Freigeben über


Extranet for Business Partners

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Extranet for business partners

The network administrator for Electronic, Inc. has created an extranet, a portion of the Electronic, Inc. private network that is available to business partners through secured VPN connections. The Electronic, Inc. extranet is the network attached to the Electronic, Inc. VPN server and contains a file server and a Web server. Parts distributors Tasmanian Traders and Parnell Aerospace are Electronic, Inc. business partners and connect to the Electronic, Inc. extranet by using on-demand, router-to-router VPN connections. An additional access policy is used to ensure that the business partners can only access the extranet file server and Web server.

The file server on the Electronic, Inc. extranet is configured with an IP address of 172.31.0.10, and the Web server is configured with an IP address of 172.31.0.11. Tasmanian Traders uses the public network ID of 131.107.254.0 with a subnet mask of 255.255.255.0. Parnell Aerospace uses the public network ID of 131.107.250.0 with a subnet mask of 255.255.255.0. To ensure that the extranet Web server and file server can reach the business partners, static routes are configured on the file server and Web server for each of the business partner networks that use the gateway address of 172.31.0.1

To simplify configuration, the VPN connection is a one-way initiated connection. The connection is always initiated by the business partner router. For more information, see One-way initiated demand-dial connections.

The following illustration shows the Electronic, Inc. VPN server that provides extranet connections for business partners.

Extranet connections for business partners

To deploy business partner, on-demand, one-way initiated, router-to-router VPN connections to connect Tasmanian Traders and Parnell Aerospace to the Electronic, Inc. extranet based on the settings configured in Common configuration for the VPN server, the following additional settings are configured.

Domain configuration

For the VPN connection to Tasmanian Traders, the user account PTR_Tasmanian is created with the following settings:

  • Password of Y8#-vR7?]fI.

  • For the dial-in properties on the PTR_Tasmanian account, the remote access permission is set to Control access through Remote Access Policy.

  • For the account properties on the PTR_Tasmanian account, the Password never expires account option is enabled.

  • The PTR_Tasmanian account is added to the VPN_Partners group.

For the VPN connection to Parnell Aerospace, the user account PTR_Parnell is created with the following settings:

  • Password of W@8c^4r-;2\.

  • For the dial-in properties on the PTR_Parnell account, the remote access permission is set to Control access through Remote Access Policy.

  • For the account properties on the PTR_Parnell account, the Password never expires account option is enabled.

  • The PTR_Parnell account is added to the VPN_Partners group.

Routing configuration

In order for traffic to be sent back to the Tasmanian Traders and Parnell Aerospace business partners, additional routes are added to the routing tables on the file server and Web server computers. On both computers, the following commands were issued at the Windows Server 2003 command prompt.

  • route -p add 131.107.254.0 mask 255.255.255.0 172.31.0.1

  • route -p add 131.107.250.0 mask 255.255.255.0 172.31.0.1

Remote access policy configuration

To define the authentication and encryption settings for business partner VPN connections, the following remote access policy is created:

  • Policy name: VPN Partners

  • Conditions:

    • NAS-Port-Type is set to Virtual (VPN)

    • Windows-Groups is set to VPN_Partners

    • Called-Station-ID is set to 207.209.68.1

  • Permission is set to Grant remote access permission

  • Profile settings:

    • Authentication tab: Extensible Authentication Protocol is enabled and Smartcard or other certificate (TLS) is configured to use the installed computer certificate (also known as the machine certificate). Microsoft Encrypted Authentication version 2 (MS-CHAP v2) is also enabled.

    • Encryption tab: Strong and Strongest are the only options that are selected.

Demand-dial interface configuration

To connect the Tasmanian Traders router to the Electronic, Inc. VPN server by using a router-to-router VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface Wizard with the following settings:

  • Interface name

    PTR_Tasmanian

  • Connection type

    Connect using virtual private networking (VPN) is selected.

  • VPN type

    Point to Point Tunneling Protocol (PPTP) is selected.

  • Destination address

    Leave blank.

  • Protocols and security

    The Route IP packets on this interface check box is selected.

  • Dial-out credentials

    • User name: none

    • Domain: none

    • Password: none

    • Confirm password: none

Note

  • The destination address is left blank, and the user name is set to "none" because this demand-dial interface is never used to initiate the connection. The business partner always initiates the connection to the Electronic, Inc. VPN server.

To connect the Parnell Aerospace router to the Electronic, Inc. VPN server by using a router-to-router VPN connection over the Internet, a demand-dial interface is created by using the Demand-Dial Interface Wizard with the following settings:

  • Interface name

    PTR_Parnell

  • Connection type

    Connect using virtual private networking (VPN) is selected.

  • VPN type

    Point to Point Tunneling Protocol (PPTP) is selected.

  • Destination address

    Leave blank.

  • Protocols and security

    The Route IP packets on this interface check box is selected.

  • Dial-out credentials

    • User name: none

    • Domain: none Password: none

    • Confirm password: none

Note

  • The destination address is left blank and the user name is set to "none" because this demand-dial interface is never used to initiate the connection. The business partner always initiates the connection to the Electronic, Inc. VPN server.

Static route for Tasmanian Traders

To make all locations at Tasmanian Traders reachable, the following static route is configured:

  • Interface: PTR_Tasmanian

  • Destination: 131.107.254.0

  • Network mask: 255.255.255.0

  • Metric: 1

Static route for Parnell Aerospace

To make all locations at Parnell Aerospace reachable, the following static route is configured:

  • Interface: PTR_Parnell

  • Destination: 131.107.250.0

  • Network mask: 255.255.255.0

  • Metric: 1

IP packet filter configuration

To confine the traffic from the Tasmanian Traders business partner to the file server and Web server, the following IP packet filters are configured on the PTR_Tasmanian demand-dial interface:

  • Input filters

    • Filter action: Deny all traffic except those listed below

    • Filter 1: Destination network IP address of 172.31.0.10 and subnet mask of 255.255.255.255

    • Filter 2: Destination network IP address of 172.31.0.11 and subnet mask of 255.255.255.255

  • Output filters

    • Filter action: Deny all traffic except those listed below

    • Filter 1: Source network IP address of 172.31.0.10 and subnet mask of 255.255.255.255

    • Filter 2: Source network IP address of 172.31.0.11 and subnet mask of 255.255.255.255

To confine the traffic from the Parnell Aerospace business partner to the file server and Web server, the following IP packet filters are configured on the PTR_Parnell demand-dial interface:

  • Input filters

    • Filter action: Deny all traffic except those listed below

    • Filter 1: Destination network IP address of 172.31.0.10 and subnet mask of 255.255.255.255

    • Filter 2: Destination network IP address of 172.31.0.11 and subnet mask of 255.255.255.255

  • Output filters

    • Filter action: Deny all traffic except those listed below

    • Filter 1: Source network IP address of 172.31.0.10 and subnet mask of 255.255.255.255

    • Filter 2: Source network IP address of 172.31.0.11 and subnet mask of 255.255.255.255

Note

  • The Called-Station-ID is set to the IP address of the Internet interface for the VPN server. Only tunnels initiated from the Internet are allowed. Tunnels initiated from the Electronic, Inc. intranet are not permitted. Electronic, Inc. users that require Internet access from the Electronic, Inc. intranet must go through the Electronic, Inc. proxy server (not shown), where Internet access is controlled and monitored.

For more information about the business partner router configuration, see:

Note

  • The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.