To deploy a PPTP-based remote access solution, perform the following steps:

  • If you are using EAP-TLS authentication, create a certificate infrastructure to issue user certificates to VPN client computers and computer certificates to your authenticating server computers.
  • Connect your VPN server to the Internet.
  • Deploy your AAA infrastructure (including RADIUS servers).
  • Modify your intranet infrastructure to accommodate routing and quarantine.
  • Deploy your VPN clients.


To deploy an L2TP/IPSec-based remote access solution, the steps are:

  • Create a certificate infrastructure to issue computer certificates to VPN client computers and your VPN servers.
  • Connect your VPN server to the Internet.
  • Deploy your AAA infrastructure (including RADIUS servers).
  • Modify your intranet infrastructure to accommodate routing and quarantine.
  • Deploy your VPN clients.

Configuring the VPN Server’s Connection to the Intranet

For each VPN server, configure the connection that is attached to the intranet with a manual TCP/IP configuration consisting of an IP address, a subnet mask, intranet DNS servers, and intranet WINS servers.

Caution: Note that on the intranet connections you set up DNS and WINS server addresses, whereas earlier we told you not to do this for the Internet connection. This distinction is vitally important for successful operation. Also, note that you do not set up a default gateway on the intranet connections.

You must not configure a default gateway on the intranet connection. Doing so creates default route conflicts with the default route that points to the Internet.
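The same intranet-side configuration expressed with netsh (available on Windows Server 2003), as an added example that is not part of the original text: address and mask are set without any gateway argument, DNS and WINS servers are added, and the active routing table is then filtered so that a second default route, the conflict the caution describes, would be visible at once. The interface name "Intranet" and all addresses are constructed placeholders.

```batch
@echo off
rem Added example (not from the page): static TCP/IP configuration for a VPN
rem server's intranet-facing connection using netsh on Windows Server 2003.
rem The interface name and every address below are constructed placeholders.
setlocal
set INTRANET_IF=Intranet

rem Address and mask only. No gateway= argument is passed, because a default
rem gateway on the intranet side would compete with the Internet default route.
netsh interface ip set address name="%INTRANET_IF%" source=static addr=10.0.0.5 mask=255.255.255.0

rem Intranet DNS servers (primary, then secondary).
netsh interface ip set dns name="%INTRANET_IF%" source=static addr=10.0.0.10
netsh interface ip add dns name="%INTRANET_IF%" addr=10.0.0.11 index=2

rem Intranet WINS servers (primary, then secondary).
netsh interface ip set wins name="%INTRANET_IF%" source=static addr=10.0.0.12
netsh interface ip add wins name="%INTRANET_IF%" addr=10.0.0.13 index=2

rem Verification: list default routes (destination 0.0.0.0, mask 0.0.0.0).
rem Under "Active Routes" exactly one line should appear, with its gateway on
rem the Internet-facing interface; a second one means the intranet connection
rem was given a gateway. ("Persistent Routes" may repeat the Internet entry.)
echo Default routes in the routing table (expect one active entry):
route print | find " 0.0.0.0 "
endlocal
```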

Running the Routing And Remote Access Server Setup Wizard

Run the Routing And Remote Access Server Setup Wizard to configure each Windows Server 2003 VPN server by using the following steps:

1. Click Start, point to Programs, point to Administrative Tools, and then click Routing And Remote Access.
2. Right-click your server name, and then click Configure And Enable Routing And Remote Access. Click Next.
3. In Configuration, click Remote Access (Dial-Up Or VPN) and then click Next.
4. In Remote Access, select VPN. If you also want the VPN server to support dial-up remote access connections, select Dial-Up. Click Next.
5. In VPN Connection, click the connection that corresponds to the interface connected to the Internet or your perimeter network, and then click Next.
6. In IP Address Assignment, click Automatically if the VPN server should use Dynamic Host Configuration Protocol (DHCP) to obtain IP addresses for remote access VPN clients. Or, click From A Specified Range Of Addresses to use one or more static ranges of addresses. If any static address range is an off-subnet address range, routes must be added to the routing infrastructure for the VPN clients to be reachable. When IP address assignment is complete, click Next.
7. In Managing Multiple Remote Access Servers, if you are using RADIUS for authentication and authorization, click Yes, Set Up This Server To Work With A RADIUS Server, and then click Next.
   • In RADIUS Server Selection, configure the primary (mandatory) and alternate (optional) RADIUS servers and the shared secret, and then click Next.
8. Click Finish.
9. If prompted, start the Routing And Remote Access service.

By default for PPTP, only 128 PPTP ports are configured on the WAN Miniport (PPTP) device. If you need more PPTP ports, configure the WAN Miniport (PPTP) device from the properties of the Ports object in the Routing And Remote Access snap-in. By default, 128 L2TP ports are also configured.

By default for L2TP, only 128 L2TP ports are configured on the WAN Miniport (L2TP) device. If you need more L2TP ports, configure the WAN Miniport (L2TP) device from the properties of the Ports object in the Routing And Remote Access snap-in. By default, 128 PPTP ports are also configured. If you want to disable the VPN server’s ability to accept PPTP connections, set the number of ports on the WAN Miniport (PPTP) device to 1, and clear the Remote Access Connections (Inbound Only) and Demand-Dial Connections (Inbound And Outbound) check boxes.

By default, the MS-CHAP, MS-CHAP v2, and EAP protocols are enabled.

If you are using Network Access Quarantine Control, install the quarantine listener component on the VPN server. If you are using Rqs.exe from the Windows Server 2003 Resource Kit, modify the Rqs_setup.bat file to include the correct version string for the version of the network policy compliance script that is being run on the remote access clients. Next, run the Rqs_setup.bat file to install the Remote Access Quarantine Agent service.

Manually Configuring VPN Clients

The easy way to set up a user’s client system is to manually create the VPN connectoid using the built-in wizards. If you have a small number of VPN clients, you can manually configure VPN connections for each VPN client. For Windows 2000 VPN clients, use the Make New Connection Wizard to create the Internet and VPN connections and link them together so that when you connect using the VPN connection, the Internet connection is automatically made. For Windows XP VPN clients, use the New Connection Wizard to create the Internet and VPN connections.

As stated previously, this works for a small number of users, but for large corporations this method can easily scale out of control. That is why we have Connection Manager (CM) and the Connection Manager Administration Kit (CMAK).

Configuring CM Packages with CMAK

Corporations rarely run only one version of Windows, and even if they do, the users’ home computers might not have the latest versions of Windows operating systems. For a large number of VPN clients running different versions of Windows, you should use CMAK to create and distribute customized CM profiles for your users.

One of the capabilities of a CM profile is to run preconnect and postconnect actions (scripts) during the VPN sessions of your users. This capability makes CM the best way to implement the quarantine features of Windows Server 2003. If you are using Network Access Quarantine Control, create the CM package to contain the following:

• A postconnect action setting that runs a network policy requirements script
• That network policy requirements script

  This script performs validation checks on the remote access client computer to verify that it conforms to network policies. The script can be a custom executable file or a simple command file (also known as a batch file). When the script has run successfully and the connecting computer has satisfied all the network policy requirements (as verified by the script), the script runs a notifier component (an executable) with the appropriate parameters and, optionally, copies the latest version of the script from a quarantine resource.

  If the script does not run successfully, it should direct the remote access user to a quarantine resource such as an internal Web page, which describes how to install the components that are required for network policy compliance.

• A notifier component

  The notifier component sends a message that indicates a successful execution of the script to the quarantine-compatible remote access server. You can use your own notifier component, or you can use Rqc.exe, which is provided with the Windows Server 2003 Resource Kit. If you use Rqc.exe, run it from the script with the correct parameters, including the script version.
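As an added example (not from the book, the Resource Kit or Microsoft), here is a minimal command-file version of such a network policy requirements script: two placeholder compliance checks, a call to Rqc.exe when both pass, and a redirect to the quarantine resource when either fails. The Rqc.exe argument order, the CM profile variables (%DialRasEntry%, %TunnelRasEntry%, %Domain%, %UserName%) and the default Rqs.exe listening port are taken from my reading of the Resource Kit documentation and should be treated as assumptions; the registry check, marker file, URL and version string are constructed.

```batch
@echo off
rem Added example (not from the page, the Resource Kit or Microsoft): a CM
rem postconnect network policy requirements script that notifies Rqs.exe via
rem Rqc.exe on success. Both policy checks are hypothetical placeholders; the
rem remediation URL and the script version are constructed values. CM is
rem assumed to expand %DialRasEntry%, %TunnelRasEntry%, %Domain% and
rem %UserName% when it launches the postconnect action.
setlocal
rem Must match the version string configured in Rqs_setup.bat on the VPN server.
set SCRIPT_VERSION=1.0
rem TCP port Rqs.exe listens on; 7250 is assumed to be its default here.
set RQS_PORT=7250
set QUARANTINE_URL=http://quarantine.example.com/remediate.htm

rem Check 1 (placeholder policy): Windows Firewall enabled for the standard profile.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall | find "0x1" >nul
if errorlevel 1 goto noncompliant

rem Check 2 (placeholder policy): marker file left by the approved patch baseline.
if not exist "%SystemRoot%\baseline-ok.txt" goto noncompliant

rem Compliant: tell the remote access server to lift the quarantine filters.
rem Assumed Rqc.exe argument order:
rem   ConnName TunnelConnName TCPPort Domain UserName ScriptVersion
rqc.exe "%DialRasEntry%" "%TunnelRasEntry%" %RQS_PORT% "%Domain%" "%UserName%" %SCRIPT_VERSION%
if errorlevel 1 (
    echo Notification to the remote access server failed; client stays quarantined.
    exit /b 1
)
exit /b 0

:noncompliant
rem Send the user to the quarantine resource that explains the required components.
start "" "%QUARANTINE_URL%"
exit /b 1
```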
