次の方法で共有


VPN remote access for employees

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

VPN remote access for employees

VPN remote access for employees of Electronic, Inc. is PPTP-based, uses MS-CHAP v2 authentication, and requires strong encryption. To deploy remote access for Electronic, Inc. employees by using remote access VPN connections across the Internet, the following configuration is implemented.

Network configuration

For VPN remote access, the Electronic, Inc. network is configured as follows:

  • The remote access server computer is directly attached to the Internet by using a T3 (also known as a DS-3) dedicated WAN link.

  • The IP address of the T3 WAN adapter on the Internet is 157.54.130.1 as allocated by Electronic, Inc.'s Internet service provider (ISP). The IP address of the WAN adapter is referred to on the Internet by the name vpn.electronic.microsoft.com.

The following illustration shows the configuration of the Electronic, Inc. remote access server for remote access VPN connections.

Configuration for remote access VPN connections

The remote access server computer is configured as follows:

1. Install T3 WAN adapter in the remote access server

The T3 WAN adapter that is used to connect to the Internet is installed according to the adapter manufacturer's instructions. Once the driver is installed and functioning, the adapter appears as a local area connection in Device Manager or the properties of Ports.

2. ConfigureTCP/IPon the WAN adapter

For the WAN adapter, the IP address of 157.54.130.1 with a subnet mask 255.255.255.255 is configured. A default gateway is not configured.

3. Configure a static route to reach Internet locations

To reach Internet locations, a static route is configured with the following settings:

  • Interface: The WAN adapter attached to the Internet

  • Destination: 0.0.0.0

  • Network mask: 0.0.0.0

  • Gateway: 157.54.130.1

  • Metric: 1

Note

  • Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway address. The gateway address of 0.0.0.0 is an example. 0.0.0.0 is reserved as the unspecified IP address.

4. Increase the number of PPTP ports

By default, only five PPTP ports are enabled for VPN connections. The number of PPTP ports is increased to 1,000. For more information, see Add PPTP or L2TP ports.

5. Configure PPTP packet filters

PPTP packet filters are configured on the WAN adapter that connects to the Internet. For more information, see Add PPTP Filters.

Domain configuration

For each employee that is allowed VPN remote access:

  • The remote access permission on the dial-in properties of the user account is set to Allow access.

  • The user account is added to the VPN_Users group.

Remote access policy configuration

To define the authentication and encryption settings for remote access VPN clients, the following remote access policy is created:

  • Policy name: Remote Access VPN Clients

  • Conditions:

    • NAS-Port-Type is set to Virtual (VPN)

    • Tunnel-Type is set to Point-to-Point Tunneling Protocol

    • Windows-Groups is set to VPN_Users (example)

    • Called-Station-ID is set to 157.54.130.1 (example)

  • Permission is set to Grant remote access permission

  • Profile settings:

    • Authentication tab: Microsoft Encrypted Authentication version 2 (MS-CHAP v2) is enabled.

    • Encryption tab: Clear all the options except Strongest.

Notes

  • The Called-Station-ID is set to the IP address of the Internet interface for the remote access server. Only tunnels initiated from the Internet are allowed. Tunnels initiated from the Electronic, Inc. intranet are not permitted. Electronic, Inc. users that require Internet access from the Electronic, Inc. intranet must go through the Electronic, Inc. proxy server (not shown), where Internet access is controlled and monitored.

  • In the access-by-user administrative model, the remote access permission on the remote access policy has no effect on granting remote access permission. However, the network administrator for Electronic, Inc. set the remote access permission on the policy to Grant remote access permission so that an eventual transition to an access-by-policy administrative model does not require changing all the remote access permission settings on all of the configured remote access policies.

PPTP-based remote access client configuration

The New Connection wizard is used to create a VPN connection with the following settings:

  • VPN connection type: PPTP

  • Host name or IP address: vpn.electronic.microsoft.com

Note

  • The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.