VPNs via Windows Server 2003

TechRepublic

Virtual private networks have fast replaced dial-up connections as the preferred method for achieving remote access to corporate information resources. Although Windows NT and 2000 both boast remote access services, including VPN, Windows Server 2003 offers the next level of these services, providing a secure communications mechanism for your users and infrastructure.

Windows Server 2003 provides a number of improvements to VPN/remote access services over the features found in older versions of the operating system. The core support is still there for Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), IP Security (IPSec), Extensible Authentication Protocol (EAP), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), and Remote Access Services (RAS), but there are also some desirable new features.

In Windows Server 2003, Microsoft has improved the reach, security, and availability of the VPN services by providing NAT-aware L2TP/IPSec services and enabling VPN services to be used in conjunction with Network Load Balancing Services. Previously, clients behind NAT devices could not use L2TP/IPSec at all, because the ESP packets that IPSec relies on carry no port numbers for a NAT device to translate; the only option was to fall back to the less secure PPTP.

To use L2TP/IPSec services from behind a NAT device, the remote end of the connection must be running a VPN client that supports two drafts from the IPSec Protocol Working Group, Negotiation of NAT-Traversal in the IKE and UDP Encapsulation of IPSec Packets (later published as RFC 3947 and RFC 3948). With these, the two ends detect the NAT during the IKE exchange and then carry both IKE and ESP inside UDP on port 4500, which a NAT device can translate like any other UDP flow. Microsoft's L2TP/IPSec client has the appropriate support. The Network Load Balancing Services work in conjunction with both PPTP and L2TP/IPSec-based connections.

Windows Server 2003 also includes the ability to support client NetBIOS name resolution without the need for DNS and WINS servers, through a NetBIOS over TCP/IP (NetBT) name resolution proxy service running on the VPN server. This resolves some name resolution problems on the client side of the tunnel.

Up to 1,000 PPTP and 1,000 L2TP connections can be supported in Windows Server 2003 Standard and Enterprise editions, while a single connection of each type is supported in the Web edition. A single connection in the Web edition can help to support a secure remote administration mechanism.

Preparing the Windows Server 2003 system for VPN services
Like most other services in Windows Server 2003, the Routing And Remote Access Services (of which VPN is but one component) are disabled by default. Before you enable them, a couple of things need to be verified. First, are two communications devices (network adapters or modems) enabled on the server? At least one of them must be a network adapter connected to the internal network. After all, the point of a remote access VPN is to provide access to internal network resources from outside the organisation, so one interface has to face the remote clients and another has to face the resources they are reaching.

Second, check to make sure you're running the proper protocols on your server and workstations. Today's typical VPN runs over TCP/IP with either PPTP or L2TP as the tunnelling protocol; with L2TP, it is IPSec that supplies the encryption and integrity protection, since L2TP itself provides neither. To give users access to resources on the internal network via a VPN connection, you must assign them IP addresses. You can do this via the network's existing DHCP server or by defining a static address pool in the Routing And Remote Access Services configuration. Either way, the remote client is also handed DNS and WINS server addresses so that name lookups across the tunnel work properly.

Allowing and restricting access
Any type of remote access to a network opens the potential for abuse and unauthorised access, although you can take steps to mitigate these risks. For example, with Windows Server 2003 RRAS/VPN, a user cannot connect unless remote access is allowed either on the Dial-in tab of the user account or, where the account is set to "Control access through Remote Access Policy" (the default in a native-mode Active Directory domain), by a remote access policy that matches the connection. Those policies let you apply strict conditions and profile settings at the server, such as day-and-time restrictions, maximum session time and idle timeout, Windows group membership, the tunnel type (PPTP or L2TP) the client must use, and the minimum authentication and encryption strength the server will accept, all of which reduce the inherent security risk.

Enabling VPN services
To enable VPN services, you must enable Routing And Remote Access Services, which include VPNs. First, open Start | All Programs | Administrative Tools | Routing And Remote Access on the server where you want to support VPN. Next, right-click on the server name and choose Configure And Enable Routing And Remote Access. This will start a wizard that will help you configure these services.

RRAS includes a number of other capabilities besides VPN services, including NAT and dial-up (PPP). On the Configuration screen, shown in Figure A, you can specify which services you want to enable. For this example, I'll enable only dial-up/VPN.


Figure A
Enable VPN and/or dial-up services on the local server.

Choosing dial-up/VPN brings up the Remote Access screen, shown in Figure B. Here you select which of these services (or both) you want to offer from this server. For this example, I'll choose only the VPN components.


Figure B
This server will allow only VPN connections.

Since VPN servers are generally installed with one interface facing outside the organisation to support remote connections, the wizard will now display the VPN Connection screen, shown in Figure C. You'll need to identify which interface will act in this capacity.


Figure C
The 192.168.1.120 interface is used for remote connections.

On the VPN server in my lab for this exercise, I have two interfaces. The first interface's address is 192.168.1.120/24 and the second's is 192.168.2.2/24. Since this server is in my lab, it does not have a true public address. However, for the purposes of this example, I'll use the 192.168.1.120 interface. Below the interface list, you'll notice a check box indicating that static packet filters can be applied to this interface to allow VPN traffic only. Those filters permit just the PPTP traffic (TCP port 1723 and the GRE protocol, IP protocol 47) and the L2TP/IPSec traffic (IKE on UDP port 500, NAT-T on UDP port 4500, and ESP, IP protocol 50) and drop everything else arriving on or leaving through that interface. I recommend that you enable this feature, especially if this interface is outside the corporate firewall. Bear in mind that the filters apply only to the selected interface, so anything else you expect to reach the server through it, such as remote desktop or file sharing, will be blocked; manage the server through the internal interface instead.
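The same configuration can be scripted rather than clicked through, which is useful when you build more than one VPN server or want the settings under version control. The batch file below is an added example, not code from the original article or from Microsoft; it covers the per-user dial-in setting described under "Allowing and restricting access" and the wizard steps above (enabling RRAS, VPN-only address assignment, the authentication methods, and the "VPN traffic only" static packet filters) using the netsh "ras" and "routing ip" contexts that ship with Windows Server 2003. The interface name "Public", the addresses, the account names and the domain name are assumptions for illustration. Two pieces of syntax are also assumptions and are marked as such in the comments: the "netsh ras set conf" command for switching the service on, and passing a raw IP protocol number to "proto=" for GRE and ESP. Check both against the built-in help ("netsh ras set conf /?" and "netsh routing ip add filter /?") before relying on them, or tick the wizard's check box for the filters instead.

```batch
@echo off
rem Added example: script the VPN server setup described in the article.
rem Assumptions: external interface is named "Public" with address
rem 192.168.1.120, internal network is 192.168.2.0/24, domain is corp.example,
rem users are alice and bob. Run from cmd.exe as an administrator on the server.
set PUBIF=Public
set PUBIP=192.168.1.120

rem --- 1. Switch Routing and Remote Access on (the wizard does this at the end).
rem     "netsh ras set conf" is an assumed syntax; verify with "netsh ras set conf /?".
sc config RemoteAccess start= auto
netsh ras set conf confstate=enabled

rem --- 2. Let this server read the dial-in properties of domain accounts
rem     (adds it to the RAS and IAS Servers group; needs domain admin rights).
netsh ras add registeredserver domain=corp.example server=%COMPUTERNAME%

rem --- 3. Address assignment from a static pool on the internal subnet
rem     instead of the LAN DHCP server, and routing to the whole internal
rem     network rather than to the VPN server alone.
netsh ras ip set addrassign method=pool
netsh ras ip add range from=192.168.2.100 to=192.168.2.150
netsh ras ip set access mode=all

rem --- 4. Accept only MS-CHAP v2 and EAP. PAP/SPAP send passwords in clear or
rem     reversibly, MD5-CHAP needs reversible password storage, MS-CHAP v1 is weak.
netsh ras delete authtype type=PAP
netsh ras delete authtype type=SPAP
netsh ras delete authtype type=MD5CHAP
netsh ras delete authtype type=MSCHAP
netsh ras add authtype type=MSCHAPv2
netsh ras add authtype type=EAP
netsh ras show authtype

rem --- 5. Per-user dial-in permission: "permit" is the Allow access button on
rem     the account's Dial-in tab, "policy" defers to remote access policies.
netsh ras set user name=alice dialin=permit
netsh ras set user name=bob dialin=policy
netsh ras show user name=alice

rem --- 6. Static packet filters on the external interface: permit only VPN
rem     traffic to and from this server's public address, drop everything else.
rem     PPTP control channel, TCP 1723 (port 0 means "any").
netsh routing ip add filter name="%PUBIF%" filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%PUBIP% dstmask=255.255.255.255 proto=tcp srcport=0 dstport=1723
netsh routing ip add filter name="%PUBIF%" filtertype=output srcaddr=%PUBIP% srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=tcp srcport=1723 dstport=0
rem     IKE (UDP 500) and IKE/ESP NAT-T (UDP 4500). UDP 1701 is not opened:
rem     the L2TP packets travel inside ESP.
for %%p in (500 4500) do (
  netsh routing ip add filter name="%PUBIF%" filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%PUBIP% dstmask=255.255.255.255 proto=udp srcport=0 dstport=%%p
  netsh routing ip add filter name="%PUBIF%" filtertype=output srcaddr=%PUBIP% srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=udp srcport=%%p dstport=0
)
rem     GRE (47) for PPTP data and ESP (50) for IPSec. Passing the raw protocol
rem     number to proto= is an assumption; verify with "netsh routing ip add filter /?".
for %%n in (47 50) do (
  netsh routing ip add filter name="%PUBIF%" filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%PUBIP% dstmask=255.255.255.255 proto=%%n
  netsh routing ip add filter name="%PUBIF%" filtertype=output srcaddr=%PUBIP% srcmask=255.255.255.255 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=%%n
)
rem     Default action for anything the filters above do not match.
netsh routing ip set filter name="%PUBIF%" filtertype=input action=drop
netsh routing ip set filter name="%PUBIF%" filtertype=output action=drop
netsh routing ip show filter name="%PUBIF%"

rem --- 7. Start the service and confirm it is accepting connections.
net start RemoteAccess
netsh ras show activeservers
```

Run the filter section only from a console session or over the internal interface: once the drop action is set, nothing but PPTP and L2TP/IPSec will pass through "Public", including the remote desktop session you may be sitting in.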

Talkback (1 comment)

Anonymous -- 02/12/03

    There are cheaper, more effective solutions than using Windows 2003 Server to act as a VPN service.
    I would suggest Linux-based systems rather than Windows.
    Smoothwall is one of several firewall-based systems that has inbuilt VPN facilities; it's free, can run on an old 486 or a more modern system, has a wide user base, and support is available in Australia if needed.
