Need help setting up a VPN server

Discussion in 'Server Networking' started by Paul Smith, Dec 23, 2008.

  1. Paul Smith

    Paul Smith Guest

    Need help setting up a VPN server

    Hi all

    I just set up a computer with Windows 2003 Server Ent. R2 and I want it to be
    running as a VPN server. It has two network cards, one which is connected to
    the internal network and the other one is connected to a wireless router
    (with cable) which the latter then connects to an ADSL modem for Internet
    connectivity. My question is how can I enable Routing and Remote Access on
    this machine and make the server act as a VPN server (giving access to
    internal resources). I am sure this involves some port forwarding from modem
    to router and also a way to translate the IP address to an Internet host
    name (using no-ip.com for example).

    Thanks a lot for your help!
     
    Paul Smith, Dec 23, 2008
    #1

  2. 1. Make sure the router is PPTP pass through or GRE enabled.
    2. Forward port 1723 to the windows server.
    3. This how to may help
    How to setup VPN
    To create VPN connection, open Networking Connections>New Connection
    Wizard>Set up an advanced connection>Accept incoming connections, then
    follow the ...
    www.howtonetworking.com/Windows/vpnsetup.htm


    --
    Bob Lin, MS-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com
     
    Robert L. (MS-MVP), Dec 23, 2008
    #2

  3. Paul Smith

    Rob Guest

    Is it recommended to use Server 2003 for VPN server or a hardware appliance?

    Rob
     
    Rob, Dec 23, 2008
    #3
  4. In most cases, I recommend using a hardware VPN. However, based on our test,
    Windows 2008 VPN works great.

    --
    Bob Lin, MS-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com
     
    Robert L. (MS-MVP), Dec 23, 2008
    #4
  5. Paul Smith

    Bill Grant Guest

    Setting it up as a remote access server is pretty easy. The wizard does
    it for you. Do this and make sure that you can make a VPN connection to this
    server from a local workstation using its local address. There is no point
    in trying to connect from the Internet until this works. The tricky bit is
    getting access to it from the Internet, because your server does not have a
    public IP address.

    Does the wireless router have a public IP? Is it static or dynamic? This
    is pretty important because this is the device you have to connect to from
    the Internet. When you work out how to access the router from the Internet
    you can look at port forwarding on the router to extend the connection to
    your server on the private network.
     
    Bill Grant, Dec 23, 2008
    #5
  6. Either is fine. But you may also consider replacing the "router" *with* the
    RRAS box (or the appliance). Or use the wireless "router" as the VPN
    Server if it is capable.

    If it were mine, I would be ditching the wireless "router" for something
    less "home-user" like the RRAS box or a commercial firewall that has VPN
    capability. For the wireless element I would use a Wireless Access Point
    [WAP] (not a "router") and have that sitting inside the LAN preferably far
    enough from an outside wall as I could get it to reduce the reach of the
    signal that leaks outside.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Dec 24, 2008
    #6
  7. Paul Smith

    Rob Guest

    Yeah, that's what I've read. What I did to reduce people using the signal
    outside is after business hours, I used the built in rules in the Linksys
    WRT45G to disable internet access before and after business hours. It is a
    public wireless internet router meant only for customers. If I were to use
    RRAS for the vpn server, would I have to have another RRAS box at another
    location maintaining the site-to-site vpn or can I use a vpn endpoint router
    to connect to the RRAS box?


    Rob

     
    Rob, Dec 24, 2008
    #7
  8. Paul Smith

    lforbes Guest

    Hi,

    It is recommended to have some type of firewall between. Personally I have a
    hardware firewall and ISA installed.

    Here are my settings. I just setup recently and it works great.

    Routing and Remote Access Server Settings (Admin tools)– VPN Server

    Properties of Server

    General Tab
    Enable as Router – LAN and Demand Dial
    Remote Access Server

    Security Tab
    Windows Authentication
    Authentication Methods Button
    EAP – not ticked
    MS-CHAP v2 – TICKED
    MS-CHAP – not ticked
    CHAP – not ticked
    SPAP – not Ticked
    Unencrypted password PAP – Not Ticked
    Unauthenticated Access – Does Not allow remote systems to
    connect without authentication.

    IP Tab
    Enable IP Routing
    Allow IP-based remote access
    DHCP
    Adaptor – Internal Network adaptor obtains DHCP, DNS and WINS

    PPP Tab
    Multilink Connections ticked (all ticked)

    Event Logging
    Log Errors and Warnings

    Remote Access Policies
    ISA Server Default Policy
    Allow Access if Part of VPN Group
    NAS-Port-Type matches “Virtual VPN” AND
    Windows-Groups matches “Domain\VPN Users” AND
    Day and Time Restrictions matches Sun 6am-2400-Mon 5am-2400
    Tunnel-Type matches “Point to Point Tunneling Protocol (PPTP)”
    Grant Remote Access Permission

    Ports Properties
    L2TP Ports – 1
    Remote access connections ticked
    Demand Dial routing ticked
    Phone Number xxx.xxx.xxx.xxx (put IP here)
    Number of Ports 1

    PPTP Ports – 1
    Remote access connections ticked
    Demand Dial routing ticked
    Phone Number xxx.xxx.xxx.xxx (put IP here)
    Number of Ports 1

    IP Routing – DHCP Relay Agent

    Properties – Add IP of DHCP Server

    IP Routing - General Properties

    Properties of External Connections
    General Tab
    Input and Output Filters

    Inbound Filters
    Drop ALL packets except those that meet the criteria below
    Source Address   Source Mask      Destination Address  Destination Mask  Protocol  Source Port or Type  Destination Port or Code
    Any              Any              xxx.xxx.xxx.xxx      255.255.255.255   47        Any                  Any
    Any              Any              xxx.xxx.xxx.xxx      255.255.255.255   TCP       Any                  1723
    Any              Any              xxx.xxx.xxx.xxx      255.255.255.255   TCP(est)  1723                 Any

    Output Filters
    Drop ALL packets except those that meet the criteria below
    Source Address   Source Mask      Destination Address  Destination Mask  Protocol  Source Port or Type  Destination Port or Code
    xxx.xxx.xxx.xxx  255.255.255.255  Any                  Any               47        Any                  Any
    xxx.xxx.xxx.xxx  255.255.255.255  Any                  Any               TCP       1723                 Any
    xxx.xxx.xxx.xxx  255.255.255.255  Any                  Any               TCP(est)  Any                  1723

    Cheers,
    Lara
     
    lforbes, Dec 28, 2008
    #8
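
The inbound filter table from post #8, modelled as an added example (not part of lforbes's post and not a Microsoft tool): the three allow rows are checked against constructed packets, with everything else dropped. 203.0.113.10 stands in for the xxx.xxx.xxx.xxx address, and "TCP(est)" is assumed to mean a TCP segment with the ACK flag set.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVER = "203.0.113.10"    # constructed stand-in for xxx.xxx.xxx.xxx in the post
GRE, TCP, UDP = 47, 6, 17  # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    ack: bool = False          # TCP ACK flag

@dataclass(frozen=True)
class Rule:
    dst_net: str
    proto: int
    sport: int = 0             # 0 means "Any"
    dport: int = 0             # 0 means "Any"
    established: bool = False  # "TCP(est)", modelled as ACK set (assumption)

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.dst) in ip_network(self.dst_net)
                and p.proto == self.proto
                and (not self.established or p.ack)
                and self.sport in (0, p.sport)
                and self.dport in (0, p.dport))

INBOUND = [  # the three inbound rows from the post; anything else is dropped
    Rule(f"{SERVER}/32", GRE),
    Rule(f"{SERVER}/32", TCP, dport=1723),
    Rule(f"{SERVER}/32", TCP, sport=1723, established=True),
]

def inbound_allowed(p: Packet) -> bool:
    return any(rule.matches(p) for rule in INBOUND)

SAMPLES = {  # constructed traffic arriving on the external interface
    "PPTP control SYN":       Packet(SERVER, TCP, 50000, 1723),
    "GRE tunnel data":        Packet(SERVER, GRE),
    "reply to outbound PPTP": Packet(SERVER, TCP, 1723, 50001, ack=True),
    "RDP":                    Packet(SERVER, TCP, 50002, 3389),
    "L2TP":                   Packet(SERVER, UDP, 1701, 1701),
    "GRE to another host":    Packet("203.0.113.11", GRE),
}

def audit() -> dict:
    return {n: "PASS" if inbound_allowed(p) else "DROP" for n, p in SAMPLES.items()}
```

Calling audit() shows the L2TP sample dropped: the table passes only protocol 47 and TCP 1723, so a tunnel to the L2TP port listed under Ports Properties would not get through this interface as filtered.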
  9. I really can't answer that. Your situation is just too "foggy" for me.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Dec 29, 2008
    #9
  10. Paul Smith

    Rob Guest

    OK, can I use a Netgear FVS318 VPN Endpoint to connect to the RRAS server?

    Rob
     
    Rob, Dec 29, 2008
    #10
  11. I don't know.
    It would probably have to be an IPSec Tunnel and not a PPTP or L2TP Tunnel.
    I suspect the structure of how RRAS deals with PPTP or L2TP is not going to
    be the same as the Netgear does it.

    ....and that is a guess.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
     
    Phillip Windell, Dec 29, 2008
    #11
  12. Paul Smith

    Rob Guest

    Do you know of any articles out there about doing this? I've looked, but
    didn't find anything related to what I want to do.

    Rob
     
    Rob, Dec 30, 2008
    #12
  13. Paul Smith

    Paul Smith Guest

    I managed to set up my VPN using Windows 2003 but now I cannot browse..

    I mean when connecting to my VPN to my internal network I cannot use the
    Internet. When I close the connection, the Internet is back...

    What can I do to have both of them simultaneously running?

    thanks

     
    Paul Smith, Dec 30, 2008
    #13
  14. I think you are going down the wrong road.
    But the situation is way too unclear to come up with a good solution.
    You probably should back up to the beginning and explain the situation more
    clearly and describe the reason for doing what you are doing.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Dec 30, 2008
    #14
  15. That is exactly how it is supposed to work with a Remote Access VPN.
    There is a way, but you are not supposed to do it.

    You probably should start your own new thread to pursue this. It is
    confusing to run two conversations in the same thread.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Dec 30, 2008
    #15