EE250 Final Year Project Implementation
This report describes the final year project implementation. The
chosen topic is a real-time Virtual Private Networking
implementation for Sun InfoSys Ltd.
By building a Virtual Private Network, I plan to meet the
company's current need to provide connectivity to its essential
resources: the Managing Director, Mr. S. Peter Andy, is always on
the move and needs to reach the company's resources from
various national and international venues, such as the UK and Taiwan,
when holding meetings and presentations with his suppliers in Taiwan.
He needs up-to-the-minute data on stock, current requirements,
current problems and sales figures.
In my view the possible methods to achieve the objective would
be:
• Virtual Private Networking using hardware based tools
and technologies.
• Virtual Private Networking using software based tools
and technologies.
1. Hardware Based Solutions:
Hardware based solutions are offered by a number of vendors,
Cisco being the most often mentioned, followed by SonicWall,
Shiva and many others. They come as VPN-enabled or VPN
pass-through routers, VPN concentrators, VPN-optimised routers
and VPN firewalls.
2. Software Based Solutions:
For software based solutions there are numerous products on
the market, covering almost any scenario. The advantage of a
software based solution is that it is highly customisable,
upgradeable and scaleable. The drawback is that it runs on a
general-purpose operating system and so shares that system's
exposure to outages, attacks, viruses and performance problems.
Software based solutions are best offered by the software
giant Microsoft (ISA Server), then Symantec, Check Point
Software, Cisco and many others.
Remote-Access VPN
Remote-access, also called a virtual private dial-up network
(VPDN), is a user-to-LAN connection used by a company whose
employees need to connect to the private network from various
remote locations. Normally, a company that wishes to set up a
large remote-access VPN will outsource it to an enterprise
service provider (ESP). The ESP sets up a network access server
(NAS) and provides the remote users with desktop client software
for their computers. The telecommuters can then dial a low-call
or free number (0800, 0500 etc.) to reach the NAS and use their
VPN client software to access the corporate network.
A good example of a company that needs a remote-access VPN
would be one with a lot of sales people in the field.
Remote-access VPNs permit secure, encrypted connections between
a company's private network and remote users through a
third-party service provider.
Site-to-Site VPN
A company can connect multiple fixed sites over a public network
such as the Internet. Site-to-site VPNs can be one of two types:
Intranet-based - If a company has one or more remote locations
that it wishes to join in a single private network, it can
create an intranet VPN to connect LAN to LAN.
Extranet-based - When a company has a close relationship with
another company (for example, a partner, supplier or customer),
it can build an extranet VPN that connects LAN to LAN and allows
all of the companies to work in a shared environment.
Project Plan
Start       End         Deliverable
17/02/2005  22/02/2005  Abstract
24/02/2005  24/02/2005  Introduction
25/02/2005  03/03/2005  The project proposal
04/03/2005  28/04/2005  The detailed design or investigations and results
29/04/2005  18/05/2005  Completion of Final Report
19/05/2005  20/05/2005  Web Site
20/05/2005  20/05/2005  Article
When talking about software based solutions, a point to note is
that they are all platform dependent. Hence they can incur
overhead costs and the expense of expertise for installation
and management. I chose ISA Server 2000 for this
implementation. I decided to show the work done with the help
of figures, to make each step that I took easier to understand.
The next steps were:
Performance needs of the remote applications
IP Address Planning
ISP Evaluation
Installing and configuring ISA Server 2000 on Windows Server
2003 for Remote VPN
Performance needs:
The applications used at Sun InfoSys Ltd. are SAGE, MS Office,
Internet Explorer, Microsoft Outlook, Microsoft Remote Desktop,
and the proprietary remote-viewing software for the IP cameras
and DVRs. The most resource-hungry applications are SAGE and the
IP camera and DVR remote-viewing software.
My analysis after actual testing is that these applications are
not incredibly resource hungry, yet are not basic either: they
are neither enterprise-class applications nor basic home
applications, but medium-level applications which require fairly
consistent, if not super fast, performance.
Because of the nature of the camera and DVR software, it needs
the highest frames per second and no dropped frames; if a frame
is dropped while a burglary is occurring, the evidence in that
frame could be lost. Therefore I decided that I should choose a
solution that provides consistency and a low error rate while
also delivering adequate speed and performance.
IP Address Planning:
Sun InfoSys Ltd. does not need a large number of IP addresses
from its ISP, because the network only needs to be reachable by
certain individuals, who can log on over the Internet.
In my investigation I found out that they need 5 static IP
addresses, which should be purchased from their ISP: one for the
remote connection capability, one for backup purposes, another
for network allotment, and the remaining two for future
requirements such as a Windows Media Server, as they are planning
to do web casting for some of their customers.
ISP Evaluation:
Sun InfoSys Ltd. is already on a business plan with an Internet
Service Provider called Eclipse Internet. The service provider is
excellent and already provides all the necessary broadband
capacity and bandwidth; the requested 5 static IP addresses were
readily provided by them. I did not find any need to move to
another ISP, as this ISP is excellent.
Installing and configuring ISA Server 2000 on Windows Server 2003
for Remote VPN:
I followed the excellent articles and help available in
abundance from Microsoft and on the Internet on how to install
and configure VPN on Microsoft Windows Server 2003.
I installed ISA Server 2000 because it was cheap, offered
everything that this project required and was fairly easy to
deploy.
Installation and Configuration of ISA Server 2000 on Windows
Server 2003
After careful study I found out that the following procedures
must be performed to install ISA Server 2000 on a Windows Server
2003 computer, and they must be in the following order:
1. Install Windows Server 2003
2. Install ISA Server 2000
3. Install ISA Server Service Pack 1
4. Install isahf255.exe (ISA Server 2000 hotfix 255)
5. Install Feature Pack 1
Installing Windows Server 2003
ISA Server 2000 can be installed in one of three modes:
Cache Mode
A caching-mode ISA Server is designed to have one or two network
interfaces. Each interface must be located on the internal
network, because packet filtering is not enforced on a
caching-only ISA Server machine, so it cannot be exposed
directly to the Internet.
Firewall Mode
Firewall mode provides a high level of firewall protection from
external intruders and also protects your network by enabling
granular outbound access control. Firewall mode does not include
the Web caching features that are part of Cache mode.
Integrated Mode
Integrated mode provides all the firewall and caching features
available with ISA Server 2000.
The “Windows Server 2003” server machine that I was using for
VPN deployment had to have the following characteristics:
At least two network interfaces – one internal and one external
DNS setting on the internal interface pointing to an internal
DNS server that can resolve Internet host names
All non-essential services on the ISA Server 2000 machine
disabled
An Integrated mode ISA Server firewall requires at least one
internal and one external interface.
The internal interface is never configured with a default
gateway address. The IP address on the internal interface is
always on the LAT.
The external interface is configured with a default gateway that
routes packets to the Internet. The external interface is never
on the LAT.
Windows Server 2003, like Windows 2000, allows a single default
gateway. The result is that ISA Server 2000 on Windows Server
2003 supports a single external (Internet) interface. I can have
multiple public-address DMZ interfaces, but only a single
interface can connect the internal network to the Internet.
The DNS settings on the ISA Server interfaces must be configured
correctly. The preferred setup is to:
Configure the internal interface of the ISA Server with the
address of a DNS server on the internal network that is capable
of resolving Internet host names.
Place the internal interface at the top of the interface list.
Windows Server 2003 uses the interface order to determine which
name server addresses to query first.
Do not enter a DNS server address on the external interface.
I had to perform the following steps to configure the interface
order on the ISA Server computer:
Clicked Start, pointed to Control Panel and right-clicked
Network Connections. Clicked the Open command (figure 1).
In the Network Connections window, clicked the Advanced menu and
then clicked the Advanced Settings command (figure 2).
In the Advanced Settings dialog box, selected the internal
interface and clicked the up arrow to move it to the top of the
interface list. Clicked OK in the Advanced Settings dialog box
after making the changes to the interface order.
Install ISA Server 2000
I located the ISA Server 2000 CD-ROM and put it into the CD-ROM
drive, then performed the following steps to install ISA Server
on the Windows Server 2003 machine:
Double-clicked the ISAAutorun.exe file on the ISA Server CD
(figure 4), local hard disk, or network share.
Clicked the Install ISA Server link on the Internet Security &
Acceleration Server 2000 splash page.
I saw an ISA 2000 dialog box informing me that I needed to
install ISA 2000 Service Pack 1 (figure 6). Error messages
occurred during the installation. I was not concerned about these
errors, as I would perform the required procedures to prevent
them from becoming a problem. Clicked Continue.
Clicked Continue on the Welcome to the Microsoft ISA Server
installation program page.
Entered the CD Key in the CD Key dialog box and clicked OK.
Wrote down the Product ID as listed in the Product ID dialog box,
then clicked OK.
Clicked I Agree in the Microsoft ISA Server Setup dialog box.
Clicked the Full Installation button in the installation type
dialog box (figure 10). This allowed me to use all ISA Server
features; I can use the Add/Remove Programs applet later if I
need to remove some of them.
Selected the Integrated mode option on the Select the mode for
this server page (figure 12), as I wanted to take advantage of
the full power of the ISA Server firewall. Integrated mode gives
everything the Web Proxy and Firewall services have to offer.
Clicked Continue.
On the Web cache page, selected a drive to put the Web cache
file on. The drive had to be NTFS, so I made sure of that. Typed
a size for the cache in the Cache size (MB) text box, clicked the
Set button, then clicked OK.
On the LAT page, clicked the Construct Table button. On the Local
Address Table page, removed the checkmark from the Add the
following private ranges checkbox and put a checkmark in the Add
address ranges based on the Windows 2000 Routing Table checkbox.
Removed the checkmark from the checkbox representing the external
interface and left the checkmark in the checkbox for the internal
interface. Clicked OK in the Local Address Table dialog box, then
clicked OK in the Setup Message dialog box that informed me that
the LAT was constructed based on the Windows 2000 routing table
(in spite of the fact that I was installing ISA Server on a
Windows Server 2003 machine).
Clicked OK on the LAT dialog box after reviewing the Internal IP
ranges list.
When installation was complete, I saw a warning balloon informing
me that ISA 2000 would cause Windows to become unstable. Closed
the balloon, removed the checkmark from the Start ISA Server
Getting Started Wizard checkbox, and then clicked OK in the
Launch ISA Management Tools dialog box.
Clicked OK in the dialog box informing me that setup was
completed.
Clicked OK in the dialog box informing me that setup had failed
to start one or more services.
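The placement rules given earlier (the internal interface has no default gateway and is always on the LAT, the external interface carries the default gateway and is never on the LAT, DNS servers only on the internal interface, internal interface first in the binding order) and the LAT construction step just described can be checked mechanically rather than by eye. The Python script below is an added example for this report, not Microsoft's code and not anything from the Sun InfoSys deployment; the interface names, addresses, DNS server and routing table in it are constructed sample data, and skipping the default, loopback, multicast and /32 host routes when building the LAT is a simplification assumed here. It builds the LAT from a routing table the way the wizard does when the external interface is unticked, then audits a configuration against the rules, and also shows what gets flagged when the external interface is left ticked or a default gateway is put on the internal interface.

```python
"""Interface placement rules for an Integrated-mode ISA Server 2000 firewall
and the LAT built from the routing table with the external interface unticked.
Added example for this report, not Microsoft's or the project's code; every
name, address and route below is constructed sample data (assumption)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple


@dataclass
class Interface:
    name: str
    address: str                       # address with prefix, e.g. "192.168.1.1/24"
    external: bool                     # True only for the Internet-facing interface
    default_gateway: Optional[str] = None
    dns_servers: Tuple[str, ...] = ()


@dataclass
class Route:
    destination: str                   # route destination as a network
    interface: str                     # interface the route is bound to


def build_lat(routes: Iterable[Route], interfaces: Iterable[Interface],
              exclude_external: bool = True) -> List[ipaddress.IPv4Network]:
    """'Add address ranges based on the routing table': each route bound to a
    ticked interface contributes its destination. exclude_external mirrors
    unticking the external interface; leaving it ticked is the classic mistake
    that puts Internet addresses on the LAT. Default, loopback, multicast and
    /32 host routes are skipped (simplification of this example)."""
    skip = {i.name for i in interfaces if i.external} if exclude_external else set()
    nets = []
    for route in routes:
        if route.interface in skip:
            continue
        net = ipaddress.ip_network(route.destination, strict=False)
        if net.prefixlen in (0, 32) or net.is_loopback or net.is_multicast:
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def on_lat(address: str, lat: Sequence[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in lat)


def check_placement(interfaces: Sequence[Interface], lat: Sequence[ipaddress.IPv4Network],
                    binding_order: Sequence[str]) -> List[str]:
    """One finding per violated rule; an empty list means the rules hold."""
    findings = []
    internals = {i.name for i in interfaces if not i.external}
    if sum(i.external for i in interfaces) != 1:
        findings.append("exactly one external (Internet) interface is supported")
    for iface in interfaces:
        ip = iface.address.split("/")[0]
        subnet = ipaddress.ip_network(iface.address, strict=False)
        if iface.external:
            if iface.default_gateway is None:
                findings.append(f"{iface.name}: external interface has no default gateway")
            if iface.dns_servers:
                findings.append(f"{iface.name}: DNS servers must not be set on the external interface")
            if any(subnet.overlaps(net) for net in lat):
                findings.append(f"{iface.name}: external subnet {subnet} overlaps the LAT")
        else:
            if iface.default_gateway is not None:
                findings.append(f"{iface.name}: internal interface must not have a default gateway")
            if not on_lat(ip, lat):
                findings.append(f"{iface.name}: internal address {ip} is not on the LAT")
            if not iface.dns_servers or not all(on_lat(d, lat) for d in iface.dns_servers):
                findings.append(f"{iface.name}: needs a DNS server on the internal network")
    if internals and binding_order and binding_order[0] not in internals:
        findings.append(f"binding order: {binding_order[0]} is first; the internal interface must be")
    return findings


def audit(interfaces, routes, binding_order, exclude_external=True) -> Tuple[List[str], List[str]]:
    """Build the LAT, then check the interfaces against it."""
    lat = build_lat(routes, interfaces, exclude_external)
    return [str(net) for net in lat], check_placement(interfaces, lat, binding_order)


# Constructed sample (assumption): one LAN, a branch subnet behind an internal
# router, and a public /29 from the ISP.
SAMPLE_INTERFACES = [
    Interface("Internal", "192.168.1.1/24", external=False, dns_servers=("192.168.1.10",)),
    Interface("External", "203.0.113.5/29", external=True, default_gateway="203.0.113.1"),
]
SAMPLE_ROUTES = [                      # shape of a Windows routing table, simplified
    Route("0.0.0.0/0", "External"),
    Route("127.0.0.0/8", "Loopback"),
    Route("192.168.1.0/24", "Internal"),
    Route("192.168.1.1/32", "Internal"),
    Route("10.10.0.0/16", "Internal"),
    Route("203.0.113.0/29", "External"),
    Route("224.0.0.0/4", "Internal"),
]
# The same machine with the report's rules broken.
MISCONFIGURED_INTERFACES = [
    Interface("Internal", "192.168.1.1/24", external=False, default_gateway="192.168.1.254"),
    Interface("External", "203.0.113.5/29", external=True, default_gateway="203.0.113.1",
              dns_servers=("203.0.113.2",)),
]

if __name__ == "__main__":
    print(audit(SAMPLE_INTERFACES, SAMPLE_ROUTES, ["Internal", "External"]))
    print(audit(SAMPLE_INTERFACES, SAMPLE_ROUTES, ["External", "Internal"], exclude_external=False))
    print(audit(MISCONFIGURED_INTERFACES, SAMPLE_ROUTES, ["Internal", "External"]))
```

Run as-is, the first audit returns the LAT 10.10.0.0/16 and 192.168.1.0/24 with no findings; the second shows the ISP's 203.0.113.0/29 leaking onto the LAT when the external interface is left ticked, plus the wrong binding order; the third flags the gateway on the internal interface and the DNS server on the external one. An external range on the LAT matters because ISA Server 2000 treats every LAT address as part of the internal network, which is why the wizard step unticks the external interface.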
The next step was to immediately install ISA Server Service Pack
1. Downloaded the Service Pack to a machine on the internal
network, scanned it for viruses, and then copied it to the ISA
Server. Performed the following steps after copying the service
pack to the ISA Server:
Double-clicked the isasp1.exe file. Typed a path for the
temporary files in the Choose Directory for Extracted Files
dialog box. Clicked OK.
Clicked I Agree in the End User License Agreement (EULA) dialog
box. Clicked OK in the Microsoft ISA Server 2000 Update Setup
dialog box. The computer restarted after that (that's normal).
This finished installing ISA Server Service Pack 1.
There are a few hotfixes and updates that I needed to install on
the Windows Server 2003/ISA Server machine to ensure ISA Server
compatibility with Windows Server 2003. I downloaded the hotfix
pack, isahf255.exe, to a machine on the internal network, scanned
it for viruses, and then copied it to the ISA Server. Performed
the following steps after copying the file to the ISA Server:
Double-clicked the isahf255.exe file. Clicked I Agree in the ISA
Server 2000 hot fix 255 (331062) dialog box.
Typed a path for the temporary files in the Choose Directory for
Extracted Files dialog box, then clicked OK.
Clicked I Agree in the EULA dialog box.
Clicked OK in the Microsoft ISA Server 2000 Update Setup dialog
box that informed me that the update was successfully applied.
I did need to restart the server. The next step was to install
Feature Pack 1.
Installing Feature Pack 1
Feature Pack 1 (FP1) is not required; I did not have to install
ISA Server Feature Pack 1 on the Windows Server 2003/ISA Server
machine. However, it is highly recommended, because it adds
several new and useful features. I downloaded ISA Server Feature
Pack 1 and installed it.
At this point the ISA Server was ready to use.