Da LAN Tech

Article by Hardrive    (Monday August 12th 2002 03:32 PM)
One of the hottest new technologies in the networking world is Virtual Private Networking (VPN). A VPN allows multiple secure and private connections to your company's LAN from anywhere in the world using the Internet. The connection is private, requiring a username/password, and is secured using Point-to-Point Tunneling Protocol (PPTP) or Microsoft's new Layer 2 Tunneling Protocol (L2TP) over Internet Protocol Security (IPSec). By "tunneling" (encapsulating one protocol inside another) and by encryption, a VPN maintains privacy over the Internet.

The client computers connect to WAN Miniports and virtual PPP adapters with IP addresses issued by the VPN DHCP Server. These adapters and addresses may be viewed from a Command Prompt by typing ipconfig /all after the connections are established.

A note of interest: Microsoft's L2TP over IPSec does not support Network Address Translation (NAT), so it will not work through NAT routers such as the Netgear RT314. However, this router and others like it will support VPN using PPTP.
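The NAT limitation above is easiest to see with a small model of what a NAT router actually changes. The following is an added example, not code from the article: it builds an L2TP-over-UDP datagram, wraps it the way IPsec transport mode does (ESP authenticates only its own payload; AH also covers the outer source and destination addresses), lets a NAT rewrite the outer source address, and then runs the receiver's checks. Encryption is left out of the model because its only effect on this question is that the NAT cannot read or patch the inner UDP checksum, which the model enforces by never letting nat_rewrite() touch the body. Addresses are from the documentation ranges and the key is a placeholder.

```python
"""Model of why L2TP/IPsec (ESP transport mode) breaks behind a NAT that
rewrites the outer source address.  Constructed example; addresses are
documentation ranges and the key is a placeholder."""
import hashlib
import hmac
import socket
import struct

L2TP_PORT = 1701
UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum used by the IP and UDP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> int:
    """RFC 768 checksum: it covers a pseudo-header that includes the IP source
    address, which is exactly the field a NAT rewrites."""
    length = 8 + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, UDP_PROTO, length)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = (~ones_complement_sum(pseudo + header + payload)) & 0xFFFF
    return csum or 0xFFFF  # a computed zero is transmitted as all ones


def build_l2tp_udp(src_ip: str, dst_ip: str, l2tp: bytes) -> bytes:
    """UDP datagram carrying an L2TP message, checksum filled in by the sender."""
    csum = udp_checksum(src_ip, dst_ip, L2TP_PORT, L2TP_PORT, l2tp)
    return struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), csum) + l2tp


def ipsec_icv(key: bytes, src_ip: str, dst_ip: str, body: bytes, mode: str) -> bytes:
    """Integrity check value.  ESP authenticates only its own payload; AH also
    covers the immutable parts of the outer IP header (source and destination)."""
    covered = body if mode == "esp" else socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + body
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]


def wrap_ipsec(src_ip: str, dst_ip: str, body: bytes, key: bytes, mode: str = "esp") -> dict:
    """Outer packet as the receiver sees it: addresses, opaque body and ICV."""
    return {"src": src_ip, "dst": dst_ip, "mode": mode, "body": body,
            "icv": ipsec_icv(key, src_ip, dst_ip, body, mode)}


def nat_rewrite(pkt: dict, public_ip: str) -> dict:
    """Source NAT: rewrites the outer source address and nothing else, because
    the IPsec body is opaque to it."""
    return {**pkt, "src": public_ip}


def receive(pkt: dict, key: bytes) -> dict:
    """Receiver side: IPsec integrity check, then the UDP stack's checksum check."""
    icv_ok = hmac.compare_digest(
        ipsec_icv(key, pkt["src"], pkt["dst"], pkt["body"], pkt["mode"]), pkt["icv"])
    sport, dport, _length, csum = struct.unpack("!HHHH", pkt["body"][:8])
    udp_ok = csum == udp_checksum(pkt["src"], pkt["dst"], sport, dport, pkt["body"][8:])
    return {"icv_ok": icv_ok, "udp_checksum_ok": udp_ok}


def run_scenarios(key: bytes = b"placeholder-demo-key") -> dict:
    """Direct ESP, ESP behind a NAT, and AH behind a NAT."""
    client, server, nat_public = "192.168.1.10", "198.51.100.7", "203.0.113.5"
    l2tp = b"\xc8\x02\x00\x0c"  # constructed stand-in for an L2TP control message
    datagram = build_l2tp_udp(client, server, l2tp)
    return {
        "esp_direct": receive(wrap_ipsec(client, server, datagram, key, "esp"), key),
        "esp_behind_nat": receive(nat_rewrite(wrap_ipsec(client, server, datagram, key, "esp"), nat_public), key),
        "ah_behind_nat": receive(nat_rewrite(wrap_ipsec(client, server, datagram, key, "ah"), nat_public), key),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:15s} {result}")
```

The interesting row is esp_behind_nat: the IPsec integrity check still passes, because ESP never covered the outer address, but the UDP checksum the client computed over its private address no longer matches the public address the server sees, so the L2TP datagram is discarded after decryption. With AH the failure is earlier, at the ICV. The later NAT-Traversal extensions (UDP encapsulation of ESP, RFC 3948) exist to work around exactly this.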

Once your Windows 2000 Server is configured for VPN and has an Internet connection established, usually a T1 or larger pipe, all that is required is a Windows NT or Windows 9x client computer configured for VPN with an Internet connection through a local ISP, or, if you would like to create a VPN WAN, a second Windows 2000 VPN Server.

The client computer makes a "local call" to the Internet and then establishes a VPN connection to your LAN's Windows 2000 VPN Server. This eliminates the expense of long-distance charges, designated 1-800 or "call back" numbers, and the hardware modem pools required by the older technology, Remote Access Service (RAS). RAS requires telephone lines and restricts your connections to 56k or slower using analog modems. VPN is not restricted to a 56k analog modem connection where ISDN, DSL or cable broadband is available.

Configuring the Server:

My first recommendation would be to feed your Server a lot of RAM as this feature eats it for breakfast, lunch, and dinner...

First go to the Administrative Tools, Routing and Remote Access. Add your server if necessary. Then configure and enable Routing and Remote Access with the wizard.

Select VPN Server, and on the next screen make sure the TCP/IP protocol is listed as installed.

Then select your proper Internet connection.

The next screen allows you to select whether to use DHCP to issue IP addresses or to add a static pool. This service assigns virtual IP addresses to your VPN connections and differs from your DHCP Server issuing IP addresses to clients connected by cable to your internal LAN. Some planning at this point is advisable, as the default VPN DHCP selection will give you 128 WAN Miniports for PPTP and another 128 for L2TP. These values may be adjusted later, from a minimum of two to a maximum of 16,384. That's a lot of connections.

The next selection will ask if you want to set up Remote Authentication Dial-In User Service (RADIUS). This sets up a RADIUS Server that sits on top of and controls multiple VPN Servers. I chose "no" as I was running out of Servers.

Then click Finish and the Routing and Remote Access/VPN Service will start, denoted by the green up arrow on your server.

I elected to minimize the number of ports/connections by adjusting the Ports properties to five.

To finalize the Server setup, you must grant your users permission to Dial-In. This is accessed through Administrative Tools, Active Directory Users and Computers. Double-click on the users you want to give access permission and select the Allow access radio button.

Client configuration:

Use the Make New Connection Wizard and select Connect to a private network through the Internet.

Next you will need to know the VPN Server's IP address.

On the following screen, select For All Users if you will be connecting VPN Server to VPN Server and want the rest of your internal network to access the remote network. The OS accomplishes this using Internet Connection Sharing (ICS). Again, some pre-planning is advisable prior to this point, as ICS will reconfigure your Server's internal network IP address into the 192.168.0.1 range for Network Address Translation (NAT). If you have previously configured your internal network at a different address, you will have to reconfigure all of your client machines.

Click Finish and you will be ready to access your remote LAN via VPN. Be sure to use an account that has been granted the correct permission to Dial-In on the remote VPN Server.

The Connection:

The initial WAN connection, using two Windows 2000 Servers with GENOME1432 in MA connecting to myself in CA, posed a couple of interesting problems.

The first was finding the remote connected Server, as it does not show up in your Network Neighborhood browser. GENOME1432 was able to find and access my server by using the Universal Naming Convention (UNC), "\\server name" in his browser.

My locating the remote server was a different problem. You must use the IP address that the VPN DHCP Server issues. This is located by going to the properties of the connected or active WAN Miniport. I then used Find Computer with the VPN IP address. To access the Server, an account with Dial-In permissions was also needed on the remote end.
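The address the VPN DHCP Server issued can also be read from the ipconfig /all output mentioned earlier, where each virtual connection shows up as a "PPP adapter" rather than under the WAN Miniport name. The parser below is an added example, not code from the article or from Windows: it splits the output into adapter sections, reads the dotted "Key . . . : value" fields, and returns the addresses of the PPP adapters only. The sample output is constructed in the Windows 2000 layout, with placeholder addresses; the RRAS dial-in interface name is an assumption about what the server side lists.

```python
"""Parse `ipconfig /all` output and pick out the virtual PPP adapters that a
VPN connection creates.  Added example: the sample output below is constructed
in the Windows 2000 layout, not captured from the article's machines."""
import re
from typing import Dict, List, Tuple

# Constructed sample: one physical NIC, one RRAS dial-in interface (assumed
# name) and one client-style VPN connection.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : server1
        Primary DNS Suffix  . . . . . . . : example.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : Yes

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Generic 10/100 PCI Adapter
        Physical Address. . . . . . . . . : 00-53-00-AA-BB-CC
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.254

PPP adapter RAS Server (Dial In) Interface:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.10.10.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :

PPP adapter Virtual Private Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.10.10.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 10.10.10.2
"""

# "Ethernet adapter Local Area Connection:"  ->  kind, name
ADAPTER_RE = re.compile(r"^(?P<kind>\w+) adapter (?P<name>.+):$")
# "        IP Address. . . . . . : 192.168.0.1"  ->  key, value
FIELD_RE = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]*:\s?(?P<val>.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Return {adapter name: {field: value, ..., "kind": "Ethernet" | "PPP" | ...}}.
    Lines before the first adapter header (the global section) are ignored."""
    adapters: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group("name")
            adapters[current] = {"kind": header.group("kind")}
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            adapters[current][field.group("key").strip()] = field.group("val").strip()
    return adapters


def vpn_addresses(text: str) -> List[Tuple[str, str]]:
    """(adapter name, IP address) for every PPP adapter that has an address:
    these are the virtual VPN interfaces, not the cabled LAN adapter."""
    return [(name, fields["IP Address"])
            for name, fields in parse_ipconfig(text).items()
            if fields["kind"] == "PPP" and fields.get("IP Address")]


if __name__ == "__main__":
    for name, ip in vpn_addresses(SAMPLE_IPCONFIG):
        print(f"{name}: {ip}")
```

On a real machine, pipe the command's output into the parser (for example, save ipconfig /all to a file and pass its contents to vpn_addresses); the /32 subnet mask and the gateway equal to the adapter's own address are the usual tell-tales of a PPP link, which is why the filter keys on the adapter kind rather than on the address range.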

After accessing the remote Server, you are able to map network drives that reconnect at logon, which eliminates repeating the location process. This may not work when the VPN connection is broken and then re-established if the IP addresses are dynamic, as there is no way to reserve an address or set a lease duration. I solved this problem by creating a minimum Special Range of Addresses pool.

After the VPN WAN connection was established, the remote Server requesting the connection could share its connection to the rest of its internal LAN, but the local Server was unable to do so. This is where the fun began...

We decided to make a second connection or loop back so the local Server could share the connection with its internal LAN. This was successful and worked as planned with both Servers sharing with their internal LANs and a true WAN established.

I must admit at this point, and I quote GENOME1432, "Our DSL modems started looking like Close Encounters Of The Third Kind".

This double connection eats up bandwidth, and I have since bolted my modem down so it doesn't levitate.

Mad props go out to Genome1432, without his help this article would not have been possible.
