Building a Microsoft VPN:
A Comprehensive Collection of Microsoft Resources

Michael E. Huang
January 1, 2000
Version 2.10
201 Pages
Download the entire document
786K ZIP, Word 97

Overview

"Building a Microsoft VPN: A Comprehensive Collection of Microsoft Resources" contains copyright material originally published by Microsoft Corporation. This document has been compiled from public resources and indexed and linked as a public service. It is distributed without charge under the exception referred to by Microsoft as the "ten percent rule". Any re-distribution must leave the file intact.

The major topics include conceptual material as well as detailed instructions on configuration of the various client and server components involved in MS VPNs. An overview of sections is listed below:


Section 1 -- Virtual Private Networking
Section 2 -- Introduction to MS TCP/IP
Section 3 -- Unicast Routing Principles
Section 4 -- Unicast IP Routing
Section 5 -- IPX Routing
Section 6 -- Remote Access Server
Section 7 -- Demand Dial Routing - NT 4.0 with RRAS
Section 8 -- Installing, Configuring, and Using PPTP with MS Clients and Servers
Section 9 -- Frequently Asked Questions about Microsoft VPN Security
Section 10 -- Frequently Asked Questions about Microsoft RRAS
Section 11 -- Additional Microsoft Resources


Table of Contents

Section 1 -- Virtual Private Networking


Virtual Private Networking Overview
Elements of a VPN Connection
VPN Connections

Remote Access VPN Connection
Router-to-Router VPN Connection

VPN Properties

Encapsulation
Authentication
Data Encryption
Address and Name Server Allocation

Internet and Intranet-Based VPN Connections

Internet-Based VPN Connections
Remote Access over the Internet
Connecting Networks over the Internet
Connecting Networks Using Dedicated WAN Links
Connecting Networks Using Dial-Up WAN Links
Intranet-Based VPN Connections
Remote Access over an Intranet
Connecting Networks over an Intranet

Managing Virtual Private Networking

Managing Users
Managing Addresses and Name Servers
Managing Access
Managing Authentication
Managing Accounting
Network Management

Point-to-Point Tunneling Protocol
Tunnel Maintenance with the PPTP Control Connection
PPTP Data Tunneling

Encapsulation of PPP Frame
Encapsulation of GRE Packet
Data-Link Layer Encapsulation
Processing of the PPTP Tunneled Data
PPTP Packets and Windows NT 4.0 Networking Architecture

VPN Security
PPTP Connections
User Authentication with PPP
Encryption with MPPE
PPTP Packet Filtering
Addressing and Routing for VPNs
Remote Access VPN Connections

IP Addresses and the Dial-up VPN Client
Default Routes and Dial-up Clients
Default Routes and VPNs over the Internet
Public Address
Private Addresses
Overlapping or Illegal Addresses

Router-to-Router VPN Connections

Temporary vs. Persistent Router-to-Router VPNs
VPNs Using Dial-Up ISP Connections
Static vs. Dynamic Routing

VPNs and Firewalls
VPN Server and Firewall Configurations

VPN Server in Front of the Firewall
VPN Server Behind the Firewall

Troubleshooting VPNs
Common VPN Problems

Connection Attempt is Rejected when it Should be Accepted
Unable to Reach Locations Beyond the VPN Server
Unable to Establish Tunnel

Troubleshooting Tools

Unreachability Reason
Network Monitor
PPP Log or PPP Tracing

Section 2 -- Introduction to TCP/IP

The TCP/IP Protocol Suite
Microsoft TCP/IP
TCP/IP Standards
TCP/IP Protocol Architecture

Network Interface Layer
Internet Layer
Transport Layer
Application Layer

TCP/IP Core Protocols

IP
ARP
ICMP
IGMP
TCP
UDP

TCP/IP Application Interfaces

Windows Sockets Interface
NetBIOS Interface

IP Addressing
Address Classes

Class A
Class B
Class C
Class D
Class E

Network ID Guidelines
Host ID Guidelines
Subnets and Subnet Masks

Subnet Masks
Dotted Decimal Representation of Subnet Masks
Network Prefix Length Representation of Subnet Masks
Determining the Network ID
Subnetting
Variable Length Subnetting

Supernetting and Classless Interdomain Routing
The Address Space Perspective

Public and Private Addresses

Name Resolution

Host Name Resolution
Domain Names
Host Name Resolution Using a HOSTS File
Host Name Resolution Using a DNS Server
Combining a Local Database File with DNS
NetBIOS Name Resolution

IP Routing
Direct and Indirect Delivery
The IP Routing Table

IP Routing Table Entry Types

The Route Determination Process
Example Routing Table for Windows NT
Routing Processes

IP on the Sending Host
IP on the Router
IP on the Destination Host
Static and Dynamic IP Routers

Physical Address Resolution

The ARP Cache
The ARP Process

For More Information

Section 3 -- Unicast Routing Principles

Internetwork Routing
Routing Concepts
Host Determination of the First Hop
Host Routing Table

Dynamic Updates of Host Routing Table
Eavesdropping

Default Router

Querying the Network for the Best Route
Host Determination of the Entire Path

Routing Table Structure

Network ID
Forwarding Address
Interface
Metric
Lifetime
Locality of the Routing Table

Static Routing
Dynamic Routing
Routing Loops
Black Holes
Foundations of Routing Protocols
Routing Infrastructure

Interior Gateway Protocols (IGPs)
Exterior Gateway Protocols (EGPs)

For More Information

Section 4 -- Unicast IP Routing

Windows NT 4.0 with RRAS and IP Routing
Windows NT 4.0 with RRAS Router Features for IP Routing
RIP for IP
RIP and Large Internetworks
RIP and Hop Counts
RIP and Routing Table Entries
RIP Route Advertising
RIP Convergence

Convergence in RIP Internetworks
Reducing Convergence Time

RIP for IP Operation

Initialization
Ongoing Maintenance
Administrative Router Shutdown
Downed Link
Downed Router

RIP for IP Version 1

Problems with RIP v1

RIP for IP Version 2

Features of RIP v2
RIP v2 Message Format
Authentication in RIP v2

Mixed RIP v1 and RIP v2 Environments
Windows NT 4.0 with RRAS as a RIP for IP Router
Troubleshooting RIP for IP

Improper Routes in a Mixed RIP v1 and RIP v2 Environment
Silent RIP Hosts Are Not Receiving Routes

OSPF
OSPF Operation

Formation of the LSDB Using Link State Advertisements
The Router ID
Calculating the SPF Tree Using Dijkstra’s Algorithm

OSPF Operation

Compiling the LSDB
Calculating the SPF Tree
Creating Routing Table Entries
OSPF Network Types
Synchronizing the LSDB Through Adjacencies
Forming an Adjacency
Neighbor States
Adjacency Configuration Parameters

Adding a Router to a Converged OSPF Internetwork
Designated Routers

DRs on Broadcast Networks
DRs on NBMA Nets
Backup Designated Router
Interface States

Communication on OSPF Networks

OSPF Areas
The Backbone Area

OSPF Router Types

Inter-Area Routing

External Routes

External Route Filters
ASBRs and Default Routes
Stub Areas

Troubleshooting OSPF

Adjacency Is Not Forming
Virtual Link Is Not Forming
Lack of OSPF Routes or Existence of Improper OSPF Routes

DHCP Relay Agent
DHCP Across IP Routers
Initial DHCP Configuration

DHCPDISCOVER
DHCPOFFER
DHCPREQUEST
DHCPACK
DHCPREQUEST
DHCPACK/DHCPNACK

Troubleshooting the DHCP Relay Agent
IP Packet Filtering
Windows NT 4.0 with RRAS IP Packet Filtering

IP Header
UDP Header
ICMP Header

Input Filters
Output Filters

Configuring a Filter
Filtering Scenarios
Preventing the Ping of Death
Denying Spoofed Packets from Private IP Addresses

ICMP Router Discovery
Additional Resources

Section 5 -- IPX Routing

Windows NT 4.0 with RRAS and IPX Routing
Windows NT 4.0 with RRAS Router Features for the IPX Protocol Suite
IPX Packet Filtering
IPX Header Structure
Demultiplexing an IPX Packet
The Windows NT 4.0 with RRAS Router IPX Packet Filtering
Configuring an IPX Filter
RIP for IPX
IPX Routing Tables
RIP for IPX Operation
RIP for IPX Packet Structure

Operation

RIP for IPX Route Filters
Static IPX Routes

To add a static route

SAP for IPX
IPX Routers and the Internal Network Number

IPX Traffic Before the IPX Internal Network
IPX Traffic After the IPX Internal Network
The Windows NT 4.0 with RRAS Router and the IPX Internal Network and Internal Adapter

SAP Tables
SAP Operation for an IPX Router
SAP Packet Structure
SAP Filters

Static Services

NetBIOS Broadcasts
The IPX WAN Broadcast

IPX WAN Broadcasts and Microsoft Networking
NetBIOS Over IPX Broadcast Packet Structure

Static NetBIOS Names
Additional Resources

Section 6 -- Remote Access Server

Remote Access Overview
Remote Access Versus Remote Control
Elements of a Dial-Up Remote Access Connection

Remote Access Client
Remote Access Server
Dial-Up Equipment and WAN Infrastructure
Remote Access Protocols
LAN Protocols

Elements of Secure Remote Access

Secure User Authentication
Mutual Authentication
Data Encryption
Callback

Managing Remote Access

Managing Users
Managing Addresses
Managing Access
Managing Authentication
Windows NT 4.0 Authentication
RADIUS Authentication
Managing Accounting
Network Management

Remote Access Server Architecture

IP and IPX Router
Packets from Remote Access Clients
Packets to Remote Access Clients

TCP/IP On-Subnet and Off-Subnet Addressing

On-Subnet Addressing and Proxy ARP
Off-Subnet Addressing and IP Routing
NetBIOS Gateway

The Point-to-Point Protocol

PPP Encapsulation
PPP on Asynchronous Links
PPP on Synchronous Links
PPP Link Negotiation with LCP

LCP Packet Structure

LCP Options
LCP Negotiation Process

Callback Negotiation with the Callback Control Protocol

Packet Structure
Negotiated Options
PPP Network Layer Negotiation with NCP

IPCP

Packet Structure
Negotiated Options

IPXCP

Packet Structure
Negotiated Options

NBFCP

Packet Structure
Negotiated Options

Compression Control Protocol

Packet Structure
Negotiated Options
MPPE and MPPC

ECP
The PPP Connection Process
Phase 1: PPP Configuration
Phase 2: Authentication
Phase 3: Callback
Phase 4: Protocol Configuration
A Sample PPP Connection
Network Monitor
PPP log for Windows NT 4.0 Remote Access Service

PPP Tracing for RRAS
Example of a PPP log or trace

PPP Connection Termination
PPP Authentication Protocols

PAP
SPAP
CHAP
MS-CHAP v1
MS-CHAP v2

Remote Access and LAN Protocols
TCP/IP

IP Address Allocation
DNS and WINS Address Assignment

IPX
Multilink
Troubleshooting the Remote Access Server
Common Remote Access Problems

Connection Attempt Is Rejected When It Should Be Accepted
Unable to Reach Locations Beyond the Remote Access Server

Miscellaneous Remote Access Problems

Multilink Is Not Working

Troubleshooting Tools
Network Monitor
PPP Log or PPP Tracing

Section 7 -- Demand Dial Routing - NT 4.0 with RRAS

Introduction to Demand Dial Routing
Demand Dial Routing and Remote Access
On-Demand and Persistent Connections
Demand Dial Interface Configuration
Components of Demand Dial Routing

Calling Router
Answering Router
Connection Medium

Demand Dial Routing Process
On-Demand Router-to-Router VPN
Testing Demand Dial Connections

Manual Test
Automatic

Demand Dial Routing Security
Dialin Permission
Authentication

One-Way and Two-Way Authentication

Encryption
Demand Dial Interface Packet Filtering
Creating User Accounts with the Demand Dial Wizard
Demand Dial Routing and Routing Protocols
On-Demand Connections
Manual Configuration of Static Routes

Using a Default IP Route for an On-Demand Connection
Autostatic Updates
Manual Autostatic Updates
Scheduled Autostatic Updates

Persistent Connections
IPX Demand Dial Connections
Troubleshooting Demand Dial Routing
Troubleshooting Tools

Section 8 -- Installing, Configuring, and Using PPTP with Microsoft Clients and Servers

Using PPTP
Planning for PPTP and Virtual Private Networks
Hardware Requirements
The PPTP server
The PPTP client
Network Protocols on the Private Enterprise Network
Before Installing PPTP
Installing and Configuring PPTP on a PPTP Server
Installing PPTP on a PPTP Server
Adding VPN Devices as RAS Ports on a PPTP Server
Configuring PPTP Server Encryption and Authentication Options
Configuring Server Encryption for PPTP
Configuring PPTP Filtering on the PPTP Server
Configuring LAN Routing on the PPTP Server

Enable IP forwarding
Adding the DontAddDefaultGateway registry entry
Adding static routes for the private network

Installing and Configuring PPTP on a PPTP Client
Installing PPTP on a PPTP Client
Adding a VPN Device as a RAS Port on the PPTP Client

To configure a VPN device on the PPTP client:

Configuring Dial-Up Networking on the PPTP Client
Creating the Phonebook Entry to Dial an ISP

To create a new ISP entry by using the Phonebook Wizard:
To verify or edit your ISP phonebook entry:

Creating the Phonebook Entry to Dial a PPTP Server

To create a phonebook entry to dial up a PPTP server by using a VPN device:
To verify or edit your phonebook entry for the PPTP server:

Using PPTP to Connect to a PPTP Server by Dialing an ISP

To connect to a PPTP server using a PPTP client to dial up an ISP:

Dialing Up an ISP PPTP Service to Connect to a PPTP Server
Using PPTP Over the LAN to Connect to a PPTP Server

To connect to a PPTP server over a LAN connection:

Section 9 -- Frequently Asked Questions about Microsoft VPN Security

Is Windows NT 4.0 Based Virtual Private Networking Secure?
Are There Other Aspects Of Security That I Should Consider When Making A Decision About A VPN Solution?
Are The Security Issues Different For RAS Than For VPN Access?
What Security Features Are Built Into PPTP?
How Is PPTP Secured?
What Types Of Attack Are Used Against VPNs?
What Has Microsoft Done To Protect Against Various Types Of Attacks?
How Important Is Good Password Security?
Are IPSec-Based VPNs More Secure Than PPTP-Based VPNs?
Are L2TP-Based VPNs More Secure Than PPTP-Based VPNs?
Is VPN Outsourcing Secure?
Is A Server-To-Server Based VPN Solution More Secure Than A Client-Server Solution?
What Are Smart Cards?
Does Microsoft Support Smart Card Authentication For VPNs?
What Are Token Cards?
What Are The Tradeoffs Between Smart Cards, Token Cards And Password Based Security?

References

Section 10 -- Update to Routing and Remote Access Service for Windows NT Server: FAQ

What Is The Difference Between Microsoft's Update To Its Routing And Remote Access Service And "Steelhead"?
What Are The New Features In The Routing And Remote Access Service Update?
How Large Is The File To Download The Routing And Remote Access Service Update?
What Are The System Requirements For Running The Update To Routing And Remote Access Service?
Is There A Service Pack Needed To Use Routing And Remote Access Service For Windows NT Server?
Are Client Access Licenses Required For Use With The Routing And Remote Access Service For Windows NT Server?
Can Routing And Remote Access Service Run On Windows NT Workstation?
Can Routing And Remote Access Service Run On Earlier Versions Of Windows NT Server?
Will The New Routing And Remote Access Service Ship With Windows 2000 Server?
Are There Limitations On The Number Of Simultaneous Connections One Can Have With Microsoft Routing And Remote Access Services For Windows NT Server?
Does This New Service Replace The RAS And MPR That Are Currently Running On My Microsoft Windows NT Server Version 4.0 Machine?
Can I Run Routing And Remote Access Service On The Same Machine As A Proxy Server Such As Microsoft Proxy Server?
Is Microsoft Routing And Remote Access Service For Windows NT Server A Proprietary Solution?
Why Am I Having Difficulty Accessing My Corporate Intranet Via PPTP?
What LAN And WAN Cards Can Be Used With Microsoft Routing And Remote Access Service For Windows NT Server Version 4.0?
Where Can I Get Training On Routing And Remote Access Services For Microsoft Windows NT Server?
Are The Management Tools In Routing And Remote Access Service Capable Of Running Remotely Over A LAN Or WAN?

Section 11 -- Additional Microsoft Resources

Deployment Roadmap

Copyright 1999, 2000, 2001 I.D.T., Inc. All rights reserved.