Implementing VPN Support
Applies To: Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2, Windows Server 2012, Windows Vista
A virtual private network (VPN) connection provides remote access to private networks over the Internet (or other network). A VPN connection is established using a tunneling protocol to establish a tunnel through the Internet to the private network. To establish a VPN connection, users can connect directly to the private network through the tunnel by either dialing into a local Internet service provider (ISP) or by using a direct connection to the Internet.
This means that remote users can connect using worldwide Internet access points to access private resources as easily as local users. For corporations, it means that employees have remote access over the Internet to their corporate private networks. By having users create VPN connections rather than dial-up connections, the company does not incur the considerable expenses associated with long distance telephone service without compromising security.
You can use the CMAK wizard to set up VPN connections, including:
Make a direct connection to a private network.
Tunnel to a private network over a public network, such as the Internet.
Select a VPN server for the connection.
Using the CMAK wizard, you can set up support for VPN connections using Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), Secured Sockets Tunneling Protocol (SSTP), or VPN Reconnect with Internet Key Exchange version 2 (IKEv2). To use these VPN connection types, you must have a remote access server on the private network configured to support the appropriate protocol.
Important
A VPN connection requires the computer on which Connection Manager is run to be configured to use the same network protocols that the private network uses.
You can create a connection profile with which users can establish direct VPN connections using a tunnel over pre-existing connections. For example, users who are already connected to the Internet through DSL or a cable modem can then connect to your private network using a VPN-only profile you created.
To create a VPN-only profile
Start the CMAK wizard.
On the VPN Support page, select Phone book from this profile, and then specify a VPN server (by DNS name or IP address) or specify a VPN file (by typing the full path to the file).
Configure the VPN entry or entries with the correct security and addressing information for your network.
Do not specify a phone book file on the Phone Book page, and clear the Automatically download phone book updates check box. You do not need to configure the default dial-up entry for the profile.
On the last page of the wizard, select the Advanced Customization check box.
On the Advanced Customization page, click the profile’s .cms file, click [Connection Manager], and then set the value of the Dialup key to 0 (zero).
Click Apply, and finish the wizard.
This process will create a VPN-only profile, without a General tab in the Properties dialog box for the profile. Users of your profile will not see any phone or dialing information.
Setting up a dial-up profile to support VPN connections might add an Internet Logon tab to the Properties dialog box. On this tab, users type the user name and password for the Internet service provider. In the logon dialog box, users type a private network user name, password, and logon domain.
To implement VPN connections in your connection profiles, you must specify the address of at least one server to be used and how to handle authentication. As you run the CMAK wizard:
You must have the VPN server address, specified either as a Domain Name System (DNS) name or as an IP address.
If you do not want to let the server assign addresses for DNS and Windows Internet Name Service (WINS) servers, you can specify the addresses to be used.
You must specify whether users enter the same user name and password for both logging on to the Internet using a dial-up connection and logging on to the private network server using a VPN connection. If you specify that the same credentials are to be used for both, the Internet Logon tab does not appear and the user only has to enter credentials once to connect.
You must specify the VPN security settings to be used for connections made with this profile. On the Security tab of the Properties page for the VPN entry, you can select a single tunneling protocol, or which tunneling is to be tried first. You must also configure the authentication methods to be used when the tunnel is established. Ensure that at least one supported method is supported by both this connection profile and the remote access server to which the profile connects.
For more information on advanced customization keys that can be used with VPN connections, see Advanced Customization.
Enabling user choice of VPN server
You can allow your users to choose from multiple VPN servers when they connect to your service. For example, a user could select a VPN server that is close to his or her location, or a user could choose a VPN server that has higher security settings. For connection profiles that support this option, a VPN tab appears in the properties dialog box for the service profile. This tab contains a customized text message and a list of VPN servers.
To enable your users to choose a VPN server from a list when they connect to your service, you must create a VPN file before you start the CMAK wizard. A VPN file is a text file that you can create with any plain-text editor, such as Notepad. The table below identifies sections, keys, and values that compose a VPN file.
| [Section] or key name | Value |
|---|---|
[Settings] |
Section header for the keys that contain VPN settings. |
Default |
The friendly name of the default VPN server for this connection profile. If you create this key but do not give it a value or if you do not create this key, the user must select a VPN server the first time the user connects with the profile. |
UpdateURL |
The URL of the Web server that contains updates for this VPN file. If this key is added, a post-connect action is added automatically to the connection profile. This post-connect action updates the VPN file. |
Message |
The text message that appears on the VPN tab in the properties dialog box for the connection profile. This message cannot exceed 256 characters, and it must be a single paragraph. If this key is created but left blank, default text is used. |
[VPN Servers] |
Section header for the keys that identify VPN servers. |
FriendlyName |
The name of this key is the friendly name of one of the VPN servers available to your users. The value of this key is the DNS or IP address of the VPN server for which you named the key. If you want this VPN server to use a specific set of network and security settings, you must follow the DNS or IP address with a comma and the name of a VPN entry that you will edit in the VPN Entries page of the CMAK wizard. If you do not specify a VPN entry, the VPN server will use the settings for the default VPN entry. |
If the fictional company Awesome Computers wanted to provide its users with a choice of VPN servers, an administrator might create a VPN file similar to the example below.
[Settings]
default=Awesome Computers HQ
UpdateURL=https://awesomecomputers.microsoft.com/VPNfile.txt
Message=Please select a server from the following list. You might want to choose a server closest to your location or to your data.
[VPN Servers]
Awesome Computers HQ=awesomecomputers.microsoft.com
Awesome Computers New York=ny.awesomecomputers.microsoft.com
Awesome Computers Spain=es.awesomecomputers.microsoft.com,Awesome International VPN Settings
Awesome Computers Madagascar=ma.awesomecomputers.microsoft.com,Awesome International VPN Settings
In the above example, the VPN servers Awesome Computers HQ and Awesome Computers New York use the settings specified in the default VPN entry. Awesome Computers Spain and Awesome Computers Madagascar will use the settings specified in the VPN entry named Awesome International VPN Settings. Users will see the friendly names of the VPN servers you have defined.