With a VPN, enterprise employees can connect to the enterprise's VPN server at any time and reach the enterprise's internal network. The "Routing and Remote Access" service of Windows Server 2003 lets you implement a software-based VPN.
VPN (Virtual Private Network) is a virtual private network: a temporary, secure, simulated point-to-point connection established across a public network (such as the Internet). It is an information tunnel through the public network, and data can be transmitted securely across the public network through this tunnel, which is why a VPN is sometimes vividly described as "a network within the network". The key to securing the data in transit is the tunnel protocol. Common tunnel protocols are PPTP, L2TP, and IPsec.
The setup described here is a server and a client that are both connected to the Internet over ADSL, with the server running Windows Server 2003. The VPN connection is established between the client and the server across the Internet.
The VPN server needs two network cards: one connected to the intranet and one connected to the Internet.
Authentication: determines which users may access server resources over the VPN. In a domain, authentication is performed by the domain controller (DC).
Authorization: checks whether the client is permitted to dial in to the server and whether the dial-in conditions (time of day, protocol, and so on) are met.
How the VPN works:
1. The VPN client sends a dial-in request to the VPN server.
2. The VPN server passes the credentials to the DC for authentication and obtains the authorization information.
3. The VPN server responds to the client's dial-in request.
4. The VPN server establishes the connection with the client and data transfer begins.
In the workgroup (non-domain) model, the VPN server performs the authentication itself: the dial-in request is checked against the server's local SAM database.
1. VPN (tunnel) protocols: PPTP and L2TP.
2. PPTP: Point-to-Point Tunneling Protocol, encrypted with the Microsoft Point-to-Point Encryption (MPPE) algorithm. This is the protocol used by default, and it runs over IP networks such as the Internet.
L2TP: no encryption by default. To encrypt the tunnel, combine it with IPsec (L2TP/IPsec). It runs over the Internet and also over X.25 and ATM.
Caveat: the MPPE keys used by PPTP are derived from the MS-CHAPv2 password exchange, and a captured MS-CHAPv2 handshake can be cracked offline (it reduces to a DES key search), so PPTP should be treated as obsolete for anything crossing the public Internet. Prefer L2TP/IPsec where the clients support it, and never enable PAP or CHAP alongside it.
User account dial-in permissions: the conditions, the permission setting, and the profile of the remote access policy together determine whether a client can dial in to the VPN network.
The profile includes: permitted dial-in hours, IP address range, multilink settings, authentication method, and encryption level.
Configuration path: Routing and Remote Access > Remote Access Policies > set the conditions and the profile.
To configure the VPN server, follow these steps:
First open "Routing and Remote Access" from Administrative Tools, or run rrasmgmt.msc from Start > Run. In the Routing and Remote Access console, right-click the server and choose Configure and Enable Routing and Remote Access.
The Routing and Remote Access Server Setup Wizard appears. Click Next, select Custom configuration, and click Next.
Select VPN access and click Next.
Click Finish.
In the Routing and Remote Access dialog box that appears, click Yes to start the service.
The VPN service is now running. Right-click the server name and choose Properties. On the IP tab, under IP address assignment, select Static address pool and click Add.
In the Start IP address and End IP address boxes, enter the addresses and click OK.
Click OK.
Tip: assigning client addresses from a static address pool avoids the DHCP lookup and shortens connection setup.
You can specify the start and end addresses yourself (for example, 192.168.0.10 to 192.168.0.50). If DHCP is already configured on this host, you can instead select Dynamic Host Configuration Protocol (DHCP), at the cost of a longer connection time.
Back in the Properties dialog box, click OK to complete the initial configuration.
Tip: if the server has a fixed public IP address, clients can establish a VPN connection at any time. If the server reaches the Internet over ADSL dial-up with a changing address, you must notify the clients after each address change, or use a dynamic DNS service.
Grant the remote connection permission to the user
For security reasons, once the VPN server is configured all users are denied dial-in access (the initial state). You must therefore grant dial-in permission to the specific users who need it. The procedure is as follows:
1. On the VPN server, right-click My Computer and choose Manage.
In the Computer Management window, expand Local Users and Groups and select Users.
If the computer is a domain member, open the user in Active Directory Users and Computers instead.
2. In the user's Properties dialog box (the example account is named test), click the Dial-in tab. Under Remote Access Permission select Allow access, and click OK.
Tip: if the domain functional level is Windows 2000 mixed, the "Control access through Remote Access Policy" option is unavailable; raise the domain functional level to a native mode to use it.
3. Setting Allow access directly on the account is in fact the coarsest and least secure form of control: it bypasses the policy's conditions (time of day, authentication method, encryption level). We recommend controlling access through a remote access policy instead, which requires you to customize the Remote Access Policy on the server (in an Active Directory environment the domain functional level must be raised to a native mode, Windows 2000 native or Windows Server 2003).
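The GUI steps above map onto the netsh ras command set that ships with Routing and Remote Access, which is easier to audit and repeat than clicking through dialog boxes. The following script is an added example, not part of the original article or of Microsoft's documentation. It assumes an elevated PowerShell prompt (PowerShell 1.0 on Windows Server 2003 or any later version) on the RRAS server after the wizard has already enabled VPN access, the address range 192.168.0.10 to 192.168.0.50 and a dial-in account named test from the article's examples, a local account on a workgroup server (for a domain account, set the dial-in property on the domain controller instead), and that restricting authentication to MS-CHAPv2 is acceptable for your clients.

```powershell
# Added example (not from the original article): scripted equivalent of the
# server-side GUI steps. Assumptions: elevated prompt on the RRAS server,
# VPN access already enabled by the wizard, pool range and user name below.
$PoolStart = '192.168.0.10'
$PoolEnd   = '192.168.0.50'
$User      = 'test'        # local account (workgroup) that may dial in

function Invoke-Netsh {
    # Run one netsh command line and stop on failure, so a typo does not
    # leave the server half-configured.
    param([string]$Arguments)
    $out = & netsh.exe $Arguments.Split(' ') 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $Arguments failed: $out" }
    return $out
}

# 1. Hand out client addresses from a static pool instead of DHCP.
#    Clear any range entered in the GUI first so the add does not overlap.
& netsh.exe ras ip delete pool | Out-Null
Invoke-Netsh 'ras ip set addrassign method=pool'
Invoke-Netsh "ras ip add range from=$PoolStart to=$PoolEnd"

# 2. Let dialed-in clients reach the whole LAN behind the server, not only
#    the server itself (this is the default; set it explicitly here).
Invoke-Netsh 'ras ip set access mode=all'

# 3. Accept only MS-CHAPv2 (and EAP) authentication. PAP and SPAP send the
#    password in clear or reversibly encoded form, MD5-CHAP needs reversibly
#    encrypted password storage, and MS-CHAP v1 is weaker than v2.
foreach ($weak in 'PAP', 'SPAP', 'MD5CHAP', 'MSCHAP') {
    & netsh.exe ras delete authtype type=$weak | Out-Null   # may already be absent
}
Invoke-Netsh 'ras add authtype type=MSCHAPv2'

# 4. Grant dial-in to the one account, replacing the GUI "Allow access" click.
#    dialin=policy would instead defer the decision to the Remote Access Policy.
Invoke-Netsh "ras set user name=$User dialin=permit"

# 5. Show the resulting state for review.
Invoke-Netsh 'ras ip show config'
Invoke-Netsh 'ras show authtype'
Invoke-Netsh "ras show user name=$User"
```

Run the script once on a freshly enabled server; the delete pool and delete authtype calls make it safe to rerun. Step 4 is the direct-permission shortcut the text above warns about; to follow the recommended policy-based control, replace dialin=permit with dialin=policy and define the conditions and profile under Remote Access Policies.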
After configuring the VPN server and granting the user permission to connect remotely, create a VPN connection on the client and dial the VPN server to access the enterprise's internal network.
Create the client VPN connection
The client configuration is relatively simple: you only need to create a dedicated VPN connection.
Assume that the client already has an ADSL connection to the Internet. The procedure for creating the VPN connection is as follows:
1. Right-click My Network Places on the desktop and choose Properties to open Network Connections. Click Create a new connection.
2. The New Connection Wizard welcome page appears. Click Next, and on the Network Connection Type page select "Connect to the network at my workplace". Click Next.
3. Select "Virtual Private Network connection" and click Next.
Tip: if this is the first connection ever created on the machine, the system asks for your area code (dialing location). The prompt does not appear if another connection (such as the ADSL Internet connection) already exists.
4. On the Connection Name page, enter a name for the connection under Company Name (for example, "Connect to the sungh.com domain") and click Next.
5. Enter the host name or IP address of the VPN server and click Next.
6. Under Connection Availability select "My use only" and click Next.
7. On the Completing the New Connection Wizard page, select "Add a shortcut to this connection to my desktop" and click Finish.
To avoid the client losing its own Internet access once the VPN is connected, make one further change to the newly created "enterprise VPN connection".
In the Network Connections window, right-click the enterprise VPN connection, choose Properties, switch to the Networking tab, and select Internet Protocol (TCP/IP).
Click Properties, and in the dialog box that appears click Advanced.
On the General tab of the Advanced TCP/IP Settings dialog box, clear "Use default gateway on remote network" and click OK.
Caveat: clearing this option enables split tunneling. Only traffic for the remote network goes through the tunnel; everything else still leaves through the client's own Internet connection, so the client is attached to both networks at once. Leaving the option enabled sends all of the client's traffic through the enterprise network, which is slower but keeps it subject to the enterprise's controls. Choose according to your policy.
After the client VPN connection is configured, everything needed to establish a VPN connection between the client and the VPN server is in place.
Double-click the enterprise VPN connection on the desktop and enter the user name and password of the account that was granted dial-in permission.
After the VPN connection is established, double-click the VPN connection icon in the notification area at the lower right of the desktop to view its status.
There are two ways to access shared resources on the VPN server:
1) Directly, through My Network Places.
2) Through the UNC path: enter "\\ServerName" or "\\ServerAddress" in the address bar and browse the shared resources in the resulting window.
Tip: after the VPN connection is established, the client and the server may fail to find each other in My Network Places. In that case check whether the NetBEUI protocol is installed on both sides; if it is missing, installing it usually resolves the problem. Browsing depends on NetBIOS name resolution, whereas the UNC path with the server's IP address does not, so the second method works even when browsing does not.
When the client accesses shared resources on the server, the search may take a long time. If the server cannot be found, use Search for Computers to locate it.
If the VPN server is also a host in the LAN, VPN clients can be allowed to reach the other hosts in the LAN as well. This requires the server's router function and IP routing to be enabled; both are enabled by default once the VPN server has been configured.
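The client steps above can also be driven from the command line with rasdial, which is handy for checking each stage separately: the path to the server, the dial-in itself, the split-tunnel setting, and finally LAN access through the server. The following script is an added example, not part of the original article. It assumes PowerShell on the client, the phonebook entry "enterprise VPN connection" created by the wizard above, a server reachable as vpn.sungh.com (a hypothetical name in the article's domain), the dial-in user test, and an internal host at 192.168.0.1 behind the server; all of these are assumptions you substitute for your own values.

```powershell
# Added example (not from the original article): dial the wizard-created
# connection, check split tunneling, and test LAN access through the server.
# All names and addresses below are assumptions matching the article.
$Entry    = 'enterprise VPN connection'
$Server   = 'vpn.sungh.com'
$User     = 'test'
$Internal = '192.168.0.1'   # a host on the LAN behind the VPN server

function Test-TcpPort {
    # PPTP's control channel is TCP 1723. If this fails, the problem is the
    # network path or a firewall, not the credentials or the access policy.
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-DefaultGateway {
    # Gateway of the 0.0.0.0/0 route in 'route print'. Used to verify that
    # dialing in did not replace the client's own Internet default gateway.
    foreach ($line in (route print 0.0.0.0)) {
        $m = [regex]::Match($line, '^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)')
        if ($m.Success) { return $m.Groups[1].Value }
    }
}

if (-not (Test-TcpPort $Server 1723)) { throw "TCP 1723 on $Server is unreachable" }
$gwBefore = Get-DefaultGateway

# '*' makes rasdial prompt for the password instead of taking it on the
# command line, where it would be visible in the process list.
rasdial $Entry $User '*'
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with code $LASTEXITCODE" }

$gwAfter = Get-DefaultGateway
if ($gwBefore -ne $gwAfter) {
    Write-Warning "Default gateway changed to $gwAfter: 'Use default gateway on remote network' is still enabled"
}

# Address assigned from the server's pool, then reachability of a LAN host
# (needs IP routing on the server) and the shares it offers by UNC path.
ipconfig | Select-String 'PPP adapter', 'IP Address', 'IPv4 Address'
ping -n 2 $Internal
net view "\\$Internal"

rasdial $Entry /disconnect
```

If ping succeeds but net view fails, the tunnel and routing are fine and the remaining problem is name resolution or share permissions on the target host; if the default-gateway warning appears, revisit the Advanced TCP/IP Settings step above.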