Windows Security: Build a VPN Server

Secure connections for your remote users are easy enough to provide with a Microsoft Windows 2003 VPN server.

By Ryan Bass | Posted Nov 16, 2007
Page 1 of 2
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

Ryan Bass
We've introduced some fundamental concepts for building a Microsoft Windows Server 2003 VPN server. This week I'll take you step-by-step through a basic remote access VPN deployment.

The very first thing you need to decide when building a Windows VPN server is whether or not to use Microsoft's Internet Authentication Service (IAS) to authenticate users connecting to your VPN. IAS is Microsoft's implementation of RADIUS, and when building a VPN server you can have user's credentials passed off to IAS for verification or you can have users authenticated directly against Active Directory (AD). Using IAS provides several advantages. First, it has better logging capabilities including the ability to send data directly to an SQL database. And second, it provides a central destination for you to point several VPN servers at. This allows you to maintain one set of remote access policies that all of your VPN servers can use. We won't go into too much detail on remote access policies in this article, but in a nutshell they can be characterized as a powerful way to define who is allowed access to your VPN. Assuming that IAS is your choice for authentication, let's jump right into the configuration of an IAS server.

Follow the steps below to install your IAS server. If you are short on hardware it can be installed on the same server you plan to use for VPN access (though this is not recommended for a high security environment).

  1. Start » Control Panel » Add or Remove Programs » Add/Remove Windows Components » Networking Services » Details... » Internet Authentication Service
  2. Start » Administrative Tools » Internet Authentication Service » Right-click "Internet Authentication Service (local) » Register Server in Active Directory
  3. Start » Administrative Tools » Internet Authentication Service » Remote Access Logging » Choose the desired option
  4. Start » Administrative Tools » Internet Authentication Service » right-click RADIUS Clients » New RADIUS Client » enter the appropriate information for your VPN server (you will be asked to enter a shared secret, enter one and save it for later)
  5. If your IAS server has a firewall enabled then make an exception to allow UDP port 1812 from the VPN server

While we have the IAS admin interface open, let's go through the process of adding a remote access policy to allow access to users who are in a specified AD group (the two default groups will not allow anyone to access your VPN server). Here are the steps:

  1. Start » Administrative Tools » Internet Authentication Service » right-click Remote Access Policies » New Remote Access Policy
  2. Choose a name » Next
  3. Choose VPN » Next
  4. Click Add...
  5. Click Locations... and select your domain
  6. Add MyVPNaccessGroup » Next
  7. Leave MS-CHAPv2 as the only option » Next
  8. Leave "Strongest encryption" as the only option » Next » Finish

Finally we need to update our new remote access policy to protect against rogue computers on the remote user's network from using the VPN connection to forward packets through the VPN server. Follow these steps:

Our ISA server is now ready to receive authentication requests from a VPN server. Before you can begin configuring a VPN server, take care of these pre-requisites on the VPN server:

  1. Setup two network interface cards (NICs) on your VPN server, connect one to the internal protected network and connect the other to your DMZ or publicly accessible network (we'll refer to this as the external NIC)
  2. Do not configure DNS or WINS on the external NIC
  3. Do not define default gateways for the internal NIC, only define one default gateway for the external NIC

And now, here are the steps required to configure your new VPN server:

  1. Start » Administrative Tools » Services » Stop the "Windows Firewall/Internet Connection Sharing" service and set the startup mode to Disabled
  2. Start » Administrative Tools » Routing and Remote Access
  3. Right-click the server name and click Configure and Enable Routing and Remote Access (the local firewall service must be disabled)
  4. Choose Remote Access » Next » check the box for VPN » Next
  5. Select the external NIC (notice the check box for "Enable security...") » Next
  6. Select the internal NIC » Next
  7. Choose "Automatically" or "From a specified range of addresses" (this procedure will follow the 2nd option) » Next
  8. Click New... » enter a range of IPs » OK » Next
  9. Choose "Yes, set up this server to work with a RADIUS server" » Next
  10. Enter your IAS server and shared secret » Next » Finish
  11. Routing and Remote Access » YOURSERVER » IP Routing » DHCP Relay Agent » Add the IP address of a DHCP server to the DHCP Relay Agent configuration (note that the DHCP server is required to return information such as default domains, but shouldn't be handing out any IP addresses because set a static pool of addresses)
  12. If your internal network only consists of one network then you're finished! Otherwise, a route will need to be added for clients to get to other internal networks. Routing and Remote Access » YOURSERVER » IP Routing » right-click Static Routes » New Static Route... » enter a route that will get traffic to any subnet on your internal network. The easiest way to do this is to point all traffic for your internal network to the default gateway that the internal NIC is using.

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter