Sometimes, simplicity is the best option for both a technology solution and the respective tutorial that explains how to use the new solution. In this document, I will provide a clear, concise, systematic procedure for getting a Windows Server 2003-based PPTP VPN up and running. I'm using Windows Server 2003 with Service Pack 1 for this guide.

Add the Remote Access/VPN Server role to your Windows Server 2003 system

To add the Remote Access/VPN Server role, go to Start | All Programs | Administrative Tools | Configure Your Server Wizard. The first screen of this wizard is for informational purposes only and, thus, is not shown here. Click Next. The same goes for the second screen, which just tells you some things you need to have completed before adding new roles to your server.

On the third screen of the wizard, entitled Server Role, you're presented with a list of available roles for your server along with a column that indicates whether or not a particular role has been assigned to this machine. Figure A shows you a screen from a server on which only the IIS Web server role has been added.

Figure A

To add a new role, select the role and click Next

To add the Remote Access/VPN Server role to your server, select that role and click the Next button to move on to the next screen in the wizard, which provides you with a quick overview of the options you selected.

Figure B

The summary screen is pretty basic for this role

Take note: This selection just starts another wizard called the Routing and Remote Access Wizard, described further below.

The Routing and Remote Access Wizard component

Like most wizards, the first screen of the Routing and Remote Access wizard is purely informational and you can just click Next.

The second screen in this wizard is a lot meatier and asks you to decide what kind of remote access connection you want to provide. Since the goal here is to set up a PPTP-based VPN, select the "Virtual Private Network VPN and NAT" option and click Next.

Figure C

Select the VPN option and click Next

The next screen of the wizard, entitled VPN Connection, asks you to determine which network adapter is used to connect the system to the Internet. For VPN servers, you should install and use a separate network adapter for VPN applications. Network adapters are really cheap and separation makes the connections easier to secure. In this example, I've selected the second local area network connection (see Figure D), a separate NIC from the one that connects this server to the network. Notice the checkbox labeled "Enable security on the selected interface by setting up Basic Firewall" underneath the list of network interfaces. It's a good idea to enable this option since it helps to protect your server from outside attack. A hardware firewall is still a good idea, too.

Figure D

Select the network adapter that connects your server to the Internet

With the selection of the Internet-connected NIC out of the way, you need to tell the RRAS wizard which network external clients should connect to in order to access resources. Notice that the adapter selected for Internet access is not an option here.

Figure E

Select the network containing resources needed by external clients

Just like every other client out there, your external VPN clients will need IP addresses that are local to the VPN server so that the clients can access the appropriate resources. You have two options (really three; I'll explain in a minute) for handling the doling out of IP addresses.

First, you can leave the work up to your DHCP server and make the right configuration changes on your network equipment for DHCP packets to get from your DHCP server to your clients. Second, you can have your VPN server handle the distribution of IP addresses for any clients that connect to the server. To make this option work, you give your VPN server a range of available IP addresses that it can use. This is the method I prefer since I can tell at a glance exactly from where a client is connecting. If they're in the VPN "pool" of addresses, I know they're remote, for instance. So, for this setting, as shown in Figure F below, I prefer to use the "From a specified range of addresses" option. Make your selection and click Next.

Figure F

Your choice on this one! I prefer to provide a range of addresses

If you select the "From a specified range of addresses" option on the previous screen, you now have to tell the RRAS wizard exactly which addresses should be reserved for distribution to VPN clients. To do this, click the New button on the Address Range Assignment screen. Type in the starting and ending IP addresses for the new range and click OK. The "Number of addresses" field will be filled in automatically based on your entry. You can also just enter the starting IP address and the number of IP addresses you want in the pool. If you do so, the wizard automatically calculates the ending IP address. Click OK in the New Address Range window; your entry appears in the Address Range Assignment window. Click Next to continue.

Figure G

You can have multiple address ranges, as long as they are all accessible
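
The pool arithmetic and the "if they're in the pool, they're remote" check described above can be sketched in Python. This is an added example, not part of the original article or of Windows: the class and function names, the pool values and the log lines are all constructed, and counting the range inclusively (both the starting and ending address belong to the pool) is an assumption.

```python
import ipaddress


class AddressRange:
    """One static pool entry with a starting and an ending address."""

    def __init__(self, start, end=None, count=None):
        self.start = ipaddress.IPv4Address(start)
        if end is not None:
            self.end = ipaddress.IPv4Address(end)
        elif count is not None and count >= 1:
            # Start plus count: derive the ending address, as the wizard does.
            self.end = self.start + (count - 1)
        else:
            raise ValueError("give an ending address or a count >= 1")
        if self.end < self.start:
            raise ValueError("ending address is below the starting address")

    @property
    def count(self):
        # Assumption: the range includes both its first and last address.
        return int(self.end) - int(self.start) + 1

    def __contains__(self, address):
        return self.start <= ipaddress.IPv4Address(address) <= self.end


def origin(address, pools):
    """Label a source address 'vpn' if any pool contains it, else 'local'."""
    return "vpn" if any(address in pool for pool in pools) else "local"


def tag_log(lines, pools):
    """Return (source_ip, origin) for lines shaped '<time> <ip> <request>'."""
    return [(line.split()[1], origin(line.split()[1], pools)) for line in lines]


# Constructed pool values and log lines; none of these come from the article.
POOLS = [AddressRange("192.168.1.200", end="192.168.1.210"),
         AddressRange("192.168.1.230", count=5)]
SAMPLE_LOG = ["09:14:02 192.168.1.205 GET /intranet",
              "09:14:09 192.168.1.42 GET /intranet",
              "09:15:31 192.168.1.234 GET /payroll",
              "09:15:40 192.168.1.235 GET /payroll"]

if __name__ == "__main__":
    for pool in POOLS:
        print(pool.start, pool.end, pool.count)
    for ip, where in tag_log(SAMPLE_LOG, POOLS):
        print(ip, where)
```

Because the pools are explicit ranges, an address one past the end of a range is reported as local rather than as a VPN client.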

The next screen asks you to identify the network that has shared access to the Internet. This is generally the same network that your VPN users will use to access shared resources.

Figure H

Pick the network adapter that gives you access to the Internet

Authenticating users to your network is vital to the security of your VPN infrastructure. The Windows VPN service provides two means for handling this chore. First, you can use RADIUS, which is particularly useful if you have other services already using RADIUS. Or, you can just let the RRAS service handle the authentication duties itself. Give users access to the VPN services by enabling dial-in permissions in the user's profile (explained below). For this example, I will not be using RADIUS, but will allow RRAS to directly authenticate incoming connection requests.

Figure I

Determine what means of authentication you want to provide

That's it for the RRAS wizard! You're provided with a summary screen that details the selections you made.

Figure J

The RRAS wizard summary window

This also completes the installation of the Remote Access/VPN Server role.

User configuration

By default, users are not granted access to the services offered by the VPN; you need to grant these rights to each user that you want to allow remote access to your network. To do this, open Active Directory Users and Computers (for domains) or Computer Management (for stand-alone networks), and open the properties page for a user to whom you'd like to grant access to the VPN. Select that user's Dial-In properties page. On this page, under Remote Access Permissions, select "Allow access". Note that there are a lot of different ways to "dial in to" a Windows Server 2003 system; a VPN is but one method. Other methods include wireless networks, 802.1x, and dial-up. This article assumes that you're not using the Windows features for these other types of networks. If you are, and you specify "Allow access", a user will be able to use multiple methods to gain access to your system. I can't go over all of the various permutations in a single article, however.

Figure K

Allow the user access to the VPN

Up and running

These are the steps needed on the server to get a VPN up and running. Of course, if you have devices such as firewalls between your VPN server and the Internet, further steps may be required; these are beyond the scope of this article, however.