Using the Connection Manager Administration Kit (CMAK) to Automate VPN Client Deployment
To assist administrators in the deployment of multiple VPN client configuration settings, Microsoft offers a tool called the Connection Manager Administration Kit (CMAK). This tool, installed as an option on a Windows Server 2003 system (or downloaded for older versions of the OS), allows for custom profiles to be generated and then easily distributed to VPN clients via an executable file.For example, the CMAK allows administrators to configure complicated VPN connection settings, such as protocol support, VPN server IP address, encryption methods, and more advanced options, and easily distribute them via email or other methods to clients. This greatly simplifies the deployment of a VPN infrastructure that uses ISA Server.NOTEIf L2TP/IPSec VPNs will be created, using the CMAK helps to automate the connection settings, but does not distribute necessary client certificates. Methods listed in previous sections of this chapter, such as web enrollment of certificates or, preferably, Active Directory autoenrollment, must be run in addition to the CMAK profiles, to allow clients to connect using L2TP/IPSec VPN tunnels.
Installing the Connection Manager Administration Kit (CMAK)
To setup CMAK, it must first be installed as a component on an internal server in the domain. It should not normally be set up on an ISA Server: It is not good practice to install unnecessary tools or services on an ISA Server itself. To install the CMAK, perform the following tasks on the internal member server.
|1.||Click Start, Control Panel, Add or Remove Programs.|
|2.||Click Add/Remove Windows Components.|
|3.||Scroll down and select the Management and Monitoring Tools component by clicking on the text of the box. Do not check the box or it installs all subcomponents. After it is selected (highlighted), click the Details button.|
|4.||Check the box labeled Connection Manager Administration Kit, as shown in Figure 9.26. Click OK to continue.|
Figure 9.26. Installing the Connection Manager Administration Kit (CMAK).
|5.||Click Next to continue.|
|6.||Insert the Windows Server 2003 CD if prompted and click OK.|
|7.||Click Finish to finalize the CMAK installation.|
Creating CMAK Profiles for Client Deployment Automation
After the CMAK is installed on a member server, individual, unique CMAK profiles can be compiled by running through the steps of a CMAK wizard. The wizard allows for a wide variety of options, but this example focuses on setting up CMAK for a simple VPN connection.
|1.||Open the CMAK (Start, Administrative Tools, Connection Manager Administra tion Kit).|
|2.||At the wizard start screen, click Next to continue.|
|3.||Select New Profile from the Service Profile Selection list and click Next to continue.|
|4.||Enter a name for the service, and a filename for the executable, such as what is shown in Figure 9.27. Click Next to continue.|
Figure 9.27. Creating a CMAK VPN profile.
|5.||Under the Realm name, select Do Not Add a Realm Name to the User Name (a realm name is not normally required, unless multiple ISPs are used for access), and click Next to continue.|
|6.||Under Merging Profile Information, the opportunity to import access numbers and existing phone book information from other profiles is available. For a new profile, leave the fields blank and click Next to continue.|
The subsequent dialog box, labeled VPN Support and shown in Figure 9.28, is critical. In it, the fully qualified domain name (FQDN) of the ISA Server or its public IP address can be entered and will be automatically set up when the profile is installed. In addition, an option to allow VPN users to choose from multiple servers is listed. This can prove valuable if setting up multiple VPN presences across different geographic areas, for example.
Figure 9.28. Entering VPN Support information into a CMAK Profile.
|1.||Check the box labeled Phone Book from this profile, and then enter the FQDN or public IP address of the ISA Server into the field labeled Always Use the Same VPN Server. Click Next to continue.|
|2.||Under the VPN Entries dialog box, press the New button to create a new entry.|
|3.||Enter a descriptive name for the entry under the General tab, and review the options under the TCP/IP Settings and Security tab.|
The General tab of the New VPN Entry dialog box has two additional options. The Disable File and Printer Sharing option, which affects only Windows NT, 2000, and XP systems, restricts clients from sharing files or printers while they are connected, which may be desired in some cases. The Enable Clients to Log On to a Network option affects only down-level Windows 9x clients, and is normally left checked.The Security tab of the VPN Entry dialog box, shown in Figure 9.29, is particularly important. This tab allows for the configuration of the type of protocol and encryption support the connection will utilize.
Figure 9.29. Examining the Security tab of the New VPN Entry dialog box.
Figure 9.30. Viewing Advanced Security Settings for an ISA VPN entry in CMAK.
The Custom Actions dialog box, shown in Figure 9.31, allows for custom batch files, executables, and other content to be executed upon connection. This provides for a range of capabilities, such as the running of scripts to provide for VPN Quarantine, described in detail in the next section of this chapter.
Figure 9.31. Adding custom actions to a CMAK Profile.
|1.||Click Next at the Custom Actions dialog box.|
|2.||Leave the default graphic as the one illustrated and click Next to continue.|
|3.||Leave the phone book graphic at the default and click Next to continue.|
|4.||Leave the default icons the same and click Next to continue.|
|5.||Notification area shortcuts provide for additional options to be added to the toolbar on the clients. Leave the default of no additional items and click Next.|
|6.||Use the default help file and click Next.|
|7.||For the Support Information field, enter information useful to the client, such as "For support, call 1-800-555-5555." Click Next to continue.|
|8.||The subsequent dialog box enables the Connection Manager client to be installed along with the profile. This may be necessary for some clients that do not have the updated software, so it is common to check this box. Click Next to continue.|
|9.||If a custom license agreement has been created, it can be entered in the subsequent dialog box. If not, click Next to continue.|
|10.||The Additional Files option allows for extra files to be included in the profile. These files may be necessary for certain functionality or login scripts to work properly, such as with VPN Quarantine scripts. Add any files as necessary, using the Add button as shown in Figure 9.32, and click Next to continue.|
Figure 9.32. Specifying additional files for a CMAK Profile.
|11.||Check the Advanced Customization option on the next dialog box and click Next to continue.|
As previously mentioned, this connection is for VPN access only, and is not being set up to dial any phone entries first. The Advanced Customization dialog box, shown in Figure 9.33, allows for this option to be set. To turn off the dial-up option, perform the following steps:
|1.||Under file name, select <nameofyourprofile>.cms, where nameofyourprofile is the executable name that was originally entered at the start of the wizard.|
|2.||Under section name, choose Connection Manager.|
|3.||Under Key name, choose Dialup.|
|4.||Under Value, enter the number 0.|
|5.||Click the Apply button to save the settings.|
|6.||Click Next to continue.|
|7.||Click Finish when the profile has been created and the Finish dialog box is displayed.|
Figure 9.33. Customizing the Advanced options of the CMAK Profile.
Deploying the Custom CMAK Profile on a Windows XP Client
After the custom CMAK profile has been compiled into an executable and made available to clients (through email, ftp, web download, or removable media), it can be installed and utilized. Installation of the executable is simple and straightforward, and involves the following steps:
|1.||From the client, and while logged in as a local administrator, double-click on the CMAK executable that was created by the CMAK.|
|2.||Click OK when asked if wanting to install the package.|
|3.||Select to make the connection available for My Use Only and click OK.|
|4.||After installing, the connection screen, shown in Figure 9.34, is displayed. Enter the appropriate information and click Connect.|
Figure 9.34. Connecting from a VPN Client configured with a CMAK Profile.
The connectoid should then connect the client via the settings that were established in the CMAK and on the ISA Server. At this point, the client is subject to any of the rules that have been setup to govern the VPN Clients network.