18.3.2020 • Cloud infrastructure, Information security
Corporate VPN using Microsoft offerings
Cloud technologies, such as Office 365, are great for many reasons. One of them is that they let people work from basically anywhere: the office, home, an airport, a hotel, a café and so on. But if an organization still has legacy applications that cannot be moved to the cloud, or securely published to the Internet so they can be used from anywhere, there is still a need to connect securely to those applications inside the corporate network.
In these cases there are several ways to provide secure access to those applications. With Microsoft solutions, this access can be given to remote users using different features. One is Remote Desktop Services servers in the on-premises network, providing virtual desktops and applications to users. Another, quite new, is the Windows Virtual Desktop feature, which provides those virtual desktop machines from the cloud.
While these features are great and (especially in the case of Windows Virtual Desktop) open up a number of interesting possibilities, there is also an older and familiar technology, VPN or Virtual Private Network, that can be set up securely and inexpensively using pure Microsoft technologies and existing hardware and licenses.
Using Windows Server as the VPN server makes it easy to set up and configure a VPN in a matter of hours with existing hardware, software and licenses. The only licenses needed are the Windows Server license for the actual VPN server(s) and Windows Server client access licenses, which an organization that already runs Windows Servers for other workloads, such as file servers or Active Directory, most likely has.
On the client side, in most cases all the software needed is already included in the client OS, so no additional software has to be installed; only configuration is needed on the client. This can be done manually, or by deploying the configuration, either as is or with a script, through Group Policy, SCCM, Intune or whatever system is used to manage the end-user devices.
A VPN solution built on Windows Server offers a range of choices in VPN protocols, authentication protocols, and the encryption method and strength used. The VPN protocol can be SSTP (SSL), IKEv2, L2TP or PPTP, or any combination of these. Authentication can be done with a username and password or with user or machine certificates, using authentication protocols such as PEAP or EAP, or the older (and not necessarily as secure) MS-CHAPv2 or PAP. Again, any combination can be configured to support a wide variety of end-user devices, not just Windows 10 machines. The user accounts can be in Active Directory or, if RADIUS is used for authentication, in basically any directory service that supports RADIUS authentication.
For encrypting the data transferred over the VPN, 128- or 256-bit AES can be used, or DES/3DES if needed for compatibility. The VPN server itself does not have to be state-of-the-art hardware; either a physical server or a VM can be used.
The number of CPU cores and the amount of RAM needed depend more on the required throughput than on the actual number of concurrent users; even a VM with 2-4 somewhat older AMD or Intel CPU cores and 2-4 GB of RAM can easily handle hundreds of megabits of traffic. If higher throughput is required, the server can be given more cores and RAM, or several servers can be deployed as a cluster, which also gives the system high availability and fault tolerance.
The high-level setup consists of the following tasks:
- Set up a Windows Server, either a hardware server or a VM
- Install the Remote Access role on the server
- Configure Routing and Remote Access for VPN use
- Configure the required VPN protocols
- Configure authentication settings
- Configure network settings for VPN connections
- Specify and configure a public DNS name to be used
- Obtain a certificate for the system (if needed)
- Install and configure the certificate (if needed)
- Configure user accounts to be allowed to use the VPN
- Configure client device settings, as a deployable package or script, or as documentation that end users can easily follow to configure the VPN on their own machines.
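As an added example (not the author's script or a Microsoft sample), the server-side and client-side steps above carried out with the RemoteAccess and VpnClient PowerShell modules. The host name vpn.example.com, the 10.200.0.0/24 client pool, the certificate subject and the user name are placeholders; limiting the server to SSTP and IKEv2 with EAP is a hardening choice on top of the list, not something it requires.

```powershell
# Added example: Windows Server RRAS VPN allowing only SSTP and IKEv2, EAP user
# authentication, AES-256 IPsec for IKEv2. Placeholders (assumptions):
# vpn.example.com, 10.200.0.0/24 pool, certificate subject, user 'jdoe'.
# Run steps 1-6 on the VPN server as an administrator.

# 1. Install the Remote Access role (VPN and routing components only).
Install-WindowsFeature DirectAccess-VPN, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn

# 2. Bind the public certificate (subject = public DNS name) to SSTP.
#    Assumes the certificate is already in the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=vpn.example.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Set-RemoteAccess -SslCertificate $cert

# 3. Protocols and addressing: keep SSTP and IKEv2 ports, set PPTP/L2TP ports
#    to 0 so those protocols cannot be negotiated (if a build rejects 0,
#    disable the WAN Miniport (PPTP/L2TP) devices in the RRAS console instead),
#    and hand out client addresses from a static pool.
Set-VpnServerConfiguration -Ikev2Ports 128 -SstpPorts 128 `
    -PptpPorts 0 -L2tpPorts 0 -Ipv4AddressRange '10.200.0.1', '10.200.0.254'

# 4. Custom IKEv2 IPsec policy: AES-256, SHA-256, 2048-bit DH and PFS.
Set-VpnServerConfiguration -TunnelType Ikev2 -CustomPolicy `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128
Restart-Service RemoteAccess

# 5. User authentication: accept EAP only (no PAP or MS-CHAPv2).
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP -PassThru

# 6. Grant a user dial-in permission (needs the ActiveDirectory module).
Set-ADUser -Identity 'jdoe' -Replace @{ msNPAllowDialin = $true }

# 7. Client side (Windows 10): SSTP over 443, EAP, maximum encryption,
#    full tunnel for all users of the device.
Add-VpnConnection -Name 'Corporate VPN' -ServerAddress 'vpn.example.com' `
    -TunnelType Sstp -AuthenticationMethod Eap -EncryptionLevel Maximum `
    -SplitTunneling:$false -RememberCredential -AllUserConnection
```

Step 7 is what a Group Policy, SCCM or Intune script would deploy to end-user devices; `Get-VpnServerConfiguration` and `Get-VpnAuthProtocol` on the server show the resulting settings for review.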
Step-by-step documentation for all these steps can be found in Microsoft's documentation and in several good blog articles on the Internet. If needed (either right away or as a later evolution of the environment), additional features can be configured. These include:
- Automatic single sign-on (SSO)
- Always-on functionality, which automatically opens the VPN connection when needed, when specified applications are used, or every time the device has a network connection
- Device compliance check
All in all, using Windows Server as the VPN solution in your network gives you a low-cost (few or no additional licenses are needed), secure and easy-to-deploy VPN solution.