共用方式為


Remote access/VPN server role: Configuring a remote access/VPN server

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Remote access/VPN server role: Configuring a remote access/VPN server

You can configure a server that allows remote users to access resources on your private network over dial-up or virtual private network (VPN) connections. This type of server is called a remote access/VPN server. Remote access/VPN servers can also provide network address translation (NAT). With NAT, the computers on your private network can share a single connection to the Internet. With VPN and NAT, your VPN clients can determine the IP addresses of the computers on your private network, but other computers on the Internet cannot.

This topic explains the basic steps for configuring a remote access/VPN server using Manage Your Server, the Configure Your Server Wizard, and the Routing and Remote Access Server Setup Wizard. After you finish configuring a basic remote access/VPN server, you can complete additional configuration tasks, depending on how you want to use the remote access/VPN server.

This topic covers:

Before you begin

Configuring your remote access/VPN server

Next steps: Completing additional tasks

Before you begin

Before you configure your server as a remote access/VPN server, you should verify whether or not:

  • The operating system is configured correctly. In the Windows Server 2003 family, remote access/VPN depend on the appropriate configuration of the operating system and its services. If you have a new installation of a product in the Windows Server 2003 family, you can use the default service settings. No further action is necessary. If you upgraded to a product in the Windows Server 2003 family or you want to confirm that your services are configured correctly for best performance and security, verify your service settings by comparing them to the table in Default settings for services.

  • Your server is correctly configured for optimal security for your network needs. Because your remote access/VPN server will connect your private network, the Internet, and your remote clients, you must make sure the server is secure. The security of your private network depends on the security of your remote access/VPN server. For more information, see Security information for remote access.

  • This computer has two network interfaces, one that connects to the Internet and one that connects to the private network. The connection to the Internet must be a dedicated connection with enough bandwidth that VPN users can connect to your private network and users on your private network can connect to the Internet. The connection to computers on your private network must be made through a hardware device, such as a network adapter.

  • All needed network protocols have been installed for your network interfaces. For more information, see Network interfaces.

  • Windows Firewall is disabled on the server that you want to configure for remote access/VPN. You will configure the Basic Firewall feature of Routing and Remote Access during setup, which will serve in place of Windows Firewall.

  • Internet Connection Sharing is disabled on the server that you want to configure for remote access/VPN. Internet Connection Sharing is not compatible with Routing and Remote Access. Internet Connection Sharing and Network Bridge are not included in Windows Server 2003, Web Edition; Windows Server 2003, Datacenter Edition; and the Itanium-based versions of the original release of the Windows Server 2003 operating systems.

  • The Security Configuration Wizard is installed and enabled. For information about the Security Configuration wizard, see Security Configuration Wizard Overview.

The following table lists the information that you need to know before you configure a remote access/VPN server.

Before adding a remote access/VPN server role Comments

Determine which network interface connects to the Internet and which network interface connects to your private network.

During configuration, you will be asked to choose which network interface connects to the Internet. If you specify the incorrect interface, your remote access/VPN server will not operate correctly.

Determine whether remote clients will receive IP addresses from a Dynamic Host Configuration Protocol (DHCP) server on your private network or from the remote access/VPN server that you are configuring.

If you have a DHCP server on your private network, the remote access/VPN server can lease 10 addresses at a time from the DHCP server and assign those addresses to remote clients. If you do not have a DHCP server on your private network, the remote access/VPN server can automatically generate and assign IP addresses to remote clients. If you want the remote access/VPN server to assign IP addresses from a range that you specify, you must determine what that range should be.

Determine whether you want connection requests from VPN clients to be authenticated by a Remote Authentication Dial-In User Service (RADIUS) server or by the remote access/VPN server that you are configuring.

Adding a RADIUS server is useful if you plan to install multiple remote access/VPN servers, wireless access points, or other RADIUS clients to your private network. For more information, see Internet Authentication Service.

Determine whether VPN clients can send DHCP messages to the DHCP server on your private network.

If a DHCP server is on the same subnet as your remote access/VPN server, DHCP messages from VPN clients will be able to reach the DHCP server after the VPN connection is established. If a DHCP server is on a different subnet than your remote access/VPN server, make sure that the router between subnets can relay DHCP messages between clients and the server. If your router is running a Windows Server 2003 operating system, you can configure the DHCP Relay Agent service on the router to forward DHCP messages between subnets.

Verify that all users have user accounts that are configured for dial-up access.

Before users can connect to the network, they must have user accounts on the remote access/VPN server or in Active Directory. Each user account on a stand-alone server or a domain controller contains properties that determine whether that user can connect. On a stand-alone server, you can set these properties by right-clicking the user account in Local Users and Groups and clicking Properties. On a domain controller, you can set these properties by right-clicking the user account in the Active Directory Users and Computers console and clicking Properties. For more information, see Dial-in properties of a user account and Windows interface administrative tool reference A-Z: Active Directory Users and Computers.

Configuring your remote access/VPN server

To configure a remote access/VPN server, start the Configure Your Server Wizard by doing either of the following:

  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on.

  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.

On the Configuration Options page, click Custom configuration and click Next. On the Server Role page, click Remote access/VPN server, and then click Next.

This section describes the steps in the Routing and Remote Access Server Setup Wizard for configuring a remote access/VPN server that is not part of an Active Directory domain or part of a network with DNS or DHCP servers. If you follow these steps, you will configure a remote access/VPN server that provides both dial-up and VPN access for remote access clients, provides NAT for computers on your private network, generates and assigns IP addresses for remote access clients, and locally authenticates connection requests.

This section covers:

Summary of Selections

Using the Routing and Remote Access Server Setup Wizard

Completing the Configure Your Server Wizard

Completing configuration in Routing and Remote Access

Removing the remote access/VPN server role

Summary of Selections

On the Summary of Selections page, you can view and confirm the options that you have selected. If you clicked Remote access/VPN server on the Server Role page, the following line appears:

  • Run the Routing and Remote Access Server Setup Wizard to set up routing and VPN

To apply the selections shown on the Summary of Selections page, click Next. The Configure Your Server Wizard starts the Routing and Remote Access Server Setup Wizard. If you cancel the Routing and Remote Access Server Setup Wizard, your remote access/VPN server will not be configured, the Routing and Remote Access service will not be started, and the Configure Your Server Wizard will display the Cannot Complete page.

When you complete the Routing and Remote Access Server Setup Wizard and the Configure Your Server Wizard, the Routing and Remote Access service is started automatically.

Using the Routing and Remote Access Server Setup Wizard

After you choose the remote access/VPN role and confirm your Summary of Selections by clicking Next in the Configure Your Server Wizard, the Routing and Remote Access Server Setup Wizard starts.

This section describes the following steps in the Routing and Remote Access Server Setup Wizard:

Configuration

VPN Connection

IP Address Assignment

Name and Address Translation Services

Address Assignment Range

Managing Multiple Remote Access Servers

Completing the Routing and Remote Access Server Setup Wizard

Configuration

On the Configuration page, click Virtual Private Network (VPN) access and NAT, and click Next.

Important

  • This document describes the Virtual Private Network (VPN) access and NAT configuration only. If you decide to choose a different configuration, review the documentation for Routing and Remote Access before you complete the Routing and Remote Access Server Setup Wizard. This document will not help you complete any other role than Virtual Private Network (VPN) access and NAT. For more information about other configurations, see Common server configurations for remote access servers.

VPN Connection

On the VPN Connection page, click the network interface that connects this computer to the Internet. The network interface that you choose will be configured to receive connections from VPN clients. Any interface that you do not choose will be configured as a connection to your private network.

In Network Interfaces, the Enable security on the selected interface by setting up Basic Firewall check box will already be selected. Do not clear this check box. This option configures Basic Firewall, a dynamic packet filtering service that helps protect your private network from unsolicited network traffic.

After you finish, click Next.

IP Address Assignment

On the IP Address Assignment page, the Automatically option is selected automatically. Do not change the selection. This selection configures your server to generate and assign IP addresses to remote clients.

After you finish, click Next.

Name and Address Translation Services

On the Name and Address Translation Services page, the Enable basic name and address services option is selected automatically. Do not change the selection. This selection configures your server to automatically assign IP addresses to any computer on your private network that requests one. The selection also configures your server to forward name resolution requests to a DNS server on the Internet.

After you finish, click Next.

Address Assignment Range

The Address Assignment Range page displays the range of addresses that is defined for assignment to any computer on your network that requests one. This range is generated based on the IP address of the network adapter you chose on the VPN Connection page. Review the information presented.

After you finish, click Next.

Managing Multiple Remote Access Servers

On the Managing Multiple Remote Access Servers page, the No, use Routing and Remote Access to authenticate connection requests option is selected automatically. Do not change the selection. This selection configures your server to authenticate connection requests locally by using Windows authentication, Windows accounting, and locally stored remote access policies.

After you finish, click Next.

Completing the Routing and Remote Access Server Setup Wizard

On the Completing the Routing and Remote Access Server Setup Wizard page, review the summary information. Verify that:

  • The correct network interface is configured to provide VPN access.

  • Dial-up and VPN clients are assigned to your private network for addressing.

  • Client connections are accepted and authenticated using remote access policies for this remote access/VPN server.

  • NAT is configured for the correct network interface.

  • Clients will be assigned IP addresses from the correct range.

If any of the summary information is incorrect, click Back, and then change the information.

If you click Finish, you will not be able to open the Routing and Remote Access Server Setup Wizard again, unless you either remove the remote access/VPN server role from within the Configure Your Server Wizard or disable Routing and Remote Access from the Routing and Remote Access snap-in.

After you have ensured that the summary information is correct, click Finish. A message will appear informing you that, to support the relaying of DHCP messages from remote access clients to a DHCP server, you must open Routing and Remote Access on the remote access/VPN server and configure DHCP Relay Agent with the IP address of a DHCP server. Click OK. The Routing and Remote Access service will be started automatically, and the Configure Your Server Wizard will reappear.

Completing the Configure Your Server Wizard

After you complete the Routing and Remote Access Server Setup Wizard, the Configure Your Server Wizard displays the This Server is Now a Remote Access/VPN Server page. To review all of the changes made to your server by the Configure Your Server Wizard or to ensure that a new role was installed successfully, click Configure Your Server log. The Configure Your Server Wizard log is located at systemroot\Debug\Configure Your Server.log. To close the Configure Your Server Wizard, click Finish.

After you complete the Configure Your Server Wizard:

You are now ready to complete configuration for your remote access/VPN server in Routing and Remote Access.

Completing configuration in Routing and Remote Access

To open Routing and Remote Access, click Manage this remote access/VPN server from Manage Your Server. You can also open Routing and Remote Access from Administrative Tools. To open Administrative Tools, click Start, click Control Panel, and then double-click Administrative Tools.

In Routing and Remote Access, double-click the server you have just configured, and then click Remote Access Policies. The default remote access policy is set to deny all access to everyone. Your users will not be able to connect to your remote access/VPN server until you edit the default policy to allow access or replace the default policy with your own policies. Review the default policy by double-clicking it, and then edit it to specify the access that you want to allow your users.

If this server has been previously configured as a remote access/VPN server or if IAS has been configured on this server, the remote access policy or policies that appear in Routing and Remote Access might be configured differently from the default remote access policy. Carefully review all of your remote access policies to ensure that you have allowed and denied remote access according to your network needs. Be sure that you are not accidentally allowing or denying more remote access to your network than you intend.

For more information, see Add a remote access policy, Introduction to remote access policies, and Re-create the default remote access policy.

After you have configured remote access policies, you have completed all necessary configuration for a remote access/VPN server on a network without a DHCP server. If your network uses a DHCP server, you must also configure the DHCP Relay Agent before configuration is complete. In Routing and Remote Access, double-click IP Routing, right-click DHCP Relay Agent, and click Properties. Type the IP address of the DHCP server for your network in Server address, click Add, and then click OK.

Removing the remote access/VPN server role

If you need to reconfigure your server for a different role, you can remove existing server roles. When you remove the remote access/VPN server role, your server will no longer provide dial-up or VPN access for remote access clients. Additionally, your server will no longer provide NAT for computers on your private network. Remote users will not be able to connect to your private network, and the computers on your private network might not be able to connect to the Internet. Basic Firewall will no longer protect the computers on your private network. After you remove the remote access/VPN server role, consider enabling Windows Firewall or adding another firewall to protect the computers on your private network, if your network does not already have one. Test your private network to make sure computers on the private network have the level of access to the Internet required by your business needs. Reconfigure remote access policies in IAS to deny all remote access attempts.

To remove the remote access/VPN server role, restart the Configure Your Server Wizard by doing either of the following:

  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.

  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.

On the Server Role page, click Remote access/VPN server, and then click Next. On the Role Removal Confirmation page, review the items listed under Summary, select the Remove the remote access/VPN server role check box, and then click Next. In the dialog box that asks you to confirm that you want to disable the router and remove the remote access configuration, click Yes. On the Remote Access/VPN Server Role Removed page, click Finish.

Next steps: Completing additional tasks

After you complete the Configure Your Server Wizard and complete configuration in Routing and Remote Access, your server is ready for use as a remote access/VPN server that provides both VPN access and NAT. Up to this point, you have completed the following:

  • Started the Routing and Remote Access service.

  • Configured your server to accept VPN and dial-up connections.

  • Configured your server to provide NAT for your private network.

  • Configured remote access policies to allow users to connect to the server running Routing and Remote Access.

  • If the network uses a DHCP server, configured the DHCP Relay Agent to forward DHCP messages from remote access clients to the DHCP server.

If you have completed all of these tasks, you have created a basic remote access/VPN server that will allow remote computers to connect to your server with a dial-up or a VPN connection and provide network address translation (NAT) for your private network.

The following table lists additional tasks that you might want to perform on your remote access/VPN server.

Task Purpose of task Reference

Configure static packet filters.

To add static packet filters to better protect your network.

Add local host filters; Packet filtering

Configure services and ports.

To choose which services on your private network you want to make available for remote access users.

Configure services and ports

Adjust logging levels for routing protocols.

To configure the level of event details that you want to log. You can decide what information you want to track your log files.

Log details for a routing protocol

Configure the number of VPN ports.

To add or remove VPN ports.

Add PPTP or L2TP ports

Create a Connection Manager profile for your users.

To manage the client connection experience for your users and simplify troubleshooting client connections.

Connection Manager Administration Kit

Add Certificate Services.

To configure and manage a certification authority (CA) on a server for use in a public key infrastructure (PKI).

Certificate Services; Computer certificates for L2TP/IPSec VPN connections

Increase remote access security.

To protect your remote users and your private network by enforcing the use of secure authentication methods, requiring higher levels of data encryption, and more.

Security information for remote access

Increase VPN security.

To protect your remote users and your private network by requiring the use of secure routing and tunneling protocols, configuring account lockout, and more.

VPN Security