-
The VPN client contacts the VPN server.
In the first stage of a VPN connection attempt, the VPN
client attempts to contact the VPN server. Successful completion
of this stage requires the client to be configured with the
correct public IP address (or a DNS name that resolves to it) of
the VPN server. The VPN server also needs to be reachable from the
Internet. If the VPN server is located behind a firewall, the
firewall needs to be configured to allow the VPN client to reach
it.
-
The VPN tunnel is negotiated.
After the VPN client contacts the VPN server, it submits a
request for a tunnel type. A VPN network connection can be set to
any of five settings: Automatic, PPTP, L2TP/IPSec, SSTP, and
IKEv2, as shown in Figure 1.
The default setting is Automatic. According to this setting,
the VPN connection makes VPN protocol requests in the following
order: IKEv2, SSTP, PPTP and L2TP/IPSec. The VPN type that is
negotiated eventually is the first for which the VPN server can
answer the request.
During this phase, the authentication protocol is also
negotiated. For IKEv2 VPNs, the EAP-MSCHAPv2 authentication
protocol is used. For other VPN types, MS-CHAPv2 is preferred if
it is also available on the VPN server. Otherwise, CHAP is
requested. Note that MS-CHAPv2 and CHAP are password-based
challenge-response protocols, and a captured MS-CHAPv2 exchange
can be attacked offline. With PPTP, which carries the PPP
authentication before any encryption exists, the connection is
therefore no stronger than the user's password; the other tunnel
types protect the exchange inside IPsec or TLS.
Finally, encryption is negotiated during this phase. Like
authentication settings, encryption settings are defined on the
Security tab in a VPN connection Properties dialog box in Windows
7, as shown in Figure 2. For
encryption to be negotiated properly, the client settings defined
here must be compatible with those defined on the VPN server. For
example, if Maximum strength encryption (disconnect if server
declines) is defined on the client, the server must be able to
provide maximum strength encryption or the VPN connection fails.
Conversely, the Optional encryption and No encryption allowed
settings let the connection come up with no data encryption at
all, so a client that must never send traffic in the clear should
use Require encryption or the maximum strength setting.
-
The VPN tunnel is created.
If the VPN tunnel type, authentication protocol, and
encryption strength can be agreed upon, the VPN tunnel is created
between the VPN client and VPN server. After this point, all
exchanges are encrypted.
In the case of IKEv2 and SSTP VPNs, the tunnel creation is
performed with the help of the VPN server's computer certificate.
The VPN client must therefore be able to validate the certificate:
the certificate of the issuing root CA must be installed in the
Trusted Root Certification Authorities store on the VPN client
computer, the certificate must carry the Server Authentication
purpose, and its subject name (or subject alternative name) must
match the host name the client dials. For SSTP, the client also
checks the certificate's revocation status, so the CRL
distribution point must be reachable from the client before the
tunnel exists.
In the case of L2TP/IPSec VPNs, preshared keys or computer
certificates are used to create the encryption terms for the
tunnel. These elements must therefore be configured properly for
the negotiation to work. Because a preshared key is the same for
every client, computer certificates are the stronger choice where
a PKI is available. (PPTP VPNs use Microsoft Point-to-Point
Encryption to create the secure tunnel and do not require a PKI;
the MPPE keys are derived from the MS-CHAPv2 user authentication
rather than from any server credential.)
A final requirement for a VPN tunnel to be negotiated is
that the VPN client-server communication must be able to traverse
the network elements that lie between them. For example, if a
firewall is located between the VPN client and server, the ports
and protocols used by the VPN protocol must be left open: TCP
1723 and IP protocol 47 (GRE) for PPTP, UDP 500, UDP 4500 and IP
protocol 50 (ESP) for L2TP/IPSec and IKEv2, and TCP 443 for SSTP.
If a NAT device is located between the VPN client and server, the
VPN protocol must be able to traverse that NAT device: SSTP
traverses NAT like any HTTPS traffic, IPsec-based types rely on
NAT-T over UDP 4500, and PPTP requires the NAT device to handle
GRE.
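The reachability and certificate requirements of stages 1 through 3 can be checked from the client before the connection is attempted. The script below is an added example for this page, not code from the original text or from Microsoft; it assumes a server name of vpn.example.com (replace it) and the port table stated above. TCP connects can probe PPTP and SSTP; UDP 500/4500, GRE and ESP cannot be exercised this way and are only reported, and the SSTP client's CRL check is not reproduced.

```powershell
# Added example, not code from the original text or from Microsoft.
# Client-side checks for the prerequisites the VPN stages depend on:
#   stage 1 - the server name resolves;
#   stage 3 - the TCP ports of each tunnel type are reachable, and for SSTP the
#             server certificate chains to a trusted root, matches the dialled
#             name and carries the Server Authentication EKU.
# Assumptions: the server name below and the port table (both to be adjusted).
# UDP 500/4500, GRE and ESP cannot be probed with a TCP connect; they are listed only.

$VpnServer = 'vpn.example.com'   # assumption: your VPN server's public DNS name

# Automatic negotiation order as described above; each entry lists what the path must allow.
$TunnelTypes = @(
    @{ Name = 'IKEv2';      Tcp = @();     Other = 'UDP 500, UDP 4500 (NAT-T), IP protocol 50 (ESP)' },
    @{ Name = 'SSTP';       Tcp = @(443);  Other = '' },
    @{ Name = 'PPTP';       Tcp = @(1723); Other = 'IP protocol 47 (GRE); the NAT device must pass GRE' },
    @{ Name = 'L2TP/IPsec'; Tcp = @();     Other = 'UDP 500, UDP 4500 (NAT-T), IP protocol 50 (ESP)' }
)

function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-SstpCertificate {
    param([string]$Server, [int]$Port = 443)
    $script:PolicyErrors = [System.Net.Security.SslPolicyErrors]::None
    # Record the chain/name result instead of aborting the handshake, so it can be reported.
    $callback = { param($sender, $cert, $chain, $errors) $script:PolicyErrors = $errors; return $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($Server)   # $Server is the name the VPN connection dials
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $tcp.Close() }

    $result = New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NameMatches   = ($script:PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -eq 0
        ChainTrusted  = ($script:PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -eq 0
        ServerAuthEku = $false
    }
    # SSTP and IKEv2 server certificates need the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { $result.ServerAuthEku = $true }
            }
        }
    }
    return $result
}

# Stage 1: name resolution. A wrong or stale server address fails here, before any negotiation.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($VpnServer) | ForEach-Object { $_.IPAddressToString }
    Write-Host ("{0} resolves to {1}" -f $VpnServer, ($ips -join ', '))
} catch {
    Write-Host ("Stage 1 fails: cannot resolve {0}: {1}" -f $VpnServer, $_.Exception.Message); return
}

# Stages 2/3: walk the Automatic order and report what the path between client and server permits.
foreach ($t in $TunnelTypes) {
    $state = 'no TCP port to probe'
    if ($t.Tcp.Count -gt 0) {
        $open = @($t.Tcp | Where-Object { Test-TcpPort -Server $VpnServer -Port $_ })
        if ($open.Count -eq $t.Tcp.Count) { $state = 'TCP ' + ($t.Tcp -join ',') + ' open' }
        else { $state = 'TCP ' + ($t.Tcp -join ',') + ' blocked' }
    }
    Write-Host ("{0,-11} {1}" -f $t.Name, $state)
    if ($t.Other) { Write-Host ("            also needs: {0}" -f $t.Other) }
}

# SSTP only: the certificate the client will be asked to validate during tunnel creation.
if (Test-TcpPort -Server $VpnServer -Port 443) {
    $c = Test-SstpCertificate -Server $VpnServer
    Write-Host ("SSTP certificate: {0}, issued by {1}" -f $c.Subject, $c.Issuer)
    Write-Host ("  chain trusted: {0}  name matches {1}: {2}  Server Authentication EKU: {3}" -f `
        $c.ChainTrusted, $VpnServer, $c.NameMatches, $c.ServerAuthEku)
    Write-Host "  (not checked here: the SSTP client also fetches the CRL named in the certificate)"
}
```

Run it on the client that fails to connect; a resolution error points at stage 1, a blocked port at the firewall or NAT requirement, and a chain, name or EKU failure at the certificate requirement for SSTP. The chain result reflects the current user's trusted roots, which include the computer's Trusted Root Certification Authorities store.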
-
Remote access authentication is performed.
During this phase, the user credentials submitted with the
VPN connection request are sent to the VPN server by using the
previously agreed upon authentication protocol. The VPN server
then either performs the authentication locally, or forwards the
authentication request to an available domain controller, or
forwards the authentication request to a RADIUS server. For this
step to occur, the VPN user must submit proper credentials, and
the VPN server must be configured to forward the authentication to
the appropriate location.
-
Remote access authorization is performed.
In this phase, the user account properties are checked to
verify that the user is authorized for remote access (the Network
Access Permission setting on the account's Dial-in tab, which can
allow access, deny access, or defer to network policy). Then, the
list of network policies configured on the VPN server or NPS
server is checked in order. The first policy whose conditions all
match the connection request is applied to that request and then
either allows or denies the request; later policies are not
evaluated. Note that constraints (such as day and time
restrictions or permitted authentication methods) might also be
defined in the policy; if the request matches the policy's
conditions but fails one of its constraints, the request is
rejected rather than passed on to the next policy.
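The evaluation order described above, modeled as an added example for this page: this is not NPS code and not a Microsoft tool, only a small function that follows the documented order (account permission, first policy whose conditions all match, that policy's constraints, then the access decision) so the effect of policy ordering can be tried out. The policies, groups, users and times are constructed for illustration.

```powershell
# Added example, not code from the original text or from NPS.
# Models the remote access authorization stage: account permission first, then the
# first policy whose conditions all match, then that policy's constraints.
# All policies, groups, users and times below are constructed for illustration.

function Resolve-RemoteAccess {
    param(
        [hashtable]$Request,                # User, Groups, AuthMethod, Time (DateTime)
        [string]$NetworkAccessPermission,   # account Dial-in tab: 'Allow', 'Deny' or 'ControlByPolicy'
        [hashtable[]]$Policies              # network policies in processing order
    )
    # 1. Account properties are checked first; an explicit Deny ends evaluation.
    if ($NetworkAccessPermission -eq 'Deny') { return 'Reject: user account denies network access' }

    # 2. The first policy whose conditions ALL match is applied; later policies are ignored.
    foreach ($policy in $Policies) {
        $match = $true
        foreach ($group in $policy.RequiredGroups) {
            if ($Request.Groups -notcontains $group) { $match = $false }
        }
        if (-not $match) { continue }

        # 3. Constraints of the matched policy. A failed constraint rejects the request;
        #    evaluation does not fall through to the next policy.
        if ($policy.ContainsKey('AllowedAuthMethods') -and
            $policy.AllowedAuthMethods -notcontains $Request.AuthMethod) {
            return "Reject: '$($policy.Name)' matched, but $($Request.AuthMethod) is not an allowed method"
        }
        if ($policy.ContainsKey('HoursFrom')) {
            $hour = $Request.Time.Hour
            if ($hour -lt $policy.HoursFrom -or $hour -ge $policy.HoursTo) {
                return "Reject: '$($policy.Name)' matched, but $($Request.Time.ToString('HH:mm')) is outside $($policy.HoursFrom):00-$($policy.HoursTo):00"
            }
        }

        # 4. Access decision: the account's Allow overrides the policy's Grant/Deny.
        $decision = $policy.Access
        if ($NetworkAccessPermission -eq 'Allow') { $decision = 'Grant' }
        return "$decision via '$($policy.Name)'"
    }
    return 'Reject: no network policy matched'
}

# Constructed policies: a deny for contractors placed above a grant for VPN users.
$policies = @(
    @{ Name = 'Contractors denied';      RequiredGroups = @('Contractors'); Access = 'Deny' },
    @{ Name = 'VPN Users, office hours'; RequiredGroups = @('VPN Users');
       AllowedAuthMethods = @('EAP-MSCHAPv2', 'MS-CHAPv2'); HoursFrom = 8; HoursTo = 18; Access = 'Grant' }
)

# Constructed requests.
$alice = @{ User = 'alice'; Groups = @('VPN Users');                AuthMethod = 'EAP-MSCHAPv2'; Time = (Get-Date '2012-03-05 09:30') }
$bob   = @{ User = 'bob';   Groups = @('VPN Users', 'Contractors'); AuthMethod = 'EAP-MSCHAPv2'; Time = (Get-Date '2012-03-05 09:30') }
$late  = @{ User = 'alice'; Groups = @('VPN Users');                AuthMethod = 'CHAP';         Time = (Get-Date '2012-03-05 22:00') }

foreach ($r in $alice, $bob, $late) {
    '{0,-6} {1}' -f $r.User, (Resolve-RemoteAccess -Request $r -NetworkAccessPermission 'ControlByPolicy' -Policies $policies)
}

# Same policies in the opposite order: bob, a contractor who is also a VPN user, now
# matches the grant policy first and the deny policy is never reached.
'bob (policies swapped): ' + (Resolve-RemoteAccess -Request $bob -NetworkAccessPermission 'ControlByPolicy' `
    -Policies @($policies[1], $policies[0]))
```

The swapped run is the ordering mistake to look for when reviewing a live NPS configuration: a broad grant policy listed above a more specific deny silently neutralizes the deny.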
-
The VPN connection is established.
If the remote access connection request is authorized, the
VPN server allows the VPN user to log on to the domain. After
domain logon occurs, the VPN user has access to the corporate
network.