Configuring a VPN Solution

8/13/2019 Configuring a VPN Solution

1/36

CONFIGURING A VPN

SOLUTION

Document Purpose

This document describes the requirements and setupprocedures for a VPN solution using Microsoft Windows2000. This document is also intended for the technical userwho has limited understanding of VPN solution and sees tounderstand them in greater detail.

M I C R O S O F T C O N S U L T I N G S E R V I C E S

T E L E C O M M U N I C A T I O N S P R A C T I C E


2/36

Table of Contents

Configuring a VPN Server...........................................................................................1Server Requirements.........................................................................................................................1Disabling Server Services.................................................................................................................1

Configuring VPN Server...................................................................................................................2

Creating a VPN Connectoid.......................................................................................14Building A Connectoid....................................................................................................................1

Post Configuration Settings.............................................................................................................1!


3/36

CONFIGURING AVP NSOLUTION

CONFIGURING A VPN SERVER

In order to provide a secure point of entr ou can use t!e fo""o#in$instructions to setup a Virtua" Private Net#or% &VPN' for (ost co((onenviron(ents) *!en i(p"e(entin$ a VPN so"ution one (ust +e a#are oft!e c!an$es t!is !as on accessin$ data) An data t!at is +e!ind t!e VPNserver needs to +e accessed t!rou$! t!e VPN server un"ess ou are part oft!e VPN LAN) T!is (eans an server t!at ou need to access &notdependent on t!e service insta""ed' #it!out t!e VPN securit (ust +eoutside of t!e VPN se$(ent) T!is is +ecause #it! a VPN server one cannotsin$"e out #!ic! services s!ou"d +e "oc%ed do#n, it is an a"" or not!in$approac!) *!at t!is (eans for a co(pan !ostin$ secure FTP servicest!e server needs to +e sittin$ +e!ind t!e VPN Server)

SERVER RE-UIREMENTS

T!e fo""o#in$ is a +ase"ine for re.uire(ents for a VPN Server) /ou (ust!ave a (u"ti!o(ed server) If t!e server is not (u"ti!o(ed ou #i"" not +ea+"e to insta"" t!e VPN services) /our (ini(u( !ard#are re.uire(entsare as fo""o#s0

Pentiu( 122 or !i$!er processor134 M5 RAM &367 reco((ended'8 G5 9:Microsoft; *indo#s; 3


4/36

License Lo$$in$ ServicePrint Spoo"er

Tas% Sc!edu"erTe"net*indo#s Insta""er

Note! "o not disable the remote registr# ser$ice. %f this ser$ice is disabledthe VPN ser$er will not operate correct.

CONFIGURING VPN SERVER

In t!is section ou #i"" +e ta%en t!rou$! a step@+@step process ofconfi$urin$ a VPN server on a co(puter t!at !as *indo#s 3


5/36

2) T!e Rout"n an! Remote Access Ser#er %RRAS& Setup#iardappears) C"ic% Ne't)

(


6/36

8) :o not c!oose V"rtual pr"#ate net)or* %VPN& ser#erBt!ere is a+u$ in t!e #iard t!at i(proper" confi$ures routin$ &see t!eMicrosoft ?no#"ed$e 5ase artic"e -38228 for (ore infor(ation')Instead, c!oose +anuall, conf"ure! ser#er) C"ic% Ne't)

-


7/36

6) *!en t!e RRAS *iard is co(p"ete, c"ic% F"n"s.)

7) No# ou #i"" #ant to start RRAS #!en pro(pted) C"ic%/es) RRASinitia"ies and s!o#s its MMC interface) Ma%e sure t!at t!e server isse"ected)

0


8/36

) Ne>t, ri$!t@c"ic% t!e server na(e and c!oose Propert"es) T!enc"ic% t!e IPta+)

4) C!oose Stat"c a!!ress pooland c"ic% A!!) Enter a ran$e of IPaddresses t!at t!e RRAS server s!ou"d !and out to re(ote c"ients)In t!is e>a(p"e, t!e ran$e is 1231223$22314$0- C"ic% O5) Note! %f

#ou will ha$e more then 2&' simultaneous users #ou will need spanmore then one subnet.

6


9/36

D) In t!e Use t.e follo)"n a!apter to obta"n D7CP8 DNS8 an!9INS a!!resses for !"al4up cl"entsfie"d, c!oose t!e adaptert!at is connected to our private net#or% or FTP content server) Int!is e>a(p"e, it is :ac* Net)

;


10/36

1t, c"ic% t!e E#ent


11/36

11) Ne>t, ou #i"" need to confi$ure t!e PPTP and L3TP ports) In t!eRRAS interface, se"ect Ports) A "ist of tunne" ports appears in t!eRRAS MMC)

13)Ri$!t@c"ic% Portsand c!oose Propert"es)

>


12/36

12)To confi$ure t!e PPTP ports, se"ect *AN Miniport &PPTP' and c"ic%Conf"ure) 5ecause ou are not creatin$ server@to@server tunne"s#it! t!is server, dese"ect Deman!4!"al rout"n connect"ons%"nboun! an! outboun!&) Increase t!e nu(+er of ports as

necessar for our environ(ent &up to 17,248 (a>i(u(') In t!ise>a(p"e, 1$=ports are confi$ured) C"ic% O5)

18)Since ou are not usin$ IPSec in t!is e>a(p"e, t!ere is no need forL3TP ports) Se"ect 9AN +"n"port %


13/36

16)/ou (a receive a notice indicatin$ t!at current connections (i$!t+e disconnected) C"ic%/es+ecause t!ere are no currentconnections ri$!t no#)

17)Once +ac% in t!e Ports Propert"esdia"o$, c"ic% O5)

1)In t!e RRAS MMC ou #i"" see t!e ne# PPTP ports ou defined)Note0 T!e port identifier nu(+ers (a +e different t!an s!o#n!ere)

11


14/36

14)Fro( t!e RRAS MMC interface, se"ect Remote Access


15/36

1D)Ri$!t@c"ic%


16/36

CREATING A VPN CONNECTOID

In order to create a connectoid a connectoid, in *indo#s D(and*indo#s NT, is an icon representin$ a dia"@up net#or%in$ connection t!at#i"" a"so e>ecute a script for "o$$in$ onto t!e net#or% dia"ed t!at can +edistri+uted to (an users ou (ust first (a%e sure t!at ou !ave t!eConnection Mana$er Ad(inistration ?it insta""ed) In order to verif t!is $oto Prorams|A!m"n"strat"#e Toolsand see if t!e Connect"on +anerA!m"n"strat"on 5"tis present) If it is not ou #i"" need to insta"" it) Toinsta"" it on to a server $o to Sett"ns|Control Panel|A!! Remo#eProrams|A!! Remo#e 9"n!o)s Componentst!en se"ect+anaement an! +on"tor"n tools) Ne>t c"ic% on detai"s and on"se"ect Connect"on +anaer Componentsc"ic% O5, t!en c"ic% Ne'tandfo""o# t!e screen pro(pts) Once ou !ave verified or insta""ed connection

(ana$er ou are read to start)

Note! )ou can use #our own compan# logos for the connectoid. %f #ouwould lie to do this mae sure the logo is in the form of a .bmp file.

5UIL:ING A CONNECTOI:

1) T!e first t!in$ t!at ou need to do is start t!e Connection Mana$erapp"ication + $oin$ to Prorams|A!m"n"strat"#e Tools|Connect"on +anaer A!m"n"strat"on 5"t) Once ou !ave startedt!e app"ication ou #i"" +e at t!e #e"co(e screen #!ic! "oo%s "i%e to

one +e"o#) C"ic% Ne't)

1-


17/36

3) In t!e ne>t step ou #i"" create a ne# service profi"e) Ma%e sure t!eCreate Ne) Ser#"ce Prof"leradio +utton is active) C"ic% Ne't)

10


18/36

16


19/36


2) In t!e ne>t step, ou #i"" +e pro(pted for a service na(e and a fi"ena(e) T!e service na(e is t!e na(e ou #is! to $ive t!econnectoid) T!e fi"e na(e is t!e na(e of t!e e>ecuta+"e fi"e t!at#i"" +e created) /our screen s!ou"d "oo% si(i"ar to t!e one +e"o#)

C"ic% Ne't)

PAGE1PAGE 1


20/36


8) In t!e ne>t step ou are as%ed to (er$e service profi"es) Since oudo not !ave an e>istin$ profi"e c"ic% Ne't)

PAGE3PAGE 3


21/36

6) T!e ne>t step is t!e Support Informat"on dia"o$) T!is #ou"d +e a$ood p"ace to point t!e users to t!e !e"p +utton or provide t!e( ap!one nu(+er to ca"" to $et !e"p) Fi"" in our infor(ation and c"ic%Ne't)

(


22/36

7) T!e ne>t step pro(pts ou for a Realm Name) T!e VPN servicedoes not re.uire a rea"( na(e so ou (a c"ic% Ne't)

) In t!e ne>t step ou are pro(pted for dia"@up net#or%in$ nu(+ers)

Once a$ain, VPNs do not use t!is function so c"ic% Ne't)

-


23/36

4) In t!e ne>t step ou are pro(pted for VPN support) /ou #i"" #antto se"ect T."s Ser#"ce Prof"leas s!o#n +e"o# and c"ic% Ne't)

0


24/36

D) In t!e ne>t step ou are as%ed to provide a server na(e for t!e VPNconnection) /ou can eit!er use t!e IP address or ou can use t!efu"" .ua"ified na(e of t!e server as s!o#n +e"o#) *!en ou arefinis!ed c"ic% Ne't)

1t step, ou are as%ed if ou #is! to use ConnectAct"ons) A connect action #ou"d +e an app"ication or +atc! t!at isrun pre@connect, pre@tunne", post@tunne" and on disconnect) At t!isti(e, ou are not usin$ an so !eselecta"" +o>es as s!o#n +e"o#and c"ic% Ne't)

6


25/36

11)T!e ne>t step #i"" pro(pt ou for an auto app"ications ou #ant torun #!en a user connects) C"ic% Ne't)

;


26/36

13)T!e ne>t step pro(pts ou for a


27/36

18) In t!e ne>t screen ou are pro(pted for a P.one :oo*fi"e) Oncea$ain since #e are not usin$ dia"@up net#or%in$ ou (a c"ic%Ne't)

>


28/36

16)T!e ne>t step pro(pts ou for icons) Accept t!e defau"ts and c"ic%Ne't)

12


29/36

17)Fro( t!e Status4Area4Icon+enuscreen accept t!e defau"ts andc"ic% Ne't)

1)T!e ne>t screen pro(pts ou for a 7elp F"le) If ou !ave acusto(ied !e"p fi"e se"ect it at t!is ti(e) If ou do not, accept t!edefau"t and c"ic% Ne't)

11


30/36

14)Fro( t!e Connect"on +anaer soft#are screen ou #i"" #ant to(a%e sure t!e inc"ude Connect"on +anaer 13$ soft)areisse"ected and c"ic% Ne't)

1$


31/36

1D)Fro( t!e


32/36

31)No# ou #i"" see t!e Rea!, to :u"l! Ser#"ce Prof"le dia"o$ c"ic%Ne't)

1-


33/36

33)T!e fina" step to co(p"ete t!e Connect"on +anaerA!m"n"strat"on 5"t 9"?ar!is ne>t) Accept t!e defau"t fi"e "ocationand c"ic% F"n"s.)

POST CONFIGURATION SETTINGS

5 defau"t t!e connectoid t!at #as created can +e used for eit!er a dia"@upconnection or a VPN connection) *e !ave five &6' (ore steps to ensure a$ood e>perience for our users0

1) First #e need to "ocate t!e e>ecuta+"e for t!e connectoid t!at #eust created) /ou s!ou"d +e a+"e to find t!is under Proram F"les|C+A5|Prof"les|%connecto"! name') In t!is fo"der t!ere is a fi"et!at !as a )CMS e>tension)

10


34/36

3) Ne>t, ou #i"" need to open t!is fi"e up in Notepa!in order to editit) Once ou !ave opened it in notepad, "ocate t!e "ine t!at sas:ia"upH1) /ou #i"" #ant to c!an$e t!e 1 to a < &ero') Once t!is isco(p"eted save t!e fi"e and e>it)

16


35/36

2) No# ou are read to reconfi$ure t!e connectoid usin$ t!eConnect"on +anaer A!m"n"strat"on 5"t) Open up t!eConnect"on +anaer A!m"n"strat"on 5"tand c"ic% Ne't)

8) Fro( t!e ne>t screen, ou #i"" c!oose E!"t t."s e'"st"n ser#"ce

prof"le) T!en c!oose our profi"e fro( t!e drop do#n "ist as s!o#n+e"o# and c"ic% Ne't)

1;


36/36

6) If ou do not need to (a%e an ot!er c!an$es ou can continue toc"ic% Ne'tunti" ou are pro(pted to over#rite t!e e>istin$ fi"e)*!en ou are pro(pted to over #rite e>istin$ fi"e c"ic%/est!enc"ic% F"n"s.on t!e co(p"etin$ connection (ana$er ad(inistration

#iard screen)

At t!is point ou are read to test t!e connectoid ou !ave created) A""t!at ou need to do is distri+ute t!e )e>e fi"e fro( #it!in t!e profi"efo"der to our end users) T!is is a se"f@insta""in$ fi"e t!at !as one or t#opro(pts) A"" our users need to do is run t!e )e>e fi"e fro( t!eirdes%top) T!is #i"" insta"" t!e VPN Connectoid to t!eir "oca" (ac!ine) Ift!e c!oose not to create a s!ortcut on t!eir des%top, t!e can find t!econnectoid under +, Net)or* Propert"eson t!e des%top)

Note! %f #our end users are going through a router or a firewall the#

need to mae sure that the correct ports for VPN are open and therouter or firewall supports *+,. -ere is an e(ample of the port and

protocol. The most common problem is opening the firewalls to allowboth port /2 and *+, pacets 1%P protocol '/ through. Not allfirewalls can do this so #ou might need to consult #our firewalldocumentation as to how to set this up.

Documents

Configuring a VPN Solution