Windows 7 Resource Kit- P28

Enhancements for Connecting Remote Users and Networks in Windows 7 CHAPTER 27
1303
How DirectAccess Works
DirectAccess is built on several different technologies as described in the next sections.
ACTIVE DIRECTORY DOMAIN SERVICES
An Active Directory Domain Services (AD DS) infrastructure is required for DirectAccess, with
at least one domain controller in the domain running Windows Server 2008 or later versions.
DirectAccess clients and servers must be domain members.
WINDOWS 7 AND WINDOWS SERVER 2008 R2
Client computers must be running Windows 7 Enterprise or Ultimate operating systems or
Windows Server 2008 R2 to use DirectAccess. In addition, at least one server on the corporate
network must be running Windows Server 2008 R2 so it can act as the DirectAccess server.
This server typically resides on your perimeter network and acts as both a relay for IPv6 traffic
and also an IPsec gateway.
IPV6
DirectAccess uses IPv6 to enable client computers to maintain constant end-to-end connec-
tivity with remote intranet resources over a public Internet connection. Because most of the
public Internet currently uses IPv4, however, DirectAccess can use IPv6 transition technologies
such as Teredo and 6to4 to provide IPv6 connectivity over the IPv4 Internet. The preferred
connectivity method for the client computer depends on the type of IP address assigned to
the client. Specifically:
• If the client is assigned a globally routable IPv6 address, the preferred connectivity method is to use this address.
• If the client is assigned a public IPv4 address, the preferred connectivity method is to use 6to4.
• If the client is assigned a private (NAT) IPv4 address, the preferred connectivity method is to use Teredo.
• If the client is assigned a private (NAT) IPv4 address and the NAT device also provides 6to4 gateway functionality, 6to4 will be used.
If none of these connectivity methods can be used in a particular scenario, DirectAccess
can also use IP-HTTPS, a new protocol developed by Microsoft for Windows 7 and Windows
Server 2008 R2, which enables hosts located behind a Web proxy server or firewall to estab-
lish connectivity by tunneling IPv6 packets inside an IPv4-based HTTPS session. For more
information about IPv6 transition technologies and about IP-HTTPS, see Chapter 28, “Deploy-
ing IPv6.”
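The selection order above can be modelled as a small decision function. The following PowerShell is an added example and is not code from the Windows 7 Resource Kit or from the DirectAccess client itself; the function name, its parameters, the RFC 1918 test used to recognize a NAT-assigned address, and the choice to fall back to IP-HTTPS for non-global IPv6 addresses are all this example's own assumptions.

```powershell
# Added example (not from the Windows 7 Resource Kit): models the DirectAccess
# client's connectivity preference order. Names and the private-range test are
# this example's own assumptions.
function Test-PrivateIPv4 {
    param([System.Net.IPAddress] $Address)
    # RFC 1918 ranges, which a client normally sees only when it sits behind a NAT.
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-DirectAccessPreferredTransition {
    param(
        [Parameter(Mandatory=$true)] [string] $ClientAddress,
        [switch] $NatProvides6to4,       # the NAT device is also a 6to4 gateway
        [switch] $OnlyHttpsAllowedOut    # Web proxy/firewall permits only outbound HTTPS
    )
    $ip = [System.Net.IPAddress]::Parse($ClientAddress)

    # IP-HTTPS is the last resort when native IPv6, 6to4 and Teredo are all blocked.
    if ($OnlyHttpsAllowedOut) { return 'IP-HTTPS (IPv6 tunneled in HTTPS, TCP 443)' }

    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        # Global unicast IPv6 (2000::/3) is used directly. Assumption of this
        # example: link-local or unique-local addresses cannot reach the
        # DirectAccess server, so they fall back to IP-HTTPS.
        if (($ip.GetAddressBytes()[0] -band 0xE0) -eq 0x20) { return 'Native IPv6' }
        return 'IP-HTTPS (IPv6 tunneled in HTTPS, TCP 443)'
    }

    if (Test-PrivateIPv4 $ip) {
        # Private (NAT) address: Teredo, unless the NAT itself offers 6to4.
        if ($NatProvides6to4) { return '6to4 (through the NAT gateway)' }
        return 'Teredo (UDP 3544)'
    }
    # Public IPv4 address: 6to4 (IPv4 protocol 41).
    return '6to4'
}

# Usage with constructed sample addresses:
Get-DirectAccessPreferredTransition -ClientAddress '2001:db8::10'
Get-DirectAccessPreferredTransition -ClientAddress '203.0.113.7'
Get-DirectAccessPreferredTransition -ClientAddress '192.168.1.20'
Get-DirectAccessPreferredTransition -ClientAddress '192.168.1.20' -NatProvides6to4
Get-DirectAccessPreferredTransition -ClientAddress '192.168.1.20' -OnlyHttpsAllowedOut
```

The function is useful when troubleshooting a client that connects more slowly than expected: comparing the method it should prefer with the interface that actually carries the traffic (for example, a Teredo interface where 6to4 was expected) points at the NAT or firewall behaviour to examine.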
For remote client computers to use DirectAccess to connect to computers on the internal
corporate network, these computers and their applications must be reachable over IPv6. This
means the following:
• The internal computers and the applications running on them support IPv6. Computers running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2 support IPv6 and have IPv6 enabled by default.
• You have deployed native IPv6 connectivity or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) on your intranet. ISATAP allows your internal servers and applications to be reachable by tunneling IPv6 traffic over your IPv4-only intranet.
For computers and applications that do not support IPv6, you can use a Network Address
Translation-Protocol Translation (NAT-PT) device to translate IPv6 and IPv4 traffic. Microsoft
recommends using IPv6-capable computers and applications and native IPv6 or ISATAP-based
connectivity over the use of NAT-PT devices.
IPSEC
DirectAccess uses IPsec to provide protection for DirectAccess traffic across the Internet.

IPsec policies are used for authentication and encryption of all DirectAccess traffic across the
Internet. These policies can also be used to provide end-to-end traffic protection between
DirectAccess clients and intranet resources. These policies are configured and applied to client
computers using Group Policy. For more information on IPsec and how to configure it, see
Chapter 26.
PUBLIC KEY INFRASTRUCTURE
A Public Key Infrastructure (PKI) is required to issue computer certificates for authentication,
issue health certificates when NAP has been implemented, and provide certificate revocation
checking services. These certificates can be issued by a certification authority (CA) on the
internal network; they do not need to be issued by a public CA.
PERIMETER FIREWALL EXCEPTIONS
If your corporate network has a perimeter firewall, the following traffic to and from the
DirectAccess server over the IPv4 Internet must be allowed:
• UDP port 3544 for Teredo traffic
• IPv4 protocol 41 for 6to4 traffic
• TCP port 443 for IP-HTTPS traffic
If you need to support client computers that connect over the IPv6 Internet, the following
traffic to and from the DirectAccess server must be allowed:
• Internet Control Message Protocol version 6 (ICMPv6)
• UDP port 500
• IPv4 protocol 50

SMART CARDS
DirectAccess also supports the optional use of smart cards for authenticating remote users.
Implementing DirectAccess
To implement DirectAccess on the server side, you need a computer running Windows Server
2008 R2 with two physical network adapters and at least two consecutive public IPv4 addresses
that can be externally resolved through the Internet DNS. You can add the DirectAccess
Management Console feature using Server Manager and then use the DirectAccess Setup
Wizard in the DirectAccess Management Console to configure DirectAccess on your network.
For more information on setting up the server side of DirectAccess, click the Help links in the
DirectAccess Management Console.
To implement DirectAccess on the client side, your client computers must be running
Windows 7 Enterprise or Ultimate Edition, be domain joined, and be a member of a security
group for DirectAccess clients. Initial configuration is done automatically by the DirectAccess
Setup Wizard for the members of the specified security groups for DirectAccess clients.
Additional client configuration can be done using Group Policy settings or with scripts.
MORE INFO
For more information on deploying a DirectAccess solution for your organization, see the technical documentation found on the DirectAccess page on TechNet. See also the product documentation.

Understanding BranchCache
BranchCache is a new feature of Windows 7 and Windows Server 2008 R2 that allows content
from file servers and Web servers at a central office to be cached on computers at a local
branch office, thus improving application response time and reducing WAN traffic. This sec-
tion provides an overview of the benefits of BranchCache, how it works, and how it can be
implemented.
Benefits of BranchCache
BranchCache can provide the following benefits to enterprises and their users:
• Reduces WAN link utilization: By enabling branch office clients to use locally cached copies of files instead of having to download them from the central office over the WAN, BranchCache reduces WAN link utilization, thus freeing up bandwidth for other applications that need to use the WAN.
• Improves user productivity and reduces application response time: Opening a file located on a remote file server from a locally cached version of the file is typically much faster than downloading the file over a slow WAN link. BranchCache thus increases user productivity when accessing content over the WAN for applications that use Server Message Block (SMB; for example, using Microsoft Office Word to open a document stored in a shared folder on a file server) or HTTP/HTTPS (for example, using Windows Internet Explorer to open a page on an intranet Web site or using Windows Media Player [WMP] to play a video embedded in an intranet Web page).
BranchCache adds significant value to Windows 7 and Windows Server 2008 R2 with
little overhead by providing significant bandwidth savings and an improved user experience.
BranchCache doesn’t require additional equipment in the branch offices, is easy to deploy,
supports your existing security requirements, and can be easily managed using Group Policy.
How BranchCache Works
Depending on how you implement it, BranchCache can function in one of two modes:
• Hosted Cache: This scenario uses a client/server architecture in which clients running Windows 7 at a branch office site cache the content they’ve downloaded over the WAN from the central office to a Windows Server 2008 R2 computer (called the Hosted Cache) located at the same branch office site. Other clients that need this content can then retrieve it directly from the Hosted Cache without needing to use the WAN link.
  Hosted Cache mode does not require a dedicated server. The BranchCache feature can be enabled on a server that is running Windows Server 2008 R2, which is located in a branch that is also running other workloads. In addition, BranchCache can be set up as a virtual workload and can run on a server with other workloads, such as File and Print.
• Distributed Cache: This scenario uses a peer-to-peer architecture in which Windows 7 clients cache content that they retrieve by using the WAN, and then they send that content directly to other authorized Windows 7 clients on request.
  Distributed Cache mode allows IT professionals to take advantage of BranchCache with minimal hardware deployments in the branch office. However, if the branch has deployed other infrastructure (for example, servers running workloads such as File or Print), using Hosted Cache mode may be beneficial for the following reasons:
  - Increased cache availability: Hosted Cache mode increases the cache efficiency, because content is available even if the client that originally requested the data is offline.
  - Caching for the entire branch office: Distributed Cache mode operates on a single subnet. If a branch office that is using Distributed Cache mode has multiple subnets, a client on each subnet needs to download a separate copy of each requested file. With Hosted Cache mode, all clients in a branch office can access a single cache, even if they are on different subnets.
Protocols Supported by BranchCache
BranchCache supports the SMB 2 and HTTP 1.1 protocols. Applications do not need to directly
communicate with BranchCache, although they can if they need to. However, applications
accessing SMB and HTTP interfaces in the Windows 7 and Windows Server 2008 R2 operating
systems automatically benefit from BranchCache.
Consequently, applications like Windows Explorer, Robocopy, CopyFile, WMP, Internet
Explorer, and Silverlight automatically benefit. These benefits are also realized when using
HTTPS, IPsec, or SMB signing. However, applications that implement their own SMB or HTTP
stacks will not benefit from BranchCache, because BranchCache optimizations are leveraged
directly by the SMB and HTTP protocol stack implementations in the Windows 7 and Windows
Server 2008 R2 operating systems.
Implementing BranchCache
To implement BranchCache for a file server located at your central site, the file server must
be running Windows Server 2008 R2 and you must install the BranchCache For Network Files
role service of the File Services role on the server using the Add Roles Wizard. After doing
this, you must also configure the shares on your file server to use BranchCache. Using Group
Policy, you can enable or disable BranchCache on all your file server’s shares, or you can mark
specific shares to use BranchCache.
To implement BranchCache for a Web or application server located at your central site, the
Web or application server must be running Windows Server 2008 R2, and you must install
the BranchCache feature on the server using the Add Features Wizard. After doing this, you
must also start the BranchCache service on your Web or application server by typing netsh
BranchCache set service mode=local at an administrative-level command prompt.
To configure a computer running Windows Server 2008 R2 located at a branch office as a
Hosted Cache server, you must install the BranchCache feature on the server, enable the fea-
ture and configure it to use Hosted Cache server mode, and install a certificate that is trusted
by your client computers on the server.
To configure clients running Windows 7 located at a branch office to use BranchCache, you
must enable BranchCache on the computers, configure the computers to use either Distrib-
uted Cache mode or Hosted Cache mode as needed, and open the necessary exceptions in
Windows Firewall to allow the computers to access the cache on other computers at the site.
BranchCache can be enabled and configured on computers running Windows 7 either by
using Group Policy or by using the netsh branchcache context of the Netsh command.
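The role-by-role steps above can be scripted for an unattended rollout. The following PowerShell script is an added example, not code from the Windows 7 Resource Kit or from Microsoft; it assumes the Windows Server 2008 R2 feature IDs BranchCache and FS-BranchCache for the Add-WindowsFeature cmdlet, uses the netsh branchcache context described in the text, and assumes that the Windows Firewall rule group names it enables match the built-in BranchCache rule groups on Windows 7 (confirm them with netsh advfirewall firewall show rule name=all before relying on them). The Hosted Cache server name is a placeholder.

```powershell
# Added example (not from the Windows 7 Resource Kit): applies the BranchCache
# configuration for one role on the local computer. Run from an elevated prompt.
# Feature IDs and firewall rule group names are assumptions stated in the lead-in.
param(
    [Parameter(Mandatory=$true)]
    [ValidateSet('FileServer','WebServer','HostedCacheServer','ClientDistributed','ClientHosted')]
    [string] $Role,
    [string] $HostedCacheServer = 'hostedcache.branch.example'   # placeholder FQDN
)

switch ($Role) {
    'FileServer' {
        # Central-site file server: install the role service, then mark shares
        # for BranchCache through Group Policy or the share properties.
        Import-Module ServerManager
        Add-WindowsFeature FS-BranchCache
    }
    'WebServer' {
        # Central-site Web or application server: feature plus local service mode.
        Import-Module ServerManager
        Add-WindowsFeature BranchCache
        netsh branchcache set service mode=local
    }
    'HostedCacheServer' {
        # Branch-office Windows Server 2008 R2 acting as the Hosted Cache. A
        # certificate trusted by the clients must be installed on it separately.
        Import-Module ServerManager
        Add-WindowsFeature BranchCache
        netsh branchcache set service mode=hostedserver
    }
    'ClientDistributed' {
        # Windows 7 client in peer-to-peer mode (single subnet). The second rule
        # group lets clients discover each other's cached content.
        netsh branchcache set service mode=distributed
        netsh advfirewall firewall set rule group="BranchCache - Content Retrieval (Uses HTTP)" new enable=yes
        netsh advfirewall firewall set rule group="BranchCache - Peer Discovery (Uses WSD)" new enable=yes
    }
    'ClientHosted' {
        # Windows 7 client pointed at the branch's Hosted Cache server.
        netsh branchcache set service mode=hostedclient "location=$HostedCacheServer"
        netsh advfirewall firewall set rule group="BranchCache - Content Retrieval (Uses HTTP)" new enable=yes
    }
}

# Verify the resulting mode, cache location and cache size.
netsh branchcache show status all
```

When the same settings are pushed through Group Policy, the show status output is still the quickest way to confirm on a branch client which mode actually took effect and whether the firewall exceptions are in place.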
MORE INFO
For more information on deploying a BranchCache solution for your organization, see the documentation found on the BranchCache section of the Networking and Access Technologies TechCenter on Microsoft TechNet at /en-us/network/dd425028.aspx.

Supported Connection Types
Windows 7 supports both outgoing and incoming network connections. For outgoing
connections, the computer running Windows 7 acts as a client that connects to a remote
computer, server, or network to access remote resources. For incoming connections,
Windows 7 acts as a server to allow other computers to connect to the computer and access
resources on it.
Outgoing Connection Types
As Windows Vista did before it, Windows 7 supports a number of different types of outgoing
(client-side) network connections:
• LAN or high-speed Internet connections: Connections to an Ethernet LAN or broadband router providing high-speed access to the Internet. LAN connections are computer-to-network connections that Windows creates automatically when it detects the presence of an installed network interface card (NIC). Internet connections are computer-to-network connections that you can create and configure manually using the Set Up A Connection Or Network wizard to provide Internet access using a broadband Digital Subscriber Line (DSL) adapter or cable modem, an Integrated Services Digital Network (ISDN) modem, or an analog (dial-up) modem. Broadband Internet connections use Point-to-Point Protocol over Ethernet (PPPoE); dial-up Internet connections use Point-to-Point Protocol (PPP).
• Wireless network connections: Connections to a WLAN through a wireless access point or wireless router. Wireless network connections are computer-to-network connections that you can create and configure manually using the Set Up A Connection Or Network wizard, provided that the computer has a wireless network adapter installed. Wireless network connections may be either secured or unsecured, depending on how the access point has been configured.
• Wireless ad hoc connections: Connections to another computer that is enabled for wireless networking. Wireless ad hoc connections are temporary computer-to-computer connections that you can use to share files between users.
• Wireless routers or access points: Devices used to network wireless-enabled computers, primarily for Small Office/Home Office (SOHO) environments, so that users can share files, printers, and connectivity to the Internet. Setting up this type of connection in Windows Vista using the Connect To A Network wizard requires that the computer has a wireless network adapter installed or attached to it and that an external wireless router or wireless access point device that can be configured is present.
• Dial-up connections: Connections to a remote access server (RAS server) or modem pool at a remote location. Dial-up connections are computer-to-server or computer-to-network connections that you can create and configure manually using the Set Up A Connection Or Network wizard, provided that the computer has an analog or ISDN modem installed or connected to it. Dial-up connections either provide remote access to corporate networks or dial-up access to the Internet using the services of an Internet service provider (ISP).
• VPN connections: Connections to a remote workplace by tunneling over the Internet. VPN connections work by creating a secure tunnel that encapsulates and encrypts all traffic between the client computer and the remote corporate network. This tunnel creates a secure private link over a shared public infrastructure such as the Internet. After the user is connected, her experience on the client computer is similar to what it would be if her computer were directly attached to the remote LAN (with performance limitations depending on the speed of the remote connection), with the exception of any restrictions imposed on remote connections by the network administrator. VPN connections are computer-to-server or computer-to-network connections that you can create and configure manually using the Set Up A Connection Or Network wizard. VPN connections can use existing Internet connectivity, or they can first establish a broadband Internet connection or an analog or ISDN dial-up connection to obtain the Internet connectivity they require.
The rest of this chapter describes how to create and manage VPN and dial-up connections.
For information about LAN and wireless connections in Windows 7, see Chapter 25, “Config-
uring Windows Networking.”
Incoming Connection Types
As Windows Vista did before it, Windows 7 supports the following types of incoming (server-
side) network connections:
• Incoming VPN connections: Connections from a remote computer by tunneling over the Internet, using either a broadband Internet connection or a dial-up connection to an ISP
• Incoming dial-up connections: Connections from a remote computer using an analog or ISDN modem
For more information on how to create and configure incoming connections, see the
section titled “Configuring Incoming Connections” later in this chapter.
Deprecated Connection Types
The following connection technologies supported in Windows XP were deprecated in
Windows Vista and are no longer available in Windows 7:
• X.25
• Microsoft Ethernet permanent virtual circuit (PVC)
• Direct cable connection using a serial, parallel, universal serial bus (USB), or IEEE 1394 cable
NOTE
Most types of network connections available in Windows 7 support IPv6 out of the box and can be used to establish pure-IPv6 connectivity with remote servers or networks (provided they support incoming IPv6 connections). More information concerning IPv6 support for network connections in Windows 7 is provided throughout this chapter where appropriate.
Configuring VPN Connections
Windows 7 supports both outgoing and incoming VPN connections. For outgoing connec-
tions, Windows 7 is the client and connects to a VPN server on a remote network, usually
the corporate intranet. For incoming connections, Windows 7 acts as a server and allows
a remote client computer to establish a VPN connection between the two computers. In
enterprise environments, outgoing VPN connections are commonly used to allow mobile
users to securely access resources on the corporate intranet from remote locations. Incoming
VPN connections to client computers are rarely used in enterprise environments, so most of
this discussion deals with outbound connections only. For information on how to create and
configure an inbound connection on Windows 7, see the section titled “Configuring Incoming
Connections” later in this chapter.
Supported Tunneling Protocols
Windows 7 supports four different tunneling protocols for creating secure VPN connections
to remote corporate networks:
• Internet Key Exchange version 2: New in Windows 7, IKEv2 is an updated version of the IKE protocol that uses the IPsec tunnel mode over UDP port 500. IKEv2 enables VPN connections to be maintained when the VPN client moves between wireless hotspots or switches from a wireless to a wired connection. Using IKEv2 and IPsec together enables support for strong authentication and encryption methods. IKEv2 is documented in RFC 4306.
• Secure Socket Tunneling Protocol: Supported in Windows Vista Service Pack 1 (SP1) and later versions, SSTP encapsulates PPP frames over HTTPS (HTTP over Secure Sockets Layer [SSL]) to facilitate VPN connectivity when a client is behind a firewall, NAT, or Web proxy that allows outgoing TCP connections over port 443. The SSL layer provides data integrity and encryption while PPP provides user authentication. SSTP was introduced in Windows Vista SP1 and Windows Server 2008. SSTP was developed by Microsoft, and the SSTP protocol specification can be found on MSDN.
• Layer Two Tunneling Protocol: An industry-standard Internet tunneling protocol designed to run natively over IP networks and which encapsulates PPP frames like PPTP does. Security for L2TP VPN connections is provided by IPsec, which provides the authentication, data integrity, and encryption needed to ensure that L2TP tunnels are protected. The combination of L2TP with IPsec for tunneling purposes is usually referred to as L2TP over IPsec or L2TP/IPsec. L2TP/IPsec is documented in RFC 3193, while L2TP is documented in RFC 2661.
• Point-to-Point Tunneling Protocol: An open industry standard developed by Microsoft and others, PPTP provides tunneling over PPP frames (which themselves encapsulate other network protocols such as IP) and uses PPP authentication, compression, and encryption schemes. PPTP was first introduced in Microsoft Windows NT 4.0 and is simpler to set up than L2TP, but it does not provide the same level of security as L2TP. PPTP is documented in RFC 2637.
Comparing the Different Tunneling Protocols
Table 27-1 compares the four different tunneling protocols that are available in Windows 7 and Windows Server 2008 R2.

TABLE 27-1 Comparison of VPN Tunneling Protocols Supported by Windows 7 and Windows Server 2008 R2

| Protocol   | Provides data confidentiality | Provides data integrity | Provides data authentication | Requires a public key infrastructure                                                    | Supported versions                                           |
|------------|-------------------------------|-------------------------|------------------------------|-----------------------------------------------------------------------------------------|--------------------------------------------------------------|
| IKEv2      | Yes                           | Yes                     | Yes                          | Yes                                                                                     | Windows 7, Windows Server 2008 R2, and later versions        |
| SSTP       | Yes                           | Yes                     | Yes                          | Yes, for issuing computer certificates                                                  | Windows Vista SP1, Windows Server 2008, and later versions   |
| L2TP/IPsec | Yes                           | Yes                     | Yes                          | Recommended for issuing computer certificates; an alternative is using a pre-shared key | Microsoft Windows 2000 and later versions                    |
| PPTP       | Yes                           | No                      | No                           | No                                                                                      | Windows 2000 and later versions                              |
Microsoft recommendations for choosing the right tunneling protocol for providing VPN
access to your corporate network are as follows:
• For client computers running Windows 7 and VPN servers running Windows Server 2008 R2, implement IKEv2 as your tunneling protocol. In addition to providing data confidentiality, data integrity, and data origin authentication (to confirm that the data was sent by the authorized user), IKEv2 provides resiliency to VPN connections using MOBIKE, which enables VPN connections to be maintained when the underlying Layer 2 network connectivity changes.
• For client computers running Windows 7 and VPN servers running Windows Server 2008 RTM or SP2, use SSTP as a fallback tunneling protocol. This way, whenever an IKEv2 tunnel connection is blocked due to a firewall configuration or some other issue, the client can use SSTP to achieve VPN connectivity to the corporate network. For more information about the order in which different tunneling protocols are used during a VPN connection attempt, see the section titled “Understanding the VPN Connection Negotiation Process” later in this chapter.
• For client computers running Windows 7 that need to connect to VPN servers running older versions of Windows, use L2TP/IPsec if a PKI is available; otherwise use PPTP.
NOTE
Microsoft may remove support for L2TP/IPsec and PPTP in future versions of Windows, so enterprises deploying Windows 7 should implement IKEv2 with SSTP fallback as their VPN solution wherever possible.
Understanding Cryptographic Enhancements
Beginning with Windows Vista, support for the cryptographic algorithms and protocols used for data integrity, encryption, and authentication was updated to increase VPN security. These updates include:
• Addition of support for the Advanced Encryption Standard (AES).
• Removal of support for weak cryptographic algorithms.
• Removal of support for less secure authentication protocols.
The sections that follow provide more details concerning these security enhancements.

Support for AES
Support for AES was first added in Windows Vista. AES is a Federal Information Processing Standard (FIPS) encryption standard developed by the National Institute of Standards and Technology (NIST) that supports variable key lengths and that replaces Data Encryption Standard (DES) as the standard encryption algorithm for government and industry. For L2TP/IPsec–based VPN connections, the following AES encryption levels are supported in Windows Vista and later versions:
• Main mode: IPsec main mode supports AES 256- and 128-bit encryption using Elliptic Curve Diffie-Hellman (ECDH) with 384- and 256-bit encryption, respectively.
• Quick mode: IPsec quick mode supports AES 128-bit and 3DES encryption when the encryption setting in the Advanced Security Settings properties of the VPN connection is either Optional Encryption or Require Encryption. IPsec quick mode supports AES 256-bit and 3DES encryption when the encryption setting inside the Advanced Security Settings properties is Maximum Strength Encryption.
NOTE
Using AES is a requirement for many U.S. government agencies.
Weak Cryptography Removal from PPTP/L2TP
Support for weak or nonstandard cryptographic algorithms has been removed beginning
with Windows Vista. This initiative was based on a desire by Microsoft to move customers
toward stronger crypto algorithms to increase VPN security, based on recommendations by
the NIST and the Internet Engineering Task Force (IETF) as well as mandates toward stronger
crypto algorithms from different industry standards bodies and regulators.
The following crypto algorithms are no longer supported on Windows Vista or later versions:
• 40- and 56-bit RC4 encryption, formerly used by the Microsoft Point-to-Point Encryption (MPPE) Protocol for PPTP-based VPN connections
• DES encryption, formerly used by IPsec policy within L2TP/IPsec-based VPN connections
• MD5 integrity checking, formerly used by IPsec policy within L2TP/IPsec-based VPN connections
The removal of support from the default configuration for 40- and 56-bit RC4 encryption
means that PPTP-based VPN connections now support only 128-bit RC4 for data encryption
and integrity checking. This means the encryption strength remains the same as 128-bit
RC4—that is, independent of the encryption settings (Optional Encryption, Require Encryption,
or Maximum Strength Encryption) specified by the Advanced Security Settings properties
of the VPN connections. This also means that if your existing VPN server does not support
128-bit encryption and supports only incoming PPTP-based VPN connections, clients will not
be able to connect. If you are unable to upgrade your existing VPN servers to support 128-bit
encryption for PPTP or if 128-bit encryption is unavailable to you because of export restric-
tions, you can enable weak crypto for PPTP by editing the following registry value:
HKLM\System\CurrentControlSet\Services\Rasman\Parameters\AllowPPTPWeakCrypto
The default value of this DWORD registry value is 0, and by changing it to 1, you can
enable 40- and 56-bit RC4 encryption on the computer for both outgoing and incoming
PPTP-based VPN connections. You must restart the computer for this registry change to
take effect. As an alternative to restarting the computer, you can restart the Remote Access
Connection Manager service by opening a command prompt and typing net stop rasman
followed by net start rasman.
The removal of support for DES encryption and MD5 integrity checking for L2TP/IPsec-
based VPN connections means that L2TP/IPsec-based VPN connections now support the
following data encryption and data integrity algorithms by default:

• 128-bit AES, 256-bit AES, and 3DES for data encryption using IPsec
• Secure Hash Algorithm (SHA1) for data integrity using IPsec
The removal of support for DES and MD5 from the default configuration means that L2TP/IPsec-based VPN connections will not work if your existing VPN server supports only DES for data encryption and/or MD5 for data integrity checking. If you are unable to upgrade your existing VPN servers to support AES or 3DES for data encryption and/or SHA1 for integrity checking, or if these crypto algorithms are unavailable to you because of export restrictions, you can enable weak crypto for L2TP by editing the following registry value:
HKLM\System\CurrentControlSet\Services\Rasman\Parameters\AllowL2TPWeakCrypto
The default value of this DWORD registry value is 0, and by changing it to 1, you can
enable DES encryption and MD5 integrity checking on the computer for both outgoing and
incoming L2TP/IPsec-based VPN connections. You must restart the computer for this regis-
try change to take effect. As an alternative to restarting the computer, you can restart the
Remote Access Connection Manager service by opening a command prompt and typing net
stop rasman followed by net start rasman.
NOTE
Microsoft recommends that you upgrade your VPN server to support 128-bit RC4 for PPTP and/or AES and SHA1 for L2TP instead of disabling weak crypto support on your VPN clients.
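Because both registry values silently downgrade every VPN connection the computer makes or accepts, it is worth checking them as part of a client baseline. The following PowerShell function is an added example, not code from the Windows 7 Resource Kit or from Microsoft: it reads the two values described above (treating an absent value as the default of 0), reports which weak algorithms each one would permit, and, when asked, sets them back to 0 and restarts the Remote Access Connection Manager service, which is the scripted equivalent of the net stop rasman / net start rasman sequence in the text. The function name and the fields it outputs are this example's own.

```powershell
# Added example (not from the Windows 7 Resource Kit): audits the RasMan weak
# crypto switches and optionally restores the secure default. Run elevated.
function Test-RasWeakCrypto {
    param([switch] $Remediate)

    $key = 'HKLM:\System\CurrentControlSet\Services\Rasman\Parameters'
    $settings = @{
        'AllowPPTPWeakCrypto' = '40- and 56-bit RC4 (MPPE) for PPTP'
        'AllowL2TPWeakCrypto' = 'DES encryption and MD5 integrity for L2TP/IPsec'
    }
    $changed = $false

    foreach ($name in $settings.Keys) {
        # A value that does not exist behaves like the default of 0 (weak crypto off).
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $value = 0
        if ($item -ne $null) { $value = [int] $item.$name }
        $weakOn = ($value -eq 1)

        # One report object per setting, so the output can be filtered or exported.
        New-Object PSObject -Property @{
            Setting      = $name
            Value        = $value
            WeakCryptoOn = $weakOn
            Permits      = $settings[$name]
        }

        if ($weakOn -and $Remediate) {
            Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
            $changed = $true
        }
    }

    if ($changed) {
        # Applies the change without a reboot; active VPN sessions on this
        # computer are dropped while the service restarts.
        Restart-Service -Name RasMan -Force
    }
}

# Usage: report first; add -Remediate to turn weak crypto back off.
Test-RasWeakCrypto
```

Run without -Remediate on a sample of clients first: a value of 1 that nobody remembers setting usually means an old VPN server is still in use somewhere, and the server is what should be fixed.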
Table 27-2 summarizes the differences between Windows 7, Windows Vista, and Windows
XP with regard to crypto support for data integrity and encryption for VPN connections.
TABLE 27-2 Data Integrity and Encryption Support for VPN Connections in Windows 7, Windows Vista, and Windows XP

| Crypto algorithm | Use                                                   | Windows 7 | Windows Vista | Windows XP |
|------------------|-------------------------------------------------------|-----------|---------------|------------|
| 40-bit RC4       | Data encryption and integrity checking for PPTP only  |           |               | ✓          |
| 56-bit RC4       | Data encryption and integrity checking for PPTP only  |           |               | ✓          |
| 128-bit RC4      | Data encryption and integrity checking for PPTP only  | ✓         | ✓             | ✓          |
| DES              | Data encryption                                       |           |               | ✓          |
| 3DES             | Data encryption                                       | ✓         | ✓             | ✓          |
| 128-bit AES      | Data encryption                                       | ✓         | *             |            |
| 196-bit AES      | Data encryption                                       | ✓         | *             |            |
| 256-bit AES      | Data encryption                                       | ✓         | *             |            |
| MD5              | Integrity checking                                    |           |               | ✓          |
| SHA1             | Integrity checking                                    | ✓         | ✓             | ✓          |
| 256-bit SHA      | Integrity checking (main mode only)                   | ✓         | *             |            |
| 384-bit SHA      | Integrity checking (main mode only)                   | ✓         | *             |            |
An asterisk (*) in Table 27-2 means that configuration is possible, but only by using the Netsh command.
Supported Authentication Protocols
The following authentication protocols are supported for logon security for VPN connections in Windows 7:
• PAP Stands for Password Authentication Protocol; uses plaintext (unencrypted) passwords.
• CHAP Stands for Challenge Handshake Authentication Protocol; uses one-way MD5 hashing with challenge-response authentication.
• MSCHAPv2 Stands for Microsoft Challenge Handshake Authentication Protocol version 2; an extension by Microsoft of the CHAP authentication protocol that provides mutual authentication of Windows-based computers and stronger data encryption. MSCHAPv2 is an enhancement of the earlier MS-CHAP protocol that provided only one-way authentication of the client by the server.
• EAP Stands for Extensible Authentication Protocol; extends PPP by adding support for additional authentication methods including using smart cards and certificates.
• PEAP Stands for Protected Extensible Authentication Protocol, or Protected EAP; enhances the protection provided by EAP by using Transport Layer Security (TLS) to provide a secure channel for EAP negotiation. PEAP is also used in Windows 7 to support NAP scenarios.
CHAPTER 27 Connecting Remote Users and Networks
1316
Starting with Windows Vista, the following authentication protocols have been deprecated for use by VPN connections:
• SPAP (Shiva Password Authentication Protocol)
• MS-CHAP
• EAP using MD5
Note that by default PAP and CHAP are not enabled as authentication protocols on new VPN connections you create using the Set Up A Connection Or Network wizard. This is because PAP and CHAP are not considered secure: PAP sends the password in the clear, and CHAP exposes an MD5 digest of it that can be attacked offline once captured. Use them only when connecting to ISPs whose network access devices support only these older authentication schemes. And although Windows 7 no longer supports MD5 for data integrity checking on L2TP/IPsec-based VPN connections (see Table 27-2), support for MD5 in CHAP has been retained because of the continuing popularity of this authentication protocol with many broadband- and dial-up-based ISPs.
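The following PowerShell script is an added example and is not part of the Resource Kit. It carries out the CHAP exchange the list above describes (RFC 1994: the client returns MD5 over the identifier, the secret, and the server's challenge) and then shows why a captured exchange is weak: an attacker who saw the Challenge and Response packets can test password guesses offline without ever talking to the server. The identifier, challenge, secret, and word list are constructed sample values, the function names are the example's own, and encoding the secret as ASCII is an assumption.

```powershell
# Added example (not from the Resource Kit): CHAP (RFC 1994) response computation and
# the offline dictionary attack it permits. All inputs below are constructed sample data.

function Get-ChapResponse {
    param([byte]$Id, [string]$Secret, [byte[]]$Challenge)
    # RFC 1994: Response = MD5(Identifier || secret || challenge). The identifier and the
    # challenge travel in the clear inside the PPP frames; only the secret is hidden.
    $md5         = [System.Security.Cryptography.MD5]::Create()
    $secretBytes = [System.Text.Encoding]::ASCII.GetBytes($Secret)   # assumption: ASCII secret
    $data        = [byte[]](@([byte]$Id) + $secretBytes + $Challenge)
    return ($md5.ComputeHash($data) | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Find-ChapSecret {
    param([byte]$Id, [byte[]]$Challenge, [string]$Response, [string[]]$WordList)
    # Offline guess against a captured exchange: recompute the digest for each candidate
    # and compare. No interaction with the server is needed, which is why CHAP is grouped
    # with PAP as "not considered secure" for VPN logon.
    foreach ($guess in $WordList) {
        if ((Get-ChapResponse -Id $Id -Secret $guess -Challenge $Challenge) -eq $Response) {
            return $guess
        }
    }
    return $null
}

# --- Constructed sample exchange ---------------------------------------------
[byte]$id          = 7                                           # identifier from the Challenge packet
[byte[]]$challenge = 1..16 | ForEach-Object { [byte]$_ }         # 16-byte server challenge
$secret            = 'Summer2009'                                # user's password; never transmitted

# Server -> client: Challenge (id, challenge value). Client -> server: Response (id, digest, name).
$response = Get-ChapResponse -Id $id -Secret $secret -Challenge $challenge
"Challenge : $(($challenge | ForEach-Object { $_.ToString('x2') }) -join '')"
"Response  : $response"

# Attacker who captured both packets tries a small constructed word list.
$words = 'password', 'Winter2008', 'Summer2009', 'letmein'
$found = Find-ChapSecret -Id $id -Challenge $challenge -Response $response -WordList $words
"Recovered : $found"
```

In a real capture the identifier and challenge come from the server's Challenge packet and the digest from the client's Response packet; the only work left for the attacker is the guessing loop above. PAP is worse only in that no guessing is needed at all.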
Table 27-3 summarizes the differences between Windows 7, Windows Vista, and Windows
XP with regard to user authentication protocols used for VPN connections.
NOTE
In addition to the user authentication protocols listed in Table 27-3, L2TP/IPsec also supports machine-level authentication (using either pre-shared keys or machine certificates), and SSTP supports the client validating the server (using the certificate sent by the server to the client during the SSL negotiation phase).
TABLE 27-3 Authentication Protocols Supported for VPN Connections in Windows 7, Windows Vista, and Windows XP

AUTHENTICATION PROTOCOL       WINDOWS 7   WINDOWS VISTA   WINDOWS XP
PAP                           Yes         Yes             Yes
SPAP                          -           -               Yes
CHAP                          Yes         Yes             Yes
MS-CHAP                       -           -               Yes
MS-CHAPv2                     Yes         Yes             Yes
EAP with MD5 challenge        -           -               Yes
EAP with smart card           Yes         Yes             Yes
EAP with other certificate    Yes         Yes             Yes
PEAP                          Yes         Yes             -

Yes = supported; - = not supported.
Configuring VPN Connections CHAPTER 27
1317
DIRECT FROM THE SOURCE
VPN Security Enhancements
Samir Jain and Santosh Chandwai, Lead Program Managers
Windows Enterprise Networking
Beginning with Windows Vista, many extensions have been made regarding
VPN security. First, all the weak crypto algorithms have been removed and new
stronger crypto algorithms have been added to VPN tunnels. For PPTP, 40/56-bit
RC4 encryption has been removed by default. This means PPTP now supports only
128-bit RC4 encryption by default. So if your VPN server or VPN client doesn’t
support 128-bit encryption, your calls may fail. You can still get 40/56-bit RC4
encryption back by changing a registry key, but this is not recommended. It is
better to upgrade your client or server to one that supports the more secure 128-bit
RC4 encryption method.
For L2TP/IPsec, DES (for encryption) and MD5 (for integrity check) have been removed, but AES support has been added. This means that Windows Vista and later
versions support AES 128-bit, AES 256-bit, and 3DES for encryption, and SHA1 for
integrity check. (AES is more CPU efficient than 3DES.) So if your VPN server or VPN
client doesn’t support either DES or MD5, your connectivity may fail. You can still
get DES and MD5 back by changing a registry key, but this is not recommended.
It is better to upgrade your client or server to one that supports the more secure
AES/3DES and SHA1 encryption methods.
Second, many new authentication algorithms have been added; EAP-MD5, SPAP,
and MSCHAPv1 are now deprecated. Windows Vista and later versions support (in
increasing order of strength) PAP, CHAP, MSCHAPv2, EAP-MSCHAPv2, EAP-smart
card/certificate, PEAP-MSCHAPv2, and PEAP-smart card/certificate. Using PAP or
CHAP as an authentication algorithm over a VPN tunnel is not recommended
because it is weaker than other authentication algorithms. Arguably, it might be
safe to use PAP/CHAP over a L2TP/IPsec VPN connection because IPsec provides a
secure session before PPP authentication begins. But always remember this subtle
security point: IPsec provides you with machine-level authentication, whereas PPP
authentication provides you with user-level authentication, and both are important.
Finally, the L2TP/IPsec client in Windows Vista and later versions has added more
verification of specific fields inside the server certificate used for IPsec negotiation
to avoid the trusted man-in-the-middle (TMITM) attack. The L2TP/IPsec client
checks for the Subject Alternative Name (SAN) field in the server’s X.509 certificate
to verify that the server you are connecting to is the same as the server that was
issued the certificate. It also checks for the Extended Key Usage (EKU) field to validate that the certificate issued to the server is for the purpose of server authentication. For older deployments, Windows Vista and later versions provide a registry key that if enabled will allow the VPN client to override the verification of the SAN
and EKU fields of the server’s certificate. However, it is recommended that you not
override these checks. Instead, if your VPN server offering L2TP/IPsec connectivity
is issued X.509 certificates that do not have the DNS name of the server in the SAN
field, it is recommended that you reissue appropriately configured certificates to
the server.
Understanding the VPN Connection Negotiation Process
When a client running Windows 7 tries to establish a connection with a remote VPN server,
the tunneling protocol, authentication protocol, data encryption algorithm, and integrity-
checking algorithm used depend on several factors:
• The enabled authentication protocols and crypto algorithms on the client side
• The remote access policy on the server side
• The available network transports (IPv4 and/or IPv6)
By default, if Type Of VPN is set to Automatic on the client side, the client running Windows 7 attempts to establish a connection with the remote VPN server in the following order:
1. IKEv2
2. SSTP
3. PPTP
4. L2TP
The VPN client typically resolves the name of the VPN server using DNS. If the DNS lookup provides only an IPv4 or IPv6 address to the client, the connection attempts using the various tunneling protocols use only IPv4 or IPv6. If the DNS lookup provides the client with both the IPv4 and IPv6 addresses of the server, then IPv6 is preferred and the following tunnel connections are attempted, in this order:
1. IKEv2 over IPv6
2. SSTP over IPv6
3. PPTP over IPv4 (because PPTP doesn't support IPv6)
4. L2TP over IPv6
After a tunneling protocol has been selected for the connection, the authentication and
crypto algorithms are then negotiated between the client and the server.
NOTE
You can reduce connection time by explicitly specifying the tunneling protocol
you want your client to use (provided that the remote server also supports this protocol)
instead of selecting the Automatic type of VPN on the Networking tab of the connection’s
properties. Note that doing so means that if the connection attempt using the specified
tunneling protocol fails then VPN connectivity cannot be established.
HOW IT WORKS
VPN Connections and IPv4/IPv6
Samir Jain, Lead Program Manager
Enterprise Networking (RRAS)
First, a little background: After you establish VPN connectivity, you have two interfaces on your client computer. One is your Internet interface (that is, Ethernet, wireless, PPPoE, PPP over dial-up, and so on); the other is your corporate or WAN interface (that is, a VPN tunnel). This really means that you have two sets of IP addresses, and each of these can be IPv4 and/or IPv6.
How Do We Support IPv4 and IPv6 for VPN Connections?
In Windows 7, we support SSTP, L2TP, and IKEv2 VPN tunnels over IPv6 (in other
words, when your ISP connectivity is IPv6) and SSTP/L2TP/PPTP/IKEv2 VPN tunnels
over IPv4. In all scenarios, IPv4 and/or IPv6 packets can be sent on top of a VPN
tunnel. (Packets going to/from your corporate network can be IPv4/IPv6.)
• If you are confused about the difference between "over" and "on top of," here's a rule of thumb: Look at the connectivity between the VPN client and the VPN server (your ISP connectivity). This determines how the tunnel packets flow over the Internet and indirectly determines which type of VPN tunnel to be used.
• Look at the connectivity between the VPN server and your corporate network (your corporate connectivity). This determines what flows on top of (or inside) the tunnel, and indirectly determines which network inside your corporate network you can access (IPv4 and/or IPv6).
How Can I Identify This While Configuring a VPN Connection?
Open the Properties dialog box of your VPN connection and click the General tab. Here is where you specify the IP address (v4 or v6) or host name of the VPN server—the IP address that you are going to use to connect to the VPN server or the IP address over which the VPN tunnel will be established. In other words, this determines your ISP connectivity. If you enter an IPv6 address here, L2TP, IKEv2, and SSTP tunnels are supported. If you enter an IPv4 address, all tunnel types are supported. But if you enter a host name, the type of tunnel selection is deferred until you actually connect and a name lookup is performed. The DNS server could return to you both IPv4 and IPv6 addresses. In this scenario, IPv4 and IPv6 are tried in the order in which the addresses were returned by the DNS server inside the DNS response. The result also depends on the type of VPN tunnel type selection (PPTP, L2TP/IPsec, SSTP, IKEv2, or Automatic).
Switch to the Networking tab and look at This Connection Uses The Following
Items. The protocols listed here include both IPv4 and IPv6, and this protocol will
be the one that gets negotiated “on top of” (or “inside”) the VPN tunnel. In other
words, this determines your corporate connectivity—whether you will be sending
IPv4 and/or IPv6 packets to the corporate network on top of the tunnel. You can
typically get both IPv4 and IPv6 addresses from your corporate VPN server if your
VPN server is configured accordingly. Depending on the name lookups, the appro-
priate address will be taken.
What Happens When I Select Automatic as My Type of VPN?
Automatic VPN tunnel logic is very simple:
• First try IKEv2, and if that fails, try SSTP. If that fails, try PPTP. And if that fails, try L2TP.
• Let's say you have configured an IPv4 address as the destination VPN server. The logic remains the same: first IKEv2, then SSTP, then PPTP, and finally L2TP.
• Let's say instead that you have configured an IPv6 address as the destination VPN server. Try IKEv2. If that fails, try SSTP. And if that fails, try L2TP.
• Finally, let's say that you have configured a host name as the destination VPN server. Now if your DNS server returns only IPv4 addresses (A records), go to bullet 2 above. If your DNS server returns only IPv6 addresses (AAAA records), go to bullet 3. If your DNS server returns both IPv4 and IPv6 addresses, the logic will be to go through each IP address returned and then go to either bullet 2 or 3 depending upon the IP address.
What Happens When I Select My Type of VPN Using Connection
Manager Administration Kit?
Connection Manager Administration Kit (CMAK), a tool for network administrators on Windows Server 2008 R2, also supports the following tunnel order strategies:
• Use PPTP only.
• Try PPTP first, which means PPTP, IKEv2, SSTP, and then L2TP.
• Use L2TP.
• Try L2TP first, which means L2TP, IKEv2, PPTP, and then SSTP.
• Use SSTP only.
• Try SSTP first, which means SSTP, IKEv2, PPTP, and then L2TP.
• Use IKEv2 only.
• Try IKEv2 first, which means IKEv2, PPTP, SSTP, and then L2TP.
Note that you must use a computer running a version of Windows with the same processor architecture as the clients on which you want to install the profile. A 32-bit connection profile can be created and installed on a 32-bit version of Windows only. A 64-bit connection profile can be created and installed on a 64-bit version of Windows only. To create 64-bit connection profiles, use the Add Features Wizard to install the CMAK feature on a computer running Windows Server 2008 R2. To create 32-bit connection profiles, use the Turn Windows Features On Or Off option to install the RAS CMAK feature on a computer running a 32-bit version of Windows 7.
What Will Happen if I Connect a Windows 7 Client to a VPN
Server That Doesn’t Support IPv6?
You won’t be able to use the VPN server “over” IPv6 (you can only have IPv4
connectivity to an ISP), which means your tunnel can be SSTP, L2TP, IKEv2, or PPTP.
Then, “on top of” the VPN tunnel, the client running Windows 7 will try to get an
IPv4 as well as an IPv6 address from the VPN server, but it will get only an IPv4
address. Hence the connection will still go through. In other words, the connection
fails only if you cannot get both IPv4 and IPv6 addresses on top of the VPN tunnel.
What Will Happen if I Connect a Windows 7 Client to a VPN
Server That Doesn’t Support SSTP?
The SSTP connection will fail (and then you should remove SSTP from the preceding
tunnel order).
Creating and Configuring VPN Connections
The Set Up A Connection Or Network wizard simplifies the task of creating VPN connections.
The screens displayed when you use this wizard vary depending on the choices you make as
you proceed through the wizard.
MORE INFO
This chapter covers only configuring client connections for establishing VPN connectivity. For information about configuring Windows Server 2008 VPN servers including Network Policy Server (NPS) servers, see the "Windows Server 2008 Networking and Network Access Protection (NAP)" volume in the "Windows Server 2008 Resource Kit" from Microsoft Press.
In addition to creating and configuring new connections on clients running Windows 7, administrators can use the new version of the CMAK included with Windows Server 2008 R2. CMAK is a set of tools that you can use to tailor the appearance and behavior of connections made using Connection Manager, the built-in remote access client dialer included in Windows Vista and Windows 7. Using CMAK, administrators can create and deploy custom connections for client computers to simplify the user experience of connecting to remote networks. For instance, you could create a client connection that tries only a single specified tunneling protocol when attempting to establish a connection, or you could create a connection that tries each tunneling protocol in a specified order.
NOTE
You must use the new Windows Server 2008 R2 version of CMAK to create and
configure connections for clients running Windows 7.
Creating a VPN Connection
To create a new VPN connection on a computer if you already have a broadband (PPPoE) or dial-up connection to the Internet, follow these steps:
1. Open Network And Sharing Center either from Control Panel or by clicking the networking icon in the system notification area followed by clicking Open Network And Sharing Center.
2. After Network And Sharing Center is displayed, click Set Up A New Connection Or Network to start the Set Up A New Connection Or Network wizard.
3. On the Choose A Connection Option page, select Connect To A Workplace and then click Next.
4. If this is the first connection you have created on the computer, proceed to step 5. Otherwise, select Yes, I'll Choose An Existing Connection and then select one of the existing connections displayed on the Do You Want To Use A Connection That You Already Have? page. For example, if you want to use an existing dial-up connection (analog or ISDN modem) to provide Internet access for your new VPN connection, select that connection and then click Dial when the Connect dialog box is displayed for that connection. After you've used your existing connection to connect to the Internet, you can continue setting up your new VPN connection.
5. Click Use My Internet Connection (VPN).
6. Specify the IPv4 or IPv6 address or fully qualified domain name (FQDN) of the remote VPN server you want to connect to, as shown here. You can also give the connection a descriptive name to distinguish it from other connections on the computer. Typically, this will be the name of your remote network or remote VPN server.