Microsoft KB Archive/301194

= HOW TO: Provide Secure Point-to-Point Communications Across the Internet in Windows 2000 =

PSS ID Number: 301194

Article Last Modified on 11/3/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q301194



IN THIS TASK

 * SUMMARY
 * To Install the Remote Access Server
 * To Enable the Routing and Remote Access Service and Configure a Virtual Private Network Interface
 * To Set Up a Client for Virtual Private Networking
   * To Set Up a Client for Dial-in Access
 * To Connect to the VPN Server
   * To Connect to the Server
 * To Grant Access to Remote Access Servers
   * To Configure User Dial-in Access
 * Troubleshooting
   * If You Receive an Error Message That the Specified Destination Is Not Reachable
   * If You Can Contact the Server, but You Cannot Successfully Authenticate



SUMMARY
This step-by-step article describes how to install and configure a virtual private network (VPN) to provide secure point-to-point communications across a private network or the Internet.


To Install the Remote Access Server
If the remote access server is a member of a domain, it must be a member of the RAS and IAS Servers group in that domain.

If you are not a member of the Domain Admins group, a member of that group must add this server to the RAS and IAS Servers group.

If you are a member of the Domain Admins group, the server is automatically added to the RAS and IAS Servers group after you complete the procedures that are included in this document.


To Enable the Routing and Remote Access Service and Configure a Virtual Private Network Interface
To enable the remote access service and to configure a VPN interface:

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
 * 2) In the console tree, click the local server.

Note: If the icon has a red circle in the bottom-left corner, the remote access service has not been enabled. If the icon has a green arrow pointing upwards in the bottom-left corner, the remote access service has already been enabled. If you previously enabled the service, go to the "To Set Up a Client for Virtual Private Networking" section in this article; however, you may also want to re-configure the server in this scenario. To re-configure the server:

   * Right-click the server, and then click Disable Routing and Remote Access.
   * When the informational dialog box is displayed in Windows 2000, click Yes. Disabling the service discards the existing remote access configuration, so the wizard in the following steps starts from a clean state.

 * 3) Right-click the server, and then click Configure and Enable Routing and Remote Access.
 * 4) On the first page of the Routing and Remote Access Server Setup Wizard, click Next.
 * 5) Click Virtual private network (VPN) server to enable remote computers to connect to this network through the Internet, and then click Next.
 * 6) Verify that all of the protocols that are required by the services that remote users will use appear in the list of available protocols; TCP/IP must appear in this list. If TCP/IP and the other protocols are in the list, click Yes, all of the required protocols are on this list, and then click Next.
 * 7) Specify the network interface that remote VPN clients and routers will use to access this server from the Internet, and then click Next.
 * 8) In the IP Address Assignment dialog box, click one of the following, and then click Next:
   * If you want the DHCP server to assign addresses to remote clients, click Automatically.
   * If remote clients should only be given an address from a predefined pool, click From a specified range of addresses.

   Note: In most cases, the DHCP option is easier to administer. If you click From a specified range of addresses, the Address Range Assignment Wizard starts:
   * Click New, and then in the Start IP address box, type the first IP address in the range of addresses that you want to use.
   * In the End IP address box, type the last IP address in the range. Windows 2000 calculates the number of addresses automatically; click OK.
   * On the Address Range Assignment screen, click Next.

 * 9) Click No, I don't want to set up this server to use RADIUS now (if it is not already selected), click Next, and then click Finish.

The Routing and Remote Access service is now enabled and the server is configured as a VPN server.
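The script below is an added example and is not part of the original article. It performs the same choices the wizard makes above through the netsh ras context that ships with Windows 2000 Server (registering the server in the RAS and IAS Servers group and defining a static address pool) and adds one step the wizard never asks about: restricting the accepted PPP authentication methods to MS-CHAP v2. PowerShell is not available on Windows 2000 itself, so the netsh lines are what matter there and can be typed one by one at a command prompt; the script form assumes a later Windows Server where the same netsh ras context still exists. The domain name CONTOSO, the server name RAS1 and the address range 10.10.20.10 to 10.10.20.100 are assumptions.

```powershell
# Added example (not part of KB 301194): script the wizard choices through the
# netsh ras context. Assumes the Routing and Remote Access service has already
# been enabled as a VPN server by the wizard, and that this runs elevated on
# that server as a member of Domain Admins. All names and addresses are assumed.
$Domain    = 'CONTOSO'        # assumed NetBIOS domain name
$RasServer = 'RAS1'           # assumed RRAS server computer name
$PoolStart = '10.10.20.10'    # assumed first address of the static pool
$PoolEnd   = '10.10.20.100'   # assumed last address of the static pool

function Invoke-Netsh {
    # Runs one netsh command line, echoes it, and stops on the first failure
    # instead of silently continuing with a half-configured server.
    param(
        [Parameter(Mandatory=$true)][string]$CommandLine,
        [switch]$AllowFailure
    )
    Write-Host "netsh $CommandLine"
    $output = cmd /c "netsh $CommandLine 2>&1"
    if ($LASTEXITCODE -ne 0 -and -not $AllowFailure) {
        throw "netsh $CommandLine failed (exit $LASTEXITCODE): $output"
    }
    return $output
}

# 1. Register the server in the RAS and IAS Servers group (the "To Install the
#    Remote Access Server" requirement). Without this membership the server
#    cannot read users' dial-in properties from Active Directory.
Invoke-Netsh "ras add registeredserver domain=$Domain server=$RasServer"

# 2. Address assignment: hand out addresses from a static pool (the wizard's
#    "From a specified range of addresses" option) instead of DHCP.
Invoke-Netsh "ras ip set addrassign method=pool"
Invoke-Netsh "ras ip add range from=$PoolStart to=$PoolEnd"

# 3. Authentication methods, which the wizard does not ask about. PAP and SPAP
#    carry the password without protection and MD5-CHAP requires passwords
#    stored with reversible encryption in the domain; MS-CHAP v1 is weaker than
#    v2. Allow only MS-CHAP v2 (Windows 2000 clients support it). Removing a
#    type that is already disabled is not treated as an error.
foreach ($weak in 'PAP', 'SPAP', 'MD5CHAP', 'MSCHAP') {
    Invoke-Netsh "ras delete authtype type=$weak" -AllowFailure
}
Invoke-Netsh "ras add authtype type=MSCHAPv2"

# 4. Verify the result, then restart the service so new connections use the
#    new pool and authentication set (the restart drops existing VPN sessions).
Invoke-Netsh "ras show registeredserver"
Invoke-Netsh "ras show authtype"
Restart-Service -Name RemoteAccess
```

Run it once after the wizard finishes, then compare the output of `netsh ras show authtype` with what you expect; MS-CHAP v2 should be the only method listed.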


To Set Up a Client for Virtual Private Networking
After you set the server up to accept VPN connections, you must set up a remote access client connection on the user's workstation.


To Set Up a Client for Dial-in Access

 * 1) Click Start, point to Settings, click Network and Dial-up Connections, double-click Make New Connection, and then click Next. Click Connect to a private network through the Internet, and then click Next.
 * 2) Do one of the following:
   * If a dial-up connection is configured on the workstation, the wizard detects it and displays the Public Network dialog box, in which you choose whether to connect to an Internet service provider (ISP) before the VPN connection to the remote server is set up.
   * If you want to connect to an ISP first by using a dial-up connection, click Automatically dial this initial connection, and then click the dial-up connection in the drop-down list. If a direct Internet connection is already available on the local workstation, click Do not dial this initial connection.
 * 3) Type the IP address or host name of the VPN server that you just set up, and then click Next. If the VPN will cross the Internet, the host name should be a fully qualified domain name (FQDN).
 * 4) Click one of the following options, and then click Next:
   * If you want any user who logs on to this workstation to be able to use this VPN connection, click For all users.
   * If you want this connection to be available only to the currently logged-on user, click Only for myself.
 * 5) If it is not already cleared, click to clear the Enable Internet Connection Sharing for this connection check box, and then click Next.
 * 6) In Connection Name, type a descriptive name for this connection, and then click Finish.


To Connect to the VPN Server
After you have created a VPN connection on your local workstation, you can connect to the server.


To Connect to the Server

 * 1) Click Start, point to Settings, click Network and Dial-up Connections, and then double-click the newly-created VPN connection.
 * 2) In User Name, type your user name. If you are connecting to a network that has multiple domains, type the domain name, a backslash, and then the user name (domain\username) so that the logon is authenticated against the correct domain.
 * 3) In Password, type your password, and then click Connect to have the remote computer connect to the VPN server, authenticate the user, and then register the remote computer on the network.


To Grant Access to Remote Access Servers
In Windows 2000, authorization is granted based on the dial-in properties that you set in the user account in Active Directory and on the remote access policy that you set for the remote access server. With remote access policies, you can grant or deny authorization based on criteria, such as the time of day and day of the week, the user's membership in Windows 2000 security groups, or the type of connection that is requested.

When you install the remote access service and you configure the remote access server, Windows 2000 creates a default policy that grants access to all users, provided that dial-in permissions have been enabled (these permissions are configured on a user-by-user basis). For users to be able to dial-in and authenticate to a remote access server, these settings must be enabled within their user account.

When the remote access server is a member of a domain, you can set these settings by using the user's domain account.

When the server is a standalone server or member of a workgroup, the user must have a local account on the remote access server.


To Configure User Dial-in Access

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) Right-click the appropriate user account, and then click Properties.
 * 3) In the Properties dialog box, click the Dial-in tab.
 * 4) Click Allow access, and then click OK.
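The following PowerShell is an added example and is not part of the original article. It writes the same setting that the Dial-in tab's Allow access, Deny access and Control access through Remote Access Policy options write (the user's msNPAllowDialin attribute), reads it back in the tab's wording, and lists every account that is explicitly allowed in, which is the set the default remote access policy admits. It assumes it runs on a domain member as an account allowed to modify the target user; the account name alice is an assumption. For a standalone server, where the account is local, the equivalent is the netsh ras set user command shown in the comment at the end.

```powershell
# Added example (not part of KB 301194). Sets, reads and inventories the
# dial-in permission behind the Dial-in tab. Account names are assumed.

function ConvertTo-LdapFilterValue([string]$s) {
    # Escape the characters that are special in an LDAP filter (RFC 4515),
    # so a user-supplied account name cannot change the search filter.
    $s -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29' -replace "`0",'\00'
}

function Find-DomainUser([string]$SamAccountName) {
    $name = ConvertTo-LdapFilterValue $SamAccountName
    $hit = ([ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$name))").FindOne()
    if (-not $hit) { throw "No user '$SamAccountName' in the current domain." }
    return $hit
}

function Get-DialinPermission {
    # Maps msNPAllowDialin back to the Dial-in tab wording.
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $value = (Find-DomainUser $SamAccountName).Properties['msnpallowdialin']
    if ($value.Count -eq 0)      { return 'Control access through Remote Access Policy' }
    elseif ($value[0] -eq $true) { return 'Allow access' }
    else                         { return 'Deny access' }
}

function Set-DialinPermission {
    # Allow  -> "Allow access"  (msNPAllowDialin = TRUE)
    # Deny   -> "Deny access"   (msNPAllowDialin = FALSE)
    # Policy -> "Control access through Remote Access Policy" (attribute cleared;
    #           this third option exists only in a native-mode Windows 2000 domain)
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][ValidateSet('Allow','Deny','Policy')][string]$Mode
    )
    $user = (Find-DomainUser $SamAccountName).GetDirectoryEntry()
    switch ($Mode) {
        'Allow'  { $user.Put('msNPAllowDialin', $true) }
        'Deny'   { $user.Put('msNPAllowDialin', $false) }
        'Policy' { $user.PutEx(1, 'msNPAllowDialin', $null) }   # 1 = ADS_PROPERTY_CLEAR
    }
    $user.SetInfo()
    return Get-DialinPermission -SamAccountName $SamAccountName
}

# Domain account (assumed name): grant access and confirm what was written.
Set-DialinPermission -SamAccountName 'alice' -Mode Allow

# Inventory every account explicitly allowed to dial in. The default remote
# access policy created by the wizard admits all of them, so review this list.
$allowed = [ADSISearcher]'(&(objectCategory=person)(msNPAllowDialin=TRUE))'
$allowed.PageSize = 500
$allowed.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }

# Standalone server or workgroup member (local account): run this on the
# remote access server itself instead of the Active Directory calls above.
#   netsh ras set user name=alice dialin=permit
```

Prefer Policy over Allow in a native-mode domain: the account then inherits whatever the remote access policies decide, which keeps the authorization logic in one place instead of scattered across user objects.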


Troubleshooting

If You Receive an Error Message That the Specified Destination Is Not Reachable
Verify that the client is connected to the network. Test whether the remote server can be contacted:

 * 1) Click Start, point to Programs, point to Accessories, and then click Command Prompt.
 * 2) If the server is on the local network, type ping followed by the server's computer name.
 * 3) If the server is on the Internet, type ping followed by the server's fully qualified domain name.

If the ping request times out, try pinging the IP address of the remote server to see if there is a Domain Name System (DNS) name resolution issue.
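The function below is an added example, not part of the original article. It automates the name-then-address check described above: it resolves the name first and pings the resolved address by IP, so the result says whether the problem is DNS (the name does not resolve) or reachability (the address does not answer). It assumes a client with PowerShell, which Windows 2000 does not have; ping.exe and nslookup.exe on a Windows 2000 client give the same two answers by hand. The server name vpn.example.com is an assumption.

```powershell
# Added example (not part of KB 301194). Separates a DNS failure from a
# reachability failure before you touch the VPN configuration.
function Test-VpnServerReachability {
    param([Parameter(Mandatory=$true)][string]$ServerName)

    # Step 1: resolve the name. An IP literal resolves to itself, which covers
    # the "ping the IP address instead" case from the article.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($ServerName) |
            Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork }
    } catch {
        return [pscustomobject]@{
            Server  = $ServerName
            Address = $null
            Result  = 'Name does not resolve: fix DNS or connect by IP address'
        }
    }
    if (-not $addresses) {
        return [pscustomobject]@{
            Server  = $ServerName
            Address = $null
            Result  = 'Name resolves but has no IPv4 address'
        }
    }

    # Step 2: ping each resolved address by IP, never by name, so a DNS
    # problem cannot masquerade as a network problem.
    foreach ($addr in $addresses) {
        if (Test-Connection -ComputerName $addr.IPAddressToString -Count 2 -Quiet) {
            return [pscustomobject]@{
                Server  = $ServerName
                Address = $addr.IPAddressToString
                Result  = 'Reachable: the name and the address both work'
            }
        }
    }
    return [pscustomobject]@{
        Server  = $ServerName
        Address = ($addresses | ForEach-Object { $_.IPAddressToString }) -join ','
        Result  = 'Resolves but no echo reply: check routing and firewalls (ICMP is often filtered on Internet paths, so the VPN server is not necessarily down)'
    }
}

Test-VpnServerReachability -ServerName 'vpn.example.com'   # assumed name
```

A timeout on the address alone does not prove the server is off; many edge firewalls drop ICMP while still forwarding the VPN protocol, so treat "no echo reply" as a prompt to check the path, not as a verdict.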


If You Can Contact the Server, but You Cannot Successfully Authenticate
Verify that the user account that you are using has been granted permission to dial in and can authenticate with Active Directory. If the remote access server that you are contacting is a domain member, it must also be a member of the RAS and IAS Servers group; otherwise it cannot read the account's dial-in properties.


Keywords: kbhowto kbHOWTOmaster KB301194

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWinAdvServSearch

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© 2004 Microsoft Corporation. All rights reserved.