Set up remote access for your offsite users
A VPN extends a private network (e.g., a LAN) across links that run over a shared or public network, such as the Internet. VPNs are a secure way of providing access to the servers on your LAN. In previous articles, I've warned against implementing remote access technologies such as Windows 2000 Server Terminal Services without first implementing a VPN solution. Now, I show you how to install and implement a VPN server on a Win2K machine to establish secure remote access for Web server administration.
VPN Technology Solutions
With a VPN, data is encapsulated with a header that provides routing information. This header lets data securely traverse a public network to reach the data's endpoint. The data is encrypted, so if packets are intercepted, they're indecipherable without the keys the endpoints used to encrypt them. (You can also use a VPN to establish routed connections between two or more LANs, for example, geographically separate offices, through a dedicated WAN connection, but that's beyond the scope of this article.) Two types of VPN technology solutions are available for remote client access in Win2K:
- PPTP, which uses user-level Point-to-Point Protocol (PPP) authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption
- Layer 2 Tunneling Protocol (L2TP) with IP Security (IPSec), which uses user-level PPP authentication methods and machine-level certificates with IPSec for data encryption
I show you how to set up a PPTP VPN solution here.
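As an added example (not code from the original article), the following parser recognizes the two halves of a PPTP session described above, the TCP control connection and the GRE-encapsulated PPP data, on constructed sample bytes; a firewall or IDS administrator can use the same field checks to confirm that both halves are actually passing. The field layouts, the control port (TCP 1723) and the GRE protocol type for PPP are taken from RFC 2637, not from the page, and the two sample packets are made up here.

```python
import struct

# Fixed protocol constants from RFC 2637 (assumed, not stated on the page)
PPTP_MAGIC_COOKIE = 0x1A2B3C4D   # present in every PPTP control message
PPTP_CONTROL_PORT = 1723         # TCP port of the PPTP control connection
GRE_PROTO_PPP = 0x880B           # GRE protocol type for PPP payloads (IP proto 47)

CONTROL_TYPES = {
    1: "Start-Control-Connection-Request",
    2: "Start-Control-Connection-Reply",
    7: "Outgoing-Call-Request",
    8: "Outgoing-Call-Reply",
}

def parse_pptp_control(payload):
    """Parse the 12-byte PPTP control header; return None if not PPTP."""
    if len(payload) < 12:
        return None
    length, msg_type, magic, ctrl_type, _res = struct.unpack("!HHIHH", payload[:12])
    # Message type 1 = control message; the magic cookie guards against other TCP data
    if magic != PPTP_MAGIC_COOKIE or msg_type != 1 or length < 12 or length > len(payload):
        return None
    info = {"length": length, "control_type": CONTROL_TYPES.get(ctrl_type, ctrl_type)}
    if ctrl_type == 1 and length == 156:
        # Start-Control-Connection-Request carries a 64-byte NUL-padded Host Name at offset 28
        info["host_name"] = payload[28:92].rstrip(b"\x00").decode("ascii", "replace")
    return info

def parse_pptp_gre(packet):
    """Parse the enhanced GRE header PPTP uses for PPP data; None if not PPTP GRE."""
    if len(packet) < 8:
        return None
    flags, ver_byte, proto, payload_len, call_id = struct.unpack("!BBHHH", packet[:8])
    # PPTP requires GRE version 1, the Key bit (K, 0x20) set and protocol type 0x880B
    if proto != GRE_PROTO_PPP or (ver_byte & 0x07) != 1 or not (flags & 0x20):
        return None
    has_seq, has_ack = bool(flags & 0x10), bool(ver_byte & 0x80)  # S bit, A bit
    hdr_len = 8 + 4 * has_seq + 4 * has_ack
    if len(packet) < hdr_len:
        return None   # truncated header
    info, offset = {"call_id": call_id, "payload_len": payload_len}, 8
    if has_seq:
        info["seq"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if has_ack:
        info["ack"] = struct.unpack("!I", packet[offset:offset + 4])[0]
    # The Key field's upper half states the PPP payload length; check it is all there
    info["ppp_payload_ok"] = len(packet) - hdr_len >= payload_len
    return info

# Constructed samples (not real captures): an SCCRQ and one GRE data packet for call 5
SCCRQ = (struct.pack("!HHIHH", 156, 1, PPTP_MAGIC_COOKIE, 1, 0)
         + struct.pack("!HHIIHH", 0x0100, 0, 1, 1, 1, 0)
         + b"VPNSRV".ljust(64, b"\x00") + b"Microsoft".ljust(64, b"\x00"))
GRE_DATA = bytes([0x30, 0x81]) + struct.pack("!HHHII", GRE_PROTO_PPP, 4, 5, 1, 0) + b"\xff\x03\xc0\x21"
```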
Preparing for VPN Server Installation
Before you begin setting up and configuring a PPTP VPN solution, you might need to take a few preliminary steps. For example, if you have a firewall protecting your servers, you'll need to reference your firewall documentation for information about setting up and configuring your firewall to pass VPN traffic. In addition, a VPN server requires a dedicated NIC, so you need to set up and configure a second NIC that will move this private LAN traffic. The second NIC can use a static or dynamically generated IP address. If you have multiple LAN interfaces, I recommend naming each interface to keep them straight. To give your LAN interfaces names that are more descriptive of their function, open the Control Panel Network and Dial-up Connections applet, then right-click the LAN connection and select Rename.
Next, your VPN server needs a mechanism for resolving computer names to IP addresses. Win2K has two methods to accomplish this task: It uses DNS and a HOSTS file for host name resolution, and WINS and an LMHOSTS file for NetBIOS name resolution. Whatever form of name resolution is already running on your network will be sufficient for your VPN server.
Finally, if your VPN server belongs to a Win2K Active Directory (AD) domain, you need to log on as a user with Domain Admin privileges (or get the help of someone in your company who has Domain Admin privileges). You don't need to have Domain Admin privileges when you're setting up the VPN server, but you need them to add the VPN server to the list of valid remote access servers in AD before remote clients can use the service.
Installing the VPN Server
Installing a VPN server on Win2K is simple. On the server on which you want to run VPN services, click Start, Programs, Administrative Tools, Routing and Remote Access. Right-click the name of the server, then select Configure and Enable Routing and Remote Access to initiate the Routing and Remote Access Server Setup Wizard. On the first screen, click Next. On the Common Configurations screen, select the Virtual private network (VPN) server option, as Figure 1 shows, then click Next. On the Remote Client Protocols screen, verify the client protocols that you want to use in your VPN connection. Most likely, TCP/IP is the only protocol that will appear and the only protocol you need, but some shops still run IPX for backward compatibility to Novell and NetBEUI for backward compatibility to earlier versions of Windows. If you need to add protocols, you must quit the wizard and set them up appropriately in the Network and Dial-up Connections applet. Click Next.
On the Internet Connection screen, specify the Internet connection on the NIC that you've dedicated to your VPN server. This connection corresponds to the NIC connected to the Internet or to your perimeter network. Click Next. On the IP Address Assignment screen, which Figure 2 shows, configure how your VPN clients will be issued valid IP addresses on your network. If you have an operational DHCP server on your network, select the Automatically option. Otherwise, select the From a specified range of addresses option. With this option, you can choose a valid range of IP addresses that are compatible with the subnet on your network. (You can use a range of IP addresses in an off-subnet address range, but you'll need to add routes to your routing infrastructure for VPN clients to be reachable.) Click Next.
The Managing Multiple Remote Access Servers screen, which Figure 3 shows, lets you configure Remote Authentication Dial-In User Service (RADIUS). RADIUS is a client/server protocol and supporting software platform that lets remote access servers communicate with a central server to authenticate dial-up users and authorize their access to the requested system or service. RADIUS lets you maintain user profiles in a central database that all remote servers can share. That is, you can off-load authentication and authorization to a RADIUS server. This scenario is the most likely one if you're going to use multiple VPN servers. Win2K includes a RADIUS server known as Internet Authentication Service (IAS), which centralizes authentication, accounting, and administration of remote access policies for multiple Win2K VPN and dial-in remote access servers. IAS also manages third-party network-access servers. (Configuring an IAS server is beyond the scope of this article, but for more information, see Tao Zhou's Windows NT Magazine article "Remote Access Management with RADIUS," http://www.winnetmag.com, InstantDoc ID 5377.) If you choose not to use RADIUS for authentication, a Win2K VPN server can authenticate users by contacting a domain controller (DC) to authorize them through locally configured remote access policies. When you've decided which technology to use for authentication and authorization, click Next.
Danny May 06, 2004