Remote access/VPN server role: Configuring a remote access/VPN serverYou can
configure a server that allows remote users to access resources on your
private network over dial-up or virtual private network (VPN) connections.
This type of server is called a remote access/VPN server. Remote access/VPN
servers can also provide network address translation (NAT). With NAT, the
computers on your private network can share a single connection to the
Internet. With VPN and NAT, your VPN clients can determine the IP addresses
of the computers on your private network, but other computers on the Internet
cannot.
This topic explains the basic steps for configuring a remote access/VPN
server using Manage Your Server, the Configure Your Server Wizard, and the
Routing and Remote Access Server Setup Wizard. After you finish configuring a
basic remote access/VPN server, you can complete additional configuration
tasks, depending on how you want to use the remote access/VPN server.
This topic covers:
Before you begin
Configuring your remote access/VPN server
Next steps: Completing additional tasks
--------------------------------------------------------------------------------
Before you begin
Before you configure your server as a remote access/VPN server, you should
verify whether or not:
The operating system is configured correctly. In the Windows Server 2003
family, remote access/VPN depend on the appropriate configuration of the
operating system and its services. If you have a new installation of a
product in the Windows Server 2003 family, you can use the default service
settings. No further action is necessary. If you upgraded to a product in the
Windows Server 2003 family or you want to confirm that your services are
configured correctly for best performance and security, verify your service
settings by comparing them to the table in Default settings for services.
Your server is correctly configured for optimal security for your network
needs. Because your remote access/VPN server will connect your private
network, the Internet, and your remote clients, you must make sure the server
is secure. The security of your private network depends on the security of
your remote access/VPN server. For more information, see Security information
for remote access.
This computer has two network interfaces, one that connects to the Internet
and one that connects to the private network. The connection to the Internet
must be a dedicated connection with enough bandwidth that VPN users can
connect to your private network and users on your private network can connect
to the Internet. The connection to computers on your private network must be
made through a hardware device, such as a network adapter.
All needed network protocols have been installed for your network
interfaces. For more information, see Network interfaces.
The following table lists the information that you need to know before you
configure a remote access/VPN server.
Before adding a remote access/VPN server role Comments
Determine which network interface connects to the Internet and which network
interface connects to your private network. During configuration, you will be
asked to choose which network interface connects to the Internet. If you
specify the incorrect interface, your remote access/VPN server will not
operate correctly.
Determine whether remote clients will receive IP addresses from a Dynamic
Host Configuration Protocol (DHCP) server on your private network or from the
remote access/VPN server that you are configuring. If you have a DHCP server
on your private network, the remote access/VPN server can lease 10 addresses
at a time from the DHCP server and assign those addresses to remote clients.
If you do not have a DHCP server on your private network, the remote
access/VPN server can automatically generate and assign IP addresses to
remote clients. If you want the remote access/VPN server to assign IP
addresses from a range that you specify, you must determine what that range
should be.
Determine whether you want connection requests from VPN clients to be
authenticated by a Remote Authentication Dial-In User Service (RADIUS) server
or by the remote access/VPN server that you are configuring. Adding a RADIUS
server is useful if you plan to install multiple remote access/VPN servers,
wireless access points, or other RADIUS clients to your private network. For
more information, see Internet Authentication Service.
Determine whether VPN clients can send DHCP messages to the DHCP server on
your private network. If a DHCP server is on the same subnet as your remote
access/VPN server, DHCP messages from VPN clients will be able to reach the
DHCP server after the VPN connection is established. If a DHCP server is on a
different subnet than your remote access/VPN server, make sure that the
router between subnets can relay DHCP messages between clients and the
server. If your router is running a Windows Server 2003 operating system, you
can configure the DHCP Relay Agent service on the router to forward DHCP
messages between subnets.
Verify that all users have user accounts that are configured for dial-up
access. Before users can connect to the network, they must have user accounts
on the remote access/VPN server or in Active Directory. Each user account on
a stand-alone server or a domain controller contains properties that
determine whether that user can connect. On a stand-alone server, you can set
these properties by right-clicking the user account in Local Users and Groups
and clicking Properties. On a domain controller, you can set these properties
by right-clicking the user account in the Active Directory Users and
Computers console and clicking Properties. For more information, see Dial-in
properties of a user account and Active Directory Users and Computers.
--------------------------------------------------------------------------------
Configuring your remote access/VPN server
To configure a remote access/VPN server, start the Configure Your Server
Wizard by doing either of the following:
From Manage Your Server, click Add or remove a role. By default, Manage Your
Server starts automatically when you log on.
To open the Configure Your Server Wizard, click Start, point to Settings,
click Control Panel, double-click Administrative Tools, and then double-click
Configure Your Server Wizard.
On the Configuration Options page, click Custom configuration and click
Next. On the Server Role page, click Remote access/VPN server, and then click
Next.
This section describes the steps in the Routing and Remote Access Server
Setup Wizard for configuring a remote access/VPN server that is not part of
an Active Directory domain or part of a network with DNS or DHCP servers. If
you follow these steps, you will configure a remote access/VPN server that
provides both dial-up and VPN access for remote access clients, provides NAT
for computers on your private network, generates and assigns IP addresses for
remote access clients, and locally authenticates connection requests.
This section covers:
Summary of Selections
Using the Routing and Remote Access Server Setup Wizard
Completing the Configure Your Server Wizard
Completing configuration in Routing and Remote Access
Removing the remote access/VPN server role
Summary of Selections
On the Summary of Selections page, you can view and confirm the options that
you have selected. If you clicked Remote access/VPN server on the Server Role
page, the following line appears:
Run the Routing and Remote Access Server Setup Wizard to set up routing and
VPN
To apply the selections shown on the Summary of Selections page, click Next.
The Configure Your Server Wizard starts the Routing and Remote Access Server
Setup Wizard. If you cancel the Routing and Remote Access Server Setup
Wizard, your remote access/VPN server will not be configured, the Routing and
Remote Access service will not be started, and the Configure Your Server
Wizard will display the Cannot Complete page.
When you complete the Routing and Remote Access Server Setup Wizard and the
Configure Your Server Wizard, the Routing and Remote Access service is
started automatically.
Using the Routing and Remote Access Server Setup Wizard
After you choose the remote access/VPN role and confirm your Summary of
Selections by clicking Next in the Configure Your Server Wizard, the Routing
and Remote Access Server Setup Wizard starts.
This section describes the following steps in the Routing and Remote Access
Server Setup Wizard:
Configuration
VPN Connection
IP Address Assignment
Name and Address Translation Services
Address Assignment Range
Managing Multiple Remote Access Servers
Completing the Routing and Remote Access Server Setup Wizard
Configuration
On the Configuration page, click Virtual Private Network (VPN) access and
NAT, and click Next.
Important
This document describes the Virtual Private Network (VPN) access and NAT
configuration only. If you decide to choose a different configuration, review
the documentation for Routing and Remote Access before you complete the
Routing and Remote Access Server Setup Wizard. This document will not help
you complete any other role than Virtual Private Network (VPN) access and
NAT. For more information about other configurations, see Common
configurations for remote access servers.
VPN Connection
On the VPN Connection page, click the network interface that connects this
computer to the Internet. The network interface that you choose will be
configured to receive connections from VPN clients. Any interface that you do
not choose will be configured as a connection to your private network.
In Network Interfaces, the Enable security on the selected interface by
setting up Basic Firewall check box will already be selected. Do not clear
this check box. This option configures Basic Firewall, a dynamic packet
filtering service that helps protect your private network from unsolicited
network traffic.
After you finish, click Next.
IP Address Assignment
On the IP Address Assignment page, the Automatically option is selected
automatically. Do not change the selection. This selection configures your
server to generate and assign IP addresses to remote clients.
After you finish, click Next.
Name and Address Translation Services
On the Name and Address Translation Services page, the Enable basic name and
address services option is selected automatically. Do not change the
selection. This selection configures your server to automatically assign IP
addresses to any computer on your private network that requests one. The
selection also configures your server to forward name resolution requests to
a DNS server on the Internet.
After you finish, click Next.
Address Assignment Range
The Address Assignment Range page displays the range of addresses that is
defined for assignment to any computer on your network that requests one.
This range is generated based on the IP address of the network adapter you
chose on the VPN Connection page. Review the information presented.
After you finish, click Next.
Managing Multiple Remote Access Servers
On the Managing Multiple Remote Access Servers page, the No, use Routing and
Remote Access to authenticate connection requests option is selected
automatically. Do not change the selection. This selection configures your
server to authenticate connection requests locally by using Windows
authentication, Windows accounting, and locally stored remote access policies.
After you finish, click Next.
Completing the Routing and Remote Access Server Setup Wizard
On the Completing the Routing and Remote Access Server Setup Wizard page,
review the summary information. Verify that:
The correct network interface is configured to provide VPN access.
Dial-up and VPN clients are assigned to your private network for addressing.
Client connections are accepted and authenticated using remote access
policies for this remote access/VPN server.
NAT is configured for the correct network interface.
Clients will be assigned IP addresses from the correct range.
If any of the summary information is incorrect, click Back, and then change
the information.
If you click Finish, you will not be able to open the Routing and Remote
Access Server Setup Wizard again, unless you either remove the remote
access/VPN server role from within the Configure Your Server Wizard or
disable Routing and Remote Access from the Routing and Remote Access snap-in.
"rizz" wrote:
> hello i have been asked if i could set up a link to the
> server for home users.
> which is the best way of diong this?
> somebody suggested an vpn using intranet or extranet.
> is this correct?.
> if so does any body know the best place to find a stepby
> step, to do this in a secure way?
> thanks in advance
> Rizz
>
Similar Threads
Linear Mode
