PPTP-based remote access VPN deployment

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use remote access with products in the Windows Server 2003 family to provide access to a corporate intranet for remote access clients who are making PPTP connections across the Internet. If you want your remote access server to support multiple PPTP connections, complete the following steps:

  • Configure the connection to the Internet.

  • Configure the connection to the intranet.

  • Configure the remote access server as a corporate intranet router.

  • Configure the VPN server.

  • Configure firewall packet filters.

  • Configure remote access policies.

The following illustration shows the elements of a remote access server running Windows Server 2003 that provides PPTP-based remote access to a corporate intranet.

Illustration: PPTP-based remote access via remote access server

For more information, see Remote access VPN connection and Point-to-Point Tunneling Protocol.

Note

  • On Windows Server 2003, Web Edition, and Windows Server 2003, Standard Edition, you can create up to 1,000 Point-to-Point Tunneling Protocol (PPTP) ports, and you can create up to 1,000 Layer Two Tunneling Protocol (L2TP) ports. However, Windows Server 2003, Web Edition, can accept only one virtual private network (VPN) connection at a time. Windows Server 2003, Standard Edition, can accept up to 1,000 concurrent VPN connections. If 1,000 VPN clients are connected, further connection attempts are denied until the number of connections falls below 1,000.

Configuring the connection to the Internet

The connection to the Internet from a computer running a Windows Server 2003 operating system is a dedicated connection: a WAN adapter installed in the computer. The WAN adapter is typically a DDS, T1, Fractional T1, or Frame Relay adapter. You must contract with a local telephone company to run the appropriate physical wiring to your premises. You need to verify that the WAN adapter is compatible with products in the Windows Server 2003 family. To verify compatibility, see the Compatible Hardware and Software section at Support resources.

The WAN adapter includes drivers that are installed in members of the Windows Server 2003 family so that the WAN adapter appears as a network adapter.

You need to configure the following TCP/IP settings on the WAN adapter:

  • IP address and subnet mask assigned from the InterNIC or an Internet service provider (ISP).

  • Default gateway of the ISP router.

So that VPN clients can connect to your VPN server by name (rather than by IP address), you can ask your ISP to register your VPN server in DNS.

Configuring the connection to the intranet

The connection to the intranet from a computer running a Windows Server 2003 operating system is a LAN adapter that is installed in the computer. You need to verify that the LAN adapter is compatible with products in the Windows Server 2003 family. To verify compatibility, see the Compatible Hardware and Software section at Support resources.

You need to configure the following TCP/IP settings on the LAN adapter:

  • IP address and subnet mask assigned from the network administrator.

  • DNS and WINS name servers of corporate intranet name servers.

Configuring the remote access server as a corporate intranet router

In order for the remote access server to properly forward traffic on the corporate intranet, you must configure it as a router with either static routes or routing protocols so that all of the locations of the intranet are reachable from the remote access server. For information about routing concepts, see Routing Overview. For information about setting up the remote access server as a router, see Deploying Routing.

Configuring the VPN server

You can configure your VPN server by running the Routing and Remote Access Server Setup Wizard. You can configure the following settings using the wizard:

  • A basic firewall on the public interface.

  • The method by which the VPN server assigns addresses to remote access clients (either using addresses that the VPN server obtains from a DHCP server or using addresses from a specified range of addresses that you have configured on the VPN server).

  • Forwarding of authorization and authentication messages to a Remote Authentication Dial-In User Service (RADIUS) server (configuration of the VPN server as a RADIUS client).

Once the wizard is run, these Routing and Remote Access settings are automatically configured:

  • Network interfaces

  • PPTP and L2TP ports (5 or 128 of each, depending on your choices when running the wizard)

  • Multicast support using Internet Group Management Protocol (IGMP)

  • IP routing

  • Installation of the DHCP Relay Agent component.

For more information on enabling Routing and Remote Access and running the wizard, see Enable the Routing and Remote Access service.

Configuring firewall packet filters

If you are using a firewall, you need to configure PPTP packet filters on your firewall to allow PPTP traffic between Internet-based VPN clients and the VPN server computer. For more information, see VPN servers and firewall configuration.

Configuring remote access policies

For an access-by-user administrative model, you need to set the remote access permission to Allow access on the user accounts for those users who will be making VPN connections. For an access-by-policy model, make the appropriate changes to the remote access permission of the user accounts. For more information, see Introduction to remote access policies.

To configure a remote access policy to control the authentication and encryption options for VPN connections, you can create a remote access policy with the following settings:

  • Set Policy name to VPN Access (example).

  • For conditions, set the NAS-Port-Type condition to Virtual (VPN) and the Tunnel-Type condition to Point-to-Point Tunneling Protocol.

  • Select the Grant remote access permission option.

  • For profile settings, select the appropriate authentication and encryption options.

Then, either delete the default remote access policies or position them after the new policy. This remote access policy allows all users with remote access permission to create a VPN connection.

If you want to distinguish dial-up remote access users from VPN remote access users, do the following:

  1. Create an Active Directory group whose members can create virtual private networking connections with the VPN server (for example, VPN_Users).

  2. Add the appropriate user accounts to the new Active Directory group.

  3. Create a new remote access policy with the following properties:

    • Set Policy name to VPN Access if member of VPN_Users (example).

    • For conditions, set the Windows-Groups condition to VPN_Users (example), set the NAS-Port-Type condition to Virtual (VPN), and set the Tunnel-Type condition to Point-to-Point Tunneling Protocol.

    • Select the Grant remote access permission option.

  4. Move the default remote access policies after the new policy.

The default encryption settings allow no encryption and all levels of encryption strength. To require encryption, clear the No Encryption option and select the appropriate encryption strengths on the Encryption tab of the remote access policy profile. The encryption strengths are:

  • Basic

    You can use this option when communicating with older Microsoft dial-up networking clients. This option uses Microsoft Point-to-Point Encryption (MPPE) and a 40-bit encryption key.

  • Strong

    You can use this option when communicating with dial-up networking clients running Windows 98, Windows 2000, or Windows XP. This option uses MPPE and a 56-bit encryption key.

  • Strongest

    You can use this option when communicating with dial-up networking clients running Windows 98, Windows 2000, or Windows XP. This option uses MPPE and a 128-bit encryption key.

For more information, see Configure encryption.
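
The two points made under "Configuring remote access policies" (policy order decides which policy applies, and the default profile still permits unencrypted connections) can be checked with a small model. The following Python code is an added example, not Microsoft code and not part of Routing and Remote Access. It assumes that the first policy whose conditions all match decides the attempt and that user accounts are set to control access through remote access policy; the Policy class, the catch-all stand-in for a default policy, and the sample connection attempt are constructed for illustration.

```python
from dataclasses import dataclass, field

# Encryption options from the page, weakest first (MPPE key bits in comments).
LEVELS = ["No Encryption", "Basic", "Strong", "Strongest"]  # 0, 40, 56, 128

@dataclass
class Policy:  # hypothetical model of one remote access policy
    name: str
    conditions: dict   # attribute name -> required value
    grant: bool        # True = Grant, False = Deny remote access permission
    encryption: set = field(default_factory=lambda: set(LEVELS))  # profile default

def matches(policy, attempt):
    """A policy matches only if every one of its conditions holds."""
    for attr, want in policy.conditions.items():
        if attr == "Windows-Groups":
            if want not in attempt.get("groups", ()):
                return False
        elif attempt.get(attr) != want:
            return False
    return True

def evaluate(policies, attempt):
    """First matching policy decides; no match means the attempt is rejected."""
    for p in policies:
        if matches(p, attempt):
            return p.name, p.grant
    return None, False

def below_minimum(policies, minimum="Strongest"):
    """Granting policies whose profile still allows options weaker than minimum."""
    weak = set(LEVELS[:LEVELS.index(minimum)])
    return {p.name: sorted(p.encryption & weak, key=LEVELS.index)
            for p in policies if p.grant and p.encryption & weak}

# Constructed sample data (not taken from a real server).
PPTP = "Point-to-Point Tunneling Protocol"
CATCH_ALL = Policy("Default policy (stand-in)", {}, grant=False)
VPN = Policy("VPN Access if member of VPN_Users",
             {"Windows-Groups": "VPN_Users", "NAS-Port-Type": "Virtual (VPN)",
              "Tunnel-Type": PPTP}, grant=True)
ATTEMPT = {"NAS-Port-Type": "Virtual (VPN)", "Tunnel-Type": PPTP,
           "groups": ["VPN_Users"]}

if __name__ == "__main__":
    print(evaluate([CATCH_ALL, VPN], ATTEMPT))  # default first: VPN user denied
    print(evaluate([VPN, CATCH_ALL], ATTEMPT))  # new policy first: granted
    print(below_minimum([VPN, CATCH_ALL]))      # default profile allows weak options
```

Passing a profile such as {"Strongest"} as the policy's encryption set models clearing the No Encryption, Basic, and Strong options, after which below_minimum reports nothing for that policy.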