Installing Windows Server 2003 as a VPN Server


The typical VPN server configuration will have two Ethernet cards, one on the private corporate network, and one on the public network. It is generally good practice to place the VPN server behind the corporate firewall, but Windows Server 2003 includes a built-in firewall and filters. Smaller companies that do not have a corporate firewall can support full IPSec and lock down the VPN server itself for protection by using filters or IPSec policy settings.

After the basic Windows Server 2003 install, the Routing and Remote Access Server (RRAS) is installed, but not configured. You must first run the wizard to set up the VPN services. Right-click on the server in the RRAS Microsoft Management Console (MMC) and select the Configure option. At the configuration screen of the wizard, select the Remote Access (Dial-up or VPN) option as shown in Figure 14.16.

Figure 14.16. Select the Remote Access option in the Configuration dialog box.

Next, in the Remote Access dialog box, select VPN, as shown in Figure 14.17. In the VPN Connection dialog box, select the interface that is on the public side of the VPN server, illustrated in Figure 14.18. If your server will be supporting fewer than 1,000 concurrent connections, I would generally recommend that the Administrator use the built-in security in RRAS. If the server is expected to support more concurrent users, it is recommended to manually create the filters on the interface itself.

Figure 14.17. Select the VPN option in the Remote Access dialog box.

Figure 14.18. In the VPN Connection dialog box, select the interface that is on the public side of the VPN server.

Windows Server 2003 can either give clients addresses from a static pool or obtain the addresses from the corporate Dynamic Host Configuration Protocol (DHCP) server. Using DHCP might be more complicated, but it does give the Administrator the ability to support dynamic DNS (DDNS) registration for non-DDNS clients. For our test server, however, we will use a static pool of addresses, as illustrated in Figure 14.19.

Figure 14.19. Selecting the Automatically option in the IP Address Assignment dialog box allows you to define a static pool of addresses that the server will hand out.

An advantage of using a static pool of addresses is that RRAS can handle noncontiguous addresses, something that cannot be done with a DHCP server supplying the address to the VPN server. Figure 14.20 shows how the range would be defined in the Address Range Assignment dialog box. In the ensuing Managing Multiple Remote Access Servers dialog box, configure the VPN server to use RADIUS by selecting the option, as shown in Figure 14.21.

Figure 14.20. Define the IP Address range to be automatically assigned to the clients.


Figure 14.21. Configure the VPN server to use RADIUS.


Specify your IAS server as the RADIUS server in the RADIUS Server Selection dialog box, shown in Figure 14.22. Normally you will have two servers for fault tolerance, but in our example we will use the single test server. Following this dialog box is the Finish dialog box. Select the Finish option.

Figure 14.22. In the RADIUS Server Selection dialog box, enter the name of your IAS server.


Now that the wizard is complete, the Administrator can configure the VPN server in more detail.
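The address pool and RADIUS choices made in the wizard can also be set and reviewed from the command line with `netsh ras`, which is useful for scripting a rebuild or checking a server against the intended design. The following is an added example, not taken from the book; the server name, address ranges and variable names are constructed placeholders, and it assumes RRAS has already been enabled on the server and that these settings have not yet been entered.

```bat
@echo off
rem Added example: all names and addresses below are constructed placeholders.
rem Assumes RRAS is already enabled and no pool or RADIUS server is defined yet.
setlocal

rem Hypothetical IAS (RADIUS) server name.
set IAS_SERVER=ias01.corp.example

rem Prompt for the shared secret so it is not stored in the script file.
set /p RADIUS_SECRET=RADIUS shared secret: 

rem Hand out client addresses from a static pool instead of DHCP.
netsh ras ip set addrassign method=pool

rem Two noncontiguous ranges in the same pool (constructed addresses).
netsh ras ip add range from=192.168.50.10 to=192.168.50.60
netsh ras ip add range from=192.168.52.10 to=192.168.52.60

rem Send authentication requests to RADIUS rather than Windows authentication.
netsh ras aaaa set authentication provider=radius

rem Register the IAS server and require the message authenticator attribute.
netsh ras aaaa add authserver name=%IAS_SERVER% secret="%RADIUS_SECRET%" signature=enabled

rem Restart the Routing and Remote Access service so the provider change applies.
net stop remoteaccess
net start remoteaccess

rem Review the resulting configuration.
netsh ras ip show config
netsh ras aaaa show authentication
netsh ras aaaa show authserver

endlocal
```

On a server that has already been through the wizard, run only the three `show` commands to compare the live settings with the design.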

As you've seen, it's easy and quick to configure a VPN server, but the impact of the design is critical to consider. VPN services are highly dependent on other parts of the infrastructure, such as the RADIUS infrastructure, the certificate infrastructure, and the user accounts and groups. Effectively designing a complete solution increases the chances for a successful and stable deployment.



Windows Server 2003 on Proliants. Deployment Techniques and Management Tools for System Administrators
ISBN: B004C77T6A
EAN: N/A
Year: 2004
Pages: 214
