Setting up a VPN with Windows 2000

What you need to know before you plug in a VPN

Have you heard about the magical benefits of the virtual private network? Are you ready to test its merits in your remote access infrastructure? If so, you’ll be happy to hear that Windows 2000 provides an excellent VPN platform, especially for connecting small remote offices and supporting telecommuters from their home offices. You’ll be amazed at how easy the basic setup of a VPN has become with Windows 2000. At the same time, Win2K offers dramatic improvements in functionality and security over the bare-bones VPN of Windows NT.

In this article, we’ll examine what hardware and software you'll need for your VPN, explain how to configure a VPN server on your corporate network, and show you how to configure telecommuters to make a VPN connection to the corporate LAN. We’ll focus on the basics of VPN setup, but we won’t touch on advanced topics, such as setting up a server-to-server VPN with a remote office network, setting up Remote Access Policies, or configuring your VPN connection to pass through firewalls and proxy servers. With this in mind, let’s get started on configuring your Windows 2000 remote access VPN.

Preparing the infrastructure
The first thing you need to consider is the hardware requirements for your VPN server. Remember that Windows 2000 by itself requires substantial hardware resources. In an enterprise environment, you will want your VPN server to be a dedicated server with nothing but Windows 2000 Server or Windows 2000 Advanced Server running on the machine. For this configuration, I would recommend at least a 450-MHz Pentium III with at least 256 megabytes of RAM. For a small business or branch office with fewer than 100 users and fewer than 20 remote access connections, you can use a 300-MHz (or better) Pentium II or Celeron machine with at least 128 megabytes of RAM.

Your server will need to have two network cards. One card will connect to the Internet and the other will connect to the local area network. As you’ve probably realized, this means your VPN server is actually functioning as more of a VPN router than as a server. It authenticates the users, creates the secure tunnel, and then, like any router, allows users to access resources on the subnet to which they are connecting or to another subnet, based on routing tables. Keep in mind that this can include non-Windows resources such as NetWare and UNIX servers.

The final major consideration is your Internet connection. Using a VPN server can mean that you’ll be able to get rid of many of your phone lines that are currently dedicated to RAS. However, in one sense, this is robbing Peter to pay Paul, because you’ll probably need to consider increasing the Internet bandwidth at your corporate office. This will depend on how much bandwidth you have to begin with, what your current utilization is, and the number of users and remote offices that will be connecting to your VPN server. Also, VPN works best if you have an always-on Internet connection at your corporate network. If you have a dial-up Internet connection, the only VPN solution I would recommend would be a server-to-server connection between your corporate office and a remote office.

Configuring the VPN server
Once you’ve dealt with the hardware issues, you need to install Windows 2000 Server and the latest Service Pack on your machine. Make sure you don’t install other unnecessary services, such as DNS, DHCP, and IIS. Also avoid loading any additional third-party software, except for things that are absolutely necessary such as backup agents.

During installation, you should choose to statically assign IP addresses. You’ll need to set up one network card with a true Internet IP address and the default gateway of your Internet router. The other network card should have an IP address assigned to the local network, and it should not contain a default gateway.

You’ll also need to set the domain/workgroup for your VPN server. This setting will depend on how you decide to do authentication. There are three basic options: The VPN server can authenticate users locally, you can use Windows 2000 domain security, or you can pass authentication to a RADIUS server. If you have the VPN server authenticate users locally, you’ll want to set up a workgroup just for the VPN server—something like “Internet.” If you want to use Active Directory and have a Windows 2000 domain controller handle authentication, have the VPN server join a Windows 2000 domain. If you’re going to have a cluster of VPN servers, you may want to use a RADIUS server (such as Microsoft’s Internet Authentication Service) to perform VPN authentication. In this example, we’ll have the VPN server authenticate users locally.

Once you have Windows 2000 Server installed, go to Start | Programs | Administrative Tools | Routing And Remote Access to pull up the RRAS Microsoft Management Console, shown in Figure A. Then, click on the icon with the name of your server and click Action | Configure And Enable Routing And Remote Access. This will launch a wizard that sets up a new server. Select Manually Configured Server, which will take you into RRAS to begin your configuration. You may be tempted to select the VPN option in the wizard, but please control yourself. The VPN wizard is still a little quirky, and it’s much better to configure the few basic VPN settings in RRAS manually so you'll know how to troubleshoot and tweak them in the future.

Figure A
RRAS Microsoft Management Console

Start the configuration by right-clicking on the icon with the name of your VPN server and selecting Properties. This will bring up the main options you’ll use to activate your VPN server. In the General tab, shown in Figure B, make sure that you have checked the Router and Remote Access Server selections and that the LAN And Demand-Dial Routing option is selected under Router. Switch to the Security tab and select Windows Authentication if the VPN server is doing its own authentication or if you’re using a Windows domain for authentication. If you’re using a RADIUS server, choose RADIUS Authentication. As for PPP and Event Logging, you can leave the default settings or tweak them to your preferences.

Figure B
General tab in the Properties dialog box

The settings in the IP tab, shown in Figure C, are very important. You’ll want to check Enable IP Routing and Allow IP-based Remote Access And Demand-Dial Connections, and then configure IP Address Assignment for DHCP or assign a static address pool (in the subnet you want clients to connect on). Set the Adapter option to the adapter that connects to your LAN. The settings in the IP tab are crucial because they regulate the IP and network information that incoming VPN clients will receive. In most cases, I would recommend using DHCP to assign IP information to your VPN clients. This is especially effective when using the same DHCP server that clients on your LAN use to receive their IP information. VPN users can also receive static IPs, as you will see when we get to client configuration.

Figure C
Settings in the IP tab

After completing the VPN server properties, there are only a few more settings to configure. If you did opt to use DHCP, you’ll need to right-click on DHCP Relay Agent (a container under IP Routing), select Properties, and add the IP address of the DHCP server(s) for your local area network. After that, right-click on Ports and select Properties, and you should see the default configuration of 10 PPTP ports, 10 L2TP ports, and 1 Parallel port, as shown in Figure D.
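The addressing rules above (a true Internet address plus the Internet router as default gateway on one card, a LAN address with no default gateway on the other) and the IP tab and DHCP Relay Agent settings in this section are easy to get subtly wrong before the server ever goes live. The following check is an added example, not part of the article or of RRAS: it validates a plan written down as a dictionary, whose keys and sample addresses are constructed assumptions, and it does not read anything from a real server.

```python
import ipaddress

# RFC 1918 ranges: the LAN card belongs here, the Internet card must be outside them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_vpn_plan(plan):
    """Return the rule violations in a two-NIC RRAS addressing plan (empty list = consistent)."""
    problems = []
    inet = ipaddress.ip_interface(plan["internet_if"])
    lan = ipaddress.ip_interface(plan["lan_if"])
    # Internet-facing card: true Internet address plus the Internet router as default gateway.
    if any(inet.ip in net for net in RFC1918):
        problems.append("Internet card must carry a true Internet address, not an RFC 1918 one")
    gw = plan.get("internet_gateway")
    if gw is None:
        problems.append("Internet card needs the Internet router as its default gateway")
    elif ipaddress.ip_address(gw) not in inet.network:
        problems.append("Internet default gateway is outside the Internet card's subnet")
    # LAN card: private address, no default gateway, a subnet distinct from the Internet side.
    if not any(lan.ip in net for net in RFC1918):
        problems.append("LAN card should use an RFC 1918 address")
    if plan.get("lan_gateway") is not None:
        problems.append("LAN card must not have a default gateway")
    if lan.network.overlaps(inet.network):
        problems.append("LAN and Internet subnets overlap")
    # Client addressing: DHCP needs relay targets on the LAN side; a pool must sit in the LAN subnet.
    if plan["assignment"] == "dhcp":
        relays = plan.get("dhcp_relay", [])
        if not relays:
            problems.append("DHCP assignment chosen but no DHCP Relay Agent server configured")
        for r in relays:
            if ipaddress.ip_address(r) in inet.network:
                problems.append(f"DHCP relay target {r} sits on the Internet side")
    elif plan["assignment"] == "pool":
        first, last = (ipaddress.ip_address(a) for a in plan["static_pool"])
        if first not in lan.network or last not in lan.network:
            problems.append("static pool must lie in the LAN subnet clients connect on")
        elif first <= lan.ip <= last:
            problems.append("static pool includes the LAN card's own address")
    else:
        problems.append("assignment must be 'dhcp' or 'pool'")
    return problems

# Constructed sample plans (not from the article): one follows the rules, one breaks two of them.
GOOD_PLAN = {"internet_if": "203.0.113.10/29", "internet_gateway": "203.0.113.9",
             "lan_if": "192.168.10.1/24", "lan_gateway": None,
             "assignment": "dhcp", "dhcp_relay": ["192.168.10.5"]}
BAD_PLAN = {"internet_if": "203.0.113.10/29", "internet_gateway": "203.0.113.9",
            "lan_if": "192.168.10.1/24", "lan_gateway": "192.168.10.254",
            "assignment": "pool", "static_pool": ["192.168.20.100", "192.168.20.150"]}
```

`check_vpn_plan(GOOD_PLAN)` returns an empty list, while `BAD_PLAN` is flagged for the LAN default gateway and for a static pool that is not in the LAN subnet.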

Figure D
The Ports Properties dialog box

You can leave the default Parallel port alone, but you can double-click on the PPTP and L2TP ports and configure the number of ports you need for these protocols. You want to make sure that there are enough ports for all of your users and remote servers, but you don’t want to enable more ports than you need. Keep in mind that Windows 2000 Professional is currently the only client that supports L2TP, so most clients will connect using PPTP. While L2TP is destined to become the new standard in VPN, this article will focus on making connections using the simpler and more universal PPTP protocol.

Configuring remote clients
You have now completed all of the basic steps for preparing a VPN server on your corporate network. Now, let’s take a look at how to connect a remote client. In this example, I’ll focus on the best VPN client, Windows 2000 Professional. You can also make good VPN connections with Windows NT 4.0 and Windows 98, but they aren’t nearly as fast or as functional as Win2K Pro. However, before any client can connect to your VPN server, you need to grant the user’s account remote access permission.

If your VPN server is authenticating users locally, set up user remote access permissions by going to Start | Programs | Administrative Tools | Computer Management | Local Users And Groups | Users and double-clicking a user (or creating a username) that you want to enable for remote access. Next, select the Dial-In tab, shown in Figure E, and select the Allow Access option. As you get more advanced with VPN, you can select Control Access Through Remote Access Policy and use Remote Access Policies for greater control and security. The Dial-In tab also lets you set up users to receive a static IP address, rather than receiving their IP information from DHCP when they connect.

Figure E
Options in the Dial-In tab

On a Windows 2000 Professional machine with an Internet connection, connecting to a corporate VPN server is simple. First, click Start | Settings | Network And Dial-up Connections | Make New Connection. Click Next to begin the wizard, and then select Connect To A Private Network Through The Internet. At the next prompt, you’ll need to specify how to connect to the Internet. If you have an “always-on” connection, such as a DSL or cable modem, choose Do Not Dial The Initial Connection. If you have a dial-up connection, choose Automatically Dial This Connection and select your Internet dial-up connection from the list. Now, you’ll need to select your Destination Address, which will be the fully qualified domain name or IP address of your VPN server. Choose whether the connection will be accessible For All Users or Only For Myself. Then, name the connection (I suggest something like Office VPN) and click Finish. Now, when you open Network And Dial-up Connections, you’ll notice the Office VPN icon, as shown in Figure F.

Figure F
The Network And Dial-up Connections window

Right-click on the Office VPN icon and click Properties. This will bring up your client VPN options, which you’ll use to troubleshoot and adjust settings in the future. Now you can double-click the Office VPN icon to display a login screen, shown in Figure G. Enter a username and password for a user who has remote access permission and click Connect. If you have an always-on Internet connection, this should bring up a dialog box to follow along with the authentication steps. If you have a dial-up connection, you should see the dial-up connection triggered first (you may have to hit Connect for that one and then hit Connect again for the VPN connection), and then you will see the dialog box showing the VPN authentication process.

Figure G
The Office VPN login screen

This article has provided a primer for setting up a VPN using Windows 2000. We’ve focused on VPN as a remote access solution for telecommuters, but the scope of VPN in Windows 2000 extends far beyond the basic concepts reviewed here. If you’re ready to pilot a Windows 2000 VPN in your enterprise, I recommend further study on VPN concepts and troubleshooting by consulting Microsoft’s VPN Web site.