This story was printed from CNETAsia.
Configure Windows XP Professional to be a VPN server
By Dr. Thomas Shinder, TechRepublic
23/8/2002
URL: http://asia.cnet.com/enterprise/netadmin/0,39035505,39050037,00.htm

For the Small Office/Home Office (SOHO), Windows XP Professional VPN features are a real boon. Traveling users with laptops or handheld computers will inevitably want files on the home network; you just can’t bring everything with you. This is where the beauty of the Windows XP Professional computer connected to an always-on connection, such as DSL or cable modem, shines. That always-on link can be used to accept incoming VPN connections and allow your mobile users to access shared folders and files on your private network.

In this article, I’ll explain how to configure a Windows XP Professional computer to accept incoming VPN connections and discuss some tips on improving the remote access experience for the VPN client computer user.

Windows XP’s all-in-one VPN solution
Windows XP Professional is designed as the one-stop solution for the SOHO, taking all the usability features available to Windows Me users and adding the powerful networking features available in Windows 2000. The combination lets you create the ideal remote access solution for the SOHO.

The Windows XP Professional remote access server capabilities are very similar to those available in Windows 2000 Professional. A Windows XP computer can accept a single incoming connection on each interface that can accept a connection. For example, a Windows XP machine can accept incoming connections on each of the following interfaces:
- Dial-up modem serial interface
- Infrared interface
- Parallel port interface
- VPN interface
While it’s unlikely, a Windows XP Professional machine with the above configuration could conceivably accept up to four simultaneous RAS connections. However, the typical configuration consists of a single RAS client connection, either through a dial-up modem interface or a VPN interface.
Create an incoming connection with the New Connection Wizard
Like Windows 2000 Professional, Windows XP Professional includes a New Connection Wizard. I’ll show you how to use the New Connection Wizard to create the new VPN server interface.

In this example, I’ll assume the Windows XP Professional machine is not a member of a Windows NT 4.0 or Windows 2000 domain. The machine has two network interface cards; one is directly connected to the Internet, and the other is connected to the internal LAN. In addition, the external interface of the machine is configured for Internet Connection Sharing (ICS). While ICS changes the IP address of the LAN interface of the ICS computer to 192.168.0.1 through 16, it's easy to change the IP address to one that fits the existing network environment. The IP address of the LAN interface of the ICS computer was changed to 10.0.0.1 through 24 to fix the preexisting network configuration.

How to create the VPN server interface, step-by-step
1. Click Start | Control Panel.
2. In the Control Panel, open the Network Connections applet.
3. In the Network Connections window (see Figure A), open the New Connection Wizard.

Figure A: The Network Connections window

4. On the Welcome To The New Connection Wizard page, click Next.
5. On the Network Connection Type page (see Figure B), select the Set Up An Advanced Connection option.
6. On the Advanced Connection Options page (see Figure C), select the Accept Incoming Connections option and click Next.

Figure C: Configuring XP to accept incoming connections

7. On the Devices For Incoming Connections page (see Figure D), you can select optional devices on which you want to accept incoming connections.
Note that you are not presented with any of the network interfaces on the computer.

8. On the Incoming Virtual Private Network (VPN) Connection page (see Figure E), select the Allow Virtual Private Connections option and click Next.
9. On the User Permissions page (see Figure F), select the users that are allowed to make incoming VPN connections. Any user that isn’t selected won’t be able to initiate an incoming connection. Click Next.
10. On the Networking Software page (see Figure G), click on the Internet Protocol (TCP/IP) entry and click the Properties button.
Figure G: Configuring TCP/IP properties

11. In the Incoming TCP/IP Properties dialog box (see Figure H), place a check mark in the Allow Callers To Access My Local Area Network check box. This will allow VPN callers to connect to other computers on the LAN. If this check box isn’t selected, VPN callers will only be able to connect to resources on the Windows XP VPN server itself. Click OK to return to the Networking Software page and then click Next.

Figure H: Granting LAN access to callers

12. On the Completing The New Connection Wizard page, click Finish to create the connection.

After the Incoming Connection is complete, right-click on the connection in the Network Connections window and select the Properties command (see Figure I).
Figure I: Accessing the properties of the VPN server link

Note that on the General tab of the Incoming Connections Properties page (see Figure J), no devices are listed. The comment No Hardware Capable Of Accepting Calls Is Installed isn’t true, since you can now create VPN connections to both network interface cards. In practice, there is no point in creating a VPN connection to the internal interface card. VPN clients will only call the external IP address of the Windows XP Professional VPN server.

VPN server optimization tips
The New Connection Wizard made it easy to create the VPN server interface, but you can still do more to optimize your VPN connections.

First, note that you can create PPTP or L2TP/IPSec VPN connections. Figure K shows the connection status dialog box of a Windows XP VPN client connected to a Windows XP VPN server. Note that MPPE 128-bit encryption is automatically enabled and that Microsoft CHAP v2 is used for authentication.
If both machines had machine certificates from the same Certification Authority installed, an L2TP/IPSec VPN link could have been negotiated.

If you want the VPN client to access resources on the internal network, the IP address assigned to the VPN client should be on the same network ID as the internal interface of the Windows XP VPN server computer. In addition, all the machines on the internal network should have a default gateway set using the IP address of the internal interface of the Windows XP VPN server. In the unlikely event that the SOHO has multiple network segments, the routing table on the Windows XP VPN server needs to be configured with paths to the various internal network IDs. You can use the ROUTE ADD command to create these routing table entries.

Small networks that use a Windows XP Professional machine for a VPN server probably won’t have network services such as WINS or DNS. If name resolution on the private network is an issue for the VPN client, then you should create a LMHOSTS file, a simple text file that contains name and IP address mappings. For example, the following line could represent an entry in an LMHOSTS file:

10.0.0.2 DEFIANT

The VPN client must be configured with an IP address or host name for the Windows XP Professional VPN server. If the Windows XP Professional client has a dedicated link to the Internet and a static IP address, you can use that IP address in the VPN client configuration interface. However, if the Windows XP Professional VPN server is assigned an IP address via DHCP, you’ll have to use an Internet host name and a method of registering the host name dynamically. A couple of services you might want to look into are TZO and DYNDNS. Both of these services will let you dynamically register a computer’s IP address into the public DNS database.

Conclusion
Windows XP Professional provides simple VPN server capabilities that let you connect single VPN clients to your internal network, one at a time. If the Windows XP Professional computer has a dedicated connection to the Internet, you can connect to that computer from virtually anywhere in the world using a VPN link. The VPN server setup is simple and can accept calls from any Windows PPTP or L2TP/IPSec client.
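The addressing, default-gateway, ROUTE ADD and LMHOSTS rules from the optimization tips above can be checked on paper before the server is changed. The following is an added example, not part of the original article: the function names, the /24 mask and every sample address except the 10.0.0.2 DEFIANT entry are assumptions, and the routes are emitted in the persistent `route -p add` form.

```python
import ipaddress

def check_vpn_plan(internal_if, client_ip, lan_gateways, extra_segments):
    """Validate a planned XP VPN-server layout; return (problems, route_cmds)."""
    iface = ipaddress.ip_interface(internal_if)   # internal NIC, e.g. "10.0.0.1/24"
    problems, route_cmds = [], []

    # Rule 1: the address given to the VPN client must share the internal network ID.
    if ipaddress.ip_address(client_ip) not in iface.network:
        problems.append(f"client {client_ip} is outside {iface.network}")

    # Rule 2: internal machines use the server's internal interface as default gateway.
    for host, gw in lan_gateways.items():
        if ipaddress.ip_address(gw) != iface.ip:
            problems.append(f"{host} default gateway {gw} is not {iface.ip}")

    # Rule 3: each additional segment needs a route on the VPN server whose
    # next hop is a router directly reachable on the internal network.
    for segment, next_hop in extra_segments.items():
        net = ipaddress.ip_network(segment)
        hop = ipaddress.ip_address(next_hop)
        if net.overlaps(iface.network):
            problems.append(f"{net} overlaps the directly attached {iface.network}")
        elif hop not in iface.network or hop == iface.ip:
            problems.append(f"next hop {hop} for {net} is not a router on {iface.network}")
        else:
            route_cmds.append(f"route -p add {net.network_address} mask {net.netmask} {hop}")
    return problems, route_cmds

def lmhosts_lines(names):
    """Render name/IP mappings in LMHOSTS layout: address, whitespace, NetBIOS name."""
    lines = []
    for name, ip in names.items():
        if len(name) > 15:            # NetBIOS computer names are at most 15 characters
            raise ValueError(f"{name!r} is too long for a NetBIOS name")
        lines.append(f"{ipaddress.ip_address(ip)}\t{name.upper()}")
    return lines

# Constructed sample plan (assumed values, for illustration only)
PLAN = dict(
    internal_if="10.0.0.1/24",
    client_ip="10.0.0.50",
    lan_gateways={"DEFIANT": "10.0.0.1", "PRINTSRV": "10.0.0.254"},
    extra_segments={"10.0.1.0/24": "10.0.0.254", "10.0.2.0/24": "10.0.3.1"},
)

if __name__ == "__main__":
    problems, routes = check_vpn_plan(**PLAN)
    print("\n".join(problems + routes + lmhosts_lines({"DEFIANT": "10.0.0.2"})))
```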