
Setup For virtual private networking servers

To allow VPN clients access to your network, you will need to set up a VPN server that is
attached to your internal network as well as to the Internet, as shown in the figure below. This
is commonly done by connecting one network interface card (NIC) in the VPN server to your
company network, and connecting another network card to the Internet. The Internet
connection can be a dedicated line such as a cable modem, DSL, a dial-up connection, or an
ISDN link. See the “Connecting Your Network to the Internet” guide to learn about configuring
the external Internet connection.

In this document, for the purposes of setting up a VPN gateway, we assume your Windows
2000-based server is connected to the LAN and has a dedicated DSL connection to the
Internet.

We also assume the ISP has pre-assigned a static public IP address that is associated with
the external NIC. The internal NIC that connects our VPN server to the private network has a
statically configured IP address that is excluded from your DHCP address pool. Please review
the DHCP scope configuration section of the “Upgrading a Windows NT Domain to Windows
2000 Active Directory” deployment guide for more details.

Windows 2000 supports two types of remote access VPN technology: Point-to-Point Tunneling
Protocol (PPTP) and Layer 2 Tunneling Protocol over IP Security (L2TP/IPSec). This guide
focuses on providing basic VPN remote access through PPTP. L2TP/IPSec requires advanced
knowledge of encryption and authentication technologies, including public key infrastructure
(PKI), and is not covered in this guide. For more information on using L2TP and IPSec, please
see the Windows 2000 Server Help and the Windows 2000 Resource Kit.

Enable Remote Access on an Internet Connection Server


The “Connecting Your Network to the Internet” guide configures a Windows 2000 Server as an
Internet connection server that provides access to the Internet and shares this connection with
local area network clients. This Internet connection server can be enabled as a remote access
server.

Open the Routing and Remote Access tool from the Administrative Tools folder on the Start
Menu.

Right click on the server name (ex. LITWARE-1) and select Properties.

Check the Remote Access Server box and click OK.

Your Internet connection server is now capable of handling remote access and VPN. Click Finish
to complete the configuration.

Configuring Remote Access Services

To configure a dial-up RAS and VPN gateway on a Windows 2000 Server

1. Open the Routing and Remote Access tool from the Administrative Tools folder on the
Start Menu.

When you open the tool for the first time, you will see your server name listed in the left side
with the instructional text in the right pane.

To run a wizard to configure your server, right click on the server name and choose Configure
and Enable Routing and Remote Access.

You will see a Welcome screen next, click Next.

You are then shown a list of common configurations to choose from.


Choose Remote Access Server and click Next. The “Virtual private network (VPN) server” option is
used to create a dedicated virtual private networking server. Since we are creating a server that
supports both Dial-up and VPN, we will use the Remote access server option.

You will see a list of networking protocols for remote clients. Since you will already have TCP/IP
networking configured on your network with the DHCP and DNS servers that were set up
previously when you set up Active Directory, TCP/IP will be already listed in the Protocols list. Click
Next.

Since this server is going to be a virtual private networking server and it has two network cards
installed, you will be prompted for which network connection to assign remote clients to. Select the
network connection for your local network (not the one connected to the Internet) and click Next.

Next you will be prompted about IP Address assignment. You should use the default option of
Automatically, since the server will use the existing DHCP to assign IP addresses to your remote
access clients when they connect. Click Next.

Now you will be prompted about using a RADIUS server for authentication. RADIUS servers can
be used to manage authentication and remote access group policy. For this guide, we use Active
Directory to authenticate remote clients. Choose the default of No and click Next.

The final screen will tell you that you have successfully configured your server for remote access.
Click Finish.

Congratulations. You have successfully configured a remote access and virtual private
networking server. The wizard automatically configures all your modems and ISDN adapters to
be available for remote users. It also configures your server for five PPTP and five L2TP/IPSec
connections. The figure below shows a server configured using the wizard with default options
when it had an ISDN adapter installed and eight modems on a multi-port serial board.
Note: Because VPN with L2TP requires that machine certificates be installed, this particular configuration will not
support L2TP connections. Setting up advanced VPN is beyond the scope of this guide. For the purposes of this
guide, we focus on PPTP VPN connections. If you do not plan on using L2TP, it is best to remove support for L2TP
using the following instructions.

If you do not plan to support virtual private networking at this time, you can change the default
settings and remove support for L2TP and PPTP. Also, you can increase the number of allowed
PPTP connections. You can even set certain modems to only be available for dial-in if you want to
use some of the modems for other purposes such as accepting faxes using Microsoft Fax. This is
configured by right clicking on Ports and choosing Properties.

You can select each modem port and click Configure. You can enable or disable each modem or
ISDN port for inbound remote access connections. For PPTP or L2TP, you can click on either one
and choose Configure. Then you can set the number of allowed connections and enable or
disable them completely.
Note: To remove inbound support for L2TP connections as discussed earlier, configure the WAN Miniport (L2TP)
properties as shown below.

After configuring these options, your server is ready to accept connections from remote access
clients using dial-up or virtual private networking. All you have to do now is enable remote access
permissions for the users that you want to allow to connect.

Setting remote access permissions

To allow remote users to connect to your network using virtual private networking or dial-up
networking, you will need to allow them to connect by giving them access privileges.

• Open Active Directory Users and Computers from the Administrative Tools folder on the
Start Menu.

• Click on the Users folder under your domain name, shown here as litware.net.

• Right click on the user you want to enable remote access permissions for, and choose
Properties. In this case, the user is named “Ras User”

• Click on the Dial-in tab. You now see where you can select to Allow or Deny
remote access permissions into your network for any user by changing the setting you
see below.
You can also set other advanced settings here for each user. For more information on using
any of the other options shown here, please see the Windows 2000 Help.
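The Allow/Deny choice on the Dial-in tab is stored in the user object's msNPAllowDialin attribute, so the set of accounts permitted to reach the gateway can be inventoried from the directory rather than by opening each user. The script below is an added example, not part of this guide; it assumes a domain controller or admin workstation with the ActiveDirectory PowerShell module, and the litware.net search base is the guide's example domain.

```powershell
# Added example (not from the guide): audit per-user remote access permission.
# The Dial-in tab writes msNPAllowDialin: $true = Allow access,
# $false = Deny access, not set = "Control access through Remote Access Policy".
# Assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function Get-DialInPermissionReport {
    param(
        # Constructed example value based on the guide's litware.net domain.
        [string]$SearchBase = "CN=Users,DC=litware,DC=net"
    )
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties msNPAllowDialin |
        ForEach-Object {
            $v = $_.msNPAllowDialin
            # Avoid 'switch' here: switching on $null runs no branch at all.
            $state = if ($null -eq $v) { 'PolicyControlled' }
                     elseif ($v)       { 'Allow' }
                     else              { 'Deny' }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Enabled        = $_.Enabled
                DialIn         = $state
                # Hygiene flag: explicit Allow left on a disabled account.
                Review         = ($state -eq 'Allow' -and -not $_.Enabled)
            }
        }
}

# Usage: list every account with an explicit Allow (the gateway's exposed
# user set), then warn about stale grants that should be cleaned up.
$report = Get-DialInPermissionReport
$report | Where-Object { $_.DialIn -eq 'Allow' } | Format-Table -AutoSize
$report | Where-Object { $_.Review } | ForEach-Object {
    Write-Warning "$($_.SamAccountName) is disabled but still set to Allow access"
}
```

Accounts reported as PolicyControlled are governed by the server's remote access policy, so an empty Allow list does not by itself mean nobody can connect.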
