HOW TO: Provide Secure Point-to-Point Communications Across a Private Network or the Internet in Windows Server 2003 (324747)
The information in this article applies to:
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Small Business Server 2003, Premium Edition
- Microsoft Windows Small Business Server 2003, Standard Edition
This article was previously published under Q324747.
For a Microsoft Windows 2000 version of this article, see 301194.

SUMMARY
This step-by-step article describes how to install and configure a virtual private network (VPN) to provide secure point-to-point communications across a private network or the Internet.
To Install the Remote Access Service Server
If the remote access service server is a member of a domain, it must be a member of the RAS and IAS Servers group in that domain. If you are not a member of the Domain Admins group, a member of that group must add this server to the RAS and IAS Servers group. If you are a member of the Domain Admins group, the server is automatically added to the RAS and IAS Servers group after you complete the procedures that are included in this document.
To Enable the Routing and Remote Access Service and Configure a VPN Interface
1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. Click the server that matches the local server name in the left pane of the console.
   If the icon has a red circle in the lower-left corner, the Routing and Remote Access service is not enabled. Go to step 3.
   If the icon has a green arrow pointing up in the lower-left corner, the service is enabled. If so, you may want to reconfigure the server. To reconfigure the server, you must first disable Routing and Remote Access. To do this, right-click the server, and then click Disable Routing and Remote Access. Click Yes when you are prompted with an informational message.
3. Right-click the server, and then click Configure and Enable Routing and Remote Access to start the Routing and Remote Access Server Setup Wizard. Click Next.
4. Click Remote access (dial-up or VPN) to enable remote computers to dial in or connect to this network through the Internet. Click Next.
5. Click VPN for virtual private access, or click Dial-up for dial-up access, depending on the role you want to assign to this server.
6. On the VPN Connection page, click the network interface that is connected to the Internet, and then click Next.
7. On the IP Address Assignment page, do one of the following:
   - If a DHCP server will be used to assign addresses to remote clients, click Automatically, and then click Next. Go to step 8.
   - To give remote clients addresses only from a pre-defined pool, click From a specified range of addresses. In most cases, the DHCP option is simpler to administer. However, if DHCP is not available, you must specify a range of static addresses. Click Next. The wizard opens the Address Range Assignment page.
     a. Click New.
     b. In the Start IP address box, type the first IP address in the range of addresses that you want to use.
     c. In the End IP address box, type the last IP address in the range. Windows calculates the number of addresses automatically.
     d. Click OK to return to the Address Range Assignment page.
     e. Click Next.
8. Accept the default setting No, use Routing and Remote Access to authenticate connection requests, and then click Next.
9. Click Finish to enable the Routing and Remote Access service and to configure the server to run Routing and Remote Access.
You can now configure the server as a VPN server.
Setting Up a Client for Remote Access
After you set up the server to receive dial-up connections, you must set up a remote access client connection on the user's workstation.
To Set Up a Client for a Dial-Up Connection
To set up a client for dial-up access, follow these steps on the client workstation.
NOTE: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
1. Click Start, click Control Panel, and then double-click Network Connections.
2. Under Network Tasks, click Create a new connection, and then click Next.
3. Click Connect to the network at my workplace to create the dial-up connection, and then click Next.
4. Click Dial-up connection, and then click Next.
5. On the Connection Name page, type a descriptive name for this connection, and then click Next.
6. On the Phone Number to Dial page, type the phone number for the remote access server in the Phone Number dialog box.
7. Do one of the following, and then click Next:
   - If you want to allow any user who logs on to the workstation to have access to this dial-up connection, click Anyone's use.
   - If you want this connection to be available only to the currently logged-on user, click My use only.
8. Click Finish to save the connection.
To Set Up a Client for a VPN Access Connection
To set up a client for VPN access, follow these steps on the client workstation.
NOTE: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
1. Click Start, click Control Panel, and then double-click Network Connections.
2. Under Network Tasks, click Create a new connection, and then click Next.
3. Click Connect to the network at my workplace to create the dial-up connection, and then click Next.
4. Click Virtual Private Network connection, and then click Next.
5. On the Connection Name page, type a descriptive name for this connection, and then click Next.
6. Do one of the following, and then click Next:
   - If the computer is permanently connected to the Internet, click Do not dial the initial connection.
   - If the computer connects to the Internet by way of an Internet service provider (ISP), click Automatically dial this initial connection, and then click the name of the connection to the ISP.
7. Type the IP address or the host name of the VPN server computer (for example, VPNServer.SampleDomain.com).
8. Do one of the following, and then click Next:
   - If you want to allow any user who logs on to the workstation to have access to this dial-up connection, click Anyone's use.
   - If you want this connection to be available only to the currently logged-on user, click My use only.
9. Click Finish to save the connection.
To Connect to the VPN Server
After you create a VPN connection on your local workstation, you can connect to the server. To do this, follow these steps.
NOTE: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
1. Click Start, point to Connect To, and then click the new connection that you created.
2. In the User Name box, type your user name. If the network to which you want to connect has multiple domains, you may have to specify a domain name. If this is the case, use the domain_name\user name format in the User Name box.
3. In the Password box, type your password.
4. If you use a dial-up connection, check the phone number that is listed in the Dial box to make sure that it is correct. Make sure that you have specified any additional numbers that you must have to obtain an external line or to dial long-distance.
5. Click Dial or Connect (for VPN connections).
Your computer establishes a connection to the remote access server. The server authenticates the user and registers your computer on the network.
Configuring the Server to Accept Remote Clients and Granting Remote Access Rights to Users
In Windows Server 2003, authorization is granted based on the dial-in properties that you set in the user account in Active Directory and on the remote access policy that you set for the remote access server. With remote access policies, you can grant or deny authorization based on criteria such as the time of day, the day of the week, the user's membership in Windows Server 2003 security groups, or the type of connection that is requested.
When you install the Routing and Remote Access service and you configure the server that will run it, Windows creates a default policy that grants access to all users, provided that dial-in permissions have been enabled (these permissions are configured on a user-by-user basis). For users to be able to dial in and authenticate to a remote access server, these settings must be enabled in their user accounts. When the server is a member of a domain, you can set these settings by using the users' domain accounts. When the server is a standalone server or a member of a workgroup, the users must have local accounts on the remote access server.
To Allow the Server to Accept Remote Access Clients
1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. Double-click the server object, and then click Remote Access Policies.
3. Right-click Connections to Microsoft Routing and Remote Access server, and then click Properties.
4. Click Grant remote access permission, and then click OK.
5. Close Routing and Remote Access.
To Grant Dial-up Access Permission to Individual Users
1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the user account for which you want to enable remote access, and then click Properties.
3. Click the Dial-in tab, click Allow access, and then click OK.
4. Close the UserAccount Properties dialog box.
To Grant Remote Access Permission to a User Group
1. Create a group with members who are permitted to create VPN connections.
2. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
3. In the console tree, expand Routing and Remote Access, expand the server name, and then click Remote Access Policies.
4. Right-click the right pane, point to New, and then click Remote Access Policy.
5. Click Next, type the policy name, and then click Next.
6. Click VPN for virtual private access, or click Dial-up for dial-up access, and then click Next.
7. Click Add, type the name of the group that you created in step 1, and then click Next.
8. Follow the on-screen instructions to complete the wizard.
If the VPN server already permits dial-up networking remote access services, do not delete the default policy; instead, move it so that it is the last policy to be evaluated.
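Why the order of remote access policies matters, as a simplified model added here (not Microsoft's code) of the first-match evaluation described above: policies are checked in order, the first one whose conditions match decides, and a request that matches no policy is rejected. The policy names, the "VPN Users" group, the hours and connection types are constructed for the example, and the rule that an account's dial-in Allow/Deny overrides the policy's own permission is assumed from RRAS behaviour.

```python
# Simplified model of Windows Server 2003 remote access policy evaluation
# (added example, not Microsoft's code). Account dial-in "allow"/"deny"
# overrides the policy's permission; "policy" defers to the matching policy.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    grant: bool                              # "Grant remote access permission"
    groups: frozenset = frozenset()          # empty = any user
    conn_types: frozenset = frozenset()      # empty = any connection type
    hours: tuple = (0, 24)                   # allowed hour window [start, end)

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    conn_type: str                           # "vpn" or "dialup"
    hour: int
    dialin: str = "policy"                   # "allow", "deny" or "policy"

def matches(p: Policy, r: Request) -> bool:
    return (not p.groups or bool(p.groups & r.groups)) and \
           (not p.conn_types or r.conn_type in p.conn_types) and \
           p.hours[0] <= r.hour < p.hours[1]

def authorize(policies, r: Request):
    """Return (granted, name of the policy that decided), or (False, None)."""
    for p in policies:
        if matches(p, r):
            if r.dialin == "allow":
                return True, p.name
            if r.dialin == "deny":
                return False, p.name
            return p.grant, p.name
    return False, None                       # no matching policy: rejected

# Constructed policies: the default policy the wizard creates (matches every
# user) and a stricter policy for a constructed VPN group, business hours only.
DEFAULT = Policy("Connections to Microsoft Routing and Remote Access server", True)
VPN_GROUP = Policy("VPN Users", True, frozenset({"VPN Users"}), frozenset({"vpn"}), (8, 18))

if __name__ == "__main__":
    alice = Request("alice", frozenset({"VPN Users"}), "vpn", 10)
    print(authorize([DEFAULT, VPN_GROUP], alice))  # default policy decides
    print(authorize([VPN_GROUP, DEFAULT], alice))  # VPN policy decides
```

With the default policy first, a group member is decided by the default policy and the VPN policy's conditions never apply; with it last, the VPN policy decides, but a grant-all default still admits requests the VPN policy does not match (for example, a member connecting outside business hours), so narrow its conditions if that is not intended.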
Troubleshooting
If You Receive an Error Message That the Specified Destination Is Not Reachable
Verify that the client is connected to the network. To test whether the remote server can be contacted, follow these steps:
1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type the following, and then press ENTER:
If the ping request times out, try pinging the IP address of the remote server to see if there is a Domain Name System (DNS) name resolution issue.
If You Can Contact the Server, but You Cannot Successfully Authenticate
Verify that the user account that you are using has been granted permission to dial in and authenticate with Active Directory. The server that you are contacting must be a member of the RAS and IAS Servers group.
Modification Type: Minor
Last Reviewed: 7/8/2005
Keywords: kbnetwork kbSecurity kbHOWTOmaster kbNetwork KB324747 kbAudITPro