Now that we have all the certificate services deployed, let’s move on to getting the VPN systems configured and deployed. The first step is to deploy the Internet infrastructure for remote access VPN connections that will handle all incoming connection requests and access to and from the Internet. The deployment of the Internet infrastructure consists of the following:
Place VPN servers in a perimeter network or on the Internet.
Install Windows Server 2003 on the VPN server, and configure Internet interfaces.
Add address records to Internet Domain Name System (DNS) servers.
Decide where to place the VPN servers in relation to your Internet firewall. In the most common configuration, the VPN servers are placed behind the firewall on the perimeter network between your intranet and the Internet. This configuration allows the firewalls to handle many security tasks, such as watching for attacks and filtering out undesirable traffic, leaving the VPN servers to handle the processing of the remote access VPN traffic. If you are going to use a firewall in front of the VPN servers, configure packet filters on the firewall to allow PPTP or L2TP/IPSec traffic as required to and from the IP address of the VPN servers’ perimeter network interfaces. For more information, see Appendix B, “Configuring Firewalls for VPN.”
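The firewall filters described above, as an added example that is not part of the book: a small Python model of the perimeter firewall's packet filters for a VPN server, evaluated over constructed sample packets. The VPN server's perimeter address is a constructed documentation address, the rule table is a hypothetical one assembled from the standard PPTP and L2TP/IPsec protocol numbers (TCP 1723 and GRE for PPTP; UDP 500, UDP 4500 and ESP for L2TP/IPsec), and Appendix B of the book remains the authoritative filter list. It shows why GRE and ESP need protocol-level (not port-level) rules, and why traffic that is not addressed to the VPN server's perimeter interface should fall through to a deny.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed documentation address (RFC 5737) standing in for the VPN server's
# perimeter-network interface.
VPN_PERIMETER_IP = "203.0.113.10"

# IP protocol numbers used by the two tunnel types.
TCP, UDP, GRE, ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # GRE and ESP carry no port numbers
    dport: Optional[int] = None


# Hypothetical rule table: (name, IP protocol, port on the VPN server's side).
# The client's port is ephemeral and is not filtered. UDP 1701 (L2TP itself) is
# deliberately absent: it travels inside ESP and is never visible to the firewall.
FILTERS = (
    ("PPTP control connection", TCP, 1723),  # PPTP tunnel maintenance
    ("PPTP tunneled data", GRE, None),       # GRE, IP protocol 47
    ("IKE", UDP, 500),                       # IPsec key negotiation for L2TP/IPsec
    ("IPsec NAT-T", UDP, 4500),              # IKE/ESP over UDP when a NAT is in the path
    ("IPsec ESP", ESP, None),                # encrypted L2TP frames, IP protocol 50
)


def classify(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet crossing the perimeter firewall."""
    if pkt.dst == VPN_PERIMETER_IP:
        vpn_port = pkt.dport  # inbound: the VPN server is the destination
    elif pkt.src == VPN_PERIMETER_IP:
        vpn_port = pkt.sport  # outbound: the VPN server is the source
    else:
        return ("deny", "not addressed to or from the VPN server")
    for name, proto, port in FILTERS:
        if pkt.proto == proto and (port is None or vpn_port == port):
            return ("allow", name)
    return ("deny", "no VPN filter matches")


# Constructed sample traffic: a PPTP client, an outbound NAT-T reply, an RDP
# attempt against the VPN server, and IKE aimed at some other perimeter host.
SAMPLE_PACKETS: List[Packet] = [
    Packet("198.51.100.7", VPN_PERIMETER_IP, TCP, 49152, 1723),
    Packet("198.51.100.7", VPN_PERIMETER_IP, GRE),
    Packet(VPN_PERIMETER_IP, "198.51.100.7", UDP, 4500, 4500),
    Packet("198.51.100.7", VPN_PERIMETER_IP, TCP, 49153, 3389),
    Packet("198.51.100.7", "203.0.113.20", UDP, 500, 500),
]


def audit(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Classify every packet; handy for checking a rule set against a capture."""
    return [(p, *classify(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdict, reason in audit(SAMPLE_PACKETS):
        print(f"{verdict:5} {pkt.src} -> {pkt.dst} proto {pkt.proto} "
              f"dport {pkt.dport}: {reason}")
```

The model keys every rule on the VPN server's side of the conversation, so one table serves both directions; a real firewall needs the equivalent stateful or paired inbound/outbound filters, and the RDP packet above is the kind of management traffic that must never be reachable from the Internet side.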
Install Windows Server 2003 on the VPN server computer, connect it to either the Internet or to a perimeter network with one network adapter, and connect it to the intranet with another network adapter. Until you run the Routing And Remote Access Server Setup Wizard, the VPN server computer will not forward Internet Protocol (IP) packets between the Internet and the intranet, because in its default configuration a Windows Server 2003-based computer does not act as a router between Transmission Control Protocol/Internet Protocol (TCP/IP) subnets. The wizard sets up the routing between the interfaces for you and handles some other complexities as well. For the network connection attached to the Internet or the perimeter network, configure the TCP/IP protocol with a public IP address, a subnet mask, and a default gateway of either the firewall (if the firewall is located in a perimeter network) or an Internet service provider (ISP) router (if the VPN server is directly connected to the Internet and there is no firewall between the VPN server and the ISP router).
Do not configure the Internet connection with DNS server or Windows Internet Name Service (WINS) server IP addresses. This is very important for the proper operation of the VPN server and clients it will be servicing—we will explain why later in this chapter.
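A way to verify the interface configuration just described, as an added example that is not part of the book: a Python script that parses the text of `ipconfig /all` from a Windows Server 2003 VPN server and reports any deviation from the guidance (the Internet-facing adapter must have an IP address, subnet mask and default gateway, must not use a private RFC 1918 address, and must have no DNS or WINS servers; the intranet adapter must have DNS servers). The `ipconfig` output embedded below is constructed, the adapter names `Internet` and `Intranet` are assumptions, and the deliberately misconfigured Internet adapter shows what the audit flags.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_ADAPTER = re.compile(r"^\S.* adapter (.+):$")
_FIELD = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")

# Constructed `ipconfig /all` output; the Internet adapter wrongly carries DNS
# and WINS entries so that the audit below has something to report.
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : VPN1
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Internet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-AA-BB-CC
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 203.0.113.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
   Primary WINS Server . . . . . . . : 10.0.0.5

Ethernet adapter Intranet:

   Connection-specific DNS Suffix  . : corp.example.com
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-0C-29-AA-BB-DD
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11
   Primary WINS Server . . . . . . . : 10.0.0.5
"""


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse `ipconfig /all` text into {adapter name: {field: [values]}}."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current, last_key = None, None
    for line in text.splitlines():
        m = _ADAPTER.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            last_key = None
            continue
        if current is None:  # global header lines before the first adapter
            continue
        m = _FIELD.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = [m.group(2)] if m.group(2) else []
        elif last_key and line.strip():  # continuation line, e.g. a second DNS server
            current[last_key].append(line.strip())
    return adapters


def audit_vpn_interfaces(adapters: Dict[str, Dict[str, List[str]]],
                         internet: str = "Internet",
                         intranet: str = "Intranet") -> List[str]:
    """Return findings; an empty list means the adapters match the guidance."""
    findings: List[str] = []
    pub = adapters.get(internet, {})
    for field in ("IP Address", "Subnet Mask", "Default Gateway"):
        if not pub.get(field):
            findings.append(f"{internet}: missing {field}")
    for ip in pub.get("IP Address", []):
        if any(ip_address(ip) in net for net in RFC1918):
            findings.append(f"{internet}: {ip} is a private RFC 1918 address")
    for field in ("DNS Servers", "Primary WINS Server", "Secondary WINS Server"):
        if pub.get(field):
            findings.append(f"{internet}: {field} must be empty (found {', '.join(pub[field])})")
    if not adapters.get(intranet, {}).get("DNS Servers"):
        findings.append(f"{intranet}: no DNS servers configured")
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_interfaces(parse_ipconfig(SAMPLE_IPCONFIG)):
        print("FINDING:", finding)
```

Run it against real output by piping `ipconfig /all` into a file and passing the file's text to `parse_ipconfig`; the two findings on the sample are exactly the DNS and WINS entries the text says must not be present on the Internet connection.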
For the VPN services to function, users will need to be able to find the VPN server from anywhere on the Internet—therefore, you will need to advertise the server name properly. To ensure that the name of the VPN server (for example, vpn.microsoft.com) can be resolved to its proper IP address, follow one of two procedures. You can add DNS address (A) records to your DNS server if you are providing DNS name resolution for Internet users. (If this is the case, make sure your ISP knows this and that your DNS servers can answer the queries forwarded by the ISP’s DNS servers; otherwise, users will have problems reaching your VPN services.) Alternatively, you can have your ISP add DNS A records to its DNS server or servers if your ISP is providing DNS name resolution for Internet users. Verify that the name of the VPN server can be resolved to its public IP address when connected to the Internet.