Setting Up the Windows 98 PPTP and L2TP/IPSec Client
Windows 98 VPN clients can connect to the ISA Server firewall/VPN server using
either PPTP or L2TP/IPSec. If your Windows 98 computer meets the following
specifications:
· Installed with the default installation settings
· Completely updated with all updates on the Windows Update site
then you need to carry out the following procedures to connect to the ISA
Server firewall/VPN server:
- Install Dial-Up Networking version 1.4 (DUN 1.4)
- Install the Microsoft L2TP/IPSec VPN client
- Obtain a user certificate
- Create the PPTP Dial-up Networking Entry
- Create the L2TP/IPSec Dial-up Network Entry
You will be able to establish both PPTP and L2TP/IPSec VPN connections to the
ISA Server firewall/VPN server after completing these steps.
Installing Dial-Up Networking Version 1.4 (DUN 1.4)
Perform the following steps to install DUN 1.4 on the Windows 98 computer:
- Go to http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q285/1/89.ASP&NoWebContent=1
and follow the link to the Windows 98 DUN 1.4 download. Click the
link and download the Dun14-98.exe file to the desktop. You must install
Microsoft DUN 1.4 before you can install and use the Microsoft L2TP/IPSec
client.
- Double click on the dun14-98.exe file on the desktop. Click Yes on the
dialog box informing you that Microsoft Dial-up Networking 1.4 for Windows 98
will be installed.
- Click Yes in the dialog
box indicating you accept all terms of the License Agreement. The DUN 1.4
file is installed.
- You will be asked for the
Windows 98 CD-ROM. Click OK on the Insert Disk dialog box.
Type a path to the Setup folder in the Copying Files dialog box
(figure 1) and click OK.
Figure 1
(Fig1)

- If you encounter a Version
Conflict dialog box (figure 2), click Yes on each of them to
keep the new file. If you click No, older versions of the file will
be installed and the VPN client connections may not establish properly.
Figure 2
(Fig2)

- Click Yes in the System
Settings Change dialog box. This restarts your computer.
Installing the Microsoft L2TP/IPSec VPN Client
Now that Dial-up Networking version 1.4 is installed, you can download and
install the Microsoft L2TP/IPSec VPN Client software on the Windows 98
computer. You must install this update before attempting an L2TP/IPSec
connection:
1. Open Internet Explorer and go to http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp
to download the Microsoft L2TP/IPSec VPN Client. There is an
administrator's guide for the Microsoft L2TP/IPSec VPN client on this page. We
recommend that you review the administrator's guide either before or after
installing the client software. Click the msl2tp.exe link and download
the file to your desktop.
2. Double click on the msl2tp.exe file on the desktop.
Click Yes on the Microsoft L2TP/IPSec VPN Client Setup v1.0
dialog box.
3. Click Yes in the dialog box to indicate that you
accept all the terms of the licensing agreement. The MS L2TP/IPSec VPN
Client software installs (figure 3).
Figure 3
(Fig3)

4. Click Yes in the dialog box asking if you want to
restart your computer. The computer restarts after clicking Yes.
5. You may be presented with a Location Information
dialog box (figure 4) after restarting the computer. If so, enter your Area
Code, and then click Close. Log onto the Windows 98 computer.
Figure 4
(Fig4)

Obtain a User Certificate to Allow L2TP/IPSec Connections
Dial-up Networking 1.4 (DUN 1.4) and the Microsoft L2TP/IPSec VPN Client are
now installed on the Windows 98 computer. The next step is to obtain a user
certificate. The Microsoft L2TP/IPSec VPN Client uses this certificate
to create L2TP/IPSec connections with the ISA Server firewall/VPN server.
Note:
The Microsoft L2TP/IPSec VPN Client is not required if you wish to create only
PPTP connections to the ISA Server firewall/VPN server.
There are
many methods available to obtain user certificates from a Microsoft Certificate
Server. The most common scenario is when there is a standalone or enterprise
Microsoft Certificate Server located on the internal network and the Web enrollment
site is installed on the standalone Certificate Server. We will go through the
steps of obtaining a user certificate from the Web enrollment site of a
standalone Microsoft Certificate Server running on a Windows Server 2003
machine.
Note:
You can get more information on Enterprise and Standalone Microsoft
Certificate Server configurations in the ISA Server VPN Deployment Kit
documents Installing and Configuring a Windows Server 2003
Standalone Certification Authority and Installing and Configuring a Windows Server 2003 Enterprise Certification
Authority
Perform the following steps on the Windows 98 computer to obtain the user
certificate:
- On the Windows 98 computer, open Internet Explorer and type in the URL
http://<ip_address>/certsrv or http://<fqdn>/certsrv, where <ip_address>
and <fqdn> represent the IP address and Fully Qualified Domain Name of the
standalone Microsoft Certificate Server. The IP address or FQDN can be
internal or external. External addresses are used when the Certificate Server
is published to the Internet.
Note:
For more information on how to publish the Certificate Server to
the Internet, please refer to ISA Server VPN Deployment Kit document Publishing
a Windows Server 2003 Certification Authority Web Enrollment Site and
Certificate Revocation List
- On the Microsoft Certificate
Services Welcome page (figure 5), click the Request a
certificate link.
Figure 5
(Fig5)

- On the Request a Certificate
page, click the Web Browser Certificate link (figure 6).
Figure 6
(Fig6)

- Click Yes on the Security
Warning dialog box (figure 7) that asks if you want to install and run
the Microsoft Certificate Enrollment Control. Click Yes again if
you see the dialog box a second time.
Figure 7
(Fig7)

- Type in your user
information in the text boxes on
the Web Browser Certificate – Identifying Information page (figure
8), then click Submit.
Figure 8
(Fig8)

- Click Yes on the Potential
Scripting Violation dialog box informing you that you should trust
the Web enrollment site before continuing.
- The Certificate Pending page appears and informs you that your request must
be approved (figure 9). In this example the standalone Microsoft Certificate
Server is using its default settings, which require the certificate request
to be approved. If you are using the default settings on the standalone
Certificate Server, then you must approve the request. For more
information on how to set up and configure standalone Microsoft Certificate
Servers, refer to ISA Server VPN Deployment Kit document Installing and
Configuring a Windows Server 2003 Standalone Certification Authority.
Figure 9
(Fig9)

- Click the Home link on
the Certificate Pending page (figure 9). This takes you back to the
Welcome page (figure 10). On the Welcome page, click the View
the status of a pending certificate request link.
Figure 10
(Fig10)

- On the View the Status of a Pending Certificate Request page (figure 11),
click the Web Browser Certificate (Date/Time) link. In this example the link
says Web Browser Certificate (Thursday May 08 2003 8:48:09 AM).
Figure 11
(Fig11)

- On the Certificate Issued page (figure 12), click the Install this
certificate link. Click Yes in the Potential Scripting Violation dialog box
that warns that you need to trust the Web enrollment site.
Figure 12
(Fig12)

- Click Yes on the Root
Certificate Store dialog box (figure 13). This dialog box tells you
the certificate authority’s self-signed (Self Issued) certificate
will be added to the Trusted Root Authorities certificate store.
Figure 13
(Fig13)

- Close Internet Explorer after
you see the Certificate Installed page.
Create the PPTP Dial-up Networking Entry
The Windows 98 VPN client now has DUN 1.4, the Microsoft L2TP/IPSec VPN
client, and a user certificate installed. Now we can create the VPN
connectoids that we use to connect to the ISA Server firewall/VPN server.
Let’s start with creating a PPTP VPN connectoid.
Note:
A VPN connectoid is a Dial-up Networking entry represented by an icon in the
Dial-up Networking Window.
Perform the
following steps to create the PPTP VPN connectoid:
- Click Start and point to
Programs. Point to Accessories and then point to Communications.
Click on Dial-up Networking.
- If this is the first time you’ve run Dial-up Networking on this machine,
click Next on the Welcome to Dial-Up Networking dialog box (figure 14). If
you have run the Dial-up Networking application on the Windows 98 computer at
some time in the past, the Dial-up Networking window will appear.
Double click on the Make New Connection icon in the Dial-Up
Networking window.
Figure 14
(Fig14)

- In the Make New Connection
dialog box (figure 15), type in a name for the PPTP VPN connectoid in the Type
a name for the computer you are dialing text box. In this example,
we’ll call it PPTP VPN. Click the down arrow for the Select a
device drop down list. Select the Microsoft VPN Adapter entry.
Click Next.
Figure 15
(Fig15)

- On the Make New Connection
page (figure 16), type in an IP address or FQDN for the ISA Server
firewall/VPN server. In this example we’ll use an IP address. If you
choose to use a FQDN, make sure the FQDN resolves to the primary IP
address on the external interface of the ISA Server firewall/VPN server.
The primary IP address is the top listed IP address seen in the Advanced
TCP/IP Properties dialog box (on the Windows 2000/Windows Server 2003
Server machine). Click Next.
Figure 16
(Fig16)

- Click Finish on the Make
New Connection dialog box (figure 17). The PPTP VPN connectoid is
placed in the Dial-up Networking folder (figure 18).
Figure 17
(Fig17)

- Return to the Dial-Up
Networking folder (figure 18) and right click on the PPTP VPN
connectoid. Click the Properties command.
Figure 18
(Fig18)

- Click the Server Types tab
(figure 19) in the PPTP VPN dialog box. Place checkmarks in the Require
encrypted password and Require data encryption checkboxes. Remove
the checkmarks from the NetBEUI and IPX/SPX checkboxes.
Click OK.
Figure 19
(Fig19)

- Double click on the PPTP VPN
connectoid in the Dial-Up Networking window. Type in a User name
and Password of a user that has Remote Access permission to
connect to the VPN server in the Connect To dialog box (figure 20).
Figure 20
(Fig20)

- You will see the You are
connected to PPTP VPN dialog box (figure 21) when the connection
succeeds. If you right click on the Dial-up networking connection icon in
the system tray and click the Status command, you’ll see the Connected
to PPTP VPN dialog box. Click the Details button. This
dialog box gives you information about the speed of the link, how long
the link has been up, and bytes sent and received. You can also see
details about the security protocols used in the Protocols list.
Figure 21
(Fig21)
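The FQDN requirement in the Make New Connection step (figure 16) can be checked from an administrator's workstation before the server name is given to users. The following is an added example, not part of the original document; the function names, the example.com hosts and the 192.0.2.x addresses are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample DNS data (RFC 5737 documentation addresses), not real hosts.
SAMPLE_RECORDS = {
    "vpn.example.com": ["192.0.2.10"],
    "vpn-rr.example.com": ["192.0.2.10", "192.0.2.11"],
    "old.example.com": ["192.0.2.11"],
}

def sample_resolver(fqdn):
    """Offline stand-in for DNS, backed by SAMPLE_RECORDS."""
    return set(SAMPLE_RECORDS.get(fqdn, []))

def resolve_ipv4(fqdn):
    """Return the IPv4 addresses the local resolver gives for fqdn."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_vpn_name(fqdn, primary_ip, resolver=resolve_ipv4):
    """Classify how fqdn resolves relative to the server's primary external IP.

    "ok": only the primary IP; "ambiguous": primary plus other addresses, so a
    client may dial a non-primary one; "mismatch": resolves elsewhere;
    "unresolved": no answer.
    """
    primary = ipaddress.IPv4Address(primary_ip)  # ValueError on a bad literal
    addresses = {ipaddress.IPv4Address(a) for a in resolver(fqdn)}
    if not addresses:
        status = "unresolved"
    elif addresses == {primary}:
        status = "ok"
    elif primary in addresses:
        status = "ambiguous"
    else:
        status = "mismatch"
    return status, sorted(str(a) for a in addresses)

if __name__ == "__main__":
    for name in ("vpn.example.com", "vpn-rr.example.com",
                 "old.example.com", "gone.example.com"):
        print(name, check_vpn_name(name, "192.0.2.10", sample_resolver))
```

Calling check_vpn_name without the resolver argument uses the workstation's own DNS configuration, which is the view an external VPN client would need to share.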

Creating the L2TP/IPSec Dial-up Networking Entry
Now that we’ve seen how the PPTP connection works, let’s create an L2TP/IPSec
VPN connectoid on the Windows 98 computer.
Perform the following steps to create an L2TP/IPSec VPN connectoid that will
allow the Windows 98 computer to connect to the ISA Server firewall/VPN server:
1. Click Start and point to Programs. Point to Accessories
and then point to Communications. Click on Dial-up Networking.
2. Double click on the Make New Connection icon in the Dial-Up
Networking window.
3. In the Make New Connection dialog box (figure 22),
type in a name for the connectoid in the Type a name for the computer you
are dialing text box. In this example we’ll call it L2TP-IPSec VPN.
Click the down-arrow in the Select a device drop down list box and
select the Microsoft L2TP/IPSec VPN Adapter 1 option. Click Next.
Figure 22
(Fig22)

4. In the Make New Connection dialog box (figure 23),
type in the FQDN or IP address of the ISA Server firewall/VPN server in the Host
name or IP Address text box. Click Next.
Figure 23
(Fig23)

5. Click Finish in the Make New Connection dialog
box. The L2TP/IPSec VPN connectoid is saved in the Dial-Up Networking
folder.
6. Double click on the L2TP/IPSec connectoid in the Dial-Up
Networking folder and enter your credentials. The L2TP/IPsec VPN connection
is established.
At this point the Windows 98 computer will be able to make L2TP/IPSec
connections to the ISA Server firewall/VPN server. In addition, the Windows 98
computer will be able to make outbound L2TP/IPSec connections through a NAT
device such as a NAT router or NAT-based firewall such as ISA Server. Please
refer to ISA Server VPN Deployment Kit documents Configuring the ISA Server
Firewall/VPN Server to Support L2TP/IPSec NAT Traversal Client Connections
and Configuring the ISA Firewall/VPN Server to Support Outbound
L2TP/IPSec NAT-T Connections for more information on how to configure the ISA
Server firewall/VPN server to allow inbound and outbound L2TP/IPSec connections
by Windows 98 VPN clients.