Using the Connection Manager Administration Kit (CMAK) to Streamline VPN Client Configuration

 

The Connection Manager Administration Kit (CMAK) allows you to create customized Dial-up Networking connectoids or “dialers” for your VPN users. There are many advantages to using the CMAK to create the VPN connectoids. Some of these advantages include:

 

 

In this ISA Server 2000 VPN Deployment Kit document we’ll go over the basic CMAK components and how to configure a simple but effective VPN connectoid you can distribute to users. Once the VPN user receives the CMAK package, all he needs to do is double click on the CMAK package file and it automatically installs the required files and the VPN connectoid is placed on his desktop. There’s no need for the user to follow complex instructions on how to configure a VPN connectoid in order to connect to the ISA Server firewall/VPN server.

 

There are three basic procedures required to create the package you distribute to your VPN users:

 

 

Installing the Connection Manager Administration Kit on the Windows Server 2003 Computer

 

Perform the following steps to install the CMAK on a Windows Server 2003 computer:

 

  1. Click Start and point to Control Panel. Click Add or Remove Programs.
  2. In the Add or Remove Programs window, click the Add/Remove Windows Components button.
  3. On the Windows Components Wizard page (figure 1), select the Management and Monitoring Tools entry and click the Details button.

 

Figure 1 (Fig153)

 

  4. In the Management and Monitoring Tools dialog box (figure 2), put a checkmark in the Connection Manager Administration Kit checkbox, then click OK.

 

Figure 2 (Fig154)

 

  5. Click Next in the Windows Components dialog box. You may be asked to provide files from the Windows Server 2003 CD-ROM. If so, provide the Wizard with the location of the i386 folder from the Windows Server 2003 media. Then continue with the installation.
  6. Click Finish on the Completing the Windows Components Wizard page.

 

 

Using the CMAK to Create a VPN Connectoid

 

You can now run the CMAK Wizard to create a new connection object (connectoid). Perform the following steps to create a simple VPN connectoid that you can distribute to your users:

 

  1. Click Start and point to Administrative Tools. Click on Connection Manager Administration Kit.
  2. On the Welcome to the Connection Manager Administration Kit Wizard page (figure 3) you can click the Help button to get comprehensive information on creating, customizing and distributing Connection Manager Profiles (CMAK connectoids). Click Next to continue.

 

Figure 3 (Fig300)

 

  3. You have the option to create a new profile or edit an existing profile on the Service Profile Selection page (figure 4). We are creating a new VPN client connectoid in this profile, so we’ll select the New profile option. If you want to make changes to the profile, you can return to the CMAK Wizard and edit an existing profile by selecting the Existing profile option. Click Next.

 

Figure 4 (Fig155)

 

  4. Type a name for the connectoid in the Service name text box on the Service and File Names page (figure 5). This name will appear on the connectoid in the Network and Dial-up Connections window. Make the name meaningful to the users who need to click on it to connect to the ISA Server firewall/VPN server. In this example, we’ll call the connectoid Company VPN. Type a name for the executable (.exe) file in the File name text box. The name of the executable file must be 8 or fewer characters. We’ll call the file vpn1. Click Next.

 

Figure 5 (Fig156)

 

  5. The Realm Name page (figure 6) allows you to add a realm name to the user name. This is not required when you connect directly to the ISA Server firewall/VPN server from a machine that has a dedicated network connection to the Internet. It is helpful when your remote users need to connect via a third party network access server that uses RADIUS to transmit user network authentication credentials to your IAS Servers. In this example we will not use a Realm name, so we select the Do not add a realm name to the user name option and click Next.

 

Figure 6 (Fig157)

 

  6. You have the option to merge previously configured Connection Manager Profiles with the one you’re creating now on the Merging Profile Information page (figure 7). This is helpful if you need to incorporate information contained in other profiles (such as network access numbers) into the current profile. We don’t have any previous profiles that contain information we can reuse. Click Next.

 

Figure 7 (Fig158)

 

  7. The VPN Support page (figure 8) allows you to configure vital information for your VPN connectoid. We don’t have a pre-existing phone book, so we need to create a new one for this profile by putting a checkmark in the Phone book from this profile checkbox. The phone book contains the address of the VPN server you want users to call.

 

You have two options on the VPN Server name or IP Address frame:

 

    • Always use the same VPN server
    • Allow the user to choose a VPN server before connecting.

 

In this example we have a single ISA Server firewall/VPN server, so we select the Always use the same VPN server option. If you have multiple VPN servers that you want your users to be able to choose from, select the Allow the user to choose a VPN server before connecting option. You will need to provide a text file that contains a list of the VPN servers; click the Help button on this page for details on how to configure this text file. The Use the same user name and password for VPN and dial-up connections checkbox allows your users to use the same name and password for any dial-up connection that needs to be made before the VPN link is established. We are creating a VPN-only connection profile in this example, so we will not put a checkmark in this checkbox. Click Next.

 

Figure 8 (Fig159)

 

  8. You configure TCP/IP and Security settings of the connectoid on the VPN Entries page (figure 9). Select the Company VPN Tunnel (Default) entry from the list in the Virtual Private Network entries frame and click the Edit button.

 

Figure 9 (Fig160)

 

  9. The General tab (figure 10) is the first one you see in the Edit Virtual Private Network Entry dialog box. Here you have the options:

 

    • Disable file and printer sharing
    • Enable clients to log on to the network.

 

You should not enable file and printer sharing on the VPN connection unless you wish to share files and printers on the VPN client; note that only Windows NT 4.0, Windows 2000 and Windows XP VPN clients are affected by this setting. The Enable clients to log on to the network option only affects downlevel Windows clients, such as Windows 95, Windows 98 and Windows ME VPN clients.

 

Figure 10 (Fig161)

 

  10. Click the TCP/IP Settings tab in the Edit Virtual Private Networking Entry dialog box (figure 11). In almost all cases the VPN server assigns IP addressing information to the VPN clients, so the Server assigns addresses option in the Client DNS and WINS configuration frame is the most appropriate choice.

 

A critical setting is the Make this connection the client’s default gateway option. This option forces the VPN client to use the VPN link to connect to all non-local networks (all networks that the VPN client is not directly connected to). This prevents a VPN client that has not been configured as a Web Proxy and/or Firewall client from connecting to the Internet. Requiring the VPN clients to use the VPN interface as their default gateway prevents them from circumventing firewall policy while connected to the network. Disabling the Make this connection the client’s default gateway option would have the same effect as allowing users to connect modems to their desktops to get around your firewall policy. Please refer to the ISA Server 2000 VPN Deployment Kit document Forcing Firewall Policy on VPN Clients.

 

The Use IP header compression entry improves performance.

 

Figure 11 (Fig162)

 

  11. Click on the Security tab in the Edit Virtual Private Networking Entry dialog box (figure 12). Click the down arrow in the Security settings drop down list box to see the security options you have for this connectoid.

 

    • The Use basic security settings only option allows both downlevel and Windows 2000, Windows XP and Windows Server 2003 VPN clients to connect to the ISA Server firewall/VPN server using this connectoid.
    • The Use advanced security settings option allows only Windows 2000, Windows XP and Windows Server 2003 VPN clients to connect, because the downlevel clients do not support the advanced security settings.
    • The Use both basic and advanced option allows both downlevel and Windows 2000, Windows XP and Windows Server 2003 VPN clients to connect with this connectoid.

 

Secure networks typically don’t allow downlevel clients to connect via VPN, so in this example we’ll select the Use advanced security settings option. You can create a second connectoid (CMAK profile) that allows downlevel clients to connect with more restrictive settings. Once you select the Use advanced security settings option, only the Advanced security settings Configure button is enabled.

 

Figure 12 (Fig163)

 

  12. You have a large number of options on the Advanced Security Settings dialog box (figure 13). The default settings are:

 

    • Require encryption
    • Microsoft CHAP (MS-CHAP)
    • Microsoft CHAP Version 2 (MS-CHAP v2)
    • Try Point-to-Point Tunneling Protocol First

 

These settings provide a good level of security. However, you have many options in this dialog box and you should select those that meet your own security requirements. For example, you could configure the VPN strategy as Only use Layer Two Tunneling Protocol (L2TP) and then configure a certificate or a pre-shared key to create the IPSec security association. In this example we use the default settings. Click Cancel in the Advanced Security Settings dialog box.

 

Figure 13 (Fig164)

 

  13. Click OK in the Edit Virtual Private Network Entry dialog box. Click Next in the VPN Entries dialog box.
  14. You can specify a phone book file on the Phone Book page (figure 14). Phone books are part of the Phone Book Administrator service. Remove the checkmark from the Automatically download phone book updates checkbox since we aren’t running the Phone book service. Click Next.

 

Figure 14 (Fig301)

 

  15. You can configure updates to the phone book file to be downloaded on the Phone Book Updates page (figure 15). We aren’t using centralized phone books, so click Next without making any changes on this page.

 

Figure 15 (fig302)

 

  16. The Dial-up Network Entries page (figure 16) allows you to specify parameters for the entries you have configured in the phone book for this profile. We haven’t configured any dial-up networking entries for this profile because this profile is designed to support VPN clients that are connected to “always on” networks, such as a hotel Ethernet or wireless network. Click Next.

 

Figure 16 (Fig165)

 

  17. You can define custom routing table entries to be used by the VPN client on the Routing Table Update page (figure 17). The default setting is to have the VPN client connect to all non-directly connected networks via the VPN interface. However, if you do not configure the VPN client to use the VPN connection as its default gateway, then you can create custom routing table entries that allow the VPN client to access all subnets on the internal network (or selected subnets on the internal network). We don’t require a custom routing table in this example, so we’ll select the Do not change the routing tables entry and click Next.

 

Figure 17 (Fig166)

 

 

  18. You can use the settings on the Automatic Proxy Configuration page (figure 18) to force VPN clients to use the ISA Server firewall/VPN server as their Web Proxy server. The VPN connectoid can be configured to force the VPN client to be a Web Proxy client and enforce firewall policy on the VPN client while connected to the internal network.

 

Select the Automatically configure proxy settings option and type a path to a configuration file in the Proxy settings file text box. You’ll need to configure a text file containing the proper entries. Click the Help button on this page to see how to configure the file.

 

The Restore the users’ previous proxy settings after disconnecting option allows you to restore the VPN client’s previous proxy settings after the VPN client disconnects from the ISA Server firewall/VPN server. This is helpful if the VPN clients need to use a particular Web proxy server on their local connection. In this example we have created a proxy settings file named proxyconfig.txt using the sample provided in the Help file. Click Next to continue.

 

Figure 18 (Fig167)

 

  19. On the Custom Actions page (figure 19), you can specify programs to start automatically before, after or during the VPN connection. In this example you can see the actions that have been configured for the Web proxy settings based on what was entered in the Web proxy configuration file we used in step 18. We will not use any other custom actions in this example, so don’t make any changes. Click Next.

 

Figure 19 (Fig168)

 

  20. You can create a special graphic that appears when the user opens the VPN connectoid. If you create a custom graphic, make sure that it is 330x140 pixels. We don’t have a custom graphic in this example, so leave the Default graphic (figure 20) option as is and click Next.

 

Figure 20 (Fig303)

 

  21. You can create a special graphic that appears when the user opens the phone book (figure 21). If you create a custom graphic, make sure that it is 114x309 pixels. We don’t have a custom graphic in this example, so leave the Default graphic option as is and click Next.

 

Figure 21 (fig304)

 

  22. On the Icons page (figure 22) you can specify icons that you want to display in the Connection Manager user interface. We don’t have any custom graphics in this example, so leave the Default icons setting as it is and click Next.

 

Figure 22 (fig305)

 

  23. The Notification Area Shortcut Menu page (figure 23) allows you to add items to the context menu of the Connection Manager icon in the taskbar notification area. We do not have any custom commands we need to add. Click Next.

 

Figure 23 (fig306)

 

  24. The Help File page (figure 24) allows you to assign a custom Help file to your users. We do not have a custom Help file in this example, so keep the Default Help file option and click Next.

 

Figure 24 (fig307)

 

  25. On the Support Information page (figure 25), type in a phone number users can call for support in the Support information text box. You can leave this box blank if you do not have a support number for users to call. In this example we’ll put the phone number 1-800-555-0100 in the text box. Click Next.

 

Figure 25 (Fig169)

 

  26. On the Connection Manager Software page (figure 26), you have the option to install Connection Manager 1.3 on clients that do not already have it installed on their machines. If the client already has the software installed, no changes will be made on the computer. Leave this option selected and click Next.

 

Figure 26 (Fig170)

 

  27. You can create a custom License Agreement (figure 27) and include that with the connectoid. We don’t have a custom license agreement in this example, so click Next without making changes on this page.

 

Figure 27 (fig308)

 

  28. You can include additional files in the connection manager profile on the Additional Files page (figure 28). We don’t have additional files to include in this example, so click Next without making changes.

 

Figure 28 (fig309)

 

  29. On the Ready to Build the Service Profile page (figure 29), put a checkmark in the Advanced Customization checkbox. We need to access the advanced customization options because this is a VPN only connectoid. This VPN only connectoid does not require a dial-up connection to be established before the VPN connection. Click Next.

 

Figure 29

 

  30. On the Advanced Customization page (figure 30), ensure the name of your executable appears in the File name list box with the .cms file extension. In the Section name list box, select the Connection Manager entry. In the Key name list box, select the Dialup entry. Put 0 in the Value text box. The executable file will be compiled when you click Next.
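The customization in this step edits the INI-style .cms profile that CMAK compiles into the package. As an added example (not part of this document or of CMAK itself), the following Python script checks a built .cms for the VPN-only setting from this step and the default-gateway setting from the TCP/IP Settings tab before the package is distributed. Only the Dialup key comes from the walkthrough; the ServiceName, Tunnel and TunnelAddress keys and the [TCP/IP&Tunnel] Gateway_On_Remote setting are assumed from the CMAK profile format and should be confirmed against your own compiled .cms file.

```python
"""Pre-distribution check of a CMAK service profile (.cms, INI format).

Added example: verifies the VPN-only and default-gateway settings this
walkthrough configures. Key names other than Dialup are assumed from the
CMAK profile format; confirm them against your own compiled .cms.
"""
import configparser
from io import StringIO

# Constructed sample of the relevant sections of a built profile.
SAMPLE_CMS = """\
[Connection Manager]
ServiceName=Company VPN
Dialup=0
Tunnel=1
TunnelAddress=vpn.example.com

[TCP/IP&Tunnel]
Gateway_On_Remote=1
"""


def load_cms(text):
    """Parse .cms text; Windows INI keys are case-insensitive."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str.lower
    cp.read_file(StringIO(text))
    return cp


def get_value(cp, section, key, default=None):
    """Case-insensitive section lookup (configparser keeps section case)."""
    for name in cp.sections():
        if name.lower() == section.lower():
            return cp.get(name, key.lower(), fallback=default)
    return default


def check_vpn_only_profile(text):
    """Return a list of findings; an empty list means the profile matches the
    settings described in the walkthrough (VPN-only, tunnel forced as default
    gateway so the client cannot bypass firewall policy while connected)."""
    findings = []
    cp = load_cms(text)
    if get_value(cp, "Connection Manager", "Dialup") != "0":
        findings.append("Dialup must be 0: profile should not dial before the VPN link")
    if get_value(cp, "Connection Manager", "Tunnel") != "1":
        findings.append("Tunnel must be 1: profile must establish a VPN tunnel")
    if not get_value(cp, "Connection Manager", "TunnelAddress", ""):
        findings.append("TunnelAddress is empty: no VPN server configured")
    # Assumed key name for 'Make this connection the client's default gateway'.
    if get_value(cp, "TCP/IP&Tunnel", "Gateway_On_Remote") != "1":
        findings.append("Gateway_On_Remote should be 1: split tunneling would let "
                        "the client reach the Internet around the firewall")
    return findings


if __name__ == "__main__":
    for finding in check_vpn_only_profile(SAMPLE_CMS) or ["profile OK"]:
        print(finding)
```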

 

Figure 30 (Fig171)

 

  31. Make a note of where the self-installing executable file is located on your local hard disk and then click the Finish button (figure 31).

 

Figure 31 (Fig172)

 

  32. Open Windows Explorer (figure 32) and navigate to the directory indicated on the last page of the Wizard. Note the vpn1.exe file. This is the executable file you distribute to your users. You can put this file on a floppy, a CD-ROM or even an email message for distribution. The user only needs to double click on the file to install the VPN connectoid.

 

Figure 32 (Fig173)

 

 

Installing the CMAK VPN Connectoid on the VPN Clients

 

Perform the following steps on the VPN client to install the connectoid:

 

  1. The Connection Manager executable file can be copied to the desktop (figure 33). Double click on the Connection Manager executable file.

 

Note: You can also install the executable using a log on script, Group Policy or via a Web site link.

 

Figure 33 (Fig174)

 

  2. After double clicking on the Connection Manager executable file, you’ll see a dialog box with the name you assigned to the VPN connectoid (figure 34). Click Yes in response to the question Do you wish to install Company VPN?

 

Figure 34 (Fig175)

 

  3. The next dialog box asks if you want the connection available to all users of the computer, or just the logged on user. For security reasons, the best option is to make the connection available only to the logged on user. Select the My use only option (figure 35). Put a checkmark in the Add a shortcut on the desktop checkbox. Click OK.

 

Figure 35 (Fig176)

 

  4. The connection dialog box automatically opens (figure 36). Enter your user name and password. If you are using domain based authentication, enter the Logon domain. Notice that the help desk phone number appears in this dialog box.

 

Figure 36 (Fig177)

 

The VPN connectoid created by the connection manager is very convenient and it bypasses a lot of problems you might run into when asking users to set up their own VPN connectoids. The only drawback is that if you make a change to the connection requirements, you need to redistribute a new connectoid. Fortunately, making the changes is relatively simple in that you can re-run the CMAK and load the Connection Manager Profile you already created and make the changes to the existing profile. You can then redistribute the new connectoid via log on script, disk, email or a Web page from where the users can download and install the connectoid.