Build VPNs to connect servers and networks securely across the Internet
In "Point-to-Point Tunneling Protocol" (June 1997), I explained how to build Virtual Private Networks (VPNs) to let client systems access your
Windows NT network securely through the Internet. The response to that article
showed that many of you have found this solution useful. Some readers
anticipated my next article, because one of the most frequent responses was, "This
is great. Can I use this to connect my offices?"
Well, the short answer to that question is no. Unfortunately, you can't use
standard Remote Access Service (RAS) and PPTP to connect your offices. The RAS
and PPTP that come with NT Server 4.0 are for client/server communications, not
server-to-server communications. Fortunately, Microsoft has just released a tool
that lets you build true VPNs securely, across the Internet, to connect servers
and networks.
Time for a Little RRAS
Meet Microsoft's Routing and RAS (RRAS). RRAS (formerly code-named
Steelhead) is Microsoft's set of enhancements to NT's RAS and Multi-Protocol
Routing (MPR) services. Among the significant enhancements that RRAS includes,
you'll find support for newer routing protocols such as Routing Information
Protocol (RIP) 2.0 and Open Shortest Path First (OSPF) (for details about OSPF,
see Tao Zhou, "Steelhead's OSPF Routing," August 1997); a graphical interface
and administration tool; Remote Authentication Dial In User Service (RADIUS)
client support; demand-dial routing; and PPTP server-to-server connections. In
short, RRAS is industrial-strength routing for NT. (For an in-depth look at
RRAS features, see Mark Minasi, "Steelhead Swims into the Mainstream," August
1997.)
By taking advantage of the PPTP enhancements to build VPNs, you can connect
remote offices securely with nothing more than an Internet connection at each
site. Here, I describe what you need to connect remote offices as VPNs and tell
you how to do it.
Can't Say Enough
Routing can be a very complex subject. If the world of IP, routing
protocols, static routes, name resolution, and other WAN areas makes you uneasy,
consider taking Microsoft's TCP/IP course to get your feet wet. In the meantime,
if you follow the example here, you can build a sample VPN across the Internet
and experience firsthand how RRAS works. I assume you have at least a
rudimentary understanding of TCP/IP networking principles.
The Scenario
Because predicting what a typical network configuration might look like
isn't possible, let's use a hypothetical situation to configure and demonstrate
the capabilities of RRAS. Assume you work at a US corporation. Your CEO has just
signed a merger deal with a large corporation in Europe, joining your two
companies. Your assignment is to set up communications between the two networks.
Your CEO assumes you need only to connect a few wires in the back room to get
things going and is wondering why you haven't finished yet.
Fortunately for you, the European company is running NT 4.0 with the new
RRAS update. You're also lucky because the firm's technical employees speak
English and mention that you can download the RRAS update from Microsoft's Web
site at http://www.microsoft.com/ntserver/info/routing&ras.htm. After
downloading the 5.5MB update and Service Pack 3 (SP3--you must install SP3
before you install RRAS), you're ready to go.
What You Need
For this example, you need two systems running NT Server 4.0 (we'll call
them EUROPE and AMERICA) and one workstation, which we'll call EUROPE-W0001. The
workstation can be running either Windows 95 or NT Workstation.
You need two connections (dedicated or dial-up) to the Internet. Dedicated
connections work better than dial-up, but dial-up connections are acceptable.
You also need two fixed Internet IP addresses. Although you can
make dynamically assigned addresses work, I recommend avoiding them. I've
successfully tested RRAS with dynamically assigned addresses, but because this
solution requires building static routing tables, IP addresses that change make
a mess of things. Therefore, this example assumes you have fixed addressing.
Finally, if you're trying out RRAS on a dedicated Internet connection that
goes through a firewall, the firewall must pass PPTP, and PPTP is two separate
things, not one port. Allow TCP port 1723 in both directions (the PPTP control
connection) and IP protocol number 47, Generic Routing Encapsulation (GRE), in
both directions (the tunneled PPP data). GRE is its own IP protocol, not a TCP
or UDP port, so a rule that opens only port 1723 lets the tunnel negotiate but
carries no data across it.
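The following is an added example, not code from the article: it builds constructed IPv4 packets and classifies them the way a PPTP passthrough rule must, admitting the TCP/1723 control connection and the GRE (protocol 47) data channel only between the two VPN endpoints. The endpoint addresses 192.0.2.10 and 198.51.100.20 and the packet contents are assumptions for the example; the second rule function shows what the common "open port 1723" mistake does to the data channel.

```python
"""Classify IPv4 packets the way a PPTP-passthrough firewall rule must.

Added example, not code from the original article. PPTP needs two separate
allowances: TCP port 1723 for the control connection and IP protocol 47
(GRE) for the tunneled PPP data, both in either direction between the two
VPN endpoints. The packets and endpoint addresses below are constructed.
"""
import ipaddress
import struct

PPTP_CONTROL_PORT = 1723
IPPROTO_TCP = 6
IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B  # protocol type in PPTP's enhanced GRE header (RFC 2637)


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport):
    """Minimal TCP header: ports, data offset 5, SYN flag, everything else zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def build_gre_pptp(call_id, seq=0, payload=b""):
    """Enhanced GRE header as PPTP uses it: K and S flags set, version 1, protocol 0x880B."""
    flags_ver = 0x2000 | 0x1000 | 0x0001  # K | S | version 1
    return struct.pack("!HHHHI", flags_ver, GRE_PROTO_PPP, len(payload), call_id, seq) + payload


def classify(packet):
    """Return (kind, src, dst): kind is 'pptp-control', 'pptp-data' or 'other'."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return ("pptp-control", src, dst)
    elif proto == IPPROTO_GRE:
        _flags, gre_proto = struct.unpack("!HH", packet[ihl:ihl + 4])
        if gre_proto == GRE_PROTO_PPP:
            return ("pptp-data", src, dst)
    return ("other", src, dst)


def pptp_rule_allows(packet, endpoints):
    """Correct passthrough rule: TCP/1723 and GRE, only between the two endpoints, either direction."""
    kind, src, dst = classify(packet)
    return kind != "other" and {src, dst} == set(endpoints)


def port_only_rule_allows(packet, endpoints):
    """The common mistake, 'open port 1723' alone: the tunnel negotiates but carries no data."""
    kind, src, dst = classify(packet)
    return kind == "pptp-control" and {src, dst} == set(endpoints)


# Constructed sample traffic between the assumed public addresses of AMERICA and EUROPE.
ENDPOINTS = ("192.0.2.10", "198.51.100.20")
CONTROL = build_ipv4(ENDPOINTS[0], ENDPOINTS[1], IPPROTO_TCP, build_tcp(1030, PPTP_CONTROL_PORT))
DATA = build_ipv4(ENDPOINTS[1], ENDPOINTS[0], IPPROTO_GRE,
                  build_gre_pptp(call_id=7, seq=1, payload=b"\x00\x21"))  # constructed PPP bytes
STRAY = build_ipv4("203.0.113.5", ENDPOINTS[0], IPPROTO_GRE, build_gre_pptp(call_id=1))

if __name__ == "__main__":
    for name, pkt in (("control", CONTROL), ("data", DATA), ("stray GRE", STRAY)):
        print(f"{name:10} {classify(pkt)[0]:13} correct={pptp_rule_allows(pkt, ENDPOINTS)} "
              f"port-only={port_only_rule_allows(pkt, ENDPOINTS)}")
```

Run it and the data packet is admitted by the correct rule but dropped by the port-only rule, while GRE from an unrelated address is dropped by both; restricting GRE to the two fixed endpoint addresses is the reason this article insists on static Internet addresses at each site.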
Figure 1 depicts the sample network's layout; the workstation is on the
EUROPE network. Table 1 lists the network's IP address ranges. Make sure that
TCP/IP and PPTP are the only protocols in use anywhere.
Basic IP Configuration
Let's start by configuring the workstation. Simply set up the workstation
with the standard Microsoft TCP/IP stack, and assign the workstation a
fixed internal (i.e., non-Internet) IP address such as 172.16.10.2 with a subnet
mask of 255.255.255.0 and a default internal gateway address of 172.16.10.1.
Although I'm using private IP addresses (the RFC 1918 range 172.16.0.0 through
172.31.255.255) even for the sample Internet addresses in this example, remember
that your Internet-facing interfaces must have registered public addresses
assigned by InterNIC or your ISP. Test your configuration by making sure you
can ping your own IP address. Because this sample network won't be running any
name resolution (no DNS or WINS), create an LMHOSTS file on the workstation
that maps the name AMERICA to that server's internal IP address, such as
172.16.1.1.
Next, configure the EUROPE server by installing Microsoft's TCP/IP stack,
and assign the server a fixed internal IP address such as 172.16.10.1 and a
subnet mask of 255.255.255.0. No default gateway is necessary on the server
because the MPR service will run on it. Ping your own address to verify that
you've configured the server correctly. Make sure your workstation and server
are on the same logical network segment, and verify your connectivity by pinging
each one from the other.
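Before touching RRAS it pays to check the addressing plan on paper, since the static routes built later depend on it. The following is an added example, not code from the article: it checks the workstation and EUROPE server settings above (same subnet, gateway on that subnet), checks that each site's LAN is an RFC 1918 range while the tunnel endpoints are not, checks that the two LANs do not overlap (overlapping LANs make the static routes across the tunnel ambiguous), and parses the workstation's LMHOSTS file. The AMERICA LAN 172.16.1.0/24, the two public endpoint addresses and the LMHOSTS text are assumptions for the example.

```python
"""Sanity-check the sample network's addressing before configuring RRAS.

Added example, not code from the original article. The EUROPE numbers are
the article's (172.16.10.0/24, server .1, workstation .2, AMERICA at
172.16.1.1 in LMHOSTS); the AMERICA LAN 172.16.1.0/24, the two public
endpoint addresses and the LMHOSTS text are constructed for the example.
"""
import ipaddress

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip_or_net):
    """True if a host address or network lies inside one of the RFC 1918 private ranges."""
    obj = ipaddress.ip_network(ip_or_net, strict=False)
    return any(obj.subnet_of(r) for r in RFC1918)


def check_host(ip, mask, gateway=None):
    """Problems with one host's static TCP/IP settings (address, mask, optional default gateway)."""
    problems = []
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gateway is not None:
        gw = ipaddress.IPv4Address(gateway)
        if gw not in net:
            problems.append(f"gateway {gateway} is not on {net}, so {ip} cannot reach it")
        elif gw == iface.ip:
            problems.append(f"gateway {gateway} is the host itself")
    return problems


def check_plan(sites):
    """sites: name -> {'lan': CIDR, 'internet': endpoint address}. Each LAN must be private,
    each tunnel endpoint public, and no two LANs may overlap."""
    problems = []
    for name, site in sites.items():
        if not is_rfc1918(site["lan"]):
            problems.append(f"{name}: LAN {site['lan']} is not an RFC 1918 private range")
        if is_rfc1918(site["internet"]):
            problems.append(f"{name}: Internet address {site['internet']} is private; "
                            "the Internet-facing interface needs a registered public address")
    names = list(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            na = ipaddress.IPv4Network(sites[a]["lan"])
            nb = ipaddress.IPv4Network(sites[b]["lan"])
            if na.overlaps(nb):
                problems.append(f"LAN {na} ({a}) overlaps LAN {nb} ({b})")
    return problems


def parse_lmhosts(text):
    """NetBIOS name -> address from LMHOSTS text. Comment lines and '#' directives
    (#INCLUDE and friends) start with '#' and are skipped; a trailing #PRE after
    the name is ignored because only the first two fields are read."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        table[fields[1].upper()] = ipaddress.IPv4Address(fields[0])
    return table


# Constructed sample plan and LMHOSTS content for the example.
SITES = {
    "EUROPE": {"lan": "172.16.10.0/24", "internet": "198.51.100.20"},
    "AMERICA": {"lan": "172.16.1.0/24", "internet": "192.0.2.10"},
}
LMHOSTS = "# constructed sample LMHOSTS for EUROPE-W0001\n172.16.1.1   AMERICA   #PRE\n"


def run_checks(sites=SITES, lmhosts=LMHOSTS):
    """Run every check for the sample network; an empty list means the plan is sound."""
    problems = []
    problems += check_host("172.16.10.2", "255.255.255.0", "172.16.10.1")  # EUROPE-W0001
    problems += check_host("172.16.10.1", "255.255.255.0")                  # EUROPE, LAN side
    problems += check_plan(sites)
    america = parse_lmhosts(lmhosts).get("AMERICA")
    if america is None or not any(america in ipaddress.IPv4Network(s["lan"]) for s in sites.values()):
        problems.append("LMHOSTS does not map AMERICA to an address on a known LAN")
    return problems


if __name__ == "__main__":
    for line in run_checks() or ["plan OK"]:
        print(line)
```

The overlap check matters most after the merger in the scenario: two companies that both picked 172.16.0.0/16 for their LANs cannot be joined by static routes until one of them renumbers, and the LMHOSTS check confirms that AMERICA resolves to an address that will be routed through the tunnel rather than to its public interface.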