Server 2003 VPN and Routing
==============================================================

Introduction:

Server 2003: Microsoft sometimes gets things right, and Routing and VPN looks like an area where they have their act together. Linux can be a pain for routing at times; it has the huge benefit of iptables, but here I didn't have to set up DHCP or some wild NAT script. The VPN side is fairly easy to configure and use, although its options seem limited compared to OpenVPN.

User and Group Configuration
==============================================================

Create groups for each of the users below; call them no_auth, auth_chap, auth_pap and auth_mschap. Put one user in each group.

Tech
Admin
Coordinator
Employee
Reception

Create another group (or use the Enterprise Admins group) and put the following users into that container:

dean1
dean2

Enable time restrictions for all users except the deans: 3 working day shifts and two nights. Enable everyone to dial in.

Before The Install:
==============================================================

To configure the Routing and Remote Access and the Network Address Translation components, your computer must have at least two network interfaces: one connected to the Internet and the other connected to the internal network. You must also configure the network translation computer to use Transmission Control Protocol/Internet Protocol (TCP/IP).

Use the following data to configure the TCP/IP address of the network adapter that connects to the internal network:

TCP/IP address: 192.168.0.1
Subnet mask: 255.255.255.0
No default gateway ( 0.0.0.0 )
Domain Name System (DNS) server: provided by your Internet service provider (ISP); in this case I used the classroom's.
Windows Internet Name Service (WINS) server: provided by your ISP

Use the following data to configure the TCP/IP address of the network adapter that connects to the external network:

TCP/IP address: provided by your ISP
Subnet mask: provided by your ISP
Default gateway: provided by your ISP
DNS server: provided by your ISP
WINS server: provided by your ISP

Install and Configure VPN and Routing
==============================================================
Configuring your remote access/VPN server

To configure a remote access/VPN server, start the Configure Your Server Wizard by doing either of the following:
• From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on.

• To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.

On the Configuration Options page, click VPN access and NAT.
Select the device that connects the machine to the outside network or Internet, and make sure the Enable security option is checked.

Select the device that will be on the inside of the VPN concentrator. The following screen asks how IPs should be assigned to remote clients; choose the default, "automatically". Next, select the device that connects the private network to the server.

We don't want to use RADIUS, so let's just use Routing and Remote Access. Select Finish and the daemon will start itself.

Configuring NAT and allowing VPN clients through:
==============================================================

Configure dynamic IP address assignment for private network clients:
--------------------------------------------------------------

You can configure your Network Address Translation computer to act as DHCP without having to install a DHCP server:

1. Click Start, point to All Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. Expand your server node, and then expand IP Routing.
3. Right-click NAT/Basic Firewall, and then click Properties.
4. In the NAT/Basic Firewall Properties dialog box, click the Address Assignment tab.
5. Click to select the Automatically assign IP addresses by using the DHCP allocator check box. Notice that default private network 192.168.0.0 with the subnet mask of 255.255.0.0 is automatically added in the IP address and the Mask boxes. You can keep the default values, or you can modify these values to suit your network.
6. If your internal network requires static IP assignment for some computers -- such as for domain controllers or for DNS servers -- exclude those IP addresses from the DHCP pool. To do this, follow these steps:
a. Click Exclude.
b. In the Exclude Reserved Addresses dialog box, click Add, type the IP address, and then click OK.
c. Repeat step b for all addresses that you want to exclude.
d. Click OK.

Note: In the exclude section I excluded the address 192.168.0.10, which will be the gateway to the 2nd private network.

Configure name resolution:
-------------------------------------------------------------

To configure name resolution, follow these steps:
1. Click Start, point to All Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. Right-click NAT/Basic Firewall, and then click Properties.
3. In the NAT/Basic Firewall Properties dialog box, click the Name Resolution tab.
4. Click to select the Clients using Domain Name System (DNS) check box. If you use a demand-dial interface to connect to an external DNS server, click to select the Connect to the public network when a name needs to be resolved check box, and then click the appropriate dial-up interface in the list.

Allowing VPN access:
--------------------------------------------------------------

If you want to allow anyone who presents the right credentials, select the Connections to Microsoft Routing and Remote Access Server policy and go to its properties. Choose grant access, and everyone who authenticates can access the VPN.

To configure a policy that limits access by time, go through the wizard as in the Dept' Heads section below and choose Day-And-Time-Restrictions as the condition, then configure it.

Creating an access policy for the Dept' Heads
==============================================================

Open Routing and Remote Access/server name/Remote Access Policies

Right click and select New Remote Access Policy

Click Next on the welcome screen, enter a name and use the wizard option. Keep the selected access method as VPN, and on the User or Group Access screen add the group that contains the deans.

Next, at the authentication methods page, we want the policy to use MS-CHAP v2. Unselect all policy encryption levels except "Strongest encryption (IPSEC 3DES or MPPE 128bit)".

Hit next and finish.
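The two policies described above (time-restricted staff from the user and group section, and the deans' MS-CHAP v2 policy with the strongest encryption) are evaluated by the server in order: the first policy whose conditions all match decides the outcome, and that policy's profile settings are then enforced against the connection. The following Python model is an added example for this tutorial, not the page's or Microsoft's code, and it calls no Windows API. The group names follow the text; the shift schedule, the sample timestamps and the `check` helper are constructed here. The day-and-time rule is modelled as a profile constraint of the staff policy, so an out-of-hours attempt is rejected instead of falling through to a later, more permissive policy.

```python
"""Model of ordered remote access policy evaluation (added example, not RRAS code).

The first policy whose conditions all match decides; its profile constraints are then
enforced. Group names follow the tutorial; the schedule and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Attempt:
    user: str
    groups: FrozenSet[str]
    auth_method: str   # "PAP", "CHAP", "MS-CHAP", "MS-CHAP v2"
    encryption: str    # "none", "MPPE-40", "MPPE-56", "MPPE-128", "IPSec 3DES"
    when: datetime


@dataclass(frozen=True)
class Policy:
    name: str
    conditions: Tuple[Callable[[Attempt], bool], ...]
    grant: bool
    # Profile constraints, checked only after the conditions have matched.
    allowed_auth: Optional[FrozenSet[str]] = None
    allowed_encryption: Optional[FrozenSet[str]] = None
    allowed_hours: Optional[Dict[int, List[Tuple[int, int]]]] = None  # weekday -> [(start, end)]


# Constructed schedule: Mon-Wed day shift, Thu and Fri evening shift (weekday 0 = Monday).
SHIFTS = {0: [(8, 17)], 1: [(8, 17)], 2: [(8, 17)], 3: [(18, 24)], 4: [(18, 24)]}
STAFF_GROUPS = frozenset({"no_auth", "auth_chap", "auth_pap", "auth_mschap"})
DEANS_GROUP = frozenset({"Enterprise Admins"})


def member_of_any(groups: FrozenSet[str]) -> Callable[[Attempt], bool]:
    return lambda a: bool(a.groups & groups)


def within_hours(hours: Dict[int, List[Tuple[int, int]]], when: datetime) -> bool:
    return any(start <= when.hour < end for start, end in hours.get(when.weekday(), []))


def evaluate(policies: List[Policy], attempt: Attempt) -> Tuple[bool, Optional[str], str]:
    """Return (granted, deciding policy, reason). Unmatched attempts are rejected."""
    for p in policies:
        if not all(cond(attempt) for cond in p.conditions):
            continue
        if not p.grant:
            return False, p.name, "policy set to deny"
        if p.allowed_auth is not None and attempt.auth_method not in p.allowed_auth:
            return False, p.name, "authentication method rejected by profile"
        if p.allowed_encryption is not None and attempt.encryption not in p.allowed_encryption:
            return False, p.name, "encryption level rejected by profile"
        if p.allowed_hours is not None and not within_hours(p.allowed_hours, attempt.when):
            return False, p.name, "outside permitted days and times"
        return True, p.name, "granted"
    return False, None, "no policy matched"


# Deans first (no time limit, MS-CHAP v2 and strongest encryption only), then the shift staff.
POLICIES = [
    Policy("Dept Heads", (member_of_any(DEANS_GROUP),), True,
           allowed_auth=frozenset({"MS-CHAP v2"}),
           allowed_encryption=frozenset({"MPPE-128", "IPSec 3DES"})),
    Policy("Staff shifts", (member_of_any(STAFF_GROUPS),), True, allowed_hours=SHIFTS),
]

SUNDAY_3AM = datetime(2024, 1, 7, 3, 0)    # constructed: outside every shift
MONDAY_10AM = datetime(2024, 1, 8, 10, 0)  # constructed: inside the Monday day shift


def check(user: str, groups, auth: str, enc: str, when: datetime):
    return evaluate(POLICIES, Attempt(user, frozenset(groups), auth, enc, when))


if __name__ == "__main__":
    print(check("dean1", ["Enterprise Admins"], "MS-CHAP v2", "MPPE-128", SUNDAY_3AM))
    print(check("dean1", ["Enterprise Admins"], "CHAP", "MPPE-128", SUNDAY_3AM))
    print(check("Tech", ["auth_chap"], "CHAP", "MPPE-40", MONDAY_10AM))
    print(check("Tech", ["auth_chap"], "CHAP", "MPPE-40", SUNDAY_3AM))
    print(check("guest", [], "PAP", "none", MONDAY_10AM))
```

Policy order matters: if the catch-all "grant everyone who authenticates" policy sat above the staff policy, the staff conditions would never be reached and the time limit would have no effect.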

To add PPTP or L2TP ports
==============================================================

1. Open Routing and Remote Access.

2. In the console tree, click Ports.

   Routing and Remote Access/server name/Ports

3. Right-click Ports, and then click Properties.

4. In the Ports Properties dialog box, click either WAN Miniport (PPTP) or WAN Miniport (L2TP), and then click Configure.

5. In Maximum ports, type the number of ports, and then click OK.

Configure 5 Places of Various User Authority:
==============================================================

Create 5 shares with various names by:

Start > Administrative Tools > Computer Management > Shares from the left side menu and right click New Share.

Select where the share should be located and hit Next. Take note of the following screen, because here you name the share, enter a description and learn the share's path.

The next screen is the most important for this series. It lets you define permissions and security settings. Personally I went with the custom settings and used the groups I had created for the VPN users. For example, reception should perhaps be able to read some documents a Dean has put there for them, but not be able to delete or modify files within that share.


Configure routing to use the RIP protocol
==============================================================

If routing is not already configured to use some form of RIP, do the following:

In Routing and Remote Access/server name/IP Routing, right-click General and select New Routing Protocol.

There, select the interface for RIP to run on (I chose the device my private network is running on) and go with the defaults for the rest. You're pretty safe going with the defaults for most things within the scope of this tutorial.

Configure a static route:
==============================================================

In Routing and Remote Access/server name/IP Routing, right-click Static Routes and select New Static Route.

Select the interface that will use the static route; the rest of the information is as follows:

The Destination is the destination network, for example the 192.168.10.0 network is my network 2.
Its network mask is 255.255.255.0 and Gateway is 192.168.0.10.

Note: The destination network is only one hop away, so I left the Metric value at 1.
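How the route just entered is consulted: the router picks the most specific matching network for a destination, and a gateway only works if it is itself on a directly connected network (192.168.0.10 sits on the 192.168.0.0/24 private network, so the static route to 192.168.10.0/24 is usable). The Python below is an added example, not the page's code or the internals of Routing and Remote Access; the private-side routes come from the text, while the 203.0.113.0/24 subnet and 203.0.113.1 gateway are constructed placeholders for the ISP-provided values.

```python
"""Longest-prefix-match forwarding lookup over the tutorial's routing table.

Added example, not RRAS code. Private-side routes follow the tutorial; the
203.0.113.0/24 ISP subnet and its 203.0.113.1 gateway are constructed placeholders.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None means directly connected
    interface: str
    metric: int


ROUTES: List[Route] = [
    # Network 1, directly connected on the private adapter (192.168.0.1/24).
    Route(ipaddress.ip_network("192.168.0.0/24"), None, "Private", 1),
    # The static route from the text: network 2 via the 192.168.0.10 gateway, metric 1.
    Route(ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_address("192.168.0.10"), "Private", 1),
    # Placeholder ISP subnet on the external adapter and the ISP default gateway.
    Route(ipaddress.ip_network("203.0.113.0/24"), None, "Internet", 1),
    Route(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("203.0.113.1"), "Internet", 1),
]


def lookup(dest: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Pick the matching route with the longest mask; ties go to the lowest metric."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(dest: str, routes: List[Route] = ROUTES) -> Optional[Tuple[str, str]]:
    """Return (next-hop address, interface). Directly connected hosts are the next hop themselves."""
    route = lookup(dest, routes)
    if route is None:
        return None
    hop = route.gateway if route.gateway is not None else ipaddress.ip_address(dest)
    return str(hop), route.interface


def unreachable_gateways(routes: List[Route] = ROUTES) -> List[str]:
    """Gateways that are not on a directly connected network; such a static route never forwards."""
    bad = []
    for r in routes:
        if r.gateway is None:
            continue
        via = lookup(str(r.gateway), routes)
        if via is None or via.gateway is not None:
            bad.append(str(r.gateway))
    return bad


if __name__ == "__main__":
    print(next_hop("192.168.10.25"))   # host on network 2, reached via 192.168.0.10
    print(next_hop("192.168.0.50"))    # host on network 1, delivered directly
    print(next_hop("8.8.8.8"))         # everything else goes to the ISP gateway
    print(unreachable_gateways())      # empty when every gateway is directly reachable
```

`unreachable_gateways` is the check worth running before saving a static route: a gateway that is only reachable through another gateway (or not at all) is the usual reason a route appears in the table but traffic still never arrives.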

Firewall Filtering:
=============================================================

# Deny ICMP traffic access to your internal networks.
# Deny ICMP traffic from your internal networks to the Internet
# Allow SMTP traffic in from the internet
# Deny SMTP traffic out on to the internet from network 1 (allow from network 2, the network with your Exchange server on it).

On the box that is the gateway to the Internet:

In Routing and Remote Access/server name/IP Routing/NAT/Basic Firewall, select the interface that connects to the Internet. Right-click it, choose Properties and select Inbound Filters:

Click New, leave the source and destination networks unchecked and select ICMP from the protocols. Leave the other fields blank; Windows will fill them in.
Back at the filter list, make sure Filter Action is set to "Receive all packets except those that meet the criteria below".

Apply, go back to the interface's properties and this time select Outbound Filters.
Do the same as above for ICMP, since we don't want ICMP requests heading to the outside world.

To make sure we also block ICMP from network 1 and from the Internet, add the inbound and outbound rules as above on the Network 2 interface as well; on Network 1 we additionally want to block SMTP on the outbound, which uses TCP port 25, from any:any (source:destination).
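The four requirements at the top of this section can be checked against the filter set before touching the server. The Python model below is an added example for this tutorial, not RRAS code, and configures nothing. It reproduces the two filter actions offered by the GUI (receive everything except what matches, or drop everything except what matches) and the rule that a routed packet must clear the inbound list of the interface it arrives on and the outbound list of the interface it leaves by. The interface names and the 192.168.0.0/24 and 192.168.10.0/24 networks follow the text; the Internet-side addresses are constructed, and placing the SMTP rule on the Internet interface's outbound list, scoped to network 1's source range, is my choice of where the text's "deny SMTP out from network 1" can be enforced.

```python
"""Model of per-interface inbound/outbound packet filters (added example, not RRAS code).

Checks that the filter set enforces the tutorial's four requirements. Network ranges and
interface roles follow the text; Internet-side addresses are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
NET1 = ipaddress.ip_network("192.168.0.0/24")    # network 1, directly behind the RRAS box
NET2 = ipaddress.ip_network("192.168.10.0/24")   # network 2, where the Exchange server sits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "icmp", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    proto: str
    src: ipaddress.IPv4Network = ANY   # leaving the network box unchecked in the GUI means any
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None        # None means any port

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


@dataclass(frozen=True)
class FilterList:
    """One direction of one interface, with the filter action chosen for that list."""
    filters: Tuple[Filter, ...]
    receive_except: bool = True   # True: receive all except matches; False: drop all except matches

    def passes(self, p: Packet) -> bool:
        hit = any(f.matches(p) for f in self.filters)
        return (not hit) if self.receive_except else hit


ICMP_DENY = (Filter("icmp"),)

# Filter lists keyed by (interface, direction). ICMP is denied both ways on every interface as
# in the text; the SMTP rule sits on the Internet interface's outbound list scoped to network 1.
FILTERS: Dict[Tuple[str, str], FilterList] = {
    ("Internet", "in"): FilterList(ICMP_DENY),
    ("Internet", "out"): FilterList(ICMP_DENY + (Filter("tcp", src=NET1, dport=25),)),
    ("Network1", "in"): FilterList(ICMP_DENY),
    ("Network1", "out"): FilterList(ICMP_DENY),
    ("Network2", "in"): FilterList(ICMP_DENY),
    ("Network2", "out"): FilterList(ICMP_DENY),
}


def forwarded(p: Packet, ingress: str, egress: str, filters=FILTERS) -> bool:
    """A routed packet must clear the ingress inbound list and the egress outbound list."""
    return filters[(ingress, "in")].passes(p) and filters[(egress, "out")].passes(p)


def audit(filters=FILTERS) -> Dict[str, bool]:
    """Test each requirement from the text with a constructed representative packet."""
    outside = "198.51.100.7"   # constructed Internet host
    return {
        "deny ICMP from Internet to internal":
            not forwarded(Packet(outside, "192.168.0.20", "icmp"), "Internet", "Network1", filters),
        "deny ICMP from internal to Internet":
            not forwarded(Packet("192.168.10.5", outside, "icmp"), "Network2", "Internet", filters),
        "allow SMTP in from Internet":
            forwarded(Packet(outside, "192.168.10.25", "tcp", 25), "Internet", "Network2", filters),
        "deny SMTP out from network 1":
            not forwarded(Packet("192.168.0.20", outside, "tcp", 25), "Network1", "Internet", filters),
        "allow SMTP out from network 2 (Exchange)":
            forwarded(Packet("192.168.10.25", outside, "tcp", 25), "Network2", "Internet", filters),
    }


if __name__ == "__main__":
    for requirement, ok in audit().items():
        print(f"{'PASS' if ok else 'FAIL'}  {requirement}")
```

Running the audit after every change to the filter lists catches the two mistakes that are easy to make in the GUI: flipping a list's action to "drop all except" (which silently blocks everything not listed, SMTP included) and forgetting that the same ICMP rule has to be repeated on each interface and in each direction.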

References:
=============================================================

http://support.microsoft.com/kb/816581/en-us
http://support.microsoft.com/kb/816573/en-us
