Friday, March 27, 2015

Implementing VPN in Windows Server 2012 R2

A VPN gives clients and devices on the Internet secure access to an organization's internal data and applications.
To properly implement and support a VPN environment within your organization, you must understand how to select a suitable tunnelling protocol, configure VPN authentication, and configure the server role to support your chosen configuration.
As in previous versions of Windows Server, there are two types of VPN connection available in Windows Server 2012 R2:
• Remote access
• Site-to-site
Remote Access VPN Connections
Remote access VPN connections enable your users who are working offsite, such as at home, at a customer site, or from a public wireless access point, to access a server on your organization’s private network by using the infrastructure that a public network, such as the Internet, provides.
Site-to-Site VPN Connections
Site-to-site VPN connections, which are also known as router-to-router VPN connections, enable your organization to establish routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications. A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. When networks connect over the Internet, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link.
In this post, let's go through the simple steps for implementing VPN in your infrastructure. For this demo I will continue using the same VMs I used for my DirectAccess implementation.
Please refer to my previous DirectAccess post for the VMs I use to implement this VPN.
For more information about VPN / Remote Access, see: http://technet.microsoft.com/en-us/library/dn383589.aspx
Let's get started with our VPN configuration.
1st, let's review some of the Routing and Remote Access settings and make some changes on the RRAS server.
1 – Log in to the LON-RTR server, open Server Manager, click Tools, and then click Remote Access Management Console.
2 – In the Remote Access Management Console, click DirectAccess and VPN, and in the Actions pane, under the VPN section, click Enable VPN.
3 – In the Enable VPN box, click OK.
4 – Verify that the configuration was applied successfully, and then click Close.
5 – Next, switch to Server Manager, click Tools, and then click Routing and Remote Access.
6 – In the Routing and Remote Access console, expand LON-RTR, right-click Ports, and then click Properties.
7 – Verify that 128 ports (the default) exist for each of SSTP, IKEv2, PPTP and L2TP, and then double-click WAN Miniport (SSTP).
8 – In the Maximum ports box, type 5, and then click OK.
9 – In the Routing and Remote Access message box, click Yes.
10 – Repeat steps 8 and 9 for IKEv2, PPTP and L2TP, and then click OK. Five ports per tunnel type is enough for this lab; in production, size the count to the number of simultaneous connections you expect, and for any tunnel type you do not want to offer, clear Remote access connections (inbound only) in its device dialog instead of leaving it at 128.
11 – Next, right-click LON-RTR (local), and then click Properties.
12 – On the General tab, verify that IPv4 Remote access server is selected.
13 – Click the Security tab, verify that the certificate 131.107.0.10 is selected under SSL Certificate Binding (this is the certificate SSTP presents to clients), and then click Authentication Methods.
14 – In the Authentication Methods box, verify that EAP is selected as the authentication protocol, leave CHAP and PAP cleared, and then click OK.
15 – Click the IPv4 tab, verify that the VPN server is configured to assign IPv4 addresses by using Dynamic Host Configuration Protocol (DHCP), and then click OK to close the Properties dialog.
2nd, before we proceed, verify the certificate requirements for IKEv2 and SSTP on the LON-RTR server.
1 – On LON-RTR, open MMC, click File, and then click Add/Remove Snap-in.
2 – In the Add or Remove Snap-ins dialog, click Certificates, click Add, select Computer account, and then click Next.
3 – Click Local computer, and then click Finish.
4 – Click OK to close the Add or Remove Snap-ins dialog.
5 – Expand Certificates (Local Computer), expand Personal, and then click Certificates.
– Notice the certificate 131.107.0.10. It carries the Server Authentication purpose, which is required for Secure Socket Tunneling Protocol (SSTP) and Internet Key Exchange version 2 (IKEv2) VPN connectivity: the server presents it to prove its identity, so it must have a private key, its subject or subject alternative name must match the address clients dial (131.107.0.10 here), and the clients must trust the CA that issued it.
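The RRAS settings from the 1st section and the certificate check from the 2nd section, done from PowerShell instead of the consoles. This is an added example and not code from the original post: it uses the RemoteAccess module on Windows Server 2012 R2, assumes the server certificate subject or SAN is 131.107.0.10 as in the post, mirrors the port counts and EAP choice from the steps, and the commented line that switches PPTP off is the editor's hardening recommendation, not something the post does.

```powershell
# Added example (not from the original post): RRAS and certificate checks
# for LON-RTR done with the RemoteAccess module instead of the GUI.
# Assumptions: server address/subject 131.107.0.10; five ports per tunnel
# type and EAP-only user authentication, as in the console steps.
Import-Module RemoteAccess

function Get-SstpServerCertificate {
    param([string]$Subject = '131.107.0.10')
    # Same check as the Certificates snap-in, but explicit: machine store,
    # private key present, not expired, Server Authentication EKU
    # (1.3.6.1.5.5.7.3.1), and subject or SAN matching the dialled address.
    # SSTP and IKEv2 both rely on this certificate.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
            ($_.Subject -like "*$Subject*" -or $_.DnsNameList.Unicode -contains $Subject)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$cert = Get-SstpServerCertificate
if (-not $cert) {
    throw 'No usable Server Authentication certificate for 131.107.0.10 in LocalMachine\My'
}

# Step 2 ("Enable VPN"): install the VPN role only if it is not already there.
$ra = Get-RemoteAccess
if ($ra.VpnStatus -ne 'Installed') {
    Install-RemoteAccess -VpnType Vpn
}

# Step 13: bind the certificate SSTP presents to clients.
Set-RemoteAccess -SslCertificate $cert

# Steps 8-10: limit each tunnel type to five ports.
Set-VpnServerConfiguration -SstpPorts 5 -Ikev2Ports 5 -L2tpPorts 5 -PptpPorts 5
# Hardening (editor's recommendation, not part of the post): offer no PPTP ports at all.
# Set-VpnServerConfiguration -PptpPorts 0

# Step 14: accept only EAP for user authentication (CHAP and PAP stay off).
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP

# Review what was applied.
Get-VpnServerConfiguration | Select-Object SstpPorts, Ikev2Ports, L2tpPorts, PptpPorts
Get-VpnAuthProtocol | Select-Object UserAuthProtocolAccepted
Get-RemoteAccess | Select-Object VpnStatus, SslCertificate
```

Run this in an elevated PowerShell session on LON-RTR after the Remote Access role is installed. The certificate filter is the part worth keeping: a certificate that is present in Personal but has no private key, has expired, or carries only Client Authentication will bind without complaint in the GUI and fail at the first SSTP or IKEv2 connection.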
3rd, it is now time to configure the network policy for the remote access server.
1 – Still on the LON-RTR server, open Server Manager, and on the Tools menu, click Network Policy Server.
2 – In the Network Policy Server console, expand Policies, and then click Network Policies.
– Right-click the policy at the top of the list and the policy at the bottom of the list (the two default policies), and click Disable on each, so that only the policy you create next applies to VPN requests.
3 – In the navigation pane, right-click Network Policies, and then click New.
4 – In the New Network Policy wizard, in the Policy name box, type Adatum VPN Policy; in the Type of network access server list, click Remote Access Server (VPN-Dial up), and then click Next.
5 – On the Specify Conditions page, click Add.
6 – In the Select condition dialog, click Windows Groups, and then click Add.
7 – In the Windows Groups dialog, click Add Groups.
8 – Type IT, and then click OK (you can choose any group you prefer).
9 – In the Windows Groups dialog, verify that ADATUM\IT is listed, and then click OK.
10 – On the Specify Conditions page, click Next.
11 – On the Specify Access Permission page, click Access granted, and then click Next.
12 – On the Configure Authentication Methods page, make sure that you clear the Microsoft Encrypted Authentication (MS-CHAP) check box (version 1 has known weaknesses and should not be offered), and then click Add to add EAP types.
13 – In the Add EAP dialog, select Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.
14 – Repeat the previous step, this time selecting Microsoft: Smart Card or other certificate, and then click Next.
15 – On the Configure Constraints page, click Next.
16 – On the Configure Settings page, click Next.
17 – On the Completing New Network Policy page, click Finish.

At this point we have successfully modified the remote access server configuration to provide VPN connectivity.
4th, now let's verify VPN connectivity from our Windows 8.1 client.
1 – On the Windows 8.1 client PC, open Network and Sharing Center, and then click Set up a new connection or network.
2 – On the Choose a connection option page, click Connect to a Workplace, and then click Next.
3 – On the How do you want to connect? page, click Use my Internet connection (VPN).
4 – On the Connect to a Workplace page, click I'll set up an Internet connection later.
5 – In the Internet address box, type 131.107.0.10 (the LON-RTR IP address).
– In the Destination name box, type HQ VPN, select the Allow other people to use this connection check box, and then click Create.
6 – Right-click the HQ VPN connection, and then click Properties.
7 – In HQ VPN Properties, click the Security tab, select Allow these protocols, ensure that Microsoft CHAP Version 2 (MS-CHAP v2) is selected, and then click OK.
8 – Right-click HQ VPN, and then click Connect.
9 – In the Network list, under HQ VPN, click Connect.
10 – In the sign-in dialog box, type the credentials of a domain user from the IT department, and then click OK.
11 – Right-click HQ VPN, click Status, and verify that you are connected to Adatum by using a PPTP connection. The connection was left at the default Type of VPN (Automatic), which negotiated PPTP here; PPTP with MS-CHAP v2 is not considered secure, because the MS-CHAP v2 exchange can be cracked offline, so outside a lab set the Type of VPN on the Security tab to IKEv2 or SSTP so that authentication runs inside an IPsec or TLS tunnel.
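The client side of the 4th section from PowerShell, with the demo's connection next to a hardened variant that pins SSTP. This is an added example and not code from the original post: it uses the VpnClient module on Windows 8.1, assumes LON-RTR is reachable at 131.107.0.10, and the user name ADATUM\alice and the profile name HQ VPN (SSTP) are placeholders chosen for the example.

```powershell
# Added example (not from the original post): the Windows 8.1 client steps
# done with the VpnClient module, plus a check that flags weak profiles.
# Assumptions: server 131.107.0.10 as in the post; 'ADATUM\alice' and the
# profile name 'HQ VPN (SSTP)' are placeholders for this example.
Import-Module VpnClient

# The demo's profile as the wizard builds it: Type of VPN left at Automatic,
# MS-CHAP v2 allowed. In the post this negotiated PPTP.
Add-VpnConnection -Name 'HQ VPN' -ServerAddress '131.107.0.10' `
    -TunnelType Automatic -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -AllUserConnection -Force

# Hardened variant: pin SSTP so MS-CHAP v2 only ever runs inside the TLS
# tunnel authenticated by the 131.107.0.10 server certificate, and refuse
# to stay up without PPP encryption (EncryptionLevel Required).
Add-VpnConnection -Name 'HQ VPN (SSTP)' -ServerAddress '131.107.0.10' `
    -TunnelType Sstp -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -AllUserConnection -Force

function Get-WeakVpnConnection {
    # Flag all-user profiles that can end up on PPTP (explicitly, or via
    # Automatic fallback) or that would tolerate an unencrypted PPP link.
    Get-VpnConnection -AllUserConnection |
        Where-Object {
            $_.TunnelType -in 'Pptp', 'Automatic' -or
            $_.EncryptionLevel -ne 'Required'
        } |
        Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel
}
Get-WeakVpnConnection   # reports 'HQ VPN' (Automatic); 'HQ VPN (SSTP)' is not listed

# Steps 8-11: connect with the hardened profile and confirm the negotiated
# tunnel type. The trailing '*' makes rasdial prompt for the password.
rasdial 'HQ VPN (SSTP)' 'ADATUM\alice' *
Get-VpnConnection -Name 'HQ VPN (SSTP)' -AllUserConnection |
    Select-Object Name, ConnectionStatus, TunnelType
```

Run it in an elevated session on the client; -AllUserConnection corresponds to the wizard's "Allow other people to use this connection". If the SSTP profile fails where the Automatic one succeeded, the usual cause is the client not trusting the CA that issued the 131.107.0.10 certificate, or the certificate subject not matching the address dialled, which is exactly the check the 2nd section performs on the server.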
Alright, that's all for now; we've connected to HQ VPN successfully.