xplit871 asked:
Step by step instructions on setting up VPN on Server 2008

I recently installed a new Windows 2008 Server (Standard) for a buddy's business. This is the only server they have. The server is the DC, Active Directory, DNS. Setup is as follows: T1 router - Watchguard Firewall - switch - server. They are requesting that I set up VPN access so 2 clients can access their mapped network drive on the server from home. If anyone can help me with setting this up that would be awesome. I installed the routing services. Just need to know how to configure them. The gateway is 192.168.7.1 and the server is 192.168.7.2. The 192.168.7.1 is the Watchguard.
tigermatt:

What Operating System will the remote clients connecting to the VPN be running? If it's Vista, I would configure the new SSTP VPN which is based on SSL technology. It would simply need port 443 open through the firewall to the IP of the server. You can configure this using http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part1.html.

However, if you will be having legacy clients connect to the VPN, you'll probably need to go the PPTP route. This needs port 1723 open through the firewall, and PPTP Passthrough enabled. You can configure the PPTP VPN per my info at https://www.experts-exchange.com/questions/23610766/How-to-setup-PPTP-VPN-in-Server-2008.html.

-Matt
xplit871 (Asker):

XP users; I'm sure in the future some Vista. I've looked over that guide and started working through it, but I get hung up when selecting 2 different NIC cards because I only have one active and it's connected to the switch, not the router.
Also, at figure 15 I did VPN, instead of VPN and NAT, and then next it asked me to select a NIC connected to the internet, so I selected the only NIC that I have enabled and hit next; then it asks me for another NIC, so I selected one that's disabled. Now no one can access network drives, or the SQL database.
I have only set up 1 VPN before and it was quite some time ago and on a 2003 SBS. I don't remember having to go through so many steps to make it work.....
If you're using a Watchguard firewall, why not set a couple of users up on it, download the VPN client, import the .wgx file and be done with it?
On a side note, as you already have a Watchguard firewall, you can configure the firewall to act as the VPN server.

Which model of firewall do you have, and which version of software are you running?

Please advise if you would like to go this way.

Thank you.
ASKER CERTIFIED SOLUTION
tigermatt

Which version of the Watchguard Firewall do you have? I have provided a link that will walk you through setting up the MUVPN software. Once this is set up, you just run the software, it establishes the connection and you are connected to your network just as if you're inside the domain. This is what these devices are designed for, as well as providing security. I have the Firebox Edge along with a Cisco PIX and love them both.

http://watchguard.custhelp.com/cgi-bin/watchguard.cfg/php/enduser/std_adp.php?p_faqid=1709&p_created=1226697977#edge

A hardware-based VPN is ideal for site-to-site connections, but as I keep saying, not for remote access. It won't have native integration with regards to user and computer accounts in Active Directory. The principles of a VPN mean any VPN will allow you to communicate with the internal domain, but you over-complicate the authentication process massively by separating the two technologies out.

-Matt
The WatchGuard can be set up for Active Directory integration using RADIUS, and would provide a more secure connection where the end user must have the appropriate client, and it uses IPSec. However, the Windows PPTP VPN is by far the easiest to set up. WatchGuard, if you are not familiar with it, will take a while to learn, especially with the RADIUS configuration.

With server 2008 you need to add the RRAS role. To do so go to server management | add role | network access and protection | RRAS only | finish the wizard. From there it is the same as 2003:

The basic server and client configurations can be found at the following sites with good detail. This configuration is for use with RRAS and a single NIC:
-Server 2003 configuration:
http://www.lan-2-wan.com/vpns-RRAS-1nic.htm
-Windows XP client configuration:
http://www.lan-2-wan.com/vpns-XP-Client.htm
-Windows Vista client configuration:
http://www.onecomputerguy.com/networking/vista_vpn_client.htm
-You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through, and also forwarding port 1723 traffic to the server's IP. For details as to how to configure the port forwarding, click on the link for your router (assuming it is present) on the following page:
http://www.portforward.com/english/applications/port_forwarding/PPTP/PPTPindex.htm
-The users that are connecting to the VPN need to have "Allow access" enabled under the Dial-in tab of their profile in Active Directory.
-The only other thing to remember is the subnet you use at the remote office needs to be different than the server end. For example, if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x.

-Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also, depending on your network configuration, you may have problems connecting to devices by name, though this can usually be configured. Using the IP address is less problematic, such as \\192.168.1.111\ShareName.
-Name resolution can be dealt with in many ways. See:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx
However, the best method is to add the DNS suffix to the remote user's VPN client configuration as described in the link above.
I'll be working on this Monday when I go down to the client, as once I set up the VPN server it cut off all network traffic for some reason.
If when setting up RRAS you enable NAT it will cut off network access. Make sure you do not do so, or uninstall that component if it has already been enabled.
Ok, I need help fast! I got here, disabled RRAS, which said it would clear the configuration. I got my internet access back. But no one can access the shared network drive, or the program that uses SQL Server. I'm getting all kinds of errors under Active Directory, File Services, DNS and Print Services. The following is the error that I'm getting for Active Directory. When I set up RRAS the first time, I selected VPN, NOT VPN AND NAT. I'm not sure what it screwed up but everything worked golden until I did that. That's when it killed all network access to this server. Please, if anyone can help quickly it would be greatly appreciated.

The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
 
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made.  To assist in identifying these clients, if such binds occur this  directory server will log a summary event once every 24 hours indicating how many such binds  occurred.  You are encouraged to configure those clients to not use such binds.  Once no such events are observed  for an extended period, it is recommended that you configure the server to reject such binds.
 
For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
 
You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
Also, people can no longer see the server when browsing to My Network Places / Entire Network / Microsoft Windows Network / domain. All the other computers are there, just not the server.
Can the client machines ping the server?
Can the server ping the clients?
Might the Windows Firewall have been enabled and be blocking traffic? Enabling RRAS disables the Windows Firewall. Disabling RRAS should not enable it by default, but may have.
Does the server have 1 or 2 NICs? If 2, RRAS needs to be configured for routing.
Could you post the results of "ipconfig /all" for us to review?
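A single check script that covers the items from the RRAS/PPTP checklist earlier in the thread and the troubleshooting questions just above it (RRAS service state, the TCP 1723 listener, Windows Firewall profile state, the Dial-in tab permission, and a trimmed ipconfig /all). This is an added example, not code from the thread; it assumes it is run as an administrator on the Server 2008 DC/RRAS box with PowerShell installed, and the user names in $VpnUsers are placeholders.

```powershell
# Added post-configuration check for a single-NIC RRAS PPTP server (not from the thread).
# Assumes: run as administrator on the DC that hosts RRAS; $VpnUsers are constructed placeholders.
$VpnUsers = @('remoteuser1', 'remoteuser2')   # sAMAccountNames of the two home users (placeholders)

# 1. RRAS service: the thread enabled it, then removed it to get LAN access back.
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
"RRAS service: " + $(if ($rras) { $rras.Status } else { 'not installed' })

# 2. PPTP control channel: RRAS must be listening on TCP 1723 for the forwarded port to matter.
#    (GRE, IP protocol 47, is not a socket and cannot be seen here; that is the "PPTP passthrough" part.)
$listening = netstat -an | Select-String ':1723\s+\S+\s+LISTENING'
"TCP 1723 listening: " + [bool]$listening

# 3. Windows Firewall: enabling RRAS turns it off; removing RRAS may have turned it back on.
netsh advfirewall show allprofiles state

# 4. Dial-in tab: msNPAllowDialin TRUE = "Allow access", FALSE = "Deny access",
#    absent = "Control access through NPS Network Policy" (the Server 2008 default).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
foreach ($u in $VpnUsers) {
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$u))"
    $r = $searcher.FindOne()
    if ($r -eq $null) { "$u : account not found"; continue }
    $allow = $r.Properties['msnpallowdialin']
    $state = if ($allow.Count -eq 0) { 'NPS policy (default)' }
             elseif ($allow[0]) { 'Allow access' }
             else { 'Deny access' }
    "$u dial-in: $state"
}

# 5. The address summary the thread asks for, trimmed to the lines that matter for one NIC.
ipconfig /all | Select-String 'IPv4 Address|Subnet Mask|Default Gateway|DNS Servers'
```

Section 2 only shows something once the RRAS wizard has been completed; if 1723 is not listening, the firewall port forward has nowhere to go.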
It turned off IPsec on the IPv4 configuration. Re-enabled it and everything works like a dream.