Setting Up the Windows ME PPTP and L2TP/IPSec Client

 

Windows ME computers can connect to the ISA Server firewall/VPN server using either PPTP or L2TP/IPSec. On a Windows ME computer that has been installed with the default settings, and updated with all updates from the Windows Update Site, you need to carry out the following procedures to allow PPTP and L2TP/IPSec connections from the Windows ME client to the ISA Server firewall/VPN server:

 

  • Install Windows ME VPN client software
  • Install the Microsoft L2TP/IPSec client
  • Obtain a user certificate
  • Create the PPTP Dial-up Networking Entry
  • Create the L2TP/IPSec Dial-up Network Entry

 

Installing the Windows ME VPN Client Software

 

Perform the following steps to install VPN support on the Windows ME computer:

 

  1. Click Start, point to Settings and click on Control Panel.
  2. In the Control Panel, click the Add/Remove Programs link.
  3. Click the Windows Setup tab in the Add/Remove Programs Properties dialog box.
  4. On the Windows Setup tab, click on the Communications entry, then click the Details button.
  5. In the Communications dialog box, scroll through the list of Components and put a checkmark in the Virtual Private Networking checkbox. Click OK.
  6. Click Apply in the Add/Remove Programs Properties dialog box.
  7. Click Yes in the System Settings Change dialog box. The computer will restart.

 

Installing the Microsoft L2TP/IPSec VPN Client Software

 

Now you can download the Microsoft L2TP/IPSec VPN Client software and install it on the Windows ME computer:

 

1.       Open Internet Explorer and go to http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp to download the Microsoft L2TP/IPSec VPN Client. There is also an administrator’s guide for the Microsoft L2TP/IPSec VPN Client on this page. Take some time to review the administrator’s guide either before or after installing the client software. Click the msl2tp.exe link and download the file to your desktop.

2.       Double click on the msl2tp.exe file on the desktop. Click Yes on the Microsoft L2TP/IPSec VPN Client Setup v1.0 dialog box.

3.       Click Yes in the dialog box to indicate you accept the terms of the licensing agreement. The MS L2TP/IPSec VPN Client software installs (figure 1).

 

Figure 1 (Fig24)

 

4.       Click Yes in the dialog box that asks you if you want to restart your computer. The computer restarts.

 

Obtaining a User Certificate

 

The Windows ME VPN networking component and the Microsoft L2TP/IPSec VPN Client are now installed. The next step is to obtain a user certificate the Microsoft L2TP/IPSec VPN Client can use to create L2TP/IPSec connections with the ISA Server firewall/VPN Server.

 

Note:
The Microsoft L2TP/IPSec VPN Client is not required if you wish to create only PPTP connections to the ISA Server firewall/VPN server.

 

There are many ways to obtain a user certificate. The most common scenario is a standalone or enterprise Microsoft Certificate Server located on the internal network, with the Web enrollment site installed on the Certificate Server. We will go through the steps of obtaining a user certificate from the Web enrollment site of a standalone Microsoft Certificate Server running on a Windows Server 2003 machine. Please refer to the ISA Server 2000 VPN Deployment Kit document Installing and Configuring a Windows Server 2003 Standalone Certification Authority for more information on installing and configuring a standalone Microsoft Certificate Server.

 

Note:
In this ISA Server 2000 VPN Deployment Kit document we assume the VPN client requesting the certificate is on the internal network behind the ISA Server. The VPN client computer can also request a certificate from a Certificate Server when the client is located on an external network. You must create a Web or Server Publishing Rule before the external VPN client can obtain a certificate. Please refer to the ISA Server 2000 VPN Deployment Kit document Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List for information on how to publish a Microsoft Certificate Server.

 

Perform the following steps to obtain the user certificate:

 

1.       On the Windows ME computer, open Internet Explorer and type in the URL http://<ip_address>/certsrv or http://<fqdn>/certsrv, where <ip_address> and <fqdn> represent the IP address or Fully Qualified Domain Name of the standalone Microsoft Certificate Server.

2.       On the Microsoft Certificate Services Welcome page (figure 2), click the Request a certificate link.

 

Figure 2 (Fig5)

 

3.       On the Request a Certificate page (figure 3), click the Web Browser Certificate link.

 

Figure 3 (Fig6)

 

4.       Click Yes on the Security Warning dialog box (figure 4) that asks if you want to install and run the Microsoft Certificate Enrollment Control. Click Yes again if the dialog box appears a second time.

 

Figure 4 (Fig7)

 

5.       Type in your user information in the text boxes on the Web Browser Certificate – Identifying Information page (figure 5), then click Submit.

 

Figure 5 (Fig8)

 

6.       Click Yes on the Potential Scripting Violation dialog box that informs you that you should trust the Web enrollment site before continuing.

7.       In this example the standalone Microsoft Certificate Server is using its default settings, which require the certificate request to be approved. We will approve the request at the certificate server before moving to the next step at the VPN client. Please refer to the ISA Server 2000 VPN Deployment Kit document Installing and Configuring a Windows Server 2003 Standalone Certification Authority for information on how to approve certificate requests.

 

Figure 6 (Fig9)

 

8.       Click the Home link on the Certificate Pending page (figure 6). This takes you back to the Welcome page (figure 7). On the Welcome page, click the View the status of a pending certificate request link.

 

Figure 7 (Fig10)

 

9.       On the View the Status of a Pending Certificate Request page (figure 8), click the Web Browser Certificate (Date/Time) link. In this example, the link says Web Browser Certificate (Thursday May 08 2003 8:48:09 AM).

 

Figure 8 (Fig11)

 

10.   On the Certificate Issued page (figure 9), click the Install this certificate link. Click Yes in the Potential Scripting Violation dialog box that warns you that you need to trust the Web enrollment site.

 

Figure 9 (Fig12)

 

11.   Click Yes on the Root Certificate Store dialog box (figure 10). This dialog box tells you that the certificate authority’s self-signed certificate will be added to the trusted root authorities’ certificate store.

 

Figure 10 (Fig13)

 

12.   Close Internet Explorer after you see the Certificate Installed page.

 

Create the PPTP Dial-up Networking Entry

 

The Windows ME client now has the VPN software and the Microsoft L2TP/IPSec client installed. Now we can create the VPN Dial-up Networking connections. Let’s start by creating a PPTP VPN connectoid.

 

Perform the following steps to create the PPTP VPN connectoid:

 

1.       Click Start and point to Programs. Point to Accessories and then point to Communications. Click on Dial-up Networking.

2.       If this is the first time you’ve run Dial-Up Networking on this machine, click Next on the Welcome to Dial-Up Networking dialog box. Otherwise, double click on the Make New Connection icon in the Dial-Up Networking window (figure 11).

 

Figure 11 (Fig25)

 

3.       In the Make New Connection dialog box (figure 12), type in a name for the PPTP VPN connectoid in the Type a name for the computer you are dialing text box. In this example, we’ll call it PPTP VPN. Click the down arrow for the Select a device drop down list box. Select the Microsoft VPN Adapter entry. Click Next.

 

Figure 12 (Fig26)

 

4.       On the Make New Connection page (figure 13), type in an IP address or a FQDN for the ISA Server firewall/VPN server. In this example we’ll use an IP address. If you choose to use a FQDN, make sure that FQDN resolves to the primary IP address on the external interface of the ISA Server firewall/VPN server. The primary IP address is the IP address on the top of the list of addresses bound to the interface. Click Next.

 

Figure 13 (Fig27)

 

5.       Click Finish on the Make New Connection dialog box (figure 14). The PPTP VPN connectoid is placed in the Dial-up Networking folder.

 

Figure 14 (Fig28)

 

6.       Return to the Dial-Up Networking folder and right click on the PPTP VPN connectoid. Click the Properties command (figure 15).

 

Figure 15 (Fig29)

 

7.       Click the Security tab in the PPTP VPN dialog box (figure 16). Place checkmarks in the Require encrypted password and Require data encryption checkboxes. Click OK.

 

Figure 16 (Fig30)

 

8.       Double click on the PPTP VPN connectoid. Type in a user name and password of a user that has Remote Access permission to connect to the VPN server (figure 17).

 

Figure 17 (Fig31)

 

9.       You will see the You are connected to PPTP VPN dialog box when the connection is successful (figure 18). If you right click on the Dial-up networking connection icon in the system tray and click the Status command, you’ll see the Connected to PPTP VPN dialog box. Click the Details button. This dialog box gives you information about the speed of the link, how long the link has been up, and bytes sent and received. You can also see details about the security protocols used in the Protocols list.

 

Figure 18 (Fig32)

 

 

Creating the L2TP/IPSec VPN Dial-up Networking Connection

 

Perform the following steps to create an L2TP/IPSec VPN connection between the Windows ME computer and your ISA Server firewall/VPN server:

 

1.       Click Start and point to Programs. Point to Accessories and then point to Communications. Click on Dial-up Networking.

2.       Double click on the Make New Connection icon in the Dial-Up Networking window.

3.       In the Make New Connection dialog box (figure 19), type in a name for the connectoid in the Type a name for the computer you are dialing text box. Click the down-arrow in the Select a device drop down list box and select the Microsoft L2TP/IPSec VPN Adapter 1 option. Click Next.

 

Figure 19 (Fig33)

 

4.       In the Make New Connection dialog box (figure 20), type in the FQDN or IP address of the ISA Server firewall VPN server in the Host name or IP Address text box. Click Next.

 

Figure 20 (Fig34)

 

5.       Click Finish in the Make New Connection dialog box. The L2TP/IPSec VPN connectoid will be saved in the Dial-Up Networking folder.

6.       Return to the Dial-Up Networking folder and right click on the L2TP-IPSec Dial-up Networking connection icon. Click the Properties command.

7.       Click the Security tab in the L2TP-IPSec VPN dialog box. Place checkmarks in the Require encrypted password and Require data encryption checkboxes. Click OK.

8.       Double click on the L2TP/IPSec connectoid in the Dial-Up Networking folder and enter your credentials (figure 21). Click the Connect button. The L2TP/IPSec VPN connection is established.

 

Figure 21 (Fig35)