Windows Server
Windows 2000 server configuration is a subject about which a 1600-page book could be (and has been) written. Here are a few points that may help get you connected (Windows Server 2003 may work similarly):
- Generally, you want two network interfaces (Ethernet connections, usually), one on the private LAN (with a NAT address like 192.168.0.1 or 10.0.0.1) and one on the Internet (which you tell RAS to use for VPN access). Only one Internet interface should have a TCP/IP default gateway; ours is set to the internal LAN gateway.
- VPN service is set up by the program Routing and Remote Access. Right-click the server to run the setup Wizard or configure Properties.
- The Wizard automatically creates IP Routing Filters to allow PPTP connections via the Internet interface, while blocking all other traffic. You may add in/out filters to allow ICMP so your server can be pinged. See Routing and Remote Access->IP Routing->General->(Name of your Internet interface)->Properties->General->Input Filters/Output Filters.
- A private LAN IP address will be assigned to the Mac client(s) - this can be done by a DHCP server on the VPN or by specifying an address range of available NAT addresses in the RAS wizard.
- Under the server's Properties (under Routing and Remote Access), choose Security->Authentication. Make sure MSCHAPv2 is checked.
- To set the bit length of the encryption key: Routing and Remote Access->Remote Access Policies->Allow Access...->Properties->Edit Profile. For a 128-bit key, check "Strongest". Allow 30 seconds for a change to take effect after closing all dialogs.
- To connect via VPN, your user account on the server must have permission to "dial-in". This is controlled under Active Directory (or on basic, non-Domain systems, Computer Management). Under user properties->Dial-In->Remote Access Permission, click Allow access. The "Control access through Remote Access Policy" option also works, if you know how to configure the Policy (under Routing and Remote Access).
- The first time you set up Remote Access for VPN, you may have to reboot the server to get it working.
- In DigiTunnel's VPN-Only mode, connections to any servers on the Internet go over the VPN, through your Windows server, and out to the Internet through whatever Internet connection is available to your server (such as a proxy server or NAT gateway). On a two-network-interface system, if Windows sets the Internet interface as the default gateway, Internet connections won't work. There does not seem to be a setting to choose which interface is default. Windows documentation recommends that only one interface have a TCP/IP default gateway, but it seems like both must have gateways for the VPN to function.
First try omitting the gateway from the Internet interface. If that doesn't work, put gateways on both interfaces. To observe which gateway is in effect, run Command Prompt and enter "netstat -rn". To switch to the other gateway, momentarily disable the interface which has the undesired gateway. To do this, run Network and Dial-Up Connections, and right-click the interface.
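An added example (not part of the original page): a Python sketch that reads saved "netstat -rn" output and reports which default gateway is in effect and whether it sits on the LAN interface. The sample output is constructed, and the 203.0.113.x Internet-side addresses and the function names are assumptions.

```python
import ipaddress

# Constructed sample of "netstat -rn" output; 203.0.113.x is an assumed Internet side.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.0.254     192.168.0.1       1
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10       1
      192.168.0.0    255.255.255.0      192.168.0.1     192.168.0.1       1
Default Gateway:     203.0.113.1
"""


def _is_ip(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def default_routes(output):
    """Return [(gateway, interface, metric)] for every 0.0.0.0/0 route."""
    routes = []
    for line in output.splitlines():
        f = line.split()
        if len(f) == 5 and f[:2] == ["0.0.0.0", "0.0.0.0"] and f[4].isdigit():
            if _is_ip(f[2]) and _is_ip(f[3]):
                routes.append((f[2], f[3], int(f[4])))
    return routes


def check_gateway(output, lan_interface):
    """Report which default gateway is in effect and whether it is on the LAN."""
    routes = default_routes(output)
    active = None
    for line in output.splitlines():
        if line.strip().startswith("Default Gateway:"):
            value = line.split(":", 1)[1].strip()
            active = value if _is_ip(value) else None
    if active is None and routes:  # assumed fallback: pick the lowest metric
        active = min(routes, key=lambda r: r[2])[0]
    via = next((r[1] for r in routes if r[0] == active), None)
    return {"active_gateway": active, "via_interface": via,
            "multiple_defaults": len(routes) > 1,
            "on_lan": via == lan_interface}


if __name__ == "__main__":
    print(check_gateway(SAMPLE, lan_interface="192.168.0.1"))
```

With the constructed sample, the result shows two default routes with the Internet-side gateway in effect, which is the case where Internet connections through the VPN won't work.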
Practicallynetworked.com has pointers to some PPTP articles.