Configuration:
- Win2000 AD server (acting as a PDC)
- Win2000 Professional workstations
- ADSL routers to connect workstation & server to the Internet
- Router/Firewall between the Server and the ADSL router
Questions:
- Step-by-step instructions to set up the server as a Remote Access
Server for VPN, including how to add/remove users
- Step-by-step instructions to set up VPN at a workstation
- Required firewall settings (ports etc) to enable VPN
Request for Question Clarification by theta-ga on 08 Apr 2003 03:18 PDT
Hi pegasus_oz-ga,
The Oxford University Computing Services website features an
excellent guide containing step by step instructions for setting up
VPN on Win2000 servers. Below I have provided links to the articles
that satisfactorily answer your questions.
- Step-by-step instructions to set up the server as a Remote Access
Server for VPN, including how to add/remove users
See the following article at the Oxford University Computing
Services website:
- OUCS: Installing and Configuring VPN on a Windows 2000 Server
(http://www.oucs.ox.ac.uk/network/vpn/microsoft/win2k/index.xml?style=printable)
- Step-by-step instructions to set up VPN at a workstation
See the following article at the Oxford University Computing
Services website:
- OUCS: Configuring Clients to Establish a Secure Connection
using Virtual Private Networking (VPN)
(http://www.oucs.ox.ac.uk/network/vpn/microsoft/clients/index.xml?style=printable)
- Required firewall settings (ports etc) to enable VPN
The clients can connect to your server using either PPTP or L2TP.
The required firewall settings for them are:
- PPTP[Point-to-Point Tunneling Protocol]
Configure your router & firewall to allow TCP port 1723 and IP
protocol ID 47 (GRE) traffic.
- L2TP [Layer 2 Tunneling Protocol]
Configure your router & firewall to allow UDP Port 500 and IP
Protocol ID 50 [Encapsulating Security Payload] traffic.
You might also want to take a look at the following articles:
- Windows Web Solutions: Installing a Win2K VPN Server
(http://www.windowswebsolutions.com/Articles/Index.cfm?ArticleID=23275)
- MS TechNet: VPN Deployment Using Windows 2000
(http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/profwin/pw0201.asp)
Please post here if the above information satisfactorily answers your
questions, and I will post this as an official answer.
If you need any clarifications, or further information, just post your
request here and I will get back to you.
Regards,
Theta-ga
:-)
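The firewall requirements listed above are easy to get half right: an administrator opens TCP 1723 for PPTP and forgets that GRE (IP protocol 47) carries no port and needs its own rule, so the tunnel authenticates and then hangs. The following Python script is an added example, not part of this thread or any vendor's tooling; it encodes the PPTP and L2TP requirements exactly as stated in the reply and checks a constructed, vendor-neutral "allow <proto> [port]" listing against them. The rule syntax and the sample configuration are assumptions made for the example.

```python
"""Check a router/firewall allow-list against the entries a Windows
2000 VPN server needs (added example; not from the original thread).

Required entries, as given in the reply above:
  PPTP : TCP port 1723 (control channel) + IP protocol 47 (GRE)
  L2TP : UDP port 500 (IKE) + IP protocol 50 (ESP)
The 'allow <proto> [port]' rule format below is constructed for this
example and does not correspond to any particular router's syntax.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IANA IP protocol numbers used by the two tunnelling options.
TCP, UDP, GRE, ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class AllowRule:
    """One inbound allow-rule. port is None for protocols that carry no
    port field (GRE and ESP), which is exactly why they need their own
    rule instead of a port number."""
    ip_protocol: int
    port: Optional[int] = None


REQUIRED = {
    "pptp": [AllowRule(TCP, 1723), AllowRule(GRE)],
    "l2tp": [AllowRule(UDP, 500), AllowRule(ESP)],
}

PROTO_NAMES = {TCP: "TCP", UDP: "UDP", GRE: "GRE", ESP: "ESP"}
PROTO_BY_NAME = {name.lower(): num for num, name in PROTO_NAMES.items()}


def parse_rules(text: str) -> List[AllowRule]:
    """Parse the constructed listing; blank lines and comments are ignored."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "allow":
            continue
        proto = PROTO_BY_NAME.get(parts[1].lower())
        if proto is None:
            proto = int(parts[1])  # numeric protocol ID, e.g. "allow 47"
        port = int(parts[2]) if len(parts) > 2 else None
        rules.append(AllowRule(proto, port))
    return rules


def missing_rules(allowed: Iterable[AllowRule], vpn_type: str) -> List[AllowRule]:
    """Return the required entries for vpn_type that 'allowed' lacks."""
    allowed_set = set(allowed)
    return [r for r in REQUIRED[vpn_type.lower()] if r not in allowed_set]


def describe(rule: AllowRule) -> str:
    """Human-readable form of a rule for the report."""
    name = PROTO_NAMES.get(rule.ip_protocol, f"proto {rule.ip_protocol}")
    if rule.port is not None:
        return f"{name} port {rule.port}"
    return f"IP protocol {rule.ip_protocol} ({name})"


# Constructed sample: the ports were opened but the port-less protocols
# (GRE for PPTP, ESP for L2TP) were forgotten, a common misconfiguration.
SAMPLE_CONFIG = """\
# inbound rules towards the VPN server (constructed sample)
allow tcp 1723
allow udp 500
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    for vpn in ("pptp", "l2tp"):
        gaps = missing_rules(rules, vpn)
        status = "OK" if not gaps else "missing: " + ", ".join(describe(g) for g in gaps)
        print(f"{vpn.upper()}: {status}")
```

Run against the sample listing, the script reports that PPTP is missing IP protocol 47 (GRE) and L2TP is missing IP protocol 50 (ESP); adding `allow gre` and `allow esp` to the listing clears both reports.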
Clarification of Question by pegasus_oz-ga on 08 Apr 2003 05:18 PDT
Your advice was good and works in principle. However, I need some
follow-up advice to turn this into a working proposition. I hope this
is within the scope of the original question.
ADSL Router Settings
====================
- The server is connected directly to an ADSL router.
- The workstation is connected to a switch that connects to an ADSL
router. This router uses NAT to ensure that incoming packets are
directed to the correct internal IP address.
Q1: What port must I specify to ensure that when the workstation pings
the server via the VPN, the packet completes the round trip?
Q2: What port must I specify so that the workstation can map server
shares?
Q3: Is it possible for more than one workstation on that same switch
to establish a VPN? If so, what are the port settings for pings and
share connections?
Request for Question Clarification by theta-ga on 08 Apr 2003 17:02 PDT
Hi pegasus_oz-ga,
To answer your questions:
- Once you have setup VPN correctly, all the traffic for the
various ports utilises one of the tunneling protocols mentioned
earlier (PPTP or L2TP). As long as you have the firewall and router set
to forward all VPN traffic, as specified in the firewall settings in
my previous post, you should be able to ping easily using the IP
address assigned to the server.
- Some users have complained of a problem with accessing network
shares with VPNs. You can find a discussion and solution to this
problem in the following TekTips forum FAQ entry:
- Why can't I browse the Network Neighborhood over my....
(http://www.tek-tips.com/gfaqs.cfm/lev2/5/lev3/34/pid/463/fid/2520)
- For your third question, I am afraid that as I have had no
experience with the setup you describe, I cannot provide this answer
with a great deal of confidence. I came across the following newsgroup
posting, which describes a setup similar to yours:
- Subject: Re: VPN access from behind a firewall?
Newsgroups: comp.dcom.sys.bay-networks
(http://groups.google.com/groups?selm=36F6AFB4.2EFDACB1%40oration.com)
It mentions that "If your NAT device has only one public IP Address,
then it can only support one internal IPSec connection at a time." To
connect with multiple machines, you would need to obtain a pool of IP
addresses for the NAT. The ping and Share ports should remain the same.
BTW, re your initial question, you can find Microsoft's comprehensive
guide to setting up VPN (complete with screenshots) here:
- MS TechNet: Configuring a VPN Solution
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/deploy/confeat/vpnsol.asp)
- VPN servers and firewall configuration
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/server/sag_VPN_und13.asp)
Hope this helps.
Regards,
Theta-ga
:-)
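The quoted newsgroup claim, that a NAT device with a single public address can carry only one internal IPsec connection at a time, follows from how port-based NAT works: it distinguishes inside hosts by rewriting the source port, and ESP (IP protocol 50) has no port field to rewrite. The following Python model is an added example, not from the thread or the newsgroup post; it simulates a minimal NAT whose translation table is keyed on port where one exists and on the bare (protocol, public IP, destination) triple where none does, and shows that the IKE leg (UDP 500) of a second workstation translates fine while its ESP leg cannot be given a distinct mapping. The NAT model, address values and function names are constructed for this example.

```python
"""Why one public IP supports only one ESP session through a port-based
NAT (added example; constructed model, not from the original thread).

Port-based NAT keeps a table from a public-side key back to the inside
host. For UDP/TCP the key includes a rewritten source port, so many
inside hosts can share one public address. ESP carries no port, so the
only key available is (protocol, public IP, destination IP), and a
second inside host talking ESP to the same VPN server collides with
the first. Addresses below are RFC 5737 documentation ranges.
"""
from typing import Dict, List, Optional, Tuple

TCP, UDP, ESP = 6, 17, 50
PUBLIC_IP = "203.0.113.10"        # the NAT's single public address (constructed)
VPN_SERVER = "198.51.100.5"       # the Win2000 VPN server's address (constructed)


class SimpleNat:
    """Minimal outbound NAT with a single public address."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000  # first public port to hand out
        # public-side key -> (inside ip, inside port)
        self.table: Dict[Tuple, Tuple[str, Optional[int]]] = {}

    def outbound(self, src_ip: str, src_port: Optional[int],
                 dst_ip: str, proto: int) -> Optional[Tuple]:
        """Translate an outbound packet; return the public-side key the
        reply will carry, or None if no unambiguous mapping is possible."""
        if proto in (TCP, UDP):
            # Port present: allocate a fresh public port per inside flow.
            key = (proto, self.public_ip, self.next_port, dst_ip)
            self.next_port += 1
        else:
            # No port field (ESP, also GRE): only the triple is available.
            key = (proto, self.public_ip, dst_ip)
            existing = self.table.get(key)
            if existing is not None and existing[0] != src_ip:
                # A second inside host would be indistinguishable on the
                # return path, so the NAT cannot add a mapping for it.
                return None
        self.table[key] = (src_ip, src_port)
        return key

    def inbound(self, key: Tuple) -> Optional[Tuple[str, Optional[int]]]:
        """Look up where a reply with this public-side key is delivered."""
        return self.table.get(key)


def ipsec_sessions_supported(nat: SimpleNat, inside_hosts: List[str],
                             server_ip: str) -> int:
    """Count inside hosts that get both an IKE (UDP 500) and an ESP mapping."""
    count = 0
    for host in inside_hosts:
        ike = nat.outbound(host, 500, server_ip, UDP)
        esp = nat.outbound(host, None, server_ip, ESP)
        if ike is not None and esp is not None:
            count += 1
    return count


def port_based_sessions_supported(nat: SimpleNat, inside_hosts: List[str],
                                  server_ip: str) -> int:
    """For contrast: a purely port-carrying flow (here UDP 500) per host."""
    return sum(1 for h in inside_hosts
               if nat.outbound(h, 500, server_ip, UDP) is not None)


if __name__ == "__main__":
    workstations = ["192.168.1.10", "192.168.1.11"]  # constructed inside hosts
    print("IPsec sessions through one public IP:",
          ipsec_sessions_supported(SimpleNat(PUBLIC_IP), workstations, VPN_SERVER))
    print("UDP-only flows through one public IP:",
          port_based_sessions_supported(SimpleNat(PUBLIC_IP), workstations, VPN_SERVER))
```

With two workstations behind the NAT the model reports one IPsec session but two UDP flows, which is the behaviour the quoted post describes and the reason the reply suggests a pool of public addresses. Later IPsec NAT traversal (NAT-T), which wraps ESP in UDP, removes this limitation, but that is outside what the thread covers.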