Configure remote connections
Unless an organization has already deployed DirectAccess, it is likely that mobile computers will use a VPN to remotely access the organizational network. Setting up remote access involves understanding VPN protocols and authentication, dial-up, Network Access Protection quarantine, and Remote Desktop (RD) Gateway functionality.
Establishing VPN connections and authentication
You need to know what the VPN options are for computers running Windows 7 and what authentication options are appropriate for a given set of circumstances.
Every edition of Windows 7 supports VPNs that use the following protocols:
- PPTP: The least secure form of VPN. Does not require access to digital certificates. Can use MS-CHAPv2, EAP, and PEAP authentication protocols. Because the MPPE keys that encrypt a PPTP tunnel are derived from the MS-CHAPv2 exchange, an attacker who captures and cracks that exchange can also decrypt the tunnel. When a Windows 7 computer is itself configured to accept incoming VPN connections, it supports only PPTP.
- L2TP/IPsec: Requires a certificate services infrastructure or can be used with preshared keys. Traditionally, certificate services is deployed to provision both VPN clients and servers with certificates for authentication. A preshared key is a single secret shared by every client, so it should be treated as a stopgap, not a replacement for certificates. Most third-party VPN solutions support L2TP/IPsec.
- SSTP: SSTP carries PPP over HTTPS (TCP port 443), meaning that it can pass across almost all firewalls and proxies that allow Internet access, something that is not true of other VPN protocols. The client validates the VPN server's certificate, including a revocation check, so the certificate's CRL distribution point must be reachable from the Internet. SSTP requires a VPN server running Windows Server 2008 or Windows Server 2008 R2.
- IKEv2: Can be used only with clients running Windows 7 and VPN servers running Windows Server 2008 R2. Allows VPN Reconnect. (You'll learn more about VPN Reconnect later in this tutorial.) IKEv2 does not support PAP, CHAP, or MS-CHAPv2 as PPP authentication protocols; passwords can be used only when MS-CHAPv2 is carried inside EAP.
Creating a VPN connection involves specifying the address of the remote VPN server and providing authentication credentials. Users without local administrative privileges can create new VPN connections by clicking Set Up A New Connection Or Network and then Connect To A Workplace in the Network And Sharing Center. By default, newly created VPN connections use the Automatic VPN type, which means that the client attempts the most secure protocol first; if that protocol is unavailable or unsupported by the server, the client falls back to a less secure protocol, which can include PPTP. After you have created the connection, you can edit the VPN connection's properties and select a specific protocol. The connection then uses only that protocol and fails rather than falling back, which is the setting you want when the server supports a strong protocol and a downgrade to PPTP must be prevented. Administrators can also simplify the deployment of VPNs by creating Connection Manager Administration Kit (CMAK) profiles that automate the setup of remote access connections and ship the intended protocol and authentication settings with the profile.
Windows 7 supports the following authentication protocols for both VPN and dial-up connections:
- Password Authentication Protocol (PAP): Uses unencrypted passwords, so over PPTP the password crosses the network in the clear before any tunnel encryption is established. Not enabled by default. Not supported by remote access servers running Windows Server 2008 or Windows Server 2008 R2. Used when connecting to older third-party VPN servers. Least secure option.
- Challenge Handshake Authentication Protocol (CHAP): Password-based challenge-response protocol. The server must hold the password in reversibly encrypted form to verify the response. Not supported by remote access servers running Windows Server 2008 or Windows Server 2008 R2. Enabled by default for Windows 7 VPN connections.
- Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2): Password-based challenge-response protocol. VPN connection can use the credentials of the currently logged-on user for authentication. The response is computed with DES from the user's NT hash, so a captured exchange can be cracked offline; use MS-CHAPv2 inside PEAP rather than on its own.
- Protected Extensible Authentication Protocol with Transport Layer Security (PEAP-EAP-TLS): Certificate-based authentication protocol. Requires deployment of a computer certificate on the VPN server and a user or computer certificate on each client.
- PEAP-EAP-MS-CHAPv2: Most secure password-based authentication protocol for Windows 7 VPN clients, because the MS-CHAPv2 exchange runs inside a TLS tunnel to the server. Requires deployment of a computer certificate on the VPN server, and the client must be configured to validate that certificate, otherwise a rogue server can harvest the MS-CHAPv2 exchange.
- Smart Card or Other Certificate: Use when VPN connections are authenticated with a smart card or a certificate (EAP-TLS) without the PEAP outer tunnel.
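The two risks described above, a connection left on the Automatic type that can fall back to PPTP and password authentication that is not carried inside PEAP, are both visible in the phone book that Windows 7 writes for each connection (rasphone.pbk). The following PowerShell 2.0 script, added here as an example and not code from the original page, walks the per-user and all-users connection folders (CMAK profiles keep their own .pbk below the same roots) and reports each VPN entry's tunnel type and authentication method. The key names it reads (Type, PhoneNumber, VpnStrategy, CustomAuthKey, AuthRestrictions) are the keys Windows writes; the meanings it assigns to VpnStrategy values 5 to 8 and to CustomAuthKey are the author's reading of the format and are an assumption to confirm against a connection you created yourself.

```powershell
# Added example, not from the original page: audit Windows 7 VPN phone-book
# entries for PPTP fallback and for password authentication outside PEAP.
# ASSUMPTION: VpnStrategy 5-8 and CustomAuthKey meanings below are the author's
# reading of rasphone.pbk; values 1-4 are the documented PPTP/L2TP settings,
# and the EAP type numbers are the IANA assignments (13 = EAP-TLS, 25 = PEAP).

# Per-user and all-users connection folders.
$roots = @($env:APPDATA, $env:ProgramData) |
    ForEach-Object { Join-Path $_ 'Microsoft\Network\Connections' } |
    Where-Object { Test-Path $_ }

$strategyNames = @{
    1 = 'PPTP only';       2 = 'PPTP first (automatic)'
    3 = 'L2TP/IPsec only'; 4 = 'L2TP/IPsec first (automatic)'
    5 = 'SSTP only';       6 = 'SSTP first (automatic)'    # ASSUMPTION
    7 = 'IKEv2 only';      8 = 'IKEv2 first (automatic)'   # ASSUMPTION
}
$eapNames = @{ 13 = 'EAP-TLS (smart card or certificate)'; 25 = 'PEAP (EAP-TLS or EAP-MS-CHAPv2 inside TLS)' }

# Parse one .pbk file into one hashtable per [section]. A key that repeats
# inside a section (the per-device sub-blocks) keeps its first value.
function Get-PbkEntries {
    param([string]$Path)
    $entries = @()
    $current = $null
    foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match '^\[(.+)\]\s*$') {
            if ($null -ne $current) { $entries += $current }
            $current = @{ Name = $matches[1] }
        } elseif ($null -ne $current -and $line -match '^([^=]+)=(.*)$') {
            if (-not $current.ContainsKey($matches[1])) { $current[$matches[1]] = $matches[2] }
        }
    }
    if ($null -ne $current) { $entries += $current }
    return ,$entries
}

$report = @()
foreach ($root in @($roots)) {
    if (-not $root) { continue }
    foreach ($pbk in @(Get-ChildItem -Path $root -Filter *.pbk -Recurse)) {
        foreach ($e in @(Get-PbkEntries -Path $pbk.FullName)) {
            if ($e['Type'] -ne '2') { continue }      # Type=2 marks a VPN entry; dial-up entries are skipped
            $strategy = [int]$e['VpnStrategy']
            $eapType  = [int]$e['CustomAuthKey']       # 0, -1 or absent when no EAP method is selected (ASSUMPTION)
            $findings = @()
            if ($strategy -eq 1 -or $strategy -eq 2) {
                $findings += 'PPTP allowed: pin L2TP/IPsec, SSTP or IKEv2'
            }
            if (-not $eapNames.ContainsKey($eapType)) {
                $findings += 'non-EAP authentication: if a password is used, MS-CHAPv2 runs without PEAP'
            }
            if ($strategyNames.ContainsKey($strategy)) { $tunnel = $strategyNames[$strategy] }
            else { $tunnel = "VpnStrategy=$strategy" }
            if ($eapNames.ContainsKey($eapType)) { $auth = $eapNames[$eapType] }
            else { $auth = "non-EAP (AuthRestrictions=$($e['AuthRestrictions']))" }
            $report += New-Object PSObject -Property @{
                PhoneBook = $pbk.FullName
                Name      = $e['Name']
                Server    = $e['PhoneNumber']           # a VPN entry's 'phone number' is the server name or address
                Tunnel    = $tunnel
                Auth      = $auth
                Findings  = ($findings -join '; ')
            }
        }
    }
}
$report | Sort-Object Name | Format-Table Name, Server, Tunnel, Auth, Findings -AutoSize
```

The per-user phone book is only visible to the user who created the connection, so run the script from a logon script or under each account you want to audit; the all-users phone book and CMAK profiles installed for all users are covered from any account. Entries that report a non-EAP method together with an IKEv2 tunnel may be using machine certificates rather than a password, which the phone book alone does not distinguish, so check those by hand.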