How to Setup VPN on Server 2008 Enterprise with a single NIC

    Question

  • I have a SharePoint server installed on my server, and I understand that for users outside my network to access the SP sites they need to VPN.

    Can someone please get me directions on how to set up a VPN on my server using just one NIC?

    Also I don't have AD installed on the server, I don't know if that is needed.

    Sunday, March 20, 2011 12:54 PM

All replies

  • You can easily create a VPN server with one NIC. And it's recommended to not run RRAS/NPS on a domain controller. You can run it on a member server of an AD infrastructure and use AD accounts to allow logon. If not using AD, you have to create accounts for each user on the local RRAS machine.

    You didn't post what operating system you are using, so here are some links to assist you with both operating systems.

    ======
    Configure RRAS and VPN for 2008/2008 R2:


    Remote Access Deployment – Part 2: Configuring RRAS as a VPN server
    http://blogs.technet.com/b/rrasblog/archive/2009/03/25/remote-access-deployment-part-2-configuring-rras-as-a-vpn-server.aspx

    Routing and Remote Access Service on Windows 2008 & Windows 2008 R2
    Sep 30, 2009 ... The following describe how to configure RRAS: The following topics are still relevant to Windows Server 2008 and Windows Server 2008 R2, ...
    http://technet.microsoft.com/en-us/library/cc754634(WS.10).aspx

    How to configure Windows 2008 Server IP Routing
    Dec 11, 2008 ... Figure 5: The Win 2008 Role Services are part of the Network Policy and Access Services Role.
    http://www.windowsnetworking.com/articles_tutorials/How-configure-Windows-2008-Server-IP-Routing.html

    YouTube Video: How To Install and Configure RRAS NAT & VPN -
    How to install routing and remote access server and test the installation with a vpn connection.
    http://www.youtube.com/watch?v=wpt2z3LA0dQ

    VPN server deployment: IP Addressing, Routing/NAT, Single vs two NIC
    http://blogs.technet.com/b/rrasblog/archive/2006/09/20/vpn-server-deployment-ip-addressing-routing-nat-single-vs-two-nic.aspx

     

    ======
    Windows 2003 - Configure VPN in RRAS

    Configure a Windows Server 2003 VPN on the server side (screen shots)
    http://articles.techrepublic.com.com/5100-10878_11-5805260.html

    Configure a Windows Server 2003 VPN on the server side
    http://www.techrepublic.com/article/configure-a-windows-server-2003-vpn-on-the-server-side/5805260

    Remote access/VPN server role: Configuring a remote access/VPN ...
    Remote access/VPN server role: Configuring a remote access/VPN server. Updated: January 21, 2005. Applies To: Windows Server 2003, Windows Server 2003 R2, ...
    http://technet.microsoft.com/en-us/library/cc736357(WS.10).aspx

    How to install and configure a Virtual Private Network server in ...
    You can configure the VPN server to use either Windows Server 2003 or Remote ...
    http://support.microsoft.com/kb/323441

    Virtual Private Networks
    Configure and deploy VPN connections to client computers that are ready to ...
    http://technet.microsoft.com/en-us/network/bb545442

    Windows 2000/2003 - How to configure VPN Server with single NIC on Windows Server
    http://blogs.technet.com/b/rrasblog/archive/2006/06/19/437171.aspx

     

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by capiono Monday, March 21, 2011 1:23 PM
    Sunday, March 20, 2011 10:29 PM
  • Thanks Ace, 

    Monday, March 21, 2011 1:21 PM
  • You are welcome! :-)

     



    Monday, March 21, 2011 1:41 PM
  • Hi Ace

    I am also trying to set up a similar configuration on Windows Server 2008.

    I have a 2008 Server with a single NIC, not using AD, DHCP controlled by the modem/router.

    I have gone through the installation process for installing remote access correctly and have configured VPN with a custom configuration as I believe I need to with a single NIC.

    I have then created a network policy to allow "users" group access and left all of these settings default (with the exception of adding in the users group obviously)

    Finally I have right clicked on the server in Routing and Remote access and gone to properties / IP4 and set an IP pool in there within the range of the modem/router.

    Still, when I try to connect from a remote PC it sits on "Connecting to xxx using 'WAN Miniport (SSTP)'" and ends up failing with "Error 800".

    I am able to remote connect to the server from my remote location and computer so connectivity does exist.

    Friday, April 08, 2011 9:21 AM
  • VPN Error 800 tells me that the necessary ports are not opened on your perimeter firewall, or the perimeter firewall has an older IOS that doesn't properly support inbound PPTP traffic.

    If you can create a VPN connection from a test machine on the same internal subnet to the VPN server, then that says the VPN service is properly configured. Just the fact that remote desktop works from the outside world doesn't mean anything for VPN services, but at least it tells me that you have TCP port 3389 opened properly for remote administration.

    I would also suggest to not use DHCP on the router/firewall, rather use DHCP on a Windows Server. There are numerous options that firewall DHCP services do not support, especially with Active Directory and Secure Dynamic DNS Updates, and keeping the DNS zone clean from duplicate host records. I realize you're not using AD, but just thought to let you know that firewalls have their limitations.

    The VPN ports that need to be port-remapped (or as some call it "port translated," whichever terminology is used) are:

    • TCP 1723
    • ProtocolID #47 (This is not a Port#, rather it is a ProtocolID#). This is also known as "GRE"

    I don't know what kind of router/firewall you have, but you would configure GRE differently based on the way different firewalls' administration is set up. For example in a Cisco ASA, I would create a rule to allow 1723 to the server, then I would allow "GRE" inbound. On a Linksys, if I remember correctly, they refer to it as "VPN Passthrough." So it depends on your firewall. You would have to consult your firewall's documentation on how to do that.

    Ace

     



    Friday, April 08, 2011 9:18 PM
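
The inside-versus-outside check described in the reply above, as an added example that is not part of the original thread: it probes TCP 1723 with a timeout and maps the two results to the conclusions the reply draws. The function names `Test-TcpPort` and `Get-PptpDiagnosis` and the address `192.0.2.10` are assumptions made for illustration.

```powershell
# Added example (not from the thread). Works on PowerShell 2.0 and later.
function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 1723,          # PPTP control channel, per the reply above
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'NoResponse'     # no reply in time, typical of a filtering firewall
        }
        $client.EndConnect($pending) # throws if the connection was refused
        return 'Open'
    }
    catch { return 'Refused' }      # nothing listening, unreachable, or name did not resolve
    finally { $client.Close() }
}

# Turn the inside/outside results into the conclusion the reply draws.
function Get-PptpDiagnosis {
    param([string]$Inside, [string]$Outside)
    if ($Inside -ne 'Open') {
        return 'TCP 1723 is not reachable even on the LAN: check the RRAS service and the server''s own firewall.'
    }
    if ($Outside -ne 'Open') {
        return 'TCP 1723 works on the LAN but not from outside: the perimeter firewall is not forwarding it.'
    }
    return 'TCP 1723 is reachable from both sides; if the tunnel still fails, check that GRE (protocol 47) is allowed. GRE cannot be tested with a TCP connect.'
}

# Placeholder address (assumption): use the server's LAN IP for the inside run,
# and the router's public address for the run from the remote location.
$state = Test-TcpPort -ComputerName '192.0.2.10'
"TCP 1723 from $env:COMPUTERNAME : $state"

# After both runs, feed the two results in (constructed sample values shown):
Get-PptpDiagnosis -Inside 'Open' -Outside 'NoResponse'
```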