A Virtual Private Network (VPN) is a logical, secure connection over an insecure network, such as the web or a wireless access point. Remote users use their existing Internet connection to securely connect to the corporate network, just as if they were in the office. Windows NT/2000/XP/2003 offer native VPN support.
To create our VPN we need two servers. DC1 will be our domain controller, DNS/DHCP server, Certificate Authority and IAS (RADIUS) server. Install Windows 2003 Enterprise Edition and configure the server as a Domain Controller/DNS server. Install the DHCP Server service, configure a scope on the LAN IP/subnet range, and configure the scope options to hand out the IP address of the LAN gateway and DNS server(s). When complete, authorize and activate the scope. The next step is to install a Certificate Authority. We needed Enterprise Edition because we want to install an Enterprise Root CA. Launch the Add/Remove Windows Components applet and install Certificate Services. Enter a common name for your CA and set the certificate validity period (the default is 5 years).
Windows will begin generating cryptographic keys; once complete you will be prompted to enter a location for the certificate database. Select the default location and click Next. You will be prompted to restart the IIS services; click Yes, and Windows will install the necessary components. The next step is to configure IAS. Internet Authentication Service is Microsoft's implementation of the RADIUS service. It is also installed from the Add/Remove Windows Components applet, under the Networking Services group. Once installed, browse to Administrative Tools | Internet Authentication Service, right-click the Internet Authentication Service (Local) container and select Register Server in Active Directory.
Right-click the RADIUS Clients folder and select New RADIUS Client. Enter a common name and the IP address of the VPN server. If the VPN server has not been set up yet, enter any IP address; it can be changed later.
Select RADIUS Standard from the Client-Vendor drop-down list and enter a shared secret. The shared secret is a key shared only by the RADIUS server and the VPN server (its RADIUS client); it is what the two use to authenticate and protect the RADIUS messages exchanged between them.
The final configuration on our DC is to create a Remote Access Policy. From the IAS MMC, right-click the Remote Access Policies container and select the New Remote Access Policy option.
This will open the New Remote Access Policy Wizard. Click Next to bypass the wizard's Welcome screen and continue with the "Use wizard to setup a typical policy for a common scenario" option.
Select VPN and click Next.
Add the user(s) or group(s) you wish to grant VPN access to.
Select Microsoft Encrypted Authentication version 2 (MS-CHAPv2).
Finally, uncheck all the boxes EXCEPT Strongest Encryption.
Verify the settings and click Finish to create the Remote Access Policy! That takes care of this server! Next we have to configure the VPN server. The only prerequisite for the VPN server is that it must have two NICs. For simplicity's sake, name one LAN and the other VPN. Open Administrative Tools | Routing and Remote Access to open the Routing and Remote Access console. Right-click the server in the console tree and select Configure and Enable Routing and Remote Access; this will launch the Routing and Remote Access Server Setup Wizard.
Click Next to bypass the wizard's welcome screen. On the next screen select Remote Access (Dial-Up or VPN) and click Next.
Check the VPN checkbox and click Next.
The next screen will display the VPN server's network connections. Select the connection named VPN, verify that the Enable Security checkbox is selected, and then click Next.
Verify that Automatically is selected and click Next.
Choose the option to set the server up to work with a RADIUS Server and click Next.
Enter the IP address of your RADIUS server and the shared secret that you assigned to the RADIUS Server.
When you click Finish you will be given a warning that you need to configure a DHCP Relay Agent. Click OK to clear the message; we will configure the DHCP Relay Agent next. From the RRAS MMC, expand the IP Routing node, right-click DHCP Relay Agent and select Properties.
Enter the IP address of your DHCP server and click Add, then click OK to save the settings and close the window.
Our VPN server is now configured and ready to accept client connections!
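As an added example (not part of the original article), the Python script below shows what the shared secret you entered on the IAS server and again on the VPN server actually does. Per RFC 2865, every RADIUS reply carries a Response Authenticator, the MD5 of the reply header, the Request Authenticator and the attributes followed by the secret; the VPN server recomputes it before trusting an Access-Accept, so a reply forged or altered without the secret is discarded. All values are constructed and no network traffic is sent.

```python
# Added example: RADIUS Response Authenticator (RFC 2865 section 3).
# Constructed sample values only; the secret below is a placeholder.
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLV attributes."""
    out = b""
    for atype, value in attrs:
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def sign_reply(code, ident, attrs, request_auth, secret):
    """What IAS does: build a reply whose Authenticator field is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

def verify_reply(reply, request_auth, secret):
    """What the VPN server (the RADIUS client) does before acting on a
    reply: recompute the Response Authenticator with its own copy of the
    secret and the Request Authenticator it sent, then compare."""
    if len(reply) < HEADER_LEN:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])

def demo():
    """Good reply verifies; wrong secret or a Reject rewritten as an Accept does not."""
    secret = b"constructed-shared-secret"          # placeholder value
    request_auth = bytes(range(16))                  # constructed Request Authenticator
    attrs = [(1, b"alice"), (6, struct.pack("!I", 2))]  # User-Name, Service-Type=Framed
    accept = sign_reply(ACCESS_ACCEPT, 7, attrs, request_auth, secret)
    reject = sign_reply(ACCESS_REJECT, 7, [], request_auth, secret)
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]     # code changed, authenticator unchanged
    return (verify_reply(accept, request_auth, secret),
            verify_reply(accept, request_auth, b"wrong-secret"),
            verify_reply(forged, request_auth, secret))

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The same check is why the secret must match exactly on both sides: a mismatch makes every IAS reply look forged to the VPN server and all VPN logons fail.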