unable to Connect 283
Unable to Reach Locations Beyond the VPN Server 292
Summary 293
12 Troubleshooting Site-to-Site VPN Connections 295
Troubleshooting Tools 295
Troubleshooting Site-to-Site VPN Connections 296
Unable to Connect 297
Unable to Reach Locations Beyond the VPN Routers 306
Unable To Reach the Virtual Interfaces of VPN Routers 308
On-Demand Connection Is Not Made Automatically 309
Summary 309
PART IV Appendixes
A VPN Deployment Best Practices 313
Stick to the Standards 313
Choice of Tunneling Protocols 313
Choice of Authentication Protocols 314
Scalability 315
Use of IAS/RADIUS 315
VPN Privileges for Users 316
Packet Filters 316
Split Tunneling 317
x | Table of Contents
Use of Quarantine—Being Realistic 317

Two-Factor Authorization: Smart Cards with
Tokens or Biometrics 318
Connection Manager and Phone Book Administrator 318
Site-to-Site 319
Troubleshooting: Do It by the Book! 321
Summary 321
B Configuring Firewalls for VPN 323
VPN Server in Front of the Firewall 323
Packet Filters for PPTP 324
Packet Filters for L2TP/IPSec 325
VPN Server Behind the Firewall 326
Packet Filters for PPTP 327
Packet Filters for L2TP/IPSec 329
Filters on the Internet Interface 329
VPN Server Between Two Firewalls 331
C Deploying a Certificate Infrastructure 333
Certificate Revocation and EAP-TLS Authentication 334
Using Third-Party CAs for EAP-TLS Authentication 337
Certificates on the Authenticating Servers 337
Certificates on VPN Client Computers 337
Summary 338
D Setting Up Remote Access VPN Connections in a Test Lab 339
PPTP-Based Remote Access VPN Connections 339
DC1 341
IAS1 345
IIS1 348
VPN1 349
CLIENT1 351
L2TP/IPSec-Based Remote Access VPN Connections 354
DC1 354

VPN1 355
CLIENT1 356
Table of Contents | xi
EAP-TLS-Based Remote Access VPN Connections 357
DC1 358
IAS1 362
CLIENT1 363
Summary 365
E Setting Up Connection Manager in a Test Lab 367
Configuring the Initial Test Lab 367
DC1 369
IAS1 371
IIS1 373
VPN1 373
CLIENT1 375
Configuring and Testing a Dial-Up Profile 376
DC1 376
IAS1 376
IIS1 377
VPN1 379
CLIENT1 385
Configuring and Testing a PPTP Profile 387
DC1 388
IAS1 388
IIS1 389
VPN1 389
CLIENT1 392
Configuring and Testing an L2TP/IPSec Profile 393
DC1 394
VPN1 396

IAS1 398
CLIENT1 398
Configuring and Testing an EAP Profile 399
DC1 399
IAS1 401
VPN1 401
CLIENT1 404
Summary 405
xii | Table of Contents
F Setting Up a PPTP-Based Site-to-Site
VPN Connection in a Test Lab 407
Setting Up the Test Lab 407
Configuration for CLIENT1 409
Configuration for CLIENT2 410
Computer Setup for the Answering and Calling Routers 410
Computer Setup for the Internet Router 411
Configuring a PPTP-Based Site-to-Site VPN Connection 412
Configuring VPN on the Answering Router 413
Configuring the Demand-Dial Interface
on the Answering Router 414
Configuring VPN on the Calling Router 416
Configuring the Demand-Dial Interface
on the Calling Router 417
Initiating the VPN Connection 418
Testing the VPN Connection 418
Summary 419
G Frequently Asked Questions 421
Virtual Private Networks Defined 421
Microsoft Support for VPNs 422
VPN Standards and Interoperability 424

VPN Deployment 430
Index 435
xiii
Acknowledgments
From the beginning, writing Deploying Virtual Private Networks with Microsoft Win-
dows Server 2003 was a labor of love for me. As the lead program manager for
Secure Network Access in Windows Networking, I have seen the VPN features of
Window Server 2003 deployed for many customers, and it is a matter of passion for
me to make sure that everyone and anyone who wants to use these awesome fea-
tures has the resources to do so. That’s why, when Microsoft Press came to ask me
to write this book, I immediately went to the very best technical author and domain
expert I knew to ask him for the privilege to partner on it. Thank goodness, Joseph
Davies honored me by accepting my request, and he helped lead the way to mak-
ing this book a reality. Joe, it has been a privilege—and an honor—to work with
the very best. Thank you!
Joe and I also want to thank Susan Ferrell and Douglas Goodwin, who assisted in
providing content, and Rany El Housieny, who provided key pieces of the technical
information for the CD. You guys are awesome—thanks for helping to bring this
book together.
The team at Microsoft Press is simply hands-down the best publishing group I have
ever worked with. Jean Trenary and Valerie Woolley were instrumental throughout
the writing process. They helped me stay on track and to get the tools I needed to
write this book; they crunched the schedules, kept us moving, and hounded me in
all the right ways. Completing and publishing the book wouldn’t have been possi-
ble without their help! Through tight schedules, changing staff, and all kinds adver-
sity, you two kept this machine moving. Well done—and thank you!
Any author will tell you that the most painful part of writing a book is not creating
the chapter content—it’s having the editorial staff tear through the work and bring
you back to reality on your writing skills. Jim Johnson was the technical editor for
the book, and I want to say that I have never had a better technical editor in any of

the writing projects I have done. Jim, you’re the best—thanks for keeping the bar
high! Roger LeBlanc was our copyeditor and an excellent technical resource, as
well. Roger, thank you for critiquing our work in all the right ways. Al Valvano, Jeff
Koch, and Martin DelRe, thank you for your help throughout this project and for
making this book a reality.
Most importantly, I want to thank my wife, Meg, and my sons, Zack, Ben, and
James, for all your patience and understanding. You sacrificed many months of per-
sonal time without me so that I could write this book, and you deserve all the credit
for making it happen. I love you very much.
And finally—my father, Mark Lewis, told me recently that it’s one of his great
dreams to see his name in print in a published book. My mother, Adrianne Yaffe, is
an aspiring author herself, and I’m sure that she will accomplish this feat on her
own. But for you, Dad, well, some wishes do come true. (Now, if only the New
York Giants could win another Super Bowl for us, J.) I love you both.

xv
Introduction
Welcome to Deploying Virtual Private Networks with Microsoft Windows Server
2003, your complete source for the information you need to design and deploy Vir-
tual Private Networks (VPNs) using Windows Server 2003 and all of the Windows
Client operating systems. This book includes overview explanations of the various
technologies involved in deploying both remote access and site-to-site VPNs over
the Internet and/or within a private network. It also includes step-by-step instruc-
tions on how to deploy basic remote access and site-to-site VPNs using various tun-
neling protocols and authentication methods, step-by-step instructions on advanced
features such as Connection Manager and Network Access Quarantine Control, and
detailed procedures on how to troubleshoot your VPN deployments.
Virtual private networking is all about ensuring privacy and security on the Internet
so that you can use the Internet as a communications network for your users and
remote offices. In today’s world of open communications and connectivity on the

Internet, you should remember the following quotation when thinking about security:
Security is not binary. It is not a switch or even a series of switches. It can-
not be expressed in absolute terms. Do not believe anyone who tries to con-
vince you otherwise. Security is relative—there is only more secure and
less secure. Furthermore, security is dynamic—people, process, and tech-
nology all change. The bottom line is that all of these factors make man-
aging security difficult.
—Ben Smith and Brian Komar, Microsoft Windows Security Resource Kit, Microsoft
Press, 2003.
Deploying Virtual Private Networks with Microsoft® Windows Server
TM
2003
describes the combination of technologies in Windows that supports the strongest
set of industry standards for VPN access that was available at the time of the writing
of this book.
How This Book Is Structured
Deploying Virtual Private Networks with Microsoft Windows is structured to pro-
vide a conceptual overview of not only VPNs, but also of all the other components
of the authentication infrastructure, such as Remote Authentication Dial-In User Ser-
vice (RADIUS), authentication protocols, certificate services, and Active Directory.
Many companies have not implemented some of these services, so this book takes
the time to explain them in a conceptually as they pertain to VPN technologies. We
cover the basic operations and setup of all necessary services, and as the issues go
xvi | Introduction
into deeper detail, we point you toward the appropriate resources external to this
book. We start off with conceptual overviews of all of the pertinent services and
components, and then we go into describing the steps of deploying both remote
access VPNs for many users to access corporate resources. From there, we cover
site-to-site VPNs to connect remote offices to each other over the Internet. Finally,
this book describes how to troubleshoot the full architecture of VPN deployments,

with both remote access and site-to-site configurations.
Part I, “VPN Technology,” provides an introduction to the business case of VPNs,
an overview of the two types of VPN connections—remote access and site-to-site—
an overview of VPN security issues, and a discussion of interoperability issues with
VPN technologies from other vendors. Part I includes the following chapters:
• Chapter 1, “The Business Case for Virtual Private Networks,” presents the
case for deploying VPN services and mobile computing in today’s busi-
nesses. The world of the Internet has changed the way that corporations do
business with mobile computers of all kinds, and VPN technology keeps all
of the transmissions and communications secure on the Internet. We address
the issues that every business owner needs to be aware of when building
out a VPN solution on the Internet, and we also describe how integral a
good VPN solution is to businesses of all sizes today.
• Chapter 2, “VPN Overview,” describes the basic concepts of VPN solutions,
such as remote access for individual users and site-to-site for remote office
connectivity. We then cover the technologies that comprise a VPN, such as
tunneling protocols, authentication protocols, and the server and client com-
puting components to the VPN solutions built into Windows operating
systems.
• Chapter 3, “VPN Security,” presents the basics of VPN security, from the use
of certificates versus preshared keys, the various authentication protocols,
and the pros and cons of each, to the differences between Point-to-Point
Tunneling Protocol (PPTP), Layer Two Tunneling Protocol with Internet Pro-
tocol Security (L2TP/IPSec). We make recommendations regarding your
choices for secure VPN connections and for the options you need to con-
sider when designing your VPN deployment.
• Chapter 4, “VPN Interoperability,” examines interoperability issues with
third-party VPN providers. We go over the protocol interoperations and
authentication protocol issues that you need to know to mesh Microsoft VPN
technologies with your existing solutions.

Part II, “VPN Deployment,” provides you with the information you need to plan
and deploy your remote access or site-to-site VPN solutions. To understand how to
deploy and troubleshoot VPNs, you must have an understanding of the underlying
technologies and how they work. These technologies include VPN gateway ser-
Introduction | xvii
vices, VPN client services, authentications services and protocols (including
RADIUS, and Certificate Services), Connection Manager, and Network Access Quar-
antine Control. Part II includes the following chapters:
• Chapter 5, “Remote Access VPN Components and Design Points,” presents
the components for remote access VPN connections, which is the technol-
ogy you use to connect individual users to a private network by using tun-
neling protocols over the Internet. We cover design points that you will need
to consider prior to deployment, as well as an in-depth overview of each
related service and the options to consider when deploying those services
for remote access VPNs.
• Chapter 6, “Deploying Remote Access VPNs,” includes complete step-by-
step instructions for deploying a basic remote-access VPN solution using
Windows Server 2003 as the VPN server and Windows XP or Windows 2000
Professional as the VPN client and all of the supporting services that go with
VPN deployment, including Internet Authentication Service (a RADIUS
server), Certificate Services, and Active Directory.
• Chapter 7, “Using Connection Manager for Quarantine Control and Certifi-
cate Provisioning,” describes the advanced features you need to make the
client VPN experience secure and seamless for the users. We cover creating
Connection Manager profiles with Network Access Quarantine Control acti-
vated, and we run you through how to set up a test lab to use Connection
Manager and quarantine to deploy certificates for secure access for your
users. You can use the basic setup for Connection Manager and quarantine
in this test lab to deploy a completely customized quarantine solution to
ensure the configurations of your VPN clients conform to network policy

requirements.
• Chapter 8, “Site-to-Site VPN Components and Design Points,” discusses the
components for site-to-site VPN connections, which is the technology you
use to connect remote offices to each other by using tunneling protocols
over the Internet. We cover design points that you will need to consider
prior to deployment, as well as providing an in-depth overview of each
related service and the options to consider when deploying those services
for site-to-site VPN.
• Chapter 9, “Deploying Site-to-Site VPNs,” provides complete step-by-step
instructions on deploying a basic site-to-site VPN solution using Windows
Server 2003 as the VPN routers, and all of the support services that go with
the deployment, including Internet Authentication Service, Certificate Ser-
vices, and Active Directory.
xviii | Introduction
• Chapter 10, “A VPN Deployment Example,” pulls together all of the material
from the previous nine chapters to show you a complete solution with
remote access and site-to-site VPN solutions deployed for a typical business.
You will see all of the services and components functioning together. You
can use this chapter to review a typical VPN deployment, which will allow
you to plan your deployment with various options in mind.
Part III, “VPN Troubleshooting,” provides you with troubleshooting information and
advice.
VPN deployment involves the mutual operations of many different services, compo-
nents, and Internet connectivity solutions, so you will need to have a defined pro-
cedure for troubleshooting the environment that enables you to identify problems
quickly and easily.
• Chapter 11, “Troubleshooting Remote Access VPN Connections,” steps
through detailed testing and troubleshooting solutions for your remote
access VPN deployment. By following the procedures in the order in which
they are delivered in the chapter, you should be able to find and resolve

most of the problems that you are experiencing with your remote access
VPN connections.
• Chapter 12, “Troubleshooting Site-to-Site VPN Connections,” steps you
through detailed testing and troubleshooting solutions for your site-to-site
VPN deployment. By following the procedures in the order in which they
are delivered in the chapter, you should be able to find and resolve most of
the problems that you are experiencing with your site-to-site VPN connec-
tions.
Part IV, “Appendixes,” includes the following:
• Appendix A, “VPN Deployment Best Practices,” is a collection of all the best
practices from the entire book for deploying VPN solutions, for your quick
reference. By referring to this section, you will be able to make the best
decisions for your VPN deployment.
• Appendix B, “Configuring Firewalls for VPN,” is a comprehensive overview
of the ports and protocols for packet filters that you will need to configure
on your firewall in order for VPN solutions to function across firewall
boundaries.
• Appendix C, “Deploying a Certificate Infrastructure,” describes the design ele-
ments of deploying a certificate infrastructure, also known as a public key
infrastructure (PKI), using Windows Server 2003 and certificate requirements
for third-party certification authorities.
• Appendix D, “Setting Up Remote Access VPN Connections in a Test Lab,”
provides step-by-step instructions for the setup of a test lab for remote
access VPN connections.
Introduction | xix
• Appendix E, “Setting Up Connection Manager in a Test Lab,” provides step-
by-step instructions for the setup of a test lab for Connection Manager
Administration Kit and Phone Book Services.
• Appendix F, “Setting Up a PPTP-Based Site-to-Site VPN Connections in a
Test Lab,” provides step-by-step instructions for the setup of a test lab for

PPTP-based site-to-site VPN connections.
• Appendix G, “Frequently Asked Questions,” is a comprehensive list of fre-
quently asked questions for Windows VPN deployments.
About the CD-ROM
• This book includes a Supplemental CD-ROM that contains a few informa-
tional aids to complement the book content:
• An electronic version of this book (eBook) that you can view onscreen
using the Adobe Reader. For more information, see the Readme.txt file
included in the root folder of the Supplemental CD-ROM.
• Additional information and sample logs for troubleshooting L2TP, IPSec,
PPTP, and other protocols
Additional Resources
Deploying Virtual Private Networks with Microsoft Windows Server 2003 is primarily
a deployment book, not a technical reference. It is designed to provide enough
background information so that you can understand the basic workings of the vari-
ous technologies to plan and deploy secure remote access and site-to-site VPN
solutions. There are many topics that, for a completely thorough treatment, would
fill their own books. For more detailed technical or deployment information about
specific elements of secure network access deployment, such as RADIUS using
Internet Authentication Service, Active Directory, or PKI, see the following Web
sites:
• Internet Authentication Service:
• Active Directory:
• Windows 2000 Security Services:
/technologies/security/default.asp
• Windows Server 2003 Security Services:
/windowsserver2003/technologies/security/default.mspx
For the latest information about support for VPNs in Windows, see the Microsoft
VPN Web site at
xx | Introduction

Conventions Used in This Book
Throughout the book, you will find special sections set aside from the main text.
These sections draw your attention to topics of special interest and importance or
to problems that implementers invariably face during the course of a deployment.
These features include the following:
Informational Notes
Note This feature is used to underscore the importance of a specific concept
or to highlight a special case that might apply only to certain situations.
More Info When additional material is available on a subject, whether in other
sections in the book or from outside sources such as Web sites or white
papers, the links to these extra sources are provided in the More Info sections.
Caution The Caution feature points out the places where you can get yourself
into trouble if you do something or fail to do something. Pay close attention to
these sections because they could save you a great deal of aggravation.
Tip This feature directs your attention to advice on timesaving or strategic
moves.
Best Practices Getting the most stable performance and the highest quality
deployment often means knowing a few ins and outs. The Best Practices sec-
tions are where you’ll find such pieces of knowledge.
Planning There are times when an ounce of prevention through planning is
worth many hours of troubleshooting and downtime. Such times merit the Plan-
ning feature.
Notational Conventions
The following conventions are used throughout the book.
• Characters or commands that you type appear in bold type.
• Italic in syntax statements indicates placeholders for variable information.
Italic is also used in book titles and URLs, and in key words and terms when
they are first introduced.
Introduction | xxi
• Names of files and folders appear in Title caps, except when you are to type

them in directly. Unless otherwise indicated, you can use all lowercase let-
ters when you type a filename in a dialog box or at a command prompt.
• Filename extensions appear in all lowercase.
• Acronyms appear in all uppercase.
• Monospace type represents code samples, examples of screen text, or entries
that you might type at a command prompt or in initialization files.
• Square brackets [] are used in syntax statements to enclose optional items.
For example, [filename] in command syntax indicates that you can choose to
type a filename with the command. Type only the information within the
brackets, not the brackets themselves.
• Braces {} are used in syntax to enclose required items. Type only the infor-
mation within the braces, not the braces themselves.
System Requirements
The Supplemental CD-ROM consists of the eBook and a number of files and folders
containing content intended to augment this book. To view the eBook, you need
any system that is capable of running the Adobe Reader or Adobe Acrobat (http:
//www.adobe.com).
The basic requirements of processor speed, memory size, hard disk space, display
color depth and resolution, and a pointing device are determined by the version of
Microsoft Windows that you use to process the contents of the CD.
The CD-ROM drive should be 4X or faster. A faster drive is recommended if you
intend to access the files from the CD rather than copy them to a hard disk. Copy-
ing the CD contents to a hard disk will require approximately 365 MB of hard disk
space.
There are no audio or video files on the CD; therefore, there are no requirements
for sound cards.

Part I
VPN Technology


3
Chapter 1
The Business Case for Virtual
Private Networks
Congratulations on purchasing this book! You have just taken a major step in bring-
ing the power of the Internet to your company’s arsenal of business tools. This
book will show you how to design, implement, and use virtual private networks
(VPNs) that are based on Microsoft Windows Server 2003 and Microsoft client oper-
ating systems. VPN can be a very complex topic—it is the convergence of several
networking protocols and services, some of which you might already know and
some of which you will be encountering for the first time. Don’t worry, though,
because we’ll help you through that complexity, and in the end you’ll be able to
use the power of the Internet to enable your business to reach new heights of com-
munications, collaboration, and productivity. The beauty of VPN is that it is a net-
work layer technology, which means that the applications your company runs do
not need to know about it or support it. VPN will operate across the board for all
applications, extending your company’s reach and user productivity with full secu-
rity and functionality to the mobile-computing world.
For any technology this powerful and that adds this much functionality and value to
your company, most IT administrators are willing to invest heavily in third-party
VPN concentrators, special client applications, and special services from different
vendors to enable secure remote access for their users. The really good news is that
VPN services are built into the Windows Server 2003 family, and all Windows client
operating systems have VPN client software built in as well. If you are running Win-
dows servers and clients, you are capable of deploying VPN today with no extra
software or hardware costs. In this book, we’ll show you how to implement a fully
functioning remote access solution based solely on Windows features you already
own in the server and client operating systems.
To cover VPN properly, we need to set the stage by telling you what brings VPN to
the forefront of your networking needs. VPN is not a luxury anymore. In the cur-

rent day business environment, it is a necessity. Without VPN, you are missing a
major portion of your potential as a business—no matter what type of business you
are in.