Deploying Virtual Private Networks with Microsoft Windows Server 2003 (Technical Reference)
Now that we can give users access, we need to set up the VPN servers. Deploying the VPN servers for remote access VPN connections consists of the following:
-
Configure each VPN server’s connection to the intranet.
-
Run the Routing And Remote Access Server Setup Wizard.
Windows Server 2003 includes enhanced support for the clustering of L2TP/IPSec VPN servers. For more information, see the topic “Checklist: Enabling and configuring Network Load Balancing” in Windows Server 2003 Help And Support.
Configuring the VPN Server’s Connection to the Intranet
For each VPN server, configure the connection connected to the intranet with a manual TCP/IP configuration consisting of an IP address, a subnet mask, intranet DNS servers, and intranet WINS servers.
Caution | Note that on the intranet connections, you set up DNS and WINS server addresses, where before we told you not to do this for the internet connection. This distinction is vitally important for successful operations. Also, note that you do not set up a default gateway on the intranet connections. You must not configure the default gateway on the intranet connection. Doing so will create default route conflicts with the default route pointing to the Internet. |
Running the Routing And Remote Access Server Setup Wizard
Run the Routing And Remote Access Server Setup Wizard to configure each Windows Server 2003 VPN server by using the following steps:
-
Click Start, point to Programs, point to Administrative Tools, and then click Routing And Remote Access.
-
Right-click your server name, and then click Configure And Enable Routing And Remote Access. Click Next.
-
In Configuration, click Remote Access (Dial-Up Or VPN) and then click Next.
-
In Remote Access, select VPN. If you also want the VPN server to support dial-up remote access connections, select Dial-Up. Click Next.
-
In VPN Connection, click the connection that corresponds to the interface connected to the Internet or your perimeter network, and then click Next.
-
In IP Address Assignment, click Automatically if the VPN server should use Dynamic Host Configuration Protocol (DHCP) to obtain IP addresses for remote access VPN clients. Or, click From A Specified Range Of Addresses to use one or more static ranges of addresses. If any static address range is an off-subnet address range, routes must be added to the routing infrastructure for the VPN clients to be reachable. When IP address assignment is complete, click Next.
-
In Managing Multiple Remote Access Servers, if you are using RADIUS for authentication and authorization, click Yes, Set Up This Server To Work With A Radius Server, and then click Next.
-
In RADIUS Server Selection, configure the primary (mandatory) and alternate (optional) RADIUS servers and the shared secret, and then click Next.
-
-
Click Finish.
-
If prompted, start the Routing And Remote Access service.
By default for PPTP, only 128 PPTP ports are configured on the WAN Miniport (PPTP) device. If you need more PPTP ports, configure the WAN Miniport (PPTP) device from the properties of the Ports object in the Routing And Remote Access snap-in. By default, 128 L2TP ports are also configured.
By default for L2TP, only 128 L2TP ports are configured on the WAN Miniport (L2TP) device. If you need more L2TP ports, configure the WAN Miniport (L2TP) device from the properties of the Ports object in the Routing And Remote Access snap-in. By default, 128 PPTP ports are also configured. If you want to disable the VPN server’s ability to accept PPTP connections, set the number of ports on the WAN Miniport (PPTP) device to 1, and clear the Remote Access Connections (Inbound Only) and Demand-Dial Connections (Inbound And Outbound) check boxes.
By default, the MS-CHAP, MS-CHAP v2, and EAP protocols are enabled.
If you are using Network Access Quarantine Control, install the quarantine listener component on the VPN server. If you are using Rqs.exe from the Windows Server 2003 Resource Kit, modify the Rqs_setup.bat file to include the correct version string for the version of the network policy compliance script that is being run on the remote access clients. Next, run the Rqs_setup.bat file to install the Remote Access Quarantine Agent service.
Категории