Your Own [Virtual] Private Network!
Remote connectivity. These are buzz words for the future of law practice. As recently as ten years ago, if an attorney wanted to do work at home he had to take his work home with him in his briefcase. The only other alternative for working after hours was to remain at the office. Gurus tell us that in the future we will have all of the resources of our law office at our fingertips 24 hours a day no matter where we are. If you have the proper hardware and software, the future, for you, may be now!
The virtual private network (VPN) is a term that many of you may not have heard of. Although this may be a somewhat obscure term, it describes a relatively simple concept which may hold the key to the future of law practice for many firms. There are two scenarios wherein the virtual private network will play a major role. The first scenario is the attorney who wishes to connect to his office network from his house or from another remote location. The second involves the law firm which needs to connect two or more branch office locations. The majority of this article will deal with the first scenario: the remote user.
Remote Access Today
Surveys tell us that the majority of small and medium size law firms have no remote access to their computers or network. Those who do probably rely on a product such as PCanywhere or CarbonCopy for their remote access needs. These products are known as remote control software. They do not allow you to actually access your network from a remote location. Instead, they show a picture of the host screen on the remote computer and act as a conduit for transferring key strokes from the remote computer to the host. No data is actually transmitted across the phone lines in this sort of connection. The benefit of such a system is primarily speed; since the only things passing across the phone line are key strokes and a picture of the host computer screen, these programs produce a relatively fast connection. The main disadvantage of this system is that its capabilities are extremely limited. Another disadvantage is the fact that during a remote control session, the host computer is unavailable for work locally. If the remote user is out of the local calling area, he or she also incurs the additional expense of a long-distance phone call to make the connection. The virtual private network overcomes all of these disadvantages.
Prerequisite: Windows NT Server 4.0
Before we go any further, I need to tell you what the virtual private network requires. The first and foremost requirement is a Windows NT 4.0 server. At this point in time, neither Novell nor any other server will work. Other requirements include an Internet connection on both the server and a client side. Strictly speaking, the virtual private network works much better with a dedicated connection to the Internet from the server, but there is a way to work around this which I will explain later. From the client side, a standard dial up Internet connection is sufficient. However, it is strongly recommended that the speed of this connection be 28.8 or greater. The client can run Windows 95, Windows NT workstation, or Windows for Workgroups. The connection is possible with Windows 3.1, but you must first download additional software from the Microsoft web site [http://www.microsoft.com]. In fact, many Windows 95 users may have to download the Dial-up-Networking [free] upgrade from the Microsoft web site. The upgrade installs support for the Point-to-Point Tunneling Protocol (PPTP) which is the heart of the VPN. Here is how you can tell if your Win95 computer requires the upgrade: When you connect to the Internet, what appears in the system tray at the bottom of your screen? If a small graphic representation of two computers connected appears, you already have the upgrade; if a small graphic representation of a modem with two lights appears, you need to upgrade. At this point, I will also mention that you need to have the latest Service Pack from Microsoft's web site installed on your NT server as well. In the original version of PPTP that shipped with NT Server 4.0, there was a security gap. The Service Pack fixes this problem. But more about security later…
The virtual private network takes advantage of that large free network: the Internet. OK, it's not exactly free, but at least you are not responsible for its maintenance and upkeep! With your Windows NT server connected to the Internet, you can access your office network via a local phone call anywhere in the world you can access your Internet service provider locally.
Connection Types
As I stated earlier, the VPN works much better when your server has a dedicated Internet connection. At this point, you are probably thinking that the cost of setting this up will be prohibitive. This is not necessarily the case. A T-1 connection to the Internet, which is what many large companies have, will cost around $1500-$2000 per month. But most law firms do not need anything close to this sort of connection. In many cases, a normal 33.6 analog connection will suffice. The typical cost from an Internet Service Provider (ISP) for a dedicated 33.6 connection will range from $50 to $125 per month. For this kind of connection, you do not need any special phone lines, so add about $30-$40 per month for the line. You could conceivably establish your Internet connection for less than $100 per month.
If cost is your controlling factor, the analog 33.6 connection may be sufficient for you. However, with a little more outlay, you could significantly improve your setup through the use of ISDN. ISDN will give you a true 64k digital connection. In addition to being more than twice as fast as the typical dial-up connection, digital connections generally do not experience any of the line noise, connection problems or dropped carriers which are all too frequent with analog. The familiar ritual we all hear when we initiate a dial-up connection, which takes anywhere from 15-45 seconds, takes approximately 2-3 seconds with a digital line. In the Raleigh area, basic ISDN lines cost about $75 per month, but include two phone numbers, in essence giving you two lines. Only one of these numbers will be the 64k digital ISDN connection; the other will be basically a standard phone line [this is not exactly true, but close enough for purposes of this article; it is also possible to have two 64k channels and bind them together for a 128k digital connection, but this is also beyond the scope of this article.] Dedicated Internet connections at 64k ISDN typically range from $150 to $300 per month from ISPs.
If your firm chose to go the ISDN route, your dedicated connection would be of sufficient bandwidth to support not only your VPN, but also firm-wide e-mail. An ISDN connection could comfortably support 3-4 users simultaneously browsing the web. You could conceivably host your firm's web site on your own machine if you had an ISDN connection; however, if your traffic volume is very heavy, things could really slow down. I know of several sites which are hosted via 64k ISDN connections to the Internet and they all perform well. None of them, however, has more than 1000 hits per month. If you have a busy site or if you are just getting started, you should probably opt for a commercial web-site hosting service.
The main drawback of ISDN is that it is not universally available. Some telephone company central office (CO) switching equipment simply does not support ISDN. Other companies may have it available, but just not at your house or office. A multitude of factors control whether ISDN is available at your particular location. The only way to find out for certain is to call your local phone company.
Static IP Address
Once you decide which type of connection you want for your VPN, the next step is to contact your ISP and establish your dedicated service. I stated earlier that it is much easier to work with a dedicated connection. Actually, it is not enough to have a dedicated connection; you also need a static IP address. An IP address is a station's address on the network. An IP address is a 32-bit number, written as up to 12 decimal digits, and is a unique code assigned to every network card. An example is 225.102.135.4. In the typical dial-up Internet connection scenario, your computer is dynamically assigned an IP address by the ISP server every time you connect. This number is usually not the same each time. For VPN purposes, it is very important that this number always be the same so that remote connections can find the server. Now, you are ready to install PPTP on your Windows NT server!
Installing PPTP Protocol on a Windows NT Server 4.0
To install the PPTP protocol on a computer running Windows NT Server version 4.0
1. Click Start, point to Settings, and click Control Panel.
2. Double-click Network in Control Panel.
3. Click the Protocols tab, and then click Add to display the Select Network Protocol dialog box. The Select Network Protocol dialog box is illustrated in the following figure.

Figure 1 - Selecting the PPTP network protocol
4. Select Point To Point Tunneling Protocol and click OK.
5. Type the drive and directory location of your Windows NT Server version 4.0 installation files in the Windows NT Setup dialog box, and then click Continue. The PPTP files are copied from the installation directory, and the PPTP Configuration dialog box appears, as shown in the following figure.

Figure 2 - Configuring the number of VPN devices for the PPTP server
6. Click the Number of Virtual Private Networks drop-down arrow to select the number of simultaneous VPNs you want the server to support. You can select a number between 1 and 256. Typically, multiple VPNs are installed on a PPTP server to enable multiple clients to connect simultaneously to the PPTP server. The server can be configured to support a maximum number of 256 simultaneous VPN connections.
7. Click OK, and then click OK again in the Setup Message dialog box.
8. In the Remote Access Setup dialog box you can do either of the following:
a) Temporarily stop installation of PPTP by clicking Cancel, closing Network, and shutting down and restarting the computer. Note that you must perform the procedure described in the following section "Adding VPN Devices as RAS Ports on a PPTP Server" to complete installation of PPTP.
b) Continue installation of PPTP by clicking Add to add the VPN devices installed with PPTP to RAS. (See step 5 of the following procedure.)
Adding VPN Devices as RAS Ports on a PPTP Server
After installing PPTP, you must add the VPN devices to RAS. Follow these steps to add VPN devices on a computer running Windows NT Server version 4.0.
To configure VPN devices on the PPTP server
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Network in Control Panel.
3. Click the Services tab and select Remote Access Service.
4. Click Properties to display the Remote Access Setup dialog box.
5. Click Add. The Add RAS Device dialog box appears, as shown in the following figure.

Figure 3 - Adding the VPN devices to RAS on the PPTP server
6. Click the RAS Capable Devices list arrow to display VPN devices that must be added and configured as a port and device in RAS.
7. Select a VPN device and click OK. Repeat steps 5, 6, and 7 until all the VPNs are added to the Remote Access Setup dialog box.
8. Select a VPN port and click Configure. Verify that the Receive calls only option in the Port Usage dialog box is selected and then click OK to return to the Remote Access Setup dialog box. (If you also use this server as a PPTP client and want to use this VPN device to dial out as a PPTP device, select Dial-out.)
9. Repeat the last step for each VPN device that is displayed in the Remote Access Setup dialog box. (By default, VPN devices on a computer running Windows NT Server version 4.0 are automatically configured with the Receive calls only option, but you should verify this configuration.)
10. Click Network to display the Network Configuration dialog box. Verify that only TCP/IP is checked in the Server Settings box in the Network Configuration dialog box. Click OK to return to the Remote Access Setup dialog box.
11. Click Continue.
12. Close Network, shut down, and then restart the computer.
Configuring PPTP Server Encryption and Authentication Options
This section provides procedures and information about configuring a PPTP server. This involves three steps:
Encrypting data sent over the Internet
Accepting only PPTP packets from the Internet
Accessing a private network
Configuring Server Encryption for PPTP
The encryption of data is performed by the remote access protocol, PPP. You enable encryption by configuring each VPN device that was added and configured in RAS. This configuration is identical to configuring encryption for other RAS devices, such as a modem.
To enable encryption on a VPN device on the PPTP server
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Network in Control Panel.
3. Click the Services tab and select Remote Access Service.
4. Click Properties to display the Remote Access Setup dialog box (shown below).

Figure 4 - Selecting a VPN device for encryption on the PPTP server
5. Select a VPN device for which you want to enable encryption, and then click Network. The Network Configuration dialog box appears.

Figure 5 - Configuring the VPN device with encryption on the PPTP server
6. Select Require Microsoft encrypted authentication and Require data encryption. This configures RAS and PPP to enforce Windows NT-based authentication of all remote clients connecting to the PPTP server.
7. Click OK to return to the Remote Access Setup dialog box.
8. Click Continue.
9. Close Network, shut down, and then restart the computer.
Installing PPTP on a Remote Client Running Windows 95
Now it is time to install support for PPTP on the client, or remote computer, side. For this example, we will assume the client is running Windows 95 [REMEMBER: For Windows 95, you must have previously installed the dial-up networking 1.2 upgrade!]:
To create a new ISP entry by using the Make New Connection wizard
Click Start, point to Programs, point to Accessories, and then click Dial-Up Networking. The Dial-Up Networking window appears.
Click Make New Connection. The Make New Connection wizard appears.
Click Next. The following screen appears.

Figure 6 - Creating a connection to an ISP
Type a name for the connection, such as the name of your ISP, in Type a name for the computer you are dialing.
Select your modem device in Select a modem, and then click Next. The following screen appears.

Figure 7 - Adding a phone number to the ISP connection
Type the ISP phone number in Telephone number.
Click Next, and then click Finish. A connection icon is created in the Dial-Up Networking folder, as shown in the following figure.

Figure 8 - Example icon for an ISP connection
Verify your connection by using the following procedure.
To verify or edit your ISP connection
In My Computer, right-click the connection icon in the Dial-Up Networking folder, and then click Properties to verify that your ISP connection is correctly configured. The following dialog box appears.

Figure 9 - Verifying the basic configuration of the ISP connection
Review the information on the General tab to ensure that the phone number is correct and that the correct modem or ISDN device is selected. Make any necessary changes.
Click the Server Types tab. The Server Types tab is illustrated in the following figure.

Figure 10 - Verifying the network configuration of the ISP connection
Review the information on the Server Types tab to verify that the Type of Dial-Up Server box displays "PPP: Windows 95, Windows NT 3.5, Internet."
In the Advanced options box, clear the Log on to the network checkbox. This option is not necessary for ISP connections, and clearing it will enable you to connect to your ISP more quickly.
Note
You do not generally need to change the Enable software compression or Require encrypted password options.
In the Allowed network protocols box, ensure that TCP/IP is selected and that the other network protocols are not selected. Canceling the selection of other network protocols will enable you to connect to your ISP more quickly.
Click TCP/IP Settings to display the PPP TCP/IP Settings dialog box. Ensure that the TCP/IP settings conform to the settings required by your ISP provider.
Note
You do not generally need to change the values on the Scripting tab. However, if your ISP requires a manual logon, you can use a script to automate the process. If you wish to use a script, consult your ISP for the correct configuration.
Also, you do not generally need to change the values on the Multilink tab. Multilink enables you to use two devices (such as modems or ISDN devices) of the same type and speed for a single dial-up link. If you have two such devices and your ISP supports the multilink feature, consult your ISP for the correct configuration.
Click OK.
Creating the Connection to a PPTP Server
You must create a connection to your PPTP server by using a VPN device.
To create a connection to dial up a PPTP server by using a VPN device
Click Start, point to Programs, point to Accessories, and then click Dial-Up Networking. The Dial-Up Networking window appears.
Click Make New Connection. The Make New Connection wizard appears, as illustrated in the following figure.

Figure 11 - Creating a connection to a PPTP server
Type a connection name, such as the name of your PPTP server, in the Type a name for the computer you are dialing box.
Select Microsoft VPN Adapter in the Select a modem box, and then click Next. The following dialog box appears.

Figure 12 - Adding the name of the PPTP server to the connection
In the Host name or IP address box, type the name or IP address of the PPTP server that is connected to the Internet.
Click Next, and then click Finish. A connection icon is created in the Dial-Up Networking folder, as illustrated in the following figure.

Figure 13 - Example icon for a PPTP server connection
Verify the PPTP server connection by using the following procedure.
Note
Keep in mind that after you connect to a PPTP server on a remote network, your workstation will be connected to that remote network as if you were physically attached to it. Therefore, you must ensure that your workstation and its applications support the protocols native to that network.
To verify or edit the connection to your PPTP server
In My Computer, right-click the PPTP server connection icon in the Dial-Up Networking folder, and then click Properties to verify that your PPTP server connection is correctly configured. The PPTP Server dialog box appears, as illustrated in the following figure.

Figure 14 - Verifying the basic configuration for a PPTP server connection
Review the information on the General tab to ensure that the host name or IP address is correct and that Microsoft VPN Adapter is selected. Make any necessary changes.
Click the Server Types tab. The Server Types tab is illustrated in the following figure.

Figure 15 - Verifying the network connection for a PPTP server connection
In the Advanced options box, make sure the Log on to network checkbox is selected only if the target network requires workstations to log on to a network.
Note
Network operating systems such as Microsoft Windows for Workgroups, Microsoft Windows NT and Novell NetWare require you to log on to a network. In contrast, UNIX-based networks generally do not require you to do so. Contact your network administrator for more information.
In the Allowed network protocols box, ensure that the network protocols used on the target network are selected. Any selected protocol (TCP/IP, IPX/SPX, or NetBEUI) must already be installed on the client workstation you are configuring. Note that TCP/IP does not need to be selected unless it is the protocol used on your target network.
If you use TCP/IP on your private network, click TCP/IP Settings to display the TCP/IP Settings dialog box. Ensure that the TCP/IP settings conform to the settings required for a client on the target network. (The default settings are appropriate for most networks. Contact your network administrator for more information.)
Click OK.
Ready to Go!
Now it is time to put your new connection into action:
To connect to the Internet using a Windows 95-based PPTP client
In My Computer, double-click Dial-up Networking.
Double-click the connection icon that was created for your ISP.
In the Connect To dialog box that appears, enter the user name and password required by your ISP, and then click Connect.
The resulting connection is illustrated in the following figure.

Figure 16 - Connecting to the Internet through an ISP
To connect to the target network using a tunnel to the PPTP server
After connecting to your ISP, click the icon that was created for your PPTP server.
Enter the user name and password required for the target network.
In the Connect To window, click Connect.
You now have two connections, as shown in the following figure.

Figure 17 - Creating a tunnel to the PPTP server
After Connecting to a PPTP Server
After you connect successfully to the PPTP server on the host network, the ISP routes all traffic sent from your workstation over the Internet to the PPTP server. The PPTP server then routes the traffic to the correct computer on the remote network. Consequently, you will only see computers and servers on the remote network. You will no longer see the Internet unless the remote network itself provides access to the Internet.
At this point, your connection is in place and you can work on your computer just as if you were connected to the network at the office! It is important to remember, however, that the overall speed of the connection is limited to the speed of the slowest link between the host and the remote. Most of the time, this will be the dial-up connection from the remote computer to the ISP.
Security
Many of you will immediately wonder how secure such a connection can be. After all, you are essentially extending your office LAN by way of the Internet. When utilizing PPTP to establish your VPN, you still have all of the security features of your Windows NT server, which are extensive. Basically, it all boils down to this: no one can do anything to your network remotely that they could not do if they were sitting in your office. Many firms are far too lax about network security, implementing only the barest of security checks. The time before you implement the VPN is a good time to do a network security check. At a minimum, everyone should have their own unique and secret password. Additionally, no one should have administrator privileges except the administrator. All user accounts should have a security lock-out feature in case of attempted unauthorized access. This means that after a certain number of incorrect passwords, the user account is locked out until the Administrator clears it. A good number to set this feature at would be 5-10. There are programs today which, when used by a hacker, can try thousands of different password combinations in a matter of a few minutes. Locking accounts after a small number of incorrect password attempts will thwart this. When accessed remotely, Windows NT server also has additional security protocols [some of which have been previously described] which can be enabled to reduce the risk of anyone intercepting data during transmission.
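As an added illustration (not code from the article or from Windows NT), here is a small model of the lock-out rule just described, using a threshold of 5 attempts, the low end of the recommended range. The account store, the salted hashing and the list of guesses are all constructed for the example; the point is that once the account is locked, nothing is checked, not even the correct password, until the administrator clears it.

```python
"""Account lock-out gate modelled on the Windows NT policy described above.

Constructed example: accounts live in an in-memory dict, passwords are
compared against a salted SHA-256 digest, and the threshold is 5 failures.
"""
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 5


class Account:
    def __init__(self, name, password):
        self.name = name
        self.salt = os.urandom(16)
        self.digest = self._hash(password)
        self.failed_attempts = 0
        self.locked = False

    def _hash(self, password):
        return hashlib.sha256(self.salt + password.encode()).digest()

    def check(self, password):
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(self.digest, self._hash(password))


class Authenticator:
    def __init__(self):
        self.accounts = {}
        self.password_checks = 0   # how many real comparisons were performed

    def add_account(self, name, password):
        self.accounts[name] = Account(name, password)

    def logon(self, name, password):
        """Return 'ok', 'bad-password', 'locked' or 'no-such-user'."""
        acct = self.accounts.get(name)
        if acct is None:
            return "no-such-user"
        if acct.locked:
            # A locked account is refused before the password is examined;
            # this is what stops a program from working through thousands
            # of candidates in a few minutes.
            return "locked"
        self.password_checks += 1
        if acct.check(password):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "bad-password"

    def admin_clear(self, name):
        """The Administrator unlocks the account and resets its counter."""
        acct = self.accounts[name]
        acct.locked = False
        acct.failed_attempts = 0


def simulate_attempts(auth, name, candidates):
    """Feed each candidate password to logon() and collect the outcomes."""
    return [auth.logon(name, pw) for pw in candidates]


def demo():
    auth = Authenticator()
    auth.add_account("swatkins", "correct-horse-battery")
    # Constructed list: six wrong guesses, then the real password.
    candidates = ["password", "letmein", "1234", "qwerty", "abc123",
                  "welcome", "correct-horse-battery"]
    outcomes = simulate_attempts(auth, "swatkins", candidates)
    checks_before_clear = auth.password_checks   # only 5 guesses were checked
    auth.admin_clear("swatkins")
    after_clear = auth.logon("swatkins", "correct-horse-battery")
    return outcomes, checks_before_clear, after_clear
```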
Dedicated Connection Not Absolutely Necessary
Earlier, I said there was a way to make the VPN work without a dedicated connection, and hence without a static IP address. The Windows NT server should be connected to the Internet using a normal dial-up connection. You will recall that each time a computer connects to the Internet using dial-up networking, it is dynamically assigned an IP address and that this address is not typically the same each time. There is nothing different about this type of connection; PPTP can still be used just as well as with a dedicated connection. The trick is letting the remote user know what the server IP address is so that they can connect to the PPTP server. Here is how to do it:
Someone at the server location must open a command line on the Windows NT server.
Type: IPCONFIG /ALL
Press Enter
After a few seconds, the command line returns a listing of all the IP addresses assigned to the various network adapters on your server.
1. One listing will be for the Ethernet adapter connected to the LAN.
2. Another listing should be for a "PPP Adapter ….." This is the IP address you want. About the third line down in the listing will be the IP address. This address must be communicated to the remote party so they can configure their PPTP connection accordingly.
The remote user must somehow get this address. An alphanumeric pager, voice mail, e-mail, etc. are possibilities. However, the only way to obtain this address is for someone at the other end to get it and relay it. This creates a problem if it is after hours and no one is there! That is why I say it is much better, if you can afford it, to have a dedicated connection on the server end so that all remote users always know what that all-important IP address is.
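An added example, not part of the article: a small parser that pulls the PPP adapter's IP address out of IPCONFIG /ALL output, so whoever is at the office can read off the one value the remote user needs without hunting through the listing. The sample output, adapter names, hardware description and addresses are constructed to resemble the NT 4.0 format; if the server is not dialed in there is no PPP section, and the parser reports that rather than returning the LAN address by mistake.

```python
"""Extract the PPP adapter address from IPCONFIG /ALL output.

Constructed example. The sample below imitates the Windows NT 4.0 layout:
a header line per adapter ("Ethernet adapter X:" / "PPP adapter Y:") and
indented dot-leader fields ("IP Address. . . : value") beneath it.
"""
import re

# Constructed sample: one LAN adapter and one dial-up (PPP) adapter.
SAMPLE_IPCONFIG = """
Windows NT IP Configuration

        Host Name . . . . . . . . . : ntserver
        DNS Servers . . . . . . . . : 
        Node Type . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . : Yes

Ethernet adapter El90x1:

        Description . . . . . . . . : 3Com EtherLink PCI (constructed)
        Physical Address. . . . . . : 00-60-08-11-22-33
        DHCP Enabled. . . . . . . . : No
        IP Address. . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . :

PPP adapter NdisWan4:

        Description . . . . . . . . : NdisWan Adapter
        Physical Address. . . . . . : 00-00-00-00-00-00
        DHCP Enabled. . . . . . . . : No
        IP Address. . . . . . . . . : 203.0.113.77
        Subnet Mask . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . : 203.0.113.77
"""

# A section header starts at column 0 and ends with a colon.
_HEADER = re.compile(r"^(\S.*adapter .*):\s*$")
# An indented "Name . . . : value" field; the name stops at the dot leader.
_FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*?)\s*$")


def parse_ipconfig(text):
    """Return {adapter header: {field name: value}} for every adapter."""
    adapters = {}
    current = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            adapters[current][m.group(1).strip()] = m.group(2)
    return adapters


def ppp_address(text):
    """Address of the PPP adapter, or None when the server is not dialed in
    (no PPP section) or the adapter has no address yet (0.0.0.0)."""
    for header, fields in parse_ipconfig(text).items():
        if header.lower().startswith("ppp adapter"):
            addr = fields.get("IP Address", "")
            if addr and addr != "0.0.0.0":
                return addr
    return None
```

Run against the sample, ppp_address() returns the PPP line only; the Ethernet adapter's 192.168.1.10 is the LAN address the article says to skip.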
Conclusion
If your office does a lot of remote computing, particularly where connection involves a long-distance phone call, the VPN may pay immediate dividends. For example, if you spend more than about $100 each month on long-distance charges attributable to remote computing, you should definitely investigate the VPN. The VPN may still be a practical solution if cost is the reason you have not implemented remote connectivity. In the long run, I believe that any firm which invests in PPTP and VPN technology will be glad they did.
Steve Watkins
Calder, Watkins, McWilliam & Beaver, PLLC
208 S. Main St.
Broadway, NC 27505