
Ryan Bass

In this article, Quản Trị Mạng walks through the basic steps for deploying remote-access VPN.

The first thing to decide before building a Windows VPN server is whether to use Microsoft's Internet Authentication Service (IAS) to authenticate users connecting to the VPN. IAS is Microsoft's implementation of RADIUS. When you build a VPN server, you can have it check users' credentials against IAS, or you can have users authenticated directly against Active Directory (AD).

IAS offers several benefits. First, it has better access logging capabilities, including sending data directly to a SQL database. Second, IAS provides a central point to which you can direct several VPN servers. This lets you maintain a single set of remote access policies that all the VPN servers can use. This article does not go into much detail about remote access policies, but they are described here as an effective way to determine who is allowed VPN access.

Assuming IAS is your choice for authentication, let's look at configuring the IAS server. Follow the steps below to install the IAS server. If hardware is limited, IAS can be installed on the same server that you use for VPN access (note that doing so is not a secure practice).

Figure 1

1. Start → Control Panel → Add or Remove Programs → Add/Remove Windows Components → Networking Services → Details... → Internet Authentication Service

2. Start → Administrative Tools → Internet Authentication Service → right-click Internet Authentication Service (local) → Register Server in Active Directory
3. Start → Administrative Tools → Internet Authentication Service → Remote Access Logging → choose the options you want.
4. Start → Administrative Tools → Internet Authentication Service → right-click RADIUS Clients → New RADIUS Client → enter the appropriate information for the VPN server (you will be asked for a shared secret; choose one and keep it, because it is needed again later)
5. If a firewall is enabled on the IAS server, make sure UDP port 1812 from the VPN server is not blocked.

Open the IAS administration console and follow these steps to add a remote access policy that grants access to users in a specific AD group (the two defaults do not allow anyone to access the VPN server).

Figure 2

1. Start → Administrative Tools → Internet Authentication Service → right-click Remote Access Policies → New Remote Access Policy
2. Choose a name → Next
3. Select VPN → Next

4. Click Add...
5. Click Locations... and select the domain
6. Add MyVPNaccessGroup → Next
7. Leave MS-CHAPv2 as the only selected option → Next
8. Leave "Strongest encryption" as the only selected option → Next → Finish

Finally, you need to update the remote access policy to protect against dangerous computers on the remote user's network using the VPN connection to route packets through the VPN server. Follow these steps:

Start → Administrative Tools → Internet Authentication Service → Remote Access Policies → right-click the new policy and choose Properties → click Edit Profile... → select the IP tab → Input Filters... → New... → OK → click "Permit only the packets listed below" → OK → OK → OK

The IAS server is now ready to receive authentication requests from the VPN server. Before you configure a VPN server, consider these essential requirements for the VPN server:

1. Install two network interface cards (NICs) in the VPN server, one connected to the protected internal network and the other connected to the DMZ or a publicly accessible network (the external NIC).
2. Do not configure DNS or WINS on the external NIC.
3. Do not define a default gateway on the internal NIC; define a single gateway only, on the external NIC.

These are the steps needed to configure each VPN server:

1. Start → Administrative Tools → Services → stop the "Windows Firewall/Internet Connection Sharing" service and set its startup type to Disabled
2. Start → Administrative Tools → Routing and Remote Access
3. Right-click the server name, then click Configure and Enable Routing and Remote Access (the firewall service must not be running)
4. Select Remote Access → Next → select VPN → Next
5. Select the external NIC (note the "Enable security..." check box) → Next

6. Select the internal NIC → Next
7. Choose "Automatically" or "From a specified range of addresses" (this procedure uses the second option) → Next
8. Click New... → enter a range of IP addresses → OK → Next
9. Select "Yes, set up this server to work with a RADIUS server" → Next
10. Enter the IAS server and the shared secret → Next → Finish
11. Routing and Remote Access → YOURSERVER → IP Routing → DHCP Relay Agent → add the IP address of a DHCP server to the DHCP Relay Agent configuration (note that the DHCP server is needed to return information such as the default domain, but it should not hand out any IP addresses, because the addresses are assigned statically)
12. If the internal network consists of a single network, you are done! Otherwise, a route needs to be added so that clients can reach the other internal networks. Routing and Remote Access → YOURSERVER → IP Routing → right-click Static Routes → New Static Route... → enter a route for traffic to any subnets in the network. The simplest approach is to direct all traffic to the default gateway that the internal NIC is using.

Next, you need to set up a VPN connection from the client. These are the steps on Windows XP:

Start → Control Panel → Network Connections → Create a new connection → Next → Connect to the network at my workplace → Next → Virtual Private Network connection → Next → choose a name → Next → you may want to select "Do not dial the initial connection" → Next → enter the host name or IP address of the VPN server → Next → choose who the connection is created for → Next → Finish

You should then double-click the VPN connection you just created and log in with a user account that is a member of the group allowed access by the remote access policy created above.

Note that while connected to the VPN you cannot access the Internet. This is an issue that needs careful consideration, and the solution depends on the network topology. One obstacle is the IP filters that Routing and Remote Access created on the external NIC. You can configure them under Routing and Remote Access → YOURSERVER → IP Routing → General → right-click the external interface and choose Properties → click the Inbound Filters or Outbound Filters button. Be careful when changing these filters, because they were set up as a security measure.

This is how to configure a split tunnel as opposed to a full tunnel:

Start → Control Panel → Network Connections → right-click the VPN connection → Properties

→ select the Networking tab → select Internet Protocol (TCP/IP) → Properties → Advanced... → select or clear "Use Default Gateway On Remote Network". Clearing this option creates a split tunnel the next time you connect to the VPN, and selecting it creates a full tunnel.

This is how you can force connections to use one of the two options, PPTP or L2TP/IPSec (note that L2TP/IPSec requires certificates):

Start → Control Panel → Network Connections → right-click the VPN connection → Properties → select the Networking tab → change the VPN type.

Here are two final pieces of information that are useful when running a Windows VPN server:

1) The user account settings on the Dial-up tab of an AD user object can override the remote access policy settings created on the IAS server.
2) Windows Server 2003 Standard edition supports fewer than 1000 connections.
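The "Use Default Gateway On Remote Network" setting described above is visible in the client's routing table, so the tunnel mode can be audited from `route print` output. The following is an added example, not part of the original article: the sample routing tables, the 10.10.0.0/24 address range and the function names are constructed for illustration, and the range is assumed to be the one entered in step 8 of the VPN server configuration.

```python
import ipaddress

# Constructed `route print` excerpts (Windows XP column layout), not captured output.
FULL_TUNNEL = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.50       21
          0.0.0.0          0.0.0.0      10.10.0.101    10.10.0.101        1
         10.0.0.0        255.0.0.0      10.10.0.101    10.10.0.101        1
"""
SPLIT_TUNNEL = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.50       20
         10.0.0.0        255.0.0.0      10.10.0.101    10.10.0.101        1
      192.168.1.0    255.255.255.0     192.168.1.50   192.168.1.50       20
"""
NO_VPN = "0.0.0.0  0.0.0.0  192.168.1.1  192.168.1.50  20\n"
VPN_POOL = "10.10.0.0/24"  # assumed static range handed out by the VPN server

def parse_routes(text):
    """Return (network, interface, metric) for every IPv4 route row."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # header and blank lines
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[1]}")
            routes.append((net, ipaddress.ip_address(cols[3]), int(cols[4])))
        except ValueError:
            continue  # row that is not an IPv4 route
    return routes

def classify_tunnel(route_print_text, vpn_pool=VPN_POOL):
    """Report 'full', 'split', 'vpn-down' or 'no-default-route'."""
    pool = ipaddress.ip_network(vpn_pool)
    routes = parse_routes(route_print_text)
    if not any(iface in pool for _, iface, _ in routes):
        return "vpn-down"  # no route uses a VPN-assigned interface address
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if not defaults:
        return "no-default-route"
    # The lowest-metric default route carries Internet-bound traffic.
    _, iface, _ = min(defaults, key=lambda r: r[2])
    return "full" if iface in pool else "split"

if __name__ == "__main__":
    for name in ("FULL_TUNNEL", "SPLIT_TUNNEL", "NO_VPN"):
        print(name, "->", classify_tunnel(globals()[name]))
```

A "split" result means the client's Internet-bound traffic bypasses the VPN server, so the filters on the external NIC do not apply to it.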
