Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This guide provides detailed information about how you can use five computers to create a test lab with which to configure and test virtual private network (VPN) remote access with the Microsoft® Windows® XP Professional operating system with Service Pack 2 (SP2) and the 32-bit versions of the Microsoft Windows Server™ 2003 operating system with Service Pack 1 (SP1). These instructions are designed to take you step-by-step through the configuration required for a Point-to-Point Tunneling Protocol (PPTP) connection, a Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPsec) connection, and a VPN connection that uses certificate-based Extensible Authentication Protocol-Transport Level Security (EAP-TLS) authentication.
The following instructions are for configuring a test lab using a minimum number of computers. Individual computers are needed to separate the services provided on the network and to show the desired functionality clearly. This configuration is designed to reflect neither best practices nor a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed to work only on a separate test lab network.
Setting Up the Test Lab for PPTP, L2TP/IPsec, and EAP-TLS Remote Access VPN Connections
The infrastructure for the VPN test lab network consists of five computers performing the following services:
- A computer running Windows Server 2003 with SP1, Enterprise Edition, named DC1 that is acting as a domain controller, a Domain Name System (DNS) server, a Dynamic Host Configuration Protocol (DHCP) server, and a certification authority (CA).
- A computer running Windows Server 2003 with SP1, Standard Edition, named IAS1 that is acting as a Remote Authentication Dial-In User Service (RADIUS) server.
- A computer running Windows Server 2003 with SP1, Standard Edition, named IIS1 that is acting as a Web and file server.
- A computer running Windows Server 2003 with SP1, Standard Edition, named VPN1 that is acting as a VPN server. VPN1 has two network adapters installed.
- A computer running Windows XP Professional with SP2 named CLIENT1 that is acting as a VPN client.
The following diagram shows the configuration of the VPN test lab.
There is a network segment representing a corporate intranet and a network segment representing the Internet. All computers on the corporate intranet are connected to a common hub or Layer 2 switch. All computers on the Internet are connected to a separate common hub or Layer 2 switch. Private addresses are used throughout the test lab configuration. The private network of 172.16.0.0/24 is used for the intranet. The private network of 10.0.0.0/24 is used for the simulated Internet. Windows Firewall is set up and configured on the RADIUS server (IAS1), the Web and file server (IIS1), and the client computer (CLIENT1). Windows Firewall should not be turned on or configured on either the domain controller (DC1) or the VPN server (VPN1). In addition, the Windows Firewall/Internet Connection Sharing (ICS) service should be disabled on VPN1.
IIS1 obtains its IP address configuration using DHCP. CLIENT1 uses DHCP for its IP address configuration; however, it is also configured with an alternate IP configuration so that it can be placed on either the intranet network segment or the simulated Internet. All other computers have a manual IP address configuration. There are no Windows Internet Name Service (WINS) servers present.
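The per-computer Windows Firewall state described above can be applied and checked from a command prompt on each lab host. The following batch script is an added example and is not part of the original guide; it assumes it runs on a host whose computer name is one of the five lab names (DC1, IAS1, IIS1, VPN1, CLIENT1) on Windows XP SP2 or Windows Server 2003 SP1, where the netsh firewall context and the SharedAccess service (Windows Firewall/ICS) exist.

```batch
@echo off
rem Added example, not part of the original guide: set Windows Firewall on or
rem off according to the lab role, and on VPN1 also stop and disable the
rem Windows Firewall/Internet Connection Sharing (ICS) service (SharedAccess).
rem Assumes the computer name matches one of the lab role names.

if /i "%COMPUTERNAME%"=="IAS1"    goto enable
if /i "%COMPUTERNAME%"=="IIS1"    goto enable
if /i "%COMPUTERNAME%"=="CLIENT1" goto enable
if /i "%COMPUTERNAME%"=="DC1"     goto disable
if /i "%COMPUTERNAME%"=="VPN1"    goto vpn1
echo %COMPUTERNAME% is not one of the lab role names; nothing was changed.
goto end

:enable
rem RADIUS server, Web/file server and client: Windows Firewall turned on.
netsh firewall set opmode mode=ENABLE
netsh firewall show opmode
goto end

:disable
rem Domain controller: Windows Firewall turned off, as the lab layout requires.
netsh firewall set opmode mode=DISABLE
netsh firewall show opmode
goto end

:vpn1
rem VPN server: firewall off, and the Windows Firewall/ICS service stopped and
rem disabled so it does not start again on reboot.
netsh firewall set opmode mode=DISABLE
sc stop SharedAccess
sc config SharedAccess start= disabled
rem The service query should report STATE: STOPPED once the stop completes.
sc query SharedAccess

:end
```

Run the script once on each computer after its operating system is installed; `netsh firewall show opmode` prints the resulting operational mode so the state can be confirmed before the rest of the role configuration is done.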
To reconstruct this test lab, configure the computers in the order presented, beginning with the PPTP-based remote access VPN connection. Additional sections of this guide describe L2TP/IPsec-based and EAP-TLS-based remote access VPN connections.
PPTP-based Remote Access VPN Connections
The following sections describe how to set up and configure each of the computers in the test lab for a PPTP-based remote access VPN connection. PPTP is typically used when there is no public key infrastructure (PKI) to issue the computer certificates that are required for L2TP/IPsec connections.
DC1
DC1 is a computer running Windows Server 2003 with SP1, Enterprise Edition, that is providing the following services:
- A domain controller for the example.com Active Directory® domain.
- A DNS server for the example.com DNS domain.
- A DHCP server for the intranet network segment.
- The enterprise root certification authority (CA) for the example.com domain.
Windows Server 2003 with SP1, Enterprise Edition, is used so that autoenrollment of user certificates for EAP-TLS authentication can be configured. This is described in the "EAP-TLS-based Remote Access VPN Connections" section of this guide.
Configure DC1
1. Install Windows Server 2003 with SP1, Enterprise Edition, as a stand-alone server.
2. Configure the TCP/IP protocol with the IP address of 172.16.0.1 and the subnet mask of 255.255.255.0.
Configure DC1 as a domain controller
1. To start the Active Directory Installation Wizard, click Start, click Run, type dcpromo, and then click OK.
2. In the Welcome to the Active Directory Installation Wizard dialog box, click Next.
3. In the Operating System Compatibility dialog box, click Next.
4. Verify that the Domain controller for a new domain option is selected, and then click Next.
5. Verify that Domain in a new forest is selected, and then click Next.
6. Verify that No, just install and configure DNS on this computer is selected, and then click Next.
7. On the New Domain Name page, type example.com, and then click Next.
8. On the NetBIOS Domain Name page, confirm that the Domain NetBIOS name is EXAMPLE, and then click Next.
9. Accept the default Database and Log Folders directories, as shown in the following figure, and then click Next.
10. In the Shared System Volume dialog box, shown in the following figure, verify that the default folder location is correct. Click Next.
11. On the Permissions page, verify that the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems check box is selected, as shown in the following figure. Click Next.
12. On the Directory Services Restore Mode Administration Password page, leave the passwords blank, and then click Next.
13. Review the information that appears on the Summary page, and then click Next.
14. On the Completing the Active Directory Installation Wizard page, click Finish.
15. When prompted to restart the computer, click Restart Now.
Raise the domain functional level
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder, and then right-click the domain computer dc1.example.com.
2. Click Raise Domain Functional Level, select Windows Server 2003 on the Raise Domain Functional Level page, and then click Raise, as shown in the following figure.
Install and configure DHCP
1. In Control Panel, double-click Add or Remove Programs, and then install DHCP as a Networking Services component.
2. Open the DHCP snap-in from the Administrative Tools folder.
3. Click Action, and then click Authorize to authorize the DHCP service.
4. In the console tree, right-click dc1.example.com, and then click New Scope.
5. On the Welcome page of the New Scope Wizard, click Next.
6. On the Scope Name page, type CorpNet in Name. This is shown in the following figure.
7. Click Next. On the IP Address Range page, type 172.16.0.10 in Start IP address, 172.16.0.100 in End IP address, and 24 in Length. This is shown in the following figure.
8. Click Next. On the Add Exclusions page, click Next.
9. On the Lease Duration page, click Next.
10. On the Configure DHCP Options page, click Yes, I want to configure DHCP options now. This is shown in the following figure.
11. Click Next. On the Router (Default Gateway) page, click Next.
12. On the Domain Name and DNS Servers page, type example.com in Parent domain. Type 172.16.0.1 in IP address, and then click Add. This is shown in the following figure.
13. Click Next. On the WINS Servers page, click Next.
14. On the Activate Scope page, click Yes, I want to activate this scope now. This is shown in the following figure.
15. Click Next. On the Completing the New Scope Wizard page, click Finish.
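The same DC1 network and DHCP configuration (the static address from "Configure DC1" and the CorpNet scope from the New Scope Wizard steps above) can be reproduced and verified with netsh, which is useful when the lab is rebuilt repeatedly. This batch script is an added example and is not the guide's own procedure; it assumes the DHCP Server component is already installed on DC1, that the intranet adapter is named "Local Area Connection", and that it is run locally on DC1 as a domain administrator (authorizing a DHCP server in Active Directory requires that right).

```batch
@echo off
rem Added example, not part of the original guide: DC1 static address and the
rem CorpNet DHCP scope via netsh instead of the GUI wizards. Assumes the DHCP
rem Server component is installed and the adapter is "Local Area Connection".

rem Configure DC1, step 2: 172.16.0.1 / 255.255.255.0 with no default gateway.
netsh interface ip set address name="Local Area Connection" source=static addr=172.16.0.1 mask=255.255.255.0 gateway=none

rem DHCP step 3: authorize this DHCP server in Active Directory.
netsh dhcp add server dc1.example.com 172.16.0.1

rem DHCP steps 6 and 7: scope named CorpNet on 172.16.0.0/24 with the address
rem range 172.16.0.10 through 172.16.0.100 (no exclusions, default lease time).
netsh dhcp server add scope 172.16.0.0 255.255.255.0 CorpNet "Intranet segment"
netsh dhcp server scope 172.16.0.0 add iprange 172.16.0.10 172.16.0.100

rem DHCP step 12: parent domain example.com (option 015) and DNS server
rem 172.16.0.1 (option 006). No router (step 11) and no WINS server (step 13).
netsh dhcp server scope 172.16.0.0 set optionvalue 015 STRING example.com
netsh dhcp server scope 172.16.0.0 set optionvalue 006 IPADDRESS 172.16.0.1

rem DHCP step 14: activate the scope (state 1 = active).
netsh dhcp server scope 172.16.0.0 set state 1

rem Verification: the scope should be listed as Active, with the expected
rem range and only the two options set above.
netsh dhcp server show scope
netsh dhcp server scope 172.16.0.0 show iprange
netsh dhcp server scope 172.16.0.0 show optionvalue
```

The verification commands at the end are worth keeping even when the scope was created in the GUI: an unexpected router or WINS option on the scope would change how CLIENT1 and IIS1 resolve names and route traffic in the lab.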
Install Certificate Services
1. In Control Panel, double-click Add or Remove Programs, and then install the Certificate Services component as an enterprise root CA with the name Example CA.
2. Select Enterprise root CA, as shown in the following figure, and then click Next.
3. Type Example CA for the Common name for this CA, as shown in the following figure, and then click Next.
4. Click Next to accept the default Certificate Database Settings shown in the following figure.
5. Click Finish.
Add computers, users, and groups to the domain
1. Open the Active Directory Users and Computers snap-in.
2. In the console tree, open example.com.
3. Right-click Users, point to New, and then click Computer.
4. In the New Object - Computer dialog box, type IAS1 in Computer name. This is shown in the following figure.
5. Click Next. In the Managed dialog box, click Next. In the New Object - Computer dialog box, click Finish.
6. Use steps 3 through 5 to create additional computer accounts with the following names: IIS1, VPN1, and CLIENT1.
7. In the console tree, right-click Users, point to New, and then click User.
8. In the New Object - User dialog box, type VPNUser in First name, and type VPNUser in User logon name. This is shown in the following figure.