Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Windows Server 2008 R2 : Traditional VPN Scenario (part 3) - Setting Up the RRAS Server & Setting Up the VPN Client

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
3/20/2011 5:27:27 PM

Setting Up the RRAS Server

The RRAS server is the entity that will actually connect to the Internet or DMZ, providing the direct communications with the VPN clients, although the NPS system will be authenticating and authorizing those connections.

The following steps assume that Windows Server 2008 R2 is already installed, that the VPN1 server is configured with an internal network interface card (NIC; 172.16.1.152) and an external NIC (192.168.1.201), and that the VPN1 server is a member of the companyabc.com Active Directory domain. In addition, the network interfaces have been renamed to Internal and External to reflect their connection.

The next step is to add and configure the Routing and Remote Access role to the VPN server:

1.
Launch Server Manager on the VPN server, and select Add Roles in the Roles Summary window.

2.
Click Next.

3.
Select the Network Policy and Access Services role, and click Next.

4.
Click Next.

5.
Select the Remote Access Service check box, and click Next.

6.
Click Install to install the role.

7.
Click Close to exit the wizard.

8.
Click Start, Administrative Tools, and Routing and Remote Access to launch the RRAS MMC.

9.
Right-click on the VPN server name, and select Configure and Enable Routing and Remote Access.

10.
Click Next.

11.
Select Remote Access (Dial-Up or VPN), and click Next.

12.
Check the VPN check box, and click Next.

13.
Select the Internet-facing network interface—in this example, the interface named External.

14.
Uncheck the Enable Security on the Selected Interface by Setting Up Static Packet Filters, and click Next.

15.
Leave the IP Address Assignment as Automatically, and click Next.

16.
Select Yes, Set Up This Server to Work with a RADIUS Server, and click Next.

17.
Enter the NPS system FQDN into the Primary RADIUS Server Name field, which in this example is nps1.companyabc.com.

18.
Enter the secret password in the Shared Secret field, which is the same password used earlier in the RADIUS Client setup.

19.
Click Next and then click Finish.

20.
A message box appears, indicating that the properties of the DHCP Relay Agent will need to be configured. This is because of the selection to automatically assign IP addresses. Click OK to close the message box.

21.
Select the VPN server in the Routing and Remote Access MMC.

22.
Select Action and Properties.

23.
Select the Security tab.

24.
Click on the Authentication Methods button and confirm that Extensible Authentication Protocol (EAP) and Microsoft Encrypted Authentication Version 2 (MS-CHAP v2) are selected.

25.
Click OK to close the Authentication Methods window.

26.
Select the IPv4 tab.

27.
Verify that the correct adapter is selected for the VPN server to obtain DHCP services—in this case, the Internal adapter.

28.
Click OK to close the Properties window.

The RRAS server is now configured and ready to accept VPN client connections.

Setting Up the VPN Client

The next step is to set up the VPN client. The four major tasks in this process are as follows:

  • Enable Security Center

  • Enable the System Health Agent (SHA)

  • Configure certificate trusts

  • Configure the VPN client

These tasks prepare the client to connect and also validate, enforce, and remediate health policies.

If the client is a domain member, the Security Center will be disabled. This can be enabled in the local security policy through the following procedure:

1.
On the VPN Client computer, select Start, Run.

2.
Enter gpedit.msc and click OK.

3.
Expand Local Computer, Computer Configuration, Administrative Templates, Windows Components, and select Security Center.

4.
Double-click on Turn on Security Center (Domain PCs Only).

5.
Select Enabled and click OK.

6.
Close the Group Policy Edit tool.

The Remote Access Quarantine Enforcement Client is normally disabled, so it will need to be enabled on the client. This is done with the NAP Client Configuration MMC (napclcfg.msc).

1.
On the client, select Start, Run.

2.
Enter napclcfg.msc and click OK.

3.
Select the Enforcement Clients folder.

4.
Select the Remote Access Quarantine Enforcement Client. (In Windows 7, use EAP Quarantine Enforcement Client.)

5.
Select Action, Enable to enable the client.

6.
Exit the NAP Client Configuration MMC.

The Network Access Protection Agent service is normally set to manual, so it will need to be started and set to start automatically.

1.
On the client, select Start, Run and then enter Services.msc.

2.
Highlight the Network Access Protection Agent service, and select Action, Properties.

3.
Change the Startup Type to Automatic, and click Start.

4.
Click OK to exit the service properties.

For PEAP to function correctly, the client will need to trust the Certificate Authority. This can be done using automatic enrollment for Active Directory domain members, via the certificate enrollment site, or manually by exporting and importing the certificate. For this example, we assume that the client is not a domain member and that the certificate needs to be distributed manually, such as via email.

To export the certificate from the Certificate Authority, execute the following steps:

1.
On the Certificate Authority server, select Start, Administrative Tools, and then Certification Authority.

2.
Highlight the Certificate Authority (in this case, companyabc-NPS1-CA) and select Action, Properties.

3.
Click on the View Certificate button.

4.
Select the Details tab, and click the Copy to File button.

5.
Click Next.

6.
Click Next to accept the default Export File Format.

7.
Enter a name for the certificate (in this case, c:\nps1 ca certificate) and click Next.

8.
Click Finish to export the certificate.

9.
Click OK to acknowledge the export, and then exit the Certification Authority MMC.

This certificate will be used to certify the NPS1 Certificate Authority to the client, which will allow the client to trust certificates issued by the Certificate Authority. This will require that the client import the certificate into the local computer trusted Certificate Authority store. To import a certificate into the local computer trusted Certificate Authority store, do the following:

1.
Copy the CA certificate file to the VPN client.

2.
Select Start, Run.

3.
Type mmc and click OK.

4.
Select File, Add or Remove Snap-ins.

5.
Select the Certificates snap-in and click the Add button.

6.
Select Computer Account and click Next.

7.
Click Next to select the Local computer.

8.
Click OK.

9.
Expand the Certificates (Local Computer) folder.

10.
Expand the Trusted Root Certification Authorities folder, and highlight the Certificates subfolder.

11.
Right-click the Certificates subfolder, and select All Tasks, Import.

12.
Click Next.

13.
Click the Browse button and navigate to the CA certificate file—in this example, nps1 ca certificate.cer.

14.
Click OK.

15.
Click Next.

16.
Click Next to place the certificate in the Trusted Root Certification Authorities folder.

17.
Click Finish and then click OK to acknowledge the certificate installation.

18.
Exit the console without saving.

This allows the client to trust the certificates issued by the NPS1 Certificate Authority. The next step is to set up and configure the VPN connection on the VPN client:

1.
On the client, select Start, Control Panel.

2.
Click on Network and Internet.

3.
Click on Network and Sharing Center.

4.
Click on Set Up a Connection or Network.

5.
Select Connect to a Workplace, and click Next.

6.
Click on Use My Internet Connection (VPN).

7.
Enter the Internet address—in this case, 192.168.1.201. You can also enter the FQDN vpn1.companyabc.com.

8.
Enter a destination name, such as Company ABC VPN Connection.

9.
Check the Don’t Connect Now check box, as we will need to configure additional settings.

10.
Click Next.

11.
Enter the username, the password, and the domain, and check the Remember This Password check box.

12.
Click Create to create the connection.

13.
Click Close.

14.
Click Manage Network Connections.

15.
Right-click on the Company ABC VPN Connection, and select Properties.

16.
Select the Security tab.

17.
In the Security Options window, select the Advanced (Custom Settings) option button.

18.
Click the Settings button.

19.
In the Logon Security window, select the Use Extensible Authentication Protocol (EAP) option button.

20.
Select Protected EAP (PEAP) (Encryption Enabled) from the drop-down list, and click the Properties button.

21.
Uncheck the Connect to These Servers check box.

22.
Check the box next to the previously imported CA certificate in the Trusted Root Certification window—in this example, companyabc-NPS1-CA.

23.
Verify that Secured Password (EAP-MS-CHAP v2) is selected in the Select Authentication Method drop-down list.

24.
Uncheck the Enable Fast Reconnect check box.

25.
Check the Enable Quarantine Checks check box. The result should look like Figure 7.

Figure 7. VPN connection security options.


26.
Click OK to close the Protected EAP Properties dialog box.

27.
Click OK to close the Advanced Security Settings dialog box.

28.
Click OK to close the connection properties.

The connection is now ready for use. The next step is to test the connection.

Other -----------------
- Windows Server 2008 R2 : Traditional VPN Scenario (part 2) - Setting Up the Network Policy Server & Configuring the Network Policy Server
- Windows Server 2008 R2 : Traditional VPN Scenario (part 1) - Setting Up the Certificate Server & Certificate Autoenrollment
- Installing Exchange Server 2010 : Understanding the Active Directory Requirements for Exchange Server 2010
- Installing Exchange Server 2010 : Understanding the Prerequisites for Exchange Server 2010
- Installing Exchange Server 2010 : Understanding the Exchange Server 2010 Server Roles
- Active Directory Domain Services 2008 : View Schema Class and Attribute Definitions
- Active Directory Domain Services 2008 : Apply Active Directory Schema Administrative Permissions
- Active Directory Domain Services 2008 : Install the Active Directory Schema Snap-In
- Microsoft Content Management Server : Deleting Objects
- Microsoft Content Management Server : Managing Resources (part 2) - Replacing Resources
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
 
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server