Small Business Owners sometimes need their employees to access network resources from outside the office. One of the tools well suited to provide a Virtual Private Network connection to a company’s internal resources is Small Business Server 2003. Today’s article is about “How to Setup a VPN” ( Virtual Private Network) on SBS 2003 using the built in CEICW and RAS Wizards. We will also visit the Routing and Remote Access Service console in SBS 2003 (just a little bit) to see how access is granted and where current connections can be monitored.

BTW… our VPN walkthrough for SBS 2008 is here

How to configure a SBS 2003 VPN Server

Connect to Internet and open TCP port 1723 in RRAS Routing and Remote Access using the SBS 2003 CEICW

(NOTE: the default port for PPTP is TCP 1723)

• launch Server Management
• from the Home Page, select Internet and Email
• from the links in Manage Internet and Email, select Configure Remote Access
  • this will launch the Configure Email and Internet Connection Wizard
• click Next and move through the configuration screens until you reach the Firewall configuration screen
• select (  ) Enable Firewall, click Next
• check the box [   ] Virtual Private Network, click Next
• click Next and move through the configuration screens until you reach the final Completing the CEICW configuration screen and click Finish

Server Management SBS 2003

Manage Internet and Email SBS 2003

CEICW Configure Email and Internet Connection Wizard SBS 2003

Firewall - CEICW Configure Email and Internet Connection Wizard SBS 2003

Services - Virtual Private Network SBS 2003

Completing CEICW SBS 2003

completed successfully CEICW SBS 2003

At this point the CEICW wizard has gathered the fields and parameters necessary to execute our selections.  Most importantly for this walkthrough, CEICW configures the RRAS (Routing and Remote Access Service) for our VPN. This opens the firewall TCP port 1723 which is the default port for PPTP VPN traffic in Windows Server. The CEICW also opens other ports based on our selections for all services that the wizard has configured.

The next step (now that TCP Port 1723 is open), is to enable and configure the Remote Access Services (RAS).

Enable Remote Access and VPN from the SBS 2003 To Do List

• launch Server Management
• select the To Do List
• in the To Do List, select (3) Configure Remote Access
• this will launch the Remote Access Wizard ,click Next
• select (   ) Enable remote access
  • select the check box [   ] VPN access
  • if needed, select the check box [   ] Dial-in access
• enter the VPN Server Name and click Next
• at the  Completing the Remote Access Wizard screen, click Finish

To Do List - Configure RAS SBS 2003

Remote Access Wizard SBS 2003

Remote Access Method SBS 2003

VPN Server Name SBS 2003

Completing Remote Access Wizard SBS 2003

I consider this final page of the SBS 2003 Remote Access Wizard  (directly above) a little gem for the Administrator. It’s helpful because it provides details informing us of what is about to occur:

• Enable virtual private networking (VPN)
• Create packet filters for Point-to-Point Tunneling Protocol (PPTP)
• Enable Point-to-Point Tunneling Protocol (PPTP) to pass through the firewall (NOTE: this step already completed using CEICW)
• Use DHCP to assign IP addresses to remote client computers
• Create the Client Connection Manager configuration file, which is used to configure remote access settings on remote client computers.
• Configure the remote access policy to allow members of the Mobile Users group to use remote access.
• Mobile client computers, such as laptops, that are currently connected to the local network can now be configured with the connection settings. Do this by running the Setup Computer Wizard and selecting the option to install Connection Manager.
• Remote client computers not currently connected to the local network can download Connection Manager from the Remote Web Workplace Web site at https://vpn.ourcompany.com/remote. Alternatively, you can create a remote connection disk. You can then use the disk to configure the remote client computer to connect to the local network.

Remote Access Configuration successful SBS 2003

Understanding where Remote Access Service lives in Small Business Server 2003

The Remote Access Service can be viewed by launching the Microsoft console for Routing and Remote Access Management (RRASMGMT.msc) from the Administrative Tools of Windows Server.

• GO TO Start menu
• hover over Administrative Tools and then select Routing and Remote Access
• the RRASMGMT.msc will launch

Routing and Remote Access Service SBS 2003

Among thenodes for Network Interfaces, Ports, and IP Routing are Remote Access Clients, Remote Access Policies and Remote Access Logging. It is here where the Remote Access Wizard has configured RAS to permit your Client Workstations and Client Laptops to connect to your VPN. Becoming familiar with the RRASMGMT console is important when managing, troubleshooting, and maintaining Remote Access to your server.

RRAS - Remote Access Policies SBS 2003

By looking at Remote Access Policies, we can see the RAS Wizard has created a Small Business Remote Access Policy (a set of rules to govern the connection – such as “who” can connect)

RRAS - Small Business Remote Access Policy SBS 2003

The Small Business Remote Access Policy Properties dialog box displays which Windows Groups must match the policy to be allowed access to the VPN. In this case, it is the SBS Mobile Users Group. Therefore, whatever users you intend to have access to the SBS 2003 VPN must have membership in the SBS Mobile Users Group.

RRAS - Remote Access Policy properties SBS 2003

Opening this Policy entry confirms that in Small Business Server 2003, there is only one Group by default that is granted access by the RAS Wizard. Adding users to this group is easy. As an administrator, access the Users tools in the SBS Server Management console. Any user may be granted VPN Access by giving them membership in the Mobile Users Security Group. (NOTE: Power Users Security Group, or Administrators Security Group also have access).

SBS Default User Templates are:

• Users Template
• Mobile Users Template (includes membership in the SBS Mobile Users Group)
• Power Users Template
• Administrator Users Template

The SBS Mobile Users is sufficient as Power Users and Administators obviously have additional access permissions.

RRAS - Groups in Remote Access Policy SBS 2003

To read more about RAS and Routing and Remote Access in Small Business Server, please read the Elements of a remote access policy section of the Remote Access Help.

HELP - Remote Access Policy Help SBS 2003

Configuring the External Hardware Firewall for VPN Virtual Private Network access

Once the CEICW and RAS wizards have been properly run on the Small Business Server, the next step is configuring the hardware or “external” FIREWALL.

Most Small Business Networks deploy a hardware firewall of some sort (or at least enable the firewall in the Internet Router). How to configure a hardware firewall will vary from device to device. The key first step is to open the TCP port 1723 to pass PPTP Point to Point Tunneling Protocol traffic INBOUND to your SBS Server. Please read your firewall documentation to confirm your methods.

Key points include:

• PPTP “FIRST” – TCP Port 1723 must be allowed to pass PPTP traffic INTO your SBS 2003 server. This is accomplished in two ways depending on the number of Network Interface Cards installed on the SBS server.
  • 2 NICs – create an INBOUND rule passing TCP Port 1723 to the Wide Area Network (WAN) facing Network Interface card installed on the SBS Server. This routes an Internet request to a special NIC uses specifically to harden access to the SBS Server (SBS 2 NIC scenario).
  • 1 NIC – create an INBOUND rule “port-mapping” TCP Port 1723 to the Local Area Network (LAN) facing Network Interface card – port mapping is generally done when only one network interface is installed on the SBS Server and an outside IP address must be “mapped” to an internal LAN IP address. This routes a request from the Internet directly to a Local Network IP inside your network for the SBS Server (SBS 1 NIC scenario).
  • Your firewall may describe these terms: PPTP, Port 1723, VPN, Remote Access, etc….
• GRE “SECOND but not least important” – GRE Protocol 47 must be allowed to pass traffic also (this allows “Authentication” to occur over PPTP VPN connection once the connection has been made)

… Generic Routing Encapsulation (the GRE Protocol 47) passes IPSec traffic (Internet Protocol Security) for the IPSec session that is part of Client Computer connection process. If the GRE protocol does not pass, the connection cannot “authenticate”. This “Authentication” failure will occur even when PPTP traffic has been allowed by opening TCP Port 1723 (PPTP) on your firewall. GRE issues most often occur client side when a GRE block results in the Username and Password authentication failing to process because of the block. In this case, the VPN connection simply times-out on the client side. This is experienced by the User as a Verifying User name and password dialog (show during the connection process) that just hangs there with the progress bar running on and on.

To pass GRE Protocol 47 on your firewalls (Client side -and- Server side) look for features that:

• enable the “VPN feature” (if one exists)
• enable “IPSec pass through” (if a simple IPSec pass through exists)
• expressly allow the GRE protocol (GRE = Protocol 47)
• explicitly create Inbound and Outbound rules allowing GRE and IPSec passthrough
• NOTE: you may have to upgrade your Router’s Firmware or your Firewall’s Firmware to enable/access these features on older devices

An explicit Rule (if you have to define one) would take on these objectives:

#PPTP Virtual Private Network
pass protocol tcp, to port 1723 >> state, done
pass protocol 47 >> done

Whatever the case, passing GRE Protocol 47 from inside>out is needed to allow IPSec traffic for your authentication. This is most often a concern for the end user (NOT THE SERVER SIDE – BUT ON THE CLIENT SIDE) in that their home firewalls may block and often block GRE traffic by default. Please provide these helpful links about GRE and passing Generic Routing Encapsulation traffic to your users.

• Troubleshooting remote access VPNs
• You receive an “Error 721″ error message when you try to establish a VPN connection through your Windows Server-based remote access server
• VPN Tunnels – GRE Protocol 47 Packet Description and Use

Connect Client Workstations to the Small Business Server 2003 VPN Virtual Private Network

For administrators it should be clearly understood: Clients that frequently connect to a VPN “should be JOINED” to the Domain. This includes users who work at home, mobile sales people (laptop users), etc… Joining COMPUTERS to the Domain achieves a fundamental goal (improving security) by enabling the Domain to authenticate the “computers” as well as the users. Verifying COMPUTER ACCOUNTS provides a 2nd additional form of identity and therefore an additional layer of security. Joining computers to the Domain happily also makes accessing domain resources much easier.

In Small Business Server specifically, special consideration must be given to the “way users are joined to the SBS domain”. Small Business Server primarily uses the connectcomputer wizard. This must be taken into account for VPN users when first establishing their connections to SBS as the SBS Network Configuration Wizard (i.e. connectcomputer wizard) cannot be invoked “over the internet”. Machines therefore, intended for VPN use, should be brought into the corporate office if at all possible.

Note, a manual join over the internet can be achieved “IF” the user has the Join Workstations to Domain User Right or if the Administrator has previously created the COMPUTER ACCOUNT on SBS.

The two solutions are:

1. CONNECTCOMPUTER WIZARD: Bring Client Computer to the Office. Use CONNECTCOMPUTER wizard in SBS 2003. Join computers intended for VPN connectivity to the Domain while connected to the SBS LAN. It is really best (and simplest) to plug-in directly to the internal network (and the Small Business Server) prior joining workstations/laptops
   1. In this scenario the COMPUTER is connected to the LAN and the connectcomputer wizard is accessed using Internet Explorer and typing http://connectcomputer.
   2. Once joined, the computer(s) can be relocated offsite, placed in a remote offices, secured for mobile use, etc….
   3. NOTE: this provides the added benefit of also being able to distribute applications, scripts and policies right away throug your network via Group Policy.
2. MANUAL JOIN: VPN computers can be manually joined to the domain by adding the COMPUTER account using traditional manual methods
   1. Administrators can first “manually add” the COMPUTER account on SBS Server (this is done in advance of a User connecting to the VPN). The User then connects to the VPN and then JOINs the machine to the Domain the first time. The Users must already be a member of the SBS Mobile Users Group to connect to the VPN. In this scenario the Users logs on to VPN – and then – using the computers System dialog, changes the DOMAIN NAME and the COMPUTER NAME to the Name created manually by the Administrator. This will JOIN the workstation to the domain
   2. End Users can also JOIN a computer to the domain if they are granted the Join Workstations to Domain User Right. The Users must already be a member of the SBS Mobile Users Group to connect to the VPN. In this scenario the Users logon to the VPN first – and then – using the computers System dialog, change the COMPUTER NAME themselves and JOIN the workstation to the domain themselves. End Users must be given the  Join Workstations to Domain User Right to JOIN workstations outright with Administrator help (NOTE: this user right can be granted temporarily).

EXAMPLE – HOW TO CHANGE COMPUTER NAME AND DOMAIN NAME AND “JOIN A DOMAIN” FROM A REMOTE SITE (for your Mobile/Remote Users)

• Open the System tool in Control Panel
  • ON WIndows XP and Windows Server 2003 clients, click the Computer Name tab and then click Change
  • ON Windows 2000 clients, click the Network Identification tab and then click Properties
  • enter the Computer Name provided by the administrator
• click OK confirm the settings
• restart the computer
• logon to the computer
• Connect to the SBS network using a VPN connection
• Open the System tool in Control Panel
  • ON WIndows XP and Windows Server 2003 clients, click the Computer Name tab and then click Change
  • ON Windows 2000 clients, click the Network Identification tab and then click Properties
• sele in the Member of section ct the radio button (  ) Domain:
• in the Domain: field, enter the name of your DOMAIN
• NOTE: the computer name should already have been changed correctly in the previous step (this is done in a 2 step process with a restart because I’ve seen failures numerous times on SBS if the COMPUTERNAME is not already configured when JOINING the network)
• click OK, click OK, restart the Computer

Testing a Client VPN Connection and confirming DHCP is assigning VPN IP Addresses

Once your VPN is setup and the Firewall rules established, testing your VPN is the next step. A Client Computer should be used to create a VPN Connection to the SBS 2003 Server and test the SBS 2003 VPN. Workstations have this connectivity built in and making the connection is as easy as using the Network Connection wizard available in both Windows Vista or Windows XP.

Since this article is about the Server side, I want to focus on one particularly “overlooked” aspect of VPN connections…. DHCP.

Earlier in our article (when we described just exactly what the Remote Access Setup Wizard accomplishes) we learned the RAS wizard completes this task:

• Use DHCP to assign IP addresses to remote client computers

The importance of this can be most effectivly communicated with a screenshot of the DHCP  management console. This screen shot is taken after VPN connections have been made.

DHCP management console with Remote Access Services leases Small Business Server 2003

Looking at the DHCP console, we can see a series of leases assigned to the Remote Access Service (you can confirm a RAS lease is made just by looking under the Unique ID column for the word RAS ). In viewing DHCP we confirm both the RAS description on Unique ID as well as a different icon (computer with phone) for IP leases from RAS. Realizing then that RAS is handing out IP’s from DHCP , we recognize why the SBS DHCP service is so important to the Client VPN connections made through RAS.

When the Remote Acccess service is properly configured and a remote connection is made the the VPN, the Remote Access service grabs a range of IP addresses from DHCP. These IP’s are reserved for additional VPN clients “immediately” upon the first VPN connection being made. The default number of additional leases requested by RAS (and reserved from DHCP) is 10.

The reason we discuss this here is that Small Business Server 2008 is designed to shut down the DHCP Service “automatically” if it senses another DHCP Server anywhere on the network (routers, wireless routers, DSL modems, Firewalls, etc…).  Although this may seem a little “off-topic”, in reality it’s not. In short, if DHCP fails or is disabled on SBS, there is no way for SBS DHCP to provide DHCP leases to RAS.

While most administrators review their network topology and know exactly how DHCP is implemented (some small offices do not). When the LAN has been happily functioning based on DHCP “working somewhere”, it’s not always a big deal. However, being clear on where and how IP’s are handed is very important for your VPN Connections. Not only this, but in some Small Business Server deployments I have been asked to review, DHCP is intentionally given over to the Internet Router so that if there is a Server failure, client computers can still access the internet. While this may be a reasonable solution on some levels (one I do not support BTW), it does negate all the additional DHCP configurations that are made or customized by the SBS DHCP Server. Failing to use the SBS DHCP Service in this case can lead to incorrect scope options, proper DNS Server not being defined, entires in SBS DNS never being seen by the network, and so on.

The key point for our article is this, if the DHCP Service has been assigned to an Internet Router or some other device in your network, the Remote Access Service may not be able to provide (or authorized to request) DHCP address to client computers making VPN connections.

A properly configured VPN that can appropriately access DHCP on Small Business Server 2008 will effectivvely provide DHCP leases to both client computers on the LAN and remote access computers connecting on the VPN.

To see this in it’s VPN form, let’s take a look at this sample IP Configuration from a client computer which has connected to a SBS VPN. In this Configuration please note there are two IP leases that have been made.

1. one using the PPP WIGITAL VPN Connection
   1. note the ourcompany.pri Domain (provided by DHCP on the SBS 2008 Server)
   2. note the 10.13.15.x subnet (provided by DHCP on the SBS 2008 Server)
2. one using the Wireless Network Connection
   1. note the my.homenetwork.local Domain (provided by the home network Wireless Service Set)
   2. note the 192.168.1.x subnet (provided by the home network Wireless Service Set)

To view this data: from the computer connected to the VPN, go to Start, Run, type CMD, at the command line type IPCONFIG /ALL

Windows IP Configuration

Host Name . . . . . . . . . . . . : my-mackbookpro
Primary Dns Suffix . . . . . . . : ourcompany.pri
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ourcompany.pri
my.homenetwork.local

PPP adapter WIGITAL VPN Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WIGITAL VPN Connection
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.13.15.18(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 10.13.15.1
Primary WINS Server . . . . . . . : 10.13.15.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8058 PCI-E Gigabit Ethernet
net Controller
Physical Address. . . . . . . . . : 00-2F-F3-D0-EE-93
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : my.homenetwork.local
Description . . . . . . . . . . . : Brodcom 802.11n Network Adapter
Physical Address. . . . . . . . . : 00-2F-6B-CC-37-2C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b81a:ccdf:b0b4:254d%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.46(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, March 08, 2009 7:34:16 PM
Lease Expires . . . . . . . . . . : Monday, March 09, 2009 7:34:18 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Reviewing the IPCONFIG DATA should give us all ample reminder to check out DHCP, confirm DHCP is providing leases to the Remote Access Server and work with our client connections to make sure those leases are being handed out properly.

That concludes our article.

Thanks for reading. Please comment for the community. If this information has helped you, please link back here. It helps us as well as others who may need the information.

Thank you.
Mark Raborn
WIGITAL