A virtual private network (VPN) allows you to connect components to a network via another network, such as the Internet. You can make your Windows 2000 Server-based computer a remote-access server so that other users can connect to it by using VPN, and then access shared files on your local drives or on your network. Virtual private networks accomplish this by "tunneling" through the Internet or another public network in a manner that provides the same security and features as a private network. With a VPN, connections across the public network can transfer data using the routing infrastructure of the Internet, but to the user it appears as though the data were being sent over a dedicated private link.
This article describes how to install virtual private networking (VPN) and how to create a new VPN connection in Windows 2000.
Overview of VPN
A virtual private network (VPN) is a means of connecting to a private network (such as your office network) by way of a public network, such as the Internet. This combines the virtues of a dial-up connection to a dial-up server with the ease and flexibility of an Internet connection. By using an Internet connection, you can travel worldwide and still, in most places, connect to your office with a local call to the nearest Internet access phone number. If you have a high-speed Internet connection (such as cable or DSL) at your computer (and at your office), you can communicate with your office at full Internet speed, which is much faster than any dial-up connection using an analog modem.
VPNs use authenticated links to ensure that only authorized users can connect to your network, and they use encryption to ensure that data that travels over the Internet can't be intercepted and used by others. Windows achieves this security using Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP).
VPN technology also allows a corporation to connect to its branch offices or to other companies over a public network (such as the Internet) while maintaining secure communications. The VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.
Components of a VPN
A VPN in Windows 2000 consists of a VPN server, a VPN client, a VPN connection (the portion of the connection in which the data is encrypted), and the tunnel (the portion of the connection in which the data is encapsulated). The tunneling is done through one of the tunneling protocols included with Windows 2000, both of which are installed with Routing and Remote Access. The two tunneling protocols included with Windows 2000 are:
- Point-to-Point Tunneling Protocol (PPTP): Provides data encryption using Microsoft Point-to-Point Encryption.
- Layer Two Tunneling Protocol (L2TP): Provides data encryption, authentication, and integrity using IPSec.
Your connection to the Internet should use a dedicated line such as T1, Fractional T1, or Frame Relay. The WAN adapter must be configured with the IP address and subnet mask assigned for your domain or supplied by an Internet service provider (ISP), as well as the default gateway of the ISP router.
NOTE: To enable VPN, you must be logged on using an account that has administrative rights.
How to Install and Enable VPN
To install and enable a VPN server, follow these steps:
1. On the Microsoft Windows 2000 VPN computer, confirm that both the connection to the Internet and the connection to your local area network (LAN) are correctly configured.
2. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
3. Click the server name in the tree, click Configure and Enable Routing and Remote Access on the Action menu, and then click Next.
4. In the Common Configurations dialog box, click Virtual private network (VPN server), and then click Next.
5. In the Remote Client Protocols dialog box, confirm that TCP/IP is included in the list, click Yes, all of the available protocols are on this list, and then click Next.
6. In the Internet Connection dialog box, select the network connection that connects the server to the Internet, and then click Next.
7. In the IP Address Assignment dialog box, select Automatically in order to use the DHCP server on your subnet to assign IP addresses to dial-up clients and to the server.
8. In the Managing Multiple Remote Access Servers dialog box, confirm that the No, I don't want to set up this server to use RADIUS now check box is selected.
9. Click Next, and then click Finish.
10. Right-click the Ports node, and then click Properties.
11. In the Ports Properties dialog box, click the WAN Miniport (PPTP) device, and then click Configure.
12. In the Configure Device - WAN Miniport (PPTP) dialog box, do one of the following:
   - If you do not want to support direct user dial-up VPN to modems installed on the server, click to clear the Demand-Dial Routing Connections (Inbound and Outbound) check box.
   - If you do want to support direct user dial-up VPN to modems installed on the server, click to select the Demand-Dial Routing Connections (Inbound and Outbound) check box.
13. Type the maximum number of simultaneous PPTP connections that you want to allow in the Maximum Ports text box. (This may depend on the number of available IP addresses.)
14. Repeat steps 11 through 13 for the L2TP device, and then click OK.
How to Configure the VPN Server
To further configure the VPN server as required, follow these steps.
Configuring the Remote Access Server as a Router
For the remote access server to forward traffic properly inside your network, you must configure it as a router with either static routes or routing protocols, so that all of the locations in the intranet are reachable from the remote access server.
To configure the server as a router:
- Click Start, point to Administrative Tools, and then click Routing and Remote Access.
- Right-click the server name, and then click Properties.
- On the General tab, click to select Enable This Computer As A Router.
- Select either Local area network (LAN) routing only or LAN and demand-dial routing, and then click OK to close the Properties dialog box.
How to Configure PPTP Ports
Confirm the number of PPTP ports that you need. To verify the number of ports or to add ports, follow these steps:
- Click Start, point to Administrative Tools, and then click Routing and Remote Access.
- In the console tree, expand Routing and Remote Access, expand the server name, and then click Ports.
- Right-click Ports, and then click Properties.
- In the Ports Properties dialog box, click WAN Miniport (PPTP), and then click Configure.
- In the Configure Device dialog box, select the maximum number of ports for the device, and then select the options to specify whether the device accepts incoming connections only, or both incoming and outgoing connections.
How to Manage Addresses and Name Servers
The VPN server must have IP addresses available in order to assign them to the VPN server's virtual interface and to VPN clients during the IP Control Protocol (IPCP) negotiation phase of the connection process. The IP address assigned to the VPN client is assigned to the virtual interface of the VPN client.
For Windows 2000-based VPN servers, the IP addresses assigned to VPN clients are obtained through DHCP by default. You can also configure a static IP address pool. The VPN server must also be configured with name resolution servers, typically DNS and WINS server addresses, to assign to the VPN client during IPCP negotiation.
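To make the IPCP phase concrete, the following Python models the server side of the negotiation described above. It is example code added to this article, not part of the original Microsoft text and not Windows' own implementation; it follows the option formats of RFC 1332 (IP-Address) and RFC 1877 (DNS and NBNS/WINS server options). The client sends a Configure-Request with 0.0.0.0 for the options it wants the server to supply, the server answers Configure-Nak with the values it assigns from a static pool and its fixed name servers, and acknowledges once the client requests exactly those values. The pool, DNS and WINS addresses are constructed sample values. The same model shows why the number of PPTP and L2TP ports is bounded by the address pool: once the pool is empty a new client cannot complete IPCP.

```python
"""IPCP negotiation (RFC 1332 IP-Address, RFC 1877 DNS/NBNS options) modelled
from the VPN server side. A client that wants the server to supply its address
and name servers sends 0.0.0.0 in a Configure-Request; the server answers with
Configure-Nak carrying the assigned values and Configure-Ack once the client
requests exactly those values. Example code, not Windows' implementation."""
import ipaddress
import struct

CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4   # PPP control codes (RFC 1661)
OPT_IP_ADDRESS = 3                                    # RFC 1332
OPT_PRIMARY_DNS, OPT_PRIMARY_NBNS = 129, 130          # RFC 1877; NBNS is the WINS server
OPT_SECONDARY_DNS, OPT_SECONDARY_NBNS = 131, 132
ADDRESS_OPTIONS = {OPT_IP_ADDRESS, OPT_PRIMARY_DNS, OPT_PRIMARY_NBNS,
                   OPT_SECONDARY_DNS, OPT_SECONDARY_NBNS}
UNASSIGNED = "0.0.0.0"                                # "please assign one for me"


def addr_option(opt_type, address):
    """Encode a 6-byte address option: type, length (6), four address bytes."""
    return struct.pack("!BB4s", opt_type, 6, ipaddress.IPv4Address(address).packed)


def build_packet(code, ident, encoded_options):
    """IPCP packet: code, identifier, 16-bit total length, then the option bytes."""
    body = b"".join(encoded_options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_packet(data):
    """Return (code, identifier, [(type, value)]). Address options are decoded to
    dotted strings; any other option keeps its raw bytes. Malformed lengths raise."""
    if len(data) < 4:
        raise ValueError("short IPCP packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("IPCP length field does not match packet size")
    options, pos = [], 4
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated option header")
        opt_type, opt_len = data[pos], data[pos + 1]
        if opt_len < 2 or pos + opt_len > length:
            raise ValueError("bad option length")
        value = data[pos + 2:pos + opt_len]
        if opt_type in ADDRESS_OPTIONS:
            if opt_len != 6:
                raise ValueError("address option must be exactly 6 bytes")
            value = str(ipaddress.IPv4Address(value))
        options.append((opt_type, value))
        pos += opt_len
    return code, ident, options


class AddressPoolExhausted(Exception):
    """No free address for a new client: the connection cannot complete IPCP."""


class VpnServerIpcp:
    """Assigns client addresses from a static pool plus fixed DNS and WINS servers
    (constructed stand-in for the RRAS server's address pool and name-server settings)."""

    def __init__(self, pool, dns, wins):
        self.free = list(pool)
        self.fixed = {OPT_PRIMARY_DNS: dns, OPT_PRIMARY_NBNS: wins}
        self.leased = {}                                  # peer_id -> assigned address

    def handle(self, data, peer_id):
        code, ident, options = parse_packet(data)
        if code != CONF_REQ:
            raise ValueError("expected Configure-Request")
        nak, rej = [], []
        for opt_type, value in options:
            if opt_type == OPT_IP_ADDRESS:
                assigned = self.leased.get(peer_id)
                if assigned is None:
                    if not self.free:
                        raise AddressPoolExhausted(peer_id)
                    assigned = self.free.pop(0)
                    self.leased[peer_id] = assigned
                if value != assigned:                     # 0.0.0.0, or an address we did not give out
                    nak.append(addr_option(opt_type, assigned))
            elif opt_type in self.fixed:
                if value != self.fixed[opt_type]:
                    nak.append(addr_option(opt_type, self.fixed[opt_type]))
            elif opt_type in ADDRESS_OPTIONS:             # e.g. secondary servers we do not offer
                rej.append(addr_option(opt_type, value))
            else:                                         # option this server does not negotiate
                rej.append(struct.pack("!BB", opt_type, 2 + len(value)) + value)
        if rej:
            return build_packet(CONF_REJ, ident, rej)     # Reject takes precedence over Nak
        if nak:
            return build_packet(CONF_NAK, ident, nak)
        return build_packet(CONF_ACK, ident, [addr_option(t, v) for t, v in options])


def negotiate(server, peer_id, first_ident=1):
    """Client side of the round trip: ask with 0.0.0.0, adopt what the server Naks,
    and return (final code, {option type: value}) once the server Acks."""
    wanted = {OPT_IP_ADDRESS: UNASSIGNED, OPT_PRIMARY_DNS: UNASSIGNED, OPT_PRIMARY_NBNS: UNASSIGNED}
    for attempt in range(4):
        request = build_packet(CONF_REQ, first_ident + attempt,
                               [addr_option(t, v) for t, v in wanted.items()])
        code, _, options = parse_packet(server.handle(request, peer_id))
        if code != CONF_NAK:
            return code, dict(options)
        wanted.update(options)                            # take the server's suggestions
    raise RuntimeError("IPCP negotiation did not converge")
```

A server built as `VpnServerIpcp(["10.0.5.10", "10.0.5.11"], "10.0.1.2", "10.0.1.3")` will Nak the first request from a client with the first pool address and the name servers, Ack the second, and raise `AddressPoolExhausted` for a third client: the practical reason the Maximum Ports value in the port configuration steps should not exceed the addresses the pool or DHCP scope can supply.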
How to Manage Access
Configure the dial-in properties on user accounts and remote access policies to manage access for dial-up networking and VPN connections.
NOTE: By default, users are denied access to dial-up.
Access by User Account
If you are managing remote access on a user basis, click Allow Access on the Dial-In tab of the user's Properties dialog box for those user accounts that are allowed to create VPN connections. If the VPN server allows only VPN connections, delete the default remote access policy called "Allow Access If Dial-In Permission Is Enabled." Then create a new remote access policy with a descriptive name, such as VPN Access If Allowed By User Account. For more information, see Windows 2000 Help.
CAUTION: After you delete the default policy, a dial-up client that does not match at least one of the policy configurations you create will be denied access.
If the VPN server is also allowing dial-up remote access services, do not delete the default policy, but move it so that it is the last policy to be evaluated.
Access by Group Membership
If you are managing remote access on a group basis, click the Control access through remote access policy radio button on all user accounts by using the Active Directory Users and Computers console in Administrative Tools or the MMC snap-in. Create a Windows 2000 group with members who are allowed to create VPN connections. If the VPN server allows only VPN connections, delete the default remote access policy called Allow Access If Dial-In Permission Is Enabled. Next, create a new remote access policy with a descriptive name such as VPN Access If Member Of VPN-Allowed Group, and then assign the Windows 2000 group to the policy.
If the VPN server also allows dial-up networking remote access services, do not delete the default policy; instead move it so that it is the last policy to be evaluated.
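The two access models above, and the CAUTION about deleting the default policy, come down to how Windows 2000 evaluates remote access policies: policies are checked in order, the first policy whose conditions all match decides the attempt, and an attempt that matches no policy is rejected; the account's Dial-In setting (Allow Access or Deny Access) overrides the matched policy's permission, while Control access through remote access policy defers to it. The following Python is an added example that models that evaluation for both the per-user and per-group setups; it is not part of the original article and not Windows' own code. The policy names are the ones the article suggests, and the users, groups and connection attempts are constructed.

```python
"""Remote access policy evaluation as Windows 2000 RRAS applies it. Policies are
checked in order; the first one whose conditions all match decides the attempt;
an attempt matching no policy is rejected. The user account's Dial-In setting
(Allow Access, Deny Access, or Control access through remote access policy)
either overrides the matched policy's permission or defers to it."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Account Dial-In tab settings
ALLOW, DENY, BY_POLICY = "allow", "deny", "control-by-policy"
VPN_TUNNELS = {"PPTP", "L2TP"}


@dataclass
class Policy:
    name: str
    conditions: List[Callable[[Dict], bool]]   # all must hold for the policy to match
    grant: bool                                 # the policy's own remote access permission

    def matches(self, attempt: Dict) -> bool:
        return all(cond(attempt) for cond in self.conditions)


def evaluate(policies: List[Policy], attempt: Dict) -> Tuple[bool, Optional[str]]:
    """Return (granted, name of the deciding policy); (False, None) when no policy matches."""
    for policy in policies:
        if not policy.matches(attempt):
            continue
        setting = attempt["account_dialin"]
        if setting == ALLOW:
            return True, policy.name
        if setting == DENY:
            return False, policy.name
        return policy.grant, policy.name        # BY_POLICY: the policy decides
    return False, None                          # the CAUTION case: nothing matched


# Policy conditions (constructed for this example)
def is_vpn(attempt: Dict) -> bool:
    return attempt["tunnel_type"] in VPN_TUNNELS


def in_vpn_group(attempt: Dict) -> bool:
    return "VPN-Allowed" in attempt["groups"]


def any_time(attempt: Dict) -> bool:          # the default policy's day-and-time condition
    return True


# Default Windows 2000 policy: matches every attempt and grants nothing by
# itself, so only accounts set to Allow Access get in through it.
DEFAULT_POLICY = Policy("Allow Access If Dial-In Permission Is Enabled", [any_time], grant=False)


def per_user_policies(server_allows_dialup: bool) -> List[Policy]:
    """Access by user account: a VPN-only server replaces the default policy;
    a server that also takes dial-up calls keeps it, evaluated last."""
    policies = [Policy("VPN Access If Allowed By User Account", [is_vpn], grant=False)]
    if server_allows_dialup:
        policies.append(DEFAULT_POLICY)
    return policies


def per_group_policies(server_allows_dialup: bool) -> List[Policy]:
    """Access by group membership: every account is set to BY_POLICY and the
    VPN-Allowed group is assigned to the policy that grants access."""
    policies = [Policy("VPN Access If Member Of VPN-Allowed Group", [in_vpn_group], grant=True)]
    if server_allows_dialup:
        policies.append(DEFAULT_POLICY)
    return policies


def attempt(user: str, tunnel_type: str, account_dialin: str, groups=()) -> Dict:
    """Constructed connection-attempt attributes as the server would see them."""
    return {"user": user, "tunnel_type": tunnel_type,
            "account_dialin": account_dialin, "groups": set(groups)}
```

Running `evaluate(per_user_policies(False), attempt("carol", "dial-up", ALLOW))` returns `(False, None)`: on a VPN-only server with the default policy deleted, a dial-up caller matches nothing and is refused even though the account says Allow Access, which is exactly what the CAUTION warns about. With `per_user_policies(True)` the same attempt falls through to the default policy, evaluated last, and is granted.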
How to Configure a VPN Connection from a Client Computer
To set up a connection to a VPN:
- On the client computer, confirm that the connection to the Internet is correctly configured.
- Click Start, point to Settings, and then click Network And Dial-Up Connections.
- Double-click Make New Connection.
- Click Next, and then click Connect To A Private Network Through The Internet, and then click Next.
- Do one of the following:
  - If you use a dial-up connection to connect to the Internet, click Automatically Dial This Initial Connection and then select your dial-up Internet connection from the list.
  - If you use a full-time connection (such as a cable modem), click Do Not Dial The Initial Connection.
- Click Next.
- Type the host name (for example, Microsoft.com) or the IP address (for example, 123.123.123.123) of the computer to which you want to connect, and then click Next.
- Click to select For All Users if you want the connection to be available to anyone who logs on to the computer, or click to select Only For Myself to make it available only when you log on to the computer, and then click Next.
- Type a descriptive name for the connection, and then click Finish.
NOTE: This option is available only if you are logged on as a member of the Administrators group.
- Click Start, point to Settings, and then click Network And Dial-Up Connections.
- Double-click the new connection.
- Click Properties to further configure options for the connection:
  - If you are connecting to a domain, click the Options tab, and then click to select the Include Windows logon domain check box to specify whether to request Windows 2000 logon domain information before attempting to connect.
  - If you want the connection to be redialed if the line is dropped, click the Options tab, and then click to select the Redial if line is dropped check box.
To use the connection:
- Click Start, point to Settings, and then click Network And Dial-Up Connections.
- Double-click the new connection.
- If you do not currently have a connection to the Internet, Windows offers to connect to the Internet.
- Once the connection to the Internet is made, the VPN server prompts you for your user name and password. Enter your user name and password, click Connect, and your network resources should be available to you in the same way they are when you connect directly to the network.
NOTE: To disconnect from the VPN, right-click the connection's icon, and then click Disconnect.