Installing and Configuring VPN on Windows Server 2003

Date post: 08-Apr-2018
Upload: jamal-mehaboob
Transcript
  • 8/7/2019 Installing and Configuring VPN on Windows Server 2003

    1/20

    Installing and Configuring VPN on Windows Server 2003

    What is a Virtual Private Network (VPN)?

    A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A VPN can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost.

    A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). In effect, the protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a "tunnel" that cannot be "entered" by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.

    Components of a VPN

    A VPN on servers running Windows Server 2003 is made up of a VPN server, a VPN client, a VPN connection (that portion of the connection in which the data is encrypted), and the tunnel (that portion of the connection in which the data is encapsulated). The tunneling is completed through one of the two tunneling protocols included with Windows Server 2003, both of which are installed with Routing and Remote Access. The Routing and Remote Access service is installed automatically during the installation of Windows Server 2003. By default, however, the Routing and Remote Access service is turned off.

    The two tunneling protocols included with Windows are:

    Point-to-Point Tunneling Protocol (PPTP): Provides data encryption using Microsoft Point-to-Point Encryption (MPPE).
    Layer Two Tunneling Protocol (L2TP): Provides data encryption, authentication, and integrity using IPSec.

    Of the two, L2TP/IPSec is the one to prefer wherever clients support it. PPTP's MPPE keys are derived from the MS-CHAP v2 exchange, and MS-CHAP v2 is known to be breakable by an offline attack on a captured handshake, so a PPTP tunnel should not be relied on against an attacker who can capture traffic on the public network.

    Your connection to the Internet must use a dedicated line such as T1, Fractional T1, or Frame Relay. The WAN adapter must be configured with the IP address and subnet mask assigned for your domain or supplied by an Internet service provider (ISP), and the ISP router must be configured as the default gateway of the WAN adapter.

    Source: http://newadmins.blogspot.com/2009/07/installing-and-configuring-vpn-on.html

    NOTE: To turn on VPN, you must be logged on using an account that has administrative rights.

    VPN Installation

    To install and turn on a VPN server, follow these steps:

    1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
    2. Click the server icon that matches the local server name in the left pane of the console. If the icon has a red circle in the lower-left corner, the Routing and Remote Access service has not been turned on. If the icon has a green arrow pointing up in the lower-left corner, the Routing and Remote Access service has been turned on. If the Routing and Remote Access service was previously turned on, you may want to reconfigure the server. To reconfigure the server:
       a. Right-click the server object, and then click Disable Routing and Remote Access. Click Yes to continue when you are prompted with an informational message.
       b. Right-click the server icon, and then click Configure and Enable Routing and Remote Access to start the Routing and Remote Access Server Setup Wizard. Click Next to continue.
       c. Click Remote access (dial-up or VPN) to allow remote computers to dial in or connect to this network through the Internet. Click Next to continue.
    3. Click to select VPN or Dial-up depending on the role that you intend to assign to this server.
    4. In the VPN Connection window, click the network interface which is connected to the Internet, and then click Next.
    5. In the IP Address Assignment window, click Automatically if a DHCP server will be used to assign addresses to remote clients, or click From a specified range of addresses if remote clients must only be given an address from a pre-defined pool. In most cases, the DHCP option is simpler to administer. However, if DHCP is not available, you must specify a range of static addresses. Click Next to continue.
    6. If you clicked From a specified range of addresses, the Address Range Assignment dialog box opens. Click New. Type the first IP address in the range of addresses that you want to use in the Start IP address box. Type the last IP address in the range in the End IP address box. Windows calculates the number of addresses automatically. Click OK to return to the Address Range Assignment window. Click Next to continue.
    7. Accept the default setting of No, use Routing and Remote Access to authenticate connection requests, and then click Next to continue. Click Finish to turn on the Routing and Remote Access service and to configure the server as a Remote Access server.

    The Routing And Remote Access Wizard Component

    Like most wizards, the first screen of the Routing and Remote Access wizard is purely informational and you can just click Next.

    The second screen in this wizard is a lot meatier and asks you to decide what kind of remote access connection you want to provide. Since the goal here is to set up a PPTP-based VPN, select the "Virtual Private Network VPN and NAT" selection and click Next.

    Select the VPN option and click Next

    The next screen of the wizard, entitled VPN Connection, asks you to determine which network adapter is used to connect the system to the Internet. For VPN servers, you should install and use a separate network adapter for VPN applications. Network adapters are really cheap and separation makes the connections easier to secure. In this example, I've selected the second local area network connection, a separate NIC from the one that connects this server to the network. Notice the checkbox labeled "Enable security on the selected interface by setting up Basic Firewall" underneath the list of network interfaces. It's a good idea to enable this option, since it helps to protect your server from outside attack. A hardware firewall is still a good idea, too.


    Select the network adapter that connects your server to the Internet

    With the selection of the Internet-connected NIC out of the way, you need to tell the RRAS wizard which network external clients should connect to in order to access resources. Notice that the adapter selected for Internet access is not an option here.


    Select the network containing resources needed by external clients

    Just like every other client out there, your external VPN clients will need IP addresses that are local to the VPN server so that the clients can access the appropriate resources. You have two options (really three; I'll explain in a minute) for handling the doling out of IP addresses. First, you can leave the work up to your DHCP server and make the right configuration changes on your network equipment for DHCP packets to get from your DHCP server to your clients. Second, you can have your VPN server handle the distribution of IP addresses for any clients that connect to the server. To make this option work, you give your VPN server a range of available IP addresses that it can use. This is the method I prefer since I can tell at a glance exactly from where a client is connecting. If they're in the VPN "pool" of addresses, I know they're remote, for example. So, for this setting, as shown below, I prefer to use the "From a specified range of addresses" option. Make your selection and click Next.


    Your choice on this one! I prefer to provide a range of addresses

    If you select the "From a specified range of addresses" option on the previous screen, you now have to tell the RRAS wizard exactly which addresses should be reserved for distribution to VPN clients. To do this, click the New button on the Address Range Assignment screen. Type in the starting and ending IP addresses for the new range and click OK. The "Number of addresses" field will be filled in automatically based on your entry. You can also just enter the starting IP address and the number of IP addresses you want in the pool. If you do so, the wizard automatically calculates the ending IP address. Click OK in the New Address Range window; your entry appears in the Address Range Assignment window. Click Next to continue.


    You can have multiple address ranges, as long as they are all accessible

    The next screen asks you to identify the network that has shared access to the Internet. This is generally the same network that your VPN users will use to access shared resources.


    Pick the network adapter that gives you access to the Internet

    Authenticating users to your network is vital to the security of your VPN infrastructure. The Windows VPN service provides two means for handling this chore. First, you can use RADIUS, which is particularly useful if you have other services already using RADIUS. Or, you can just let the RRAS service handle the authentication duties itself. Give users access to the VPN services by enabling dial-in permissions in the user's profile (explained below). For this example, I will not be using RADIUS, but will allow RRAS to directly authenticate incoming connection requests.


    Decide what means of authentication you want to provide

    That's it for the RRAS wizard! You're provided with a summary screen that details the selections you made.


    The RRAS wizard summary window

    This also completes the installation of the Remote Access/VPN Server role.

    User Configuration

    By default, users are not granted access to the services offered by the VPN; you need to grant these rights to each user that you want to allow remote access to your network. To do this, open Active Directory Users and Computers (for domains) or Computer Management (for stand-alone servers), and open the properties page for a user to whom you'd like to grant access to the VPN. Select that user's Dial-In properties page. On this page, under Remote Access Permission, select "Allow access". Note that there are a lot of different ways to "dial in to" a Windows Server 2003 system; a VPN is but one method. Other methods include wireless networks, 802.1x, and dial-up. This article assumes that you're not using the Windows features for these other types of networks. If you are, and you specify "Allow access", a user will be able to use multiple methods to gain access to your system. I can't go over all of the various permutations in a single article, however. If you need to limit a user to the VPN alone, leave the account at "Control access through Remote Access Policy" and create a remote access policy whose conditions match only VPN connections (for example, NAS-Port-Type matches Virtual (VPN)) and whose permission is set to grant access.
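The following batch file is added here as a worked example and is not part of the original article. It does from the command line what the wizard steps and the Dial-In tab above do, and adds the authentication-protocol pruning the wizard leaves to you (keeping only MS-CHAP v2 and EAP). It uses the netsh ras context that ships with Windows Server 2003; a stock 2003 server has no PowerShell, so this is a cmd.exe script to be run as an administrator after the wizard has enabled the service. The pool 192.168.50.100 to 192.168.50.149, the domain CONTOSO, the server name VPN01 and the user jsmith are placeholders, and the netsh ras set user line is assumed to be run where the account lives (on the server itself for a local account; for a domain account use the Dial-In tab as described above).

```batch
@echo off
rem Added example (not from the original article): scripted equivalent of the
rem wizard choices above, run from an elevated cmd.exe on the Windows Server
rem 2003 RRAS box after the wizard has enabled the service.
rem Assumed placeholder values: pool 192.168.50.100-192.168.50.149,
rem domain CONTOSO, server VPN01, user jsmith.
setlocal

rem 1. The service must be running and set to start automatically
rem    (the space after "start=" is required by sc).
sc config RemoteAccess start= auto >nul
sc query RemoteAccess | findstr /C:"RUNNING" >nul || net start RemoteAccess

rem 2. Hardening the wizard does not do for you: drop the weak PPP
rem    authentication methods and keep only MS-CHAP v2 and EAP. Methods that
rem    are already disabled make netsh return an error, hence the redirect.
for %%A in (PAP SPAP MD5CHAP MSCHAP) do netsh ras delete authtype type=%%A >nul 2>&1
netsh ras add authtype type=MSCHAPv2
netsh ras add authtype type=EAP

rem 3. Hand out addresses from a static pool, the same choice as the
rem    "From a specified range of addresses" option above.
netsh ras ip set addrassign method=pool
netsh ras ip add range from=192.168.50.100 to=192.168.50.149

rem 4. Authenticate against Windows (the "No, use Routing and Remote Access"
rem    option) and register the server in Active Directory so that it is
rem    allowed to read users' dial-in properties.
netsh ras aaaa set authentication provider=windows
netsh ras add registeredserver domain=CONTOSO server=VPN01

rem 5. Grant one account dial-in permission (the Dial-In tab, "Allow access").
netsh ras set user name=jsmith dialin=permit

rem 6. Verify every setting changed above.
netsh ras show authtype
netsh ras ip show config
netsh ras show registeredserver domain=CONTOSO server=VPN01
netsh ras show user name=jsmith
endlocal
```

When typing these lines interactively rather than from a .bat file, write `%A` instead of `%%A` in the for loop. The registration step does not take effect until the RRAS service (or the server) is restarted, as the troubleshooting section below notes.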


    Allow the user access to the VPN

    Up and Running

    These are the steps needed on the server to get a VPN up and running.

    How to Configure a VPN Connection from a Client Computer

    1. On the client computer, confirm that the connection to the Internet is correctly configured.
    2. Click Start, click Control Panel, and then click Network Connections. Click Create a new connection under Network Tasks, and then click Next.
    3. Click Connect to the network at my workplace to create the dial-up connection. Click Next to continue.
    4. Click Virtual Private Network connection, and then click Next.
    5. Type a descriptive name for this connection in the Company name dialog box, and then click Next.
    6. Click Do not dial the initial connection if the computer is permanently connected to the Internet. If the computer connects to the Internet through an Internet Service Provider (ISP), click Automatically dial this initial connection, and then click the name of the connection to the ISP. Click Next.
    7. Type the IP address or the host name of the VPN server computer (for example, VPNServer.SampleDomain.com).
    8. Click Anyone's use if you want to permit any user who logs on to the workstation to have access to this dial-up connection. Click My use only if you want this connection to be available only to the currently logged-on user. Click Next.
    9. Click Finish to save the connection.
    10. Click Start, click Control Panel, and then click Network Connections.
    11. Double-click the new connection.
    12. Click Properties to continue to configure options for the connection:
        o If you are connecting to a domain, click the Options tab, and then click to select the Include Windows logon domain check box to specify whether to request Windows Server 2003 logon domain information before trying to connect.
        o If you want the connection to be redialed if the line is dropped, click the Options tab, and then click to select the Redial if line is dropped check box.
        o On the Security tab, leave Require data encryption (disconnect if none) selected. On the Networking tab, if the server is L2TP-only, set Type of VPN to L2TP IPSec VPN rather than Automatic so that the client cannot silently fall back to PPTP.

    To use the connection, follow these steps:

    1. Click Start, point to Connect to, and then click the new connection.
    2. If you do not currently have a connection to the Internet, Windows offers to connect to the Internet.
    3. When the connection to the Internet is made, the VPN server prompts you for your user name and password. Type your user name and password, and then click Connect. Your network resources should then be available to you in the same way they are when you connect directly to the network.

    NOTE: To disconnect from the VPN, right-click the connection icon, and then click Disconnect.
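The client-side steps above can be driven and checked from the command line with rasdial, which is present on the Windows XP and Server 2003 clients this article targets. The batch file below is an added example, not part of the original article: it connects with the phonebook entry created above, checks that the tunnel was given an address from the server's pool, checks that an internal host answers through the tunnel, and then disconnects. The entry name "Head Office VPN", the pool prefix 192.168.50. and the internal host 192.168.10.5 are placeholders.

```batch
@echo off
rem Added example, not part of the original article: connect with the VPN
rem phonebook entry created in the client steps above, confirm the tunnel
rem received an address from the server's pool, confirm an internal host
rem answers through the tunnel, then disconnect.
rem Assumed placeholder values: entry "Head Office VPN", server pool
rem 192.168.50.x, internal file server 192.168.10.5.
setlocal
set "ENTRY=Head Office VPN"
set "POOL_PREFIX=192.168.50."
set "INTERNAL_HOST=192.168.10.5"

rem "*" makes rasdial prompt for the password instead of taking it on the
rem command line, so the password does not end up in the command history.
rem Add /domain:YOURDOMAIN when the account is a domain account.
rasdial "%ENTRY%" %USERNAME% *
if errorlevel 1 (
    echo Connection failed: RAS error %errorlevel%
    exit /b 1
)

rem The PPP adapter for the VPN should hold an address from the pool.
ipconfig | findstr /C:"%POOL_PREFIX%" >nul
if errorlevel 1 (
    echo Connected, but no address from %POOL_PREFIX%0/24 was assigned
    goto :cleanup
)

rem Reachability through the tunnel; ping.exe exits non-zero only when no
rem reply at all came back.
ping -n 2 %INTERNAL_HOST% >nul
if errorlevel 1 (
    echo Tunnel is up but %INTERNAL_HOST% does not answer; check routes and policy filters
    goto :cleanup
)
echo VPN connection verified; active connections:
rasdial

:cleanup
rasdial "%ENTRY%" /disconnect
endlocal
```

A non-zero exit from rasdial is the RAS error number, the same number the GUI dialog shows (for example 691 for a rejected user name or password, 800 when the server cannot be reached at all), which is the quickest way to map a failure onto the Troubleshooting causes below.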

    Troubleshooting

    Troubleshooting Remote Access VPNs

    Cannot Establish a Remote Access VPN Connection

    Cause: The name of the client computer is the same as the name of another computer on the network.

    Solution: Verify that the names of all computers on the network and computers connecting to the network are using unique computer names.


    Cause: The Routing and Remote Access service is not started on the VPN server.

    Solution: Verify the state of the Routing and Remote Access service on the VPN server.

    Cause: Remote access is not enabled on the VPN server.

    Solution: Enable remote access on the VPN server.

    Cause: PPTP or L2TP ports are not enabled for inbound remote access requests.

    Solution: Enable PPTP or L2TP ports, or both, for inbound remote access requests.

    Cause: The LAN protocols used by the VPN clients are not enabled for remote access on the VPN server.

    Solution: Enable the LAN protocols used by the VPN clients for remote access on the VPN server.

    Cause: All of the PPTP or L2TP ports on the VPN server are already being used by currently connected remote access clients or demand-dial routers.

    Solution: Verify whether all of the PPTP or L2TP ports on the VPN server are already being used. To do so, click Ports in Routing and Remote Access. If the number of PPTP or L2TP ports permitted is not high enough, change the number of PPTP or L2TP ports to permit more concurrent connections.

    Cause: The VPN server does not support the tunneling protocol of the VPN client.


    By default, Windows Server 2003 remote access VPN clients use the Automatic server type option, which means that they try to establish an L2TP over IPSec-based VPN connection first, and then they try to establish a PPTP-based VPN connection. If VPN clients use either the Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) server type option, verify that the selected tunneling protocol is supported by the VPN server.

    By default, a computer running Windows Server 2003 and the Routing and Remote Access service is a PPTP and L2TP server with five L2TP ports and five PPTP ports. To create a PPTP-only server, set the number of L2TP ports to zero. To create an L2TP-only server, set the number of PPTP ports to zero. Note that a client left on Automatic falls back to PPTP without warning whenever the L2TP/IPSec attempt fails (for example, because the certificate or pre-shared key is missing), so an L2TP-only server is the only way to guarantee that this downgrade cannot happen.

    Solution: Verify that the appropriate number of PPTP or L2TP ports is configured.

    Cause: The VPN client and the VPN server in conjunction with a remote access policy are not configured to use at least one common authentication method.

    Solution: Configure the VPN client and the VPN server in conjunction with a remote access policy to use at least one common authentication method.

    Cause: The VPN client and the VPN server in conjunction with a remote access policy are not configured to use at least one common encryption method.

    Solution: Configure the VPN client and the VPN server in conjunction with a remote access policy to use at least one common encryption method.


    Cause: The VPN connection does not have the appropriate permissions through dial-in properties of the user account and remote access policies.

    Solution: Verify that the VPN connection has the appropriate permissions through dial-in properties of the user account and remote access policies. For the connection to be established, the settings of the connection attempt must:
    o Match all of the conditions of at least one remote access policy.
    o Be granted remote access permission through the user account (set to Allow access), or through the user account (set to Control access through Remote Access Policy) together with the remote access permission of the matching remote access policy (set to Grant remote access permission).
    o Match all the settings of the profile.
    o Match all the settings of the dial-in properties of the user account.

    See the Windows Server 2003 Help and Support Center for an introduction to remote access policies, and for more information about how to accept a connection attempt. Click Start to access the Windows Server 2003 Help and Support Center.

    Cause: The settings of the remote access policy profile are in conflict with properties of the VPN server.

    The properties of the remote access policy profile and the properties of the VPN server both contain settings for:
    o Multilink.
    o Bandwidth allocation protocol (BAP).
    o Authentication protocols.

    If the settings of the profile of the matching remote access policy are in conflict with the settings of the VPN server, the connection attempt is rejected. For example, if the matching remote access policy profile specifies that the Extensible Authentication Protocol-Transport Level Security (EAP-TLS) authentication protocol must be used and EAP is not enabled on the VPN server, the connection attempt is rejected.

    Solution: Verify that the settings of the remote access policy profile are not in conflict with properties of the VPN server.

    See the Windows Server 2003 Help and Support Center for more information about multilink, BAP and authentication protocols. Click Start to access the Windows Server 2003 Help and Support Center.

    Cause: The VPN server cannot validate the credentials of the VPN client (user name, password, and domain name).

    Solution: Verify that the credentials of the VPN client (user name, password, and domain name) are correct and can be validated by the VPN server.

    Cause: There are not enough addresses in the static IP address pool.

    Solution: If the VPN server is configured with a static IP address pool, verify that there are enough addresses in the pool. If all of the addresses in the static pool have been allocated to connected VPN clients, the VPN server cannot allocate an IP address, and the connection attempt is rejected. If all of the addresses in the static pool have been allocated, modify the pool. See the Windows Server 2003 Help and Support Center for more information about TCP/IP and remote access, and how to create a static IP address pool.

    Cause: The VPN client is configured to request its own IPX node number and the VPN server is not configured to permit IPX clients to request their own IPX node number.

    Solution: Configure the VPN server to permit IPX clients to request their own IPX node number.

    Cause: The VPN server is configured with a range of IPX network numbers that are being used elsewhere on your IPX network.

    Solution: Configure the VPN server with a range of IPX network numbers that is unique to your IPX network.


    Cause: The authentication provider of the VPN server is improperly configured.

    Solution: Verify the configuration of the authentication provider. You can configure the VPN server to use either Windows authentication or Remote Authentication Dial-In User Service (RADIUS) to authenticate the credentials of the VPN client.

    Cause: The VPN server cannot access Active Directory.

    Solution: For a VPN server that is a member server in a mixed-mode or native-mode Windows Server 2003 domain that is configured for Windows authentication, verify that:
    o The RAS and IAS Servers security group exists. If not, create the group and set the group type to Security and the group scope to Domain local.
    o The RAS and IAS Servers security group has Read permission to the RAS and IAS Servers Access Check object.
    o The computer account of the VPN server computer is a member of the RAS and IAS Servers security group. You can use the netsh ras show registeredserver command to view the current registration. You can use the netsh ras add registeredserver command to register the server in a specified domain. If you add (or remove) the VPN server computer to the RAS and IAS Servers security group, the change does not take effect immediately (because of the way that Windows Server 2003 caches Active Directory information). To make this change take effect immediately, restart the VPN server computer.
    o The VPN server is a member of the domain.

    Cause: A Windows NT 4.0-based VPN server cannot validate connection requests.

    Solution: If VPN clients are dialing in to a VPN server running Windows NT 4.0 that is a member of a Windows Server 2003 mixed-mode domain, verify that the Everyone group is a member of the Pre-Windows 2000 Compatible Access group with the following command:

    net localgroup "Pre-Windows 2000 Compatible Access"

    If not, type the following command at a command prompt on a domain controller computer, and then restart the domain controller computer:

    net localgroup "Pre-Windows 2000 Compatible Access" everyone /add

    Be aware of what this grants: membership of Everyone in Pre-Windows 2000 Compatible Access gives every account (and, if Anonymous Logon is also a member, unauthenticated callers) read access to user and group attributes across the domain. Treat it as a compatibility measure for the NT 4.0 server only, and remove the membership once that server is retired.

    Cause: The VPN server cannot communicate with the configured RADIUS server.

    Solution: If you can reach your RADIUS server only through your Internet interface, add an input filter and an output filter to the Internet interface for the RADIUS ports your server uses:
    o UDP port 1812 for RADIUS authentication (based on RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)") and UDP port 1813 for RADIUS accounting (based on RFC 2139, "RADIUS Accounting"), or
    o UDP port 1645 for RADIUS authentication and UDP port 1646 for RADIUS accounting (for older RADIUS servers).

    Cause: Cannot connect to the VPN server over the Internet using the Ping.exe utility.

    Solution: Because of the PPTP and L2TP over IPSec packet filtering that is configured on the Internet interface of the VPN server, Internet Control Message Protocol (ICMP) packets used by the ping command are filtered out. To allow the VPN server to respond to ICMP (ping) packets, add an input filter and an output filter that permit traffic for IP protocol 1 (ICMP traffic). If all you need is for ping to work, restrict the filters to echo request inbound and echo reply outbound rather than opening the whole of ICMP.
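The two packet-filter fixes above (RADIUS through the Internet interface, and ICMP so the server answers ping) can be applied with the netsh routing ip context instead of the IP Routing > General > interface properties dialog. The batch file below is an added example and not part of the original article; it also runs the state checks worth doing before touching filters. The RRAS interface name "Internet", the RADIUS server address 203.0.113.20 (a documentation address) and the use of the RFC 2138/2139 ports are placeholders and assumptions; substitute 1645 and 1646 for an older RADIUS server.

```batch
@echo off
rem Added example, not part of the original article. Adds the packet filters
rem the two troubleshooting entries above call for, on the VPN server's
rem Internet-facing RRAS interface, after a few state checks.
rem Assumed placeholder values: RRAS interface "Internet", RADIUS server
rem 203.0.113.20, RFC 2138/2139 ports 1812/1813 (use 1645/1646 for an
rem older RADIUS server). Run as an administrator in cmd.exe on the server.
setlocal
set "IFACE=Internet"
set "RADIUS=203.0.113.20"

rem State checks: is the service running, which provider answers
rem authentication, which RADIUS server is configured, who is connected.
sc query RemoteAccess | findstr /C:"STATE"
netsh ras aaaa show authentication
netsh ras aaaa show authserver
netsh ras show client

rem RADIUS: replies arrive from the RADIUS server's port (input filter) and
rem requests leave towards it (output filter). In netsh filter syntax an
rem address of 0.0.0.0 with mask 0.0.0.0, or a port of 0, means "any".
for %%P in (1812 1813) do (
    netsh routing ip add filter name="%IFACE%" filtertype=input srcaddr=%RADIUS% srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=udp srcport=%%P dstport=0
    netsh routing ip add filter name="%IFACE%" filtertype=output srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%RADIUS% dstmask=255.255.255.255 proto=udp srcport=0 dstport=%%P
)

rem ICMP: permit only echo request in (type 8) and echo reply out (type 0),
rem which is all that ping needs, rather than the whole of IP protocol 1.
netsh routing ip add filter name="%IFACE%" filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=icmp type=8 code=0
netsh routing ip add filter name="%IFACE%" filtertype=output srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=icmp type=0 code=0

rem These entries only matter while the interface's default action is
rem "drop all except the listed", which the VPN wizard sets when it creates
rem the PPTP/L2TP filters. Show the resulting list for review.
netsh routing ip show filter name="%IFACE%"
endlocal
```

The script deliberately does not change the interface's default filter action: setting it to drop on an interface that lacks the wizard's PPTP/L2TP filters would cut off the VPN itself, so review the list it prints and add those filters first if they are missing.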

    Cannot Send and Receive Data

    Cause: The appropriate demand-dial interface has not been added to the protocol being routed.

    Solution: Add the appropriate demand-dial interface to the protocol being routed.

    Cause: There are no routes on both sides of the router-to-router VPN connection that support the two-way exchange of traffic.

    Solution: Unlike a remote access VPN connection, a router-to-router VPN connection does not automatically create a default route. Create routes on both sides of the router-to-router VPN connection so that traffic can be routed to and from the other side of the router-to-router VPN connection.

    You can manually add static routes to the routing table, or you can add static routes through routing protocols. For persistent VPN connections, you can turn on Open Shortest Path First (OSPF) or Routing Information Protocol (RIP) across the VPN connection. For on-demand VPN connections, you can automatically update routes through an auto-static RIP update. See Windows Server 2003 online Help for more information about how to add an IP routing protocol, how to add a static route, and how to perform auto-static updates.

    Cause: A two-way initiated, router-to-router VPN connection is being interpreted by the answering router as a remote access connection.

    Solution: If the user name in the credentials of the calling router appears under Dial-In Clients in Routing and Remote Access, the answering router may be interpreting the calling router as a remote access client. Verify that the user name in the credentials of the calling router matches the name of a demand-dial interface on the answering router. If the incoming caller is a router, the port on which the call was received shows a status of Active and the corresponding demand-dial interface is in a Connected state.

    Cause: Packet filters on the demand-dial interfaces of the calling router and answering router are preventing the flow of traffic.

    Solution: Verify that there are no packet filters on the demand-dial interfaces of the calling router and answering router that prevent the sending or receiving of traffic. You can configure each demand-dial interface with IP and IPX input and output filters to control the exact nature of TCP/IP and IPX traffic that is permitted into and out of the demand-dial interface.

    Cause: Packet filters on the remote access policy profile are preventing the flow of IP traffic.

    Solution: Verify that there are no configured TCP/IP packet filters on the profile properties of the remote access policies on the VPN server (or the RADIUS server if Internet Authentication Service is used) that are preventing the sending or receiving of TCP/IP traffic. You can use remote access policies to configure TCP/IP input and output packet filters that control the exact nature of TCP/IP traffic permitted on the VPN connection. Verify that the profile TCP/IP packet filters are not preventing the flow of traffic.

    Read more: http://newadmins.blogspot.com/search/label/Configuring%20VPN#ixzz1IHb6V5xZ
