Summary Virtual Private Networks (VPN) allow users working at home, on the road or at a branch office to connect in a secure manner to a remote corporate server using the public Internet. VPN server or host is a computer that accepts VPN connections from VPN clients. A VPN server or host can be a NT/W2K server or W2K/XP Pro. VPN client is a computer that initiates a VPN connection to a VPN server or host. A VPN client can be an individual computer running MS Windows NT version 4.0, Windows 2000, 9x. VPN clients can also be any non-Microsoft Point-to-Point Tunneling Protocol (PPTP) client or Layer Two Tunneling Protocol (L2TP) client using IPSec. Basic VPN Requirement User Permission. Enable a user to access the VPN. To do this, go to AD Users and Computers, select the user who need to access the VPN, click Dial-in. Check Allow access on the Remote Access Permission (Dial-in or VPN). IP Configuration. The VPN server should have a static IP address and assign the arrange IP addresses to VPN clients. The VPN server must also be configured with DNS and WINS server addresses to assign to the VPN client during the connection. Data Encryption. Data carried on the public network should be rendered unreadable to unauthorized clients on the network. Protocol Support. The TCP/IP is common protocols used in the public network. The VPN also include IP, Internetwork Packet Exchange (IPX), NetBEUI and so on. Firewall Ports. When you place a VPN server behind your firewall, be sure to enable IP protocol 47 (GRE) and TCP port 1723. Interface(s) for VPN server. If your network doesn't have a router or the VPN is also a gateway, your computer must have at least two interfaces, one connecting to the Internet and another connecting to the LAN. If it is behind a router, you just need one NIC. One interface for VPN client. The interface can be a dial-in modem, or a dedicated connection to the Internet. Still need help, contact consultant Q: Can I setup my VPN client as a router to direct all local computers traffic to the VPN. A: No, you need to setup site to site VPN. Can't ping computer name when using VPN If you have name resolution issue when using VPN, check the PPTP filtering on the server. If you disable UDP ports 137 and 138 or TCP port 139, NetBIOS packets can't pass through the network. You also need to enable these ports on all firewalls and routers that are between the client and the server for unicast (point-to-point) traffic. Configure RRAS tracing When you need to monitor the activities of RRA and Dial-Up Networking components, use the tracing functionality to configure RRA and Dial-Up Networking components to log tracing information to a file. You can make RRA and Dial-Up Networking tracing available by either configuring the registry or using the netsh command. How to add DNS and WINS into your Cisco VPN server If your VPN client cannot find servers or cannot ping computernmae, you may need to add DNS and WINS into your VPN server. For example, to add DNS and WINS on a Cisco Firewall PIX, add vpdn group 1 client configuation dns dnsservername and vpdn group 1 client configuration wins winsservername.. How to assign a static IP to VPN client If you have Windows 2003 server as VPN server, you can assign a static IP under user's properties. If you use other Windows OS as VPN server, you may do create a DHCP reservation. How to connect to a Windows domain using Windows VPN at startup If you are running w2k/xp pro setup for a domain controller, you will have a option to "log on using dial-up connection" on logon screen after creating a VPN/dial-up connection. In the Log On to Windows dialog box, the user can select the Log on using dial- up connection check box. After clicking OK, the user is prompted to choose a network connection. How to configure VPN Packet Filters When you setup the RRAS, a set of default Input and Output Filters on the external adapter on the VPN server will be created. If you aren't running your server in a highly secure environment, you can comfortably place the server outside the firewall and restrict incoming VPN traffic to PPTP packets only. To display and mortify these filters, go to Routing and Remote Access>IP Routing>General, and then you can add or edit the packet filters of the dedicated Local Area Connection. Or to enable PPTP filtering from Control Panel, select the Network applet, Protocols, TCP/IP Protocols, the WAN adapter, Advanced. Then, select the Enable PPTP Filtering check box, as Screen 1 shows. When you enable PPTP filtering, the server will refuse all non-PPTP requests. How do I set up a modem to dial into a remote compute You need to install your modem from the control panel if you haven't already, and you need to set up the dialup networking server on your remote computer. (This is included with Win98, NT4 and w2k/xp. On Win95 it is in the Plus! pack, but you need to get an update to version 1.3 or later from Microsoft's site. At the time of writing it can be found here.) You can enable the dialup server from the 'Connections' menu of the dial- up networking window. If it isn't there, or if you've updated the dialup networking as mentioned above, you need to install it using the Windows Setup section of 'Add/Remove Programs' in the control panel. How many inbound dial-in connections are supported W2K server supports 256 inbound dial-in connections while w2k pro supports 1. How to create an incoming networking connection You can configure an incoming connection to accept the following connection types: (modem, ISDN, X.25), VPN (PPTP, L2TP), or direct (serial, infrared, DirectParallel). On a computer running Windows 2000, 2003 or XP Pro, an incoming connection can accept up to three incoming calls, up to one of each of these types. Note: on a computer running Windows 2000/2003 Server, the number of inbound calls is only limited by the computer and its hardware configuration. To create VPN connection, open Networking Connections>New Connection Wizard>Set up an advanced connection>Accept incoming connections, then follow the instruction. How to establish VPN connection automatically 1. You can run rasdial.exe as a service by using instsrv.exe 2. Add rasdial.exe into startup. 3. Create IPSec VPN if you have static IP. How to manage IP assignment on RRAS Open RRAS, right-click on the RRAS server>Properties>IP. You will have two options, DHCP and Static address pool. How to schedule to connect and disconnect a VPN You can use rasdial command plus scheduler. How to setup VPN server on 2003 server You may have two options to setup VPN server on Windows 2003. 1) Create an incoming networking connection if you have small network or you want to setup one PC to PC VPN; 2) If you have large numbers of incoming connections on a server that operates as part of a distributed network or as a domain controller, you should use RRA to create a VPN server. How to setup VPN on w2k server with one NIC Symptoms: When attempting to create VPN on w2k server with one NIC, you may receive "You have chosen the last available connection as the Internet connection. A VPN server required that one connection be used as the private network connection" if you select the NIC. 1. You should highlight No internet connection instead of the NIC or LAN connection. 2. You may try "Manually configured server option". How to use PPTP through a Cisco PIX In order to use PPTP through a PIX, you must have a one-to-one mapping from the external IP to an internal IP for type 47 GRE packets and port 1723. How to configure W2K server as VPN server To setup a Windows 2000 server for VPN, open Routing and Remote Access console in the Administrative Tools folder, right-click the server and then click Configure and Enable Routing and Remote Access>Virtual private network [VPN] server. Click Next if TCP/IP is only protocol you will use. Select a connection you will connect to on the Internet Connection. You will have two options to assign IP to VPN clients. The default is Automatically. It is recommended to configure the server to assign client addresses from a static address pool, rather than assigning addresses from a DHCP server. If you configure RAS to assign client addresses from a static address pool, clients inherit the DNS and WINS settings from the RAS server. If your RAS server can browse the network, clients should also be able to browse the network with the same settings. If you prefer DHCP, verify that DHCP scope option 44 (WINS/NetBIOS name server) points to the WINS server and scope option 6 shows the address of your DNS server. When you don't define these options, you almost guarantee problems with client browsing. Finally, you can select using RADIUS or not. NOTE: If VPN traffic is traveling through a router or firewall, configure the router or firewall to pass PPTP (TCP Port 1723 and IP Protocol ID 47 [GRE - Generic Routing Encapsulation]) or L2TP over IPSec (UDP Port 500 and IP Protocol ID 50 [Encapsulating Security Payload]) traffic to and from the VPN server. How to configure Win 2000/XP Pro as VPN host Prior to Windows 2000/XP Pro, you must add PPTP on NT 4.0 Server to establish VPN connections. With the release of Windows 2000/XP Pro, you have the ability to run a Windows 2000/XP Pro as a VPN host. However, Windows 2000/XP Pro enables only one VPN connection at a time and requires Internet Protocol (IP). Before you start the VPN configuration, you should have a equipment (modem, T1, Frame Relay, ADSL, or cable modem) connecting to the Internet. Also make sure you have correct TCP/IP settings on the W2K/XP. To setup Win XP (in our case) Pro as VPN host, go to the Properties of My Network Places>Create a New Connections>Set up a Advanced Connection>Accept Incoming Connections. On the Devices for Incoming Connections dialog box, do not select any device, only click Next and check Allow Private Connections, and then clickNext. On the Allowed Users dialog box, select or add all users for whom you want to enable access. The accounts have to exist on both computers that are involved in establishing the VPN connection. On the New Connection Wizard, File and Printer Sharing for Microsoft Networks, Internet Protocol (TCP/IP) and Client for Microsoft Networks should be listed as networking components. By default, Allow callers to access my local area network and Assign TCP/IP address automatically using DHCP are checked. If you would like to keep the default settings, click Next to continue. Now, the Incoming Connection icon should show on Incoming section under the Properties of My Network Places and is ready to use. How to configure a W2K/XP as VPN client To connect to a VPN server, you should have a dail-in modem or a dedicated connection to the Internet. To setup a XP client to access the VPN host, go to theProperties of My Network Places>Create a New Connections>Connect to the network at my workplace>Virtual Private Network connection. Type Computer that will be showed as connection name in VPN section, select Do not dial the initial connection and then type the VPN host IP. You have two options to create this connection for anyone or for yourself. How to configuring a multihomed VPN server If the VPN server has two network cards, one for the LAN and one for the WAN, leave the gateway on the LAN adapter blank. In the gateway field of the WAN network interface, enter the TCP/IP address that your ISP defines; the gateway address usually points to a router at your ISP. It is recommend you manually enter the TCP/IP address, DNS and WINS for the LAN NIC instead of using DHCP. Incoming Connection or RRAS You can create an incoming connection on a computer acting as a remote access server if it is running Windows 2000, XP Pro. or if it is a stand-alone computer runningWindows 2000/2003 Server. For large numbers of incoming connections on a computer running Windows 2000/2003 Server as a router or as a domain controller, or a member of a domain, you should use Routing and Remote Access to create a remote access server. Logon script with VPN To run logon script while establishing a VPN, you may have two options. 1) create a batch including rasdial.exe plus mapping. 2) Use Microsoft CMAK Manage VPN connections To manage VPN logon time, permissions, disconnect if idle for certain minutes, maximum session other constraints, use Remote Access Policies under RRAS. Security on Windows VPN Server A Windows 2000 VPN server is installed with a default set of Input and Output filters on the external adapter. These filters support PPTP, L2TP, and IPSec connectivity only and block other traffic.. However, the filters can be modified. To modify the filters, go to RRAS>IP Routing>General, right-click the external adapter and select Properties. Which ports need to be opened for running VPN A: PPTP VPN uses TCP Port 1723, IP Protocol 47 (GRE); L2TP: UDP Port 1701; IPSec: UDP Port 500, Pass IP protocol 50 and 51. Note: 47 is a protocol number and not TCP port. The protocol name is GRE. It'll make a big difference when configuring your firewall or router. What statements are required to allow a VPN inbound past my Cisco PIX? The following example is a simple PPTP access list: access-list 110 permit tcp any host x.x.x.x eq 1723 access-list 110 permit gre any host x.x.x.x Note: 1. x.x.x.x is outside ip. 2. If you use 6.3.1, you will need to enable fixup protocol pptp 1723. Why doesn't my w2k/xp have "log on using dial-up connection" option on the logon screen 1. You must create a VPN or dial-up connection. 2. Your administrator may disable this option. 3. If the computer is not a member of a domain, the Log on using dial-up connectioncheck box does not appear.
Pages to are hidden for
"VPN Summary"Please download to view full document