Full of I.T.

Kevin Remde's IT Pro WebLog

Windows Server 2003 Administration Webcast Series (Part 10 – VPN and RAS) Q-and-A

Here is this week’s “best of” Q&A log from the webcast.  Sincere thanks again to my teammates for doing such a great job helping to answer questions!  I give them the bulk of the credit for the information in this document.  You guys are the best!

Also, I want to make sure you also have the link to the Session Resources I posted for Part 10, and the homework assignment.

Part 10 Questions and Answers:

“Who’s serving the popcorn?”

Yum… I don’t know.  I can’t smell it on my end.


“I hear a country station, is that normal?”

Um… let’s see… how do I answer this without offending Country Music fans?  <chuckle>   I think I’ll just not say anything.


“Kevin, out of all the presenters I’ve heard, you provide clear on-point info, and your presenting is top notch!!!! GJ”

I know you can’t see it now, but I’m blushing.   Thanks!


“Is the Connection Manager in SBS 2003 basically a VPN connection?”

Connection Manager is the package that allows you to install the client side of a connection – It will help you set up a VPN among many other connectivity options.


“Using ISA 2004 and AD can I restrict what servers a remote client can access?”

Yes you can.


“Can I use IAS authentication without active directory?”

Check out this great resource on IAS:


“Why does the VPN disconnect after about 3 minutes when connecting from an XP-SP2 machine?”

Do you have the VPN connection setting set to disconnect after three minutes of inactivity?  If so, then after 3 minutes of doing nothing on the connection, it would disconnect.


“Well I create an entry in DNS to redirect www to other machine inside the network which has the company website.”

If this server on the internal side of the network is not accessible from the Internet, then users coming from the Internet will fail.


“For the umpteenth time I had problems connecting to these webcasts. I missed the beginning and effectively missed the whole webcast. I have wasted my time again fighting the system. This is getting beyond serious – to being utterly ridiculous!!!”

I agree wholeheartedly.  We’re very sorry for the troubles these issues have caused.  You are right, it is inexcusable.  I encourage you to please visit this link to report these issues and voice your opinions:   http://register.microsoft.com/contactus30/contactus.asp?domain=multimedia/webcast


“How much overhead in the protocol is estimated for the Microsoft VPN flavor?”

There is no specific number on this but PPTP has less overhead than L2TP.  The reason there is no specific information is because hardware and connections are so varied.


“Has MPPE-128 been cracked?”

Not that I’m aware of.


“Certainly software based solutions generate more overhead than hardware based solutions. I was just curious on the overhead for Microsoft’s version. Thanks”

We have always seen great performance and very little overhead.  As a previous network engineer for Microsoft, I have never seen a limit hit.


“Is there a step-by-step guide for setup of L2TP with IPSec?  Is there a step-by-step guide to setting up an L2TP VPN with IPSec on a Windows 2003 Server?”

To use different pre-shared keys for all L2TP over IPSec router-to-router VPN connections, configure the following…see http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/intwork/inbe_vpn_qaax.asp


“The wire server room is used a lot by you guys. Don’t you have other pictures?”

Yes, we have a few, but that is by far one of our favorites because we can relate, as we hope you can too.  I guess I’ll use it a little less often now. <sigh>


“Can I save this event for resume later?”

You can download and view the event later.


“Is the following correct: VPN can accept 11 connections? If you need more create another VPN object?”

No, VPN can accept much more than 11 connections. If you have configured it to be limited to 11, then you are more than welcome to increase the limit. 


“Is VPN in sbs2003?”

Yes, it is exactly the same as in a regular server.  But one drawback is managing the VPN endpoint on a DC.   That is a security risk.  I would recommend one NIC and a router that allows PPTP (GRE and 1433) or L2TP NAT traversal to the one internal address.


“Where I can download the event?”

You will be receiving an email tomorrow with links to download.


“Is VPN preferable over Terminal Services for remote access?”

Both have a high level of encryption. VPN with RDP would be the most secure.

“Why are there two VPN servers? Is this another office? I thought you just need one.”

I think what you were seeing there was the use of VPN for a site-to-site connection – so instead of it just being an employee connecting to the office, it’s also used for connecting one office to another, with two VPN servers on either side of the pipe.


“Has PPTP been broken?”

I do believe that was the case back in the Windows 95 / 98 heyday (1999).  However, updated DUN components were released for W9x to address this. Windows 2000, XP and 2003 are not susceptible to this (to the best of my knowledge).



Thanks for coming!  Any questions are good questions!


“Are there any webcasts coming on ms cluster services?”

There was one done last Friday (April 8, 2005) with Clustering and SQL – Other than that one try searching on Clustering at http://www.microsoft.com/webcasts


“Was presenter referring 11 connections limit to something else or I have misunderstood?”

At that point I was just talking about the demo systems and the configuration implemented.


“I understood that UDP is not as reliable as TCP so, can you use TCP with L2TP?”

Yes. L2TP is only the tunneling protocol; whatever packets, TCP or UDP, are then sent over that.


“Is there a step-by-step guide for setup of L2TP with IPSec?  Is there a step-by-step guide to setting up an L2TP VPN with IPSec on a Windows 2003 Server?  RE: Step-by-step Guide for L2tP/IPSec – How about using certificates instead of pre-shared keys – can that be done? Is there a step-by-step?”

Might start here – http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/l2tpclientadmin.asp


“If they (hackers, listeners) go to that extent, don’t you think they will find another way to get in (listen).  I just find it amusing that anyone would make a VPN on a dial-up connection.”

Well.. consider this scenario: Someone only has dialup for Internet Access (Netscape, Net Zero, EarthLink, whatever) at home, but their employer has only set up Internet VPN access which this person will need to use.  So – they’re doing VPN over the Internet, but via their dialup connection.  In fact, I was doing this very thing for at least a year before I had high-speed access at home.


“If PPTP is only set on the RRAS server is there any benefit to selecting automatic on type of VPN?”

If you mean the client, then yes, auto is fine.  It will try both.


“When you create a VPN connection is there a way to keep a connection to the local network?”

Once you’ve created your VPN connection you’re still on the local network. You’re given a new IP address for the destination network, but you have two IP addresses: one for the local network and one for the VPN network.  Now.. that doesn’t mean that your default gateway for Internet Access hasn’t changed.  That’s another issue.


“For VPNs, for which firewall ports do I need to configure an allow policy?”

PPTP is 1723 and the GRE protocol 47. Most routers will not work with L2TP.

“What happens if both local networks have the same local IP configs. ie: both are 192.168.0.x?”

There is no way to route between them if both networks are the same.


“Do you need to put an ACL on your firewall to allow a VPN that you have set up on your DC and workstation?”

You have to allow 1723 and GRE


“Is there a good way to export and import large amount of RADIUS clients?”

How to Add and Remove Radius Clients, see http://www.microsoft.com/technet/security/topics/cryptographyetc/secmod190.mspx


“What does RADIUS stand for?”

Remote Authentication Dial-In User Service (RADIUS)


“What’s the RADIUS port(s)?”

RADIUS messages are sent as User Datagram Protocol (UDP) messages. UDP port 1812 is used for RADIUS authentication messages and UDP port 1813 is used for RADIUS accounting messages. Some network access servers might use UDP port 1645 for RADIUS authentication messages and UDP port 1646 for RADIUS accounting messages. By default, IAS supports receiving RADIUS messages destined to both sets of UDP ports. For information about changing the UDP ports that are used by IAS, see Configure IAS port information. Only one RADIUS message is included in the UDP payload of a RADIUS packet.
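
The port roles and the one-message-per-datagram rule in the answer above can be checked on captured traffic. The following is an added example, not part of the original Q&A or any Microsoft tool: it parses the 20-byte RADIUS header (layout and codes per RFC 2865/2866) and flags payloads that do not fit the port they were sent to. The function names and sample packets are constructed for illustration.

```python
import struct

# Port roles as stated in the answer above (IAS listens on both sets by default).
AUTH_PORTS = {1812, 1645}
ACCT_PORTS = {1813, 1646}

# Packet codes from RFC 2865 / RFC 2866.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
ACCT_CODES = {4, 5}


def inspect_radius(server_port, payload):
    """Parse the 20-byte RADIUS header of one UDP payload and list anomalies."""
    if server_port in AUTH_PORTS:
        role = "authentication"
    elif server_port in ACCT_PORTS:
        role = "accounting"
    else:
        return {"role": None, "issues": ["not a RADIUS port"]}
    if len(payload) < 20:
        return {"role": role, "issues": ["shorter than the 20-byte header"]}
    code, ident, length = struct.unpack("!BBH", payload[:4])
    issues = []
    if code not in CODES:
        issues.append("unknown code")
    elif (code in ACCT_CODES) != (role == "accounting"):
        issues.append("code does not match port role")
    if length < 20 or length > 4096:
        issues.append("length field out of range")
    elif length > len(payload):
        issues.append("truncated: length field exceeds payload")
    elif length < len(payload):
        # One message per datagram: extra octets are padding, not a second message.
        issues.append("trailing octets after message")
    return {"role": role, "code": CODES.get(code, code), "id": ident,
            "length": length, "issues": issues}


def make_packet(code, ident, attrs=b""):
    """Build a constructed sample packet with a zeroed authenticator."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    # Constructed samples: User-Name attribute (type 1) carrying "alice".
    req = make_packet(1, 7, b"\x01\x07alice")
    for port, data in [(1812, req), (1646, req), (1813, make_packet(4, 8) + b"\x00\x00")]:
        print(port, inspect_radius(port, data))
```
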


“Why won’t most routers work with L2TP and what can you do, if anything, to work around this? What about PPTP?”

Until 2003 there was no way to get through NAT with IPSec or L2TP.  Most companies use NAT to allow them to address their internal network in a way that doesn’t require large numbers of valid external IP addresses to be used internally.  These L2TP connections are UDP connections usually over port 500. You have to make sure you have a router that can perform and allow NAT traversal back to your VPN server. It is in most newer routers.


“How much RAM does the machine hosting the virtual machines have?”

My laptop has a total of 2 GB of physical RAM.  The virtual machines I am running for this series are configured to use 512MB, 512MB, and 256MB (two servers and an XP Pro Client).


“Is there information configuring radius for use with a wireless access point?”

A RADIUS client (typically a dial-up server, VPN server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. The RADIUS server authenticates and authorizes the RADIUS client request, and sends back a RADIUS message response. RADIUS clients also send RADIUS accounting messages to RADIUS servers. Additionally, the RADIUS standards support the use of RADIUS proxies. A RADIUS proxy is a computer that forwards RADIUS messages between RADIUS-enabled computers. See


“To all you out there configuring an ISA… Unplug your connection to the Internet until your ISA is configured. I was hacked between the time I configured the NIC and the ISA server. This was a timeframe less than 10 mins.”

Good point.  And a good indication of the state of things today.  NEVER connect a server or any PC directly to the Internet without first protecting it in some way.  In your case, with your new server that is eventually going to be a firewall, you ran into something that is all too common.  It takes now on average only 20 minutes for an unprotected machine to become infected.  That is EXACTLY why we’re including things like Post Setup Security Update (PSSU) functions in Windows Server 2003 SP1 – installing the Windows Firewall and locking down external access until the machine is configured and up-to-date with the latest security updates.


“Thanks.  I think I’ll see the recording.  When will this be available?  It`s 23.00 in Norway.  Must get sleep :-)”

Thanks for staying up for us!


“I thought it was not a good practice to run RRAS or IAS on a domain controller.”

Generally speaking, yes.  For our demos, we tend to “break” a lot of the best practices rules due to limitations on number of virtual machines we can run effectively in one session.


“OK Thanks. You guys are great.”

Thanks for attending.  Always a pleasure to help.


“Can you specify a backup RADIUS server?”

Check out – http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/54f4f112-d473-4b18-9501-53e92c5d4467.mspx


“1. Install 2003 server. 2. Configure NIC 3. Get hacked 4. Install ISA Server. Between 3 and 4 you are totally exposed, right?!”


If you are connected to the Internet during this installation process; yes, that is correct. If you were installing Windows 2003 with SP1 (slipstreamed), then the Firewall service would come active immediately to prevent step 3.  (See my PSSU comment earlier) 
However, I would highly recommend that you install your servers without direct connectivity to the Internet until you’ve fully configured and secured it.


“Will there be a webcast on wireless w/certificate services for windows 2003?”

None currently planned that I’m aware of.


“Can I make this work with a Cisco router?”

As long as your router is up to date, PPTP is easy and L2TP is dependent on you having 2003 server and the ability for the router to pass L2TP.



[bow]  Thanks!


“Thank you ….when does this whole series repeat?”

You will be able to view or download the webcasts from this series anytime you want.


“My Cisco router has no firewall, but NAT is enabled. Is this a problem for L2TP?”

You will need to find out if it has the ability to allow L2TP traffic to pass through.


“I received an invitation to attend TechEd Europe in Amsterdam.  Is this worth the money?”

TechEd is a very informative conference.  And I am one of the biggest fans of TechEd you’re going to meet.  One other noteworthy item is that our people in the product groups are GOALED on attending TechEd and a couple of conferences. Therefore I do believe it would be worth your time.


“Netopia made it sound like I need their router for a VPN, not true?”

Netopia offers a hardware based VPN solution.  You can buy that, or you can go with a software solution such as the RRAS that’s already included in Windows Server 2003.


“I may be a little slow here, but what is the advantage of setting up a RADIUS server vs just VPN connections?”

RADIUS is just another way to authenticate users.  It is a standard for both authentication and authorization, as well as accounting.  Being standard, it can be used by many different hardware and software devices requiring authentication.  And if it’s Microsoft’s IAS, it’s also able to use Active Directory accounts for that authentication.  And it can be a central authorization point for RAS servers with common Remote Access policies being managed there.


“I was thinking about choose the RAS client by IP or DNS”

I’m not sure what you were asking, but you may be referring to the demo where I configured the VPN client to connect to the external IP address of the VPN Server.  Yes, if you want, you could also have a name defined for that address and as long as DNS is able to resolve it, you can add that in the connection parameters as well.


“Would running remote desktop connections through a VPN be a good practice or is that just a redundant level of security?”

Redundancy is always good – especially in Security. But if you are assured of an encrypted connection for RDP, you are safe.


“Is this correct – A person is using a WiFi and VPN into a network. Is the Internet controlled by VPN network permissions or by the WiFi provider?”

Completely by the VPN.  WiFi would only be a concern if it was actually a connection on your internal network, then you would not need VPN.

“Can Kevin share those funny pictures with us?”



Have a great day!