Setting Up the Windows NT Workstation 4.0 PPTP and L2TP/IPSec client

Windows NT Workstation 4.0 computers can connect to the ISA Server firewall/VPN server using either PPTP or L2TP/IPSec. The Windows NT Workstation 4.0 computer can use the native PPTP client software included with the operating system to create the PPTP connection, or use the new Microsoft L2TP/IPSec VPN client software to create the L2TP/IPSec link to the ISA Server firewall/VPN server.

The Windows NT 4.0 VPN client described in this ISA Server 2000 VPN Deployment Kit document has been configured with the default operating system installation settings and it has been updated with Windows NT 4.0 Service Pack 6a. All the available updates, as determined by the Windows Update site, have been installed on the Windows NT 4.0 Workstation computer.

You then need to carry out the following procedures to make the Windows NT 4.0 Workstation machine a PPTP and/or L2TP/IPSec VPN client:

  • Install the Remote Access Service
  • Install the PPTP VPN Protocol
  • Install the Microsoft L2TP/IPSec client
  • Obtain a user certificate
  • Create the PPTP Phonebook Entry
  • Create the L2TP/IPSec Phonebook Entry

Install the Remote Access Service and the PPTP VPN Protocol

Perform the following steps to install the Remote Access Service on a Windows NT 4.0 Workstation computer:

  1. Right click on Network Neighborhood and click the Properties command.
  2. Click on the Services tab in the Network dialog box. On the Services tab, click the Add button.
  3. Select the Remote Access Service entry in the Network Service list on the Select Network Service dialog box (figure 1). Click OK.

Figure 1 (Fig36)

  4. In the Windows NT Setup dialog box (figure 2), type in the path to the i386 folder containing the Windows NT Workstation 4.0 setup files. Click Continue after typing in the path.

Figure 2 (Fig37)

  5. Windows NT Workstation 4.0 requires you to have a RAS device installed. You can’t avoid this step, but you can point the installer to a non-existent modem so that you can proceed with installing the VPN RAS devices later. Click Yes in the Remote Access Setup dialog box asking if you want to install a modem. You must click Yes even if you do not have a modem installed on your computer (figure 3).

Figure 3 (Fig38)

  6. In the Install New Modem dialog box (figure 4), put a checkmark in the Don’t detect my modem; I will select it from a list checkbox. Click Next.

Figure 4 (Fig39)

  7. In the Install New Modem dialog box (figure 5), leave the selection in the Manufacturers column at (Standard Modem Types) and select the Standard 14400 bps Modem in the Models list. Click Next.

Figure 5 (Fig40)

  8. In the Install New Modem dialog box (figure 6), select the Selected ports option and then select one of the available COM ports by clicking on the port (such as COM1 or COM2, as shown in figure 6). You must select at least one COM port. You can select any COM port for the non-existent modem that we’re installing in this example. Click Next.

Figure 6 (Fig41)

  9. Click Finish on the page (figure 7) informing you that the modem has been set up successfully.

Figure 7 (Fig42)

  10. Click OK in the Add RAS Device dialog box (figure 8).

Figure 8 (Fig43)

  11. Click Continue in the Remote Access Setup dialog box (figure 9).

Figure 9 (Fig44)

  12. Click Close in the Network dialog box. Click Yes in the Network Settings Change dialog box. This will restart your computer. Log on after restarting the computer.

Installing the PPTP VPN Protocol

Next, you need to install the PPTP VPN Protocol. Perform the following steps to install the PPTP VPN protocol:

  1. Right click on the Network Neighborhood icon on the desktop and click the Properties command.
  2. Click on the Protocols tab in the Network dialog box. Click the Add button on the Protocols tab.
  3. Select the Point to Point Tunneling Protocol in the Select Network Protocol dialog box (figure 10). Click OK.

Figure 10 (Fig45)

  4. In the Windows NT Setup dialog box (figure 11), type the path to the Windows NT Workstation 4.0 setup files in the i386 folder. Click Continue after typing in the path.

Figure 11 (Fig46)

  5. You can select the number of PPTP connections you want to configure on this computer in the PPTP Configuration dialog box (figure 12). For example, if you wanted to connect to three different PPTP servers on the Internet, you would click the down arrow in the drop down list box and select the number 3. In this example, we only want to create a single connection to a single PPTP server, so we’ll select the number 1 for the Number of Virtual Private Networks value. Click OK.

Figure 12 (Fig47)

  6. Click OK in the Setup Message dialog box (figure 13) informing you that the RAS setup process will start. You will configure your PPTP port during this process.

Figure 13 (Fig48)

  7. Click Add in the Remote Access Setup dialog box (figure 14).

Figure 14 (Fig49)

  8. In the Add RAS Device dialog box (figure 15), confirm that VPN1 – RASPPTPM appears in the RAS Capable Devices list box. Click OK.

Figure 15 (Fig50)

  9. Select the VPN1 port in the Remote Access Setup dialog box and click the Configure button (figure 16).

Figure 16 (Fig51)

  10. Select the Dial out only option in the Configure Port Usage dialog box (figure 17) and click OK.

Figure 17 (Fig52)

  11. With the VPN1 entry still selected, click the Network button in the Remote Access Setup dialog box (figure 18). Confirm that only the TCP/IP entry is selected in the Network Configuration dialog box. Click OK in the Network Configuration dialog box. Then click Continue in the Remote Access Setup dialog box.

Figure 18 (Fig53)

  12. You should see the Point to Point Tunneling Protocol entry in the Network dialog box (figure 19). Click Close.

Figure 19 (Fig54)

  13. Click Yes in the Network Settings Change dialog box. This restarts the computer. Log on as an administrator after the computer restarts.
  14. Reinstall Windows NT Service Pack 6a. The Service Pack needs to be applied to update the RAS components that were added from the original Windows NT 4.0 files. The service pack restarts the machine when it finishes installing.

Installing the Microsoft L2TP/IPSec VPN Client Software

Now that the Remote Access Service and the PPTP VPN Protocol are installed, we can install the Microsoft L2TP/IPSec VPN client. Perform the following steps to install the Microsoft L2TP/IPSec VPN client on a Windows NT Workstation 4.0 computer:

  1. Open Internet Explorer and go to http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/l2tpclient.asp to download the Microsoft L2TP/IPSec VPN Client. There is an administrator’s guide for the Microsoft L2TP/IPSec VPN client on this page. You should review the administrator’s guide either before or after installing the software. Click the msl2tp.exe link and download the file to your desktop.
  2. Double click on the msl2tp.exe file on the desktop. Click Yes on the Microsoft L2TP/IPSec VPN Client Setup v1.0 dialog box.
  3. Click Yes in the dialog box to indicate you accept all the terms of the licensing agreement. The MS L2TP/IPSec VPN Client software installs.
  4. The Microsoft L2TP/IPSec VPN Client Setup v1.0 dialog box appears (figure 20) and soon afterward Notepad opens a file named nt40rel.txt. This text file contains instructions for installing the Microsoft L2TP/IPSec VPN client on a Windows NT Workstation 4.0 computer. You can ignore those instructions because you’re reading this document. Click the Add button in the Remote Access Setup dialog box (which has been automatically opened for you).

Figure 20 (Fig55)

  5. In the Add RAS Device dialog box, confirm that the VPN2 – RASL2TPM entry appears and click OK (figure 21).

Figure 21 (Fig56)

  6. Select the VPN2 RASL2TPM entry and click the Configure button on the Remote Access Setup dialog box (figure 22).

Figure 22 (Fig57)

  7. In the Configure Port Usage dialog box (figure 23), select the Dial out only option and click OK.

Figure 23 (Fig58)

  8. With the VPN2 RASL2TPM option selected, click the Network button on the Remote Access Setup dialog box. Confirm that only the TCP/IP checkbox is checked, then click OK (figure 24). Click OK in the Remote Access Setup dialog box.

Figure 24 (Fig59)

  9. Click Yes in the Microsoft L2TP/IPSec VPN Client Setup v1.0 dialog box. This restarts the computer. Log on as an administrator when the computer restarts.

Obtaining a User Certificate

Now that the Remote Access Service, the PPTP VPN Protocol and the Microsoft L2TP/IPSec VPN client are installed, you can obtain a user certificate that you can use to create an L2TP/IPSec VPN connection to the ISA Server firewall/VPN server.

Perform the following steps on the Windows NT Workstation 4.0 computer to obtain the user certificate:

  1. On the Windows NT Workstation 4.0 computer, open Internet Explorer 6.0 and type in the URL http://<ip_address>/certsrv or http://<fqdn>/certsrv, where <ip_address> and <fqdn> represent the IP address and Fully Qualified Domain Name of the standalone Microsoft Certificate Server. In this document we assume that the VPN client is on the internal network behind the ISA Server. The VPN client can request a certificate when it is on an external network only if the Certificate Server has been published to the Internet using either Web or Server Publishing Rules. Please refer to the ISA Server 2000 VPN Deployment Kit document Publishing a Windows Server 2003 Certification Authority Web Enrollment Site and Certificate Revocation List for information on how to publish a Microsoft Certificate Server.
  2. On the Microsoft Certificate Services Welcome page, click the Request a certificate link (figure 25).

Figure 25 (Fig60)

  3. On the Request a Certificate page (figure 26), click the Web Browser Certificate link.

Figure 26 (Fig61)

  4. Put a checkmark in the Always trust content from Microsoft Corporation checkbox, then click Yes in the Security Warning dialog box (figure 27) asking if you want to install and run the Microsoft Certificate Enrollment Control.

Figure 27 (Fig62)

  5. Fill out the information fields on the Web Browser Certificate – Identifying Information page (figure 28), then click Submit. Click Yes in the subsequent Potential Scripting Violation dialog box warning that you need to trust the Web enrollment site.

Figure 28 (Fig63)

  6. Click the Home link on the Certificate Pending page. Make sure you go to the certificate server and approve the request before proceeding. The default configuration of a standalone Microsoft Certificate Server requires that an administrator approve certificate requests. In this example we’ll approve the certificate request before proceeding with the client configuration. For information on how to install and configure a standalone Microsoft Certificate Server, please see the ISA Server 2000 VPN Deployment Kit document Obtaining a Machine Certificate via Web Enrollment from a Windows Server 2003 Standalone CA.
  7. On the Microsoft Certificate Server Welcome page (figure 29), click on the View the status of a pending certificate request link.

Figure 29 (Fig64)

  8. On the View the Status of a Pending Certificate Request page (figure 30), click the link that matches your pending certificate request. In this example, the link says Web Browser Certificate (Thursday May 08 2003 9:17:15 PM).

Figure 30 (Fig65)

  9. On the Certificate Issued page (figure 31), click the Install this certificate link. Click Yes on the Potential Scripting Violation dialog box.

Figure 31 (Fig66)

  10. Click Yes on the Root Certificate Store dialog box (figure 32) informing you that it will add the certificate server’s self-signed certificate to the Windows NT Workstation 4.0 VPN client’s root certificate store.

Figure 32 (Fig67)

  11. Close the browser after you are taken to the Certificate Installed page.

Creating the PPTP Phonebook Entry

Now that all the building blocks are in place, let’s create the PPTP Phonebook entry that you will use to connect to the ISA Server firewall/VPN server. Perform the following steps to create the PPTP connection:

  1. Click Start, point to Programs, point to Accessories and click on Dial-up Networking.
  2. In the Location Information dialog box (figure 33), type in an area code and click Close.

Figure 33 (Fig68)

  3. Click OK in the Dial-Up Networking dialog box (figure 34) informing you that the phonebook is empty.

Figure 34 (Fig69)

  4. On the first page of the New Phonebook Entry Wizard (figure 35), type in a name for the phonebook entry in the Name the new phonebook entry box. Click Next.

Figure 35 (Fig70)

  5. On the Server dialog box (figure 36), do not select any of the options. Click Next.

Figure 36 (Fig71)

  6. In the Modem or Adapter dialog box (figure 37), select the RASPPTPM (VPN1) entry from the Select the modem or adapter this entry will use list. Click Next.

Figure 37 (Fig72)

  7. On the phone number page (figure 38), type in the IP address of the ISA Server firewall/VPN server. You can also use a Fully Qualified Domain Name (FQDN), but the FQDN must resolve to the primary IP address bound to the external interface of the ISA Server firewall/VPN server. The primary IP address is the address at the top of the list of addresses bound to the external interface of the ISA Server firewall/VPN server. In this example we’ll enter the IP address of the server and click Next.

Figure 38 (Fig73)

  8. Click Finish on the last page of the New Phonebook Entry Wizard.
  9. The Dial-up Networking dialog box appears (figure 39). Click the More button and then click the Edit entry and modem properties command.

Figure 39 (Fig74)

  10. In the Edit Phonebook Entry dialog box, click on the Security tab (figure 40). On the Security tab, select the Accept only Microsoft encrypted authentication option, then put a checkmark in the Require data encryption checkbox. Click OK in the Edit Phonebook Entry dialog box.

Figure 40 (Fig75)

  11. Click the Dial button. The connection is established and the dial-up monitor appears in the system tray. You can get more information about the connection by double clicking on the dial-up monitor in the tray. This brings up the Dial-Up Networking Monitor dialog box (figure 41).

Figure 41 (Fig76)

Creating the L2TP/IPSec VPN Phonebook Entry

Perform the following steps to create the L2TP/IPSec VPN connection to the ISA Server firewall/VPN server:

  1. Click Start, point to Programs, and then point to Accessories. Click on Dial-Up Networking.
  2. In the Dial-Up Networking dialog box, click on the New button (figure 42).

Figure 42 (Fig77)

  3. On the first page of the New Phonebook Entry Wizard (figure 43), type a name for the L2TP/IPSec connection in the Name the new phonebook entry text box. Put a checkmark in the I know all about phonebook entries and would rather edit the properties directly checkbox. Click Finish.

Figure 43 (Fig78)

  4. On the New Phonebook Entry dialog box (figure 44), click the down arrow in the Dial using drop down list box and select the RASL2TPM (VPN1) entry. In the Phone number text box, type in the IP address of the ISA Server firewall/VPN server.

Figure 44 (Fig79)

  5. Click on the Security tab (figure 45). Select the Accept only Microsoft encrypted authentication option. Put a checkmark in the Require data encryption checkbox. Click OK.

Figure 45 (Fig80)

  6. In the Dial-Up Networking dialog box (figure 46), click the Dial button.

Figure 46 (Fig81)

  7. Enter a User name, Password and Domain (figure 47). Click OK.

Figure 47 (Fig82)

  8. You can double click on the dial-up networking monitor in the system tray to see details of the connection (figure 48).

Figure 48 (Fig83)

Note:
If you have problems establishing either an L2TP/IPSec or PPTP connection, try reapplying Service Pack 6a. Make sure you reapply the high encryption version of Windows NT 4.0 Service Pack 6a if you want 128-bit encryption for your VPN connections to the ISA Server firewall/VPN server. If you use the low encryption version of the service pack, you will not be able to use PPTP to connect to the ISA Server firewall/VPN server.