Connection Manager Administrator Kit (CMAK) to STREAMLINE VPN Client
The Connection Manager Administration Kit
(CMAK) allows you to create customized Dial-up Networking connectoids or ďdialersĒ
for your VPN users. There are many advantages to using the CMAK to create the
VPN connectoids. Some of these advantages include:
- Avoiding manual configuration
of the VPN connectoids
- VPN connectoids can be locked
down so that users can not implement dangerous security configurations,
such as split tunneling
- You can preconfigure Web Proxy
settings on the VPN client so that ISA Server firewall policy is enforced
on VPN clients
- With the help of the Phone Book
Service, you can automatically update VPN connectoids with up-to-date
phone numbers and VPN server addresses
- You can leverage the Routing
and Remote Access Quarantine features to protect your internal network by
incorporate script parameters into the CMAK connectoid
In this ISA Server 2000 VPN Deployment Kit
document weíll go over the basic CMAK components and how to configure a simple
but effective VPN connectoid you can distribute to users. Once the VPN user
receives the CMAK package, all he needs to do is double click on the CMAK
package file and it automatically installs the required files and the VPN
connectoid is placed on his desktop. Thereís no need for the user to follow
complex instructions on how to configure a VPN connectoid in order to connect
to the ISA Server firewall/VPN server.
three basic procedures required to create the package you distribute to your
- Install the Connection Manager
Administration Kit (CMAK) on one of your Windows Server 2003 computers
- Run the CMAK Wizard to create
the VPN connectoid
- Distribute the connectoid to
your VPN clients
Installing the Connection Manager
Administration Kit on the Windows Server 2003 Computer
following steps to install the CMAK on a Windows Server 2003 computer:
- Click Start and point to Control
Panel. Click Add or Remove
- In the Add or Remove Programs window, click the Add/Remove Windows Components button.
- On the Windows Components Wizard page (figure 1), select the Management and Monitoring Tools
entry and click the Details
- In the Management and Monitoring Tools dialog box (figure 2), put a
checkmark in the Connection Manager
Administration Kit checkbox, then click OK.
- Click Next in the Windows
Components dialog box. You may be asked to provide files from the
Windows Server 2003 CD-ROM. If so, provide the Wizard with the location of
the i386 folder from the Windows Server 2003 media. Then continue with the
- Click Finish on the Completing
the Windows Components Wizard page.
Using the CMAK to Create a VPN
You can now
run the CMAK Wizard to create a new connection object (connectoid). Perform the
following steps to create a simple VPN connectoid that you can distribute to
- Click Start and point to Administrative
Tools. Click on Connection
Manager Administration Kit.
- On the Welcome to the Connection Manager Administration Kit Wizard
page (figure 3) you can click the Help
button to get comprehensive information on creating,
customizing and distributing Connection Manager Profiles (CMAK
connectoids). Click Next to
- You have the option to create a
new profile or edit an existing profile on the Service Profile Selection page (figure 4). We are creating a
new VPN client connectoid in this profile, so weíll select the New profile option. If you want to
make changes to the profile, you can return to the CMAK Wizard and edit an
existing profile by selecting the Existing
profile option. Click Next.
- You type in a name for the
connectoid in the Service name
text box on the Service and File
Names page (figure 5). This name will appear on the connectoid in the Network and Dial-up Connections
window. Make the name meaningful to the users who need to click on it to
connect to the ISA Server firewall/VPN server. In this example, weíll call
the connectoid Company VPN.
Type in a name for the executable file (.exe) file in the File name text box. The name of
the executable file must be 8 or fewer characters. Well call the file name
vpn1. Click Next.
- The Realm Name page (figure 6) allows you to add a realm name to
the user name. This is not required when you connect directly to the ISA
Server firewall/VPN server from a machine that has a dedicated network
connection to the Internet. It is helpful when your remote users need to
connect via a third party network access server that uses RADIUS to
transmit user network authentication credentials to your IAS Servers. In
this example we will not use a Realm
name, so we select the Do not add a
realm name to the user name option and click Next.
- You have the option to merge
previously configured Connection Manager Profiles with the one youíre
creating now on the Merging Profile
Information page (figure 7). This is helpful if you need to
incorporate information contained in other profiles (such as
network access numbers) into the current profile. We donít have any
previous profiles that contain information we can reuse. Click Next.
- The VPN Support page (figure 8) allows you to configure vital
information for your VPN
connectoid. We donít have a pre-existing phone book, so we need to create
a new one for this profile by putting a checkmark in the Phone book from this profile
checkbox. The phone book contains the address of the VPN server you want
users to call.
You have two options on the VPN Server name or IP Address frame:
- Always use the same VPN server
- Allow the user to choose a VPN server before
In this example we have a single ISA Server firewall/VPN
server, so we select the Always use the
same VPN server option. If you have multiple VPN servers that you want your
users to be able to choose from, select the Allow the user to choose a VPN server before connecting option. You
will need to provide a text file that contains a list of the VPN servers; click
the Help button on this page for
details on how to configure this text file. The Use the same user name and password for VPN and dial-up connections
checkbox allows your users to use the same name and password for any dial-up
connection that needs to be made before
the VPN link is established. We are creating a VPN-only connection profile in
this example, so we will not put a checkmark in this checkbox. Click Next.
- You configure TCP/IP and
Security settings of the connectoid on the VPN Entries page (figure 9). Select the Company VPN Tunnel (Default) entry from the list in the Virtual Private Network entries
frame and click the Edit
- The General tab (figure 10) is the first one you see in the Edit Virtual Private Network Entry
dialog box. Here you have the options:
Disable file and printer sharing
Enable clients to log on to the
You should not enable printer and file sharing on the VPN
connection unless you wish to share files and printers on the VPN client; note
that only Windows NT 4.0, Windows 2000 and Windows XP VPN clients are affected
by this setting. The Enable clients to
log on to a network entry only affects downlevel Windows clients, such as
Windows 95, Windows 98 and Windows ME VPN clients.
- Click the TCP/IP Settings tab in the Edit Virtual Private Networking Entry dialog box (figure 11).
In almost all cases, the VPN server assigns IP addressing
information to the VPN clients, so
the Server assigns addresses
option in the Client DNS and WINS
configuration frame is the most appropriate in almost all
A critical setting is the Make this connection the clientís default gateway. This option
forces the VPN client to use the VPN link to connect to all non-local networks
(all networks that VPN client is not directly connected to). This prevents the
VPN client that has not been configured as a Web Proxy and/or Firewall client
from connecting to the Internet. Requiring the VPN clients to use the VPN
interface as their default gateway prevents VPN clients from circumventing
firewall policy when connected to the network. If you disabled the Make this connection the clientís default
gateway, it would have the same effect as allowing users to connect modems
to their desktops to get around your firewall policy. Please refer to ISA Server 2000 VPN Deployment Kit document
Forcing Firewall Policy on VPN Clients
The Use IP header
compression entry improves performance.
- Click on the Security tab in the Edit Virtual Private Networking Entry
dialog box (figure 12). Click the down arrow in the Security settings drop down list box to see the security
options you have for this connectoid.
Use basic security settings only
option allows both downlevel and Windows 2000, Windows XP and Windows Server
2003 VPN clients to connect to the ISA Server firewall/VPN server using this
Use advanced security settings option
allows only Windows 2000, Windows XP and Windows Server 2003 VPN clients to
connect because the downlevel clients do not support the advanced security
Use both basic and advanced option
if you want both downlevel and Windows 2000. Windows XP and Windows Server 2003
VPN clients to connect with this connectoid.†
Secure networks typically donít allow downlevel clients to
connect via VPN, so in this example weíll select the Use advanced security settings option. You can create a second connectoid
(CMAK profile) that allows downlevel clients to connect with more restrictive
settings. Once you select the Use
advanced security settings option, only the Advanced security settings Configure button is enabled.
- You have a large number of
options on the Advanced Security
Settings dialog box (figure 13). The default settings are:
Require encryption, Microsoft CHAP (MS-CHAP)
Microsoft CHAP Version 2 (MS-CHAP
Try point to Point Tunneling
These settings provide a good level of security. However you
have many options in this dialog box and you should select those that meet your
own security requirements. For example, you could configure the VPN strategy as Only use Layer Two Tunneling Protocol (L2TP) and then configure a
certificate or a pre-shared key to create the IPSec security association. In
this example we use the default settings. Click Cancel in the Advanced
Security Settings dialog box.
- Click OK in the Edit Virtual
Private Network Entry dialog box. Click Next in the VPN Entries
- You can specify a phone book
file on the Phone Book page
(figure 14). Phone books are part of the Phone Book Administrator service.
Remove the checkmark from the Automatically
download phone book updates checkbox since we arenít running the Phone
book service. Click Next.
- You can configure updates to
the phone book file to be downloaded on the Phone Book Updates page (figure 15). We arenít using
centralized phone books, so click Next
without making any changes on this page.
- The Dial-up Network Entries page (figure 16) allows you to specify
parameters for the entries you have configured in the phone book for this
profile. We havenít configured any dial-up networking entries for this
profile because this profile is designed to support VPN clients that are
connected to ďalways onĒ networks, such as a hotel Ethernet or wireless
network. Click Next.
- You can define custom routing
table entries to be used by the VPN client on the Routing Table Update page (figure 17). The default setting is
to have the VPN client connect to all non-directly connected networks via
the VPN interface. However, if you do not configure the VPN client to use
the VPN connection as its default gateway, then you can create custom
routing table entries that allow the VPN client to access all subnets on
the internal network (or selected subnets on the internal network). We
donít require a custom routing table in this example, so weíll select the Do not change the routing tables
entry and click Next.
- You can use the settings on the
Automatic Proxy Configuration
page (figure 18) to force VPN clients to use the ISA Server firewall/VPN
server as its Web Proxy server. The VPN connectoid can be configured to
force the VPN client to be a Web Proxy client and enforce firewall policy
on the VPN client while connected to the internal network.
Select the Automatically
configure proxy settings option and type a path to a configuration file in
the Proxy settings file text box.
Youíll need to configure a text file containing the proper entries. Click the Help button on this page to see how to
configure the file.
The Restore the
usersí previous proxy settings after disconnecting option allows you to
restore the VPN clientís previous proxy settings after the VPN client
disconnects from the ISA Server firewall/VPN server. This is helpful if the VPN
clients need to use a particular Web proxy server on their local connection. In
this example we have created a proxy settings file named proxyconfig.txt using the sample provided in the Help file. Click Next to continue.
- On the Custom Actions page (figure 19), you can specify programs to
start automatically before, after or during the VPN connection. In this example
you can see the actions that have been configured for the Web proxy
settings based on what was entered in the Web proxy configuration file we
used in step 18. We will not use any other custom actions in this example,
so donít make any changes. Click Next.
- You can create a special graphic
that appears when the user opens the VPN connectoid. If you create a
custom graphic, make sure that its 330x140 pixels. We donít have a custom
graphic in this example, so leave the Default
graphic (figure 20) option as is and click Next.
- You can create a special
graphic that appears when the user opens the phone book (figure 21). If
you create a custom graphic, make sure that its 114x309 pixels. We donít
have a custom graphic in this example, so leave the Default graphic option as is and click Next.
- On the Icons page (figure 22) you can specify icons that you want to
display in the Connection Manager
user interface. We donít have any customer graphics in this example, so
leave the default Default icons
setting as it is and click Next.
- The Notification Area Shortcut Menu page (figure 23) allows you to
add items to the Connection Manager context menu in the icon it places in
the taskbar. We do not have any custom command we need to add. Click Next.
- The Help File page (figure 24) allows you to assign a custom Help
file to your users.† We do not have
a custom Help file in this example, so keep the default setting Default Help file option and click
- On the Support Information page (figure 25), type in a phone number
users can call for support in the Support
information text box. You can leave this box blank if you do not
have a support number for user to call. In this example weíll put the
phone number 1-800-555-0100 in
the text box.† Click Next.
- On the Connection Manager Software page (figure 26), you have the
option to install Connection Manager 1.3 on clients that do not already
have it installed on their machines. If the client already has the
software installed, no changes will be made on the computer. Leave this
option selected and click Next.
- You can create a custom License Agreement (figure 27) and
include that with the connectoid. We donít have a custom license agreement
in this example, so click Next
without making changes on this page.
- You can include additional
files in the connection manager profile in on the Additional Files page (figure 28). We donít have additional
files to include in this example, so click Next without making changes.
- On the Ready to Build the Service Profile page (figure 29), put a
checkmark in the Advanced
Customization checkbox. We need to access the advanced customization options because this is a VPN only
connectoid. This VPN only connectoid does not require a dial-up connection
to be established before the VPN connection. Click Next.
- On the Advanced Customization page (figure 30), ensure the name of
your executable appears in the File
name list box with the .cms
file extension. In the Section name
list box, select the Connect
Manager entry. In the Key name
list box, select the Dialup
entry. Put 0 in the Value text box. The executable
file will be compiled when you click Next.
- Make a note of where the self-installing
executable file is located on your local hard disk and then click the Finish button (figure 31).
- Open Windows Explorer (figure 32) and navigate to the directory
indicated on the last page of the Wizard. Note the vpn1.exe file. This is the executable file you distribute to
your users. You can put this file on a floppy, a CD-ROM or even an email
message for distribution. The user only needs to double click on the file
to install the VPN connectoid.
Installing the CMAK VPN Connectoid
on the VPN Clients
following steps on the VPN client to install the connectoid:
- The Connection Manager
executable file can be copied to the desktop (figure 33). Double click on
the Connection Manager executable file.
You can also install the executable using a log on script, Group Policy or via
a Web site link.
- Youíll see a dialog box with
the name you assigned to the VPN connectoid after double clicking on the
Connection Manager executable file,. Click Yes in response to the question Do you wish to install Company VPN? (figure 34)
- The next dialog box asked if
you want the connection available to all users of the computer, or just
the logged on user. For security reasons, the best option is to make the
connection only available to the logged on user. Select the My use only option (figure 35).
Put a checkmark in the Add a
shortcut on the desktop checkbox. Click OK.
- The connection dialog box
automatically opens (figure 36). Enter your user name and password. If you
are using domain based authentication, enter the Logon domain. Notice that help desk phone number appears in
this dialog box.
connectoid created by the connection manager is very convenient and it bypasses
a lot of problems you might run into when asking users to set up their own VPN
connectoids. The only drawback is that if you make a change to the connection
requirements, you need to redistribute a new connectoid. Fortunately, making
the changes is relatively simple in that you can re-run the CMAK and load the
Connection Manager Profile you already created and make the changes to the
existing profile. You can then redistribute the new connectoid via log on
script, disk, email or a Web page from where the users can download and install