Solved

Step by step instructions on setting up VPN on Server 2008

Posted on 2009-04-03
Last Modified: 2013-11-21
I recently installed a new Windows 2008 server (Standard) for a buddy's business. This is the only server they have. The server is the DC, Active Directory, DNS. Setup is as follows: T1 router - Watchguard Firewall - switch - server. They are requesting that I set up VPN access so 2 clients can access their mapped network drive on the server from home. If anyone can help me with setting this up that would be awesome. I installed the routing services. Just need to know how to configure them. The gateway is 192.168.7.1 and the server is 192.168.7.2. The 192.168.7.1 is the Watchguard.
Question by: xplit871

16 Comments
 

Expert Comment

by:tigermatt
ID: 24064184

What Operating System will the remote clients connecting to the VPN be running? If it's Vista, I would configure the new SSTP VPN which is based on SSL technology. It would simply need port 443 open through the firewall to the IP of the server. You can configure this using http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part1.html.

However, if you will be having legacy clients connect to the VPN, you'll probably need to go the PPTP route. This needs port 1723 open through the firewall, and PPTP Passthrough enabled. You can configure the PPTP VPN per my info at http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_23610766.html.

-Matt
 

Author Comment

by:xplit871
ID: 24065216
XP users; I'm sure in the future some Vista. I've looked over that guide and started working through it, but I get hung up when selecting 2 different NIC cards because I only have one active and it's connected to the switch, not the router.
 

Author Comment

by:xplit871
ID: 24065247
Also, at figure 15 I did VPN, instead of VPN and NAT, and then next it asked me to select a NIC connected to the internet, so I selected the only NIC that I have enabled and hit next. Then it asks me for another NIC, so I selected one that's disabled. Now no one can access network drives, or the SQL database.
 

Author Comment

by:xplit871
ID: 24065258
I have only set up 1 VPN before, and it was quite some time ago on a 2003 SBS. I don't remember having to go through so many steps to make it work.

Expert Comment

by:MCSA2003
ID: 24065929
If you're using a Watchguard firewall, why not set a couple users up on it, download the VPN client, import the .wgx file and be done with it?

Expert Comment

by:dpk_wal
ID: 24066002
On a side note, as you already have a Watchguard firewall, you can configure the firewall to act as a VPN server.

Which model of firewall do you have, and which version of software are you running?

Please advise if you would like to go this way.

Thank you.

Accepted Solution

by: tigermatt (earned 500 total points)
ID: 24066502

I would generally avoid using a firewall as a VPN server, and always recommend making a domain-joined machine the VPN server. This simplifies the login procedure as it will integrate fully with Active Directory.

The first article I linked to will not help you configure a VPN which will work for XP workstations. An SSTP VPN will only work natively with Vista or higher. You therefore want a PPTP connection, which can be configured as per http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_23610766.html#22135981. It's incredibly simple though; you use Server Manager to install the NP&S / RRAS role, and then configure the RRAS server to act as a VPN server.

-Matt

Expert Comment

by:MCSA2003
ID: 24067087
Which version of the Watchguard Firewall do you have? I have provided a link that will walk you through setting up the MUVPN software. Once this is set up, you just run the software, it establishes the connection and you are connected to your network just as if you're inside the domain. This is what these devices are designed for, as well as providing security. I have the Firebox Edge along with a Cisco PIX and love them both.

http://watchguard.custhelp.com/cgi-bin/watchguard.cfg/php/enduser/std_adp.php?p_faqid=1709&p_created=1226697977#edge

Expert Comment

by:tigermatt
ID: 24067106

A hardware-based VPN is ideal for site-to-site connections, but as I keep saying, not for remote access. It won't have native integration with regards to user and computer accounts in Active Directory. The principles of a VPN mean any VPN will allow you to communicate with the internal domain, but you over-complicate the authentication process massively by separating the two technologies out.

-Matt

Expert Comment

by:Rob Williams
ID: 24067526
The WatchGuard can be set up for Active Directory integration using RADIUS, and would provide a more secure connection where the end user must have the appropriate client, and it uses IPSec. However, the Windows PPTP VPN is by far the easiest to set up. WatchGuard, if you are not familiar with it, will take a while to learn, especially with the RADIUS configuration.

With server 2008 you need to add the RRAS role. To do so go to server management | add role | network access and protection | RRAS only | finish the wizard. From there it is the same as 2003:

The basic server and client configurations can be found at the following sites with good detail. This configuration is for use with RRAS and a single NIC:
-Server 2003 configuration:
http://www.lan-2-wan.com/vpns-RRAS-1nic.htm
-Windows XP client configuration:
http://www.lan-2-wan.com/vpns-XP-Client.htm
-Windows Vista client configuration:
http://www.onecomputerguy.com/networking/vista_vpn_client.htm
-You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through, and also forwarding port 1723 traffic to the server's IP. For details as to how to configure the port forwarding, click on the link for your router (assuming it is present) on the following page:
http://www.portforward.com/english/applications/port_forwarding/PPTP/PPTPindex.htm
-The users that are connecting to the VPN need to have allow access enabled under the dial-in tab of their profile in active directory
-The only other thing to remember is the subnet you use at the remote office needs to be different than the server end. For example if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x

-Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also, depending on your network configuration you may have problems connecting to devices by name, though this can usually be configured. Using the IP address is less problematic, such as \\192.168.1.111\ShareName.
-Name resolution can be dealt with in many ways. See:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx
However, the best method is to add the DNS suffix to the remote users VPN client configuration as described in the link above.
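As an added example (not from the thread, and not Rob Williams's or Microsoft's code), a PowerShell check script for the single-NIC PPTP/RRAS setup above: it confirms the RemoteAccess service and the TCP 1723 listener, shows the Windows Firewall profile state, reads the user's Dial-in permission from Active Directory, and tests a remote LAN against the office subnet. It assumes an elevated PowerShell prompt on the server; the user name and the remote subnet are placeholders, the office subnet is the one from the question.

```powershell
# Added example, not from the thread: post-install checks for a single-NIC
# PPTP/RRAS server on a domain controller. Run elevated on the server.
# $vpnUser and $remoteSubnet are placeholder assumptions.
$vpnUser      = 'jdoe'             # placeholder: AD account that needs VPN access
$officeSubnet = '192.168.7.0/24'   # server-side LAN from the question
$remoteSubnet = '192.168.7.0/24'   # placeholder home LAN; deliberately collides

function Get-NetworkNumber([string]$cidr, [int]$bits) {
    # Network number of $cidr's address under a /$bits mask, as a 64-bit value
    # (sidesteps Int32 sign issues and the PS 3.0-only -shl operator).
    $bytes = [System.Net.IPAddress]::Parse($cidr.Split('/')[0]).GetAddressBytes()
    [Array]::Reverse($bytes)                       # BitConverter is little-endian
    $addr = [uint64][BitConverter]::ToUInt32($bytes, 0)
    $mask = [uint64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
    return $addr -band $mask
}

function Test-SubnetOverlap([string]$a, [string]$b) {
    # Two prefixes overlap when they agree under the shorter of the two masks.
    $bits = [math]::Min([int]$a.Split('/')[1], [int]$b.Split('/')[1])
    return (Get-NetworkNumber $a $bits) -eq (Get-NetworkNumber $b $bits)
}

function Get-DialinPermission([string]$sam) {
    # Dial-in tab setting: msNPAllowDialin TRUE = Allow access, FALSE = Deny
    # access, attribute absent = Control access through NPS Network Policy.
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return "user '$sam' not found" }
    $val = $hit.Properties['msnpallowdialin']
    if ($val.Count -eq 0) { return 'Control access through NPS Network Policy' }
    if ($val[0]) { 'Allow access' } else { 'Deny access' }
}

# 1. RRAS must be running; the RemoteAccess service exists once the role is installed.
Write-Host ('RRAS service: ' + (Get-Service RemoteAccess).Status)
# 2. PPTP control channel: TCP 1723 should be LISTENING on the server.
Write-Host 'TCP 1723 listeners:'
netstat -an -p tcp | Select-String ':1723\s+\S+\s+LISTENING'
# 3. Windows Firewall profile state (RRAS turns it off; check it was not
#    re-enabled in a way that blocks LAN traffic, as happened in the question).
netsh advfirewall show allprofiles state | Select-String '^(Domain|Private|Public|State)'
# 4. Dial-in permission for the remote user.
Write-Host ("Dial-in for $vpnUser : " + (Get-DialinPermission $vpnUser))
# 5. Remote LAN must not collide with the office LAN.
if (Test-SubnetOverlap $officeSubnet $remoteSubnet) {
    Write-Host "WARNING: $remoteSubnet overlaps $officeSubnet; change the remote LAN."
} else { Write-Host 'Remote and office subnets are distinct.' }
```

GRE (IP protocol 47) carries the PPTP tunnel itself and has no port, so the "PPTP pass-through" setting on the firewall still has to be verified by hand.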
 

Author Comment

by:xplit871
ID: 24068465
I'll be working on this Monday when I go down to the client, as once I set up the VPN server it cut off all network traffic for some reason.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24072024
If when setting up RRAS you enable NAT it will cut off network access. Make sure you do not do so, or uninstall that component if it has already been enabled.
 

Author Comment

by:xplit871
ID: 24078008
Ok, I need help fast! I got here, disabled the RRAS, which said it would clear the configuration. I got my internet access back. But no one can access the shared network drive, or the program that uses SQL Server. I'm getting all kinds of errors under Active Directory, File Services, DNS and Print Services. The following is the error that I'm getting for Active Directory. When I set up RRAS the first time, I selected VPN, NOT VPN AND NAT. I'm not sure what it screwed up, but everything worked golden until I did that. That's when it killed all network access to this server. Please, if anyone can help quickly it would be greatly appreciated.

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
 
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made.  To assist in identifying these clients, if such binds occur this  directory server will log a summary event once every 24 hours indicating how many such binds  occurred.  You are encouraged to configure those clients to not use such binds.  Once no such events are observed  for an extended period, it is recommended that you configure the server to reject such binds.
 
For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
 

Author Comment

by:xplit871
ID: 24078037
Also, people can no longer see the server when exploring to my network places / entire network / Microsoft windows network / domain.  All the other computers are there, just not the server.

Expert Comment

by:Rob Williams
ID: 24083272
Can the client machines ping the server?
Can the server ping the clients?
Might the Windows Firewall have been enabled and be blocking traffic? Enabling RRAS disables the Windows Firewall. Disabling RRAS should not enable it by default, but may have.
Does the server have 1 or 2 NICs? If 2, RRAS needs to be configured for routing.
Could you post the results of "ipconfig /all" for us to review?
 

Author Comment

by:xplit871
ID: 24083728
It turned off IPsec on the IPv4 configuration. Re-enabled it and everything works like a dream.