Virtual Private Networks (VPN) allow users working at home, on the road or at a branch office to connect in a secure manner to a remote corporate server using the public Internet. VPN server or host is a computer that accepts VPN connections from VPN clients. A VPN server or host can be a NT/W2K server or W2K/XP Pro. VPN client is a computer that initiates a VPN connection to a VPN server or host. A VPN client can be an individual computer running MS Windows NT version 4.0, Windows 2000, 9x. VPN clients can also be any non-Microsoft Point-to-Point Tunneling Protocol (PPTP) client or Layer Two Tunneling Protocol (L2TP) client using IPSec.

If you have name resolution issue when using VPN, check the PPTP filtering on the server. If you disable UDP ports 137 and 138 or TCP port 139, NetBIOS packets can't pass through the network. You also need to enable these ports on all firewalls and routers that are between the client and the server for unicast (point-to-point) traffic.

When you need to monitor the activities of RRA and Dial-Up Networking components, use the tracing functionality to configure RRA and Dial-Up Networking components to log tracing information to a file. You can make RRA and Dial-Up Networking tracing available by either configuring the registry or using the netsh command.

If your VPN client cannot find servers or cannot ping computernmae, you may need to add DNS and WINS into your VPN server. For example, to add DNS and WINS on a Cisco Firewall PIX, add vpdn group 1 client configuation dns dnsservername and vpdn group 1 client configuration wins winsservername..

If you have Windows 2003 server as VPN server, you can assign a static IP under user's properties. If you use other Windows OS as VPN server, you may do create a DHCP reservation.

If you are running w2k/xp pro setup for a domain controller, you will have a option to "log on using dial-up connection" on logon screen after creating a VPN/dial-up connection. In the Log On to Windows dialog box, the user can select the Log on using dial-up connection check box. After clicking OK, the user is prompted to choose a network connection.

When you setup the RRAS, a set of default Input and Output Filters on the external adapter on the VPN server will be created. If you aren't running your server in a highly secure environment, you can comfortably place the server outside the firewall and restrict incoming VPN traffic to PPTP packets only. To display and mortify these filters, go to Routing and Remote Access>IP Routing>General, and then you can add or edit the packet filters of the dedicated Local Area Connection. Or to enable PPTP filtering from Control Panel, select the Network applet, Protocols, TCP/IP Protocols, the WAN adapter, Advanced. Then, select the Enable PPTP Filtering check box, as Screen 1 shows. When you enable PPTP filtering, the server will refuse all non-PPTP requests.

How do I set up a modem to dial into a remote compute

You need to install your modem from the control panel if you haven't already, and you need to set up the dialup networking server on your remote computer. (This is included with Win98, NT4 and w2k/xp. On Win95 it is in the Plus! pack, but you need to get an update to version 1.3 or later from Microsoft's site. At the time of writing it can be found here.) You can enable the dialup server from the 'Connections' menu of the dial-up networking window. If it isn't there, or if you've updated the dialup networking as mentioned above, you need to install it using the Windows Setup section of 'Add/Remove Programs' in the control panel.

You can configure an incoming connection to accept the following connection types: (modem, ISDN, X.25), VPN (PPTP, L2TP), or direct (serial, infrared, DirectParallel). On a computer running Windows 2000, 2003 or XP Pro, an incoming connection can accept up to three incoming calls, up to one of each of these types. Note: on a computer running Windows 2000/2003 Server, the number of inbound calls is only limited by the computer and its hardware configuration.

To create VPN connection, open Networking Connections>New Connection Wizard>Set up an advanced connection>Accept incoming connections. Click Next without selecting modem or other devices if you try to setup PPTP VPN. Then follow the instruction.

1. You can run rasdial.exe as a service by using instsrv.exe
2. Add rasdial.exe into startup.
3. Create IPSec VPN if you have static IP.

Open RRAS, right-click on the RRAS server>Properties>IP. You will have two options, DHCP and Static address pool.

You may have two options to setup VPN server on Windows 2003. 1) Create an incoming networking connection if you have small network or you want to setup one PC to PC VPN; 2) If you have large numbers of incoming connections on a server that operates as part of a distributed network or as a domain controller, you should use RRA to create a VPN server. Also refer to How to setup Windows 2003 as VPN server with one NIC

Symptoms: When attempting to create VPN on w2k server with one NIC, you may receive "You have chosen the last available connection as the Internet connection. A VPN server required that one connection be used as the private network connection" if you select the NIC.

1. You should highlight No internet connection instead of the NIC or LAN connection.
2. You may try "Manually configured server option".

In order to use PPTP through a PIX, you must have a one-to-one mapping from the external IP to an internal IP for type 47 GRE packets and port 1723.

To setup a Windows 2000 server for VPN, open Routing and Remote Access console in the Administrative Tools folder, right-click the server and then click Configure and Enable Routing and Remote Access>Virtual private network [VPN] server. Click Next if TCP/IP is only protocol you will use. Select a connection you will connect to on the Internet Connection. You will have two options to assign IP to VPN clients. The default is Automatically. It is recommended to configure the server to assign client addresses from a static address pool, rather than assigning addresses from a DHCP server. If you configure RAS to assign client addresses from a static address pool, clients inherit the DNS and WINS settings from the RAS server. If your RAS server can browse the network, clients should also be able to browse the network with the same settings. If you prefer DHCP, verify that DHCP scope option 44 (WINS/NetBIOS name server) points to the WINS server and scope option 6 shows the address of your DNS server. When you don't define these options, you almost guarantee problems with client browsing. Finally, you can select using RADIUS or not.

NOTE: If VPN traffic is traveling through a router or firewall, configure the router or firewall to pass PPTP (TCP Port 1723 and IP Protocol ID 47 [GRE - Generic Routing Encapsulation]) or L2TP over IPSec (UDP Port 500 and IP Protocol ID 50 [Encapsulating Security Payload]) traffic to and from the VPN server.

How to configure Win 2000/XP Pro as VPN host

Prior to Windows 2000/XP Pro, you must add PPTP on NT 4.0 Server to establish VPN connections. With the release of Windows 2000/XP Pro, you have the ability to run a Windows 2000/XP Pro as a VPN host. However, Windows 2000/XP Pro enables only one VPN connection at a time and requires Internet Protocol (IP).

Before you start the VPN configuration, you should have a equipment (modem, T1, Frame Relay, ADSL, or cable modem) connecting to the Internet. Also make sure you have correct TCP/IP settings on the W2K/XP.

To setup Win XP (in our case) Pro as VPN host, go to the Properties of My Network Places>Create a New Connections>Set up a Advanced Connection>Accept Incoming Connections. On the Devices for Incoming Connections dialog box, do not select any device, only click Next and check Allow Private Connections, and then click Next. On the Allowed Users dialog box, select or add all users for whom you want to enable access. The accounts have to exist on both computers that are involved in establishing the VPN connection. On the New Connection Wizard, File and Printer Sharing for Microsoft Networks, Internet Protocol (TCP/IP) and Client for Microsoft Networks should be listed as networking components. By default, Allow callers to access my local area network and Assign TCP/IP address automatically using DHCP are checked. If you would like to keep the default settings, click Next to continue. Now, the Incoming Connection icon should show on Incoming section under the Properties of My Network Places and is ready to use.

How to configure a W2K/XP as VPN client

To connect to a VPN server, you should have a dail-in modem or a high speed Internet connection. To setup a XP client to access the VPN host, go to the Properties of My Network Places>Create a New Connections>Connect to the network at my workplace>Virtual Private Network connection. Type Computer that will be showed as connection name in VPN section, select Do not dial the initial connection and then type the VPN host IP. You have two options to create this connection for anyone or for yourself.

How to configuring a multihomed VPN server

If the VPN server has two network cards, one for the LAN and one for the WAN, leave the gateway on the LAN adapter blank. In the gateway field of the WAN network interface, enter the TCP/IP address that your ISP defines; the gateway address usually points to a router at your ISP. It is recommend you manually enter the TCP/IP address, DNS and WINS for the LAN NIC instead of using DHCP.

Incoming Connection or RRAS

You can create an incoming connection on a computer acting as a remote access server if it is running Windows 2000, XP Pro. or if it is a stand-alone computer running Windows 2000/2003 Server. For large numbers of incoming connections on a computer running Windows 2000/2003 Server as a router or as a domain controller, or a member of a domain, you should use Routing and Remote Access to create a remote access server.

Logon script with VPN

To run logon script while establishing a VPN, you may have two options. 1) create a batch including rasdial.exe plus mapping. 2) Use Use Microsoft CMAK.

Manage VPN connections

To manage VPN logon time, permissions, disconnect if idle for certain minutes, maximum session other constraints, use Remote Access Policies under RRAS.

Security on Windows VPN Server

A Windows 2000 VPN server is installed with a default set of Input and Output filters on the external adapter. These filters support PPTP, L2TP, and IPSec connectivity only and block other traffic.. However, the filters can be modified. To modify the filters, go to RRAS>IP Routing>General, right-click the external adapter and select Properties.

A: PPTP VPN uses TCP Port 1723, IP Protocol 47 (GRE); L2TP: UDP Port 1701; IPSec: UDP Port 500, Pass IP protocol 50 and 51. Note: 47 is a protocol number and not TCP port. The protocol name is GRE. It'll make a big difference when configuring your firewall or router.

access-list 110 permit tcp any host x.x.x.x eq 1723
access-list 110 permit gre any host x.x.x.x

Note: 1. x.x.x.x is outside ip. 2. If you use 6.3.1, you will need to enable fixup protocol pptp 1723.

1. You must create a VPN or dial-up connection.
2. Your administrator may disable this option.
3. If the computer is not a member of a domain, the Log on using dial-up connection check box does not appear.

Summary

How to establish VPN connection automatically

How to configure Win 2000/XP Pro as VPN host

How to configure a W2K/XP as VPN client

How to configuring a multihomed VPN server

Security on Windows VPN Server