Implementing VPN support
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
A virtual private network (VPN) connection provides remote access to private networks over the Internet (or another network). A VPN connection uses a tunneling protocol to establish a tunnel through the Internet to the private network. To establish a VPN connection, users connect directly to the private network through the tunnel, either by dialing into a local Internet service provider (ISP) or by using a pre-existing connection to the Internet (a direct connection).
This means that remote users can connect using worldwide Internet access points to access private resources as easily as local users. For corporations, it means that employees have remote access over the Internet to their corporate private networks, usually through a local phone number. By having users create VPN connections rather than dial-up connections, the company does not incur the considerable expenses associated with long distance telephone service without compromising security.
You can use the Connection Manager Administration Kit (CMAK) wizard to set up VPN connections, including:
- Make a direct connection to a private network.
- Tunnel to a private network over a public network, such as the Internet.
- Select a VPN server for the connection.
Using the CMAK wizard, you can set up support for VPN connections using Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP). To use these VPN connections, you must have a remote access server on the private network configured to support the appropriate protocol.
Important
A VPN connection requires the computer on which Connection Manager is run to be configured to use the same network protocols that the private network uses.
VPN connections on computers running Windows Millennium Edition, Windows 98, or Windows 95 require that users have the latest Dial-up Networking software installed on their computers. Users can obtain the current Dial-up Networking software by downloading it as a Windows Update from the Microsoft Web site. You should document this requirement for your users. For more information on verifying and installing Dial-up Networking software, see Providing user documentation.
You can create a service profile with which users can establish direct VPN connections using a tunnel over pre-existing connections. For example, users who are already connected to the Internet through DSL or a cable modem can then connect to your private network using a VPN-only profile you created. To create a VPN-only profile:
1. Start the CMAK wizard.
2. On the VPN Support pane, select the Phone book from this profile check box, and specify a VPN server (by DNS name or IP address) or specify a VPN file (by typing the full path to the file).
3. Configure the VPN entry or entries with the correct security and addressing information for your network.
4. Do not specify a phone book file on the Phone Book pane, and clear the Automatically download phone book updates check box. You do not need to configure the default dial-up entry for the profile.
5. On the last pane of the wizard, select the Advanced Customization check box.
6. On the Advanced Customization pane, click the profile .cms file, click [Connection Manager], and set the value of the Dialup key to zero.
7. Click Apply, and finish the wizard.
This process will create a VPN-only profile, without a General tab in the Properties dialog box for the profile. Users of your profile will not see any phone or dialing information.
Setting up a dial-up profile to support VPN connections might add an Internet Logon tab to the Properties dialog box. On this tab, users type the user name and password for the Internet service provider. In the logon dialog box, users type a private network user name, password, and logon domain.
To implement VPN connections in your service profiles, you must specify the address of at least one server to be used and how to handle authentication. As you run the CMAK wizard:
- You must have the VPN server address, specified either as a Domain Name System (DNS) name or as an IP address.
- If you do not want to let the server assign addresses for DNS and Windows Internet Name Service (WINS) servers, you can specify the addresses to be used.
- You must specify whether users enter the same user name and password both for logging on to the Internet using a dial-up connection and for logging on to the private network server using a VPN connection. If you specify that the same credentials are to be used for both, the Internet Logon tab does not appear and the user only has to enter credentials once to connect.
- You must specify the VPN security settings to be used for connections made with this profile. By default, the security setting is Configure both basic and advanced settings, which requires one configuration for profiles installed on Windows 95, Windows 98, Windows NT 4.0, and Windows Millennium Edition, and a different configuration for profiles installed on Windows 2000, Windows XP, and the Windows Server 2003 family. Windows 2000, Windows XP, and Windows Server 2003 operating systems have more advanced security features and can support a higher level of security for your connection. You can choose to require the use of advanced security settings only, although this setting might prevent some clients on other operating systems from connecting with your profile. You can also choose to use only basic security settings, which all operating systems that support Connection Manager can use. However, this means that all profiles will use the basic security settings, regardless of whether the operating system can support a higher level of security.
For more information on keys to be used with direct connections, see Advanced Customization.
Enabling user choice of VPN server
You can allow your users to choose from multiple VPN servers when they connect to your service. For example, a user could select a VPN server that is close to his or her location, or a user could choose a VPN server that has higher security settings. For service profiles that support this option, a VPN tab appears in the properties dialog box for the service profile. This tab contains a customized text message and a list of VPN servers.
To enable your users to choose a VPN server from a list when they connect to your service, you must create a VPN file before you start the CMAK wizard. A VPN file is a text file that you can create with any plain-text editor, such as Notepad. The table below identifies sections, keys, and values that compose a VPN file.
| [Section] or key name | Value |
|---|---|
| [Settings] | Section header for the keys that contain VPN settings. |
| Default | The friendly name of the default VPN server for this service profile. If you create this key but do not give it a value, or if you do not create this key, the user must select a VPN server the first time the user connects with the service profile. |
| UpdateURL | The URL of the Web server that contains updates for this VPN file. If this key is added, a post-connect action is added automatically to the service profile. This post-connect action updates the VPN file. |
| Message | The text message that appears on the VPN tab in the properties dialog box for the service profile. This message cannot exceed 256 characters, and it must be a single paragraph. If this key is created but left blank, default text is used. |
| [VPN Servers] | Section header for the keys that identify VPN servers. |
| FriendlyName | The name of this key is the friendly name of one of the VPN servers available to your users. The value of this key is the DNS or IP address of the VPN server for which you named the key. If you want this VPN server to use a specific set of network and security settings, you must follow the DNS address with a comma and the name of a VPN entry that you will edit in the VPN Entries pane of the CMAK wizard. If you do not specify a VPN entry, the VPN server will use the settings for the default VPN entry. |
If the fictional company Awesome Computers wanted to provide its users with a choice of VPN servers, an administrator might create a VPN file similar to the example below.
```ini
[Settings]
default=Awesome Computers HQ
UpdateURL=https://awesomecomputers.microsoft.com/VPNfile.txt
Message=Please select a server from the following list. You might want to choose a server closest to your location or to your data. Windows 98 users should choose Awesome Computers Windows 98.
[VPN Servers]
Awesome Computers HQ=awesomecomputers.microsoft.com
Awesome Computers New York=ny.awesomecomputers.microsoft.com
Awesome Computers Spain=es.awesomecomputers.microsoft.com,Awesome International VPN Settings
Awesome Computers Madagascar=ma.awesomecomputers.microsoft.com,Awesome International VPN Settings
Awesome Computers Windows 98=awesomecomputers.microsoft.com,Awesome 98 VPN Settings
```
In the above example, the VPN servers Awesome Computers HQ and Awesome Computers New York use the settings specified in the default VPN entry. Awesome Computers Spain and Awesome Computers Madagascar will use the settings specified in the VPN entry named Awesome International VPN Settings. A VPN server has been created for clients running Windows 98, and it uses the settings specified in the VPN entry named Awesome 98 VPN Settings. Users will see the friendly names of the VPN servers you have defined.
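The following Python script is an added example, not part of this documentation or of the CMAK tool. It parses a VPN file in the format described in the table above (the [Settings] and [VPN Servers] sections, with the optional ",VPN entry name" suffix on a server line) and checks it for the consistency problems an administrator would otherwise only discover at connect time: a Default that names no listed server, a Message longer than 256 characters, a server line with no address, and a server that references a VPN entry not configured in the wizard. Because UpdateURL drives an automatic post-connect download that replaces the server list, the checker also flags an UpdateURL that is not https, since a list fetched over plain http could be altered in transit. The sample file is constructed for this example and modelled on the Awesome Computers file above; treating key names case-insensitively is an assumption (the table spells the key Default while the example writes default=).

```python
"""Parse and sanity-check a Connection Manager VPN file (example code, not CMAK's own)."""
from urllib.parse import urlparse

MAX_MESSAGE_LEN = 256  # limit stated for the Message key

# Constructed sample input, modelled on the Awesome Computers example.
SAMPLE_VPN_FILE = """[Settings]
default=Awesome Computers HQ
UpdateURL=https://awesomecomputers.microsoft.com/VPNfile.txt
Message=Please select a server from the following list.
[VPN Servers]
Awesome Computers HQ=awesomecomputers.microsoft.com
Awesome Computers Spain=es.awesomecomputers.microsoft.com,Awesome International VPN Settings
"""


def parse_vpn_file(text):
    """Return (settings, servers).

    settings: dict of lower-cased [Settings] key -> value (case-insensitive
              key matching is an assumption, following INI convention).
    servers:  dict of friendly name -> (address, vpn_entry_name or None).
    Because every value lives on one key=value line, a multi-line Message
    cannot be expressed at all, which enforces the single-paragraph rule.
    """
    settings, servers, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            raise ValueError(f"malformed line (no '='): {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "settings":
            settings[key.lower()] = value
        elif section == "vpn servers":
            # Optional ",<VPN entry name>" selects a non-default VPN entry.
            address, _, entry = value.partition(",")
            servers[key] = (address.strip(), entry.strip() or None)
        else:
            raise ValueError(f"key outside a known section: {raw!r}")
    return settings, servers


def check_vpn_file(text, known_entries=()):
    """Return a list of problem descriptions; an empty list means no issues found.

    known_entries: names of the VPN entries configured in the CMAK wizard.
    When given, every server that names an entry must name one of them.
    """
    problems = []
    settings, servers = parse_vpn_file(text)
    if not servers:
        problems.append("no servers listed under [VPN Servers]")
    default = settings.get("default")
    if default and default not in servers:
        problems.append(f"Default {default!r} is not a friendly name under [VPN Servers]")
    message = settings.get("message")
    if message is not None and len(message) > MAX_MESSAGE_LEN:
        problems.append(f"Message exceeds {MAX_MESSAGE_LEN} characters")
    url = settings.get("updateurl")
    if url and urlparse(url).scheme.lower() != "https":
        # The file fetched from this URL replaces the server list after connect,
        # so an unauthenticated transport lets the list be altered in transit.
        problems.append(f"UpdateURL {url!r} is not an https URL")
    for name, (address, entry) in servers.items():
        if not address:
            problems.append(f"server {name!r} has no address")
        if entry and known_entries and entry not in known_entries:
            problems.append(f"server {name!r} names unknown VPN entry {entry!r}")
    return problems


if __name__ == "__main__":
    for problem in check_vpn_file(SAMPLE_VPN_FILE, ("Awesome International VPN Settings",)):
        print("problem:", problem)
```

Run the script against a real VPN file by reading it into `check_vpn_file` and passing the VPN entry names you configured on the VPN Entries pane as `known_entries`; an empty result means every server resolves to an entry the profile actually carries.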