The following describes how to correctly configure Routing and Remote Access on Small Business Server (SBS) 2000 to accept incoming VPN connections from remote workstations.
It is assumed that the SBS 2000 installation has two network adapters. In addition, any custom Remote Access Policies or logon scripts will need to be configured.
Before proceeding, the following tasks must be completed:
- Complete the steps to configure Small Business Server for full-time Internet access with two network adapters. Specifically, make sure that the SBS 2000 Internet Connection Wizard has been completed after installing the two adapters, and that both the "Enable ISA Server packet filtering" and "Virtual Private Networking (PPTP client access)" settings are turned on. You can verify these settings by checking the ISA Server packet filters for the appropriate filters.
Look for the packet filters that are created by the Internet Connection Wizard for VPN support. To do so:
- Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
- Expand the Servers and Arrays branch, click server name, click Access Policy, and then click IP Packet Filters.
- On the right pane, look for "BackOffice PptpCallPredefinedType" and "BackOffice PptpReceivePredefinedType".
- If these are not present (or are turned off), run the Internet Connection Wizard again, and then:
  - click Do Not Change for Configure Hardware,
  - click Do Not Change for Exchange Server, POP3 and "Enable ISA Server packet filtering", and then
  - click to select the Virtual Private Networking (PPTP client access) check box.
- Ensure POP3 is checked; otherwise mail cannot be received.
- Make sure that the network binding order in the advanced settings for Network and Dial-up Connections on the SBS 2000 computer is correct. Note that the internal network adapter is frequently first in the list, the external network adapter second, and Remote Access Connections last.
- Make sure that DNS is configured correctly. According to Microsoft, this means that the DNS settings of both the internal and external network adapters point to the internal IP address of the SBS 2000 computer, and the ISP's DNS servers are specified on the Forwarders tab in the DNS Management Console. However, having the internal NIC point to the server's own DNS and the external NIC use the DNS settings provided by the ISP also works.
- Make sure that WINS is installed and running on the SBS 2000 computer, and that the internal network adapter on the SBS 2000 computer is configured to point to itself for WINS resolution. Note that WINS is installed and configured by default on SBS 2000.
- If you have a third-party hardware firewall between the external network adapter on the SBS 2000 computer and the Internet, it must support the incoming VPN connection and be correctly configured to forward the incoming VPN request to the external network adapter of the SBS 2000 computer.
- Microsoft recommends that you install the latest Windows 2000 Server service pack.
Configure SBS 2000 to Accept Inbound VPN Connections
- Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
- Right-click your server, and then click Configure and Enable Routing and Remote Access. If Routing and Remote Access is configured already, the Configure and Enable Routing and Remote Access command will be unavailable. In that case:
  - Right-click the server, and then click Disable Routing and Remote Access.
  - Right-click the server, and then click Configure and Enable Routing and Remote Access.
- On the "Welcome to the Routing and Remote Access Server Setup" page, click Next.
- Click Manually Configure Server, click Next, and then click Finish.
- Click Yes to start the Routing and Remote Access service.
Note that you must not click Virtual Private Network (VPN) Server. Manually configuring the server sets up Routing and Remote Access with the following parameters:
- Filters: None.
- Router: Enabled.
- Remote Access Server: Enabled.
- IP address assignment is set to DHCP.
- VPN ports: There are five PPTP connections, and five L2TP connections.
- Microsoft recommends that you set Routing and Remote Access to use a static pool of IP addresses for the remote VPN clients. When you select your static pool addressing scheme, note that:
  - The address pool must be included in the Internet Security and Acceleration (ISA) Server's local address table (LAT). To view the LAT in ISA Server:
    - Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
    - Expand Servers and Arrays, expand server name, expand Network Configuration, and then click Local Address Table (LAT).
  - The address pool must not be on the same subnet as the internal or external network adapter.
  - Note that the LAT of a default installation of SBS 2000 contains 10.0.0.0 through 10.255.255.255 and 172.16.0.0 through 172.31.255.255.
  - Depending on your internal IP addressing scheme, you can use one of the ranges that are predefined in the LAT. If you have to add an additional LAT entry for the static pool range:
    - Right-click Local Address Table (LAT),
    - Point to New, and then click LAT Entry.
To set Routing and Remote Access to use a static pool of IP addresses for incoming VPN clients:
- Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
- Right-click the server name (local), and then click Properties.
- Click the IP tab.
- Click Static address pool, and then click Add. A range within 172.16.0.0 through 172.31.255.255 should work.
- Type your static range.
- Click OK to close New Address Range Properties.
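Before typing the range into the New Address Range dialog, it is worth checking the two constraints listed above (the pool must lie inside a LAT entry, and must not overlap the internal or external adapter's subnet). The following is an added example, not part of the original article or any Microsoft tool; the LAT ranges are the defaults quoted in the text, while the adapter addresses are assumed sample values.

```python
import ipaddress

# LAT entries of a default SBS 2000 installation (from the text above).
DEFAULT_LAT = [("10.0.0.0", "10.255.255.255"),
               ("172.16.0.0", "172.31.255.255")]

# Assumed sample adapter addresses (constructed for this example).
INTERNAL_NIC = "10.0.0.2/24"       # internal adapter, inside the LAT
EXTERNAL_NIC = "203.0.113.10/29"   # external adapter, documentation range

def pool_check(first, last, lat_entries, adapter_ifaces):
    """Return a list of problems with a proposed RRAS static address pool.

    An empty list means the pool satisfies both constraints from the text:
    it is fully covered by one LAT entry and shares no address with any
    adapter's subnet. Each problem is a human-readable string.
    """
    problems = []
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        return [f"range start {lo} is after range end {hi}"]

    # Constraint 1: the whole pool must sit inside a single LAT entry.
    in_lat = any(ipaddress.IPv4Address(a) <= lo and hi <= ipaddress.IPv4Address(b)
                 for a, b in lat_entries)
    if not in_lat:
        problems.append(f"{lo}-{hi} is not covered by any LAT entry; "
                        "add a LAT entry for it")

    # Constraint 2: the pool must not overlap an adapter's subnet.
    for iface in adapter_ifaces:
        net = ipaddress.ip_interface(iface).network
        # Two ranges overlap when each starts no later than the other ends.
        if lo <= net.broadcast_address and net.network_address <= hi:
            problems.append(f"{lo}-{hi} overlaps adapter subnet {net}")
    return problems

if __name__ == "__main__":
    adapters = [INTERNAL_NIC, EXTERNAL_NIC]
    for rng in [("172.16.1.10", "172.16.1.50"),   # valid pool
                ("10.0.0.100", "10.0.0.150"),     # in LAT, but on the internal subnet
                ("192.168.1.10", "192.168.1.50")]: # outside the default LAT
        print(rng, pool_check(*rng, DEFAULT_LAT, adapters) or "OK")
```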
- After the Routing and Remote Access service is started, right-click the server name on the left side of the Routing and Remote Access management snap-in, and then click Properties.
- On the IP tab under server name (local) Properties, locate the Adapter box. In the Adapter box, change the selection from Allow RAS to select adapter to the internal network adapter. Click OK to close this dialog box. This setting allocates WINS and DNS server addresses that are defined on the internal network adapter on the SBS 2000 computer to the remote VPN (DHCP) clients.
- On the left side of the screen, click Remote Access Policies, right-click Allow access if dial-in permission is enabled, and then click Properties.
- Click Grant remote access permission.
- Quit the Routing and Remote Access management console.
- Start Active Directory Users and Computers, and then click the Users container. Open the properties of a user, and then grant the user "dial-in" permissions on the Dial-In tab.
- Obtain and install the hotfix from "Q292822: Name Resolution and Connectivity Issues on Windows 2000 Domain Controller with Routing and Remote Access and DNS Installed".
- There should be a Dial-up entry in the ISA server, accessible from the SBS Administration Console, for the ADSL connection. Note that the entry is marked green.
- Right-click the Dial-up connection to the ISP, and then select "Set as active Entry".
- Expand the "Access Policy" on the ISA management console, and right click on "IP Packet filters".
- Select Properties.
- On the General tab, select both "Enable IP Packet filtering" and "Enable IP routing".
- On the PPTP tab, select the "PPTP through ISA firewall" check box. Click Apply, and then click OK.
- Back on the "IP Packet filter", you will see on the right pane a filter called "DHCP Client". The filter is disabled by default. Enable the filter.
- Restart the server.
If there are any problems accessing the VPN, it may be a firewall issue. To determine this, check the firewall settings for the VPN ports, which are often found within the modem/router.
The VPN miniports are set up by default in both the 2003 Standard and Premium Editions. If you want to verify this, you can look at the RRAS settings, where you should see 5 PPTP and 5 L2TP miniports.
Once the server is configured to allow remote connections, you must also give users permission to connect to the server remotely.