This guide provides detailed information about how you can
use three computers to create a test lab with which to configure and test
virtual private network (VPN) remote access with Windows Server® 2008
and Windows Vista® with Service Pack 1 (SP1). These instructions are
designed to take you step by step through the configuration required for a
Secure Socket Tunneling Protocol (SSTP) connection.
Note
The following instructions are for configuring a test lab by
using a minimum number of computers and procedure steps. To minimize setup time
and complexity, services were combined on the network servers rather than using
individual computers to separate the services in a more secure manner. This
configuration is designed to reflect neither best practices nor a desired or
recommended configuration for a production network. The configuration,
including IP addresses and all other configuration parameters, is designed to
work only on a separate test lab network.
Consider using Virtual PC or Virtual Server
Microsoft Virtual PC or Virtual Server allows you to create
the computer lab used in this document by using only one or two physical
computers. After the virtual lab is configured, you can switch between the
three virtual computers needed for this lab with the click of a button. For
more information, see the following resources:
· TechNet webcast: Virtual Server 2005 - Setting Up a Virtual Test and Development Environment—Level 200 (http://go.microsoft.com/fwlink/?LinkId=69222)
Secure Socket Tunneling Protocol
Secure Socket Tunneling Protocol (SSTP) is a new form of VPN
tunnel with features that allow traffic to pass through firewalls that block
PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP
traffic over the SSL channel of the HTTPS protocol. The use of PPP allows
support for strong authentication methods such as EAP-TLS. The use of HTTPS
means traffic will flow through TCP port 443, a port commonly used for Web
access. Secure Sockets Layer (SSL) provides transport-level security with
enhanced key negotiation, encryption, and integrity checking.
SSTP-based VPN connection process
The data flow for an SSTP-based VPN connection takes place
as follows:
When a user on a computer running Windows Server 2008
or Windows Vista with SP1 initiates an SSTP-based VPN connection, the following
occurs:
1. The SSTP client establishes a TCP connection
with the SSTP server between a dynamically allocated TCP port on the SSTP
client and TCP port 443 on the SSTP server.
2. The SSTP client sends an SSL Client-Hello
message, indicating that the SSTP client wants to create an SSL session with
the SSTP server.
3. The SSTP server sends its computer
certificate to the SSTP client.
4. The SSTP client validates the computer
certificate, determines the encryption method for the SSL session, generates an
SSL session key and encrypts it with the public key of the SSTP server’s
certificate, and then sends the encrypted form of the SSL session key to the
SSTP server.
5. The SSTP server decrypts the encrypted SSL
session key with the private key of its computer certificate. All future
communication between the SSTP client and the SSTP server is encrypted with the
negotiated encryption method and SSL session key.
6. The SSTP client sends an HTTP over SSL
request message to the SSTP server.
7. The SSTP client negotiates an SSTP tunnel
with the SSTP server.
8. The SSTP client negotiates a PPP connection
with the SSTP server. This negotiation includes authenticating the user’s
credentials with a PPP authentication method and configuring settings for
Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6)
traffic.
9. The SSTP client begins sending IPv4 or IPv6
traffic over the PPP link.
Figure 1. Protocol level view of SSTP system architecture.
Setting up the test lab for SSTP remote access
VPN connections
The infrastructure for the VPN test lab network consists of
three computers, which perform the following services:
· A server computer running Windows Server 2008 named DC1 that acts as a domain controller, a Domain Name System (DNS) server, and a file server on a private (intranet) network.
· A server computer running Windows Server 2008 named VPN1 that is configured with Routing and Remote Access and acts as a VPN server. In addition, VPN1 is configured with Active Directory Certificate Services and Internet Information Services (IIS) to allow Web enrollment of the computer certificate required for an SSTP-based VPN connection. VPN1 has two network adapters installed.
· A client computer running Windows Vista with SP1 named CLIENT1 that acts as a VPN client on a public (Internet) network.
The following diagram shows the configuration of the VPN
test lab.
Figure 2. Configuration of the SSTP connection test lab.
Configuring DC1
DC1 is a computer running Windows Server 2008 that
provides the following services:
· A domain controller for the Contoso.com Active Directory® domain.
· A DNS server for the Contoso.com DNS domain.
· A file server.
The configuration of DC1 requires the following steps:
· Install the operating system.
· Configure TCP/IP.
· Install Active Directory and DNS.
· Create a user account with remote access permission.
· Create a shared folder and file.
The following sections explain these steps in detail.
Install the operating system
Install Windows Server 2008
1. On DC1, start your computer by using the
Windows Server 2008 product disc.
2. Follow the instructions that appear on your
screen. When prompted for a password, type P@ssword.
Configure TCP/IP
Configure TCP/IP properties so that DC1 has a static IP
address of 192.168.0.1 with the subnet mask 255.255.255.0 and a default gateway
of 192.168.0.2.
Configure TCP/IP properties
1. On DC1, in the Initial
Configuration Tasks window, under Provide Computer
Information, click Configure networking.
Note
If the Initial Configuration Tasks
window is not already open, you can open it by clicking Start,
clicking Run, typing oobe in the
text box, and then clicking OK.
Figure 3. Initial Configuration Tasks window.
2. In the Network Connections
window, right-click Local Area Connection, and then
click Properties.
3. On the Networking
tab, click Internet Protocol Version 4 (TCP/IPv4), and
then click Properties.
4. Click Use the following IP
address. Type 192.168.0.1 for the IP address,
type 255.255.255.0 for the subnet mask, type 192.168.0.2 for the default gateway, and type 192.168.0.1
for the preferred DNS server.
5. Click OK, and then
click Close.
Install Active Directory and DNS
Configure the computer as a domain controller for the
Contoso.com domain. This will be the first and only domain controller in this
network.
Configure DC1 as a domain
controller
1. On DC1, in the Initial
Configuration Tasks window, under Provide Computer
Information, click Provide computer name and domain.
Note
If the Initial Configuration Tasks
window is not already open, you can open it by clicking Start,
clicking Run, typing oobe in the
text box, and then clicking OK.
2. In the System Properties
dialog box, on the Computer Name tab, click Change.
3. Change computer name to DC1,
and then click OK.
4. In the Computer Name/Domain
Changes dialog box, click OK.
5. Click Close, and then
click Restart Now.
6. After the server restarts, in the Initial Configuration Tasks window, under Customize
This Server, click Add roles.
7. In the Add Roles Wizard
dialog box, in Before You Begin, click Next.
8. Select the Active Directory
Domain Services check box, and then click Next.
9. In the Active Directory
Domain Services dialog box, click Next.
10. In the Confirm Installation
Selections dialog box, click Install.
11. In the Installation Results
dialog box, click Close.
12. Click Start, and then
click Run. In Open, type dcpromo, and then click OK.
13. On the Welcome page of
the Active Directory Domain Services Installation Wizard,
click Next.
14. Click Create a new domain in
a new forest, and then click Next.
15. In FQDN of the forest root
domain, type contoso.com, and then click Next.
16. In Forest functional level,
select Windows Server 2003, and then click Next.
17. Click Next to accept Windows Server 2003 for the domain functional level.
18. Click Next to accept DNS server for the additional options for this domain
controller.
19. Click Yes, the computer will
use a dynamically assigned IP address (not recommended).
20. Click Yes in the
confirmation dialog box.
21. Click Next to accept
the default folder locations.
22. In Directory Services Restore
Mode Administrator Password, type a password, and then click Next.
23. Click Next.
24. The Active Directory Domain
Services Installation Wizard will begin configuring Active Directory.
When the configuration is complete, click Finish, and
then click Restart Now.
Create a user account with remote access
permission
Create a user account and configure the account with remote
access permission.
Create and grant permission to a
user account in Active Directory
1. On DC1, click Start,
point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the left side tree, expand contoso.com,
right-click Users, point to New,
and then click User.
3. In Full name, type user1, and in User logon name, type user1.
4. Click Next.
5. In Password, type P@ssword and in Confirm password, type P@ssword again.
6. Clear the User must change
password at next logon check box, and then select the User
cannot change password and Password never expires
check boxes.
7. Click Next, and then
click Finish.
To grant remote access permission to user1:
1. In the left tree, click Users.
In the details pane, right-click user1, and then click Properties.
2. On the Dial-in tab,
in Network Access Permission, click Allow
access, and then click OK.
Note
In a real-world scenario, you would use Network
Policy Server (NPS) to configure and enable remote access policies.
3. Close Active Directory Users
and Computers.
Create a shared folder and file
DC1 is a file server that should be accessible to a remote
user after access and authentication methods have been configured.
Create a shared folder and file
1. On DC1, click Start,
and then click Computer.
2. Double-click Local Disk (C:).
3. Right-click inside the blank space of the
Windows Explorer window, point to New, and then click Folder.
4. Name the folder CorpData.
5. Right-click the CorpData
folder, and then click Share.
6. Type domain users,
and then click Add.
7. Click Domain Users,
and then click the Contributor permission level.
8. Click Share, and then
click Done.
9. Double-click the CorpData
folder, right-click the blank space in the empty folder, point to New, and then click Text Document.
10. Name the document VPNTest.
11. Open VPNTest and add
some text.
12. Save and close VPNTest.
Configuring VPN1
VPN1 is a computer running Windows Server 2008 that
provides the following roles:
· Active Directory Certificate Services, a certification authority (CA) that issues the computer certificate required for an SSTP-based VPN connection.
· Certification Authority Web Enrollment, a service that enables the issuing of certificates through a Web browser.
· Web Server (IIS), which is installed as a required role service for Certification Authority Web Enrollment.
Note
Routing and Remote Access does not require IIS
because it listens to HTTPS connections directly over HTTP.SYS. IIS is used in
this scenario so that CLIENT1 can obtain a certificate over the Internet from
VPN1.
· Network Policy and Access Services, which provides support for VPN connections through Remote Access Service.
VPN1 configuration consists of the following steps:
· Install the operating system.
· Configure TCP/IP for Internet and intranet networks.
· Join the Contoso.com domain.
· Install the Active Directory Certificate Services and Web Server (IIS) server roles.
· Create and install the Server Authentication certificate.
· Install the Network Policy and Access Services (Routing and Remote Access) server role.
· Configure VPN1 to be a VPN server.
The following sections explain these steps in detail.
Install the operating system
To install Windows Server 2008 on VPN1:
Install Windows Server 2008
1. On VPN1, start your computer by using the
Windows Server 2008 product disc.
2. Follow the instructions that appear on your
screen. When prompted for a password, type P@ssword.
Configure TCP/IP
Configure TCP/IP properties so that VPN1 has a static IP
address of 131.107.0.2 for the public (Internet) connection and 192.168.0.2 for
the private (intranet) connection.
Configure TCP/IP properties
1. On VPN1, in the Initial
Configuration Tasks window, under Provide Computer
Information, click Configure networking.
Note
If the Initial Configuration Tasks
window is not already open, you can open it by clicking Start,
clicking Run, typing oobe in the
text box, and then clicking OK.
2. In the Network Connections
window, right-click a network connection, and then click Properties.
3. On the Networking
tab, click Internet Protocol Version 4 (TCP/IPv4), and
then click Properties.
4. Click Use the following IP
address.
5. Configure the IP address and subnet mask
with the following values:
a. On the interface connected to the public (Internet) network,
type 131.107.0.2 for the IP address, and type 255.255.0.0 for the subnet mask.
b. On the interface connected to the private (intranet) network,
type 192.168.0.2 for the IP address, type 255.255.255.0 for the subnet mask, and type 192.168.0.1
for the preferred DNS server.
6. Click OK, and then
click Close.
7. To rename the network connections,
right-click a network connection, and then click Rename.
8. Configure the network connections with the
following names:
a. On the interface connected to the public (Internet) network,
type Public.
b. On the interface connected to the private (intranet) network,
type Private.
9. Close the Network
Connections window.
Run the ping command from VPN1 to confirm that
network communication between VPN1 and DC1 works.
Use the ping command to check
network connectivity
1. On VPN1, click Start,
click Run, in the Open box, type cmd,
and then click OK. In the command window, type ping 192.168.0.1.
2. Verify that you can successfully ping DC1.
3. Close the command window.
Join the Contoso domain
Configure VPN1 to be a member server in the Contoso.com
domain.
Join VPN1 to the Contoso.com
domain
1. On VPN1, in the Initial
Configuration Tasks window, under Provide Computer Information,
click Provide computer name and domain.
Note
If the Initial Configuration Tasks
window is not already open, you can open it by clicking Start,
clicking Run, typing oobe in the
text box, and then clicking OK.
2. In the System Properties
dialog box, on the Computer Name tab, click Change.
3. In Computer name,
clear the text and type VPN1.
4. In Member of, click Domain, type contoso, and then click OK.
5. Enter administrator
for the user name and P@ssword for the password.
6. When you see a dialog box welcoming you to
the contoso.com domain, click OK.
7. When you see a dialog box telling you to
restart the computer, click OK. Click Close,
and then click Restart Now.
Install Active Directory Certificate Services
and Web Server
To support SSTP-enabled VPN connections, first install
Active Directory Certificate Services and Web Server (IIS) to enable Web
enrollment of a computer certificate.
Install VPN and certificate
services roles
1. On VPN1, log on as
administrator@contoso.com with the password P@ssword.
2. In the Initial Configuration
Tasks window, under Customize This Server, click
Add roles.
Note
If the Initial Configuration Tasks
window is not already open, you can open it by clicking Start,
clicking Run, typing oobe in the
text box, and then clicking OK.
3. In the Add Roles Wizard
dialog box, in Before You Begin, click Next.
4. Select the Active Directory
Certificate Services check box.
Figure 4. Select Server Roles window.
5. Click Next, and then
click Next again.
6. In the Select Role Services
dialog box, under Role services, select the Certification Authority Web Enrollment check box.
7. In the Add Roles Wizard
dialog box, click Add Required Role Services.
Figure 5. Add Roles Wizard dialog box.
8. Click Next.
9. Click Standalone, and
then click Next.
10. Click Root CA (recommended),
and then click Next.
11. Click Create a new private
key, and then click Next.
12. Click Next to accept
the default cryptographic settings.
13. In the Configure CA Name
dialog box, click Next to accept the default CA name.
Figure 6. Configure CA Name dialog box.
14. Click Next repeatedly
to accept default settings.
15. In the Confirm Installation
Selections dialog box, click Install. The
installation might take several minutes.
16. In the Installation Results
dialog box, click Close.
Create and install the Server Authentication
certificate
The Server Authentication certificate is used by CLIENT1 to
authenticate VPN1. Before installing the certificate, you must configure
Internet Explorer to allow certificate publishing.
Configure Internet Explorer
1. On VPN1, click Start,
right-click Internet Explorer, and then click Run as administrator.
2. If a phishing filter alert appears, click Turn off automatic Phishing Filter, and then click OK.
3. Click the Tools menu,
and then click Internet Options.
4. In the Internet Options
dialog box, click the Security tab.
5. Under Select a zone to view
or change security settings, click Local intranet.
6. Change the security level for Local
intranet from Medium-low to Low,
and then click OK.
Note
In a real-world scenario, you should configure
individual ActiveX® control settings by using Custom level
rather than lowering the security level.
Figure 7. Internet Options dialog box.
Use Internet Explorer to request a Server Authentication
certificate.
Request a Server Authentication
certificate
1. On VPN1, in the Internet Explorer Address
bar, type http://localhost/certsrv, and then press
ENTER.
2. Under Select a task,
click Request a certificate.
3. Under Request a Certificate,
click advanced certificate request.
4. Under Advanced Certificate
Request, click Create and submit a request to this CA.
5. Click Yes to allow
the ActiveX control.
Figure 8. Advanced Certificate Request page.
6. Under Identifying
Information, in the Name field, type vpn1.contoso.com, and in the Country/Region
field, type US.
Note
The name is the certificate subject name and must
be the same as the Internet address used in the SSTP connection settings
configured later in this document.
7. Under Type of Certificate
Needed, select Server Authentication Certificate.
8. Under Key Options,
select the Mark keys as exportable check box, and then
click Submit.
9. Click Yes in the
confirmation dialog box.
The Server Authentication certificate is now pending. It
must be issued before it can be installed.
Issue and install the Server
Authentication certificate
1. On VPN1, click Start,
and then click Run.
2. In Open, type mmc, and then click OK.
3. In the Console1 snap-in, click File, and then click Add/Remove Snap-in.
4. Under Available snap-ins,
click Certification Authority, then click Add.
5. Click Finish to
accept the default setting of Local computer.
6. Click OK to close the
Add or Remove Snap-ins dialog box.
7. In the newly created MMC console, in the
left pane, double-click Certification Authority (Local).
8. Double-click contoso-VPN1-CA,
and then click Pending Requests.
Figure 9. Certification Authority console.
9. In the middle pane, right-click the pending
request, point to All Tasks, and then click Issue.
10. In Internet Explorer, in the Certificate
Pending page, click Home. If this page is not
visible, browse to http://localhost/certsrv.
11. Under Select a task,
click View the status of a pending certificate request.
12. Under View the Status of a
Pending Certificate Request, select the just-issued certificate.
13. Click Yes to allow the
ActiveX control.
14. Under Certificate Issued,
click Install this certificate.
15. Click Yes in the
confirmation dialog box.
Move the installed certificate from the default store
location.
Move the certificate
1. On VPN1, in the previously created MMC
console, click File, and then click Add/Remove
Snap-in.
2. Under Available snap-ins,
click Certificates, and then click Add.
Figure 10. Certificates snap-in dialog box.
3. Click Finish to
accept the default setting of My user account.
4. Click Add, click Computer account, and then click Next.
5. In the Select Computer
dialog box, click Finish to accept the default setting
of Local computer.
6. Click OK to close the
Add or Remove Snap-ins dialog box.
7. In the console tree pane, double-click Certificates - Current User, double-click Personal,
and then click Certificates.
8. In the middle view pane, right-click the vpn1.contoso.com certificate, point to All
Tasks, and then click Export.
9. In the Welcome page,
click Next.
10. Click Yes, export the private
key, and then click Next.
11. Click Next to accept
the default file format.
12. Type P@ssword in both
text boxes, and then click Next.
13. In the File to Export
page, click Browse.
14. In the File name text
box, type vpn1cert, and then click Browse
Folders.
15. Under Favorite Links,
click Desktop, and then click Save
to save the certificate to the desktop.
16. In the File to Export
page, click Next.
17. Click Finish to close
the Certificate Export Wizard, and then click OK in the confirmation dialog box.
18. In the console tree pane, double-click Certificates (Local Computer), and then double-click Personal.
19. Click Certificates,
and then right-click Certificates, point to All Tasks, and then click Import.
20. In the Welcome page,
click Next.
21. In the File to Import
page, click Browse.
22. Under Favorite Links,
click Desktop, and from the drop-down list, select Personal Information Exchange for the file type.
Figure 11. Certificate Import Wizard.
23. In the middle view pane, double-click vpn1cert.
24. In the File to Import
page, click Next.
25. In the Password text
box, type P@ssword, and then click Next.
26. In the Certificate Store
page, click Next to accept the Personal store location.
27. Click Finish to close
the Import Export Wizard, and then click OK in the confirmation dialog box.
Figure 12. Location of Server Authentication
certificate.
Important
If the procedures in this document are not followed in the
order presented, the presence of an all-purpose certificate (contoso-VPN1-CA)
could create issues. Delete the contoso-VPN1-CA certificate in the Local
Computer store to ensure the SSTP listener binds to the Server Authentication
certificate (vpn1.contoso.com).
Delete the all-purpose certificate
1. In the middle view pane, double-click Certificates, right-click contoso-VPN1-CA,
and then click Delete.
2. Click Yes in the
confirmation dialog box.
Install Routing and Remote Access
Configure VPN1 with Routing and Remote Access to function as
a VPN server.
Install VPN and certificate
services roles
1. On VPN1, in the Initial
Configuration Tasks window, under Customize This Server,
click Add roles.
Note
If the Initial Configuration Tasks
window is not already open, you can open it by clicking Start,
clicking Run, typing oobe in the
text box, and then clicking OK.
2. In the Add Roles Wizard
dialog box, in Before You Begin, click Next.
3. Select the Network Policy
and Access Services check box, click Next, and
then click Next again.
4. In the Select Role Services
dialog box, under Role services, select the Routing and Remote Access Services check box.
5. Click Next, and then
click Install.
6. In the Installation Results
dialog box, click Close.
Configure Routing and Remote Access
Configure VPN1 to be a VPN server providing remote access
for Internet-based VPN clients.
Configure VPN1 to be a VPN server
1. On VPN1, click Start,
point to Administrative Tools, and then click Routing and Remote Access.
2. In the Routing and Remote
Access console tree, right-click VPN1, and then
click Configure and Enable Routing and Remote Access.
3. In the Welcome to the
Routing and Remote Access Server Setup Wizard page, click Next.
4. In the Configuration
page, click Next to accept the default setting of Remote access (dial-up or VPN).
5. In the Remote Access
page, click VPN, and then click Next.
6. In the VPN Connection
page, under Network interfaces, click Public.
This is the interface that will connect VPN1 to the Internet.
7. Click Enable security on the
selected interface by setting up static packet filters to clear this
setting, and then click Next.
Note
Normally, you would leave security enabled on the
public interface. For the purposes of testing lab connectivity, you should
disable it.
8. Click From a specified range
of addresses, and then click Next.
9. Click New, type 192.168.0.200 for the Start IP address,
type 192.168.0.210 for the End IP
address, click OK, and then click Next.
10. Click Next to accept
the default setting, which means VPN1 will not work with a RADIUS server. In
this scenario, Routing and Remote Access Server will use Windows
Authentication.
11. In the Completing the Routing
and Remote Access Server Setup Wizard page, click Finish.
12. If the dialog box that describes the need to
add this computer to the remote access server list appears, click OK.
13. In the dialog box that describes the need to
configure the DHCP Relay Agent, click OK.
14. Close the Routing and Remote Access snap-in.
Configuring CLIENT1
CLIENT1 is a computer running Windows Vista with SP1 that
functions as a remote access VPN client for the Contoso.com domain.
CLIENT1 configuration consists of the following steps:
· Install the operating system.
· Configure TCP/IP.
The following sections explain these steps in detail.
Install the operating system
To install Windows Vista with SP1 on CLIENT1:
Install Windows Vista SP1
1. On CLIENT1, start your computer by using
the Windows Vista with SP1 product disc. Follow the instructions that appear
on your screen.
2. When prompted for the installation type,
choose Custom.
3. When prompted for the user name, type user1.
4. When prompted for the computer name, type CLIENT1.
5. When prompted for the computer location,
choose Home.
Configure TCP/IP
Configure TCP/IP properties so that CLIENT1 has a static IP
address of 131.107.0.3 for the public (Internet) connection.
Configure TCP/IP properties
1. On CLIENT1, click Start,
and then click Control Panel.
2. Click Network and Internet,
click Network and Sharing Center, and then click Manage network connections.
3. Right-click Local Area
Connection, and then click Properties. If a
dialog box is displayed that requests permissions to perform this operation,
click Continue.
4. In the Local Area Connection
Properties dialog box, click Internet Protocol Version
4 (TCP/IPv4), and then click Properties.
5. Click Use the following IP
address. In IP address, type 131.107.0.3
for the IP address, and type 255.255.0.0 for the subnet
mask.
6. Click OK, and then
click Close.
Configure the hosts file to have a record for VPN1. This
simulates a real-world scenario in which the corporate VPN server would have a
publicly resolvable host name.
Configure the hosts file
1. On CLIENT1, click Start,
click All Programs, click Accessories,
right-click Command Prompt, and then click Run as administrator.
2. In the User Account Control
dialog box, click Continue.
3. In the command window, type the following
and then press ENTER:
notepad %windir%\system32\drivers\etc\hosts
4. Add the following text in a new line at the
end of the document:
131.107.0.2 vpn1.contoso.com
5. Save and close the hosts file.
Run the ping command from CLIENT1 to
confirm that network communication between CLIENT1 and VPN1 works.
Use the ping command to check
network connectivity
1. On VPN1, click Start,
point to Administrative Tools, and then click Windows Firewall with Advanced Security.
2. In the console tree, click Inbound
Rules.
Figure 13. Windows Firewall with Advanced Security
snap-in.
3. In the details pane, scroll down and
double-click File and Printer Sharing (Echo Request -
ICMPv4-In) for the Public profile. Verify that this rule is enabled.
Figure 14. File and Printer Sharing (Echo Request -
ICMPv4-In) Properties dialog box.
4. Under General, select
the Enabled check box, and then click OK.
5. On CLIENT1, in the command window, type ping vpn1.contoso.com, and then press ENTER.
6. Verify that you can successfully ping VPN1.
For the purpose of this test lab, this connection
signifies that the remote user can connect to the office VPN server over the
public Internet.
7. Close the command window.
Simulating a PPTP-based connection failure
Now that the preceding steps have been completed, the lab
infrastructure is in place. This section covers how to configure your lab setup
so that PPTP-based VPN connections will fail. This simulates a real-world
scenario in which the remote access server is behind a firewall that blocks
PPTP connections. This lab will use Windows Firewall with Advanced Security on
VPN1 to serve as the perimeter firewall.
Configure PPTP-based VPN connection
Create a PPTP connection.
Configure PPTP-based VPN
connection
1. On CLIENT1, click Start,
and then click Control Panel.
2. Click Network and Internet,
click Network and Sharing Center, and then click Set up a connection or network.
Figure 15. Set up a connection or network dialog box.
3. Click Connect to a workplace,
and then click Next.
4. Click Use my Internet
connection (VPN).
5. Click I'll set up an
Internet connection later.
6. In Internet address,
type vpn1.contoso.com, and then click Next.
Note
The Internet address must be the same as the
subject name previously configured in this document. This requirement is for
the SSTP connection used later in this document.
7. In the Type your user name
and password dialog box, type the following information:
a. In User name, type user1.
b. In Password, type P@ssword.
c. Click Remember this password.
d. In Domain, type contoso.
8. Click Create, and
then click Close.
Test PPTP-based connection
Test the PPTP connection. You should be able to successfully
connect to VPN1 by using the PPTP-based VPN connection created on CLIENT1.
Test PPTP-based connection
1. On CLIENT1, in Network and
Sharing Center, click Manage network connections.
2. Double-click VPN Connection,
and then click Connect.
Figure 16. VPN Connection dialog box.
3. Verify that the connection was completed
successfully by right-clicking VPN Connection, and then
clicking Status. The Media State should be "Connected."
4. In the VPN Connection Status dialog box,
click Disconnect.
Configure Windows Firewall with Advanced
Security
PPTP traffic consists of traffic over TCP port 1723 for
tunnel maintenance and traffic over IP protocol 47 for Generic Routing Encapsulation
(GRE) for tunneling data. Configure Windows Firewall with Advanced Security to
block inbound GRE traffic to VPN1. This simulates a remote access server behind
a firewall that blocks PPTP connections.
Configure Windows Firewall with
Advanced Security to block PPTP-based connections
1. On VPN1, click Start,
point to Administrative Tools, and then click Windows Firewall with Advanced Security.
2. In the console tree, click Inbound
Rules.
3. In the details pane, scroll down and
double-click Routing and Remote Access (GRE-In).
4. Under Action, select Block the connections, and then click OK.
Figure 17. Routing and Remote Access (GRE-In)
Properties dialog box.
Test PPTP-based connection
Confirm that a PPTP-based connection to VPN1 is now blocked.
Test PPTP-based connection
1. On CLIENT1, in Network and
Sharing Center, click Manage network connections.
2. Double-click VPN Connection,
and then click Connect.
3. Verify that the connection was not
completed. You should see a dialog box similar to the following:
Figure 18. PPTP-based VPN connection fails.
4. Click Close.
Configuring an SSTP-based connection
A VPN client using an SSTP connection must trust the root CA that
issued the VPN server's computer certificate. During the SSL handshake, before
any PPP traffic or user credentials are sent, the client validates the server's
Server Authentication certificate: the chain must end in a certificate held in
the client's Trusted Root Certification Authorities store, the certificate's
subject or subject alternative name must match the host name the client
connects to, and by default the client also checks revocation through the CRL
distribution point the certificate lists, so that location must be reachable
from the client. If any of these checks fails, the SSTP connection is refused.
·
Obtain a trusted root CA certificate
The root certificate can be obtained through
auto-enrollment, if the client is joined to an Active Directory domain, or
through Web enrollment from the CA's certificate-issuing Web site. In this
scenario, CLIENT1 will obtain the root CA certificate from VPN1 by using Web
enrollment. Note that this download travels over plain HTTP, so nothing
authenticates the certificate you receive; that is acceptable only in an
isolated lab. Outside the lab, compare the certificate's thumbprint with a
value obtained out of band before trusting it.
Obtain the root CA certificate from
VPN1
1. On CLIENT1, click Start,
and then click Internet Explorer.
2. In Internet Explorer,
clear the URL and type http://vpn1.contoso.com/certsrv,
and then press ENTER.
3. If a phishing filter alert appears, click Turn off automatic Phishing Filter, and then click OK.
4. On the Welcome page, under Select
a task, click Download a CA certificate, certificate
chain, or CRL.
5. If you receive an alert about the
Information Bar, click Close.
6. Click Download CA
certificate.
7. In the File Download
dialog box, click Open.
Figure 19. File Download dialog box for the security
certificate.
8. In the security alert dialog box, click Allow.
9. Click Install Certificate.
Figure 20. Certificate dialog box.
10. In the Certificate Import
Wizard, click Next.
11. In the Certificate Store
dialog box, click Next to accept the default automatic
store location.
12. Click Finish.
13. In the confirmation dialog box, click OK.
14. Click OK to close the Certificate dialog box.
Now that the root CA certificate has been installed, it
must be moved to the correct store. The default automatic location for the
installed certificate is the Current User, Intermediate Certification
Authorities store. The certificate must be moved to the Local Computer, Trusted
Root Certification Authorities store on CLIENT1. Begin by configuring an MMC with
user and computer certificate snap-ins.
Configure an MMC
1. On CLIENT1, click Start,
click All Programs, click Accessories,
and then click Run.
2. In Open, type mmc, and then click OK.
3. In the User Account Control
dialog box, click Continue.
4. In the Console1 snap-in, click File, and then click Add/Remove Snap-in.
5. Under Available snap-ins,
click Certificates, and then click Add.
6. Click Finish to
accept the default setting of My user account.
7. Click Add, click Computer account, and then click Next.
8. In the Select Computer
dialog box, click Finish to accept the default setting
of Local computer.
9. Click OK to close the
Add or Remove Snap-ins dialog box.
Move the installed certificate from the default store
location. The CA certificate contains only the CA's public key; no private key
is bound to it on CLIENT1, so you can simply copy and paste the certificate
into the new certificate store.
Move the certificate
1. On CLIENT1, in the newly created MMC, in
the console tree pane, double-click Certificates - Current User,
double-click Intermediate Certification Authorities,
and then click Certificates.
2. In the middle pane, right-click the contoso-VPN1-CA certificate, and then click Copy.
3. In the console tree pane, double-click Certificates (Local Computer), double-click Trusted
Root Certification Authorities, and then click Certificates.
4. In the middle pane, right-click, and then
click Paste.
5. Refresh the view to verify that the
certificate has been added to this store.
Figure 21. New location for downloaded certificate.
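The download, import and store placement above can be done in one step from an elevated PowerShell prompt, and the result can be checked before touching the VPN connection at all. This is an added example, not part of the original guide: it imports the CA certificate straight into Local Computer\Trusted Root Certification Authorities and then performs a TLS handshake with VPN1 to confirm that the server's certificate chains to that root, carries the expected name and passes a revocation check, which are the checks the SSTP client applies. It assumes the CA certificate was saved to C:\Temp\contoso-VPN1-CA.cer (a hypothetical path; the guide opens the file from the browser instead) and that the prompt is elevated, because the LocalMachine\Root store is writable only by administrators.

```powershell
# Added example, not from the original guide: import the downloaded root CA
# certificate directly into Local Computer\Trusted Root Certification Authorities
# on CLIENT1, then confirm with a TLS handshake that VPN1's certificate actually
# chains to it and passes the checks the SSTP client will apply. Assumptions:
# the CA certificate was saved to C:\Temp\contoso-VPN1-CA.cer (hypothetical path)
# and the prompt is elevated, because LocalMachine\Root is admin-only.

function Import-RootCA {
    param([string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # A CA certificate carries only a public key, so no private-key handling is
    # involved; this is the same reason copy/paste works in the MMC.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }

    # Hand back the thumbprint so it can be compared with the value obtained
    # out of band from whoever runs the CA.
    $cert.Thumbprint
}

function Test-SstpServerCert {
    param([string]$HostName = 'vpn1.contoso.com', [int]$Port = 443)

    $result = @{}
    # The callback sees the chain Windows built and any policy errors: untrusted
    # root, name mismatch or revocation failure would all make SSTP refuse the
    # server. Return $true here only so the handshake completes for inspection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $result.Subject = $cert.Subject
        $result.Issuer  = $cert.Issuer
        $result.Root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        $result.Errors  = $errors
        return $true
    }

    $tcp    = New-Object System.Net.Sockets.TcpClient $HostName, $Port
    $stream = $tcp.GetStream()
    $ssl    = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
    try {
        # The last argument turns on revocation checking, matching the SSTP
        # client's default behaviour (the CRL must be reachable from the client).
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls, $true)
    } finally {
        $ssl.Close()
        $tcp.Close()
    }
    New-Object PSObject -Property $result
}

Import-RootCA -Path 'C:\Temp\contoso-VPN1-CA.cer'
$check = Test-SstpServerCert
$check
if ($check.Errors -ne [System.Net.Security.SslPolicyErrors]::None) {
    Write-Warning "The SSTP client will reject this server: $($check.Errors)"
}
```

If Errors reports a chain error after the import, the certificate landed in the wrong store (the Current User store is not consulted for a machine-level VPN), and a name-mismatch error means the connection's destination host name does not match the certificate's subject, which no amount of trust-store work will fix.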
·
Configure and test an SSTP-based VPN connection
Now that the root CA certificate of the VPN server's
computer certificate is in the Trusted Root Certification Authorities
certificate store on CLIENT1, configure and test an SSTP connection.
Configure and test an SSTP
connection
1. On CLIENT1, in Network and
Sharing Center, click Manage network connections.
2. Double-click VPN Connection,
and then click Properties.
3. Click the Networking
tab.
4. From the Type of VPN drop-down
list, select Secure Socket Tunneling Protocol (SSTP),
and then click OK.
Figure 22. VPN Connection Properties dialog box.
5. In the Connect VPN
Connection dialog box, click Connect.
CLIENT1 should successfully connect to VPN1 using the
SSTP connection. Verify that you can access the corporate file server from
the remote location.
6. Click Start, click All Programs, click Accessories, and
then click Run.
7. In Open, type \\dc1.contoso.com\corpdata,
and then click OK.
8. Double-click VPNTest
to open it, add some text, and then save the file.
9. Close VPNTest.
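The connect, verify and disconnect cycle that the PPTP test procedures earlier and the SSTP procedure above perform by hand can be scripted on CLIENT1 so the same check is repeatable after each firewall or certificate change. This is an added example, not part of the original guide. It uses rasdial.exe, which ships with Windows Vista, and tests whatever tunnel type the phonebook entry is currently set to (PPTP earlier in the lab, SSTP after the step above). It assumes the entry is named "VPN Connection" as in the guide, that the lab account is CONTOSO\user1 with the password shown (both hypothetical; substitute the account the lab created), and that the test file is VPNTest.txt in the corpdata share (the guide does not show the file's extension).

```powershell
# Added example, not from the original guide: script the connect / verify /
# disconnect cycle that the manual PPTP and SSTP test procedures walk through,
# using rasdial.exe, which ships with Windows Vista. Assumptions: the phonebook
# entry is named "VPN Connection" as in the guide, the lab account is
# CONTOSO\user1 with the password below (hypothetical), and the test file is
# VPNTest.txt in the corpdata share (extension assumed).

function Test-VpnConnection {
    param(
        [string]$Entry    = 'VPN Connection',
        [string]$User     = 'contoso\user1',
        [string]$Password = 'P@ssw0rd',   # lab only: never hard-code or pass on a command line in production
        [string]$TestFile = '\\dc1.contoso.com\corpdata\VPNTest.txt'
    )

    $out = rasdial $Entry $User $Password 2>&1
    if ($LASTEXITCODE -ne 0) {
        # rasdial prints "Remote Access error <code> - <text>". For the PPTP test
        # with GRE blocked this is the "at least one Internet device ... is not
        # configured to allow GRE" failure; for SSTP a missing root CA or a host
        # name mismatch surfaces as a certificate-chain error instead.
        $m = $out | Select-String 'error (\S+)' | Select-Object -First 1
        $code = if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
        return New-Object PSObject -Property @{ Connected = $false; Error = $code; Detail = "$out" }
    }

    try {
        # The tunnel is up; prove it carries traffic by writing through it to DC1,
        # which mirrors the "open VPNTest, add some text, save" step.
        Add-Content -Path $TestFile -Value ("VPN test " + (Get-Date -Format s))
        $written = Test-Path $TestFile
    } finally {
        # Always tear the tunnel down, so a failed share test does not leave
        # CLIENT1 connected and skew the next firewall or certificate test.
        rasdial $Entry /disconnect | Out-Null
    }
    New-Object PSObject -Property @{ Connected = $true; Error = $null; FileWritten = $written }
}

Test-VpnConnection
```

Run it once with the entry set to PPTP while the GRE rule on VPN1 is blocked and once with it set to SSTP: the first call should return Connected = $false with the GRE error code, the second Connected = $true and FileWritten = $true.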
·
Additional Resources
· New
Networking Features in Windows Server 2008 and Windows Vista (http://go.microsoft.com/fwlink/?LinkId=71606)