Internet Connection Sharing (ICS)
Internet Connection Sharing (ICS) is a feature that permits you to use Windows Server 2008 to connect a small office network or home network to the Internet. Not much has changed in Windows Server 2008, and you may find that most of the features and setup procedures are very similar to those of Windows Server 2003. As it always has, ICS provides NAT, IP addressing, and name resolution services for all the computers on a small network. This method is best used for sharing an Internet connection among the computers of a small business network.
ICS routes the TCP/IP packets of a small LAN to the Internet. ICS maps the individual IP addresses of the LAN clients to unused port numbers in the TCP/IP stack. Because it uses NAT, the IP addresses of the local computers are not visible on the Internet. All packets leaving or entering the LAN are sent from or to the IP address of the external adapter on the ICS host computer. This IP address is static and will always be 192.168.0.1, and it provides NAT services to the whole 192.168.0.x subnet.
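The port mapping this paragraph describes, as an added Go example that is not code from the page or from Windows: a LAN client gets an unused port on the external adapter, replies on that port go back to the client, and anything arriving without a mapping is dropped. The external address 203.0.113.10 and the client ports are constructed sample values.

```go
package main

import "fmt"

// endpoint is an IP:port pair on either side of the ICS host.
type endpoint struct {
	ip   string
	port int
}

// icsNAT models the table ICS keeps: each LAN client endpoint gets an unused port on the external adapter.
type icsNAT struct {
	externalIP string
	nextPort   int
	outbound   map[endpoint]int // LAN client -> external port
	inbound    map[int]endpoint // external port -> LAN client
}

func newICSNAT(externalIP string) *icsNAT {
	return &icsNAT{externalIP: externalIP, nextPort: 1025,
		outbound: map[endpoint]int{}, inbound: map[int]endpoint{}}
}

// translateOut rewrites the source of a packet leaving the LAN, so the
// Internet only ever sees the external adapter's address.
func (n *icsNAT) translateOut(src endpoint) endpoint {
	port, ok := n.outbound[src]
	if !ok {
		port, n.nextPort = n.nextPort, n.nextPort+1
		n.outbound[src], n.inbound[port] = port, src
	}
	return endpoint{n.externalIP, port}
}

// translateIn returns a reply to the LAN client that opened the flow. A packet
// for a port with no mapping has no LAN destination and is dropped, which is
// why LAN hosts are not reachable from the Internet.
func (n *icsNAT) translateIn(dst endpoint) (endpoint, error) {
	if dst.ip != n.externalIP {
		return endpoint{}, fmt.Errorf("%s is not the ICS host: dropped", dst.ip)
	}
	client, ok := n.inbound[dst.port]
	if !ok {
		return endpoint{}, fmt.Errorf("no mapping for port %d: dropped", dst.port)
	}
	return client, nil
}

func main() {
	nat := newICSNAT("203.0.113.10") // constructed public address
	ext := nat.translateOut(endpoint{"192.168.0.5", 49152})
	back, _ := nat.translateIn(ext)
	_, err := nat.translateIn(endpoint{"203.0.113.10", 80})
	fmt.Println(ext, back, err)
}
```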
ICS is not customizable in terms of which addresses are used for the internal subnet. It has no provisions for bandwidth limiting or other features common to more advanced systems. ICS is also not compatible with, and cannot be combined with, Wi-Fi and dial-up mobile modems. ICS does offer limited configuration for other standard services and some configuration of NAT.
Virtual private networks (VPNs), which we discuss later, are common in most companies today. When configuring ICS, there are several things you should bear in mind concerning these types of connections and the hazards that may occur if the proper precautions are not taken.
Never create a VPN connection to a corporate network from the ICS computer. By doing so, you will cause all traffic from the ICS computer, including traffic from LAN clients, to be forwarded over the VPN connection to the corporate network by default. Internet resources will no longer be reachable across the network, and all the client computers will be sending data over the logical connection created with the credentials of the ICS computer user.
Never configure ICS on a computer that is a VPN server. If your Windows Server 2008-based computer is serving as a VPN server, you must use the Windows Server 2008 NAT role instead.
These are very important configuration mistakes that, if avoided, can save you wasted time and energy as an administrator.
Here is a list of the required hardware and software for enabling ICS:
A DSL or cable modem connected to an ISP, with an active DSL or cable account.
Two network adapters installed in the ICS machine.
A network already configured with functioning TCP/IP.
Due to the way ICS works and its drawbacks, you should never install ICS on a machine to which any of the following stipulations apply:
ICS creates a static IP address for your network adapter and allocates IP addresses to the other computers on your network. This means you will lose your connection to the rest of the network if other network computers already provide those services. If any of these conditions already exist in your network, you must use the Windows Server 2008 NAT server instead of ICS.
The ICS host computer provides a connection through the second network adapter to the existing TCP/IP network. Log on as a member of the Administrators group to set up the ICS host computer.
1. Click Start.
2. Click Control Panel.
3. Click Network Connections.
4. Right-click Local Area Connection (for the installed network card) and rename it “Internet Connection.”
5. In the Network and Dial-up Connections dialog box, two connections are displayed (for different network adapters): the Internet Connection and Local Area Connection.
6. Right-click Internet Connection and then click Properties.
7. Click the General tab, and then verify that Client for Microsoft Networks and Internet Protocol (TCP/IP) are displayed.
8. Click the Advanced tab, and then click to select the Enable Internet Connection Sharing for this Connection check box.
Note
Make sure that firewall software or other Internet-sharing software from any third-party manufacturer has been removed.
9. Click OK.
Remote Access Protocols
Setting up remote access servers and connections in Windows Server can be somewhat overwhelming and confusing if you don’t understand the protocol configuration options available to you. You have a number of remote access protocol options to choose from, and deciding which ones to use will depend on the exact task and functionality you seek to accomplish, as well as on your system configuration, your hardware, and your communications capabilities.
You must try to organize and make sense of all these options. To start, let’s take a look at the categories of protocols and the advantages and disadvantages of the various protocols within each one.
Microsoft’s PPTP is most commonly used for voluntary, authenticated, and encrypted tunneling between dial-up clients and a PPTP Network Server located just inside the customer’s network.
The PPTP Network Server authenticates the tunnel user with the Challenge-Handshake Authentication Protocol (CHAP) and negotiates data compression and encryption as dictated by security policies. PPTP offers payload privacy, but it does not encrypt session control traffic.
L2TP consolidates the best of other protocols within a single standard. L2TP Access Concentrators (LACs) terminate the PPP Link Control Protocol (LCP) and carry out dial session authentication. L2TP can be used with a separate LAC at the ISP’s network access server (NAS), or with a LAC client on the end user’s PC. L2TP Network Servers terminate the PPP Network Control Protocols (NCPs), provide routing and bridging for the PPP session, and make the user appear directly connected to the “home” network.
In compulsory mode, L2TP is transparent to the user, supports multiple protocols, and leaves authentication, authorization, and addressing responsibility within the customer’s network. L2TP is a tunneling protocol, not an encryption protocol. If customers require data confidentiality, you’ll need to run L2TP over IPSec.
Features have been added to the IP protocol to provide greater security for IP packets that transit public networks. The Encapsulating Security Payload (ESP) encrypts packets, usually by encapsulating a private IP packet inside an outer public IP packet. Another standard, the Internet Security Association and Key Management Protocol (ISAKMP), can be used for strong authentication of tunnel endpoints and for key management. Collectively, these extensions are called IPSec.
IPSec supports site-to-site VPNs by building security associations between gateways at the edge of customer networks. Every packet that enters or leaves each network is tunneled according to customer-defined policy, with filtering down to the individual host and port level. IPSec-compatible encryption and packet authentication algorithms support a wide variety of security policies, allowing customers to strike their own balance between security and performance.
IPSec can also be used to support remote access VPNs by tunneling from an individual host to a security gateway, topologically similar to voluntary PPTP tunnels. IP packets sent by an IPSec host to a protected network are encrypted and delivered to the security gateway for that network. IP packets to public destinations are sent without the addition of IPSec protocols.
Windows Server 2008 offers many new upgrades. The newest addition to the realm of VPNs is SSTP, the latest alternative form of VPN tunnel. SSTP is an application-layer protocol. It uses synchronous communication, which works in unilateral motion between two programs, allowing a constant exchange and comparison of data. By doing this, it allows for many application endpoints over a single network connection, which makes very efficient use of the communication resources available to that network. SSTP is based on SSL as opposed to IPSec or PPTP, and thereby uses port 443 for its traffic.
When developing SSTP to be a viable and improved VPN tunneling protocol, Microsoft had many available resources to build upon. Two of the most commonly used were IPSec and SSL. Both had benefits, but it took much consideration to determine which would provide the better groundwork and allow the most benefits. At the conclusion of the decision-making process, SSL was chosen as the basis for the SSTP used in Windows Server 2008.
There are many obvious reasons for this choice. Most become apparent when you examine the downsides of IPSec. IPSec’s main function is supporting site-to-site VPN connectivity, not roaming. SSL was obviously a better base for SSTP development, as it supports roaming. Besides the obvious, there are several other reasons for not basing SSTP on IPSec:
Strong authentication is not required.
User clients must be present.
No conformity in support and coding from one vendor to the next.
No default non-IP protocols.
Remote users attempting to connect via a site with limited IP addresses would cause problems due to the inherent site-to-site secure connection design.
With SSL VPN, static IP addresses are not required, clients are unnecessary in most cases, and since connections are made via a browser over the Internet, the default connection protocol is TCP/IP. This makes connections transparent to the user. Microsoft hopes that this sort of forethought in their development will ensure more user-friendly interactions when using SSTP in Windows Server 2008.
SSTP allows traffic to pass through firewalls that would normally block PPTP and L2TP/IPSec traffic. SSTP encapsulates PPP traffic over the SSL channel of the HTTPS protocol. By using PPP, SSTP can utilize well-protected authentication methods such as EAP-TLS. By using HTTPS, traffic is directed through TCP port 443. This port is commonly used for Web access, which is why SSTP is so versatile compared to past VPN protocols. Key negotiation, integrity checking, and encryption are handled by the SSL VPN layer, which provides transport-level security for these functions.
Tip
As you can see, there are many similarities between the new features available in Windows Server 2008 and previous versions of Windows Server. Try to be certain of the distinguishing elements that separate the two. Although two features may have similar uses and applications, their exact functionality may be very different.
For example, you should remember that although SSTP may be closely related to SSL, no cross comparison can be made between the two. Be sure not to confuse the two, as SSTP is only a tunneling protocol, unlike SSL.
SSL uses a cryptographic system with a pair of keys to secure data. One is the public key and the other is the private key. The public key is known to everyone, and the private key is known only to the recipient. A secure connection between a client and a server is created by this method of encryption. You can thereby establish secure remote access from almost any Internet-connected Web browser, which was not possible using traditional VPN. Thanks to this new method, there are no issues with instability in the connection or loss of service due to connectivity issues for the client. The added bonus is that with SSL VPN, the session is completely secured.
Remember that while SSTP is a strong method for client-to-site VPN connections, it is not designed for site-to-site VPN connections. Let’s review the assets that SSTP can provide to you and your organization:
SSTP takes advantage of HTTPS to establish a secure and stable connection.
The SSTP (VPN) tunnel will function over Secure-HTTP. This means that Web proxies, firewalls, and NAT routers present on the path between clients and servers will no longer block VPN connections.
Port blocking is greatly decreased.
Clients will be able to connect from anywhere on the Internet.
SSTP is built into Windows Server 2008, providing higher compatibility.
SSTP allows simpler training procedures, because the end-user VPN controls are identical to previous versions.
The SSTP-based VPN tunnel will directly plug into the current interfaces for Microsoft VPN client and server software.
IPv6 is fully supported.
It takes advantage of the new integrated network access protection support for client health-check.
MS RRAS client and server are strongly supported, allowing for two-factor authentication capabilities.
VPN coverage is expanded from limited points of access to almost any Internet connection.
The use of port 443 for SSL encapsulation.
Acts as a full network VPN solution over all applications.
NAP integration.
The SSL tunnel is created in a single session.
Stronger forced authentication process than other methods like IPSec.
Supports non-IP protocols.
No additional costs or hard-to-configure hardware firewalls that do not support Active Directory integration and integrated two-factor authentication.
Now that we know the benefits of using the Secure Socket Tunneling Protocol, let’s examine the data flow for an SSTP-based VPN connection in action:
If a user on a computer running Windows Server 2008 initiates an SSTP-based VPN connection, the following occurs:
A TCP connection is made between the SSTP client and the SSTP server, from a dynamically allocated TCP port on the SSTP client to TCP port 443 on the SSTP server.
An SSL Client-Hello message is sent by the SSTP client. This Client-Hello message acts as an invitation from the SSTP client to create an SSL session with the SSTP server.
The SSTP server responds by providing and sending its computer certificate to the SSTP client.
The computer certificate is validated by the SSTP client.
Next, the SSTP client determines the encryption method for the SSL session.
Then the SSTP Client creates an SSL session key.
This SSL session key is then encrypted with the public key of the SSTP server’s certificate.
Warning
SSL uses a cryptographic system with a pair of keys to secure data. One is the public key and the other is the private key. The public key is known to everyone, and the private key is known only to the recipient. A secure connection between a client and a server is created by this method of encryption. You can thereby establish secure remote access from almost any Internet-connected Web browser, which was not possible using traditional VPN.
Please remember that while SSTP is a strong method for client-to-site VPN connections, it is not designed for site-to-site VPN connections. If you need a site-to-site VPN connection, you should use a traditional VPN.
The encrypted SSL session key is then sent to the SSTP server.
The SSTP server decrypts the encrypted SSL session key with the private key of its computer certificate. From this point, all further communication between the SSTP client and the SSTP server is encrypted with the negotiated encryption method and the SSL session key.
The SSTP client sends an HTTP over SSL request message to the SSTP server.
The SSTP client attempts to negotiate for an SSTP tunnel with the SSTP server.
The SSTP client attempts to negotiate a PPP connection with the SSTP server. User credentials are negotiated at this time with a PPP authentication method. During the negotiation, the two sides also configure settings for IPv4 or IPv6 traffic.
Once negotiation is completed, the SSTP client begins sending IPv4 or IPv6 traffic over the PPP link.
Windows Server 2008 has a variety of new networking options available to you, but it also offers other peripheral roles that can be helpful in a variety of ways. One huge trend in today’s networking is virtual networking, which allows you to economize and consolidate the number of physical machines by replacing them with virtual ones. While testing out different aspects of networking in this chapter, such as creating a VPN using the SSTP protocol, it will be helpful to work in real-world testing environments. In previous editions of Windows, this would normally require many physical computers to create an accurate test case, or a program like Virtual PC 2007 to simulate it.
Using the Hyper-V role of Windows Server 2008, you can create the same test scenario with only one or two physical computers and still accurately test your deployment cases. This allows you to test a variety of VPN configurations more effectively using only a limited number of physical machines. It will also familiarize you with other aspects of the Windows Server 2008 roles available to you as an administrator, and help you gain more proficiency with the operating system (OS).
By utilizing all of the new features of Windows Server 2008 in unison, you can take advantage of the full power of the real-world networking benefits that Windows Server 2008 has to offer your organization. This also presents the option of virtualization and the benefits it can bring to your organization.
Now that we understand how SSTP using the SSL VPN works, let’s go over the steps required to set up an SSTP connection in Windows Server 2008.
1. On the SSTP client, click Network and Sharing Center.
2. Click Manage network connections.
3. Double-click the VPN Connection, and then click Properties.
4. Click the Networking tab and find the Type of VPN drop-down list.
5. Select Secure Socket Tunneling Protocol (SSTP) from the Type of VPN drop-down list.
6. Click OK.
7. Click Connect in the Connect VPN Connection dialog box. The client will then connect to the VPN server using the SSTP connection.