Step 1: Setup requirements
To create a VPN, you will need three separate Windows 2003 servers and at least one remote client. The remote client's machine needs to be running Windows XP.
The first Windows 2003 server your VPN will need is basically an infrastructure server. It must act as a domain controller, DHCP server, DNS server and certificate authority. If you already have a Windows 2003 network in place, you don't need to go out and buy a server to fit this role.
Any Windows 2003 domain will already have at least one domain controller and one server acting as a DNS server. Most Windows 2003 networks are also running DHCP services. If you already have all these services in place, the only thing you will have to worry about is setting up a certificate authority (which I show you how to do in Step 3). For now, you just need to know that the server acting as a certificate authority must be running Windows Server 2003 Enterprise Edition.
The second server you will need is a VPN server. Windows Server 2003 Standard Edition and Enterprise Edition both ship with the necessary software. Therefore, you won't need any special software on this server. The only specific hardware this server needs is two NICs. One NIC will connect to the Internet and the other will connect to your private corporate network.
The final server you will need is an authentication server. When remote users attempt to access your corporate network through a VPN, they need to be authenticated. The mechanism of choice for authenticating remote users is a RADIUS server. RADIUS is an acronym standing for Remote Authentication Dial In User Service. Microsoft includes its own version of RADIUS in Windows Server 2003 Standard Edition and Enterprise Edition. The Microsoft version of RADIUS is called Internet Authentication Service (IAS). There are no special hardware or software requirements for this server.
The last thing that I want to talk about as part of this step in the tutorial is server placement. Each of the servers I have discussed will be connected to your private network via a hub or switch. The only server that will have any external connectivity is your VPN server. It is a security risk to connect the VPN server directly to the Internet though. It is best to place a firewall in front of the VPN server so you can filter out everything but VPN traffic.
In Step 2, we'll begin the domain configuration process. Your network should contain the required Windows Server 2003 domain controller and DNS server before moving on to the next step.
Step 2: Install and configure DHCP
- Open the server's Control Panel and select Add or Remove Programs.
- When the Add or Remove Programs dialog box appears, click the Add/Remove Windows Components button.
- Select the Networking Services option and then click Details.
- Now select Dynamic Host Configuration Protocol (DHCP) from the list of network services, then click OK, followed by Next.
Windows will now install the DHCP services. When the installation completes, you will have to create an address scope and authorize the DHCP server to function on your network.
- To do so, select the DHCP option from the Administrative Tools menu to open the DHCP console.
- Right click on your server within the DHCP console and select Authorize.
- After you authorize the DHCP server, right click on the server's listing within the console again and select New Scope. This will launch the New Scope Wizard.
- Click Next to bypass the wizard's welcome screen.
- Enter a name for the scope that you are creating then click Next. (You can call it anything you want, but for the purposes of this tutorial, I will be referring to the scope as 'Corporate Network.')
- You will now be asked to enter an IP address range. Just specify a start and end address that is consistent with the IP addressing scheme you are already using, but that does not overlap any existing addresses. The Length and Subnet Mask fields will be filled in for you automatically.
- The next three screens contain settings that you don't have to worry about. Just click Next three times until you reach the Router (Default Gateway) screen.
- Enter the IP address of your network's default gateway, click Add, then Next.
- Type in the name of your domain and the IP address of your DHCP server and click Next.
- Click Next again to skip the WINS configuration screen.
- Finally, verify that the Yes, I Want To Activate The Scope Now option is selected then click Next and Finish.
Step 3: Create an enterprise certificate authority
Before I show you how to create an enterprise certificate authority, I want to give you a few words of caution. Installing a certificate authority is not a process to be taken lightly. If someone gains unauthorized access to your certificate authority, that person pretty much owns your network. Likewise, if a certificate authority server crashes, it can be devastating to your network.
Therefore, protect your certificate authority server the way you would protect a nuclear bomb. Make sure that it is as secure as possible and that you perform full system backups frequently. You also want to protect those backups so they are not accidentally compromised.
- With that said, select Add/Remove Programs from the Control Panel and click the Add/Remove Windows Components button.
- Choose Certificate Services from the list of Windows components.
- You will see a warning message indicating that you won't be able to rename the machine or change its group membership after the certificate services are installed. Click Yes to acknowledge the warning and then click Next to begin installing the certificate authority.
- Choose Enterprise Root CA as the type of certificate authority you want to install and click Next.
You will now be prompted to enter a common name for the certificate authority. You must also select a certificate validity period. The default setting allows certificates to be valid for five years, but you can increase or decrease this time frame according to your own corporate security policy.
- Fill out these two items, then click Next. Windows will begin generating cryptographic keys.
- You will be prompted to enter a location for the certificate database. Select the default location (unless you want to place the databases onto a volume with better performance or fault tolerance) and click Next.
- You will now see a message indicating that Windows must restart the IIS services. Click 'Yes' and Windows will install the necessary components.
Step 4: Install IAS
IAS is the Windows Server 2003 implementation of RADIUS. The IAS server will authenticate users who enter your corporate network through the VPN connection. As such, your IAS server must be a member server in one of your domains and must be running Windows Server 2003.
- To install IAS, open the Control Panel and choose the Add/Remove Programs option.
- When the Add or Remove Programs dialog box appears, click Add/Remove Windows Components.
- Select the Networking Services option and click Details.
- Now, choose the Internet Authentication Service option.
- Click OK, followed by Next, to install IAS.
Step 5: Configure IAS
- Go to Administrative Tools -> Internet Authentication Service.
- From here, the first thing you need to do is to register your IAS server with Active Directory. To do so, right click on the Internet Authentication Service (Local) container and select Register Server in Active Directory.
- Click OK to complete the registration process.
- Now, right click on the RADIUS Clients container and select New RADIUS Client. If you happen to know the IP address or DNS name of one of your client machines, go ahead and enter it along with a friendly name. Otherwise, leave it for now, as we'll be filling it in later when we set up the client connections anyway.
- Click Next.
- You will now be prompted for a shared secret. The shared secret is a password known only to the RADIUS server and the RADIUS client; it is used to authenticate the RADIUS messages exchanged between them, so choose a long, random value and record it, because you will have to enter the same value on the VPN server in Step 7. Make sure that the Client Vendor option is set to RADIUS Standard, enter a shared secret, and click Finish.
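To show what the shared secret actually does on the wire, here is an added Python illustration (not part of the original tutorial) of the two places RFC 2865 uses it: hiding a User-Password attribute in an Access-Request, and computing the Response Authenticator that the VPN server checks on every reply from IAS. With the MS-CHAP v2 policy from Step 6 the password itself is not sent as User-Password, but the reply check still depends on the secret, so a guessable or mismatched secret breaks the trust between the VPN server and IAS. The secret, password and Request Authenticator below are constructed demo values.

```python
import hashlib
import hmac
import struct

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type-Length-Value (RFC 2865 section 5)."""
    return bytes([attr_type, len(value) + 2]) + value

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block
    with MD5(secret + previous block), seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden

def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password: what IAS does with its copy of the secret (a wrong secret yields garbage)."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret).
    Every Access-Accept or Access-Reject from the RADIUS server carries this value."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def reply_is_authentic(code: int, ident: int, attrs: bytes, request_auth: bytes,
                       secret: bytes, received_auth: bytes) -> bool:
    """The VPN server (the RADIUS client) should act on a reply only if this check passes;
    a reply hashed with a different secret, or with altered attributes, fails it."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received_auth)

if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", bytes(range(16))  # demo values; real clients use 16 random bytes
    hidden = hide_user_password(b"P@ssw0rd", secret, ra)
    print(reveal_user_password(hidden, secret, ra), reveal_user_password(hidden, b"typo", ra))
    accept = attr(18, b"welcome")  # Reply-Message inside a constructed Access-Accept (code 2)
    print(reply_is_authentic(2, 1, accept, ra, secret, response_authenticator(2, 1, accept, ra, secret)))
```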
Step 6: Create a remote access policy
- Right click on the Remote Access Policies container and select the New Remote Access Policy option. This will open the New Remote Access Policy Wizard.
- Click Next to bypass the wizard's Welcome screen.
- Verify that the Typical Policy for a Common Scenario option is selected and then enter 'VPN Access' as the policy name and click Next.
- Select the VPN option and click Next again.
- This screen gives you the opportunity to apply the policy to either users or groups. If you haven't already done so, I recommend taking a time out to create an Active Directory group based on users who will access the network through the VPN. You can then assign this group to the policy that you are creating.
- Click Next and you will see the Authentication Methods screen.
- Verify that MS-CHAP v2 is selected and click Next.
- Confirm that only the Strongest Encryption option is selected and click Next, followed by Finish.
Step 7: Configure the VPN server
- Begin by opening the server's Network Connections folder and renaming the connections to something more meaningful. For example, you might name the connections Corporate and Internet.
- Go to Administrative Tools -> Routing and Remote Access to open the Routing and Remote Access console.
- Right click on your VPN server in the console tree and select Configure and Enable Routing and Remote Access. This will launch the Routing and Remote Access Server Setup Wizard.
- Click Next to bypass the wizard's welcome screen. You will then see the wizard's configuration screen.
- Select Remote Access (Dial-Up or VPN) and click Next.
- Mark the VPN checkbox and click Next.
- You will now see a screen that displays your machine's network connections. Select the connection attached to the Internet, verify that the Enable Security checkbox is selected and click Next.
- Verify that Automatically is selected and click Next.
- Now choose the option to set the server up to work with a RADIUS Server and click Next.
- Enter the IP address of your RADIUS server and the shared secret that you assigned to the RADIUS Server.
- Click Next, then Finish.
Step 8: Associate the VPN server with the DHCP server
- Navigate through the console tree to your server -> IP Routing -> DHCP Relay Agent.
- Right click on the DHCP Relay Agent container and select Properties.
- Enter the IP address of your DHCP server and click Add, followed by OK.
Your VPN server is now configured. You're in the home stretch! All you need to do now is configure your clients to work with the VPN you have created.
Step 9: Configure the client
You may recall that we had to create a special security group for any user who is going to be accessing the network over the VPN connection. Therefore, I am assuming your remote users have been added to the necessary group and your client computers already have Internet access.
To allow a Windows XP client computer to access your private network, you must tell it to use a VPN connection.
- To do so, open the Control Panel and select the Network and Internet Connections option.
- Select the Create A Connection to the Network At Your Workplace option.
- Windows will now ask you if you want to create a dial-up connection or a VPN connection. Select the VPN option and click Next.
- At this point, you will see the Company Name prompt. Here you can enter the name of your company, the name of the server that you are connecting to, or anything else to describe the connection.
- Click Next. You will be prompted to enter the IP address of the server that you are connecting to. This will be the external IP address (the one connected to the Internet) of your VPN server.
- Click Next again, followed by Finish to create your connection.
Step 10: Test the client connection
- Double click on the connection in the list of available connections.
- You will be prompted for a username and password. Rather than entering your logon credentials, click the Properties button.
- In Properties, select the Networking tab.
- Set Type of VPN to PPTP VPN and click OK.
- You will be returned to the VPN logon screen. Enter your username in the domain/username format.
- Now enter your password and click Connect.
- There is a chance that you may be prompted as to which connection you want to use. If prompted, select the LAN Connection option.
- Once you are connected, go to Start -> Run and enter the \\servername\ROOT command.
You should see the contents of your server's C drive (assuming that you have the rights). Of course, it's rare that you would be directly accessing the server's C drive. More often, you would be accessing a specific share on the server. To do so, you would enter \\servername\sharename.
Step 11: Alternate VPN configuration options
In this step-by-step guide, I have outlined only one of maybe half a dozen different types of client VPN connections. There are many variations that involve different encryption or authentication techniques. You can read about these alternate client configurations here.