
Implementation of Apex/Netlinker Router with Microsoft Point To Point Tunneling Protocol (PPTP) and Virtual Private Networking (VPN)

Assumption

The Windows NT machine that will be used as the VPN server is connected to a company network, which connects to the Internet via Ethernet.

Application Diagram

A remote user first issues a PPP call to the ISP. Without closing the active PPP connection established by the Apex router, the remote user issues a second call, which initiates the PPTP connection to the VPN Server using the Microsoft VPN Adapter. The VPN Server has established its Internet connection before the PPTP connection is brought up.


PPTP (Point To Point Tunneling Protocol) Server Setup in Windows NT 4.0

  1. Point To Point Tunneling Protocol has to be installed on the Windows NT machine that will accept VPN calls. Go to Start > Settings > Control Panel > Network > Protocols tab. Click Add and select Point To Point Tunneling Protocol. The Windows NT installation CD is needed when adding PPTP.

  2. When adding PPTP, you will be presented with a key question: how many Virtual Private Networks do you want to enable for access to this server and, through this server, to the rest of the network? The Virtual Private Network dialog box lets you choose how many VPNs you can have, based on your needs. Click on the scroll box and choose the number of concurrent PPTP client connections to this RAS server. Click OK when finished.

RAS Setup

  3. If your NT machine already has RAS (Remote Access Service) installed, the following message pops up once PPTP has been installed successfully. If the NT machine does not have RAS installed, Windows NT's RAS is installed after PPTP has been installed.

  4. Click OK. This starts configuration of the Remote Access Service, to which you will add the new PPTP Virtual Private Network ports. NT 4.0 automatically loads the RAS configuration dialog box.

  5. RAS can be added, found and configured under the following window.

  6. Port, Device, and Type need to be defined under RAS. If the following screen is empty, click Add and select the VPN device.

  7. In the Remote Access Setup window, click the Configure... button. If the PPTP server is only for accepting telecommuters' calls, choose "Receive calls only". Click OK.

  8. In the Remote Access Setup window, click the Network button. The protocol types, encryption settings, and Multilink connection can be selected here.

  9. In the Network Configuration window, click the NetBEUI Configure... button. The remote NetBEUI client's access rights can be defined here.

  10. In the Network Configuration window, click the TCP/IP Configure... button. The remote TCP/IP client's access rights can be defined here. The remote client's TCP/IP address can be determined here as well.
Note: Based on Arescom's tests, it is not necessary to assign an IP address to the remote client, either via DHCP or from a static pool. The remote client does not have to request a predetermined IP address, either. The reason is that the remote client should already have obtained an IP address from the ISP. If more precise network management is preferred, or other applications are involved, please consult Microsoft and the application vendor.

The PPTP and RAS setup is now complete.

User Setup

  1. Dial-in access has to be granted to the user account before VPN can take effect. This is done in Windows NT's User Manager for Domains: click Start > Programs > Administrative Tools > User Manager for Domains. Select the user name that will have the access right and double-click it. Click the Dialin button.

  2. Check the "Grant dialin permission to user" box. Click OK. Then click OK in the User Properties window.

VPN setup on the server side is now complete.


VPN Client Setup

Windows 95/98 as a VPN Client

  1. Create a dial-up connection using the Microsoft VPN Adapter. Go to My Computer > Dial-Up Networking. Double-click Make New Connection. In this example the name "To VPN Server" is given. Select Microsoft VPN Adapter as the device. Click Next.
Note: If Windows 95 is used, the Microsoft Dial-Up Networking (DUN) 1.2 or higher upgrade has to be installed on the system before Virtual Private Networking can be used. An easy way to check whether your Windows 95 machine is capable of making a VPN call is to go to Start > Control Panel > System > Device Manager tab and double-click Network Adapter. Check whether there is a device called "Microsoft Virtual Private Networking Adapter". Another device called "Dial Up Adapter (VPN Support)" should be found under the Network Adapter category as well. If you have a modem in the machine, this device is shown as "Dial Up Adapter #2 (VPN Support)". If those two devices are not found in the machine, please upgrade DUN to 1.2 or higher. Windows 98 does not need an additional upgrade.

  2. Enter the host name or IP address of the VPN Server. In this example, the VPN server's IP 200.200.200.20 is given. Click Next.

  3. A finish screen shows that the connection icon has been created successfully.

  4. Double-click the connection just created and the following screen shows up. Provide the user name and correct password assigned on the VPN Server. Also verify that the IP address of the VPN Server is correct.

Windows NT 4.0 Server/Workstation as a Client

  1. Create a dial-up connection using the Microsoft VPN Adapter. Go to Start > Programs > Accessories > Dial-Up Networking. Click New. In this example the name "To VPN Server" is given. Click Next.
Note: PPTP and RAS have to be installed on the client NT machine. The procedures are the same as described in the PPTP Server Setup section. When you reach step 7, configure the VPN port for Dial-out Only. Otherwise, the configuration is identical.

  2. Check the "I am calling the Internet" box. Click Next.

  3. Enter the host name or IP address of the VPN Server in the Phone number field. In this example, the VPN server's IP 200.200.200.20 is given. Click Next.

  4. A finish screen shows that the phonebook entry has been created successfully.

  5. Choose the "To VPN Server" entry just created. Click More > Edit Entry and Modem Properties...

  6. Make sure the VPN Adapter has been selected in "Dial using". Click OK.

Making the connection with Apex 1100 Router

  1. Go to Apex Manager > Status and click Connect. Alternatively, if Dial-On-Demand is enabled, trigger the router by launching the browser or issuing pings.
  2. Without closing the currently active PPP connection established by the Apex router, go to the "To VPN Server" connection entry, and click Connect (Win95/98) or Dial (WinNT) to initiate the PPTP connection.
  3. If you obtain a second login box provided by the distant NT 4.0 Server, you have succeeded in establishing the "tunnel", and can operate through the PPTP connection. Log on as you would on the normal network, with a valid User ID and Password.

Note: No port mapping or special setup is required if the Apex router is in IP Master mode. However, an IP Master LAN only allows one user at a time to access the VPN Server, while a Static IP LAN allows multiple users to access the VPN Server at the same time. This is due to the limitations of NAT (Network Address Translation).
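Why a NAT can end up admitting one PPTP tunnel per VPN server, as an added example (not from Arescom's note or the router's firmware). It assumes PPTP data travels in enhanced GRE (IP protocol 47, RFC 2637), which has no port numbers, and that the NAT tracks GRE by remote address only; the LAN addresses and Call IDs are constructed.

```python
import struct

GRE_PROTO = 47          # IP protocol number of PPTP's data channel (RFC 2637)
PPTP_GRE_TYPE = 0x880B  # protocol type field in the enhanced GRE header

def gre_header(call_id, payload_len=0, seq=0):
    """Build an enhanced GRE header with K and S bits set, version 1."""
    return struct.pack(">BBHHHI", 0x30, 0x01, PPTP_GRE_TYPE,
                       payload_len, call_id, seq)

def parse_call_id(header):
    """Return the Call ID of an enhanced GRE header after validating it."""
    if len(header) < 8:
        raise ValueError("truncated GRE header")
    flags, ver, ptype, _plen, call_id = struct.unpack(">BBHHH", header[:8])
    if ver & 0x07 != 1 or ptype != PPTP_GRE_TYPE or not flags & 0x20:
        raise ValueError("not a PPTP enhanced GRE header")
    return call_id

class Nat:
    """Toy inbound GRE lookup table; call_id_aware selects the key shape."""
    def __init__(self, call_id_aware):
        self.call_id_aware = call_id_aware
        self.table = {}

    def _key(self, server_ip, call_id):
        # GRE has no ports: a basic NAT can only key on protocol + peer IP.
        return (GRE_PROTO, server_ip, call_id if self.call_id_aware else None)

    def open_tunnel(self, lan_host, server_ip, call_id):
        """Record an outbound tunnel; False if another host holds the slot."""
        key = self._key(server_ip, call_id)
        if self.table.get(key, lan_host) != lan_host:
            return False
        self.table[key] = lan_host
        return True

    def route_inbound(self, server_ip, header):
        """Choose the LAN host for a GRE packet arriving from the server."""
        return self.table.get(self._key(server_ip, parse_call_id(header)))

def demo():
    """Two constructed LAN clients tunnel to the page's example server."""
    results = {}
    for aware in (False, True):
        nat = Nat(aware)
        first = nat.open_tunnel("192.168.1.10", "200.200.200.20", 0x0101)
        second = nat.open_tunnel("192.168.1.11", "200.200.200.20", 0x0202)
        target = nat.route_inbound("200.200.200.20", gre_header(0x0202))
        results[aware] = (first, second, target)
    return results
```

With address-only tracking the second client is refused and its packets would be delivered to the first; keying on the Call ID separates the two tunnels. On a Static IP LAN each client has its own public address, so no shared translation slot exists.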


Extra Notes Regarding Other Arescom Products

Netlinker: Same setup.
Apex Personal Router: Same setup.
Flash 200 TA: Can be used on a Windows 95/98 machine as a client. Setup is identical. The only difference is that a PPP connection icon has to be created and the connection established by the Flash 200. Without closing the active PPP connection made by the Flash 200, go to the "To VPN Server" connection icon, and click Connect to initiate the PPTP connection.



© Copyright 2004 ARESCOM, INC. All rights reserved.