Using Windows 2003 Server as a VPN server is one of the better (read: overkill) remote access solutions for a SOHO network. This how-to will show how to create a simple yet effective VPN solution with certain limitations. Mainly, it assumes the Windows 2003 server has only one network card and sits behind a router/firewall. Make sure you have administrator privileges before continuing.
- Open Routing and Remote Access by going to Control Panel -> Administrative Tools -> Routing and Remote Access.
- Right-click on the server name.
- In the context menu, select Configure and Enable Routing and Remote Access. Click Next on the wizard.
- On the Configuration page, select Custom Configuration. (Note: This particular option is chosen because we are using a single network card.)
- On the next screen, pick VPN Access then click Next. Then hit Finish to close out the wizard.
- A dialog box will appear asking if you want to start the service. Click Yes.
At this point there are a few more items left to configure. In this example, my configuration uses a custom firmware Linksys WRT54G router to handle DHCP, firewall and connection sharing. Regardless of DHCP being available, I’ve assigned a static IP range to VPN clients.
- In Routing and Remote Access, right-click the server name as before.
- In the context menu, select Properties.
- Click the IP tab.
- Select the radio-button next to Static address pool.
- Click the Add button.
- In the New Address Range window, enter the appropriate start and end IP addresses. The addresses should follow the convention of the rest of your network.
- Click Okay and Apply until returning to the Routing and Remote Access window and close that as well.
User accounts must be given VPN access via user properties.
- Open Active Directory Users and Computers and click the Users folder.
- Double-click on a user name to be given VPN access in the right hand window.
- Click the Dial-in tab.
- Select the radio-button next to Allow access in the Remote Access Permission (Dial-in or VPN) section. (Note: If you have multiple users, then it might be easier to create a new user group with VPN access. Then add user profiles to the group as necessary.)
- Close out the window. Repeat as necessary for any other users.
Since my test server sits behind a router/firewall, the next step involves forwarding ports on the router/firewall to the local IP address of the VPN server. My Linksys WRT54G router requires PPTP Passthrough to be enabled. Port listing:
- PPTP: 1723.
- IPSec: 500, 50-51 (note that 50 and 51 are the IP protocol numbers of ESP and AH rather than TCP/UDP ports).
Realize that once the ports are opened to the VPN server, the local network is open to the possibility of malicious attacks. Make sure users comply with a good password policy and monitor access logs. I highly doubt home users will be running out to purchase a copy of Windows Server 2003 any time soon but if, like me, you happen to be tinkering with a free 120-day trial version then it is prudent to be vigilant.
Configuring an XP client is straightforward. The only caveat is knowing the IP address of the server. If you are on a static IP, then there is no problem. If you happen to be on a dynamic IP address (i.e. an IP that changes regularly), then a service like DynDNS will give you a resolvable host name.
These are the steps to configure the XP machine for VPN access:
- Go to Start -> Settings -> Network Connections.
- Open the New Connection Wizard.
- Pick Connect to the network at my workplace then click Next.
- Pick Virtual Private Network connection then click Next.
- In the text box, provide a connection name then click Next.
- Since I have broadband available from wherever I need to access my network, I have no need to dial an internet provider. If this is the case in your setup, then pick Do not dial the initial connection.
- On the next screen enter the host name or IP address of the VPN server then click Next. Then pick Finish.
To connect to your VPN server, double-click on the connection icon just created on the client machine.
Troubleshooting: Some routers do not function properly in a VPN over NAT environment. Consult this list of affected routers.
I tend to install and reinstall operating systems quite frequently on my home system. With my hectic schedule, I don’t have time to sit down to reinstall and configure every last program. Although it is arguably easier to use a backup of my system for day-to-day mishaps, I tend to change out peripherals a lot and restoring a system that does not have certain drivers “cleaned out” tends to wreak havoc on a new configuration. To make this process go a bit faster, two years ago I created a “Ghost Image” of my hard drive after doing a basic install. Now, instead of it taking a few hours of toiling away to reinstall a system, I can do this all in about 15 minutes with only half a dozen quick mouse clicks. The trick is to use Norton Ghost or any other imaging software and Microsoft Sysprep.
Part 1: Install XP and Sysprep
- Install Windows XP on a clean hard drive.
- Do not install any drivers or other utilities that are hardware specific beyond what Windows itself installs.
- This is necessary to make sure the image is as portable as possible across different types of systems. However, different storage controllers and different HALs (Hardware Abstraction Layers) make this harder to predict.
- Most modern computers these days work fine with a standard ACPI HAL, but if this image is to be truly portable across multiple machines then it must be determined which specific HAL will be needed. Refer to Microsoft KB309283 if you are completely lost.
- It is also important to determine if the target system uses a storage controller that normally requires a driver disc during a regular XP install. If this is the case, then the necessary paths to the drivers must be included in the Sysprep.inf file. These must be added to the [SysprepMassStorage] section in the form PCI\VEN_####&DEV_#### = PATH_TO_DRIVER_ON_IMAGED_DRIVE, where VEN_#### should be replaced by the Vendor ID number (i.e. VEN_1234) and DEV_#### should be replaced by the Device ID number (i.e. DEV_1234). This information can usually be found in the specific driver INF files. Here is an example for adding the VMWare SCSI controller driver to this section:
….snipped out windows mass storage driver list….
- Create a testuser account with administrative privileges. Use this account to install and configure all the software and policies on the system.
- Copy the start menu items from the testuser account to the Administrator start menu. (Note: This is necessary as some installers do not create start menu items in All Users but within the testuser profile only. This leaves some items missing on the c:\Documents and Settings\Default User profile. If you don't understand then refer to Microsoft KB291586.)
- Delete the testuser account. Make sure that c:\Documents and Settings\testuser has been deleted too.
- Create a sysprep.inf file by running setupmgr.exe. This is a tool Microsoft provides for creating an answer file so the restore doesn't involve asking the normal setup questions. The basic steps are below:
- Run setupmgr.exe
- Click Create New
- Click Sysprep Setup
- Then choose whichever product you are using. In our example it would be XP Professional.
- The next question asks: Do you want to fully automate the install? All this question determines is who is going to accept the EULA, you or the person restoring the image. Also, picking yes means that you must enter your Product Key. I pick no because this is for my own use and I don’t want someone to swipe my Product Key accidentally, but a large company or OEM may choose differently.
- The next few sets of options are for you to enter in any information like your Name, Organization, Time Zone, Product Key (I leave this blank), Network Settings, etc.
- I leave the Computer Name option set to Automatically generate computer name.
- Once completed, a dialog box will ask where you want to save the file. c:\sysprep\sysprep.inf is the path we’re using in this example.
- On the completion screen, click Cancel to close.
The process of creating a basic sysprep.inf file is now completed.
- Open c:\sysprep\sysprep.inf in Notepad and add the following lines to the relevant sections (if the heading doesn't exist, create it):
- We are not done with sysprep.inf yet! OemPNPDriversPath points to the c:\drivers directory created earlier. For organizational purposes, I split up my custom driver files based on category (i.e. hardware_cat in the example above). For example, all video drivers go under c:\drivers\video and network drivers under c:\drivers\network. In each of those directories, the specific driver bundles are placed with their driver inf files (i.e. driver_dir). For example, the latest nVidia drivers would go into c:\drivers\video\nVidia\. The last part, driver_inf, is just that: the name of the inf file. For example, for the latest nVidia driver, the path would be c:\drivers\video\nVidia\nv4_disp.inf. In sysprep.inf, the path would be written as OemPNPDriversPath=drivers\video\nVidia\nv4_disp.inf;. Do not forget the semi-colon as a separator. For the next driver, repeat the procedure by placing the path after the semi-colon without leaving a space. Once all the drivers are added, save the file.
- Run c:\sysprep\sysprep -bmsd. This will build the Windows XP standard mass storage drivers section.
- The -bmsd switch uses InstallFilesPath, which usually points to c:\sysprep\i386. I usually copy the contents of my XP CD's i386 directory into c:\sysprep\i386. This isn't necessary.
- Add any custom mass storage drivers to the [SysprepMassStorage] section as detailed above.
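As an added example (not the post's own code), the script below generates both pieces of sysprep.inf discussed above, the OemPNPDriversPath value and the custom [SysprepMassStorage] lines, from a drivers\ tree laid out the way the post describes (drivers\hardware_cat\driver_dir\driver_inf). The drivers\storage sub-folder name, the sample INF contents and the VEN_1234-style hardware IDs are assumptions and constructed data, not real driver files. One caveat: Microsoft documents OemPnPDriversPath as a list of driver folders rather than INF file names, so the script emits the folder that contains each INF; the [SysprepMassStorage] lines do point at the INF file itself, as in the post.

```python
"""Generate the driver-related sections of sysprep.inf from a drivers\\ tree.

Added example; it is not the post's own code. It assumes the layout the post
describes: a drivers\\ folder on the system drive with one sub-folder per
category, one folder per driver bundle inside that, and the bundle's INF in
that folder. Mass storage drivers are assumed to live under drivers\\storage
(assumed name). All INF contents below are constructed sample data, not real
driver files, and the hardware IDs are placeholders in the post's VEN_1234 style.
"""
import re
import tempfile
from pathlib import Path

# Hardware ID as it appears on an INF model line, e.g.
#   %Desc% = Install_Section, PCI\VEN_1234&DEV_0001&SUBSYS_00011234
# Only the VEN/DEV part is kept, which is what [SysprepMassStorage] keys on.
HWID_RE = re.compile(r"PCI\\VEN_([0-9A-Fa-f]{4})&DEV_([0-9A-Fa-f]{4})")

# Constructed sample INF files: (path parts under drivers\, contents).
SAMPLE_INFS = [
    (("video", "nVidia", "nv4_disp.inf"),
     "[Manufacturer]\n%Vendor% = Models\n\n[Models]\n"
     "%Desc% = Display_Inst, PCI\\VEN_1234&DEV_0010\n"),
    (("network", "intel", "e1000.inf"),
     "[Models]\n%Desc% = Net_Inst, PCI\\VEN_1234&DEV_0020\n"),
    (("storage", "vmscsi", "vmscsi.inf"),
     "[Models]\n"
     "%Desc% = Scsi_Inst, PCI\\VEN_1234&DEV_0001\n"
     "%Desc% = Scsi_Inst, PCI\\VEN_1234&DEV_0001&SUBSYS_00011234\n"
     "%Desc% = Scsi_Inst, PCI\\VEN_1234&DEV_0002\n"),
]


def build_sample_tree():
    """Write the constructed INFs into a throwaway drivers\\ tree and return its path."""
    root = Path(tempfile.mkdtemp()) / "drivers"
    for parts, text in SAMPLE_INFS:
        inf = root.joinpath(*parts)
        inf.parent.mkdir(parents=True, exist_ok=True)
        inf.write_text(text)
    return root


def find_inf_files(folder):
    """Every .inf under folder, sorted so the generated answer file is stable."""
    folder = Path(folder)
    if not folder.is_dir():
        return []
    return sorted(p for p in folder.rglob("*") if p.is_file() and p.suffix.lower() == ".inf")


def win_relpath(path, drivers_root):
    """Path of something under drivers_root, written as drivers\\... with backslashes."""
    return "\\".join(("drivers",) + Path(path).relative_to(drivers_root).parts)


def oem_pnp_drivers_path(drivers_root):
    """Value for OemPnPDriversPath in [Unattended].

    Entries are relative to the system drive, separated by semicolons with no
    spaces, and the value ends with a semicolon as in the post's example.
    The folder holding each INF is emitted, one entry per folder.
    """
    folders = []
    for inf in find_inf_files(drivers_root):
        rel = win_relpath(inf.parent, drivers_root)
        if rel not in folders:
            folders.append(rel)
    return ";".join(folders) + ";"


def mass_storage_entries(drivers_root, storage_subdir="storage", system_drive="c:"):
    """[SysprepMassStorage] lines: PCI\\VEN_xxxx&DEV_xxxx -> full INF path on the imaged drive.

    Only INFs under the (assumed) storage sub-folder are scanned; a SUBSYS
    suffix is dropped and a hardware ID listed more than once keeps its first INF.
    """
    entries = {}
    for inf in find_inf_files(Path(drivers_root) / storage_subdir):
        full_path = system_drive + "\\" + win_relpath(inf, drivers_root)
        for ven, dev in HWID_RE.findall(inf.read_text(errors="replace")):
            entries.setdefault(f"PCI\\VEN_{ven.upper()}&DEV_{dev.upper()}", full_path)
    return entries


def render_sections(drivers_root):
    """The two sysprep.inf sections as text, ready to paste into c:\\sysprep\\sysprep.inf."""
    lines = [
        "[Unattended]",
        "OemPnPDriversPath=" + oem_pnp_drivers_path(drivers_root),
        "InstallFilesPath=c:\\sysprep\\i386",
        "",
        "[SysprepMassStorage]",
    ]
    lines += [f"{hwid} = {path}" for hwid, path in mass_storage_entries(drivers_root).items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_sections(build_sample_tree()))
```

Running the script prints the two sections built from the constructed tree; point build_sample_tree at a real drivers\ folder (or call render_sections with its path) to produce lines for an actual image, then paste them into the matching sections of c:\sysprep\sysprep.inf.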
Sysprep is now complete. Part 2 discusses imaging.