
EE250 Final Year Project Implementation

This report is about the final year project implementation. The chosen topic for this project is real time Virtual Private Networking implementation for Sun InfoSys Ltd.

By building a Virtual Private Network, I plan to cater to the company's current need of providing connectivity to its essential resources: the Managing Director, Mr. S. Peter Andy, is always on the move and needs to connect to the company's resources from various national and international venues, such as the UK and Taiwan, when holding meetings and presentations with his suppliers in Taiwan. He needs up-to-the-minute data about stock, current requirements, current problems and sales figures.

In my view the possible methods to achieve the objective would be:

•  Virtual Private Networking using hardware based tools and technologies.

•  Virtual Private Networking using software based tools and technologies.

1. Hardware Based Solutions: For hardware based solutions, various tools and devices are available from a number of vendors, Cisco being the most often mentioned, followed by SonicWall, Shiva and many others. These are VPN-enabled or VPN pass-through routers, VPN concentrators, VPN-optimised routers, VPN firewalls and the like.

2. Software Based Solutions: For software based solutions there are numerous products on the market, each catering to a particular kind of scenario. The good side of software based solutions is that they are very customisable, upgradeable and scalable. The bad side is that, because they run on a general-purpose operating system, they inherit its attack surface: they are prone to failures, attacks, viruses and performance issues.

Software based solutions are best offered by the software giant Microsoft (ISA Server), then Symantec, Check Point Software, Cisco and many others.

Remote-Access VPN

Remote-access, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Normally, a company that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a low-call or free number (0800, 0500 etc.) to reach the NAS and use their VPN client software to access the corporate network.

A good example of a company that needs a remote-access VPN would be a company with a lot of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

Site-to-Site VPN

A company can connect multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be one of two types:

Intranet-based - If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect LAN to LAN.

Extranet-based - When a company has a close relationship with another company (for example, a partner, supplier or customer), they can build an extranet VPN that connects LAN to LAN, and that allows all of the various companies to work in a shared environment.

Project Plan

Start        End          Task
17/02/2005   22/02/2005   Abstract
24/02/2005   24/02/2005   Introduction
25/02/2005   03/03/2005   The project proposal
04/03/2005   28/04/2005   The detailed design or investigations and results
29/04/2005   18/05/2005   Completion of Final Report
19/05/2005   20/05/2005   Web Site
20/05/2005   20/05/2005   Article

When talking about software based solutions, a point to note is that they are all platform dependent. Hence they can incur overhead costs and the expense of expertise for installation and management. I chose ISA Server 2000 for this implementation. I decided to show the work done, with figures, to better explain each step that I took. The next steps were:

•  Performance needs of the remote applications

•  IP Address Planning

•  ISP Evaluation

•  Installing and configuring ISA Server 2000 on Windows Server 2003 for Remote VPN

Performance needs:

The applications in use at Sun InfoSys Ltd. are SAGE, MS Office, Internet Explorer, Microsoft Outlook, Microsoft Remote Desktop, and the proprietary software for the IP cameras and DVRs. The most resource hungry applications are SAGE and the remote viewing software for the IP cameras and DVRs.

My analysis after actual testing is that these applications are not incredibly resource hungry, but neither are they basic: they are not enterprise class applications, nor are they basic home applications. They are medium level applications which require fairly consistent performance, if not super fast performance.

Because of the nature of the camera and DVR software, it needs the highest possible frame rate and no dropped frames: if a frame is dropped while a burglary is occurring, the evidence could be lost. Therefore I decided to choose a solution that provides consistency and few errors, while also delivering adequate speed and performance.

IP Address Planning:

Sun InfoSys Ltd. does not need a large number of IP addresses from an ISP, because the network only needs to be reachable by certain individuals, who can log in over the Internet.

In my investigation I found that they need 5 static IP addresses, to be purchased from their ISP: one for the remote connection capability, one for backup purposes, another for network allotment, and the remaining two for future requirements such as a Windows Media server, as they are planning to do web casting for some of their customers.

ISP Evaluation:

Sun InfoSys Ltd. is already on a business plan with an Internet Service Provider called Eclipse Internet. The service provider is excellent and already provides all the necessary broadband and bandwidth, and the requested 5 static IP addresses were readily provided by them. I did not find any need to move to another ISP, as this ISP is excellent.

Installing and configuring ISA Server 2000 on Windows Server 2003 for Remote VPN:

I followed the excellent articles and help available in abundance by Microsoft and on the internet on how to install and configure VPN on Microsoft Windows Server 2003.

I installed ISA Server 2000 because it was cheap, offered everything that this project required and fairly easy to deploy.

Installation and Configuration of ISA Server 2000 on Windows Server 2003

After careful study I found that the following procedures must be performed to install ISA Server 2000 on a Windows Server 2003 computer, and they must be in the following order:

1. Install Windows Server 2003

2. Install ISA Server 2000

3. Install ISA Server Service Pack 1

4. Install isahf255.exe

5. Install Feature Pack 1

Installing Windows Server 2003

ISA Server 2000 can be installed in one of three modes:

Cache Mode: A caching mode ISA Server is designed to have one or two network interfaces. Each interface must be located on the internal network, because packet filtering is not enforceable on a caching-only ISA Server machine.

Firewall Mode: Firewall mode provides a high level of firewall protection from external intruders and also protects the network by enabling granular outbound access control. Firewall mode does not include the Web caching features that are part of Cache mode.

Integrated Mode: Integrated mode provides all the firewall and caching features available with ISA Server 2000.

The “Windows Server 2003” server machine that I was using for VPN deployment had to have the following characteristics:

At least two network interfaces – one internal and one external

DNS setting on the internal interface uses an internal DNS server that can resolve Internet host names

All non-essential services on the ISA Server 2000 machine are disabled

An Integrated mode ISA Server firewall requires at least one internal and one external interface.

The internal interface is never configured with a default gateway address. The IP address on the internal interface is always on the LAT.

The external interface is configured with a default gateway that routes packets to the Internet. The external interface is never on the LAT.

Windows Server 2003, like Windows 2000, uses a single default gateway. The result is that ISA Server 2000 on Windows Server 2003 supports a single external (Internet) interface. I can have multiple public address DMZ interfaces, but only a single interface can connect the internal network to the Internet.

The DNS settings on the ISA Server interfaces must be configured correctly. The preferred setup is to:

•  Configure the internal interface of the ISA Server with the address of a DNS server on the internal network that is capable of resolving Internet host names.

•  Place the internal interface at the top of the interface list. Windows Server 2003 uses the interface order to determine which name server addresses to query first.

•  Do not enter a DNS server address on the external interface.
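As an added example that is not part of the report and not Microsoft's or ISA Server's own code, the following Python script encodes the interface rules above, together with the "construct the LAT from the routing table, external interface unticked" step used later during installation, as checks that can be run against a proposed configuration before the server is exposed. The interface names, addresses and routing-table rows are constructed sample data, not Sun InfoSys Ltd.'s real network.

```python
"""Checker for the ISA Server 2000 interface and LAT rules given above.

Added example, not code from the original report or from Microsoft: it
encodes the rules in the text (internal interface: no default gateway,
internal DNS, first in the binding order; external interface: default
gateway, no DNS, never on the LAT) and the installer's "construct the LAT
from the routing table with the external interface unticked" step.
Interface names, addresses and routes are constructed sample data.
"""
import ipaddress

# Constructed sample configuration (not Sun InfoSys Ltd.'s real addresses).
INTERFACES = {
    "Internal": {"ip": "192.168.1.2", "mask": "255.255.255.0",
                 "gateway": None, "dns": ["192.168.1.10"], "external": False},
    "External": {"ip": "203.0.113.10", "mask": "255.255.255.248",
                 "gateway": "203.0.113.9", "dns": [], "external": True},
}
BINDING_ORDER = ["Internal", "External"]   # Advanced Settings interface order

# Constructed routing-table rows: (destination, netmask, interface), as the
# Windows routing table would list them.
ROUTES = [
    ("0.0.0.0",     "0.0.0.0",         "External"),   # default route
    ("192.168.1.0", "255.255.255.0",   "Internal"),
    ("203.0.113.8", "255.255.255.248", "External"),
    ("127.0.0.0",   "255.0.0.0",       "Loopback"),
]


def check_interfaces(interfaces, order):
    """Return a list of violations of the interface rules; empty means OK."""
    problems = []
    for name, cfg in interfaces.items():
        if cfg["external"]:
            if cfg["gateway"] is None:
                problems.append(f"{name}: external interface needs a default gateway")
            if cfg["dns"]:
                problems.append(f"{name}: no DNS server addresses on the external interface")
        else:
            if cfg["gateway"] is not None:
                problems.append(f"{name}: internal interface must not have a default gateway")
            if not cfg["dns"]:
                problems.append(f"{name}: internal interface needs an internal DNS server")
    externals = [n for n, c in interfaces.items() if c["external"]]
    if len(externals) != 1:
        problems.append(f"exactly one external interface expected, found {len(externals)}")
    if not order or interfaces.get(order[0], {}).get("external", True):
        problems.append("interface order: the internal interface must be first in the binding order")
    return problems


def build_lat(routes, interfaces, exclude_external=True):
    """Construct the LAT from the routing table.

    With exclude_external=True this mirrors the installer option used in the
    text (routing-table ranges, external interface unticked). Default and
    loopback routes, and routes on interfaces ISA does not know about, are
    skipped.
    """
    lat = []
    for dest, mask, iface in routes:
        if iface not in interfaces:
            continue
        if exclude_external and interfaces[iface]["external"]:
            continue
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        if net.prefixlen == 0 or net.is_loopback:
            continue
        lat.append(net)
    return lat


def is_internal(ip, lat):
    """ISA treats an address as trusted/internal exactly when it is on the LAT."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in lat)


def check_lat(lat, interfaces):
    """Internal interface addresses must be on the LAT; external must not."""
    problems = []
    for name, cfg in interfaces.items():
        on_lat = is_internal(cfg["ip"], lat)
        if cfg["external"] and on_lat:
            problems.append(f"{name}: external interface address is on the LAT")
        if not cfg["external"] and not on_lat:
            problems.append(f"{name}: internal interface address is not on the LAT")
    return problems


if __name__ == "__main__":
    lat = build_lat(ROUTES, INTERFACES)
    print("LAT:", [str(n) for n in lat])
    print("interface problems:", check_interfaces(INTERFACES, BINDING_ORDER))
    print("LAT problems:", check_lat(lat, INTERFACES))
    # The failure mode: leaving the external interface ticked puts the public
    # subnet on the LAT, so Internet neighbours would be treated as internal.
    careless = build_lat(ROUTES, INTERFACES, exclude_external=False)
    print("203.0.113.12 internal?", is_internal("203.0.113.12", careless))
    print("LAT problems:", check_lat(careless, INTERFACES))
```

Running it with the external interface left in the routing-table selection shows why that checkbox matters: the public /29 lands on the LAT, and any neighbouring host on the ISP's subnet is then classed as internal by the firewall.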

I had to perform the following steps to configure the interface order on the ISA Server computer:

1. Clicked Start, pointed to Control Panel and right clicked on Network Connections. Clicked the Open command (figure 1).

2. In the Network Connections window, clicked the Advanced menu and then clicked the Advanced Settings command (figure 2).

3. In the Advanced Settings dialog box, selected the interface representing the internal interface and clicked the up arrow to move the internal interface to the top of the interface list. Clicked OK in the Advanced Settings dialog box after making the changes to the interface order.

Install ISA Server 2000

I located the ISA Server 2000 CD-ROM disc and put it into the CD-ROM drive, then performed the following steps to install ISA Server on a Windows Server 2003 machine:

1. Double clicked on the ISAAutorun.exe file on the ISA Server CD (figure 4), local hard disk, or network share point.

2. Clicked on the Install ISA Server link on the Internet Security & Acceleration Server 2000 splash page.

3. I saw an ISA 2000 dialog box informing me that I needed to install ISA 2000 Service Pack 1 (figure 6). Error messages occurred during the installation. I was not concerned about these errors, as I would perform the required procedures to prevent them from becoming a problem. Clicked Continue.

4. Clicked Continue on the Welcome to the Microsoft ISA Server installation program page.

5. Entered the CD Key in the CD Key dialog box and clicked OK.

6. Wrote down the Product ID as listed in the Product ID dialog box, then clicked OK.

7. Clicked I Agree in the Microsoft ISA Server Setup dialog box.

8. Clicked the Full Installation button in the installation type dialog box (figure 10). This allowed me to use all ISA Server features; I can use the Add/Remove Programs applet later if I need to remove some ISA Server features.

9. Selected the Integrated mode option on the Select the mode for this server page (figure 12). I wanted to take advantage of the full power of the ISA Server firewall, and Integrated mode gives everything the Web Proxy and Firewall services have to offer. Clicked Continue.

10. On the Web cache page, selected a drive to put the Web cache file on. The drive had to be NTFS, so I made sure of that. Typed a size for the cache in the Cache size (MB) text box and clicked the Set button, then clicked OK.

11. On the LAT page, clicked the Construct Table button. On the Local Address Table page, removed the checkmark from the Add the following private ranges checkbox and put a checkmark in the Add address ranges based on the Windows 2000 Routing Table checkbox. Removed the checkmark from the checkbox representing the external interface and left the checkmark in the checkbox for the internal interface. Clicked OK in the Local Address Table dialog box, then clicked OK in the Setup Message dialog box that informed me that the LAT was constructed based on the Windows 2000 routing table (in spite of the fact that I was installing ISA Server on a Windows Server 2003 machine).

12. Clicked OK on the LAT dialog box after reviewing the Internal IP ranges list.

13. When installation was complete, I saw a warning balloon informing me that ISA 2000 will cause Windows to become unstable. Closed the balloon, removed the checkmark from the Start ISA Server Getting Started Wizard checkbox, and then clicked OK in the Launch ISA Management Tools dialog box.

14. Clicked OK in the dialog box informing me that setup was completed.

15. Clicked OK in the dialog box informing me that setup had failed to start one or more services.

The next step was to immediately install ISA Server Service Pack 1. Downloaded the Service Pack to a machine on the internal network, scanned it for viruses, and then copied it to the ISA Server. Performed the following steps after copying the service pack to the ISA Server:

1. Double clicked on the isasp1.exe file. Typed a path for the temporary files in the Choose Directory for Extracted Files dialog box. Clicked OK.

2. Clicked I Agree in the End User License Agreement (EULA) dialog box. Clicked OK in the Microsoft ISA Server 2000 Update Setup dialog box. The computer restarted after that (that's normal). This finished installing ISA Server Service Pack 1.

There are a few hotfixes and updates that I needed to install on the Windows Server 2003/ISA Server machine to ensure ISA Server compatibility with Windows Server 2003. I downloaded the hotfix pack, isahf255.exe, to a machine on the internal network, scanned it for viruses, and then copied it to the ISA Server. Performed the following steps after copying the file to the ISA Server:

1. Double clicked on the isahf255.exe file. Clicked I Agree in the ISA Server 2000 hot fix 255 (331062) dialog box. Typed a path for the temporary files in the Choose Directory for Extracted Files dialog box, then clicked OK.

2. Clicked I Agree in the EULA dialog box. Clicked OK in the Microsoft ISA Server 2000 Update Setup dialog box that informed me that the update was successfully applied.

I did need to restart the server. The next step was to install Feature Pack 1.

Installing Feature Pack 1

Feature Pack 1 (FP1) is not required; I did not have to install ISA Server Feature Pack 1 on the Windows Server 2003/ISA Server machine. However, it is highly recommended because it adds several new and useful features. I downloaded ISA Server Feature Pack 1 and installed it.

At this point the ISA Server was ready to use.