  • So, where to start implementing the VPN + UTM5 bundle on Windows Server 2003. Before you start configuring RRAS, check whether IAS (Internet Authentication Service) is installed. To check, open Add or Remove Programs in Control Panel, go to Add/Remove Windows Components and look at the details of the Networking Services component. If this service is installed, uncheck it (uninstall it). IAS is essentially Windows' own RADIUS server. It is clear that two RADIUS servers (UTM-RADIUS and Windows-RADIUS) cannot run on one computer, because they use the same ports. Accordingly, while the IAS service is installed, UTM-RADIUS simply does not start.

    Another service that interferes with UTM, or more precisely with Apache, is the World Wide Web Service, part of the Application Server component in the Internet Information Services (IIS) group. It also has to be uninstalled, otherwise Apache does not start, because this service occupies port 80. If the server needs a web server, Apache on port 80 can replace it perfectly well. UTM gives users access to their statistics over HTTPS, which connects on port 443 with certificate-based encryption. You could of course put Apache on port 8080, but why run two web servers on one computer?
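    A pre-flight check for the two collisions just described (IAS holding the RADIUS ports, the WWW service holding port 80), as an added example that is not part of the original guide. It tries to bind each port itself: a bind that fails with "address in use" is exactly the condition under which UTM-RADIUS or Apache refuses to start. The port list is assumed from the text above (RADIUS 1812/1813 UDP, HTTP/HTTPS 80/443 TCP).

```python
"""Check that the ports UTM-RADIUS and Apache need are not already held by
another service (IAS, IIS). Added example, not part of UTM or the guide."""
import socket

# Ports the guide says must be free; constructed from the text above.
REQUIRED_PORTS = (
    ("UTM-RADIUS authentication", "udp", 1812),
    ("UTM-RADIUS accounting", "udp", 1813),
    ("Apache HTTP", "tcp", 80),
    ("Apache HTTPS (user statistics)", "tcp", 443),
)


def port_is_free(proto, port, host=""):
    """Return True if we can bind host:port ourselves, False if another
    process already holds it, None if we lack the privilege to bind it.

    Binding the wildcard address without SO_REUSEADDR fails with
    EADDRINUSE whenever any process already uses the port, which is the
    same collision that keeps UTM-RADIUS or Apache from starting.
    """
    socktype = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    sock = socket.socket(socket.AF_INET, socktype)
    try:
        sock.bind((host, port))
        return True
    except PermissionError:          # privileged port, unprivileged caller
        return None
    except OSError:                  # EADDRINUSE: something else holds it
        return False
    finally:
        sock.close()


def check_required_ports(ports=REQUIRED_PORTS):
    """Return (name, proto, port, status) for every port in the list."""
    labels = {True: "free", False: "IN USE", None: "unknown (no privilege)"}
    return [(name, proto, port, labels[port_is_free(proto, port)])
            for name, proto, port in ports]


if __name__ == "__main__":
    for name, proto, port, status in check_required_ports():
        print(f"{proto.upper():3} {port:5} {status:22} {name}")
```

Run it before installing UTM and again after uninstalling IAS and the WWW service; every line should read "free" before the UTM services are started.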

    The server should not have SQL Server or MySQL installed.
    After uninstalling these services, you can start installing and configuring RRAS.

    1. Installing and Configuring Routing and Remote Access

    1.1. Run the RRAS setup wizard.

    1.2. Reject all the standard configurations and choose the custom configuration. It seems to be the last option in the wizard's list.
    1.3. After RRAS starts, begin configuring it.

    1.4. Open the properties of the RRAS server (right-click the server icon with the green arrow and select Properties).

    1.5. On the General tab, select LAN and demand-dial routing under Router, and Remote access server; click OK and restart RRAS.

    1.6. Open the properties of the RRAS server again, this time on the Security tab.

    1.7. Here, under Authentication provider, choose RADIUS Authentication, click Configure, and in the window that opens click Add.

    1.8. If UTM-RADIUS is installed on the same computer, then in the Server name field enter - If UTM-RADIUS is on another computer, specify its IP.

    1.9. In the Secret field, click Change, enter secret and confirm it.

    1.10. Leave the time-out, initial score and port untouched. The port must be 1812. Be sure to check Always use message authenticator, and click OK.
    1.11. Now under Accounting provider select RADIUS Accounting and click Configure.

    1.12. In the window that appears, click Add.

    1.13. Server name is the same, Secret is secret, port is 1813, time-out and initial score are left at their defaults, and the checkbox for sending RADIUS Accounting On and Accounting Off messages is left unchecked. Click OK.
    1.14. We will use PPTP for VPN connections, so Allow custom IPSec policy for L2TP connection is of no interest to us, and we leave it unchecked.

    1.15. Go to the IP tab. Here things get quite interesting.

    1.16. First, set all the checkboxes on this tab (there are three of them).
    1.17. As the adapter for obtaining DHCP, DNS and WINS server addresses for VPN clients, select the interface that faces the Internet. It will relay all such requests for VPN users.

    1.18. Now the most interesting part. For the internal RRAS interface to receive the IP that will serve as the server address when a VPN client connects over the PPTP tunnel using PPP, under IP address assignment select Static address pool and enter that IP here. But the valiant firm Microsoft somehow decided that RRAS would only ever work with Windows-RADIUS. So when a static address pool is specified, Microsoft put in a check on the number of addresses in the pool and decided there must be at least two. That is only right when working with Windows-RADIUS, where the IP addresses for both client and server are taken from this pool. In our case only the server address is taken from the pool, and the client's address is assigned by UTM. At first glance there is no problem, were it not for crafty users. As practice shows, if one user gives another their VPN login and password and both connect at the same time, the first of them to connect gets an IP from UTM and the second gets one from this pool. The problem is that traffic is accounted only for the IP registered in UTM, so the second user sits there for free. But it is not all that bad. Exit the RRAS server properties (click OK at the bottom). Click Start, then Run, and enter the command

    netsh ras ip add range

    Go back into the RRAS server properties, IP tab, and observe a static pool of one address there. Problem solved. By the way, the network we will use for VPN will be -
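    The two symptoms described in 1.18, a session whose address came from the RRAS pool rather than from UTM (so its traffic is never accounted) and one login with two sessions up at once (a shared password), can be spotted from the RADIUS accounting stream. The following is an added example, not part of UTM or the original guide: the key=value log format, the VPN network, the pool address and the sessions are all constructed placeholders, since the guide leaves the real addresses blank; in a deployment you would feed it the accounting log that UTM-RADIUS writes.

```python
"""Replay RADIUS accounting Start/Stop events and flag unbilled addresses and
concurrent logins. Added example; the data and format are constructed."""
import ipaddress

# Constructed assumptions: the network UTM hands client addresses from, and the
# single address left in the RRAS static pool (the server side of every link).
UTM_CLIENT_NETWORK = ipaddress.ip_network("10.20.0.0/24")
RRAS_POOL_ADDRESSES = {ipaddress.ip_address("10.20.0.1")}

# Constructed accounting events, one per line, in a simple key=value format.
SAMPLE_ACCOUNTING_LOG = """\
ts=100 status=Start session=0a1 user=ivanov ip=10.20.0.15
ts=105 status=Start session=0a2 user=petrov ip=10.20.0.16
ts=110 status=Start session=0a3 user=ivanov ip=10.20.0.1
ts=400 status=Stop session=0a1 user=ivanov ip=10.20.0.15
ts=450 status=Start session=0a4 user=sidorov ip=192.168.5.7
"""


def parse_accounting(text):
    """Parse the constructed key=value lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        if {"ts", "status", "session", "user", "ip"} <= fields.keys():
            fields["ts"] = int(fields["ts"])
            events.append(fields)
    return events


def audit_sessions(events, client_network=UTM_CLIENT_NETWORK,
                   pool_addresses=RRAS_POOL_ADDRESSES):
    """Return (finding, user, session, ip) tuples from events replayed in time order.

    "unbilled address": the address is the RRAS pool address or lies outside
        UTM's client network, so UTM will not count the session's traffic.
    "concurrent login": a Start arrives while the same user already has a
        session open, the pattern left by a shared login and password.
    """
    findings = []
    active = {}  # user -> set of open session ids
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, sid = ev["user"], ev["session"]
        if ev["status"] == "Stop":
            active.get(user, set()).discard(sid)
            continue
        if ev["status"] != "Start":
            continue
        addr = ipaddress.ip_address(ev["ip"])
        if addr in pool_addresses or addr not in client_network:
            findings.append(("unbilled address", user, sid, str(addr)))
        if active.get(user):
            findings.append(("concurrent login", user, sid, str(addr)))
        active.setdefault(user, set()).add(sid)
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(parse_accounting(SAMPLE_ACCOUNTING_LOG)):
        print(*finding)
```

With the pool reduced to one address by the netsh command above, the "unbilled address" finding should stop appearing; "concurrent login" remains the signal that a password has been handed around.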

    1.19. Go to the PPP tab and uncheck Multilink connections and Software compression. Check Link Control Protocol (LCP) extensions.

    1.20. Go to the Logging tab. Select Log errors and warnings. It is useful, for information, to know who connected to RRAS over VPN and when. Logging additional information is unnecessary.

    1.21. Now the virtual ports for VPN connections need to be configured.

    1.22. Open the properties of the ports (right-click Ports and select Properties).

    1.23. Configure each port type in the list in turn. Select L2TP and click Configure. Remove all the checkmarks and set the maximum number of ports to 0. Select PPPoE and click Configure. Remove all the checkmarks. Select PPTP and click Configure. Check Remote access connections (inbound only) and uncheck Demand-dial routing connections (inbound and outbound). Set the maximum number of ports to 128. (This is how many people can connect to the VPN at the same time. If you do not need that many, you can set fewer; it makes no other difference.) Select Direct Parallel and remove all the checkmarks. This item may be absent if the server has no parallel printer port or it is disabled in the BIOS.
    In the end it should look like this.

    1.24. Let's move on to IP Routing.

    1.25. Here we must decide on the firewall right away. If you have a third-party firewall on the server, you need to sort it out separately. If ISA is installed, it must be removed. It is not needed for the VPN. The firewall question is very serious; the final decision on which firewall to use is yours. I can only say that, as a basic option, you can configure the built-in RRAS firewall: it is rather clumsy, but it does the job of separating traffic almost completely.

    1.26. Click General in the left pane and check which interfaces are listed in the right pane. There should be both network interfaces (the one facing the Internet and the one facing the local network), the Internal interface and the Loopback, i.e. in your case 4 interfaces. If any are missing, add them by right-clicking the empty space in the right pane and selecting New Interface.

    1.27. In our case IP Routing should contain 3 items: General, Static Routes and NAT/Basic Firewall. If something is missing there, or something else is present, remove the unnecessary ones and add the necessary ones by right-clicking General and selecting New Routing Protocol.

    1.28. We do not need the Static Routes item. It must stay empty. It cannot be removed, as it is an integral part of RRAS. Let's go straight to NAT.

    1.29. NAT is needed to translate global addresses to local ones and vice versa. Click NAT. In the right pane add the interface facing the Internet and open its properties (right-click it and select Properties).

    1.30. Declare it the public interface connected to the Internet and set the checkbox to enable NAT on this interface. The second checkbox, which enables the basic firewall on this interface, need not be set if you have a firewall. If you have no firewall, then it must be set, otherwise your server will be visible from the Internet. Click OK. Nothing more needs to be configured in NAT.

    1.31. Now, if you have a firewall, the RRAS configuration can be considered complete. If you do not, you need to configure packet filters to block handing out Internet access over the local network and allow it only over the VPN.

    1.32. To do this, click General and open the properties of the interface facing the local network. Click Outbound Filters. In the window that opens click New. Check Source network and enter our local network there; in your case - Click OK. Click New a second time. Check Source network and enter the VPN server's IP address there; in our case - Click OK. At the top, select the filter action Drop all packets except those that meet the criteria below, and click OK.

    1.33. THAT'S IT!!! RRAS is now configured!!!

    2. Installing UTM.

    2.1. Run UTM5Setup. Choose the language, Russian accordingly.

    2.2. First install only the Java machine (JVM).

    2.3. Restart UTM5Setup. Now install the rest, unchecking Java. The rest of the installation has no tricks. After the installation completes, go into Services and check that MySQL-NT and UTM5_CORE are started. If everything works, great.

    2.4. Then install RADIUS. There is never a problem with it.

    2.5. Now NDSAD. Here there are many problems. For NDSAD to collect VPN traffic, the WinPcap driver must be version 3.1 or higher.

    2.6. After the reboot the ndsad service should start. If it does not, then port 9996, which ndsad uses to communicate with UTM, is already taken on the server.

    2.7. Now install utm5_rfw (if the service does not appear in Services). To do this, run the command:

    utm5_rfw.exe --install

    After that utm5_rfw should appear in Services.

    2.8. Now we need one more program, which is not part of UTM but without which you cannot manage disconnecting the VPN connections of users whose balance has gone below 0. This is utm5_kill_vpn.exe. When I first launched UTM, I found that when working with Windows RRAS the developers have no mechanism for disconnecting VPN connections. Incidentally, cutting off Internet access is the most painful issue in most billing systems. It's good that they at least wrote utm5_rfw, which lets control be handed over to other programs, otherwise it would be a disaster. This program should be copied to the root of drive C:. The disconnection scheme works like this: UTM detects that the user's balance has become negative. It gives utm5_rfw the command to disconnect the user. utm5_rfw calls utm5_kill_vpn, which tells Windows RRAS to drop the VPN connection of that particular user.

    (For the disconnection to happen automatically =) in UTM go to Firewall rules and click Update. Delete everything except the first rule. Open the first rule for editing. Check All users. User ID is 0, Group ID is 0, Tariff ID is 0, Enable is left empty (must be empty), Disable is c:/utm5_kill_vpn.exe ULOGIN, Firewall ID is 1. The ULOGIN variable contains the name of the VPN connection and is passed to utm5_kill_vpn.exe to disconnect the corresponding VPN.)

    2.9. Everything seems to be installed. Now on to the settings.

    3. Configuring UTM

    3.1. Configuration files.

    3.1.1. UTM5.CFG

    database_type = mysql - database type
    database = utm5 - database name
    database_host = - IP of the computer hosting the database
    database_login = root - database login
    database_password = - database password (none)

    urfa_bind_host = - IP from which we connect to the database (any)

    urfa_lib_file = liburfa\librpc.dll
    urfa_lib_file = liburfa\liburfa_utils.dll
    urfa_lib_file = liburfa\liburfa_card.dll
    urfa_lib_file = liburfa\liburfa_hotspot.dll - libraries for running external modules
    urfa_lib_file = liburfa\liburfa_graph.dll
    urfa_lib_file = liburfa\liburfa_radius.dll

    nfbuffer_port = 9996 - NDSAD connection port

    3.1.2. RADIUS5.CFG

    core_host = - IP on which UTM runs
    core_port = 11758 - port for connecting to UTM

    radius_login = radius - system user login
    radius_password = radius - system user password

    radius_auth_mppe = enable - VPN authorization

    radius_auth_vap = 1 - do not authorize users with a negative balance

    radius_ssl_type = none - encryption type (disabled)

    radius_ippool_timeout = 0 - re-authorization delay (immediate)
    radius_ippool_acct_timeout = 0 - release the IP immediately after the VPN drops

    3.1.3. RFW5.CFG

    rfw_name = - name of the firewall (the IP is used)

    firewall_type = local - firewall type (local)

    core_host = - IP address of UTM
    core_port = 11758 - port for communication with UTM

    rfw_login = web - system user login
    rfw_password = web - system user password

    3.1.4. NDSAD.CFG

    dummy all - disable statistics collection from every device except those given in the force command, i.e. traffic is collected only on the VPN

    force \Device\NPF_GenericDialupAdapter - collect statistics on the VPN (dial-up) adapter

    nf_lifetime 1 - drops sessions instantly when the user's balance passes through 0

    3.1.5. WEB5.CFG

    core_host = - IP address of UTM

    web_login = web - system user login

    web_password = web - system user password

    3.1.6. After correcting the configuration files, reboot the computer for all the changes to take effect.
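    Before that reboot it is worth running the configuration files through a quick audit, because several of the values shown in 3.1 are the ones an attacker on the VPN side would try first: a root database login with an empty password, the system users radius/radius and web/web, radius_ssl_type = none (the RADIUS-to-core link in the clear), and radius_auth_vap, which must stay 1 or users with a negative balance are still authorized. The script below is an added example, not part of UTM or the original guide. It parses the "key = value" format the files use (a key such as urfa_lib_file may repeat) and reports those conditions; the sample contents are constructed from the values in 3.1, with blank values where the guide leaves addresses out, and the severities are this example's own.

```python
"""Audit UTM5 .cfg files for weak or unsafe settings. Added example; the
file contents below are constructed from the guide's values."""

# Constructed file contents mirroring the settings shown in section 3.1.
SAMPLE_FILES = {
    "utm5.cfg": """\
database_type = mysql
database = utm5
database_host =
database_login = root
database_password =
urfa_lib_file = liburfa\\librpc.dll
urfa_lib_file = liburfa\\liburfa_radius.dll
nfbuffer_port = 9996
""",
    "radius5.cfg": """\
core_host =
core_port = 11758
radius_login = radius
radius_password = radius
radius_auth_mppe = enable
radius_auth_vap = 1
radius_ssl_type = none
""",
    "rfw5.cfg": """\
firewall_type = local
core_host =
core_port = 11758
rfw_login = web
rfw_password = web
""",
    "web5.cfg": """\
core_host =
web_login = web
web_password = web
""",
}

# Login/password pairs that are documented defaults and should be changed.
DEFAULT_CREDENTIALS = {
    ("radius_login", "radius_password"): ("radius", "radius"),
    ("rfw_login", "rfw_password"): ("web", "web"),
    ("web_login", "web_password"): ("web", "web"),
}


def parse_cfg(text):
    """Parse 'key = value' lines into {key: [values]}. Blank lines, '#'
    comments and lines without '=' are skipped; values are lists because
    some keys (urfa_lib_file) legitimately repeat."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        cfg.setdefault(key, []).append(value)
    return cfg


def audit_cfg(name, cfg):
    """Return (file, severity, message) findings for one parsed file."""
    def first(key):
        return cfg.get(key, [""])[0]

    findings = []
    if "database_login" in cfg and first("database_password") == "":
        findings.append((name, "high", f"database user {first('database_login')!r} has no password"))
    for (lkey, pkey), (dlogin, dpass) in DEFAULT_CREDENTIALS.items():
        if first(lkey) == dlogin and first(pkey) == dpass:
            findings.append((name, "high", f"{lkey}/{pkey} still use the default {dlogin}/{dpass}"))
    if "radius_auth_vap" in cfg and first("radius_auth_vap") != "1":
        findings.append((name, "high", "radius_auth_vap != 1: negative-balance users are still authorized"))
    if first("radius_ssl_type") == "none":
        findings.append((name, "medium", "radius_ssl_type = none: RADIUS-to-core link is unencrypted"))
    for key in ("core_host", "database_host"):
        if key in cfg and first(key) == "":
            findings.append((name, "info", f"{key} is empty"))
    return findings


def audit_all(files=SAMPLE_FILES):
    """Audit every file in the mapping and return all findings in file order."""
    findings = []
    for name, text in files.items():
        findings.extend(audit_cfg(name, parse_cfg(text)))
    return findings


if __name__ == "__main__":
    for fname, severity, message in audit_all():
        print(f"[{severity:6}] {fname}: {message}")
```

Point audit_all at the real files by reading them into the same {name: text} mapping; an empty result for radius5.cfg, rfw5.cfg and web5.cfg means the default system-user passwords have been changed.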

    4. Files:

