Setting up the VPN test network infrastructure
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Setting up the infrastructure
The infrastructure for the VPN test lab network consists of five computers performing the following services:
A computer running Windows Server 2003, Standard Edition, named DC1 that is acting as a domain controller, a Domain Name System (DNS) server, and a certification authority (CA).
A computer running Windows Server 2003, Standard Edition, named IAS1 that is acting as a Remote Authentication Dial-in User Service (RADIUS) server.
A computer running Windows Server 2003, Standard Edition, named IIS1 that is acting as a Web server and file sharing server.
A computer running Windows Server 2003, Standard Edition, named VPN1 that is acting as a VPN server. VPN1 has two network adapters installed.
A computer running Windows XP Professional named CLIENT1 that is acting as a VPN client.
The following illustration shows the configuration of the VPN test lab.
There is a network segment representing a corporate intranet and a network segment representing the Internet. All computers on the corporate intranet are connected to a common hub or Layer 2 switch. All computers on the Internet are connected to a separate common hub or Layer 2 switch. Private addresses are used throughout the test lab configuration. The private network of 172.16.0.0/24 is used for the intranet. The private network of 10.0.0.0/24 is used for the simulated Internet.
Each computer is manually configured with the appropriate IP address, subnet mask, and DNS server IP address. There are no Dynamic Host Configuration protocol (DHCP) or Windows Internet Name Service (WINS) servers present.
The following sections describe the configuration for each of the computers in the test lab. To reconstruct this test lab, configure the computers in the order presented.
Note
- The following instructions are for configuring a test lab using a minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor is it designed to reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
DC1
DC1 is a computer running Windows Server 2003, Standard Edition, that is providing the following services:
A domain controller for the testlab.microsoft.com domain.
A DNS server for the testlab.microsoft.com DNS domain.
The enterprise root certification authority (CA) for the testlab.microsoft.com domain.
To configure DC1 for these services, perform the following steps.
Install Windows Server 2003, Standard Edition, as a stand-alone server.
Configure the TCP/IP protocol with the IP address of 172.16.0.1 and the subnet mask of 255.255.255.0. For more information, see Configure TCP/IP for static addressing.
Run Active Directory Installation Wizard for a new domain called testlab.microsoft.com in a new forest. Install the DNS service when prompted.
Install the Certificate Services component as an enterprise root CA. For more information, see Install an enterprise root certification authority.
Configure the testlab.microsoft.com domain for automatic enrollment of computer certificates. For more information, see Configure automatic certificate allocation from an enterprise CA.
IAS1
IAS1 is a computer running Windows Server 2003, Standard Edition, that is providing RADIUS authentication, authorization, and accounting for VPN1 (the VPN server computer).
To configure IAS1 as a RADIUS server, perform the following steps:
On DC1, add a computer account for the IAS1 computer. For more information, see Create a new computer account.
Install Windows Server 2003, Standard Edition, as a stand-alone server.
Configure the TCP/IP protocol with the IP address of 172.16.0.2, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1. For more information, see Configure TCP/IP for static addressing and Configure TCP/IP to use DNS.
Join IAS1 to the testlab.microsoft.com domain. For more information, see Join a domain.
Install Internet Authentication Service (IAS) and register it in the testlab.microsoft.com domain. For more information, see Install IAS and Enable the IAS server to read user accounts in Active Directory.
IIS1
IIS1 is a computer running Windows Server 2003, Standard Edition, and Internet Information Services (IIS). It is providing Web server services for intranet clients. To configure IIS1 as a Web server, perform the following steps:
On DC1, add a computer account for the IIS1 computer. For more information, see Create a new computer account.
Install Windows Server 2003, Standard Edition, as a stand-alone server, then install IIS.
For more information, see Installing IIS.
Configure the TCP/IP protocol with the IP address of 172.16.0.3, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1. For more information, see Configure TCP/IP for static addressing and Configure TCP/IP to use DNS.
Join IIS1 to the testlab.microsoft.com domain. For more information, see Join a domain.
Install IIS.
To determine whether the Web server is working correctly, run your Web browser on IAS1. When prompted by the Internet Connection Wizard, configure the wizard for a LAN connection. In your Web browser, in Address, type https://IIS1.testlab.microsoft.com/wnetStndS\_v\_s\_rgb.gif. You should see a Windows Server 2003, Standard Edition, graphic.
On IIS1, in Windows Explorer, share the root directory of Local Disk (C:) using the share name ROOT to the group Everyone with full access. For more information, see Share a folder or drive.
VPN1
VPN1 is a computer running Windows Server 2003, Standard Edition, that is providing VPN server services for Internet-based VPN clients. To configure VPN1 as a VPN server, perform the following steps:
On DC1, add a computer account for VPN1. For more information, see Create a new computer account.
Install Windows Server 2003, Standard Edition, as a stand-alone server.
For the intranet local area connection, configure the TCP/IP protocol with the IP address of 172.16.0.4, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1. For more information, see Configure TCP/IP for static addressing and Configure TCP/IP to use DNS.
For the Internet local area connection, configure the TCP/IP protocol with the IP address of 10.0.0.2 and the subnet mask of 255.255.255.0. For more information, see Configure TCP/IP for static addressing.
Join VPN1 to the testlab.microsoft.com domain. For more information, see Join a domain.
Configure and enable the Routing and Remote Access service. For more information, see Enable the Routing and Remote Access service. In the Routing and Remote Access server Setup Wizard, select Virtual private network (VPN) server from the list of common configurations. When prompted for IP address assignment, select From a specified range of addresses and configure the range 172.16.0.248 to 172.16.0.255. Do not configure RADIUS authentication.
CLIENT1
CLIENT1 is a computer running Windows XP Professional that is acting as a VPN client and gaining remote access to intranet resources across the simulated Internet. To configure CLIENT1 as a VPN client, perform the following steps:
On DC1, add a computer account for CLIENT1. For more information, see Create a new computer account.
Connect CLIENT1 to the intranet network segment.
On CLIENT1, install Windows XP Professional as a workgroup computer.
Configure the TCP/IP protocol with the IP address of 172.16.0.5, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1. For more information, see Configure TCP/IP for static addressing and Configure TCP/IP to use DNS.
Join CLIENT1 to the testlab.microsoft.com domain. For more information, see Join a domain.
Configure the TCP/IP protocol with the IP address of 10.0.0.1, the subnet mask of 255.255.255.0, and no DNS server IP address. For more information, see Configure TCP/IP for static addressing and Configure TCP/IP to use DNS.
Shut down the CLIENT1 computer.
Disconnect the CLIENT1 computer from the intranet network segment, and connect it to the simulated Internet network segment.
Restart the CLIENT computer and log on using the cached credentials of the testlab.microsoft.com administrator account.