Need help setting up a VPN server

Need help setting up a VPN server

Hi all

I just setup a computer with windows 2003 server ent. R2 and i want it to be
running as a VPN server. It has two network cards, one which is connected to
the internal network and the other one is connected to a wireless router
(with cable) which the latter then connects to an ADSL modem for Internet
connectviity. My question is how can I enable Routing and Remote access on
this machine and make the server act as a VPN server (giving access to
internal resources). I am sure this involves some port forwarding from modem
to router and also a way to translate the IP address to an Internet host
name (using no-ip.com for example)

Thanks a lot for your help!

1. Make sure the router is PPTP pass through or GRE enabled.
2. Forward port 1723 to the windows server.
3. This how to may help
How to setup VPN
To create VPN connection, open Networking Connections>New Connection
Wizard>Set up an advanced connection>Accept incoming connections, then
follow the ...
www.howtonetworking.com/Windows/vpnsetup.htm


--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
"Paul Smith" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Need help setting up a VPN server
>
> Hi all
>
> I just setup a computer with windows 2003 server ent. R2 and i want it to
> be running as a VPN server. It has two network cards, one which is
> connected to the internal network and the other one is connected to a
> wireless router (with cable) which the latter then connects to an ADSL
> modem for Internet connectviity. My question is how can I enable Routing
> and Remote access on this machine and make the server act as a VPN server
> (giving access to internal resources). I am sure this involves some port
> forwarding from modem to router and also a way to translate the IP address
> to an Internet host name (using no-ip.com for example)
>
> Thanks a lot for your help!
>

Is it recommended to use Server 2003 for VPN server or a hardware appliance?

Rob

"Robert L. (MS-MVP)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> 1. Make sure the router is PPTP pass through or GRE enabled.
> 2. Forward port 1723 to the windows server.
> 3. This how to may help
> How to setup VPN
> To create VPN connection, open Networking Connections>New Connection
> Wizard>Set up an advanced connection>Accept incoming connections, then
> follow the ...
> www.howtonetworking.com/Windows/vpnsetup.htm
>
>
> --
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on
> http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on
> http://www.HowToNetworking.com
> "Paul Smith" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> Need help setting up a VPN server
>>
>> Hi all
>>
>> I just setup a computer with windows 2003 server ent. R2 and i want it to
>> be running as a VPN server. It has two network cards, one which is
>> connected to the internal network and the other one is connected to a
>> wireless router (with cable) which the latter then connects to an ADSL
>> modem for Internet connectviity. My question is how can I enable Routing
>> and Remote access on this machine and make the server act as a VPN server
>> (giving access to internal resources). I am sure this involves some port
>> forwarding from modem to router and also a way to translate the IP
>> address to an Internet host name (using no-ip.com for example)
>>
>> Thanks a lot for your help!
>>
>

In most cases, I recommend to use hardware VPN. However, based on our test,
Windows 2008 VPN work great.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
"Rob" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Is it recommended to use Server 2003 for VPN server or a hardware
> appliance?
>
> Rob
>
> "Robert L. (MS-MVP)" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> 1. Make sure the router is PPTP pass through or GRE enabled.
>> 2. Forward port 1723 to the windows server.
>> 3. This how to may help
>> How to setup VPN
>> To create VPN connection, open Networking Connections>New Connection
>> Wizard>Set up an advanced connection>Accept incoming connections, then
>> follow the ...
>> www.howtonetworking.com/Windows/vpnsetup.htm
>>
>>
>> --
>> Bob Lin, MS-MVP, MCSE & CNE
>> Networking, Internet, Routing, VPN Troubleshooting on
>> http://www.ChicagoTech.net
>> How to Setup Windows, Network, VPN & Remote Access on
>> http://www.HowToNetworking.com
>> "Paul Smith" <(E-Mail Removed)> wrote in message
>> news:%(E-Mail Removed)...
>>> Need help setting up a VPN server
>>>
>>> Hi all
>>>
>>> I just setup a computer with windows 2003 server ent. R2 and i want it
>>> to be running as a VPN server. It has two network cards, one which is
>>> connected to the internal network and the other one is connected to a
>>> wireless router (with cable) which the latter then connects to an ADSL
>>> modem for Internet connectviity. My question is how can I enable Routing
>>> and Remote access on this machine and make the server act as a VPN
>>> server (giving access to internal resources). I am sure this involves
>>> some port forwarding from modem to router and also a way to translate
>>> the IP address to an Internet host name (using no-ip.com for example)
>>>
>>> Thanks a lot for your help!
>>>
>>

"Paul Smith" <(E-Mail Removed)> wrote in message
news:#(E-Mail Removed)...
> Need help setting up a VPN server
>
> Hi all
>
> I just setup a computer with windows 2003 server ent. R2 and i want it to
> be running as a VPN server. It has two network cards, one which is
> connected to the internal network and the other one is connected to a
> wireless router (with cable) which the latter then connects to an ADSL
> modem for Internet connectviity. My question is how can I enable Routing
> and Remote access on this machine and make the server act as a VPN server
> (giving access to internal resources). I am sure this involves some port
> forwarding from modem to router and also a way to translate the IP address
> to an Internet host name (using no-ip.com for example)
>
> Thanks a lot for your help!
>

Setting it up as a remote access server is pretty easy. The wizard does
it for you. Do this and make sure that you can make a VPN connection to this
server from a local workstation using its local address. There is no point
in trying to connect from the Internet until this works. The tricky bit is
getting access to it from the Internet, because your server does not have a
public IP address.

Does the wireless router have a public IP? Is it static or dynamic? This
is pretty important because this is the device you have to connect to from
the Internet. When you work out how to access the router from the Internet
you can look at port forwarding on the router to extend the connection to
your server on the private network.

"Rob" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Is it recommended to use Server 2003 for VPN server or a hardware
> appliance?

Either is fine. But you may also consider replacing the "router" *with* the
RRAS box (or the appliance). Or use the wireless "router" as the VPN
Server if it is capable.

If it were mine, I would be ditching the wireless "router" for something
less "home-user" like the RRAS box or a commercial firewall that has VPN
capability. For the wireless element I would use a Wireless Access Point
[WAP] (not a "router") and have that sitting inside the LAN preferabley far
enough from an outside wall as I could get it to reduce the reach of the
signal that leaks outside.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Yeah, that's what I've read. What I did to reduce people using the signal
outside is after business hours, I used the built in rules in the Linksys
WRT45G to disable internet access before and after business hours. It is a
public wireless internet router meant only for customers. If I were to use
RRAS for the vpn server, would I have to have another RRAS box at another
location maintaining the site-to-site vpn or can I use a vpn endpoint router
to connect to the RRAS box?


Rob

"Phillip Windell" <(E-Mail Removed)> wrote in message
news:#(E-Mail Removed)...
>
> "Rob" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Is it recommended to use Server 2003 for VPN server or a hardware
>> appliance?
>
> Either is fine. But you may also consider replacing the "router" *with*
> the RRAS box (or the appliance). Or use the wireless "router" as the VPN
> Server if it is capable.
>
> If it were mine, I would be ditching the wireless "router" for something
> less "home-user" like the RRAS box or a commercial firewall that has VPN
> capability. For the wireless element I would use a Wireless Access Point
> [WAP] (not a "router") and have that sitting inside the LAN preferabley
> far enough from an outside wall as I could get it to reduce the reach of
> the signal that leaks outside.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>

Hi,

It is recommended to have some type of firewall between. Personally I have a
hardware firewall and ISA installed.

Here are my settings. I just setup recently and it works great.

Routing and Remote Access Server Settings (Admin tools)– VPN Server

Properites of Server

General Tab
Enable as Router – LAN and Demand Dial
Remove Access Server

Security Tab
Windows Authentication
Authentication Methods Button
EAP – not ticked
MS-CHAP v2 – TICKED
MS-CHAP – not ticked
CHAP – not ticked
SPAP – not Ticked
Unencyrpted password PAP – Not Ticked
Unauthenticated Access – Does Not allow remote systems to
connect without authentication.

IP Tab
Enable IP Routing
Allow IP-based remote access
DHCP
Adaptor – Internal Network adaptor obtains DHCP, DNS and WINS

PPP Tab
Multilink Connections ticked (all ticked)

Event Logging
Log Errors and Warnings

Remote Access Policies
ISA Server Default Policy
Allow Access if Part of VPN Group
NAS-Port-Type matches “Virtual VPN� AND
Windows-Groups matches “Domain\VPN Users� AND
Day and Time Restrictions matches Sun 6am-2400-Mon 5am-2400
Tunnel-Type matches “Point to Point Tunneling Protocol (PPTP)
Grant Remote Access Permission

Ports Properties
L2TP Ports – 1
Remote access connections ticked
Demand Dial routing ticked
Phone Number xxx.xxx.xxx.xxx (put IP here)
Number of Ports 1

PPTP Ports – 1
Remote access connections ticked
Demand Dial routing ticked
Phone Number xxx.xxx.xxx.xxx (put IP here)
Number of Ports 1

IP Routing – DHCP Relay Agent

Properties – Add IP of DHCP Server

IP Routing - General Properties

Properties of External Connections
General Tab
Input and Output Filters

Inbound Filters
Drop ALL packets except those that meet the criteria below
Source Address Source Mask Destination Address Destination
Mask Protocol Source Port or Type Destination Port or Code
Any Any xxx.xxx.xxx.xxx 255.255.255.255 47 Any Any
Any Any xxx.xxx.xxx.xxx 255.255.255.255 TCP Any 1723
Any Any xxx.xxx.xxx.xxx 255.255.255.255 TCP(est) 1723 Any

Output Filters
Drop ALL packets except those that meet the criteria below
Source Address Source Mask Destination Address Destination
Mask Protocol Source Port or Type Destination Port or Code
xxx.xxx.xxx.xxx 255.255.255.255 Any Any 47 Any Any
xxx.xxx.xxx.xxx 255.255.255.255 Any Any TCP 1723 Any
xxx.xxx.xxx.xxx 255.255.255.255 Any Any TCP(est) Any 1723

Cheers,
Lara


"Paul Smith" wrote:

> Need help setting up a VPN server
>
> Hi all
>
> I just setup a computer with windows 2003 server ent. R2 and i want it to be
> running as a VPN server. It has two network cards, one which is connected to
> the internal network and the other one is connected to a wireless router
> (with cable) which the latter then connects to an ADSL modem for Internet
> connectviity. My question is how can I enable Routing and Remote access on
> this machine and make the server act as a VPN server (giving access to
> internal resources). I am sure this involves some port forwarding from modem
> to router and also a way to translate the IP address to an Internet host
> name (using no-ip.com for example)
>
> Thanks a lot for your help!
>
>
>

"Rob" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Yeah, that's what I've read. What I did to reduce people using the signal
> outside is after business hours, I used the built in rules in the Linksys
> WRT45G to disable internet access before and after business hours. It is a
> public wireless internet router meant only for customers. If I were to use
> RRAS for the vpn server, would I have to have another RRAS box at another
> location maintaining the site-to-site vpn or can I use a vpn endpoint
> router to connect to the RRAS box?

I really can't answer that. You're situation is just too "foggy" for me.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

OK, can I use a Netgear FVS318 VPN Endpoint to connect to the RRAS server?

Rob

"Phillip Windell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "Rob" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Yeah, that's what I've read. What I did to reduce people using the signal
>> outside is after business hours, I used the built in rules in the Linksys
>> WRT45G to disable internet access before and after business hours. It is
>> a public wireless internet router meant only for customers. If I were to
>> use RRAS for the vpn server, would I have to have another RRAS box at
>> another location maintaining the site-to-site vpn or can I use a vpn
>> endpoint router to connect to the RRAS box?
>
> I really can't answer that. You're situation is just too "foggy" for me.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>