Think of a scenario where you need to access some important
files on your corporate server while you are sitting far away. One way is to set
up a remote access server with dial-up links. The other is to set up a remote
access server over a VPN, which lets you reach your network resources over the
Internet. The links can also be secured so that data is encrypted while in
transit. We'll explain how this is done using Windows Server 2003. For this, you
need a multi-homed server with at least two network cards. The process is as
follows.
Server setup
Configure both network cards with static IP addresses, one with an internal
IP on your LAN and the other with a public IP. You also need a firewall in
between to ensure that your LAN is protected from external access. The firewall
must still let the VPN traffic itself reach the server's public interface: for
the PPTP ports the wizard creates by default that is TCP port 1723 plus GRE (IP
protocol 47), and for L2TP/IPsec it is UDP 500, UDP 1701 and ESP (IP protocol
50). Then on your Windows 2003 server, go to Start>Programs>Administrative
Tools>Routing and Remote Access. This opens the Routing and Remote Access MMC
(Microsoft Management Console). On the left panel you will find an icon showing
the server's status. Right-click the server icon and select 'Configure and
Enable Routing and Remote Access' from the pop-up menu. This launches the
Routing and Remote Access wizard. Click Next, and the wizard will ask you to
select the type of routing configuration you would like for this machine.
Select 'Virtual Private Network (VPN) Server' and click Next. The wizard now
shows the Remote Client Protocols page; select 'Yes, all of the required
protocols are on this list' and click Next. The default protocol is TCP/IP.
From the Routing and Remote Access wizard, you need to select the third option to set up a VPN
Here the wizard asks you to pick the network card to use for the VPN. Select
the card connected to the public network (203.122.29.x) and click Next. This
opens the IP Address Assignment page; choose 'Automatically' if your network
has a DHCP server available. If not, choose 'From a specified range of
addresses', enter the range of IPs to hand out to clients, and click Next. The
next screen lets you choose whether this server authenticates VPN users itself
or hands authentication to a RADIUS server.
Adding security policies
If you have several remote access servers on your network, you can authenticate
users from one central server rather than creating user accounts on each remote
access server. This is done with RADIUS (Remote Authentication Dial-In User
Service). For the RADIUS server, use IAS (Internet Authentication Service),
which is built into Windows 2000 Server and Windows Server 2003. If you want to
authenticate on this server itself, click 'No, I don't want to set up this
server to use RADIUS now' and click Next. Finally, click Finish to complete the
Routing and Remote Access server configuration. Note that the wizard does not
let you pick the authentication protocols; those are set afterwards in the
server's Properties, on the Security tab under 'Authentication Methods'. Keep
MS-CHAP v2 selected there and leave PAP disabled, since PAP sends the user's
password in clear text. After this you need to set a policy for the users so
that remote users are allowed to dial in. To let users connect to the VPN
server, you must grant them access permission.
The RRAS wizard lets you choose the configuration you
want, so that remote users can connect to the VPN server from their VPN clients.
Open Routing and Remote Access from Start>Programs>Administrative tools.
Click on 'Remote Access Policies' given on the left panel, and click on plus
sign (+) to expand its sub-tree.
Here, from the user management console, select the user and set its dial-in access to 'Allow access'
On the right panel you will find the 'Allow access if dial-in permission is
enabled' policy; right-click it and select Properties. In the property sheet,
select the 'Grant remote access permission' radio button, click OK and close
the Routing and Remote Access MMC. Next you need to grant the remote users
permission to connect to the VPN server. For this, open 'Active Directory Users
and Computers' from Start>Programs>Administrative Tools and select the user.
Double-click it to open its properties. On the Dial-in tab, select the 'Allow
access' radio button under 'Remote Access Permission (Dial-in or VPN)'. Click
OK and close the Active Directory Users and Computers MMC.
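The same server-side settings (addresses on both cards, the client address pool, the authentication protocols, the user's dial-in permission and the optional RADIUS hand-off) can be driven from a command prompt with netsh, which Windows Server 2003 ships with. The script below is an added example written for this article, not part of the original text. The interface names "LAN" and "Internet", the 192.168.10.x addresses, the user jdoe and the RADIUS server with its shared secret are placeholders; it is meant to be run on the RRAS server after the wizard has enabled the service.

```batch
@echo off
REM Added example (not from the article): RRAS VPN server settings via netsh on
REM Windows Server 2003, run after 'Configure and Enable Routing and Remote Access'.
REM Placeholders: interface names "LAN" and "Internet", the 192.168.10.x pool,
REM user jdoe and RADIUS server 192.168.10.5 with a made-up shared secret.

REM 1. Static addresses on both cards (the 'Server setup' step).
netsh interface ip set address name="LAN" source=static addr=192.168.10.2 mask=255.255.255.0
netsh interface ip set address name="Internet" source=static addr=203.122.29.10 mask=255.255.255.0 gateway=203.122.29.1 gwmetric=1

REM 2. Hand out client addresses from a fixed pool rather than from DHCP.
netsh ras ip set addrassign method=pool
netsh ras ip add range from=192.168.10.200 to=192.168.10.220

REM 3. Authentication protocols (the 'Authentication Methods' list on the server's
REM    Security tab): keep MS-CHAP v2, remove PAP (clear-text password), SPAP,
REM    MD5-CHAP and MS-CHAP v1.
netsh ras add authtype type=MSCHAPv2
netsh ras delete authtype type=PAP
netsh ras delete authtype type=SPAP
netsh ras delete authtype type=MD5CHAP
netsh ras delete authtype type=MSCHAP

REM 4. Grant the user dial-in permission (the Dial-in tab in Active Directory
REM    Users and Computers). Assumes the server authenticates against the account
REM    database that holds jdoe and the prompt has rights to modify it.
netsh ras set user name=jdoe dialin=permit

REM 5. Optional: hand authentication to a central RADIUS (IAS) server instead of
REM    this box. Leave these commented out if you chose to authenticate locally.
REM netsh ras aaaa set authentication provider=radius
REM netsh ras aaaa add authserver name=192.168.10.5 secret=ChangeThisSharedSecret port=1812 timeout=5

REM 6. Review what was configured.
netsh ras show authtype
netsh ras ip show config
netsh ras show user name=jdoe
```

Run it from an administrative command prompt on the server; the three `show` commands at the end print the active authentication types, the address pool and the user's dial-in setting so you can compare them with what the MMC displays.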
Setup VPN client
Creating a VPN client is simple. We used Windows XP Professional as the remote
client. Go to Start>Programs>Accessories>Communications and click 'New
Connection Wizard'.
This runs a wizard for creating a VPN connection. Select
'Connect to the network at my workplace' and click Next. On the
Network Connection page, click 'Virtual Private Network connection' and
click Next. The wizard then asks for a connection name; give it a
convenient name and click Next. Now enter the IP address or DNS name of
the VPN server and click Next, then click Finish to close the wizard.
With this, your VPN client is ready. Launch it with the user name
and password to connect to your office VPN server. The speed of
access depends on the bandwidth available at both ends.
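Once the connection entry exists, the client side can be scripted with rasdial, the command-line dialer that Windows XP includes. The batch file below is an added example, not from the original article: it dials the entry, checks that a host on the LAN actually answers through the tunnel before any files are touched, and hangs up afterwards. The entry name "Office VPN", the user jdoe and the internal host 192.168.10.3 are placeholders.

```batch
@echo off
REM Added example (not from the article): connect to the VPN entry created by the
REM New Connection Wizard on Windows XP, verify the tunnel works, then hang up.
REM Placeholders: entry name "Office VPN", user jdoe, internal host 192.168.10.3.
setlocal

set ENTRY=Office VPN
set VPNUSER=jdoe
set TESTHOST=192.168.10.3

REM A '*' password makes rasdial prompt for it, so the password is never stored
REM in the script or the command history.
rasdial "%ENTRY%" %VPNUSER% *
if errorlevel 1 (
    echo Connection to "%ENTRY%" failed, rasdial error %ERRORLEVEL%.
    exit /b 1
)

REM ping's exit code is not reliable on XP ("Destination host unreachable" still
REM returns 0), so look for a real reply line containing TTL= instead.
ping -n 2 %TESTHOST% | find "TTL=" >nul
if errorlevel 1 (
    echo Tunnel is up but %TESTHOST% does not answer; check the address pool and routing.
    rasdial "%ENTRY%" /disconnect
    exit /b 2
)

echo Connected: %TESTHOST% is reachable through the VPN.
REM Access the files you need here, for example:  net use X: \\%TESTHOST%\share
rasdial "%ENTRY%" /disconnect
endlocal
```

The reachability check matters because a PPTP or L2TP tunnel can come up successfully while the client still cannot reach the LAN (an exhausted address pool or a missing route on the server both look the same from the client); failing fast with a distinct exit code tells you which half of the setup to look at.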
Sanjay Majumder