
Setting up VPN + UTM5 billing on Windows Server 2003



  • 1. Install and configure Routing and Remote Access
  • 2. Installing UTM
  • 3. Configure UTM
  • 4. Files


  • So, where do you start when setting up the VPN + UTM5 bundle on Windows Server 2003? Before configuring RRAS, check whether the Internet Authentication Service (IAS) is installed. To do so, open Add or Remove Programs in Control Panel, go to Add/Remove Windows Components and look at the contents of the Networking Services component. If the service is installed, clear its checkbox (uninstall it). IAS is essentially a Windows RADIUS server. Two RADIUS servers (UTM-RADIUS and Windows RADIUS) cannot run on the same computer because they use the same ports, so when IAS is installed, UTM-RADIUS simply does not start.

    Another service that interferes with UTM, or rather with Apache, is the World Wide Web Service, found in the Internet Information Services (IIS) group of the Application Server Windows component. It also has to be uninstalled, otherwise Apache will not start, because this service uses port 80. If the server needs a web server, Apache can take over that role on port 80. UTM gives users access to their statistics over HTTPS, on port 443 with certificate-based encryption. You could, of course, run Apache on port 8080, but why keep 2 web servers on one computer?

    SQL Server and MySQL should not be installed on the server.
    After uninstalling these services, you can install and configure RRAS.

    1. Install and configure Routing and Remote Access


    1.1. Run the RRAS setup wizard.

    1.2. Decline all the standard schemes and select custom (manual) configuration. It seems to be the last in the list of options the wizard offers.
    1.3. After RRAS starts, begin configuring it.

    1.4. Open the RRAS server properties (right-click the server icon with the green arrow and select Properties).

    1.5. On the General tab, select LAN and demand-dial routing and Remote access server, click OK and restart RRAS.

    1.6. Open the RRAS server properties again and go to the Security tab.

    1.7. Here, under Authentication provider, select RADIUS Authentication, click Configure and, in the window that opens, click Add.

    1.8. If UTM-RADIUS is installed on the same computer, enter 127.0.0.1 in the Server name field. If UTM-RADIUS is on another computer, specify its IP.

    1.9. In the Secret field, click Change, enter the secret and confirm it.

    1.10. Leave the time-out, the initial score and the port alone. The port should be 1812. Be sure to tick Always use message authenticator and click OK.
    1.11. Now, under Accounting provider, select RADIUS Accounting and click Configure.

    1.12. In the window that appears, click Add.

    1.13. The server name is again 127.0.0.1, Secret - secret, port - 1813; leave the default time-out and initial score, and do not tick Send RADIUS Accounting On and Accounting Off messages. Click OK.
    1.14. We will use PPTP for VPN connections, so the Allow custom IPSec policy for L2TP connection checkbox stays unticked and we do not configure it.

    1.15. Go to the IP tab. This is where it gets interesting.

    1.16. First, tick all the checkboxes on this tab (there are three).
    1.17. As the adapter for obtaining DHCP, DNS and WINS server addresses for VPN clients, select the adapter of the interface that faces the Internet. All requests for VPN users will be sent through it.

    1.18. Now the fun part. For the internal RRAS interface to get an IP that serves as the server address when a VPN client connects through a PPTP tunnel over PPP, select Static address pool in the IP address assignment section and specify that IP there. But for some reason the glorious Microsoft company decided that RRAS would work only with Windows RADIUS and nothing else. So the static address pool dialog checks the number of addresses in the pool and insists on at least two. That makes sense only with Windows RADIUS, where the IP addresses for both client and server are taken from this pool. In our case only the server address is taken from the pool, and the client gets its address from UTM. At first glance there is no problem, if it were not for crafty users. As practice has shown, if one user gives another his VPN login and password and they connect at the same time, the first to connect gets an IP from UTM and the second gets one from this pool. The problem is that traffic is counted only for the IP registered in UTM, so the second user rides for free. But it is not all that bad. Close the RRAS server properties (click OK at the bottom). Click Start, then Run, and enter the command

    netsh ras ip add range 192.168.2.254 192.168.2.254

    Open the RRAS server properties again and, on the IP tab, you will see a static pool consisting of the single address 192.168.2.254. Problem solved. By the way, the network we will use for the VPN is 192.168.2.0/255.255.255.0.

    1.19. Go to the PPP tab and untick Multilink connections and Software compression. Tick Link control protocol (LCP) extensions.

    1.20. Go to the Logging tab. Select Log errors and warnings. This is for information, so that you know who connected to RRAS over VPN and when. There is no need to enable the additional information log.

    1.21. Now the boring part: configuring the virtual ports for VPN connections.

    1.22. Open the port properties (right-click Ports and select Properties).

    1.23. Configure each port type in the list in turn. Select L2TP and click Configure. Untick all the checkboxes and set the maximum number of ports to 0. Select PPPoE and click Configure. Untick all the checkboxes. Select PPTP and click Configure. Tick Remote access connections (inbound only) and untick Demand-dial routing connections (inbound and outbound). Set the maximum number of ports to 128. (This is how many people can be connected to the VPN at the same time. If you don't need that many, set fewer. It makes no difference otherwise.) Select Direct Parallel and untick all the checkboxes. This item may be absent if the server has no parallel printer port or it is disabled in the BIOS.
    This is the picture you should end up with.

    1.24. Moving on to IP routing.

    1.25. Here you have to decide right away about the firewall. If your server runs a third-party firewall, it has to be dealt with separately. If it is ISA, it has to be removed; it is not needed for working with a VPN. The firewall question is a very serious one, and the final decision on how to use a firewall is yours. I can only say that in the basic setup you can configure the firewall built into RRAS: it is very limited, but it handles the job of distributing traffic almost completely.

    1.26. Click General in the left pane and check which interfaces are listed in the right pane. Both network interfaces (the one facing the Internet and the one facing the local network), the Internal interface and the Loopback interface must be there, i.e. in your case 4 interfaces. If there are none, or some are missing, add them by clicking the empty space in the right pane and selecting New Interface.

    1.27. In our case IP routing should contain 3 items: General, Static Routes and NAT/Basic Firewall. If something is missing or something extra is present, remove the extra items and add the missing ones by clicking General and selecting New Routing Protocol.

    1.28. We do not need the Static Routes item. It must be empty. It cannot be deleted, since it is an integral part of RRAS. Go straight to NAT.

    1.29. NAT is needed to translate global addresses to local ones and back. Click NAT. In the right pane, add the interface that faces the Internet and open its properties (right-click it and select Properties).


    1.30. Declare it the public interface connected to the Internet and tick Enable NAT on this interface. The second checkbox, Enable a basic firewall on this interface, does not need to be ticked if you have a firewall. If there is no firewall, you must tick it, otherwise your server will be visible from the Internet. Click OK. There is nothing more to configure in NAT.

    1.31. Now, if you have a firewall, RRAS setup can be considered complete. If you do not, you need to configure packet filters that block Internet access directly over the local network and route it through the VPN.

    1.32. To do this, click General and open the properties of the interface that faces the local network. Click the Outbound Filters button. In the window that opens, click New. Tick Source network and enter our local network there, in your case 192.168.1.0/255.255.255.0. Click OK. Click New a second time. Tick Source network and enter the IP address of the VPN server, in our case 192.168.2.254/255.255.255.255. Click OK. At the top, select the filter action Drop all packets except those that meet the criteria below and click OK.

    1.33. That's it! RRAS is now set up!
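
The shared-login case from step 1.18, as an added example that is not part of the original guide: Python code that flags logins with two sessions open at once and sessions whose client address is not the one billing counts. The session tuples, logins, dates, addresses and the BILLED_IP map are constructed sample data, not a UTM or RRAS log format.

```python
from datetime import datetime
from itertools import combinations

# Constructed sample: the client IP that billing has registered for each login.
BILLED_IP = {"alice": "192.168.2.10", "bob": "192.168.2.11"}

# Constructed sample sessions: (login, client IP, connect time, disconnect time).
SESSIONS = [
    ("alice", "192.168.2.10",  "2009-03-01 10:00", "2009-03-01 12:00"),
    ("alice", "192.168.2.253", "2009-03-01 10:30", "2009-03-01 11:15"),
    ("bob",   "192.168.2.11",  "2009-03-01 10:05", "2009-03-01 10:50"),
    ("bob",   "192.168.2.11",  "2009-03-01 11:00", "2009-03-01 11:40"),
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def shared_logins(sessions):
    """Return the logins that had two sessions open at the same time."""
    spans_by_login = {}
    for login, _ip, start, stop in sessions:
        spans_by_login.setdefault(login, []).append((_ts(start), _ts(stop)))
    flagged = set()
    for login, spans in spans_by_login.items():
        for (s1, e1), (s2, e2) in combinations(spans, 2):
            if s1 < e2 and s2 < e1:  # the two intervals overlap
                flagged.add(login)
    return sorted(flagged)

def unbilled_sessions(sessions, billed_ip):
    """Return sessions whose client IP is not the one billing counts for that login."""
    return [(login, ip, start) for login, ip, start, _stop in sessions
            if billed_ip.get(login) != ip]

if __name__ == "__main__":
    print("logins used concurrently:", shared_logins(SESSIONS))
    for login, ip, start in unbilled_sessions(SESSIONS, BILLED_IP):
        print(f"session not counted by billing: {login} on {ip} from {start}")
```
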


    2. Installing UTM.


    2.1. Run UTM5Setup. For the language, select Russian accordingly.

    2.2. First install the Java machine (JAVA).

    2.3. Run UTM5Setup again. Now install everything else, with the JAVA checkbox cleared. The rest of the installation is straightforward. When it finishes, open Services and check that MySQL-NT and UTM5_CORE are running. If they are, great.

    2.4. Next, install RADIUS. It never causes problems.

    2.5. Now NDSAD. This is where many of the problems are. For NDSAD to collect traffic on the VPN, the WinPcap driver must be version 3.1 or higher.

    2.6. After the reboot, the ndsad service should start. If it still does not start, then port 9996, which ndsad uses to communicate with UTM, is already in use on the server.

    2.7. Now install utm5_rfw (if this service does not appear in the services). To do this, run the command:

    utm5_rfw.exe --install

    After that utm5_rfw should appear in the services.

    2.8. Now we need another program that is not part of UTM, but without which you cannot disconnect the VPN connections of users whose balance has dropped below 0. This is the utm5_kill_vpn.exe program. When I launched UTM for the first time, I discovered that the developers provide no mechanism for dropping VPN connections when working with Windows RRAS. By the way, cutting off Internet access is the sorest point in most billing systems. It's good that they at least wrote utm5_rfw, which lets you hand control to other programs, otherwise we would be stuck. This program must be copied to the root of drive C:. The disconnect scheme works like this. UTM detects that the user's balance has become negative. It tells utm5_rfw to disconnect the user. utm5_rfw calls utm5_kill_vpn, which tells Windows RRAS to terminate the VPN connection for that specific user.

    (For the disconnect to happen automatically =), in UTM go to Firewall rules and click Refresh. Delete everything except the first rule. Open the first rule for editing. Tick All users. User ID - 0, group ID - 0, tariff ID - 0, On - do not write anything (must be empty), Off - c:/utm5_kill_vpn.exe ULOGIN, firewall ID - 1. The ULOGIN variable contains the name of the VPN connection and is passed to utm5_kill_vpn.exe to disconnect the corresponding VPN.)


    2.9. It seems everything is installed. Now on to the settings.




    3. Configure UTM


    3.1. Configuration files

    3.1.1. UTM5.CFG

    database_type = mysql - database type
    database = utm5 - database name
    database_host = 127.0.0.1 - IP of the computer with the database
    database_login = root - login to the database
    database_password = - database password (without password)

    urfa_bind_host = 0.0.0.0 - IP from which we connect to the database (from any)

    urfa_lib_file = liburfa\librpc.dll
    urfa_lib_file = liburfa\liburfa_utils.dll
    urfa_lib_file = liburfa\liburfa_card.dll
    urfa_lib_file = liburfa\liburfa_hotspot.dll - libraries for external modules
    urfa_lib_file = liburfa\liburfa_graph.dll
    urfa_lib_file = liburfa\liburfa_radius.dll

    nfbuffer_port = 9996 - NDSAD connection port


    3.1.2. RADIUS5.CFG

    core_host = 127.0.0.1 - IP on which the UTM is located
    core_port = 11758 - UTM connection port

    radius_login = radius - system user login
    radius_password = radius - system user password

    radius_auth_mppe = enable - VPN authorization

    radius_auth_vap = 1 - do not authorize with a negative balance

    radius_ssl_type = none - encryption type (disabled)

    radius_ippool_timeout = 0 - re-authorization delay (immediately)
    radius_ippool_acct_timeout = 0 - release IP immediately after a VPN break


    3.1.3. RFW5.CFG

    rfw_name = 127.0.0.1 - name of the firewall (IP is used)

    firewall_type = local - firewall type (local)

    core_host = 127.0.0.1 - UTM IP address
    core_port = 11758 - port for communication with UTM

    rfw_login = web - system user login
    rfw_password = web - system user password

    3.1.4. NDSAD.CFG

    dummy all - disable statistics collection from any devices except those specified in the force command, i.e. we will collect traffic only on VPN

    force \Device\NPF_GenericDialupAdapter - VPN statistics collection mode

    nf_lifetime 1 - instantly terminates sessions when a user's balance drops below 0


    3.1.5. WEB5.CFG

    core_host = 127.0.0.1 - UTM IP address

    web_login = web - login of the system user

    web_password = web - system user password


    3.1.6. After the configuration files have been edited, restart the computer for all changes to take effect.

    4. Files:
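
A check for the settings in sections 3.1.1-3.1.5 that a reviewer would flag: empty database password, root database login, a listener bound to 0.0.0.0, disabled encryption, and logins equal to their passwords. This is an added example, not part of the original guide or of UTM5; it assumes plain key=value files with # comment lines, and the sample text is constructed from the values listed above.

```python
# Constructed samples holding the values shown in sections 3.1.1-3.1.5.
SAMPLES = {
    "UTM5.CFG": "database_login=root\ndatabase_password=\nurfa_bind_host=0.0.0.0\n",
    "RADIUS5.CFG": "radius_login=radius\nradius_password=radius\nradius_ssl_type=none\n",
    "RFW5.CFG": "rfw_login=web\nrfw_password=web\n",
    "WEB5.CFG": "web_login=web\nweb_password=web\n",
}

def parse_cfg(text):
    """Parse key=value lines (assumed format); '#' comment lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key] = value  # last occurrence wins
    return cfg

def audit(name, text):
    """Return a list of findings for one configuration file."""
    cfg = parse_cfg(text)
    findings = []
    if cfg.get("database_password") == "":
        findings.append(f"{name}: database_password is empty")
    if cfg.get("database_login") == "root":
        findings.append(f"{name}: database_login is root")
    if cfg.get("urfa_bind_host") == "0.0.0.0":
        findings.append(f"{name}: urfa_bind_host accepts connections from any address")
    if cfg.get("radius_ssl_type") == "none":
        findings.append(f"{name}: radius_ssl_type disables encryption")
    for key, value in cfg.items():
        # A *_login key whose matching *_password holds the same string.
        if key.endswith("_login") and cfg.get(key[:-len("_login")] + "_password") == value:
            findings.append(f"{name}: {key} and its password are identical")
    return findings

def audit_all(samples):
    """Audit every file in a {name: text} mapping and return all findings."""
    return [f for name, text in samples.items() for f in audit(name, text)]

if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print(finding)
```
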


    Name: NDSAD_setup_1_33.exe
    Link for downloading the file: http://ifolder.ru/10599261

    Name: utm5_kill_vpn.exe
    Link to download file: http://ifolder.ru/10599276

    UTM5 can be downloaded at http://www.netup.ru/

    The UTM kit also includes Apache and MySQL. You will also need to install OpenSSL and sign certificates for logging in to the web admin interface. Although, as I have seen, there are alternative web front ends.