Configure a Windows Server 2003 VPN on the server

Wednesday, December 7, 2011

Configure a Windows Server 2003 VPN on the server

Add the Remote Access/VPN Server role to your Windows Server 2003 system

            To add the Remote Access/VPN Server role, go to Start | All Programs |Administrative Tools | Configure Your Server Wizard. The first screen of this wizard isfor informational purposes only and, thus, is not shown here. Click Next. Thesame goes for the second screen, which just tells you some things you need tohave completed before adding new roles to your server.

On thethird screen of the wizard, entitled Server Role, you're presented with a listof available roles for your server along with column that indicates whether ornot a particular role has been assigned to this machine. Figure A shows you a screen from a server on which just the IIS Webserver role has been added.
To add a new role, select the role and click Next

To add theRemote Access/VPN Server role to your server, select that role and click theNext button to move on to the next screen in the wizard, which provides youwith a quick overview of the options you selected.
The summary screen is pretty basic for this role

Take note: This selection just starts anotherwizard called the Routing and Remote Access Wizard, described further below.

The Routing and Remote Access Wizard component

             Like mostwizards, the first screen of the Routing and Remote Access wizard is purelyinformational and you can just click Next.

The secondscreen in this wizard is a lot meatier and asks you to decide what kind ofremote access connection you want to provide. Since the goal here is to set upa PPTP-based VPN, select the "Virtual Private Network VPN and NAT"selection and click Next.
Select the VPN option and click Next

The nextscreen of the wizard, entitled VPN Connection, asks you to determine whichnetwork adapter is used to connect the system to the Internet. For VPN servers,you should install and use a separate network adapter for VPN applications. Networkadapters are really cheap and separation makes the connections easier to secure.In this example, I've selected the second local area network connection (see Figure D), a separate NIC from the onethat connects this server to the network. Notice the checkbox labeled"Enable security on the selected interface by setting up Basic Firewall"underneath the list of network interfaces. It's a good idea to enable sinceoption it helps to protect your server from outside attack. A hardware firewallis still a good idea, too.
Select the network adapter that connects your server to the Internet

With theselection of the Internet-connected NIC out of the way, you need to tell theRRAS wizard which network external clients should connect to in order to accessresources. Notice that the adapter selected for Internet access is not anoption here.
Select the network containing resources needed by external clients

Just likeevery other client out there, your external VPN clients will need IP addressesthat are local to the VPN server so that the clients can access the appropriateresources. You have two options (really three รข€" I'll explain in a minute) forhandling the doling out of IP addresses.

First, youcan leave the work up to your DHCPserver and make the right configuration changes on your network equipment forDHCP packets to get from your DHCP server to your clients. Second, you can haveyour VPN server handle the distribution of IP addresses for any clients thatconnect to the server. To make this option work, you give your VPN server arange of available IP addresses that it can use. This is the method I prefersince I can tell at a glance exactly from where a client is connecting. Ifthey're in the VPN "pool" of addresses, I know they're remote, forexample. So, for this setting, as shown in FigureF below, I prefer to use the "From a specified range ofaddresses" option. Make your selection and click Next.
Your choice on this one! I prefer to provide a range of addresses

If youselect the "From a specified range of addresses" option on theprevious screen, you now have to tell the RRAS wizard exactly which addressesshould be reserved for distribution to VPN clients. To do this, click the New button on the Address Range Assignment screen. Type in the starting and ending IP addresses for the new range andclick OK. The "Number of addresses" field will be filled inautomatically based on your entry. You can also just enter the starting IPaddress and the number if IP addresses you want in the pool. If you do so, thewizard automatically calculates the ending IP address. Click OK in the NewAddress Range window; your entry appears in the Address Range Assignment window.Click Next to continue.
You can have multiple address ranges, as long as they are all accessible

The nextscreen asks you to identify the network that has shared access to the Internet.This is generally the same network that your VPN users will use to accessshared resources.
Pick the network adapter that gives you access to the Internet

Authenticatingusers to your network is vital to the security of your VPN infrastructure. TheWindows VPN service provides two means for handling this chore. First, you canuse RADIUS, which is particularly useful if you have other services already usingRADIUS. Or, you can just let the RRAS service handle the authentication dutiesitself. Give users access to the VPN services by enabling dial-in permissionsin the user's profile (explained below). For this example, I will not be usingRADIUS, but will allow RRAS to directly authenticate incoming connectionrequests.
Decide what means of authentication you want to provide

That's itfor the RRAS wizard! You're provided with a summary screen that details theselections you made.
The RRAS wizard summary window

This alsocompletes the installation of the Remote Access/VPN Server role.

User configuration

               By default,users are not granted access to the services offered by the VPN; you need togrant these rights to each user that you want to allow remote access to yournetwork. To do this, open ActiveDirectory Users and Computers (for domains) or Computer Management (forstand alone networks), and open the properties page for a user to whom you'dlike to grant access to the VPN. Select that user's Dial-In properties page. Onthis page, under Remote Access Permissions, select "Allow access". Notethat there are a lot of different ways to "dial in to" a WindowsServer 2003 system; a VPN is but one method. Other methods include wirelessnetworks, 802.1x, and dial-up. This article assumes that you're not using theWindows features for these other types of networks. If you are, and you specify"Allow access", a user will be able to use multiple methods to gainaccess to your system. I can't go over all of the various permutations in asingle article, however.
Allow the user access to the VPN

Up and running

These arethe steps needed on the server to get a VPN up and running. Of course, if youhave devices such as firewalls between your VPN server and the Internet,further steps may be required; these are beyond the scope of this article,however.

Leave a Reply

Subscribe to Posts | Subscribe to Comments

Pageviews

Followers

Blog Archive

Powered by Blogger.

- Copyright © 2013 Selva Sharing -Selvasharing- Powered by Blogger - Designed by @ Access -