Takeaway: Set up a Windows Server 2003-based PPTP virtual private network (VPN) with this
step-by-step installation and configuration guide.
Sometimes, simplicity is the best choice for both a technology solution and the corresponding
tutorial that explains how to use the new solution. In this document, I will provide a clear, concise,
systematic procedure for getting a Windows Server 2003-based PPTP VPN up and running. I'm
using Windows Server 2003 with Service Pack 1 for this guide.
On the third screen of the wizard, entitled Server Role, you're presented with a list of available
roles for your server along with a column that indicates whether or not a particular role has been
assigned to this machine. Figure A shows you a screen from a server on which just the IIS Web
server role has been added.
Figure A
To add the Remote Access/VPN Server role to your server, select that role and click the Next
button to move on to the next screen in the wizard, which provides you with a quick overview of
the options you selected.
Figure B
Take note: This selection just starts another wizard called the Routing and Remote Access
Wizard, described further below.
The second screen in this wizard is a lot meatier and asks you to decide what kind of remote
access connection you want to provide. Since the goal here is to set up a PPTP-based VPN, select
the "Virtual Private Network VPN and NAT" selection and click Next.
Figure C
The next screen of the wizard, entitled VPN Connection, asks you to determine which network
adapter is used to connect the system to the Internet. For VPN servers, you should install and use
a separate network adapter for VPN applications. Network adapters are really cheap and
separation makes the connections easier to secure. In this example, I've selected the second local
area network connection (see Figure D), a separate NIC from the one that connects this server to
the network. Notice the checkbox labeled "Enable security on the selected interface by setting up
Basic Firewall" underneath the list of network interfaces. It's a good idea to enable this option since it
helps to protect your server from outside attack. A hardware firewall is still a good idea, too.
Figure D
Select the network adapter that connects your server to the Internet
With the selection of the Internet-connected NIC out of the way, you need to tell the RRAS wizard
which network external clients should connect to in order to access resources. Notice that the
adapter selected for Internet access is not an option here.
Figure E
Just like every other client out there, your external VPN clients will need IP addresses that are
local to the VPN server so that the clients can access the appropriate resources. You have two
options (really three; I'll explain in a minute) for handling the doling out of IP addresses.
First, you can leave the work up to your DHCP server and make the right configuration changes
on your network equipment for DHCP packets to get from your DHCP server to your clients.
Second, you can have your VPN server handle the distribution of IP addresses for any clients that
connect to the server. To make this option work, you give your VPN server a range of available IP
addresses that it can use. This is the method I prefer since I can tell at a glance exactly from where
a client is connecting. If they're in the VPN "pool" of addresses, I know they're remote, for
example. So, for this setting, as shown in Figure F below, I prefer to use the "From a specified
range of addresses" option. Make your selection and click Next.
Figure F
If you select the "From a specified range of addresses" option on the previous screen, you now
have to tell the RRAS wizard exactly which addresses should be reserved for distribution to VPN
clients. To do this, click the New button on the Address Range Assignment screen. Type in the
starting and ending IP addresses for the new range and click OK. The "Number of addresses" field
will be filled in automatically based on your entry. You can also just enter the starting IP address
and the number of IP addresses you want in the pool. If you do so, the wizard automatically
calculates the ending IP address. Click OK in the New Address Range window; your entry appears
in the Address Range Assignment window. Click Next to continue.
Figure G
You can have multiple address ranges, as long as they are all accessible
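The address-pool reasoning above, as an added example that is not part of the original article: it derives the end address from a start and a count as the wizard does, checks the pool against a DHCP scope so the two cannot hand out the same address, and tags source addresses as remote or local. The pool, DHCP scope and log records are constructed sample values, and all function names are hypothetical.

```python
import ipaddress

def pool_from_start_count(start, count):
    """Mirror the wizard: derive the end address from a start and a count."""
    if count < 1:
        raise ValueError("pool needs at least one address")
    first = ipaddress.IPv4Address(start)
    return first, first + (count - 1)

def pool_size(pool):
    """Inclusive size of a (first, last) pair, like 'Number of addresses'."""
    first, last = pool
    if last < first:
        raise ValueError("end address is below start address")
    return int(last) - int(first) + 1

def overlaps(a, b):
    """True if two inclusive ranges share any address."""
    return a[0] <= b[1] and b[0] <= a[1]

def in_pool(addr, pools):
    """True if addr falls inside any of the configured VPN ranges."""
    ip = ipaddress.IPv4Address(addr)
    return any(first <= ip <= last for first, last in pools)

def classify(lines, pools):
    """Tag each 'user, source_ip' record as remote (VPN pool) or local."""
    result = []
    for line in lines:
        user, ip = (field.strip() for field in line.split(","))
        result.append((user, ip, "remote" if in_pool(ip, pools) else "local"))
    return result

# Constructed sample values (assumptions, not from the article).
VPN_POOL = pool_from_start_count("192.168.10.200", 20)
DHCP_SCOPE = (ipaddress.IPv4Address("192.168.10.50"),
              ipaddress.IPv4Address("192.168.10.199"))
SAMPLE_LOG = [
    "alice, 192.168.10.75",
    "bob, 192.168.10.200",
    "carol, 192.168.10.219",
    "dave, 192.168.10.220",
]

if __name__ == "__main__":
    print("pool:", VPN_POOL[0], "-", VPN_POOL[1], "size", pool_size(VPN_POOL))
    print("overlaps DHCP scope:", overlaps(VPN_POOL, DHCP_SCOPE))
    for row in classify(SAMPLE_LOG, [VPN_POOL]):
        print(*row)
```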
The next screen asks you to identify the network that has shared access to the Internet. This is
generally the same network that your VPN users will use to access shared resources.
Figure H
Pick the network adapter that gives you access to the Internet
Authenticating users to your network is vital to the security of your VPN infrastructure. The
Windows VPN service provides two means for handling this chore. First, you can use RADIUS,
which is particularly useful if you have other services already using RADIUS. Or, you can just let
the RRAS service handle the authentication duties itself. Give users access to the VPN services by
enabling dial-in permissions in the user's profile (explained below). For this example, I will not be
using RADIUS, but will allow RRAS to directly authenticate incoming connection requests.
Figure I
That's it for the RRAS wizard! You're provided with a summary screen that details the selections
you made.
Figure J
This also completes the installation of the Remote Access/VPN Server role.
User configuration
By default, users are not granted access to the services offered by the VPN; you need to grant
these rights to each user that you want to allow remote access to your network. To do this, open
Active Directory Users and Computers (for domains) or Computer Management (for standalone
networks), and open the properties page for a user to whom you'd like to grant access to the VPN.
Select that user's Dial-In properties page. On this page, under Remote Access Permissions, select
"Allow access". Note that there are a lot of different ways to "dial in to" a Windows Server 2003
system; a VPN is but one method. Other methods include wireless networks, 802.1x, and dial-up.
This article assumes that you're not using the Windows features for these other types of networks.
If you are, and you specify "Allow access", a user will be able to use multiple methods to gain
access to your system. I can't go over all of the various permutations in a single article, however.
Figure K
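Because "Allow access" is set per user and covers every dial-in method, it is worth reviewing which accounts carry it. The following added example (not from the original article) reads an LDIF export of user objects and reports each account's dial-in state, flagging disabled accounts that still have "Allow access". It assumes the export contains the sAMAccountName, userAccountControl and msNPAllowDialin attributes; the sample records and function names are constructed.

```python
ACCOUNTDISABLE = 0x2  # userAccountControl bit set on disabled accounts

# Constructed LDIF sample (assumption, not data from the article).
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512
msNPAllowDialin: TRUE

dn: CN=Bob Example,CN=Users,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 514
msNPAllowDialin: TRUE

dn: CN=Carol Example,CN=Users,DC=example,DC=test
sAMAccountName: carol
userAccountControl: 512
msNPAllowDialin: FALSE

dn: CN=Dave Example,CN=Users,DC=example,DC=test
sAMAccountName: dave
userAccountControl: 512
"""

def parse_ldif(text):
    """Yield one dict per record. Folded lines (leading space) are joined;
    base64 values written as 'attr:: value' are not decoded."""
    unfolded = text.replace("\n ", "")
    for block in unfolded.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, _, value = line.partition(":")
                rec[key.strip().lower()] = value.strip()
        if rec:
            yield rec

def dialin_report(text):
    """Map account -> (dial-in state, disabled-but-still-allowed flag)."""
    report = {}
    for rec in parse_ldif(text):
        setting = rec.get("msnpallowdialin")
        # Attribute absent: access is left to remote access policy.
        state = {"TRUE": "allow", "FALSE": "deny"}.get(setting, "policy/unset")
        disabled = bool(int(rec.get("useraccountcontrol", "0")) & ACCOUNTDISABLE)
        name = rec.get("samaccountname", rec.get("dn", "?"))
        report[name] = (state, state == "allow" and disabled)
    return report
```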
Up and running
These are the steps needed on the server to get a VPN up and running. Of course, if you have
devices such as firewalls between your VPN server and the Internet, further steps may be
required; these are beyond the scope of this article, however.