
Step-by-Step Guide: How To Set Up A VPN: Howtosetupavpn

The document provides step-by-step instructions for setting up a VPN using Microsoft products. It requires three Windows 2003 servers - one for infrastructure services like DHCP and DNS, one as a VPN server with two network cards, and one as an IAS authentication server. It describes installing and configuring the necessary roles and services on each server including DHCP, a certificate authority, and IAS. The steps also cover configuring a remote access policy and testing the client connection.

Uploaded by

jamilpervaz1
Copyright
© Attribution Non-Commercial (BY-NC)

Step-by-Step Guide: How to set up a VPN

By Brien M. Posey
21 Mar 2005 | SearchExchange.com

Solutions for keeping remote users connected to Exchange Server have traditionally centered around using
Outlook Web Access. However, there is no reason why your remote users can't connect to your Exchange
organization using a Virtual Private Network (VPN).

In case you aren't familiar with VPN technology, a VPN is a logical, secure connection across an insecure
network, such as the Internet. Remote users can use their existing Internet connections to securely connect to
your network, just as if they were in the office. Better still, VPN technology is Exchange-independent. This
means your remote users can use your VPN connection to access Exchange Server regardless of the version,
and can also access other network resources.

VPN technology is extremely useful in organizations with a lot of remote users, but it can be somewhat
complicated to set up. This guide will walk you step-by-step through the process.

HOW TO SET UP A VPN


Home: Introduction
Step 1: Setup requirements
Step 2: Implement DHCP services
Step 3: Create an enterprise certificate authority
Step 4: Install IAS
Step 5: Configure IAS
Step 6: Create a remote access policy
Step 7: Configure the VPN server
Step 8: Associate the VPN server with the DHCP server
Step 9: Configure your remote clients
Step 10: Test the client connection
Step 11: Alternate VPN configuration options

Step 1: Setup requirements

There are hardware- and software-based VPN solutions. In this step-by-step guide, I will be explaining a
software approach to creating a VPN using Microsoft products.

To create a VPN, you will need three separate Windows 2003 servers and at least one remote client. The
remote client's machine needs to be running Windows XP.

The first Windows 2003 server your VPN will need is basically an infrastructure server. It must act as a domain
controller, DHCP server, DNS server and certificate authority. If you already have a Windows 2003 network
in place, you don't need to go out and buy a server to fit this role.

Any Windows 2003 domain will already have at least one domain controller and one server acting as a DNS
server. Most Windows 2003 networks are also running DHCP services. If you already have all these services in
place, the only thing you will have to worry about is setting up a certificate authority (which I show you how to do
in Step 3). The only thing you need to know for now is that the server that's acting as a certificate authority must
be running Windows Server 2003 Enterprise Edition.

The second server you will need is a VPN server. Windows Server 2003 Standard Edition and Enterprise Edition
both ship with the necessary software. Therefore, you won't need any special software on this server. The only
specific hardware this server needs is two NICs. One NIC will connect to the Internet and the other will connect
to your private corporate network.

The final server you will need is an authentication server. When remote users attempt to access your corporate
network through a VPN, they need to be authenticated. The mechanism of choice for authenticating remote
users is a RADIUS server. RADIUS is an acronym standing for Remote Authentication Dial In User Service.
Microsoft includes its own version of RADIUS in Windows Server 2003 Standard Edition and Enterprise Edition.
The Microsoft version of RADIUS is called Internet Authentication Service (IAS). There are no special
hardware or software requirements for this server.

The last thing that I want to talk about as part of this step in the tutorial is server placement. Each of the
servers I have discussed will be connected to your private network via a hub or switch. The only server that will
have any external connectivity is your VPN server. It is a security risk to connect the VPN server directly to the
Internet though. It is best to place a firewall in front of the VPN server so you can filter out everything but VPN
traffic.

In Step 2, we'll begin the domain configuration process. Your network should contain the required Windows
Server 2003 domain controller and DNS server before moving on to the next step.

Step 2: Implement DHCP services

1. Open the server's Control Panel and select Add or Remove Programs.
2. When the Add or Remove Programs dialog box appears, click the Add/Remove Windows
Components button.
3. Select the Networking Services option and then click Details.
4. Now select Dynamic Host Configuration Protocol (DHCP) from the list of network services, then click
OK, followed by Next.

Windows will now install the DHCP services. When the installation completes, you will have to create an
address scope and authorize the DHCP server to function on your network.

5. To do so, select the DHCP option from the Administrative Tools menu to open the DHCP console.
6. Right click on your server within the DHCP console and select Authorize.
7. After you authorize the DHCP server, right click on the server's listing within the console again and
select New Scope. This will launch the New Scope Wizard.
8. Click Next to bypass the wizard's welcome screen.
9. Enter a name for the scope that you are creating then click Next. (You can call it anything you want, but
for the purposes of this tutorial, I will be referring to the scope as 'Corporate Network.')
10. You will now be asked to enter an IP address range. Just specify a start and end address that is
consistent with the IP addressing scheme you are already using, but that does not overlap any existing
addresses. The Length and Subnet Mask fields will be filled in for you automatically.
11. The next three screens contain settings that you don't have to worry about. Just click Next three times
until you reach the Router (Default Gateway) screen.
12. Enter the IP address of your network's default gateway, click Add, then Next.
13. Type in the name of your domain and the IP address of your DHCP server and click Next.
14. Click Next again to skip the WINS configuration screen.
15. Finally, verify that the Yes, I Want To Activate The Scope Now option is selected then click Next and
Finish.

Step 3: Create an enterprise certificate authority

Before I show you how to create an enterprise certificate authority, I want to give you a few words of caution.
Installing a certificate authority is not a process to be taken lightly. If someone gains unauthorized access to
your certificate authority, that person pretty much owns your network. Likewise, if a certificate authority server
crashes, it can be devastating to your network.

Therefore, protect your certificate authority server the way you would protect a nuclear bomb. Make sure that it
is as secure as possible and that you perform full system backups frequently. You also want to protect those
backups so they are not accidentally compromised.

1. With that said, select Add/Remove Programs from the Control Panel and click the Add/Remove
Windows Components button.
2. Choose Certificate Services from the list of Windows components.
3. You will see a warning message indicating that you won't be able to rename the machine or change its
group membership after the certificate services are installed. Click Yes to acknowledge the warning and
then click Next to begin installing the certificate authority.
4. Choose Enterprise Root CA as the type of certificate authority you want to install and click Next.

You will now be prompted to enter a common name for the certificate authority. You must also select a
certificate validity period. The default setting allows certificates to be valid for five years, but you can
increase or decrease this time frame according to your own corporate security policy.

5. Fill out these two items, then click Next. Windows will begin generating cryptographic keys.
6. You will be prompted to enter a location for the certificate database. Select the default location (unless
you want to place the databases onto a volume with better performance or fault tolerance) and click
Next.
7. You will now see a message indicating that Windows must restart the IIS services. Click 'Yes' and
Windows will install the necessary components.

Step 4: Install IAS

IAS is the Windows Server 2003 implementation of RADIUS. The IAS server will authenticate users who enter
your corporate network through the VPN connection. As such, your IAS server must be a member server in
one of your domains and must be running Windows Server 2003.

1. To install IAS, open the Control Panel and choose the Add/Remove Programs option.
2. When the Add or Remove Programs dialog box appears, click Add/Remove Windows Components.
3. Select the Networking Services option and click Details.
4. Now, choose the Internet Authentication Service option.
5. Click OK, followed by Next, to install IAS.


Step 5: Configure IAS

1. Go to Administrative Tools -> Internet Authentication Service.
2. From here, the first thing you need to do is to register your IAS server with Active Directory. To do so,
right click on the Internet Authentication Service (Local) container and select Register Server in
Active Directory.
3. Click OK to complete the registration process.
4. Now, right click on the RADIUS Clients container and select New RADIUS Clients. If you happen to
know the IP address or DNS name of one of your client machines, go ahead and enter it along with a
friendly name. Otherwise, leave it for now, as we'll be filling it in later when we set up the client
connections anyway.
5. Click Next.
6. You will now be prompted for a shared secret. A shared secret is a key that the RADIUS server and its
client both hold; the same value is entered on the VPN server in Step 7. Make sure that the Client
Vendor option is set to RADIUS Standard, enter a shared secret, and click Finish.

Step 6: Create a remote access policy

1. Right click on the Remote Access Policies container and select the New Remote Access Policy
option. This will open the New Remote Access Policy Wizard.
2. Click Next to bypass the wizard's Welcome screen.
3. Verify that the Typical Policy for a Common Scenario option is selected and then enter 'VPN Access'
as the policy name and click Next.
4. Select the VPN option and click Next again.
5. This screen gives you the opportunity to apply the policy to either users or groups. If you haven't already
done so, I recommend taking a time out to create an Active Directory group based on users who will
access the network through the VPN. You can then assign this group to the policy that you are creating.
6. Click Next and you will see the Authentication Methods screen.
7. Verify that MS-CHAP v2 is selected and click Next.
8. Confirm that only the Strongest Encryption option is selected and click Next, followed by Finish.

Step 7: Configure the VPN server

1. Begin by opening the server's Network Connections folder and renaming the connections to
something more meaningful. For example, you might name the connections Corporate and Internet,
or something like that.
2. Go to Administrative Tools -> Routing and Remote Access to open the Routing and Remote Access
console.
3. Right click on your VPN server in the console tree and select Configure and Enable Routing and
Remote Access. This will launch the Routing and Remote Access Server Setup Wizard.
4. Click Next to bypass the wizard's welcome screen. You will then see the wizard's configuration screen.
5. Select Remote Access (Dial-Up or VPN) and click Next.
6. Mark the VPN checkbox and click Next.
7. You will now see a screen that displays your machine's network connections. Select the connection
attached to the Internet, verify that the Enable Security checkbox is selected and click Next.
8. Verify that Automatically is selected and click Next.
9. Now choose the option to set the server up to work with a RADIUS Server and click Next.
10. Enter the IP address of your RADIUS server and the shared secret that you assigned to the RADIUS
Server.
11. Click Next, then Finish.
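
How the shared secret entered on the IAS server in Step 5 and on the VPN server in Step 7 is used, shown as an added example that is not part of the original guide: under RFC 2865 the RADIUS server stamps each reply with an MD5 digest over the packet, the request's authenticator and the secret, and the RADIUS client (here, the VPN server) recomputes it. The secret, identifier and attribute values below are constructed samples.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code for Access-Accept (RFC 2865)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    length = 20 + len(attrs)  # 20-byte header plus attributes
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """What the RADIUS server (IAS) sends back to its RADIUS client."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """What the RADIUS client (the VPN server) checks before trusting a reply."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    # Constructed sample values, not taken from the guide.
    ias_secret = b"constructed-sample-secret"
    request_auth = bytes(range(16))      # random 16 bytes in a real Access-Request
    attrs = bytes([18, 9]) + b"welcome"  # Reply-Message attribute (type 18, length 9)
    reply = build_response(ACCESS_ACCEPT, 7, attrs, request_auth, ias_secret)
    return {
        "matching secret": verify_response(reply, request_auth, ias_secret),
        "mistyped secret": verify_response(reply, request_auth, b"constructed-sample-secreT"),
        "tampered reply": verify_response(reply[:-1] + b"!", request_auth, ias_secret),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

A one-character mismatch between the two servers makes every reply fail this check, which is why the VPN server rejects all logons when the secret is mistyped.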

Step 8: Associate the VPN server with the DHCP server

1. Navigate through the console tree to your server -> IP Routing -> DHCP Relay Agent.
2. Right click on the DHCP Relay Agent container and select Properties.
3. Enter the IP address of your DHCP server and click Add, followed by OK.

Your VPN server is now configured. You're in the home stretch! All you need to do now is configure your clients
to work with the VPN you have created.

Step 9: Configure your remote clients

You may recall that we had to create a special security group for any user who is going to be accessing the
network over the VPN connection. Therefore, I am assuming your remote users have been added to the
necessary group and your client computers already have Internet access.

To allow a Windows XP client computer to access your private network, you must tell it to use a VPN
connection.

1. To do so, open the Control Panel and select the Network and Internet Connections option.
2. Select the Create A Connection to the Network At Your Workplace option.
3. Windows will now ask you if you want to create a dial-up connection or a VPN connection. Select the
VPN option and click Next.
4. At this point, you will see the Company Name prompt. Here you can enter the name of your company,
the name of the server that you are connecting to, or anything else to describe the connection.
5. Click Next. You will be prompted to enter the IP address of the server that you are connecting to. This
will be the external IP address (the one connected to the Internet) of your VPN server.
6. Click Next again, followed by Finish to create your connection.

Step 10: Test the client connection

1. Double click on the connection in the list of available connections.
2. You will be prompted for a username and password. Rather than entering your logon credentials, click
the Properties button.
3. In Properties, select the Networking tab.
4. Set Type of VPN to PPTP VPN and click OK.
5. You will be returned to the VPN logon screen. Enter your username in the domain/username format.
6. Now enter your password and click Connect.
7. There is a chance that you may be prompted as to which connection you want to use. If prompted,
select the LAN Connection option.
8. Once you are connected, go to Start -> Run and enter the \\servername\ROOT command.

You should see the contents of your server's C drive (assuming that you have the rights). Of course, it's rare
that you would be directly accessing the server's C drive. More often, you would be accessing a specific share
on the server. To do so, you would enter \\servername\sharename.

Step 11: Alternate VPN configuration options

In this step-by-step guide, I have outlined only one of maybe half a dozen different types of client VPN
connections. There are many variations that involve different encryption or authentication techniques. You can
read about these alternate client configurations
