June 04, 2001 12:00 AM

Configuring VPNs

Windows IT Pro
InstantDoc ID #21322

In my last column, I discussed some VPN basics, including the tunneling protocols that Windows 2000 supports and the different levels of security and interoperability that these protocols provide. Many people I talk to assume that configuring and supporting a VPN server is difficult—probably because of the security implications of using the Internet for private communications. In fact, Win2K makes it easy to configure VPN on both the server and the client.

Configuring a VPN Server
To set up a Win2K VPN server, you use the Microsoft Management Console (MMC) RRAS snap-in. (RRAS is the Win2K replacement for Windows NT 4.0's RAS; a RRAS add-on is available for NT 4.0.) RRAS adds dynamic routing, DHCP relay, Network Address Translation (NAT), and a policy-based management system that lets you control remote access to RAS's dial-up server functionality. RRAS also gives you a more intuitive and user-friendly interface than the NT 4.0 RAS administrative interface. For example, you'll appreciate RRAS's DHCP relay configuration option when you need to use DHCP to issue IP addresses to dial-up or VPN clients.

To configure RRAS to provide VPN access, open the RRAS snap-in, right-click your server, and choose "Configure and Enable Routing and Remote Access" to launch the RRAS Setup Wizard. You can then choose to configure a VPN server with the wizard's help or to set up a "manually configured server," which installs and starts the RRAS service but leaves you to configure it on your own.

If you decide to use the wizard to configure the VPN support, the wizard prompts you to verify that you've installed the appropriate communications protocols and to specify the adapter that connects your server to the Internet. For dependable VPN service, choose a machine that has a permanent Internet connection and a static IP address. (You can work around the static IP address recommendation using options such as dynamic DNS—DDNS—but in most cases, it's probably more trouble than it's worth.) Next, the wizard asks you to specify a method to distribute IP addresses to clients. You can either use DHCP or define a pool of IP addresses for remote clients to use. If you choose to use DHCP, you must configure the DHCP Relay Agent properties (under the IP Routing node in the RRAS snap-in) so that the relay agent knows the address of your DHCP server.

If you choose the manually configured server option instead, setup installs and starts the RRAS service but does not configure the VPN ports, address assignment, or packet filters for you. You must then launch the RRAS snap-in and configure those settings yourself.

Configuring a VPN Client
To configure a Win2K client to connect to a VPN server, you launch the Control Panel Network and Dial-Up Connections applet's Network Connection Wizard and choose Make New Connection. After you specify that you want to connect to a VPN server, the wizard asks you whether you want to establish a dial-up connection to the Internet before establishing the VPN connection (e.g., if you plan to dial in to an ISP). Next, the wizard asks for the VPN server's DNS name or IP address. Connecting to a VPN server is usually a two-step process. Unless you have a persistent (i.e., "always on") connection, you first establish a connection to the Internet and then connect to the VPN server. The wizard creates a connection icon in your Network and Dial-up Connections folder that you can use to initiate the connection. If you need to adjust any settings for the connection (e.g., change the VPN server's IP address or specify whether to use PPTP or Layer 2 Tunneling Protocol—L2TP), right-click the connection icon, and choose Properties.

Making Adjustments
Be aware that when you use the RRAS Setup Wizard to create a VPN server, the wizard configures input and output filters on the Internet-facing adapter that drop all traffic except PPTP (TCP port 1723 plus GRE, IP protocol 47) and L2TP/IPsec (UDP port 500 for IKE and UDP port 1701 for L2TP). If you plan to use this connection for any other purpose (e.g., to connect to Web sites), you must relax these filter settings; doing so also exposes every other service listening on the machine to the Internet, so think twice before you do it. If you plan to use the machine as a VPN server only, leave the wizard's filters in place and, when your clients connect from known networks, tighten security further by limiting the filters to those source IP address ranges. To configure RRAS filters, start the RRAS snap-in, expand the IP Routing node, select General, open the properties of the Internet-facing adapter, and edit its Input Filters and Output Filters.
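The effect of the wizard's filters, as an added example that is not from the original article: a small Python model of the "drop everything except the following" input filter list on the Internet-facing adapter, evaluated against constructed sample packets. The protocol and port numbers are the standard PPTP and L2TP/IPsec assignments (TCP 1723 and GRE for PPTP, UDP 500 and 1701 for IKE and L2TP); the addresses, the sample packets, and the tightened source-range variant are assumptions made for the demonstration, not the wizard's own rule list.

```python
"""Model of RRAS per-interface IP input filters on a Win2K VPN server.

Added example, not code from the article or from Microsoft. Semantics follow
the RRAS "Drop all packets except those that meet the criteria below" mode:
a packet that matches any filter entry is accepted, everything else is dropped.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# IP protocol numbers (IANA assignments)
TCP, UDP, GRE = 6, 17, 47

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str                      # source IPv4 address as text
    proto: int                    # IP protocol number
    dst_port: Optional[int] = None  # None for protocols without ports (GRE)


@dataclass(frozen=True)
class Filter:
    proto: int
    dst_port: Optional[int] = None  # None matches any port
    src_net: ipaddress.IPv4Network = ANY_NET

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and (self.dst_port is None or pkt.dst_port == self.dst_port)
                and ipaddress.ip_address(pkt.src) in self.src_net)


# What the RRAS Setup Wizard leaves on the Internet adapter, modelled here
# from the protocols' standard assignments (assumption, see lead-in):
WIZARD_FILTERS: List[Filter] = [
    Filter(TCP, 1723),   # PPTP control channel
    Filter(GRE),         # PPTP data (GRE has no ports)
    Filter(UDP, 500),    # IKE, negotiates IPsec for L2TP
    Filter(UDP, 1701),   # L2TP itself
]


def tightened(filters: Iterable[Filter], allowed_nets: Iterable[str]) -> List[Filter]:
    """Same protocol set, but accepted only from the listed source networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return [Filter(f.proto, f.dst_port, net) for net in nets for f in filters]


def permitted(filters: Iterable[Filter], pkt: Packet) -> bool:
    """Any matching entry accepts the packet; no match means it is dropped."""
    return any(f.matches(pkt) for f in filters)


# Constructed sample traffic arriving at the VPN server's Internet interface.
# 198.51.100.0/24 plays the role of a branch office; 203.0.113.9 a home user.
SAMPLES: Dict[str, Packet] = {
    "pptp_control": Packet("198.51.100.7", TCP, 1723),
    "pptp_gre":     Packet("198.51.100.7", GRE),
    "ike":          Packet("203.0.113.9", UDP, 500),
    "l2tp":         Packet("203.0.113.9", UDP, 1701),
    # Reply to a Web request made from the server: arrives on an ephemeral port
    "http_reply":   Packet("192.0.2.80", TCP, 33421),
    "smb_probe":    Packet("198.51.100.7", TCP, 445),
}


def evaluate(filters: Iterable[Filter]) -> Dict[str, bool]:
    """Return {sample name: accepted?} for the constructed samples."""
    flt = list(filters)
    return {name: permitted(flt, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, flt in (("wizard defaults", WIZARD_FILTERS),
                       ("branch office only", tightened(WIZARD_FILTERS, ["198.51.100.0/24"]))):
        print(label)
        for name, ok in evaluate(flt).items():
            print(f"  {name:13s} {'accept' if ok else 'DROP'}")
```

With the wizard defaults, the four tunnel packets are accepted while the Web reply and the SMB probe are dropped, which is why browsing from the server stops working until the filters are relaxed. Restricting the same entries to a branch office range keeps PPTP from that office but drops the home user's L2TP, so use source ranges only when every legitimate client address is known.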

The wizard automatically creates 128 PPTP and 128 L2TP ports, and RRAS accepts either protocol from each client that connects according to the client's capabilities and connection settings. If you need additional ports of a certain type, open the RRAS snap-in, right-click Ports, and choose Properties. Next, select the appropriate tunneling protocol, and choose Configure.

Comments
  • Faizal Shah
    Dec 16, 2003

    Good document, but it could have done with some screen dumps of the setup and flow diagrams for the client-to-VPN connection to RADIUS authentication.