ADMIN

Recommendations

Info

Nuts and Bolts VPNs with SSTP Setting Up a Certification Authority To set up your own (private) certification authority in Active Directory, you need to launch the MMC console on your Windows server and add the certificate snap-in. Then, in the Certificate Snap‐In dialog box, select Computer account and Local computer for Select computer. n To begin, right-click on Own certificate in the MMC, followed by All tasks | Request new certificate. n You will see a selection of templates: Web Server will do the trick here. Now you need to provide a name, such as fw.example.local. For this certificate, the name of the certificate requestor must match the hostname of the device with which the VPN client will open the connection. This step is essential for a successful SSL handshake. n If the request worked as intended, the certificate will install automatically and should be visible in the MMC console: Certificates snap-in below Certificates (local computer) | Own certificates. The CA certificate must also be visible in Certificates (local computer) | Trusted root certificate authorities; you can check this if you experience difficulty with the certificate request. by the domain controller and placed in the client’s local certificate store along with the certification authority certificate. If you are unable or prefer not to purchase a commercial certificate, you can use a private certificate issued by Active Directory’s built-in CA. The “Setting up a Certification Authority” box explains how to do this. You need to configure the firewall to allow network traffic to pass through to the certificate authority in order for the certificate request to work. To get this to happen, the firewall must also be authorized to request certificates (Figure 2). You can set this up under the Web Server Properties Security tab; Read and Enroll privileges are required at minimum. In production, it often makes more sense to purchase a commercial certificate and install a dedicated firewall server with Microsoft’s new Forefront Threat Management Gateway (TMG) 2010 [2]. The gateway offers a wizard-based configuration in the TMG management console. Note that you cannot install the Forefront 2010 server component on a domain controller. Additionally, you will want to publish a certificate revocation list in a production scenario. Revocation A Certificate Revocation List (CRL) details any certificates revoked before their expiry date. Revocation lists are always available at CLR Distribution Points (CDPs). A CDP can be set in the Extensions tab of the CA Properties dialog box (Figure 3). Additionally, the certificate revocation list must be accessible to all clients at all times via the Internet, which will mean configuring the packet filter on the local firewall. In Forefront TMG 2010, you can use the website publishing wizard for this. VPN Server Setting up the VPN server itself is easily done. Once you have added the network policy and access services role by clicking Add roles in Figure 2: If you are unable to request a certificate, you can check the privileges in the certificate template for web servers to see whether Enroll is allowed. Figure 3: A CLR distribution point controls the availability of the certificate revocation list, which all clients need to be able to access at any time. 96 Admin 01 www.admin-magazine.com
VPNs with SSTP Nuts and Bolts Figure 4: You need to set up the RAS services to run a VPN server. Microsoft’s SSTP encapsulation structure is like a Russian doll. Just as with PPTP, Microsoft uses the PPP protocol with SSTP, which leads to a fairly complex encapsulation structure (see Figure 6), in which an IP header contains a TCP header, which in turn contains an SSTP header, which then contains a PPP header, which finally contains the IP packets themselves. Although the method seems to be slightly more efficient than Encapsulating Security Payload (ESP), with an overhead of 8 bytes in the PPP header, compared with 20 bytes in IPsec over HTTPS, there is actually no real need to encapsulate in PPP packthe Customize this server section of the Server Manager, the Routing and Remote Access tool is available below Management. The Action | Configure and enable routing and RAS button takes you to the Routing and Remote Access Server Setup Wizard. At the second Configuration step (Figure 4), you’ll want to enable Virtual private network (VPN) access and NAT, then click Next and select the required network interface. At the following step, Address assignment defines how the VPN server assigns IP addresses to remote clients. If you have the DHCP service running, Automatic is the quickest and cleanest option. Then you can define an IP address pool for the DHCP server to use in the next step, Address range assignment. In the final step, you can choose whether or not to use a Radius server to authenticate clients on a large-scale network; this is disabled by default. The wizard will then instruct you to set up the DHCP relay agent for Windows to support the forwarding of DHCP messages to RAS clients. To do this, you need to enable the Relay DHCP packets option in the DHCP Relay Properties dialog box (Figure 5). Conclusions IPv4 or IPv6 TCP SSTP PPP IPv4 or IPv6 packet Encapsulated SSL session Figure 6: The SSTP encapsulation structure is like a Russian doll. Microsoft has gone to considerable trouble to make something proprietary from what are basically open protocols. From a technical point of view, there seems to be no real reason to use PPP. Figure 5: Configuring Windows to forward DHCP messages to the RAS clients. ets. In IPsec, ESP builds directly on IP. Microsoft is quite obviously seeking to set itself apart by encapsulating in PPP. Apart from the fairly complex Windows server configuration, which mainly involves setting up the certificate services, and possibly packet filters for transporting the certificate requests, SSTP offers a secure, wellperforming tunnel technology for the future. n Info [1] Microsoft support for SSTP: [http:// support. microsoft. com/ kb/ 947032/] [2] TMG 2010: [http:// www. microsoft. com/ downloads/ details. aspx? familyid=e05a ecbc‐d0eb‐4e0f‐a5db‐8f236995bccd& displaylang=en] The Author Thomas Drilling has been a freelance journalist and editor for scientific and IT magazines for more than 10 years. With his editorial office team, he regularly writes on the subject of open source, Linux, servers, IT administration, and Mac OS X. In addition to this, Thomas Drilling is also a book author and publisher, a consultant to small and medium-sized companies, and a regular speaker on Linux, open source, and IT security. www.admin-magazine.com Admin 01 97
Page 1 and 2:
ADMIN Network & Security Rescue CD
Page 3 and 4:
Welcome to Admin WELCOME ALL FOR AD
Page 5 and 6:
Table of Contents SERVICE 8 Spacewa
Page 7 and 8:
POWERHOUSE PERL 11 cool projects! F
Page 9 and 10:
Spacewalk Features configuration fi
Page 11 and 12:
Spacewalk Features Figure 2: Assign
Page 13 and 14:
Spacewalk Features kickstart profil
Page 15 and 16:
Icinga Features Table 1: States Opt
Page 17 and 18:
Icinga Features ministrators only n
Page 19 and 20:
Icinga Features Figure 6: Network o
Page 21 and 22:
MySQL Forks and Patches Features th
Page 23 and 24:
MySQL Forks and Patches Features In
Page 25 and 26:
Exchange 2010 Features © peapop, F
Page 27 and 28:
they can now synchronize text messa
Page 29 and 30:
Backup Software Features data. One
Page 31 and 32:
Backup Software Features tended), l
Page 33 and 34:
Backup Software Features Two “wiz
Page 35 and 36:
Backup & Disaster Recovery Georgeto
Page 37 and 38:
OCFS2 Tools ing. OCFS2 is fairly si
Page 39 and 40:
OCFS2 Tools F Figure 2: Unspectacul
Page 41 and 42:
To do this, you need to change the
Page 43 and 44:
Synergy Tools Figure 1: Synergy as
Page 45 and 46: SystemTap Tools The SystemTap [3] t
Page 47 and 48: SystemTap Tools Instead of searchin
Page 49 and 50: Package Your Scripts Virtualization
Page 51 and 52: Linux Magazine ACADEMY curl U http:
Page 53 and 54: openVz VirtuAlizAtion live migratio
Page 55 and 56: OpenVZ Virtualization a number of c
Page 57 and 58: OpenVZ Virtualization OpenVZ kernel
Page 59 and 60: AND SAVE 30%! ADMIN Network & Secur
Page 61 and 62: Virtual Machine Manager Virtualizat
Page 63 and 64: Virtual Machine Manager Virtualizat
Page 65 and 66: Teamviewer Management and be contro
Page 67 and 68: NOV. 7-12 2010 24th Large Installat
Page 69 and 70: Chef Management Server Provides rec
Page 71 and 72: Chef Management ‐r http://s3.amaz
Page 73 and 74: Chef Management Figure 5: The clien
Page 75 and 76: Sysinternals Management AdInsight a
Page 77 and 78: Sysinternals Management Name Table
Page 79 and 80: PAM and Hardware Nuts and Bolts Fig
Page 81 and 82: November 13-19, 2010 • Ernest N.
Page 83 and 84: PAM and Hardware Nuts and Bolts to
Page 85 and 86: ON NEWSSTANDS NOW ! UBUNTU USER MAG
Page 87 and 88: modSecurity nutS And boltS complex
Page 89 and 90: ModSecurity Nuts and bolts Insider
Page 91 and 92: REAL SOLUTIONS FOR REAL NETWORKS Ea
Page 93 and 94: Daemon Monitoring Nuts and Bolts Fi
Page 95: VPns with SSTP nuTS And BoLTS Hands
Page 100: DEDICATED SERVERS £59 FROM PER MON
show all

ADMIN

Create successful ePaper yourself

Delete template?

Save as template?