VPN Setup Using RRAS
The purpose of providing server-based (hosted) Virtual Private Network (VPN) connectivity is to allow remote businesses or users to establish a secure connection into a protected private network, in order to perform business-related functions as if those remote users were directly connected at the office.
Two of the most common ways of setting up VPN in a Windows Server environment are 1) Simplified VPN using a standalone Windows Server and 2) VPN using a Dedicated VPN gateway server.
The two primary options for setting up VPN connections in Windows Server (and related clients) are PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol). PPTP is Microsoft’s out-of-the-box, supported protocol, whereas L2TP is slightly more secure and has come to be virtually as popular as PPTP. L2TP is the de facto industry-standard, non-proprietary protocol.
VPN 101 – The Basics
A VPN (aka ‘VPN tunnel’ or just ‘tunnel’) allows connections between two endpoints over a public network (i.e. the Internet) in a secure manner.
The VPN tunnel logically functions as a dedicated WAN link.
The tunnel uses authenticated links to allow connections only by authorized, authenticated users.
The tunnel encrypts the data via PPTP or L2TP – both provide encryption, but only L2TP also includes built-in authentication functionality within the L2TP protocol itself.
a. Windows Server 2003 Standard or Enterprise
b. Two NICs (network interface cards) on whichever is the VPN server
c. The server will use network address translation (NAT)
d. The server will effectively function as a router (between public & private network)
e. Fixed public IP on the outside (external) NIC
f. Fixed non-routable (private) IP on the inside (internal) NIC (e.g. 10.x, 192.x, 172.x)
g. Windows Firewall and Internet Connection Sharing disabled until done with setup
h. Windows Server 2003 as the base platform on the VPN server
i. Dual NICs for the device used as the VPN server.
The following are the details of the RRAS method for setting up VPN on Windows Server.
Simplified VPN Setup Using a Standalone Windows Server with RRAS
If you have a single server or small home or small office network to which you want access and/or you want a single external-facing Windows server to provide VPN capabilities to other parts of your network, you can use what is termed the “light-weight server VPN alternative;” that is to say, enable the Routing and Remote Access Service (RRAS) on the Windows Server and configure it as necessary for VPN connectivity. The best method for accomplishing this is to enable a 2nd NIC (or add, then enable, a 2nd NIC). Note: A Windows server can function as a VPN server using a single NIC, but it is not recommended; using 2 NICs provides added security and, if one NIC fails, the server still can be utilized, just without Internet/VPN connectivity, until the 2nd NIC is replaced.
First, log in to the server with an administrative account.
Next, disable the RRAS service if it is enabled (it will be enabled later by the steps in this document).
Click Start, then Run, then type “services.msc” and click OK or press return. This will take you to the Services control interface. Look for the RRAS service. If it is started, stop it and disable it.
Right-click on the service, then choose “Properties;” once in Properties, set the service for Disabled; and click “Stop.” After ensuring the RRAS service is disabled, click OK, then close the Services control interface.
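The prerequisites listed earlier (items b, e, f and g) and the "RRAS stopped and disabled" state described above can be checked from a prompt before starting the wizard. The script below is an added example, not part of the original article; it assumes Windows PowerShell 2.0 has been installed on the server, and the helper name Test-Rfc1918 is hypothetical.

```powershell
# Added pre-flight check (not from the original article).
# Assumption: Windows PowerShell 2.0 is installed; only WMI classes are used.

function Test-Rfc1918 {           # hypothetical helper: is this IPv4 address private?
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

$findings = @()

# Items b, e, f: two NICs, each with a fixed address, one public and one private.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")
if ($nics.Count -lt 2) { $findings += "Only $($nics.Count) IP-enabled NIC(s); two are expected." }
$private = 0; $public = 0
foreach ($nic in $nics) {
    $ipv4 = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })[0]
    if (-not $ipv4) { continue }
    if ($nic.DHCPEnabled) { $findings += "$($nic.Description): $ipv4 is DHCP-assigned, not fixed." }
    if (Test-Rfc1918 $ipv4) { $private++ } else { $public++ }
}
if ($private -lt 1) { $findings += "No NIC holds a private (RFC 1918) address for the inside network." }
if ($public -lt 1)  { $findings += "No NIC holds a public address for the outside network." }

# Item g and the step above: firewall/ICS off during setup, RRAS stopped and disabled.
# 'SharedAccess' and 'RemoteAccess' are the Windows Server 2003 service names.
foreach ($name in 'SharedAccess', 'RemoteAccess') {
    $svc = Get-WmiObject Win32_Service -Filter "Name = '$name'"
    if (-not $svc) { $findings += "Service $name not found."; continue }
    if ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled') {
        $findings += "$($svc.DisplayName) is $($svc.State)/$($svc.StartMode); expected Stopped/Disabled."
    }
}

if ($findings.Count -eq 0) { "Pre-flight OK: host matches the article's prerequisites." }
else { $findings | ForEach-Object { "CHECK: $_" } }
```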
The steps below include “configuring and enabling” the remote access server and its service.
Steps to Configure & Enable RRAS
a. Click Start, navigate to and click “Control Panel”
b. Double-click “Administrative Tools”
c. Double-click “Routing and Remote Access”
d. Right-click on your device, which will show as a ‘server’
e. Choose “Configure and Enable Routing and Remote Access” (RRAS)
f. At the RRAS setup wizard screen, click “Next”
g. In the setup Wizard, choose “Remote access (dial-up or VPN),” then click “Next.”
h. Select “VPN,” since that is the function this server will perform
i. On the “VPN Connection” screen, choose the external NIC which will connect to the Internet
j. On the “IP Address Assignment” screen, choose the option to assign addresses automatically - this simplifies the overall setup, and allows the VPN client addresses to be assigned from your overall workstation DHCP address pool. Then click “Next.”
k. At the final screen, accept the default of “No, use Routing and Remote Access to authenticate connection requests,” click “Next,” then “Finish,” which will enable the RRAS service
NOTE: We will assume NAT is enabled, since the VPN server will NAT addresses between the inside private network and the outside public network.
The above steps configure the server for “remote access,” but now we must also configure it as a router.
Steps to configure a Windows 2003 Server as a Router
Click Start, Control Panel, Administrative Tools, then click “Routing and Remote Access.” Right-click your server and click “Properties.” On the “General” tab, click the selection for “Router” under “Enable this computer as a,” then click “LAN and demand-dial routing,” then click “OK” to close the properties dialog box.
VPN SETUP DIAGRAM, A LOOK AT PART 2, AND REFERENCES
Diagram of Simplified RRAS VPN using just a Windows 2003 Server as a VPN server.
What to look forward to in Part 2. Part 2 details the steps for VPN Setup Using a Dedicated ISA Server. Also, Part 2 covers steps needed to Authorize VPN Users and steps needed to Setup VPN Client.
Microsoft’s Server VPN setup instructions can be found here.
A TechRepublic VPN setup article can be found here.
Microsoft’s Client VPN setup instructions can be found here.
This post is part of the series: VPN Setup on Windows Server 2003
This two-part series covers the two most common ways of setting up VPN on Windows Server 2003 - Part 1 covers using a Windows Server 2003 server with RRAS; Part 2 covers using a Dedicated ISA VPN gateway server.