Setting up a VPN on Windows Server 2008 / Vista

Posted on 2009-12-17
Last Modified: 2012-05-08
I am running Windows Server 2008 and I have installed the Routing and Remote Access Role.  I have a Custom Configuration for the VPN as I only have one NIC on the server.

I would ultimately like to be able to switch on a laptop and log straight on my domain through Active Directory remotely/through the internet.

I am a little unsure how to do this.

Firstly, what DNS records do I need to set for my external domain (e.g.  For info, the VPN server is also acting as my domain controller and I have a local domain running.

Secondly, what do I need to do on my router/firewall? It's a Netgear ProSafe router and I have enabled VPN passthrough and opened up the PPTP port and forwarded this port to the server behind the router.

Thirdly, what do I need to do on the laptop or other remote computers? I have attempted to set up a VPN connection, but when I try to connect, it asks for a username/password/domain, then displays "Registering computer on the network" before failing to connect.  I have no idea if the laptop has found the server/VPN or not.

Thanks in advance!
Question by: pipelineconsulting
    LVL 77

    Expert Comment

    by: Rob Williams
    When the connection fails what error number is reported such as 721, 691, 800?
    Very possible the failure is GRE is not allowed. On Most Netgears you do not forward port 1723 to the server but rather forward the PPTP service. This forwards port 1723 and also enables GRE/PPTP pass-through.

    In order for clients to logon directly to your domain they need to be joined to the domain. If they are in the logon box of the client machine there will be a check box for "use dial-up connection". If they select this the VPN will then be provided as an option. Selecting the VPN allows the user to authenticate to your domain, and have group policy and logon scripts applied.

    As for configuring the client they need to have the VPN adapter configured with your server as the DNS server, and add the domain suffix under advanced DNS, but this is done automatically when joined to the domain. If doing so manually see:
    LVL 2

    Expert Comment

    1) No need to set DNS to external; you can use the IP. If you want to use something like just simply add this as an A record to the DNS server.
    2) VPN passthrough is required primarily for clients, for receiving the UDP VPN response payload back. On the server-side router, just port 1723 forwarding is required.
    3) Did you set up the security group for VPN and allow it to connect inside Routing and Remote Access? If you use an NAP server, the rules may be there instead of in RRAS.
    4) How about IP address allocation for the clients? There is something called DHCP relay, so it will basically forward configuration from the LAN's DHCP to the client. It is also possible to set a special manually assigned network; best to use a totally different segment.
    Don't forget to have routing turned on in case you want to reach anything behind the RRAS PPTP server.
    LVL 2

    Accepted Solution

    2) GRE 47 has to be enabled, so leave passthrough on on the server side.
    I found nice howto also:
    Once you've installed the NP&AS role and then subsequently RRAS as a role service, you will get an icon appear in Administrative Tools called Routing and Remote Access.

    On opening this MMC applet, you will see the server object in the tree view. You will need to right-click this and choose the option to "Configure and enable RRAS". As you step through the wizard, you will have to answer a series of questions as to what you want the server to perform. At this stage, you would be best choosing the option "Remote Access (dial-up or VPN)". If the wizard asks for further information, this should be specific to your network.

    Finally, once RRAS is enabled and started, you should see some PPTP ports under the "Ports" section of the RRAS console. If you see them, you have PPTP VPNs up and running. The last step is to open the ports through your firewall to the server. You will need to pass TCP port 1723 to the internal IP of the Server 2008 machine, and you will also have to enable a feature known as PPTP Passthrough. This feature creates a port called GRE 47 - this is not TCP port 47, so a firewall rule cannot be created in the usual way. It's either enabling the passthrough option or using your router/firewall's built-in rules to add in the ports for PPTP.

    Don't forget that users who are dialling in will need the "Allow" flag setting on the Dial-in tab of their user properties.
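    The server-side steps from the two expert comments above (static address pool on its own segment with routing on, TCP 1723 plus GRE allowed, the "Allow" dial-in flag on the user), collected into one PowerShell script as an added example; this is not code from the thread. It assumes a plain Windows Server 2008 host (no ActiveDirectory module, so ADSI is used), an elevated prompt, and placeholder values for the account name and the pool range. One caveat the thread does not raise: PPTP's MS-CHAPv2 authentication has been publicly broken since 2012, so use this to get the lab working and move to SSTP or L2TP/IPsec before relying on it over the internet.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell prompt on the
# Server 2008 RRAS/DC host. Account name and pool range are placeholders (assumptions).
param(
    [string]$VpnUser   = 'vpnuser',        # assumed sample domain account
    [string]$PoolStart = '192.168.200.1',  # assumed static pool on a segment the LAN does not use
    [string]$PoolEnd   = '192.168.200.50'
)

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt.'
}

# 1. The "Routing and Remote Access" service (service name RemoteAccess) must be running,
#    otherwise there is no PPTP listener and every client fails before authentication starts.
$svc = Get-Service -Name RemoteAccess
if ($svc.Status -ne 'Running') {
    Set-Service -Name RemoteAccess -StartupType Automatic
    Start-Service -Name RemoteAccess
}

# 2. Confirm something is actually listening on TCP 1723 (the PPTP control channel).
$listener = netstat -an | Select-String ':1723\s+\S+\s+LISTENING'
if ($listener) { Write-Host "PPTP control channel listening: $($listener -join '; ')" }
else           { Write-Warning 'Nothing listens on TCP 1723. Re-run "Configure and Enable Routing and Remote Access".' }

# 3. Host firewall rules. GRE (IP protocol 47) carries the tunnel itself and has no port number,
#    so it is allowed by protocol, never as "port 47". The Netgear in front of the server still
#    has to forward the PPTP service (TCP 1723 plus GRE) to this host; that is a router setting.
$rules = @(
    @{ Name = 'RRAS PPTP control TCP 1723'; Spec = @('protocol=TCP', 'localport=1723') },
    @{ Name = 'RRAS PPTP tunnel GRE 47';    Spec = @('protocol=47') }
)
foreach ($r in $rules) {
    $existing = netsh advfirewall firewall show rule name="$($r.Name)"
    if ($existing -match 'No rules match') {
        netsh advfirewall firewall add rule name="$($r.Name)" dir=in action=allow $($r.Spec) | Out-Null
        Write-Host "Added host firewall rule: $($r.Name)"
    }
}

# 4. Client address assignment from a static pool on its own segment (the alternative is DHCP
#    relay to the LAN's DHCP server), and access to the whole LAN rather than the server only.
netsh ras ip set addrassign method=pool | Out-Null
netsh ras ip add range from=$PoolStart to=$PoolEnd | Out-Null
netsh ras ip set access mode=all | Out-Null

# 5. Dial-in permission ("Allow access" on the user's Dial-in tab) via ADSI. The account name is
#    validated before it goes into the LDAP filter so a bad parameter cannot alter the filter.
if ($VpnUser -notmatch '^[A-Za-z0-9._-]{1,64}$') { throw "Refusing unexpected account name '$VpnUser'" }
$searcher = New-Object DirectoryServices.DirectorySearcher("(&(objectCategory=person)(sAMAccountName=$VpnUser))")
$hit = $searcher.FindOne()
if ($hit -eq $null) { throw "User $VpnUser not found in the domain" }
$account = $hit.GetDirectoryEntry()
$account.Put('msNPAllowDialin', $true)   # the attribute behind the Dial-in tab's Allow/Deny radio buttons
$account.SetInfo()
Write-Host "Dial-in permission set to Allow for $($account.distinguishedName)"
```

    Step 3 only covers the Windows Firewall on the server itself; if the ProSafe router offers a "PPTP" service entry, use that rather than a plain TCP 1723 rule, since the service entry is what also passes GRE.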

    Author Comment

    Followed all of your suggestions but still having a few problems. The router has been set to allow the PPTP service through (not sure if I need to allow any others through?).

    Viewed through Event Viewer, the error I am getting is:

    This computer was not able to set up a secure session with a domain controller in domain PIPELINE due to the following:
    There are currently no logon servers available to service the logon request.
    This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

    If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

    The error is being thrown by NETLOGON and has an event ID of 5719.

    Do I need to configure anything else on the client laptop? Can I assume that the VPN request is getting through the firewall?
    LVL 77

    Expert Comment

    by: Rob Williams
    When the connection fails what error number is reported such as 721, 691, 800?
    This is not in the event log but rather pops up on the client when the connection fails.
    You cannot test the VPN using the external address of the server from the LAN, you must be off site.
    You can test at least the VPN configuration by connecting from the LAN to the Server's LAN IP.

    Author Comment

    I am using the built-in Vista VPN client which is added through Network and Sharing Centre.
    I get a pop up which asks simply whether to Diagnose the Problem (nothing useful revealed here) or to Try Again - there are no error codes shown.

    I have tried connecting through a 3G mobile dongle but with no success.
    LVL 77

    Assisted Solution

    by: Rob Williams
    Have you tried from off site using a wired connection?
    Very often 3G connections will not work because of blocked GRE or multiple NAT configurations.
    It sounds like the initial connection is made, handshaking starts, but authentication fails. This can be due to bad credentials, dissimilar authentication protocols, and often due to blocked GRE.
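    The diagnostic sequence in the two Rob Williams comments above (get the numeric RAS error rather than the Vista dialog's "Try Again", test from the LAN against the server's LAN IP before testing from off site, suspect GRE when TCP 1723 connects but the dial still fails), as an added PowerShell script for the client; it is not code from the thread. Entry name, account and host name are placeholders, the domain name PIPELINE is taken from the NETLOGON event quoted earlier, and it assumes the built-in Vista VPN connection already exists and that rasdial exits with the RAS error number.

```powershell
# Added example, not from the original thread. Run in PowerShell on the Vista (or later) client.
param(
    [string]$Server    = 'vpn.example.com',  # assumed: external A record, or the server's LAN IP for an on-site test
    [string]$EntryName = 'Office VPN',       # assumed: name of the VPN connection in Network and Sharing Centre
    [string]$User      = 'vpnuser',          # assumed
    [string]$Domain    = 'PIPELINE',         # from the NETLOGON 5719 event quoted in the thread
    [int]$TimeoutMs    = 5000
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# 1. Name resolution: the external name must resolve to the router's public address.
$addresses = [Net.Dns]::GetHostAddresses($Server)
if (-not $addresses) { throw "$Server does not resolve; check the external A record." }
Write-Host "$Server -> $($addresses -join ', ')"

# 2. TCP 1723 reachable proves the router forwards the PPTP control channel. It proves nothing
#    about GRE: a 3G carrier or a double NAT can pass 1723 and still drop IP protocol 47.
if (-not (Test-TcpPort -Target $Server -Port 1723 -TimeoutMs $TimeoutMs)) {
    Write-Warning 'TCP 1723 unreachable: the control channel is blocked or not forwarded.'
    return
}

# 3. Dial with rasdial. "*" makes rasdial prompt for the password so it never lands on the
#    command line or in shell history. Unlike the Network and Sharing Centre dialog, rasdial
#    reports the numeric RAS error the experts asked for.
& rasdial $EntryName $User '*' "/DOMAIN:$Domain"
$code = $LASTEXITCODE   # assumed: rasdial exits with the RAS error number, 0 on success
switch ($code) {
    0   { Write-Host 'Connected.' }
    691 { Write-Warning '691: credentials rejected, the account lacks dial-in permission, or client and server share no authentication protocol.' }
    721 { Write-Warning '721: remote PPP peer not responding. TCP 1723 worked, so GRE (IP protocol 47) is being dropped on the path.' }
    800 { Write-Warning '800: no VPN server reachable at that address; name, port forwarding or tunnel type is wrong.' }
    default { Write-Warning "RAS error $code; look it up in the rasdial output above." }
}
if ($code -ne 0) { return }

# 4. After connecting, the PPP adapter must list the DC as its DNS server, otherwise the
#    "Registering computer on the network" step cannot find a logon server (NETLOGON 5719).
ipconfig /all | Select-String -Pattern 'PPP adapter' -Context 0,12

# 5. Recent NETLOGON 5719 events, to tell a failure after the dial from one before it.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5719 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

    Run it first from inside the LAN with `-Server` set to the server's LAN IP to separate RRAS problems from router and carrier problems, then from a wired off-site connection with the public name; `rasdial "Office VPN" /DISCONNECT` drops the tunnel between attempts.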

    Author Comment

    I've tried an offsite wireless connection, which also didn't work.
