Common Configuration for the VPN Server (VPN with Windows Server 2003)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To deploy a VPN solution for Electronic, Inc., the network administrator performs an analysis and makes design decisions regarding:

  • The network configuration.

  • The remote access policy configuration.

  • The domain configuration.

  • The security configuration.

Network Configuration

The key elements of the network configuration are:

  • The Electronic, Inc. corporate intranet uses the private networks of 172.16.0.0 with a subnet mask of 255.240.0.0 (172.16.0.0/12) and 192.168.0.0 with a subnet mask of 255.255.0.0 (192.168.0.0/16). The corporate campus network segments use subnets of 172.16.0.0 and the branch offices use subnets of 192.168.0.0.

  • The VPN server computer is directly attached to the Internet using a T3 (also known as a DS-3) dedicated WAN link.

  • The IP address of the WAN adapter on the Internet is 207.46.130.1 as allocated by the Internet service provider (ISP) for Electronic, Inc. The IP address of the WAN adapter is referred to on the Internet by the domain name vpn.electronic.example.com.

  • The VPN server computer is directly attached to an intranet network segment that contains a router that connects to the rest of the Electronic, Inc. corporate campus intranet. The intranet network segment has the IP network ID of 172.31.0.0 with the subnet mask of 255.255.0.0.

  • The VPN server computer is configured with a static pool of IP addresses to allocate to remote access clients and calling routers that is a subset of the intranet network segment (an on-subnet address pool).

Figure 1 shows the network configuration of the Electronic, Inc. VPN server.

Figure 1: The network configuration of the Electronic, Inc. VPN server

Based on the network configuration of the Electronic, Inc. corporate campus intranet, the VPN server computer is configured as follows:

  1. Install hardware on the VPN server.

    The network adapter that is used to connect to the intranet segment and the WAN adapter that is used to connect to the Internet are installed according to the adapter manufacturer's instructions. Once drivers are installed and functioning, both adapters appear as local area connections in Network Connections.

  2. Configure TCP/IP on the LAN and WAN adapters.

    For the LAN adapter, an IP address of 172.31.0.1 with a subnet mask of 255.255.0.0 is configured. For the WAN adapter, an IP address of 207.46.130.1 with a subnet mask of 255.255.255.255 is configured. A default gateway is not configured for either adapter. Domain Name System (DNS) and Windows Internet Name Service (WINS) server addresses are also configured.

  3. Configure the Routing and Remote Access service.

    The Routing and Remote Access service is initially configured with the Routing and Remote Access Server Setup Wizard. To run the Wizard, right-click the name of the server in the Routing and Remote Access snap-in, and then click Configure and Enable Routing and Remote Access. Configure the VPN server using the following settings:

    Configuration: Remote access (dial-up or VPN)

    Remote Access: VPN

    VPN Connection: Click the connection that corresponds to the interface connected to the Internet

    IP Address Assignment: Click From a specified range of addresses and create a single range from 172.31.255.1 to 172.31.255.254. This creates a static address pool for up to 253 VPN clients.

    Managing Multiple Remote Access Servers: Click No, use Routing and Remote Access to authenticate connection requests

    The default method of authenticating remote access and demand-dial connections is to use Windows authentication, which is appropriate in this configuration containing only one VPN server. For information about the use of Remote Authentication Dial-In User Service (RADIUS) authentication for Electronic, Inc., see the Dial-up and VPNs with RADIUS section in this paper. For more information about the use of Windows and RADIUS authentication, see the topic titled Authentication vs. Authorization in Windows Server 2003 Help and Support.

  4. Configure the DHCP Relay Agent.

    In the console tree, navigate to IP Routing\DHCP Relay Agent. Right-click DHCP Relay Agent, and then click Properties. In the DHCP Relay Agent Properties dialog box, type the IP address of an intranet Dynamic Host Configuration Protocol (DHCP) server in Server address. Click Add, and then click OK. By configuring the DHCP Relay Agent routing protocol component, VPN remote access clients can receive the correct DNS domain name, DNS server addresses, and WINS server addresses when connecting to the intranet.

  5. Configure static routes on the VPN server to reach intranet and Internet locations.

    To reach intranet locations, a static route is configured with the following settings:

    • Interface: The LAN adapter attached to the intranet

    • Destination: 172.16.0.0

    • Network mask: 255.240.0.0

    • Gateway: 172.31.0.2

    • Metric: 1

    This static route simplifies routing by summarizing all destinations on the Electronic, Inc. intranet. This static route is used so that the VPN server does not need to be configured with a routing protocol.

    To reach Internet locations, a static route is configured with the following settings:

    • Interface: The WAN adapter attached to the Internet

    • Destination: 0.0.0.0

    • Network mask: 0.0.0.0

    • Gateway: 0.0.0.0

    • Metric: 1

    This static route summarizes all destinations on the Internet. This route allows the VPN server to respond to a remote access client or demand-dial router from anywhere on the Internet.

    Note

    Because the WAN adapter creates a point-to-point connection to the ISP, any address can be entered for the gateway. The gateway address of 0.0.0.0 is an example. 0.0.0.0 is the unspecified IP address.

  6. Configure a static route on the intranet router to reach all branch offices.

    To reach branch office locations from the intranet router, a static route is configured with the following settings:

    • Interface: The LAN adapter attached to the intranet

    • Destination: 192.168.0.0

    • Network mask: 255.255.0.0

    • Gateway: 172.31.0.1

    • Metric: 1

    This static route simplifies routing by summarizing all destinations at Electronic, Inc. branch offices. The intranet router advertises this static route to its neighboring routers so that a route to the branch office locations exists on each router of the intranet.
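
The addressing and routing plan from steps 2, 3, and 5 can be checked offline with a longest-prefix-match lookup over the VPN server's routes. The following is an added example, not part of the original documentation; the interface labels LAN and WAN and the sample destination addresses are assumptions made for illustration.

```python
import ipaddress as ip

# Addresses are the ones given on this page; the labels "LAN"/"WAN" are assumed names.
SERVER_LAN = ip.ip_interface("172.31.0.1/255.255.0.0")   # VPN server LAN adapter
ROUTER = ip.ip_address("172.31.0.2")                      # intranet router
POOL = (ip.ip_address("172.31.255.1"), ip.ip_address("172.31.255.254"))

# (destination network, gateway, interface) as seen by the VPN server
ROUTES = [
    (SERVER_LAN.network, "on-link", "LAN"),                          # connected
    (ip.ip_network("172.16.0.0/255.240.0.0"), str(ROUTER), "LAN"),   # step 5
    (ip.ip_network("0.0.0.0/0"), "0.0.0.0", "WAN"),                  # step 5
]

def lookup(dest):
    """Longest-prefix match: return (interface, gateway) used for dest."""
    addr = ip.ip_address(dest)
    net, gw, iface = max((r for r in ROUTES if addr in r[0]),
                         key=lambda r: r[0].prefixlen)
    return iface, gw

def client_capacity():
    """Pool size minus the one address the server takes for itself."""
    return int(POOL[1]) - int(POOL[0]) + 1 - 1

def check_plan():
    """Return a list of inconsistencies; an empty list means the plan holds."""
    problems = []
    if not all(a in SERVER_LAN.network for a in POOL):
        problems.append("address pool is not on the LAN subnet")
    for name, a in (("server", SERVER_LAN.ip), ("router", ROUTER)):
        if POOL[0] <= a <= POOL[1]:
            problems.append(f"{name} address {a} falls inside the pool")
    if ROUTER not in SERVER_LAN.network:
        problems.append("intranet gateway is not on the LAN subnet")
    if lookup(POOL[0]) != ("LAN", "on-link"):
        problems.append("pool traffic would be sent to a gateway")
    return problems

if __name__ == "__main__":
    # Constructed sample destinations: a VPN client, a campus host, an Internet host.
    for d in ("172.31.255.10", "172.20.5.9", "198.51.100.7"):
        print(d, "->", lookup(d))
    print("clients:", client_capacity(), "problems:", check_plan())
```

The intranet segment 172.31.0.0/16 lies inside the 172.16.0.0/12 summary, so the connected route is the more specific match and addresses from the on-subnet pool are delivered on-link rather than forwarded to 172.31.0.2.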

Remote Access Policy Configuration

Electronic, Inc. is using a native-mode Active Directory domain and the network administrator for Electronic, Inc. has decided on an access-by-group administrative model. The remote access permission on all user accounts is set to Control access through Remote Access Policy. The granting of remote access permission to connection attempts is controlled by the remote access permission setting on the first matching remote access policy. Remote access policies are used to apply different VPN connection settings based on group membership.

For more information, see the topic Introduction to remote access policies in Windows Server 2003 Help and Support.

Domain Configuration

To take advantage of the ability to apply different connection settings to different types of VPN connections, the following Active Directory groups are created:

  • VPN_Users

    Used for remote access VPN connections

  • VPN_Routers

    Used for site-to-site VPN connections from Electronic, Inc. branch offices

  • VPN_Partners

    Used for site-to-site VPN connections from Electronic, Inc. business partners

Note

All users and groups in this example deployment are created in the electronic.example.com Active Directory domain.

Security Configuration

To enable L2TP/IPSec connections, the use of smart cards by remote access clients, and the use of EAP-TLS by routers, the Electronic, Inc. domain is configured to autoenroll computer certificates to all domain members.

For more information, see the topic titled "Checklist: Configuring certificate autoenrollment" in Windows Server 2003 Help and Support.