Virtual Private Networks

A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link. Virtual private networking is the act of creating and configuring a virtual private network.

To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is a VPN tunnel or connection.

VPN connections allow users who work at home or while traveling to obtain a remote access connection to an organization server using the infrastructure provided by a public internetwork such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the computer, the VPN client, and an organization server (the VPN server). The exact infrastructure of the shared or public network is irrelevant, because it appears as if the data is sent over a dedicated private link.

VPN connections also allow organizations to have routed connections with other organizations over a public internetwork such as the Internet, while maintaining secure communications. For example, offices that are geographically separate can use VPN connections. A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.

Benefits of Co-locating VPN Functionality on a Forefront TMG Computer

By using the Forefront TMG computer as the VPN server, you protect your corporate network from the traffic of a compromised or misconfigured VPN client. Because the VPN server is integrated with the firewall, VPN users are subject to the Forefront TMG access policy. After a VPN connection is established, the VPN client belongs to the VPN Clients network and is allowed access to resources on the protected network only in accordance with the access rules you have defined for that network.

All VPN connections to the Forefront TMG computer are logged to the Firewall log, so VPN activity can be audited in the same place, and correlated with the same fields, as the rest of the firewall traffic.

Forefront TMG supports two VPN protocols for remote client access: Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol over IPsec (L2TP/IPsec).

In addition, IPsec tunnel mode is supported for site-to-site VPN connections. However, this option encapsulates IP traffic only. The primary reason for using IPsec tunnel mode is interoperability with routers and other non-Windows systems that support neither L2TP over IPsec nor PPTP.

Types of VPN Connections

There are two types of VPN connections: remote access VPN connections, in which a single client computer connects to the VPN server, and site-to-site VPN connections, in which two networks are joined through a routed connection between their VPN servers or routers.

VPN Components

A VPN includes the following components:

VPN and Multi-networking

When you configure the VPN, you can set aside a pool of static IP addresses for the VPN clients' computers. When a VPN client connects, it is assigned an IP address from this pool, and that address becomes part of the VPN Clients network for the duration of the connection.

In the multi-network environment supported by Forefront TMG, VPN users are added to the VPN Clients network.

Although the addresses assigned to VPN clients may lie within the address range of the local network, the clients are not treated as members of the local network and are not covered by the access policy you configured for it in Forefront TMG. To give them access to network resources, you must configure access rules that use the VPN Clients network as the source.

VPN Quarantine

The Forefront TMG VPN quarantine uses one of two Windows Server 2008 features, Network Access Protection (NAP) or Network Access Quarantine Control (NAQC), to prevent remote VPN clients from obtaining unrestricted access after authentication until the configuration of their systems has been examined.

NAP enforces health requirements by monitoring and assessing the health of client computers when they attempt to connect or communicate on a network. Client computers that are not in compliance with the health policy can be provided with restricted network access until their configuration is updated and brought into compliance with policy. NAP uses a Network Policy Server (NPS) to evaluate the health state of NAP clients. For more information about NAP, see Network Access Protection.

Configuring Forefront TMG to work with NAP includes the following tasks:

Forefront TMG can also use NAQC to prevent remote VPN clients from obtaining unrestricted access after authentication until the configuration of their systems has been examined by a server-provided script and validated as meeting the requirements of the organization's network policy. If the quarantine time-out period elapses before the configuration is validated, the connection to the remote VPN client is closed.

The VPN quarantine can be configured to operate in one of three modes using the QuarantineMode property.

When NAQC is used, clearing VPN clients from quarantine is enabled by installing the Remote Access Quarantine Agent service (Rqs.exe) on the Forefront TMG computer and the Remote Access Quarantine Client (Rqc.exe) on the VPN clients. The Remote Access Quarantine Agent service, which acts as the listener component, is installed together with Routing and Remote Access but is disabled by default. When you deploy NAQC, you must start the Remote Access Quarantine Agent service and change its startup type to automatic. The Remote Access Quarantine Client runs as the notification component on the remote client computer: after the quarantine script has verified the client configuration, it informs the listener on the Forefront TMG computer that the client complies with security policy.
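The following is an added example of the client side of this exchange; it is not part of the Forefront TMG documentation or of the NAQC components themselves. It is a quarantine script of the kind Connection Manager runs on the VPN client after the tunnel is up: it checks the client configuration and calls Rqc.exe only if every check passes, so a non-compliant client simply stays in quarantine and is disconnected when the time-out elapses. The policy checks (firewall state, Automatic Updates, an antimalware service) are illustrative, and the argument order for Rqc.exe and the Connection Manager variables in the comments are assumptions taken from the NAQC documentation as I recall it; verify them against your own profile before deploying.

```powershell
# Added example (not from the Forefront TMG documentation): client-side NAQC quarantine script.
# Connection Manager passes the connection details as arguments; the assumed mapping is
# %ServiceName% %TunnelRasEntry% 7250 %Domain% %UserName% <script version>.
param(
    [string]$ConnName,               # %ServiceName%
    [string]$TunnelConnName,         # %TunnelRasEntry%
    [int]$Port = 7250,               # TCP port of the RQS listener on the TMG computer
    [string]$Domain,                 # %Domain%
    [string]$UserName,               # %UserName%
    [string]$ScriptVersion = "1.0"   # must be a version string the RQS listener accepts
)

function Test-FirewallEnabled {
    # Windows Firewall exposes its current-profile state through the HNetCfg COM object.
    $mgr = New-Object -ComObject HNetCfg.FwMgr
    return [bool]$mgr.LocalPolicy.CurrentProfile.FirewallEnabled
}

function Test-AutomaticUpdatesEnabled {
    # NotificationLevel 3 = download and notify, 4 = scheduled installation.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    return ($au.Settings.NotificationLevel -ge 3)
}

function Test-RequiredService([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return ($svc -ne $null -and $svc.Status -eq 'Running')
}

function Get-QuarantineChecks {
    # One entry per policy requirement. 'WinDefend' is used here as a stand-in for
    # whatever antimalware service your policy requires (assumption).
    return @(
        @{ Name = 'Windows Firewall enabled';   Pass = Test-FirewallEnabled }
        @{ Name = 'Automatic Updates enabled';  Pass = Test-AutomaticUpdatesEnabled }
        @{ Name = 'Antimalware service running'; Pass = (Test-RequiredService 'WinDefend') }
    )
}

$results = Get-QuarantineChecks
foreach ($r in $results) {
    Write-Host ("{0,-32} {1}" -f $r.Name, $(if ($r.Pass) { 'OK' } else { 'FAIL' }))
}
$failed = @($results | Where-Object { -not $_.Pass })

if ($failed.Count -gt 0) {
    # Do not notify the listener: the client remains in the Quarantined VPN Clients
    # network and Forefront TMG closes the connection when the time-out elapses.
    Write-Warning "Client does not meet policy; remaining in quarantine."
    exit 1
}

# Every check passed: tell the RQS listener on the TMG computer to lift the quarantine.
& "$env:SystemRoot\system32\rqc.exe" $ConnName $TunnelConnName $Port $Domain $UserName $ScriptVersion
exit $LASTEXITCODE
```

Keep the checks and the script version under your control, not the user's: the listener trusts the notification, so anything that can run Rqc.exe with an accepted version string can clear itself from quarantine. The version strings the listener accepts are, as I recall, configured on the RQS service (the AllowedSet value under its registry key); confirm this in the NAQC documentation for your Windows Server version.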

You can configure Forefront TMG as an RQS listener by running the Remote Access Quarantine Tool, ConfigureRQSForTMG.vbs. This script creates an access rule that allows NAQC (RQS) traffic on port 7250 from the VPN Clients and Quarantined VPN Clients networks to the Local Host network. This access rule enables Forefront TMG to receive notifications from client computers. Additional steps must also be performed. For detailed instructions on implementing NAQC on Forefront TMG, see Configuring RQS/RQC based quarantine control.
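The following is an added example, not from the Forefront TMG documentation or from ConfigureRQSForTMG.vbs, of the server-side checks a practitioner would run on the Forefront TMG computer after the script has been executed: enable the Remote Access Quarantine Agent service as the text requires, confirm that something is actually listening on TCP 7250, and confirm that an enabled access rule allows the RQS protocol to the Local Host network. It assumes an elevated PowerShell session on the TMG computer, that the service name is rqs, and that the FPC.Root COM object and the policy-rule properties are as in the Forefront TMG administration object model as I recall it (the numeric values for the rule type and action enumerations are noted inline and should be verified against the SDK).

```powershell
# Added example (not from the Forefront TMG documentation): verify the RQS listener
# and the supporting access rule on the Forefront TMG computer.
$RqsPort = 7250

function Enable-RqsListener {
    # The service ships disabled; NAQC needs it started with an automatic startup type.
    Set-Service -Name 'rqs' -StartupType Automatic
    Start-Service -Name 'rqs'
    return ((Get-Service -Name 'rqs').Status -eq 'Running')
}

function Test-RqsPortListening([int]$Port = $RqsPort) {
    # Get-NetTCPConnection does not exist on Windows Server 2008, so parse netstat.
    $lines = netstat -an -p tcp | Where-Object { $_ -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING" }
    return [bool]$lines
}

function Get-RqsAccessRules {
    # Walk the array policy and return the enabled access rules that allow the RQS
    # protocol to the Local Host network, with their source networks.
    $root  = New-Object -ComObject 'FPC.Root'
    $array = $root.GetContainingArray()
    $found = @()
    foreach ($rule in $array.ArrayPolicy.PolicyRules) {
        if ($rule.Type -ne 0) { continue }              # 0 = fpcPolicyRuleAccess (assumption)
        if ($rule.Action -ne 0) { continue }            # 0 = fpcPolicyRuleActionAllow (assumption)
        $protos = @($rule.AccessProperties.SpecifiedProtocols | ForEach-Object { $_.Name })
        $dst    = @($rule.AccessProperties.DestinationSelectionIPs.Networks | ForEach-Object { $_.Name })
        if (($protos -contains 'RQS') -and ($dst -contains 'Local Host')) {
            $src = @($rule.SourceSelectionIPs.Networks | ForEach-Object { $_.Name })
            $found += New-Object PSObject -Property @{
                Name    = $rule.Name
                Enabled = $rule.Enabled
                Sources = ($src -join ', ')
            }
        }
    }
    return $found
}

# --- usage ---
if (-not (Enable-RqsListener)) { throw 'The rqs service did not start.' }
if (-not (Test-RqsPortListening)) { Write-Warning "Nothing is listening on TCP $RqsPort." }

$rqsRules = @(Get-RqsAccessRules | Where-Object { $_.Enabled })
if ($rqsRules.Count -eq 0) {
    Write-Warning 'No enabled access rule allows RQS to Local Host; run ConfigureRQSForTMG.vbs.'
} else {
    $rqsRules | Format-Table Name, Enabled, Sources -AutoSize
}
```

The rule check is deliberately narrow: it only reports allow rules whose destination is Local Host and whose protocol set names RQS, so a rule that accidentally opens port 7250 to a wider destination, or that lists the wrong source networks, shows up as missing or with unexpected Sources rather than passing silently.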

Alternatively, you can create a custom listener component that listens for messages from a matching notifier component running on quarantine-compatible remote access clients. These messages indicate that the scripts have run successfully. Then your listening component can use the MprAdminConnectionRemoveQuarantine function to remove the quarantine restrictions from the remote access connections.



Build date: 11/30/2009

© 2008 Microsoft Corporation. All rights reserved.