In the good old networking days, life as a network administrator was simple. The only users you had to worry about connecting to your network were the ones in your building. Users at other locations had their own networks with another network administrator to take care of them. Users working from home or on the road couldn’t access network resources, but had to transport floppies, so you didn’t have to worry about them either.

Not any more. Nowadays, users are scattered all across the globe, and they all want access to your network with the same ease and rights as if they were in the office next door to you. That’s where VPNs come in. Deploying a VPN doesn’t mean that you have to upgrade to Windows 2000 or wait for Windows .NET. Even though you’re still running Windows NT, you can deploy a VPN for those users in need by using NT’s RAS. In this Daily Drill Down, I’ll show you how it’s done.


Author’s note

You can configure NT to act as a VPN for both dial-up and Internet connections. For the purposes of this Daily Drill Down, I’ll show you how to configure NT to act as a VPN for users who are coming in over the Internet.


VPN on Windows NT
If you want to deploy a VPN on your network and you already run Windows NT, then you don’t necessarily have to invest in a hardware VPN or upgrade to Windows 2000. You can deploy a VPN solution using NT’s RAS. Doing so is almost as easy as deploying a VPN using Windows 2000.

However, because Windows NT is older than Windows 2000, you don’t gain all of Windows 2000’s additional features in the Windows NT VPN. Some of the things missing from Windows NT’s VPN include:

  • Support for L2TP
  • Remote access policies
  • Support for Internet Key Exchange (IKE)
  • Support for IPsec
  • Active Directory integration

That said, NT’s VPN solution still does the job, but its security has limits you should understand before you expose it to the Internet. NT’s VPN uses the Point-to-Point Tunneling Protocol (PPTP), which carries PPP frames inside GRE (IP protocol 47) and runs its control channel on TCP port 1723, so your firewall must pass both. Traffic is encrypted with Microsoft Point-to-Point Encryption (MPPE) using 40-bit or 128-bit RC4 keys; the level actually used depends on what the VPN client supports, and the keys are derived from the user’s password hash, so the tunnel is never stronger than the password behind it. For authentication, PPTP can use any of the following protocols:

  • Password Authentication Protocol (PAP)
  • Shiva Password Authentication Protocol (SPAP)
  • Challenge Handshake Authentication Protocol (CHAP)
  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

Of these, only MS-CHAP works against NT’s hashed password store and keeps the password itself off the wire: PAP sends it in cleartext, SPAP uses a reversible scheme, and CHAP’s MD5 exchange requires the server to hold a cleartext copy of the password. Require MS-CHAP (see the Network Configuration step below) and treat even that as a minimum; published cryptanalysis of PPTP and MS-CHAP (Schneier and Mudge, 1998) showed that a captured handshake allows offline password guessing, so regard PPTP as a stopgap until you can move to an IPsec- or L2TP-based VPN. You can support up to 256 simultaneous logons to your Windows NT server over the VPN. Once connected, users have the same rights on the network as if they were connected via a LAN, which also means a compromised VPN account is a compromised LAN account.

Configuring Windows NT for VPN support
Configuring Windows NT for VPN support is a fairly easy task. Windows NT’s RAS is set up for dial-up connections; to accept VPN connections from the Internet, you must add the PPTP protocol. First, right-click Network Neighborhood and select Properties. When the Network Properties window appears, click the Protocols tab.

Click Add on the Protocols screen. You’ll then see the Select Network Protocol screen appear. Select Point-to-Point Tunneling Protocol and click OK. Your server will prompt you to insert the Windows NT Server CD. Do so and wait while it copies the files to your server. When the files finish copying, NT will begin configuring PPTP. You’ll then see the PPTP Configuration screen shown in Figure A.

Figure A
You must specify the number of PPTP connections.

The first thing you must do to configure PPTP is set the maximum number of connections that you want to allow via VPN. You can specify anywhere from 10 to 256 connections. Oddly enough, you can’t directly type the number of connections in the Number drop-down list box. Instead, you must select the number of connections from the box. You can speed up the process somewhat by pressing the first number of the connection you want. So, if you want to connect 50 users, you would press 5 twice, which will cause the list box to scroll first to 5 and then to 50. You would press 5 three times to scroll to 51, and four times to scroll to 52, and so on. Click OK to close the window after you’ve set the number of connections you want.

Next, NT will prompt you to install the RAS service. Click OK to close the Setup Message window informing you of this to continue. NT will then begin copying the RAS files to your server. When it’s done, you’ll see the Add RAS Device screen shown in Figure B.

Figure B
Make sure RASPPTPM is selected as the default device.

To allow remote connections, make sure VPN1 - RASPPTPM is selected in the RAS Capable Devices drop-down list box. (Installing PPTP creates one virtual VPN device for each connection you allowed; VPN1 is the first of them.) You can add other devices later if you want, such as dial-up modems. Click OK to continue.

You’ll then see the Remote Access Setup screen. On this screen, you can see any RAS connections your server is prepared to handle. Select VPN1 and click Configure. When the Configure Port Usage screen appears, make sure that the Receive Calls Only radio button is selected. This keeps the server from using the port to originate connections, so the VPN server can’t be turned into a pivot to external resources. Click OK if everything looks correct.

Next, click Network to configure the network settings for the remote connection. You’ll see the Network Configuration screen appear, as shown in Figure C.

Figure C
The Network Configuration screen controls network settings for the connection.

The Server Settings pane contains the selections for network protocols the client will be able to use once connected to the VPN. NT will display the protocols currently running on your network. Select only the protocols users need to get their work done; every protocol you leave enabled (NetBEUI, IPX) is another path from a remote client onto your LAN. Chances are you’ll only use TCP/IP, so deselect any other protocols.

To configure the protocol, click the Configure button. You’ll then see the RAS Server TCP/IP Configuration screen shown in Figure D. On this screen, you make selections that dictate how NT will assign the TCP/IP address for the remote user.

Figure D
This screen allows you configure the protocol for the user.

The Allow Remote TCP/IP Clients To Access box controls how far remote users can reach. This Computer Only limits them to resources on the VPN server itself; Entire Network lets the server route their traffic to any host on the LAN. Choose Entire Network only if users genuinely need hosts beyond the VPN server, because every remote client then has the same reach as an internal workstation.

You can either use DHCP to assign network addresses or assign addresses from a static pool. DHCP is the least administrative work, since the DHCP server keeps RAS clients from overlapping with LAN addresses. A static pool is the better choice if you want to recognize VPN clients by address in router filters or logs, because every remote client then lands in a range you control. Leave the Allow Remote Clients To Request A Predetermined IP Address check box clear unless a user has a documented need for it; with it set, a client can ask for any address, including one inside a range your filters trust. Click OK once you’ve made all of your selections.

When you get back to the Network Configuration screen, double-check the other selections. Under Encryption Settings, select the Require Microsoft Encrypted Authentication radio button so that only MS-CHAP is accepted, and also select the Require Data Encryption check box beneath it so that a client that can’t negotiate MPPE is refused rather than connected in the clear; the radio button by itself governs only authentication. Don’t worry about selecting the Enable Multilink check box. This is used primarily by dial-up clients to maximize throughput. Click OK to close the Network Configuration window.

After you return to the Remote Access Setup screen, you can click Continue to close the screen and finish the configuration. NT will copy more files to your server and configure the RAS service based on the selections you made. When the configuration finishes, NT will display an informational screen telling you what utilities to use to administer RAS. Click OK to shut down the window. You’ll then have to restart your Windows NT Server.

After the server restarts, reapply the latest Service Pack you had installed and restart again. Installing PPTP and RAS from the original CD copies pre-Service Pack versions of the RAS files over the patched ones, so until you reapply the Service Pack the server is running older, unpatched code. After this last restart, you’ll be ready to start using RAS.
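Once the server is back up, it helps to confirm from the outside that the PPTP listener is actually answering. The following is an added example in Python (my own code, not part of NT or of the original article) that sends a Start-Control-Connection-Request to TCP port 1723 and parses the Start-Control-Connection-Reply, both laid out as RFC 2637 specifies. The `probe()` function needs network access to a real server; the `SAMPLE_SCCRP` bytes are constructed here so the parser can be exercised offline, and the host name and vendor string in it are placeholders, not what an NT server actually returns.

```python
"""Probe a PPTP control channel (RFC 2637). Added example, constructed sample reply."""
import socket
import struct
import sys

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
MSG_CONTROL = 1
CTRL_SCCRQ = 1          # Start-Control-Connection-Request
CTRL_SCCRP = 2          # Start-Control-Connection-Reply
PROTO_VERSION = 0x0100  # 1.0
# length, msg type, magic, ctrl type, reserved0, version, reserved1/result+error,
# framing caps, bearer caps, max channels, firmware rev, host name, vendor
SCCRQ_FMT = ">HHIHHHHIIHH64s64s"   # 156 bytes
SCCRP_FMT = ">HHIHHHBBIIHH64s64s"  # 156 bytes
RESULT_CODES = {1: "OK", 2: "general error", 3: "channel already exists",
                4: "not authorized", 5: "unsupported protocol version"}


def build_sccrq(hostname=b"pptp-probe", vendor=b"added-example"):
    """Build the 156-byte SCCRQ: async|sync framing, analog|digital bearer, 1 channel."""
    return struct.pack(SCCRQ_FMT, struct.calcsize(SCCRQ_FMT), MSG_CONTROL, MAGIC_COOKIE,
                       CTRL_SCCRQ, 0, PROTO_VERSION, 0, 0x3, 0x3, 1, 0,
                       hostname[:64].ljust(64, b"\0"), vendor[:64].ljust(64, b"\0"))


def parse_sccrp(data):
    """Validate and decode an SCCRP; raises ValueError on anything that isn't one."""
    need = struct.calcsize(SCCRP_FMT)
    if len(data) < need:
        raise ValueError(f"short reply: {len(data)} bytes, need {need}")
    (_length, msg_type, magic, ctrl, _res0, version, result, error,
     _framing, _bearer, max_chan, firmware, host, vendor) = struct.unpack(SCCRP_FMT, data[:need])
    if magic != MAGIC_COOKIE or msg_type != MSG_CONTROL:
        raise ValueError("not a PPTP control message")
    if ctrl != CTRL_SCCRP:
        raise ValueError(f"unexpected control message type {ctrl}")
    return {
        "result": RESULT_CODES.get(result, f"unknown ({result})"),
        "error": error,
        "version": f"{version >> 8}.{version & 0xFF}",
        "max_channels": max_chan,
        "firmware": firmware,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe(host, port=PPTP_PORT, timeout=5.0):
    """Open the control channel to a real server and return the parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        reply = b""
        while len(reply) < 156:            # read until one full control message arrives
            chunk = s.recv(156 - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_sccrp(reply)


# Constructed SCCRP shaped like a server configured for 50 connections; the
# host name and vendor string are placeholders, not a captured NT response.
SAMPLE_SCCRP = struct.pack(SCCRP_FMT, 156, MSG_CONTROL, MAGIC_COOKIE, CTRL_SCCRP, 0,
                           PROTO_VERSION, 1, 0, 0x3, 0x3, 50, 0,
                           b"NTSERVER".ljust(64, b"\0"), b"constructed-sample".ljust(64, b"\0"))

if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_sccrp(SAMPLE_SCCRP))
```

Two caveats. A successful SCCRP only proves the TCP 1723 control channel; the tunnel itself rides on GRE (IP protocol 47), which your firewall has to pass separately, and a client that gets a reply here but hangs afterwards is usually hitting a GRE filter. And because the server answers this request before any authentication, this is exactly how Internet scanners find PPTP servers, so expect the listener to be discovered soon after you bring it up.
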

Allowing users to access RAS
Just because you install RAS and VPN support on your server, doesn’t mean your users can use it. By default, Windows NT denies everyone the ability to access the server via VPN. This increases security on your network and allows you to rest easy knowing that not just anyone can get in through your VPN.

To allow a user to use the VPN, you have two choices: You can either change the user’s rights within User Manager For Domains or you can use the Remote Access Admin utility. Let’s look first at the User Manager For Domains.

Start the User Manager For Domains, by clicking Start | Programs | Administrative Tools (Common) | User Manager For Domains. When the utility starts, select the user to whom you want to grant VPN rights. Select Properties from the User menu. When the User Properties screen appears for the user, click the Dialin button.

You’ll then see the Dialin Information screen. Select the Grant Dialin Permission To User check box. Make sure No Call Back is selected in the Call Back section; callback is a control for users who dial in to a modem, and it won’t work for users connecting via VPN. Click OK to close the Dialin Information screen and then OK again to close the User Properties screen.

You can also use the Remote Access Admin utility. To start the Remote Access Admin utility, click Start | Programs | Administrative Tools (Common) | Remote Access Admin. You’ll then see the Remote Access Admin Window appear. As you can see, this window lists the available RAS Server and other information for the RAS server, which I’ll discuss more below.

To grant a user the right to use the VPN, select Permissions from the Users menu. You’ll then see the Remote Access Permissions screen shown in Figure E.

Figure E
You can control user rights using the Remote Access Admin utility.

To allow a user to use the VPN, scroll through the Users list box until you find the user you want. Click the Grant Dialin Permission To User check box to allow access to the VPN. Again, make sure that No Call Back is also selected.

Unfortunately, there’s no way to select multiple users at once; you must handle each user individually. Alternatively, you can click the Grant All button to give VPN rights to every user on your NT server and then scroll through the Users list box and clear the Grant check box for each user who shouldn’t have it. Be careful with Grant All on a domain: it covers Guest, service accounts and every other account you’ve never thought of as a remote user, and any one you miss when clearing the boxes is an open door. If you want to quickly remove access to the VPN from every user, click the Remove All button.

Other Remote Access Admin tasks
The Remote Access Admin utility, shown in Figure F, gives you full control over the RAS, and thereby the VPN. As you can see, Remote Access Admin lists the servers that can support VPN, along with the maximum number of connections and current number of logged on connections. Remote Access Admin has a static display. It doesn’t change as users log on and log off. To refresh the screen, select Refresh from the View menu.

Figure F
You can control the Remote Access Service using Remote Access Admin.

You can start or stop the RAS from the Server menu. To stop the service, select Stop Remote Access Service. To start it, select Start Remote Access Service. You can also pause access without unloading the service by selecting Pause Remote Access Service.

To view detailed information, double-click the server. You’ll then see the Communications Ports screen appear. From this screen you can do the following:

  • Disconnect the user from the VPN by clicking Disconnect User
  • Send a message to a specific user by selecting the user and clicking Send Message
  • Send a message to all users by clicking Send To All
  • View detailed information about the connection by clicking Port Status

If you click the Port Status button, you’ll see the Port Status screen shown in Figure G. Here you can see detailed information about the user’s connection, including such things as how much bandwidth the user can use, how many packets have been transmitted, and the user’s VPN IP address.

Figure G
The Port Status screen shows you detailed information about a user’s session.

Remote Access Admin also allows you to view user information. To do so, select Active Users from the Users menu. You’ll then see the Remote Access Users screen. This screen looks similar to the Communications Ports screen except that rather than showing connections, it shows connected users. Like the Communications Ports screen, you can send messages or disconnect users from this screen.

If you want to view information about a user account, highlight it and click User Account. You’ll then see the screen shown in Figure H. While it doesn’t show detailed information about permissions and such, it does show information about user rights in general, along with callback and password information.

Figure H
Remote Access Admin shows information about logged on users.

VPNs on NT: Virtually Painless Networking
Even though you’re still using Windows NT, you don’t have to be left out in the cold when it comes to deploying such things as VPNs. Using NT’s RAS, you can quickly deploy a VPN for your network. Users can connect over the Internet and have the same rights as if they were connected locally, and you can administer their access without learning any new operating systems.