SBS 2008 series : VPN setup in Small Business Server 2008


How To Configure a SBS 2008 Virtual Private Network ( VPN )

VPNs (Virtual Private Networks) are essential vehicles for mobile and home-office-based employees to gain access to resources on their company's internal network. Included in the software of Small Business Server are the components that support VPN access. Today’s post is a guide to understanding the setup of a virtual private network on your Small Business Server, as well as an open discussion of some key aspects of completing that configuration successfully.

BTW… our VPN walkthrough for SBS 2003 is here

Remote Access Services ( RRAS ) : using the Windows SBS Console to configure RAS and open TCP port 1723 in Windows Firewall

The first step to granting remote access to mobile or home based workers directly to the internal network is to allow that type of access to occur. In Small Business Server 2008, the process is simple and can be completed using the built in Remote Access wizards. Here’s how:

  • Launch Windows SBS Console
  • select the Network tab
  • select the Connectivity tab
    • in the main section, observe the list of connections (their Names, Descriptions and their status)
  • in the right hand pane, under Tasks, select Configure a Virtual Private Network
    • this will launch the Setup Virtual Private Networking wizard
  • select Allow users to connect to the server by using a VPN , click Next
    • the system will configure virtual private networking on the server and, if possible, configure your Internet Router as well.
    • These functions combine what Small Business Server 2003 accomplished with the CEICW and the Remote Access Wizard.
    • NOTE: your Firewall and/or Internet Router must have PNP configuration enabled for SBS to configure the Firewall/Internet Router. In many cases it will be necessary to manually configure the router/firewall, opening TCP port 1723 for Virtual Private Networking.
  • The Setup Virtual Private Networking Wizard will execute at this point, configuring VPN on the Server and on the Firewall/Internet Router (if possible)
  • If the Wizard completes “successfully”, a confirmation is displayed.
    • “IF” there are any issues or failures in configuring the VPN or the Firewall/Internet Router, details on the failure(s) will be linked
  • once complete, move on to Users and Groups and allow VPN access (content below)

HERE ARE A SERIES OF SCREENSHOTS OUTLINING THESE STEPS

Windows SBS Console in Small Business Server 2008

SBS Console - Configure a Virtual Private Network - Small Business Server 2008

Allow Users to connect to the server by using a VPN in SBS 2008

Setting up virtual private networking Wizard in SBS 2008

The Virtual Private Networking Wizard makes all this look easy (and that’s a good thing, unless you like books as much as this writer does :) ). So that we gain an understanding of what is accomplished by the wizard, let’s look a little deeper at what the VPN Setup wizard is being asked to do:

  • Enable virtual private networking (VPN)
  • Create packet filters for Point-to-Point Tunneling Protocol (PPTP)
  • Enable Point-to-Point Tunneling Protocol (PPTP) to pass through the Windows Firewall
  • Use DHCP to assign IP addresses to remote client computers
  • Configure the Remote Access Policy to allow members of the Windows SBS Virtual Private Networking Users security group to have remote access.
  • Mobile client computers, such as laptops, that are currently connected to the local network can now be configured with the connection settings (by launching the Network Connection Wizard on each client computer).
  • Remote client computers not currently connected to the local network should be JOINED to the Domain and then later, configured with the connection settings to the VPN.

    Virtual Private Networking wizard finished successfully - Small Business Server 2008

    If any Warnings are present, we should View Warning Details

    Warning Details - Server cannot open ports on the router. Manually open port 1723. Small Business Server 2008

    What we see here is a reminder to open TCP Port 1723 on our Firewall/Internet Router (i.e. create an Inbound rule passing PPTP traffic). Since our Firewall/Internet Router does not have PNP configuration enabled, we will do this manually later in the article.

    Grant SBS 2008 Users permission to remotely access the Small Business Server network

    Because Small Business Server takes care of configuring the Routing and Remote Access Service policies for us including which “Security Groups” are allowed VPN access, all that is left for us to do is make sure our VPN users are placed in the appropriate Group.

    On Small Business Server 2008 that group is named: Windows SBS Virtual Private Network Users

    Group assignment is still entirely wizard based in the new SBS, so being an Admin on the box is still very easy. Here’s how to assign VPN access rights to a User:

    • Launch the SBS Console
    • Select Users and Groups, then select the Users tab
    • Select the User to whom you wish to assign the right to access the VPN.
    • Open the Properties dialog for the User, select Remote Access
    • click OK, you’re done! (and of course… move on to the next User until all users have been granted access)

    SBS Console - Users and Groups - User Properties - Small Business Server 2008

    Remote Access - User can access Virtual Private Network - Small Business Server 2008

    A quick note about the new Groups in SBS 2008: Small Business Server has become far more granular with its permissions in the 2008 release. One aspect of this granularity can be found in the variety of new security Groups. To view these groups, select the Users and Groups [tab] in the Windows SBS Console.

    Windows SBS Virtual Private Network User - Small Business Server 2008

    Groups tab in SBS Console Users and Groups - Small Business Server 2008

    We can also view our specific target Group in assigning a User access to the Virtual Private Network: The Windows SBS Virtual Private Networking Users. This SBS specific VPN Group can be seen here in the Windows SBS Console.

    Windows SBS Virtual Private Network Users - Small Business Server 2008

    Once Remote Access Services have been configured and once Users have been added to the Windows SBS Virtual Private Network Users security group, it’s time to configure the external Firewall and/or Internet Router Firewall.

    Configuring the External Hardware Firewall for VPN Virtual Private Network access

    Most Small Business Networks deploy a hardware firewall of some sort (or at least enable the firewall in the Internet Router). “How to” configure a hardware firewall varies from device to device, so do your homework. You will need to consult the manufacturer’s resources and owner’s manual for specifics. In general, the key first step for our VPN is to open TCP port 1723, allowing PPTP (Point to Point Tunneling Protocol) traffic INBOUND to your SBS Server. The second step is to allow GRE and IPSec passthrough.

    STEPS:

    • PPTP “FIRST STEP” – TCP Port 1723 must be allowed to pass PPTP traffic INTO your SBS 2003 server. This is accomplished by port mapping traffic from the Firewall to the IP address of the Small Business Server (remember, the new SBS uses only 1 NIC).
      • 1 NIC – create an INBOUND rule “port-mapping” TCP Port 1723 to the Local Area Network (LAN) facing Network Interface card – port mapping is generally done when only one network interface is installed on the SBS Server (NOTE: 1 NIC is the default now in SBS 2008). To pass VPN connection requests from a public facing IP, map them to the internal IP of the SBS 2008 Server.
      • Your firewall may describe terms such as: PPTP, Port 1723, VPN, Remote Access, etc….
    • GRE “SECOND STEP” – GRE Protocol 47 must be allowed to pass traffic also (this allows “Authentication” to occur over PPTP VPN connection once the connection has been made)

    … Generic Routing Encapsulation (the GRE Protocol 47) passes IPSec traffic (Internet Protocol Security) for the IPSec session that is part of the Client Computer connection process. If the GRE protocol does not pass, the connection cannot “authenticate”. This “Authentication” failure will occur even when PPTP traffic has been allowed by opening TCP Port 1723 (PPTP) on your firewall. GRE issues most often occur client side, when a GRE block results in the Username and Password authentication failing to finish because of the block. In this case, the VPN connection attempt simply times out on the client side. This is experienced by the User as a Verifying User name and password dialog (shown during the connection process) that just hangs there with the progress bar running on and on.

    To pass GRE Protocol 47 on your firewalls (Client side -and- Server side) look for features that:

    • enable the “VPN feature” (if one exists)
    • enable “IPSec pass through” (if IPSec pass through exists)
    • expressly allow the GRE protocol (GRE = Protocol 47)
    • explicitly create Inbound and Outbound rules allowing GRE and IPSec passthrough
    • NOTE: you may have to upgrade your Router’s Firmware or your Firewall’s Firmware to enable/access these features on older devices

    An explicit Rule (if you have to define one) would take on these objectives:

    #PPTP Virtual Private Network
    pass protocol tcp, to port 1723 >> state, done
    pass protocol 47 >> done

    Whatever the case, passing GRE Protocol 47 from inside>out is needed to allow IPSec traffic for your authentication. This is most often a concern for the end user at their home or reote location (meaning not the Server side – BUT ON THE CLIENT SIDE). Many home firewalls may block (and often do block) GRE traffic by default. Please provide these helpful links about GRE and passing Generic Routing Encapsulation traffic to your users.

    Testing a Client VPN Connection and confirming DHCP is assigning VPN IP Addresses

    Once your VPN is setup and the Firewall rules established, testing your VPN is the next step. A Client Computer should be used to create a VPN Connection to the SBS 2008 Server and test the SBS 2008 VPN. Workstations have this connectivity built in and making the connection is as easy as using the Network Connection wizard available in both Windows Vista or Windows XP.

    Since this article is about the Server side, I want to focus on one particularly “overlooked” aspect of VPN connections…. DHCP.

    Earlier in our article (when we described just exactly what the Remote Access Setup Wizard accomplishes) we learned the RAS wizard completes this task:

    • Use DHCP to assign IP addresses to remote client computers

    The importance of this can be most effectively communicated with a screenshot of the DHCP management console. This screenshot was taken after VPN connections had been made.

    DHCP leases assigned to the Remote Access Service in Small Business Server 2008

    Looking at the DHCP console, we can see a series of leases assigned to the Remote Access Service (you can confirm a RAS lease is made just by looking under the Unique ID column for the word RAS ). In viewing DHCP we confirm both the RAS description on Unique ID as well as a different icon (computer with phone) for IP leases from RAS. Realizing then that RAS is handing out IP’s from DHCP , we recognize why the SBS DHCP service is so important to the Client VPN connections made through RAS.

    When the Remote Access service is properly configured and a remote connection is made to the VPN, the Remote Access service grabs a range of IP addresses from DHCP. These IPs are reserved for additional VPN clients “immediately” upon the first VPN connection being made. The default number of additional leases requested by RAS (and reserved from DHCP) is 10.

    The reason we discuss this here is that Small Business Server 2008 is designed to shut down the DHCP Service “automatically” if it senses another DHCP Server anywhere on the network (routers, wireless routers, DSL modems, Firewalls, etc…). Although this may seem a little “off-topic”, in reality it’s not. In short, if DHCP fails or is disabled on SBS, there is no way for SBS DHCP to provide DHCP leases to RAS.

    While most administrators review their network topology and know exactly how DHCP is implemented, some small offices do not. When the LAN has been happily functioning based on DHCP “working somewhere”, it’s not always a big deal. However, being clear on where and how IPs are handed out is very important for your VPN Connections. Not only this, but in some Small Business Server deployments I have been asked to review, DHCP is intentionally given over to the Internet Router so that if there is a Server failure, client computers can still access the internet. While this may be a reasonable solution on some levels (one I do not support, BTW), it does negate all the additional DHCP configurations that are made or customized by the SBS DHCP Server. Failing to use the SBS DHCP Service in this case can lead to incorrect scope options, the proper DNS Server not being defined, entries in SBS DNS never being seen by the network, and so on.

    The key point for our article is this: if the DHCP Service has been assigned to an Internet Router or some other device in your network, the Remote Access Service may not be able to provide (or be authorized to request) DHCP addresses for client computers making VPN connections.

    A properly configured VPN that can appropriately access DHCP on Small Business Server 2008 will effectively provide DHCP leases to both client computers on the LAN and remote access computers connecting on the VPN.

    To see this in its VPN form, let’s take a look at this sample IP Configuration from a client computer which has connected to an SBS VPN. In this Configuration please note there are two IP leases that have been made.

    1. one using the PPP WIGITAL VPN Connection
      1. note the ourcompany.pri Domain (provided by DHCP on the SBS 2008 Server)
      2. note the 10.13.15.x subnet (provided by DHCP on the SBS 2008 Server)
    2. one using the Wireless Network Connection
      1. note the my.homenetwork.local Domain (provided by the home network Wireless Service Set)
      2. note the 192.168.1.x subnet (provided by the home network Wireless Service Set)

    To view this data: from the computer connected to the VPN, go to Start, Run, type CMD, at the command line type IPCONFIG /ALL

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : my-mackbookpro
    Primary Dns Suffix . . . . . . . : ourcompany.pri
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : ourcompany.pri
    my.homenetwork.local

    PPP adapter WIGITAL VPN Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WIGITAL VPN Connection
    Physical Address. . . . . . . . . :
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 10.13.15.18(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 0.0.0.0
    DNS Servers . . . . . . . . . . . : 10.13.15.1
    Primary WINS Server . . . . . . . : 10.13.15.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Marvell Yukon 88E8058 PCI-E Gigabit Ethernet Controller
    Physical Address. . . . . . . . . : 00-2F-F3-D0-EE-93
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wireless Network Connection:

    Connection-specific DNS Suffix . : my.homenetwork.local
    Description . . . . . . . . . . . : Brodcom 802.11n Network Adapter
    Physical Address. . . . . . . . . : 00-2F-6B-CC-37-2C
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::b81a:ccdf:b0b4:254d%10(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.1.46(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Sunday, March 08, 2009 7:34:16 PM
    Lease Expires . . . . . . . . . . : Monday, March 09, 2009 7:34:18 PM
    Default Gateway . . . . . . . . . : 192.168.1.1
    DHCP Server . . . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 192.168.1.1
    192.168.1.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Reviewing the IPCONFIG DATA should give us all ample reminder to check out DHCP, confirm DHCP is providing leases to the Remote Access Server and work with our client connections to make sure those leases are being handed out properly.
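As an added check that is not part of the original article, the following Python script parses an ipconfig /all listing like the one above and confirms what RAS handed the VPN client: an address inside the SBS scope, the SBS server as DNS server and the SBS domain suffix; it also flags a 169.254.x.x address on the PPP adapter, which is what RRAS falls back to when it cannot obtain leases from DHCP. The adapter name, scope and addresses are taken from the article’s sample output and are parameters you change for your own network.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the ipconfig /all listing shown in the article
# (not captured from a live machine); wrapped fields keep Windows' continuation lines.
SAMPLE_IPCONFIG = """Windows IP Configuration

   Primary Dns Suffix  . . . . . . . : ourcompany.pri
   DNS Suffix Search List. . . . . . : ourcompany.pri
                                       my.homenetwork.local

PPP adapter WIGITAL VPN Connection:

   Connection-specific DNS Suffix  . :
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.13.15.18(Preferred)
   DNS Servers . . . . . . . . . . . : 10.13.15.1

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : my.homenetwork.local
   IPv4 Address. . . . . . . . . . . : 192.168.1.46(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       192.168.1.1
"""

GLOBAL = "Windows IP Configuration"            # section holding the host-wide fields
LEADER_RE = re.compile(r"\.[ .]*:")            # dot leader ". . . :" marks a field line
FIELD_RE = re.compile(r"^(?P<name>[^:]*?)[ .]*:\s*(?P<value>.*)$")

def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Split ipconfig /all output into {section: {field: [values]}}."""
    adapters: Dict[str, Dict[str, List[str]]] = {GLOBAL: {}}
    section, last_field = GLOBAL, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LEADER_RE.search(line):                 # "Name . . . : value" field line
            m = FIELD_RE.match(line)
            name, value = m.group("name").strip(), m.group("value").strip()
            adapters[section][name] = [value] if value else []
            last_field = name
        elif line.endswith(":"):                   # "PPP adapter XYZ:" adapter header
            section, last_field = line[:-1].strip(), None
            adapters[section] = {}
        elif last_field is not None:               # wrapped continuation (2nd DNS server, suffix)
            adapters[section][last_field].append(line)
    return adapters

def check_vpn_lease(adapters: Dict[str, Dict[str, List[str]]], vpn_adapter: str,
                    sbs_scope: str, sbs_dns: str, sbs_domain: str) -> Dict[str, bool]:
    """Checks on what RAS handed the client; a 169.254.x.x (APIPA) address on the PPP
    adapter means RRAS could not obtain leases from DHCP and fell back to autoconfig."""
    vpn = adapters.get(vpn_adapter, {})
    ip_text = (vpn.get("IPv4 Address") or [""])[0].split("(")[0]   # drop "(Preferred)"
    ip = ipaddress.ip_address(ip_text) if ip_text else None
    host = adapters.get(GLOBAL, {})
    suffixes = host.get("Primary Dns Suffix", []) + host.get("DNS Suffix Search List", [])
    return {
        "vpn_adapter_present": bool(vpn),
        "address_in_sbs_scope": ip is not None and ip in ipaddress.ip_network(sbs_scope),
        "address_not_apipa": ip is not None and not ip.is_link_local,
        "dns_server_is_sbs": sbs_dns in vpn.get("DNS Servers", []),
        "sbs_domain_suffix_present": sbs_domain in suffixes,
    }

def report(text: str = SAMPLE_IPCONFIG) -> Dict[str, bool]:
    # Expected values are the article's sample; change them to match your network.
    return check_vpn_lease(parse_ipconfig(text), "PPP adapter WIGITAL VPN Connection",
                           "10.13.15.0/24", "10.13.15.1", "ourcompany.pri")

if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

DHCP Enabled reads No on the PPP adapter by design: RAS assigns the address over PPP from the block it reserved from SBS DHCP, so the client itself never runs a DHCP exchange on that link.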

    That concludes our article.

    Thanks for reading. Please comment for the community. If this information has helped you, please link back here. It helps us as well as others who may need the information.

    Thank you.
    Mark Raborn
    WIGITAL

    PS…

    Note
      It is recommended that you set up a VPN only if Remote Web Workplace does not meet the needs of your organization. While Remote Web Workplace provides remote access to several network resources, some line-of-business applications require the computer to be connected to the network. For these scenarios, you can use a Virtual Private Network. For information about setting up Remote Web Workplace on Windows SBS 2008, see the Microsoft Web site ( http://go.microsoft.com/fwlink/?LinkId=105270 ).


    1. #1 by Cindy on 2009/06/02 - 10:08

      how do you grant remote access to a user who has a MAC computer and wants to log in to her work pc workstation through sbs 2008?

    2. #2 by Mark Raborn on 2009/06/02 - 20:10

      TO ALL READERS – THIS RESPONSE IS NOT RELATED TO THE ARTICLE ABOVE. HOWEVER, IT IS RELATED TO THE COMMENT ABOVE. I’M POSTING A REPLY TO HELP ANSWER THE QUESTION IN THE COMMENTS. THANK YOU.

      Cindy, hi

      read this post about RWW on Official SBS Blog

      …about 3/4′s of the way through you will see this image

      Focus your attention on the TS Proxy section of the article and start reading.

      Now, I “realize” that I’m responding by pointing you to an SBS 2003 post and your question is SBS 2008 based. However, the same principles apply in that SBS uses a terminal services proxy. SBS 2008 achieves the remote connection to the internal workstation using tsweb in a (new for SBS 2008) “Terminal Services Proxy method over HTTP”. In both old (2003) and new (2008) you will find that an Active X control is needed.

      The challenge with RWW on any other platform besides Windows is “very specifically” with how terminal services connectivity to internal workstations is achieved via SBS. Because of the SBS implementation, you will not be able to connect to a Client Desktop via SBS RWW from a Mac.

      The reason: the remote connection through RWW requires an Active X control which Safari, Firefox, Opera, etc… do not support. IE is the only browser that will fulfill the requirement. This requirement is based on SBS development which employs the TS Proxy connection method (mentioned above) to remotely connect an external user (initially via a web browser session) to a system on the internal network. The older method (SBS 2003) required opening additional ports like port 3389. The new method does not.

      To see what ports SBS 2008 needs open, read this article
      http://blogs.technet.com/nking/archive/2008/11/26/remote-web-workplace-sbs-port-settings.aspx

      To learn more about what Microsoft is achieving with Terminal Services, read this article
      http://technet.microsoft.com/en-us/library/cc771530.aspx

      A LITTLE HOPE

      Your user still can connect remotely one of two ways that I can think of.

      1. Download Remote Desktop Connection Client for Mac here

      http://www.microsoft.com/mac/products/remote-desktop/default.mspx

      1a. dedicate an IP address for terminal services to that user
      1b. Open port 3389
      1c. Port forward the connection directly to that user’s Workstation

      2. Buy VM Fusion http://www.vmware.com/products/fusion/ or Parallels http://www.parallels.com/ and launch a virtual Windows OS for the purpose of connecting to RWW using Internet Explorer (which of course supports Active X controls).

      I’m aware this is almost certainly not the answer that you are looking for but it’s the best data I’m aware of.

      hope this helps
      Mark Raborn
      WIGITAL

    3. #3 by David on 2009/09/15 - 08:57

      Thanks for posting this in such detail – it was extremely helpful.

    4. #4 by Jorge on 2009/09/15 - 23:55

      Thanks for posting this in such detail – it was extremely helpful.

      Also thanks for letting me have a functional VPN on my server, and the best of all is that I understand what is happening and how it was done

    5. #5 by david on 2009/09/17 - 07:16

      I’m running into a configuration problem. I have an SBS 2008 server with one NIC. When I enable VPN, the workstations on the LAN cannot see the server anymore (ping timeout) and the server cannot reach the LAN (ping to local router gives “General Failure”).

      If I stop the RRAS service or disable VPN, the problem goes away.

      What am I missing?

      Thanks
      David

    6. #6 by Chris on 2009/10/27 - 10:02

      I am having the exact same issue as David on post #5.

      Anyone found a solution to this? My Server and all workstations lose internet connection, not to mention my server seems to go a bit buggy.

      Has anyone had these issues or some suggestions? I’ve tried reconnects, restarts, running the SBS console fixes/wizards, and restarting DHCP… Yet as soon as I run VPNCW.exe from the SBS console to reconfigure NOT allowing VPN connections everything is fine…..

      Help?

      Thanks,
      Chris

    7. #7 by Bernie on 2009/11/13 - 13:38

      On Windows server 2008 go to Server Manager/Network Policy and Access Services then Right click Routing and Remote Access and go to properties, then under IPV4 router select Local Area Network (LAN) routing Only instead of LAN and demand dial routing and click apply and OK. You have to do this while RRAS is running.

    8. #8 by Bernie on 2009/11/13 - 13:44

      Right click on Routing and Remote Access and go to Properties, then under IPV4 router select Local Area Connection (LAN) routing only instead of LAN and demand dial routing. You have to do this since you only have 1 NIC installed

    9. #9 by Bish on 2009/11/30 - 07:32

      Hi Mark,

      Thanks for the detailed step-by step guide. It is very thorough.

      I am having some real problems with this. I have done everything using the wizards, and all seems to work fine until I try to connect from a client computer.

      I’m getting the following error message:
      “Error 795: The tunnel type RADIUS attribute for this user is not correct”.

      I am trying to connect from an XP Pro SP3 machine. I thought that to eliminate any firewall issues the best way to test this was to try and connect the VPN whilst both on the same internal private network using the SBS private IP as the address on the VPN client.

      Your assistance would be gratefully appreciated.

      Thanks in advance!

    10. #10 by Bastien on 2010/02/05 - 06:25

      If I disabled the DHCP on the sbs and put it on the router, what do I have to do for the VPN to work ?
      How do I make sure that the VPN will know where the DHCP is and attribute it to the remote users ?

    11. #11 by Mark Raborn on 2010/02/05 - 08:44

      Hi Bastien

      you can assign Static IP’s using Active Directory in Dial-in tab of a users account in Active Directory

      http://support.microsoft.com/kb/303684

      you can assign a Static IP Pool in RRAS to dial in users

      see http://blogs.technet.com/rrasblog/archive/2009/03/17/remote-access-design-guidelines-part-4-ip-routing-and-dns.aspx

      You can also assign static routes if need be as well using RRAS

      http://support.microsoft.com/kb/178993

      Hope this helps
      Mark

    12. #12 by Karen on 2010/07/27 - 09:55

      STEP MISSING ABOVE: in assigning users to the VPN group, you must not only
      - select “Remote Access”
      but actually also
      - *check the box* for “User can access Virtual Private Network” before clicking ‘OK.’

      It’s clear in the screenshot, just not in the text.
