ddameo (United States of America)

asked on

Need solid VPN solution w/ Win2K Domain, Win clients, PIX 515 firewall, Logon scripts

I need a recommended solution for configuring a VPN for one of my clients. It's urgent, and I need answers from experienced people only. This is a production environment, with a fully-configured firewall, and I can't take it down without scheduling an outage for the wee hours of the morning. Finally, I am *not* a Cisco expert -- and not sure that I want to be -- and prefer to see solutions that use the "training wheels" interface (PDM) wherever possible.

The desired solution:
- will provide the "must haves" shown below
- will not require the purchase of additional equipment or software
- will be relatively straightforward to set up
- will not require extensive maintenance
- will require few or no firewall reboots (24x7 production websites are running)
- will handle up to 20 remote users (VoIP phones and users)
- will work with workgroup routers that use NAT
- can use either the built-in Windows client or the Cisco VPN Client

NOTE: I can live with a solution that bypasses the PIX -- please no comments, Cisco experts, I can hear you cringing already! -- and uses PPTP/EAP-TLS (or similar config) directly to the Win2K RRAS server. Ease of maintenance is very important and I'm very familiar with setting up PPTP VPNs.

SERVER ENVIRONMENT
- Windows 2000 Server domain controller running Active Directory
- Windows 2000 Server member server running IAS, RRAS, Certificate Services
- Several other Win2K servers, including SQL Servers, IIS servers, file/print servers, etc.
- Cisco PIX 515e Restricted (3 interfaces: WAN/outside, LAN/inside, DMZ/dmz)
  > PIX 6.3(3); PDM 3.0(1), DES encryption only
- Cisco 2620 T-1 router
- Full data T-1 (44 static IP addresses)

CLIENT ENVIRONMENTS
- Win2K Pro (SP4) or WinXP Pro
- Mixture of cable and DSL connections
- Linksys-class routers (running NAT) and firewall/routers (NAT/PAT)
- Cisco VPN Client 4.0.5(C) or later is an option
- Some are stay-at-home PCs, some are work laptops brought home
- All PCs can be brought into the office, connected to domain and configured

"MUST HAVES"
- Ability to automatically run logon scripts without resorting to tricks like using Windows Scheduler to run them
  > Preferred: Server-based logon scripts
  > Preferred: Execution of logoff scripts
- Ability to browse network resources without re-entering credentials
- IPSec-based certificates or equivalent authentication method (e.g., EAP-TLS)
- Ability to connect and disconnect from the VPN without logging out
- Software-based client VPN endpoint solution

WHAT I'VE TRIED
- Cisco Windows Client 4.x to PIX using Group Authentication & UDP IPSec
  > Logon scripts do not execute
  > Couldn't get any domain policies to run
- Built-in Windows Client to PIX using L2TP and IPSec Certificates
  > Using MSCEP tool proved too complicated - never got it off the ground
- Built-in Windows Client to Win2K RRAS using PPTP
  > PPTP passes through PIX with no problem
  > No secure authentication (we have a standalone, not enterprise, CA)

THINGS I CAN CHANGE, IF NECESSARY
- Certificate Server
- RRAS server
- Domain IPSec policies
- VPN Settings on PIX
- VPN protocol can be PPTP, L2TP or other

THINGS I CAN'T CHANGE
- Can't reboot firewall without advance notice
- Server operating system
- PIX hardware configuration (can't add interfaces or IPsec card)

Let me know what other info you need.

This is an urgent situation, and any help is greatly appreciated. I may not be able to respond during business hours (East coast) for the next few days, as I'll be out on client sites during the day, but will respond each evening.

Thanks,
David
ASKER CERTIFIED SOLUTION
grblades (United Kingdom)
[solution text is members-only and not included on this page]

ddameo (ASKER)
Sorry, grblades, that's what I get for trying to do too many things at once.

What I meant by the first item you quoted is that I'd like the logon script(s) to be executed without manual intervention by the end user, or without resorting to any hokey tricks (like launching the Task Scheduler upon logon, which fires off a login script, as I've seen some people suggest with the Cisco client). The Windows RRAS Connection Manager Administration Kit (CMAK) allows you to build a package that includes logon and logoff scripts. This package takes the form of an executable file that gets distributed to users. While the logon scripts are not server-based, at least it's better than nothing.

What I meant to say in that second item you quoted is:
- Ability to connect and disconnect from the VPN without logging out *OF WINDOWS*
I think most solutions would give you that anyway, but I wanted to make sure it was included as a bullet point.

Does that help clarify things?
I know the Cisco client has an option to load before Windows starts which I think gives you an option to log into the domain.
I have never used this myself however as I don't want the extra traffic over the VPN as we don't have a fast link.

ddameo (ASKER)
Yes, the Cisco client *does* have this option, which we've used. My memory is getting a little fuzzy, because I've set up several networks and VPNs in the past month, but I believe the problem was the only scripts that would execute would be user logon scripts that are entered in the user's profile in AD Users and Computers. We wanted to have domain-level script processing happen, and the Cisco client doesn't give us that.

Also, if you connect with the Cisco client after you've already logged onto the computer (that is, you don't have the Connect before Logon option enabled), there is no mechanism for automatically launching logon scripts, and likewise there's no mechanism for auto-launching logoff scripts when you disconnect. The Microsoft RRAS Connection Manager has this capability, but I don't think it allows for domain script processing.

It's a tough one, and maybe nothing exists out there that will do this.

Failing that, can someone then at least point me in the direction of a technical explanation of how to implement ONE of the following:
- Authentication using user or machine certificates with Windows 2000 Certificate Services and either the Cisco 4.x client or the native Windows client (I have found numerous documents that describe parts of the process, but nothing that puts it all together for me, especially the usage of MSCEP on the Win2K Cert Server to allow processing of certificate requests by the PIX)
- Certificate authentication using PPTP bypassing the Cisco PIX entirely

Thanks,
David
I have never used certificates on the PIX. What I have done for a customer though is configure the PIX to use RADIUS for authentication and the customer just configured a RADIUS server on their file server to authenticate users. This works well.

I am not a windows expert but getting the PPTP passed through the PIX is easy you just define a static mapping from an external IP address to the IP address of the VPN server and then define an access-list to permit TCP port 1723 and GRE in. Let me know if you would like a configuration example.
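A configuration example of the kind grblades offers, added here as an illustration and not taken from grblades' post or from the asker's firewall: a PIX 6.3-style one-to-one static translation plus inbound access-list entries that let the PPTP control channel (TCP 1723) and the GRE tunnel traffic reach an internal RRAS server. The IP addresses, the access-list name `outside_in` and the assumption that the RRAS server sits on the inside interface are placeholders chosen for the example.

```cisco
! Added example, not the page's own configuration.
! Placeholders: 203.0.113.10 = one of the public addresses from the T-1 block,
!               192.168.1.10 = the Win2K RRAS server on the inside interface.
!
! One-to-one static: the public address is mapped permanently to the RRAS host,
! so the inbound ACL can reference a single host instead of the whole inside net.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

! PPTP control channel: TCP port 1723 to the RRAS server only.
access-list outside_in permit tcp any host 203.0.113.10 eq 1723
! PPTP data channel: GRE (IP protocol 47) has no ports, so the entry is
! restricted by destination host rather than by port.
access-list outside_in permit gre any host 203.0.113.10

! Bind the ACL inbound on the outside interface.
access-group outside_in in interface outside
```

Two points a practitioner would check before applying this to a production PIX: an interface accepts only one inbound access-group, so on a "fully-configured firewall" the two `permit` lines must be added to whichever access-list is already bound to `outside` rather than applied as a new list (which would replace the existing one and its rules); and a newly added `static` does not need a reboot, only a `clear xlate` so that existing translations are rebuilt. PIX 6.3 also has `fixup protocol pptp 1723`, which tracks the GRE call ID when the RRAS server is reached through PAT instead of a one-to-one static; with the static above it is not required. Because remote users come from arbitrary cable and DSL addresses the source has to stay `any`, so what actually protects the exposed service is the authentication strength configured on RRAS (the EAP-TLS or certificate-based option the asker is considering), not the firewall rule.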
SOLUTION
Tim Holman (United Kingdom)
[solution text is members-only and not included on this page]

ddameo (ASKER)
Sorry for the delay in responding. Family issues and client issues all at once make for no time to check EE!

To grblades: Yes, I had set up the PIX to use RADIUS authentication on a Win2K server, and that worked okay. You don't get any real domain policy processing because RADIUS is a generic protocol, not a MS-specific one. I got PPTP to go through the PIX with no problem -- as you said, it's just a matter of setting up ACLs to pass the appropriate TCP and IP traffic through. I appreciate your offer, but I got that working with no problem.

To tim_holman: You're partially right about the Cisco client -- it meets most, but not all, of our must-haves. Specifically, there is no mechanism for auto-running logoff scripts. Also, in order to use the Windows 2000 Certificate Services we had to buy the Resource Kit and load the MSCEP utility so it could process cert requests from the PIX. The MSCEP utility, however, requires a standalone Cert Server. Ours was an Enterprise Cert Server. Anyway, from what I've seen, the management of the certificates becomes a chore and more than my client was willing to invest in. Finally, the VoIP latency was a deal-breaker. Unbeknownst to me, our remote user (the Cisco VPN guinea pig) was having severe VoIP problems with the Cisco client -- upwards of 25 minutes for the thing even to connect and get its IP address via DHCP. With the built-in Windows XP client, it took seconds and the connection has been solid.

In short, I've muddled my way through literally hundreds of documents from MS TechNet, Knowledgebase, and product CDs and the Cisco TAC site and have finally decided to go with an all Microsoft solution. I've set our Certificate Server back to being an Enterprise CA, and only have to determine how certificate requests get passed through the PIX (I may not have to do anything).

I'll update this question within the next couple of days and will award partial points at that time.
Let us know if we can be of any further help - I'm pretty sure we could get the VoIP problems ironed out with the Cisco solution, but if you've gone with M$, then probably little point barking up this tree...
ddameo (ASKER)
I agree -- I'm sure the VoIP problems are simply a configuration issue. At this point, the client wants a reasonably secure VPN up and running with minimal maintenance going forward. (They don't want to spend $$$ on me each time a new user is added.) With the IPSec (MPE? I can't remember the acronym right now), I think the security should be acceptable with MS PPTP.

Thanks for your help. This is my first question on EE, so I'll figure out the points thing later tonight. I never got an exact answer to my question, but you did reinforce the VoIP thing, so I'm inclined to give you at least partial points.
If you need 'administrative' help, there's a FAQ in the Help section (top right hand corner of this page), and moderators can be reached via the Support link next to it.  :)
ddameo (ASKER)
Thanks. I briefly read it once before, but I want to make sure I do it right. I appreciate your help.
ddameo (ASKER)

Well, no one actually solved my problem, although Tim did point out the 'Start Before Login' option on the Cisco client, which I already knew about. In the end, I realize that my client can't have everything they want, so we're reduced to using a garden variety Microsoft PPTP VPN with the built-in Windows 2000 & XP client. We've added IPSec authentication, which was tricky to implement until I figured out the correct way of remotely issuing a client certificate from the Windows 2000 Enterprise Certificate Authority. My final problem is that I can't authenticate using a CMAK-generated connectoid (CMAK being the Windows 2000 RRAS (Routing and Remote Access) Connection Manager Authentication Kit, for those who don't know). I suspect it's encrypting the password, even though I've told it not to. But that's an issue for another question.

Thanks to all. I'll split points even though no one solved my problem, because I'm feeling generous in the spirit of Christmas.