Setting up VPN on windows server 2000 with one NIC

Hi all,

After trawling through many posts on this website about how to set up windows server 2000 to act as a VPN server, on a machine with one NIC I think it's time to ask it again, offering full points for anyone that can give a detailed & full answer as there isn't one out there!

Ok, I have a windows server 2000 machine, connected using its one and only NIC by gigabit ethernet to the uplink port of a switch. This switch has ports 1-19 connected to client machines in the office, and port 20 connected to the router, the others are empty. All clients are 10.0.0.x and the router's LAN IP is, all set by DHCP on the server. (The router *non adsl* has its WAN port connected to the ethernet output of an old adsl router as it has a modem inbuilt, with nothing connected to the old router other than the new router, which is in the old routers DMZ- the WAN IP that the new router see's is 81.100.x.x). The server is set up with active directory, and the main use for the network is internet access (which works across all machines and the server... thanks to all that helped out on that one a few months ago :) ), filesharing (each client machine has a folder on their HD set to share- contains customer quotes etc, plus a few files on the server are shared), and running a certain specialist bit of software for orders uses a database stored on the server. Due to many now having broadband at home, and sales reps being able to have 3g datacards, we want the shared files to be accessed by people dialling into the network either from laptops with datacards or from broadband at home. There's also the possibility of sales reps using the ordering software, so the specialist software being able to access the database on the server. So basically, work as they could in the office.

The 'new' router that has been installed is a VPN one, however I hear it is better to dial into the windows VPN server instead of dialling into the router for authentication purposes (eg if an unknown client connects to the switch they cannot get access to the network, they have to log on) and for ease of use: windows vpn uses a connection made in network connections, however for the router user licenses need to be purchased for their complicated client software. The server is high-spec and doesn't do much other than host a few small files and dish out 20 IP addresses once a day so giving it something to do isn't a problem! (Please correct me if I'm wrong...)

I need a solution so people can dial a connection which will give them access to network resources as if they were an authenticated on-site user. The network works well as-is, so having a one NIC solution would be preferred to installing another NIC in the server and changing the network's topology with regard to its current DNS and internet access setup.

Advice in simple terms, right from the bottom up would be much appreciated as this is all new to me and I've got stuck with this- we have no I.T guy (yet) and no-one else dares touch this with a bargepole!


*Additional current setup info:
Server has DHCP on, reservations set for MACs. All machines and the router are in the same subnet.
Internet connection comes into the network as follows:
ADSL Line > old ADSL modem/router ( DMZ set to: )  > New router > Switch > Server, Clients
Clients have IP of server set as DNS server, router IP as gateway
Server has statically configured IP, its own IP as DNS server, router IP as gateway. ISP's DNS servers are stored in the forwarders tab of the DNS console. In the DHCP management console, in scope, the router's IP is in #003 and the server's IP in #006 DNS Servers.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Rob WilliamsCommented:
-First to set up the Windows 2000 server as a VPN server, using RRAS, follow the instructions on the following site. They are very complete and explicit:
-To set up the client, for example on an XP machine, see the following:
-The router will also have to be configured for 2 things; 1) configured to allow GRE packets to pass. On many routers this is done by enabling PPTP or VPN pass through  2) You need to forward port 1723 to the new VPN server. Depending on the make of your router you may be able to get specific instructions at the following site. Click on the link for your router, if present, and then on the PPTP link.
-Now the catch, you mention your "Old ADSL" is a combined router/modem. Putting the other router in the DMZ may work, but where it performs NAT, you need to get around that. The best method is to put it in Bridge mode, if that is possible, and connect the newer router to a standard LAN port.

If you provide router and modem makes and models, I might be able to be more specific.

Then there is option #2.
>>"I hear it is better to dial into the windows VPN server instead of dialling into the router for authentication purposes"
I tend to disagree. The Windows VPN requires port forwarding which is slightly reduced security. Using the router as the VPN server does not require opening or forwarding any ports, it is more efficient at doing the encrypting and unencrypting, uses IPSec instead of PPTP which is more secure, and as for server authentication, the user still has to authenticate to Windows before being allowed to access any resources, assuming we are not talking about Win9x machines.
Again what make and model router, perhaps I can provide some more insight.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Rob WilliamsCommented:
I just clicked on your profile, and previous question,n and had a flash back.  :-)
I remember this. I guess the big 'IF' here, which you can likely better answer is; does all necessary traffic get forwarded to the new router through the DMZ. If so you should be good to go with the above instructions.
Rob WilliamsCommented:
x_way, was the above any help? How are you mking out with this?
What were the top attacks of Q1 2018?

The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Check out our Q1 2018 report for smart, practical security advice today!

x_wayAuthor Commented:
My apologies for not replying, I should have posted some feedback by now!

Thanks for the comprehensive reply RobWill, if your last attempt to help me out is anything to go by then there's soon to be another 500 points added to your stack!

The reason there's been no reply is firstly I wanted to update the firmware on both routers, they were running firmware that was a couple of versions behind what was avaliable so had to find a day when no-one was really using the internet for that. Now the reason I've not implemented the VPN is that we're awaiting a line upgrade from our broadband provider- it's currently 2mb/256k which just about performs for the office browsing and e-mailing that goes on, but as soon as someone starts downloading a file from the office to home so using the upload I think it'll crawl to a halt, so we're going to see how a 4mb/1mb connection goes. Once thats in place I'm going to give up a Saturday morning to put in the VPN.

This modem is the first one in place which contains the ADSL modem, and has in its DMZ this router which is then connected to the switch. I did have a play with trying to use the Netgear VPN software for VPN however on the machine it was installed on it lost all connectivity when plugged into the network on site (even without running the software, very strange), and when connected to the network it started wiping out the internet connection causing the router to need a reboot, even though no network services worked on the machine in question! Plugging the computer directly into the first router with the software installed worked perfectly (internet access) but plugging it into the VPN router messed things up. Hence the want to use the windows VPN rather than the netgear one as the help files and tutorials seemed very ropey.

Can I also confirm that the help files you posted above are for servers with one NIC? Its the part where it says to choose the network card which has the internet connection and shows one used to connect to the network, and one to the internet that has got me thinking as in the server at the office one NIC does both as it is all just connected to the switch.

We've still got a D-link basic ethernet modem sitting in the cupboard unused if thats any use for anything, it was meant to replace the ADSL router but didn't work when plugged into the VPN router (however with a client plugged into the ethernet port of the modem instead of the VPN router it worked perfectly). It seems a strange router we've got ourselves here!
Rob WilliamsCommented:
>>"firstly I wanted to update the firmware on both routers"
Good choice. Some manufacturers frequently update options and features that can be very useful.

Single NIC on the server is fine. Just select the "local area connection" I don't think it will ask twice but if it does just choose the same. To be honets the config is ever so slightly different on 2003. I have done lots of those but not 2000.
If you are not using Routing and Remote Access for anything else you can easily right click on the server name in the RRAS management console and choose disable. Then choose enable when complete and restart fresh if you run into problems. Doesn't even require a server restart (at least not on 2003) just restarts the RRAS service.

I like the idea of using the basic D-Link modem, but we have been down that road. <G> I was just looking over older questions and wondered how you were making out.
x_wayAuthor Commented:
My apologies to Rob for not accepting this answer sooner, other things happened at work and this had to take a back burner (or more got taken off the hob completely and put into deep freeze).

I have now however given it a crack, and all appears to be working so far from the small amount of testing I have done.

Thats 500 points your way mate, cheers
Rob WilliamsCommented:
No problem. Thanks x_way.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.