VPN servers go a long way toward saving money for companies with remote access clients. In the not-so-distant past, companies that wanted to give road warriors access to corporate internal network resources needed to install modem banks and multiple phone lines. The cost of installing multiple dial-up RAS servers was compounded by long distance charges or the costs incurred from 1-800 numbers. VPN servers remove this cost-rich hardware/telco layer and allow you to support dozens and even hundreds of remote access calls with a single VPN server and high-speed Internet connection.

Most of the articles I see on the Internet focus on how to set up and configure the VPN server. This makes sense, since most of the complicated work in setting up a VPN client/server solution is done at the VPN server. However, configuring VPN clients is not always a piece of cake. This is especially true when dealing with legacy VPN client operating systems, such as the Windows 9x line.

We’ll look at how to configure your Win9x computers to be VPN clients that connect to Windows NT 4.0 VPN servers. You can use the same procedures to configure the Win9x clients to connect to Windows 2000 VPN servers. The only major difference between connecting to Windows NT 4.0 and Windows 2000 VPN servers is that the Windows NT 4.0 VPN servers do not support the L2TP/IPSec VPN protocol. However, this doesn’t pose much of a problem for our Win9x VPN clients, because the only VPN protocol supported by Win9x operating systems is the Point-to-Point Tunneling Protocol (PPTP).

Windows 9x Dial-up Networking Service 1.4 (DUN 1.4)
Before getting into the nuts and bolts of configuring the Win9x VPN client, you need to familiarize yourself with the latest update to the Win9x Dial-Up Networking Service, DUN 1.4. There are several reasons why you’ll want to download and install DUN 1.4, including:

  • Support for 128-bit encryption.
  • A Y2K fix for the VPN DHCP client component.
  • Fixes that improve the stability of the PPTP connection.
  • Support for internal ISDN adapters.
  • Multilink support.
  • Support for PPTP connections over a “LAN” or dedicated connection (such as DSL or cable).

Check out Microsoft Knowledge Base article Q297774 for full details on DUN 1.4. There are several versions of DUN 1.4, one each designed for Windows 95, Windows 98, and Windows 98SE. Information about the updates and files for download can be found in Microsoft Knowledge Base article Q285189. Be aware that you will need to restart the computer at the end of the DUN 1.4 installation.

Note: Windows Me does not require the DUN 1.4 Dial-up Networking update.

Configuring the Windows 9x VPN client
The procedure for configuring Windows 9x VPN clients is very similar across versions, with only minor differences. Before configuring the PPTP VPN client connection on the Win9x client, make sure the client has a working Internet connection through which it can reach the VPN server. The Internet connection device can be an analog dial-up modem, an ISDN terminal adapter, a DSL line, or a cable connection.

Let’s use the Windows 95 client as an example of how to configure all the Win9x clients. Perform the following steps on your Windows 95 computer:

  1. Click Start | Programs | Accessories. Point to Communications, and then click on Dial-up Networking.
  2. The Dial-up Network Wizard Welcome dialog box will appear (Figure A). Click Next to continue.

Figure A

  3. On the next page (Figure B), type in a name for the connection in the Type A Name For The Computer You Are Dialing text box. Click the down arrow in the Select A Device drop-down list box and select the Microsoft VPN Adapter option. DUN 1.4 added this feature to your Windows 95 computer. Click Next.

Figure B

  4. On the Make New Connection page, type in the IP address or the Fully Qualified Domain Name (FQDN) of the VPN server that the Windows 95 computer will connect with (Figure C). If you use an FQDN, make sure that there is an entry in the public DNS that resolves to the IP address on your VPN server that is listening for incoming VPN connections. If you do not have a DNS entry for your VPN server, enter an IP address instead. Click Next.

Figure C

  5. On the last page of the wizard (Figure D), you’ll be told that you’ve done everything right and that you’ve created a new connection. After clicking Finish, the connectoid will appear in your Dial-Up Networking folder.

Figure D

  6. Return to the Dial-Up Networking window. You should see the icon for the VPN connectoid you just created, and another connectoid for an ISP connection if you require a dial-up connection to access the Internet (Figure E).

Note: You must create the dial-up connection separately from the VPN connection.

Figure E

Further tweaking with VPN Properties
You might want to do some further tweaking of the VPN connection. Right-click the VPN connectoid and click Properties. On the General tab (Figure F), you can change the name or IP address of the VPN server. This is convenient because, if the name or address of the VPN server changes, you don’t have to create a new connectoid. Just change an existing one.

Figure F

You can make many customizations on the Server Types tab (Figure G). By default, the Log On To Network and Enable Software Compression options are enabled. For connections that support MS-CHAP, check the Require Encrypted Password box. If you want to use MS-CHAP version 2, the client will negotiate MS-CHAP version 2 with the VPN server first. If the server does not support MS-CHAP version 2, the client will drop down to support MS-CHAP version 1. Also, make sure that data encryption is enabled. If you want to optimize connection speed, uncheck protocols that you do not use. If you do not disable the protocols, the client will attempt to negotiate each one selected.

Figure G: Set high encryption for the link.

When you click on the TCP/IP Settings button at the bottom of the Server Types tab, you’ll see what appears in Figure H. Most VPN servers will automatically assign IP addressing information to the VPN client. Therefore, you should leave the default settings Server Assigned IP Address and Server Assigned Name Server Addresses as they are. The Use IP Header Compression option should be set if the VPN server supports this option.

Figure H

The most interesting option is Use Default Gateway On Remote Network. When this option is selected, the VPN client uses the VPN interface as the gateway for all nonlocal network addresses. If the client dialed in to an ISP first, the ISP assigned the computer a default gateway at the ISP to allow the client access to the Internet. However, when the Use Default Gateway On Remote Network option is enabled, the VPN client is assigned a new default gateway, which is the VPN server’s VPN interface. The end result is that the VPN client cannot access the Internet once it connects to the corporate VPN.

If this option is disabled, the VPN client will be able to access both the internal corporate network and the Internet at the same time. This creates the possibility that the VPN client will be able to route packets from the Internet to the internal network. Allowing the VPN client to access the Internet through the ISP and also the corporate network through the VPN at the same time is poor security practice. This is akin to allowing users on the internal network to plug modems into their computers and thus bypass corporate Internet access policies.
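
The effect of the Use Default Gateway On Remote Network option on route selection, as an added example that is not part of the original article: a simplified model of the client's route table in which the longest prefix wins and ties go to the lowest metric. All addresses, the interface labels isp and vpn, the metrics, and the host route to the VPN server are constructed assumptions, not values captured from a Win9x machine.

```python
import ipaddress

# Constructed sample addresses (documentation and private ranges).
VPN_SERVER = "198.51.100.10"    # public address of the corporate VPN server
CORP_HOST = "10.1.2.3"          # host on the internal corporate network
INTERNET_HOST = "203.0.113.80"  # unrelated host on the Internet


def build_routes(use_remote_gateway):
    """Return a simplified route table as (network, interface, metric)."""
    routes = [
        # Default route handed out by the ISP at dial-in. In this model it
        # is demoted (higher metric) once the VPN default route is added.
        ("0.0.0.0/0", "isp", 2 if use_remote_gateway else 1),
        # Assumed host route so the tunnel's own packets still reach the
        # VPN server through the ISP link.
        (VPN_SERVER + "/32", "isp", 1),
    ]
    if use_remote_gateway:
        # Option enabled: the VPN interface becomes the default gateway.
        routes.append(("0.0.0.0/0", "vpn", 1))
    else:
        # Option disabled: only the corporate network goes into the tunnel.
        routes.append(("10.0.0.0/8", "vpn", 1))
    return [(ipaddress.ip_network(n), i, m) for n, i, m in routes]


def egress(routes, dst):
    """Pick the outgoing interface: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def is_split_tunnel(routes):
    """True when corporate traffic uses the VPN while Internet traffic
    leaves directly through the ISP, the dual-homed state described above."""
    return (egress(routes, CORP_HOST) == "vpn"
            and egress(routes, INTERNET_HOST) == "isp")


if __name__ == "__main__":
    for enabled in (True, False):
        table = build_routes(enabled)
        print("option enabled:", enabled,
              "| Internet via", egress(table, INTERNET_HOST),
              "| corporate via", egress(table, CORP_HOST),
              "| split tunnel:", is_split_tunnel(table))
```
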

The Windows 98/98SE VPN client
Configuring the Windows 98/98SE client works exactly the same as configuring the Windows 95 client. The interfaces are virtually identical after installing DUN 1.4. The only difference you’ll see is found in the Connections menu in the Dial-up Networking window. In the Dial-up Networking window, click Connections and then click Settings (Figure I).

Windows 98/98SE allows you to configure a redial value and a wait interval before redialing. This option isn’t available in the Windows 95 dial-up networking. You also have the option to be prompted before a dial-up connection is established. This is helpful when you use dial-up networking to map network drives via the VPN interface.

Figure I

Click on the Security tab and you’ll see what appears in Figure J. Both Disable Sending Of LAN Manager Passwords and Require Secure VPN Connections are enabled by default. LAN Manager password authentication is inherently insecure and should always be disabled. The secure VPN connection option will force 128-bit encryption. If the VPN server does not support 128-bit encryption, the connection attempt will fail. If this option is not enabled, the client will first negotiate 128-bit encryption. If the negotiation fails, it will fall back to 40-bit encryption.

Figure J

Some final thoughts on troubleshooting
There are a handful of troubleshooting issues you should be aware of before finalizing your VPN client/server solution. Many ISPs do not allow incoming GRE packets into their networks, or they require that the user pay extra for a “business account.” If the VPN client cannot establish a VPN connection with the corporate VPN server, the user should contact his ISP to determine if GRE connections are allowed for the user’s account.

Windows 9x clients will not be able to connect to VPN NLB server clusters if the NLB interface still has the actual IP address configured on the cluster servers. Only the virtual IP address can be listed on the external interfaces of the cluster members if you expect to connect down-level clients to a PPTP VPN NLB cluster. If the VPN client fails to connect to a PPTP NLB cluster, confirm that only the virtual IP address appears on the external interface of each of the cluster members.

If a WINS server is manually assigned to a NIC, the PPTP VPN client will not be able to obtain a WINS server address on the PPTP VPN interface. This is in spite of the fact that the WINS address is configured only on the NIC. Note that manually setting a DNS server address on the machine’s NIC will not prevent the PPTP VPN client from obtaining a DNS server address from the VPN server.

You may run into issues when users plug directly into the corporate network with an Ethernet card while at work, and then go home and try to connect to the same network through the PPTP VPN interface. The user may need to run the winipcfg utility from the Run menu to renew the IP address. If that does not work, the NIC may need to be removed before the VPN user can connect to the network remotely.