Connect to Your Corporate Network from Home with Windows XP

Published: July 15, 2002

Editor's Note: Past articles by members of the online community are archived for your use. The information may become outdated as technology changes. For the most current information, please search the Web site or post a question in the newsgroups.

Charlie Russel

In VPN Security, I covered some of the setup options for making a VPN connection to an internal corporate network. Here's a question from a reader whose scenario doesn't fit with that setup. Kevin McLoughlin, a reader in Singapore, writes that he's been "...searching for information on how to set up a VPN that uses different authentication for the initial connection and subsequent PDC authentication."

I didn't cover this scenario in VPN Security. But first, a disclaimer—there are a lot of different ways to do this and there's no way I can cover all of them. In this column, I'll cover logging on and authenticating to an Internet service provider (ISP), and then connecting to your VPN at work. I'll use CompuServe, because I know it and it's pretty ubiquitous. On the VPN side, I'm going to stick to a standard Windows Routing and Remote Access Server (RRAS) solution, but this time we'll let our RRAS server sit outside the domain, all on its own and not have it be part of any domain at all. So we're going to have three completely different sets of credentials involved: your domain logon credentials, your ISP account, and your VPN account.

The first step in the process requires logging on to your Windows XP Professional laptop. Here you'll authenticate with your domain credentials, but you're going to use cached information stored on the laptop, since you aren't yet physically connected to your domain. You need to have logged on to your company account on the laptop while physically connected to the company network. This simplifies things, since it will retain cached credentials to verify who you are even when you're not at work. So log on to the laptop as if you were at work, as shown in Figure 1.

Figure 1

What is Credential Caching?

The ability to log on to a domain when not physically connected to the domain is known as credential caching. This feature may be turned off on your laptop as a matter of corporate security policy. If so, you must be physically connected to the domain to log on to it. This can be a problem for setting up a VPN and getting fully authenticated, but there are workarounds, primarily using the Run As command once you're connected to the VPN. Work with your corporate IT staff to identify viable workarounds for your situation. We don't have room to cover the Run As command and some of the other alternatives in this article, but maybe in a future one.

Connect to Your ISP

After you're logged on to your laptop, the next step is to connect to the Internet—a step that will require you to authenticate to your ISP, using a different set of credentials from your domain logon, of course.

To connect to your ISP

1. On the Start Menu, point to Connect To, and then click Show All Connections.

2. Under Network Tasks, click Create a New Connection. The New Connection Wizard opens.

3. Click Next, click Connect to the Internet, and then click Next.

4. Either select from a list of Internet service providers that are built in, use the CD that your ISP gave you, or do what I did and manually configure the connection. If you used a CD from your ISP, or the built-in list, your steps will diverge at this point. Click Next.

5. Give your connection a name so you'll be able to easily identify it, click Next again, and type in the phone number for your ISP. I chose to use the 800 number for CompuServe, because hotel rooms have gotten to be a pain about phone calls lately. Click Next again.

6. Decide if you want this connection to be available only for yourself, or for anyone else that uses the computer. Unless you know you need to share the computer, I'd stick with just making it available for yourself. It's easy enough to re-create it for a local machine account if you need to, but you don't want everyone to have access to your CompuServe or other ISP account. Click Next again.

7. Now, enter your Internet account information. Clear the Make this the default Internet connection check box, if you're on the road only some of the time, and typically connect to a local area network to get to the Internet.

8. Click Next, and then Finish. The Connection dialog box opens automatically when you finish, ready to connect to the Internet.

If you're using CompuServe, you'll need one more step: you need to use a script to sign in, as shown in Figure 2. Click Properties, and on the Security tab, select the Run script check box. Choose the cis.scp script and you should be fine.

Figure 2

Create Your VPN Connection

The next step is to create your VPN connection to the corporate network. Here I'm showing you the steps to connect to a Windows RRAS server that sits outside your company's internal network. You may have a different connection scenario if you're connecting using a third-party VPN solution. Check with your company's IT group for the details.

To create a VPN connection

1. On the Start Menu, point to Connect To, click Show All Connections, and under Network Tasks, click Create a New Connection. The New Connection Wizard opens.

2. Click Connect to the network at my workplace, and then click Next.

3. Click Virtual Private Network connection, and then click Next.

4. Here you have a choice: Windows can automatically dial the connection you just created, or let you dial manually. If you use multiple connections to the Internet, stick to manual, but if you always use the same connection, let Windows XP do it for you.

5. Click Next, and then type in the host name or IP address of your RRAS server. If you don't know the host name, check with your IT department. Click Next again, and click My use only for this connection. You shouldn't share VPN connections.

6. Click Next again, and then click Finish to create the VPN connection.

After you create the VPN connection, it automatically opens the Connect dialog box, shown in Figure 3.

Figure 3

Now you can set the dialing options for this connection.

1. In the Connect dialog box, click the Properties button, and then click the Options tab to display the dialing options shown in Figure 4.

Figure 4

2. Select the Include Windows logon domain check box, and then click OK to return to the Connect dialog box, where now you'll see a field for the domain as shown in Figure 5.

Figure 5

3. The connection fields will show your regular username and company domain. You'll need to replace those with the special ones used for your company's RRAS server. Get these from your IT group. They may be similar to your normal ones, or they may be completely different. At least one place I know uses 15-character, randomly generated user names for the RRAS server.

4. After you've filled in the fields, select the check box to save the user name and password, but make sure it's only for yourself. Then click Connect to create the VPN connection.

The VPN connection used a third set of authentication credentials, completely unrelated to your regular work credentials. Assuming all went well, you're not physically connected to your work network, and are using a secure and encrypted connection over the public Internet. You should be able to connect to company network drives, read your company e-mail, and connect to the Windows XP Professional workstation sitting on your desk.
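
The same two-stage connection can also be made from a command prompt with rasdial, which is included with Windows. The batch file below is an added example, not part of the original column; the connection entry names, account names, and domain are placeholders to replace with the names you chose in the New Connection Wizard and the values your IT group gave you.

```batch
@echo off
rem Added example: dial the ISP, then the VPN, each with its own account.
rem All names below are placeholders (assumptions), not values from the article.
setlocal
set "ISP_ENTRY=CompuServe"
set "ISP_USER=ISP-USER-PLACEHOLDER"
set "VPN_ENTRY=Work VPN"
set "VPN_USER=VPN-USER-PLACEHOLDER"
set "VPN_DOMAIN=VPN-DOMAIN-PLACEHOLDER"

rem Stage 1: ISP. "*" makes rasdial prompt for the password, so it is
rem never stored in this file or shown on the command line.
rasdial "%ISP_ENTRY%" %ISP_USER% *
if errorlevel 1 goto isp_failed

rem Stage 2: VPN, using the separate RRAS account and its domain field.
rasdial "%VPN_ENTRY%" %VPN_USER% * /domain:%VPN_DOMAIN%
if errorlevel 1 goto vpn_failed

rem With no arguments, rasdial lists the connections that are now active.
rasdial
goto :eof

:vpn_failed
echo VPN logon failed; hanging up the ISP connection.
rasdial "%ISP_ENTRY%" /disconnect
exit /b 2

:isp_failed
echo Could not connect to the ISP; the VPN was not attempted.
exit /b 1
```

Because the VPN stage only runs after the ISP stage succeeds, a failed VPN logon leaves no idle dial-up session behind.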

Send in Your Questions

If you use Windows XP Professional at work, and you have a topic you'd like to see me cover in one of my columns, feel free to write me at Charlie@mvps.org. Please understand that it's impossible for me to acknowledge or answer individual e-mail messages, and I can't provide individual technical support by e-mail. But I really do want to hear from you and I will be happy to consider your topic request for a future column.


Charlie Russel, Microsoft MVP for Windows Server and Tablet PC

Charlie Russel is currently an information technology consultant, having years of system administration experience with a specialty in combined Windows and UNIX networks. Charlie is the author of several books for IT professionals, including co-authoring these two recent titles: Microsoft Windows Server 2003 Administrator's Companion (Microsoft Press, 2003) and Microsoft Windows Small Business Server 2003 Administrator's Companion (Microsoft Press, 2004).