Configuring a Win2K VPN Server

VPN client connections and a glimpse of the future of IIS administration

In many of my earlier articles, I've said that you shouldn't consider implementing remote access technologies such as Microsoft Windows 2000 Server Terminal Services without implementing a VPN solution to secure that technology. In "Installing a Win2K VPN Server," January 2002, InstantDoc ID 23275, I showed you how to install a Win2K VPN to secure such remote access for your IIS administrators. This month, I show you how to configure a VPN connection, then provide a few tips and tricks for optimizing your PPTP VPN connections.

Configuring a VPN Connection
If you followed the instructions in last month's article, you now have a functional VPN server. Now, I'll walk you through the steps for configuring a VPN connection to your Win2K VPN server:

  1. Choose Start, Settings, Network and Dial-up Connections, then select Make New Connection to launch the Network Connection Wizard.
  2. Click Next on the wizard's first screen.
  3. On the Network Connection Type screen, which Figure 1 shows, select the Connect to a private network through the Internet option. Click Next.
  4. The wizard's next screen asks whether the VPN must connect to the Internet. If you're using a cable modem or DSL connection from a remote location such as your home, select the Do not dial the initial connection option. If you're using a dial-up connection to the Internet, select the Automatically dial this initial connection option. Click Next.
  5. On the Destination Address screen, which Figure 2 shows, enter the destination of your VPN server. This destination can be an IP address or a DNS name. Click Next.
  6. Determine whether you want to create this connection for all users or only yourself, then click Next.
  7. Name your connection (e.g., use your company's name followed by VPN). You can have the wizard add a desktop shortcut by selecting the Add a shortcut to my desktop check box.
  8. Click Finish.
  9. When the VPN connection is complete, the wizard launches a connection dialog box. Click Properties.
  10. Click the Options tab, which Figure 3 shows, then select the Include Windows logon domain check box. Keep all the other default settings. Click OK.

Now, connect to the VPN by typing your username, password, and domain. When you're connected, a computer icon will appear in your taskbar. If you hover over the computer icon, Windows provides connection identification and information. You can disconnect your VPN connection by right-clicking the VPN connection in the taskbar and selecting Disconnect. (Note that when you authenticate to a Win2K domain through a VPN connection, the logon script doesn't run. If network drives are mapped through your Win2K logon script and you want to access them, you need to map network drives manually.)

Public Name Resolution Through a VPN Connection
The first time you establish a successful VPN connection to your remote server, you might have trouble with public name resolution (e.g., DNS, WINS). For example, you might not be able to launch a browser on a remote system to connect to a public Web site on the Internet. Because your VPN server is a completely separate LAN, you need to configure name resolution separately, too. Fortunately, there's a bulletproof way to handle name resolution on the client side without having to address the security implications of handling it on the VPN server—through your default Internet connection (i.e., your ISP).

However, before I show you how to set up public name resolution, I should point out that setting it up on your VPN server isn't necessarily a good idea. Indeed, many administrators deliberately set up their VPN servers without it. Two schools of thought exist about denying public name resolution through a VPN server. The first school asserts that the purpose of a VPN is to provide secure access to corporate LAN resources. Therefore, leveraging the corporate VPN as a springboard to public Internet sites is unnecessary. The second school centers on security. Providing public Internet access through a VPN connection is just one more exposed route that a malicious intruder can attack. So, many IIS administrators choose either not to provide name resolution at all through VPN connections or to provide only internal name resolution for internal servers (i.e., internal DNS).

If, however, your clients or administrators require access to resources outside the VPN, you can configure your VPN connection to handle public name resolution outside your VPN server. To do so for a Win2K VPN, follow these steps:

  1. Choose Start, Settings, Network and Dial-up Connections.
  2. Right-click your VPN connection, then select Properties.
  3. Click the Networking tab.
  4. Select Internet Protocol (TCP/IP) from the components list, then click Properties.
  5. Click Advanced, then click the General tab, which Figure 4, page 10, shows.
  6. Clear the Use default gateway on remote network check box. (This check box is selected by default.)

The Use default gateway on remote network check box controls the route used for connections to remote servers. By clearing this check box, your Internet connection rather than the remote server handles the routing. This connection provides a secure connection to the servers on your LAN through the VPN. Any access to the public Internet will be routed through your Internet connection, where your ISP handles public name resolution.

VPN Connectivity Through Windows CE
At the time of this writing, Windows CE .NET (code-named Talisker) was in beta 2 and publicly available. This new version of Windows CE will ship not only with a VPN client but also with its own version of Terminal Services. Figure 5 shows the Windows CE VPN configuration screen. Web-exclusive Figure 1, which you can access from the Windows Web Solutions Web site (http://, InstantDoc ID 23575), shows the Windows CE Terminal Services client.

Windows CE .NET will feature PPTP support. With this support, you can secure the transfer of data from a remote Windows CE­based client running on form factors as small as a pocket PC to a private enterprise server by creating a VPN across a TCP/IP-based network. Windows CE .NET will also feature RDP 5.0 support, which connects a Windows CE­based client to a Win2K- or Windows NT 4.0­based server that's running Terminal Services. As Web-exclusive Figure 2 shows, you can securely administer a production IIS server remotely from a wireless pocket PC by running Internet Services Manager (ISM) over Terminal Services. You'll be able to administer IIS servers remotely on handheld computers that have the same tools you use on desktop PCs!

Up and Running with VPN
Installing and configuring a VPN server for secure remote access is one of the more complex operations in Win2K. Configuring VPN client access is also complex. Now, you have the foundation to get your VPN client connectivity running securely and effectively. Next month, I'll dive into the Microsoft SMTP Service and show you how to automate sending email from your Web servers.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.