Question: Problem: Setting up VPN on Windows Server 2000 with one NIC

Hi all,

After trawling through many posts on this website about how to set up Windows Server 2000 to act as a VPN server on a machine with one NIC, I think it's time to ask it again, offering full points to anyone who can give a detailed and full answer, as there isn't one out there!

OK, I have a Windows Server 2000 machine, connected using its one and only NIC by gigabit Ethernet to the uplink port of a switch. This switch has ports 1-19 connected to client machines in the office and port 20 connected to the router; the others are empty. All clients are 10.0.0.x and the router's LAN IP is 10.0.0.254, all set by DHCP on the server. (The router, which is *not* an ADSL router, has its WAN port connected to the Ethernet output of an old ADSL router, as that one has a built-in modem; nothing is connected to the old router other than the new router, which is in the old router's DMZ. The WAN IP that the new router sees is 81.100.x.x.) The server is set up with Active Directory, and the main uses for the network are: internet access (which works across all machines and the server, thanks to all who helped out on that one a few months ago :) ); file sharing (each client machine has a folder on its HD set to share, containing customer quotes etc., plus a few files on the server are shared); and running a certain specialist bit of software for orders, which uses a database stored on the server. Since many people now have broadband at home, and sales reps can have 3G datacards, we want the shared files to be accessible to people dialling into the network, either from laptops with datacards or from broadband at home. There's also the possibility of sales reps using the ordering software, so the specialist software would need to access the database on the server. So basically, they should be able to work as they could in the office.

The 'new' router that has been installed is a VPN one; however, I hear it is better to dial into the Windows VPN server instead of dialling into the router, for authentication purposes (e.g. if an unknown client connects to the switch they cannot get access to the network, they have to log on) and for ease of use: Windows VPN uses a connection made in Network Connections, whereas for the router, user licences need to be purchased for its complicated client software. The server is high-spec and doesn't do much other than host a few small files and dish out 20 IP addresses once a day, so giving it something to do isn't a problem! (Please correct me if I'm wrong...)

I need a solution so people can dial a connection that gives them access to network resources as if they were an authenticated on-site user. The network works well as is, so a one-NIC solution would be preferred to installing another NIC in the server and changing the network's topology with regard to its current DNS and internet access setup.

Advice in simple terms, right from the bottom up, would be much appreciated, as this is all new to me and I've got stuck with this; we have no IT guy (yet) and no one else dares touch this with a bargepole!

Thanks

*Additional current setup info:
Server has DHCP on, with reservations set for MACs. All machines and the router are in the same subnet.
The internet connection comes into the network as follows:
ADSL line > old ADSL modem/router ( DMZ set to: ) > new router > switch > server, clients
Clients have the server's IP set as DNS server and the router's IP as gateway.
The server has a statically configured IP, its own IP as DNS server, and the router's IP as gateway. The ISP's DNS servers are stored in the Forwarders tab of the DNS console. In the DHCP management console, in the scope options, the router's IP is in #003 (Router) and the server's IP in #006 (DNS Servers).

Answer: Problem: Setting up VPN on Windows Server 2000 with one NIC

-First, to set up the Windows 2000 server as a VPN server using RRAS, follow the instructions on the following site. They are very complete and explicit:
http://www.onecomputerguy.com/w2k/w2k_vpn/w2k_vpn.htm
-To set up the client, for example on an XP machine, see the following:
http://www.onecomputerguy.com/networking/xp_vpn.htm
-The router will also have to be configured for two things: 1) to allow GRE packets to pass (on many routers this is done by enabling PPTP or VPN pass-through); 2) you need to forward port 1723 to the new VPN server. Depending on the make of your router, you may be able to get specific instructions at the following site. Click on the link for your router, if present, and then on the PPTP link.
http://www.portforward.com/english/routers/port_forwarding/routerindex.htm
-Now the catch: you mention your "old ADSL" is a combined router/modem. Putting the other router in the DMZ may work, but since it performs NAT, you need to get around that. The best method is to put it in bridge mode, if that is possible, and connect the newer router to a standard LAN port.

If you provide router and modem makes and models, I might be able to be more specific.

Then there is option #2.
>>"I hear it is better to dial into the windows VPN server instead of dialling into the router for authentication purposes"
I tend to disagree. The Windows VPN requires port forwarding, which slightly reduces security. Using the router as the VPN server does not require opening or forwarding any ports; it is more efficient at doing the encrypting and decrypting; it uses IPSec instead of PPTP, which is more secure; and as for server authentication, the user still has to authenticate to Windows before being allowed to access any resources, assuming we are not talking about Win9x machines.
Again, what make and model of router? Perhaps I can provide some more insight.
--Rob
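An added check for Rob's router steps, not code from this thread or from Microsoft: the forward he describes is TCP port 1723, which carries the PPTP control channel, while GRE is IP protocol 47, not a port, which is why the router needs "pass-through" rather than a second forward. The script below speaks just enough PPTP (RFC 2637) to send a Start-Control-Connection-Request to the router's public address and parse the Start-Control-Connection-Reply, so from a 3G laptop you can tell whether TCP 1723 really reaches the RRAS service through both NAT layers. The sample reply, its hostname and its vendor string are constructed for offline testing and do not come from the page.

```python
"""PPTP control-channel probe (RFC 2637), written for this thread as an
illustration; it is not code from the original post or from Microsoft RRAS.

It builds a Start-Control-Connection-Request, sends it to TCP 1723 and
parses the Start-Control-Connection-Reply. Everything it checks is on the
TCP control channel; the GRE (IP protocol 47) data channel is separate
and can only be exercised by completing a real client connection.
"""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D          # fixed value in every PPTP control message
CONTROL_MESSAGE = 1                # "PPTP Message Type" for control messages
SCCRQ, SCCRP = 1, 2                # Start-Control-Connection-Request / -Reply
PROTOCOL_VERSION = 0x0100          # PPTP 1.0
FRAMING_ASYNC_SYNC = 0x3
BEARER_ANALOG_DIGITAL = 0x3
MSG_LEN = 156                      # SCCRQ and SCCRP are both 156 bytes on the wire

# Field layouts, network byte order.
SCCRQ_FMT = ">HHIHHHHIIHH64s64s"   # len, type, cookie, ctrl, res0, ver, res1, framing, bearer, maxch, fw, host, vendor
SCCRP_FMT = ">HHIHHHBBIIHH64s64s"  # len, type, cookie, ctrl, res0, ver, result, err, framing, bearer, maxch, fw, host, vendor
assert struct.calcsize(SCCRQ_FMT) == MSG_LEN and struct.calcsize(SCCRP_FMT) == MSG_LEN

RESULT_CODES = {
    1: "ok",
    2: "general error",
    3: "control channel already exists",
    4: "not authorized",
    5: "unsupported protocol version",
}


def _pad64(s: bytes) -> bytes:
    """Hostname and vendor fields are fixed 64-byte, NUL padded."""
    return s[:64].ljust(64, b"\0")


def build_sccrq(hostname: bytes = b"probe", vendor: bytes = b"probe") -> bytes:
    """Serialise a Start-Control-Connection-Request."""
    return struct.pack(
        SCCRQ_FMT, MSG_LEN, CONTROL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0,
        PROTOCOL_VERSION, 0, FRAMING_ASYNC_SYNC, BEARER_ANALOG_DIGITAL,
        1, 0, _pad64(hostname), _pad64(vendor))


def parse_sccrp(data: bytes) -> dict:
    """Decode a Start-Control-Connection-Reply; raise ValueError if the bytes
    are not one (e.g. the forward landed on a web server or admin page)."""
    if len(data) < MSG_LEN:
        raise ValueError("short read: %d bytes, not a PPTP control message" % len(data))
    (length, msg_type, cookie, ctrl_type, _res0, version, result, err,
     framing, bearer, max_channels, firmware, host, vendor) = struct.unpack(SCCRP_FMT, data[:MSG_LEN])
    if cookie != MAGIC_COOKIE or msg_type != CONTROL_MESSAGE or length != MSG_LEN:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    return {
        "result": RESULT_CODES.get(result, "unknown(%d)" % result),
        "error_code": err,
        "version": version,
        "max_channels": max_channels,
        "firmware": firmware,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe_pptp(host: str, port: int = PPTP_PORT, timeout: float = 5.0) -> dict:
    """Connect to host:port (the new router's WAN address, tested from the
    Internet side, not from the LAN), send an SCCRQ and return the parsed SCCRP."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        data = b""
        while len(data) < MSG_LEN:
            chunk = sock.recv(MSG_LEN - len(data))
            if not chunk:
                break
            data += chunk
    return parse_sccrp(data)


# Constructed sample reply for offline testing. The hostname and vendor
# string are hypothetical; a real RRAS server reports its own values.
SAMPLE_SCCRP = struct.pack(
    SCCRP_FMT, MSG_LEN, CONTROL_MESSAGE, MAGIC_COOKIE, SCCRP, 0,
    PROTOCOL_VERSION, 1, 0, FRAMING_ASYNC_SYNC, BEARER_ANALOG_DIGITAL,
    128, 0, _pad64(b"OFFICESRV"), _pad64(b"Example RRAS"))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_pptp(sys.argv[1]))     # python pptp_probe.py <router WAN IP>
    else:
        print(parse_sccrp(SAMPLE_SCCRP))   # offline self-check on the constructed reply
```

Reading the outcome: a reply with result "ok" means TCP 1723 passes the old ADSL router's DMZ, the new router's forward and Windows' own filtering and reaches RRAS; a connection timeout or refusal points at one of those hops; a "not a PPTP control message" error means the port is forwarded to something other than the VPN server. A clean control-channel probe still says nothing about GRE; if pass-through is off, a real client will get past this stage and then stall once PPP tries to run inside the tunnel. Note also that a good result means anyone on the Internet can reach the PPTP logon, so strong passwords and account lockout on the VPN accounts matter.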