How-To: Windows 2003 VPN Server

Using Windows 2003 Server as a VPN server is one of the better (read: overkill) remote access solutions for a SOHO network. This how-to will show how to create a simple yet effective VPN solution with certain limitations. Mainly, it assumes the Windows 2003 server has only one network card and sits behind a router/firewall. Make sure you have administrator privileges before continuing.

Main configuration:

  1. Open Routing and Remote Access by going to Control Panel -> Administrative Tools -> Routing and Remote Access.
  2. Right-click on the server name.
  3. In the context menu, select Configure and Enable Routing and Remote Access. Click Next on the wizard.
  4. On the Configuration page, select Custom Configuration. (Note: This particular option is chosen because we are using a single network card.)
  5. On the next screen, pick VPN Access then click Next. Then hit Finish to close out the wizard.
  6. A dialog box will appear asking if you want to start the service. Click Yes.

At this point there are a few more items left to configure. In this example, my configuration uses a custom firmware Linksys WRT54G router to handle DHCP, firewall and connection sharing. Regardless of DHCP being available, I’ve assigned a static IP range to VPN clients.

  1. In Routing and Remote Access, right-click the server name as before.
  2. In the context menu, select Properties.
  3. Click the IP tab.
  4. Select the radio-button next to Static address pool.
  5. Click the Add button.
  6. In the New Address Range window, enter the appropriate start and end IP addresses. The addresses should follow the convention of the rest of your network.
  7. Click OK and Apply until you return to the Routing and Remote Access window, then close that as well.
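
A quick sanity check for the static pool chosen above, as an added example that is not part of the original how-to. It assumes the router's DHCP scope and the fixed addresses of the router and VPN server are known; all addresses shown are constructed placeholders. A pool that overlaps the DHCP scope lets the router and the VPN server hand out the same address.

```python
import ipaddress

def check_vpn_pool(lan, pool_start, pool_end, dhcp_start, dhcp_end, reserved=None):
    """Return a list of problems with a static VPN address pool (empty = OK)."""
    net = ipaddress.ip_network(lan)
    ps, pe = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    ds, de = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    if ps > pe:
        return ["pool start is after pool end"]
    problems = []
    # The pool should follow the addressing of the rest of the network.
    if ps not in net or pe not in net:
        problems.append(f"pool is outside the LAN subnet {net}")
    # Two closed ranges overlap when each one starts before the other ends.
    if ps <= de and ds <= pe:
        problems.append(f"pool overlaps DHCP scope at {max(ps, ds)}-{min(pe, de)}")
    # Network and broadcast addresses cannot be handed to a client.
    for special in (net.network_address, net.broadcast_address):
        if ps <= special <= pe:
            problems.append(f"pool contains unusable address {special}")
    # Statically configured hosts (router, VPN server) must stay out of the pool.
    for name, addr in (reserved or {}).items():
        if ps <= ipaddress.ip_address(addr) <= pe:
            problems.append(f"pool contains {name} ({addr})")
    return problems

# Constructed example network: router DHCP serves .100-.149.
FIXED_HOSTS = {"router": "192.168.1.1", "vpn server": "192.168.1.10"}

if __name__ == "__main__":
    for pool in (("192.168.1.200", "192.168.1.210"), ("192.168.1.140", "192.168.1.160")):
        issues = check_vpn_pool("192.168.1.0/24", *pool,
                                "192.168.1.100", "192.168.1.149", FIXED_HOSTS)
        print(pool, "->", issues or "OK")
```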

User accounts must be given VPN access via user properties.

  1. Open Active Directory Users and Computers and click the Users folder.
  2. Double-click on a user name to be given VPN access in the right hand window.
  3. Click the Dial-in tab.
  4. Select the radio-button next to Allow access in the Remote Access Permission (Dial-in or VPN) section. (Note: If you have multiple users, then it might be easier to create a new user group with VPN access. Then add user profiles to the group as necessary.)
  5. Close out the window. Repeat as necessary for any other users.

Since my test server sits behind a router/firewall, the next step involves forwarding ports on the router/firewall to the local IP address of the VPN server. My Linksys WRT54G router requires PPTP Passthrough to be enabled. Port listing:

Realize that once the ports are opened to the VPN server, the local network is open to the possibility of malicious attacks. Make sure users comply with a good password policy and monitor access logs. I highly doubt home users will be running out to purchase a copy of Windows Server 2003 any time soon but if, like me, you happen to be tinkering with a free 120-day trial version then it is prudent to be vigilant.

Configuring an XP client is straightforward. The only caveat is knowing the IP address of the server. If you are on a static IP, then there is no problem. If you happen to be on a dynamic IP address (i.e. an IP that changes regularly), then a service like DynDNS will give you a resolvable host name.

These are the steps to configure the XP machine for VPN access:

  1. Go to Start -> Settings -> Network Connections.
  2. Open the New Connection Wizard.
  3. Pick Connect to the network at my workplace then click Next.
  4. Pick Virtual Private Network connection then click Next.
  5. In the text box, provide a connection name then click Next.
  6. Since I have broadband available from wherever I need to access my network, I have no need to dial an internet provider. If this is the case in your setup, then pick Do not dial the initial connection.
  7. On the next screen enter the host name or IP address of the VPN server then click Next. Then pick Finish.

To connect to your VPN server, double-click on the connection icon just created on the client machine.

Troubleshooting: Some routers do not function properly in a VPN over NAT environment. Consult this list of affected routers.

How-To: Image Windows XP with Ghost and Sysprep

I tend to install and reinstall operating systems quite frequently on my home system. With my hectic schedule, I don’t have time to sit down to reinstall and configure every last program. Although it is arguably easier to use a backup of my system for day-to-day mishaps, I tend to change out peripherals a lot and restoring a system that does not have certain drivers “cleaned out” tends to wreak havoc on a new configuration. To make this process go a bit faster, two years ago I created a “Ghost Image” of my hard drive after doing a basic install. Now, instead of it taking a few hours of toiling away to reinstall a system, I can do this all in about 15 minutes with only half a dozen quick mouse clicks. The trick is to use Norton Ghost or any other imaging software and Microsoft Sysprep.

Part 1: Install XP and Sysprep

  1. Install Windows XP on a clean hard drive.
  2. Do not install any drivers or other utilities that are hardware specific beyond what Windows itself installs.
    • This is necessary to make sure the image is as portable as possible across different types of systems. However, different storage controllers and different HALs (Hardware Abstraction Layers) make this harder to predict.
    • Most modern computers these days work fine with a standard ACPI HAL, but if this image is to be truly portable across multiple machines then it must be determined which specific HAL will be needed. Refer to Microsoft KB309283 if you are completely lost.
    • It is also important to determine if the target system uses a storage controller that normally requires a driver disc during a regular XP install. If this is the case, then the necessary paths to the drivers must be included in the Sysprep.inf file. These must be added to the [SysprepMassStorage] section in the form PCI\VEN_####&DEV_#### = PATH_TO_DRIVER_ON_IMAGED_DRIVE, where VEN_#### should be replaced by the Vendor ID number (e.g. VEN_1234) and DEV_#### should be replaced by the Device ID number (e.g. DEV_1234). This information can usually be found in the specific driver INF files. Here is an example for adding the VMWare SCSI controller driver to sysprep.inf:

      ….snipped out windows mass storage driver list….


  3. Create a testuser account with administrative privileges. Use this account to install and configure all the software and policies on the system.
  4. Remember to run Windows Update, Office Update and make sure all the rest of the software is up to date. You’ll probably end up rebooting a few times in between but keep going until everything is updated.
  5. Copy all the start menu items from the testuser account to the Administrator start menu. (Note: This is necessary as some installers do not create start menu items in All Users but within the testuser profile only. This leaves some items missing on the Administrator start menu.)
  6. Log out and log back in as the computer Administrator and then copy the testuser profile folder to the default user profile folder. This is done via Control Panel -> System -> Advanced -> User Profile “Settings” then select testuser and click Copy to. Copy all of this to c:\Documents and Settings\Default User. If you don’t understand then refer to Microsoft KB291586.
  7. Delete the testuser account. Make sure that c:\Documents and Settings\testuser has been deleted too.
  8. Download Sysprep for XP SP2.
  9. Extract the files to c:\sysprep.
  10. Create the basic sysprep.inf file by running setupmgr.exe. This is a tool Microsoft provides for creating an answer file so the restore doesn’t involve asking the normal setup questions. The basic steps are below:
    • Run setupmgr.exe
    • Click Create New
    • Click Sysprep Setup
    • Then choose whichever product you are using. In our example it would be XP Professional.
    • The next question asks: Do you want to fully automate the install? All this question determines is who is going to accept the EULA, you or the person restoring the image. Also, picking yes means that you must enter your Product Key. I pick no because this is for my own use and I don’t want someone to swipe my Product Key accidentally, but a large company or OEM may choose differently.
    • The next few sets of options are for you to enter in any information like your Name, Organization, Time Zone, Product Key (I leave this blank), Network Settings, etc.
    • I leave the Computer Name option set to Automatically generate computer name.
    • Once completed, a dialog box will ask where you want to save the file. c:\sysprep\sysprep.inf is the path we’re using in this example.
    • On the completion screen, click Cancel to close setupmgr.exe.

    The process of creating a basic sysprep.inf file is now completed.

  11. Before proceeding to the next step, create a custom hardware drivers directory for any drivers needed for the target system. Usually I use c:\drivers.
  12. Open c:\sysprep\sysprep.inf in Notepad and add the following lines to the relevant sections (if the heading doesn’t exist, create it):




  13. Do not close the sysprep.inf yet! OemPNPDriversPath points to the c:\drivers directory created earlier. For organizational purposes, I split up my custom driver files based on category (i.e. hardware_cat in the example above). For example, all video drivers go under c:\drivers\video and network drivers under c:\drivers\network. In each of those directories, the specific driver bundles are placed with their driver inf files (i.e. driver_dir). For example, the latest nVidia drivers would go into c:\drivers\video\nVidia\. The last part, driver_inf, is just that: the name of the inf file. For example, for the latest nVidia driver, the path would be c:\drivers\video\nVidia\nv4_disp.inf. In sysprep.inf, the path would be written as OemPNPDriversPath=drivers\video\nVidia\nv4_disp.inf;. Do not forget the semi-colon as a separator. For the next driver, repeat the procedure by placing the path after the semi-colon without leaving a space. Once all the drivers are added, save the file.
  14. Run c:\sysprep\sysprep -bmsd. This will build the Windows XP standard mass storage drivers section.
  15. While editing sysprep.inf there is an option labeled InstallFilesPath which usually points to c:\sysprep\i386. I usually copy the contents of my XP CD’s i386 directory into c:\sysprep\i386. This isn’t necessary.
  16. Add any custom storage drivers to the [SysprepMassStorage] section as detailed above.
  17. Now run C:\sysprep\sysprep.exe.
  18. Pick options Mini Setup and Detect non-plug and play hardware. If you don’t have a volume license and plan on just using this image for restoring the computer the image was made on, then pick the option Don’t regenerate security identifiers. If you have a volume license key and will be using this image for multiple machines then leave that option unchecked. Ensure that Shutdown is selected from the Shutdown mode drop-down menu and click Reseal.
  19. If you left the SID option to regenerate, then a pop-up will ask you to confirm. Hit OK to continue.
  20. This will take a while and your system will shut down once the process is complete.

Sysprep is now complete. Part 2 discusses imaging.
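
A pre-reseal check of the answer file, as an added example that is not part of the original post. It flags values that would ship readable inside every copy of the image (the product key concern raised in step 10, plus the AdminPassword key that setupmgr.exe can also write), spaces in the semicolon-separated driver path list from step 13, and PCI entries in [SysprepMassStorage] that do not match the VEN/DEV form. The sample file and its IDs are constructed placeholders.

```python
import re

# Constructed sample answer file; keys and hardware IDs are placeholder values.
SAMPLE_INF = r"""
[Unattended]
OemPnPDriversPath=drivers\video\nVidia\nv4_disp.inf; drivers\network\nic\nic.inf
[GuiUnattended]
AdminPassword=Example-Passw0rd
[UserData]
FullName="Test User"
ProductKey=AAAAA-BBBBB-CCCCC-DDDDD-EEEEE
[SysprepMassStorage]
PCI\VEN_1234&DEV_5678=c:\drivers\storage\example\example.inf
PCI\VEN_12&DEV_5678=c:\drivers\storage\bad\bad.inf
"""

# Keys whose values end up readable in every copy of the image.
SECRETS = {("userdata", "productkey"), ("guiunattended", "adminpassword")}
# PCI hardware ID in the form the post describes: four hex digits each.
PCI_ID = re.compile(r"PCI\\VEN_[0-9A-F]{4}&DEV_[0-9A-F]{4}(&.*)?", re.I)

def audit_sysprep_inf(text):
    """Return (section, key, problem) tuples for risky or malformed entries."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if (section, key.lower()) in SECRETS and value:
            findings.append((section, key, "value ships inside every copy of the image"))
        elif key.lower() == "oempnpdriverspath":
            parts = value.rstrip(";").split(";")
            if any(not p or p != p.strip() for p in parts):
                findings.append((section, key, "space or empty entry in path list"))
        elif (section == "sysprepmassstorage" and key.upper().startswith("PCI\\")
              and not PCI_ID.fullmatch(key)):
            findings.append((section, key, "malformed PCI hardware ID"))
    return findings

if __name__ == "__main__":
    for finding in audit_sysprep_inf(SAMPLE_INF):
        print(*finding, sep=" | ")
```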

How-To: Internet Explorer Warning Infobar

I have received a few emails asking how to implement the Internet Explorer “infobar” warning on their own site. If you don’t know what I’m talking about, when browsing to my blog with Microsoft’s infamously buggy but popular browser, users see this:

Internet Explorer Infobar

Background: I don’t have to preach to the choir about Internet Explorer (IE) having a lot of quirks when it comes to rendering CSS heavy pages in addition to all the security issues plaguing the browser. The theme on this site is a slightly modified version of K2 which still needs some work to make sure it displays properly on IE. Not only do I not have time to fix these bugs myself due to school but more than 80% of my readers use Firefox. I still wanted to display a warning to any IE users letting them know that this site won’t look quite right without using an alternate browser (i.e. Opera, Safari, Konq, Firefox, etc.). Although I’m not afraid to tinker, I don’t enjoy reinventing the wheel so my first hope was finding someone else having coded this before I went at “programming” a little css/javascript myself. Google brought me to a posting that had the basic CSS and example code ready to go. Interestingly, the version was a streamlined version of the original author’s code (dead link). However, this minimized version did not scroll with the page in IE because IE does not properly support position: fixed. There were many possible solutions to getting this to work but most involved messing up all position: absolute blocks on the page. Finally, I found a solution that I adapted to work the way I wanted.

Instructions: This is how to add it to your site. (Warning: Your mileage may vary so back up your site before attempting any of this. Don’t come running to me when something goes wrong.)

1. Save warning.gif by right clicking and hitting “Save as…”


Warning.gif Image File

2. Create a file called infobar.css and paste the following code into it. Note that the path to warning.gif must be updated to reflect your site. Then save it.

[code lang=”CSS”]
/*
Name: No IE Information Bar
Version: 0.2.6 Minimized
Modified by: and
*/

body {
  margin: 0;
}
#infobar {
  font: message-box;
  position: absolute; left: 0px; top: 0px;
  z-index: 5; /* Change this value accordingly to reflect your site's setup */
}
body>div#infobar {
  position: fixed; /* Hopefully Internet Explorer 7 will parse this tag properly */
}
#infobar a, #infobar a:link, #infobar a:visited, #infobar a:active {
  display: block;
  float: left;
  clear: both;
  width: 100%;
  color: InfoText;
  background: InfoBackground url('http://path/to/warning.gif') no-repeat fixed .3em .3em; /* Change this path */
  border-bottom: .16em outset;
  text-align: left;
  text-decoration: none;
  cursor: default;
  padding: .45em 0 .45em 2em;
  margin: 0 -2em 0 0;
}
#infobar a:hover {
  color: HighlightText;
  background-color: Highlight;
}
[/code]

3. Modify your site’s template. For K2, I put this all into my header.php file.

Part A: Somewhere right after the tag paste the following (change the path to infobar.css for your site):

[code lang=”Javascript”]


Part B: Right after tag paste the following:

[code lang=”HTML”]


That’s it. Let me know if there are any mistakes or a better way of doing this.