Thread: Windows Server 2008 VPN setup

  1. #1
    Tom M Guest

    Windows Server 2008 VPN setup

    Hello all,

    I am in the middle of setting up (from scratch) a network for our non-prof,
    built on a recently installed Windows Server 2008 Enterprise. I
    am a newbie but have been successful in setting up the basics of the
    network: Internet and LAN, DHCP, DNS, Active Directory. Clients can
    authenticate, receive an IP from the DHCP server, etc. There are
    three major tasks left: VPN, Secure wireless, and a DMZ wireless. I
    would very much appreciate your help with setting up VPN.

    Here are the relevant parts of the network for background info:
    Basic router (Linksys BEFSX41), IP 10.0.1.1, Subnet 255.255.255.0
    Switch (D-Link DSS-16)
    Server 2008 Server Enterprise w/ 2 NICs (Connected to router: IP
    10.0.1.12, Subnet 255.255.255.0, Gateway 10.0.1.1, DNS 10.0.0.12)
    (Connected to switch: IP 10.0.0.12, Subnet 255.255.255.0, Gateway
    [blank], DNS 10.0.0.12)
    Client workstations running XP Pro or Vista Business
    Switch is NOT connected to router
    On the server, I have the following roles currently installed: AD,
    ADCS, NPAS, DNS, DHCP

    I have been trying to cobble together the following approaches:
    http://www.windowsecurity.com/articl...ver-Part2.html
    http://www.howtonetworking.com/Windows/vpnsetup.htm

    But I've been unsuccessful so far. From what I'm gathering, I can't
    do NAT because XP may not support it, which I'm fine with. So does
    anyone have any pointers? Do I need a third NIC? Do I need to go
    through all this creating a certificate stuff? I'm a bit confused.

    Thanks
    Tom

  2. #2
    Robert L. (MS-MVP) Guest

    Re: Windows Server 2008 VPN setup

    First of all, we don't recommend installing VPN on a DC or on a DC running
    as a multihomed computer. Check this search result.

    Name resolution on VPN
    Can't access domain resource when establishing a VPN from Vista. Can ping
    FQDN but not host name. Can't ping VPN client by name. Connection issues
    on DC, ...
    www.chicagotech.net/nameresolutionpnvpn.htm

    If you don't have budget to buy another server as VPN, you may need to
    configure the DC to register only one DNS or WINS, if you have enabled it, as
    the above link discusses. You don't need a 3rd NIC.


    What's the problem? Can't setup VPN on the server? Or you setup VPN, the VPN
    client can't access it?

    --
    Bob Lin, MS-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com

  3. #3
    Bill Grant Guest

    Re: Windows Server 2008 VPN setup

    I agree with Bob. Don't even think of enabling VPN on your DC.

    If you must have VPN access to your network, read the documentation for
    the Linksys BEFSX41.



  4. #4
    Tom M Guest

    Re: Windows Server 2008 VPN setup

    Bob and Bill,

    Thanks for the reply!

    > First of all, we don't recommended install VPN on a DC and a DC running
    > multihomed computer. Check this search result.
    >
    > Name resolution on VPNCan't access domain resource when establishing a VPN
    > from Vista Can ping FQDN but not host name. Can't ping VPN client by name.
    > Connection issues on DC, ...
    > www.chicagotech.net/nameresolutionpnvpn.htm
    >
    > If you don't have budget to buy another server as VPN, you may need to
    > configure the DC to register only one DNS or WINS if you have enable it as
    > the above link discusses. You don't need 3rd NIC.


    Gotcha. What I'm actually running is one server (the DC) as a Virtual
    Machine. I was planning to create another VM to do file and print
    sharing, and act as backup DC. Would you advise that I put the NPAS
    role on the second machine to handle VPN connections?

    > What's the problem? Can't setup VPN on the server? Or you setup VPN, the VPN
    > client can't access it?


    Well, the 2008 instructions I found --
    http://www.windowsecurity.com/articl...ver-Part2.html
    -- are for setting up an SSTP connection, but I think I want to do
    L2TP/IPSec because we will have XP and Vista computers VPN'ing in. So the
    problem is I didn't know what was irrelevant in the instructions, and/or
    if there was something additional I needed to do.

    Of course, then the challenge is testing it!

    **

    Actually, I've decided to tackle setting up the secure wireless first
    because that is more pressing. I will post a new topic soon
    addressing that. I'd very much appreciate your comments on it, if you
    are available.

    Thanks!
    Tom

  5. #5
    Bill Grant Guest

    Re: Windows Server 2008 VPN setup



    "Tom M" <thomas.a.meier@gmail.com> wrote in message
    news:1b8bb056-fadd-484e-a817-dfb485bd88bc@r41g2000yqm.googlegroups.com...
    > Bob and Bill,
    >
    > Thanks for the reply!
    >
    >> First of all, we don't recommended install VPN on a DC and a DC running
    >> multihomed computer. Check this search result.
    >>
    >> Name resolution on VPNCan't access domain resource when establishing a VPN
    >> from Vista Can ping FQDN but not host name. Can't ping VPN client by name.
    >> Connection issues on DC, ...
    >> www.chicagotech.net/nameresolutionpnvpn.htm
    >>
    >> If you don't have budget to buy another server as VPN, you may need to
    >> configure the DC to register only one DNS or WINS if you have enable it as
    >> the above link discusses. You don't need 3rd NIC.
    >
    > Gotcha. What I'm actually running is one server (the DC) as a Virtual
    > Machine. I was planning to create another VM to do file and print
    > sharing, and act as backup DC. Would you advise that I put the NPAS
    > role on the second machine to handle VPN connections?
    >


    No, you are not getting the message. Do not run RRAS on a DC. Do not run
    a DC as a remote access server or as a router. Do not run a DC in any config
    where it will have more than one IP address. (The only exception is SBS
    which is designed to run in that sort of config. If you have used SBS in the
    past, you may have run a config like that without problems). For a
    background on the problems, see KB292822.
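
The advice in this post can be checked on a live server. The script below is an added example, not something posted by anyone in the thread: it uses read-only WMI queries to report whether the machine is a domain controller, how many IPv4 addresses it holds, whether Routing and Remote Access is active, and how many adapters register in DNS. It assumes Windows PowerShell is installed on the server.

```powershell
# Added example: audit a server against the "no RRAS, one IP on a DC" advice.
# Read-only; nothing is changed on the machine.

# DomainRole: 4 = backup domain controller, 5 = primary domain controller
$cs   = Get-WmiObject -Class Win32_ComputerSystem
$isDC = ($cs.DomainRole -ge 4)

# Collect every IPv4 address bound to an IP-enabled adapter
$nics = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")
$ipv4 = @()
foreach ($nic in $nics) {
    foreach ($addr in $nic.IPAddress) {
        if ($addr -match '^\d{1,3}(\.\d{1,3}){3}$') { $ipv4 += $addr }
    }
}

# RemoteAccess is the service name of Routing and Remote Access (RRAS)
$rras = Get-WmiObject -Class Win32_Service -Filter "Name = 'RemoteAccess'"
$rrasActive = ($rras -ne $null) -and
              (($rras.State -eq 'Running') -or ($rras.StartMode -eq 'Auto'))

# Adapters that register their addresses in DNS; on a multihomed DC each
# one contributes its own host record for the same server name
$registering = @($nics | Where-Object { $_.FullDNSRegistrationEnabled })

$findings = @()
if ($isDC -and ($ipv4.Count -gt 1)) {
    $findings += "DC has more than one IPv4 address: " + [string]::Join(', ', $ipv4)
}
if ($isDC -and $rrasActive) {
    $findings += "RRAS is running or set to start automatically on a DC"
}
if ($isDC -and ($registering.Count -gt 1)) {
    $names = @($registering | ForEach-Object { $_.Description })
    $findings += "More than one adapter registers in DNS: " + [string]::Join('; ', $names)
}

"Computer: {0}  DomainRole: {1}  IPv4: {2}" -f $cs.Name, $cs.DomainRole, [string]::Join(', ', $ipv4)
if ($findings.Count -eq 0) { "No findings." } else { $findings }
```

On the server described in the first post (a DC with addresses 10.0.1.12 and 10.0.0.12), the first finding would be reported.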


  6. #6
    Tom M Guest

    Re: Windows Server 2008 VPN setup

    > No, you are not getting the message. Do not run RRAS on a DC. Do not run
    > a DC as a remote access server or as a router. Do not run a DC in any config
    > where it will have more than one IP address. (The only exception is SBS
    > which is designed to run in that sort of config. If you have used SBS in the
    > past, you may have run a config like that without problems). For a
    > background on the problems, see KB292822.


    The kb article you mentioned only references Server 2000 and 2003 --
    not 2008, which is what we have. Does this still hold true for 2008?

  7. #7
    Bill Grant Guest

    Re: Windows Server 2008 VPN setup

    Indeed it does.



  8. #8
    Tom M Guest

    Re: Windows Server 2008 VPN setup

    On Feb 25, 7:34 pm, "Bill Grant" <not.available@online> wrote:
    > Indeed it does.


    Thanks. I am going to reconfigure this stuff. I found some good
    sources on TechNet. I currently have 2 NICs in the server. I am
    thinking I don't really need that since you're saying it shouldn't be
    a router. The remaining NIC will simply plug into the switch, and
    DHCP clients will set the gateway to the real router, rather than the
    2nd NIC on the server. Sound good? Or should I route Internet traffic
    through another 2 NICs on another server and keep the LAN separate as
    I currently have it?

    Tom


  9. #9
    Robert L. (MS-MVP) Guest

    Re: Windows Server 2008 VPN setup

    Correct, just one NIC on the DC.

    --
    Bob Lin, MS-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com
