Step-By-Step: Configure a Windows 2000 VPN

Implement a secure tunnel/VPN between your company and remote users by enabling the RAS VPN services in Windows 2000 Server.

VPNs and tunnels are powerful, convenient and secure ways to access resources remotely. You can implement a secure tunnel/VPN between your company and remote users by enabling the RAS VPN services in Windows 2000 Server. Windows 2000 Server can support both L2TP and PPTP based clients and is very easy to set up.

The procedure
To enable RAS VPN services on Windows 2000 Server, go to Start | Programs | Administrative Tools | Routing and Remote Access and right-click the name of your server and choose Configure And Enable Routing And Remote Access from the shortcut menu. This will start a wizard to help you set up a VPN server as shown in Figure A.

Figure A
Configure Routing and Remote Access.

On the Welcome screen for the wizard, shown in Figure B, click Next to continue.

Figure B
Welcome screen for the Routing and Remote Access Server setup wizard

The wizard provides you with six different configuration options for RAS (Remote Access Services) on Windows 2000. For the purposes of this article, choose to set up a VPN server as shown in Figure C.

Figure C
Choose the VPN option.

The next screen, shown in Figure D, provides a list of protocols active on the VPN server. Since Windows 2000 uses TCP/IP by default, that is all I have installed. If you run IPX/SPX, you’ll see this option listed as well. Click Next to move on.

Figure D
Remote client protocols configuration

The next screen asks you to choose the adapter that you want to use to provide VPN services. You will need two network adapters; the VPN services wizard will install strong security controls on the VPN adapter to help protect it from attack, since it will have to be exposed to the outside world. For my example here, I will install the VPN services using my AMD PCNET adapter, as you can see in Figure E.

Figure E
Choosing the adapter

The next screen, Figure F, asks you how you want to handle addressing of the remote clients. Since these incoming clients will be coming in through a VPN tunnel, they will be viewed as an extension of your network and, as such, will require local IP addressing. You can specify a range of addresses or allow your DHCP server to automatically assign the addresses.

Figure F
IP address assignment

If you specify a range of addresses, the screen in Figure G will ask you for that information. To add a range of addresses, click New and type in the range that you wish to use. Keep in mind that these addresses should be from the same local pool of addresses as your internal network, even if your network is based on RFC 1918 private addresses. These packets will be encapsulated inside IP packets going over the Internet and broken down once they reach your VPN server, so routing issues do not come into play for the RFC 1918 addresses.

Figure G
Assigning a range of addresses

Windows 2000 also has the ability to provide RADIUS (Remote Authentication Dial-In User Service) services. RADIUS is a service that allows you to centrally administer user accounts for remote access. On the screen shown in Figure H, you can enable RADIUS.

Figure H

Finally, you are finished and the wizard installs your settings. You will get a message indicating that you must enable the relay of DHCP messages across the VPN server, which is also acting as a router to your network. Client DHCP requests are not able to traverse the VPN server to your internal DHCP server if you do not do this. If you specified a range of addresses, DHCP relay won’t be a problem. Just dismiss the message.

In order for users to be able to make use of this service, they must be explicitly allowed to do so by using Active Directory Users And Computers. All you have to do is make a change on the Dial-In properties page as in Figure I.

Figure I
Allowing a user access from outside

Establishing a client session
At this point, you have a fully functional remote access tunnel/VPN server. In order to use it, you need PPTP or L2TP client software. All recent versions of Windows include a PPTP client, and Windows 2000 and XP both include full L2TP/IPSec-based clients for additional security. For this example, I will be initiating a PPTP connection to my VPN server using Windows XP as the client.

To begin with, start the New Network Connection Wizard in Windows XP and choose Connect To The Network At My Workplace, as shown in Figure J, which is Windows XP’s way to set up a VPN.

Figure J
Network connection type

You’ll then see the Network Connection screen shown in Figure K. This screen asks whether this will be a dial-up or a VPN connection.

Figure K
A VPN or a dial up connection

The next screen is the Connection Name screen, seen in Figure L. As you can probably guess, all you have to do is give a name for the connection.

Figure L
Name the connection.

Next, you need to specify the IP address for the public VPN interface that you set up on your Windows 2000 Server. As shown in Figure M, enter the address in the Host Name field. My public address is since I am doing this example behind a firewall.

Figure M
VPN server address

When you are done, the connection dialog box, seen in Figure N, will come up and ask for authentication information. I will use the credentials for the user for whom I granted the ability to dial into the VPN server.

Figure N
Connection dialog

Once the credentials are verified, you are assigned an IP address from the range specified earlier and will be able to access resources on the host network. From there, your users are set and ready to go!


Editor's Picks

Free Newsletters, In your Inbox