Logo
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
EPL Standings
 
 
Windows 7

Troubleshooting Remote Access Issues (part 2) - Creating a VPN Connection & Add a Certificate

6/15/2011 6:22:44 PM

3. Creating a VPN Connection

A VPN connection actually requires two connections. First, you'll need to connect to the Internet, and then you'll connect to the VPN server. It doesn't matter how you connect to the Internet. It can be over a dial-up connection, a DSL line, a broadband connection, or even through a wireless router.

After creating the connection to the Internet, you can create the VPN connection. You follow the first steps just as you did when you created a dial-up connection. However, instead of choosing Dial Directly, you choose Use My Internet Connection (VPN), as shown in Figure 3.

Figure 3. Creating a VPN connection

If you aren't currently connected to the Internet, you'll be prompted to identify how you want to connect to the Internet. Figure 4 shows this screen. You can choose from one of the connections in the drop-down list. The Always Use This Connection check box is selected by default. If you launch the VPN connection but you're not connected to the Internet, you'll be prompted to connect using this connection.

You then enter the IP address or the hostname of the VPN server and a name for the connection. If you use the name of the VPN server, you'll need to ensure that it is resolvable from an Internet DNS server. If you put in the IP address directly, you'll bypass the DNS name-resolution step.

The wizard will then prompt you to enter credentials for the VPN server. These include the user name, password, and domain name if a domain is used.

Figure 4. Identifying Internet access for the VPN


Exercise: Creating a Remote Access VPN Connection

  1. Launch the Network and Sharing Center. Click Start => Control Panel => Network And Internet => Network And Sharing Center.

  2. Click Set Up A New Connection Or Network.

  3. Select Connect To A Workplace. Click Next.

  4. Ensure that No, Create A New Connection is selected. Click Next.

  5. Select Use My Internet Connection (VPN).

  6. On the Type The Internet Address page, enter the IP address or the name of the VPN server in the Internet Address text box. Enter a name for the VPN connection in the Destination Name text box.

  7. Select Don't Connect Now; Just Set It Up So I Can Connect Later. Click Next.

  8. Enter your user name, password, and domain (if needed). Click Create.


At this point, the connection is ready to use. While a lot of the connection activity is automatic, you may need to troubleshoot some connections.

4. Add a Certificate

If you're using IKEv2 or SSTP, a certificate is required for the connection. If you're using L2TP/IPSec, a certificate is recommended. The VPN server passes the certificate to the client during the connection process. However, the client won't necessarily trust this certificate.

As long as the certificate is issued from a trusted CA, the certificate is trusted. However, if the certificate is not issued from a trusted CA, the certificate won't be trusted and the user will see a warning.

Consider these two scenarios:

  1. Your company purchases a certificate from a public CA such as VeriSign. This certificate is installed on the VPN server and sent to the clients. Because Windows 7 clients have a certificate from VeriSign in their Trusted Root Certification Authorities store, they trust the certificate from the VPN server. They will not receive a warning.

  2. Your company chooses not to pay for the certificate. Instead, administrators create an internal CA. This internal CA issues a certificate to the VPN server. Because Windows 7 clients don't have a certificate from the internal CA in their Trusted Root Certification Authorities store, they do not trust the certificate from the VPN server. They will receive a warning.

The second scenario is cheaper, but the warning can be confusing to users. Users can ignore the warning, but with security as challenging as it is already, you probably don't want to train your users to ignore warnings. The solution is to add the certificate from the internal CA to the Windows 7 Trusted Root Certification Authorities store.


Exercise: Add a Certificate to a Windows 7 Client

  1. Click Start and type MMC in the Start Search box. If prompted by UAC, click Yes to continue.

  2. Select File => Add/Remove Snap-in.

  3. Select Certificates and click Add. Select Computer Account and click Next. Ensure Local Computer is selected and click Finish. Click OK.

  4. Expand Certificates => Trusted Root Certification Authorities => Certificates.

  5. Right-click Certificates and select Import. The Certificate Import Wizard will launch. Review the Welcome screen and click Next.

  6. Click Browse and go to the location of the certificate file. Click Open. Click Next.

  7. On the Certificate Store page, ensure that Place All Certificates In The Following Store is selected and the Certificate Store is listed as Trusted Root Certification Authorities. Your display will look similar to the following graphic. Click Next.



  8. Click Next.

  9. Review the information on the Completion screen and click Finish. A dialog box will appear indicating the import was successful. Click OK.


Once the certificate has been imported, the clients will no longer receive the warnings for certificates issues from the CA.

It's also possible to publish these certificates to internal clients using Group Policy. Certificates are deployed using the Computer Configuration => Policies => Windows Settings => Security Settings => Public Key Policies => Trusted Root Certification Authority Store node.

You can right-click the Trusted Root Certification Authority node and select Import. It uses a similar wizard to import the certificate. After the certificate is imported, Group Policy will deploy the certificate to all computers in the scope of the GPO.

Top Search -----------------
- Enabling and Customizing Pen and Touch Features
- Microsoft Visio 2010 : Creating Swimlane Diagrams
- Managing Printing : Deploying Printers Using Group Policy
- Activating and Validating Windows 7
- Managing Disks from the Command Prompt
- Microsoft Excel 2010 : Adding and Deleting a Data Series
- Networking with Windows 7 : Resolving Names to IP Addresses
- Sharing Printers, Scanners, and Fax Machines
- Microsoft Word 2010 : Saving a Document with Macros & Opening a Document with Macros
- Managing Printers Using Print Management (part 2) - Configuring Printer Driver Isolation Mode
Other -----------------
- Troubleshooting Remote Access Issues (part 1) - Remote Access Overview & Creating a Dial-up Connection
- Visual Basic 2010 : Consuming WCF Services
- Visual Basic 2010 : Implementing WCF Services
- Microsoft PowerPoint 2010 : Working Together on Office Documents - Downloading or Saving Documents in Office Web Apps
- Microsoft PowerPoint 2010 : Working Together on Office Documents - Downloading Documents from Windows Live
- Microsoft PowerPoint 2010 : Working Together on Office Documents - Working with Documents on Windows Live
- Configuring and Troubleshooting Wireless Connectivity (part 3) - Troubleshooting Wireless Connections
- Configuring and Troubleshooting Wireless Connectivity (part 2) - Connecting to a Wireless Network & Setting Up Connections
- Configuring and Troubleshooting Wireless Connectivity (part 1) - Using Wireless Security & Configuring Wireless on Windows 7
- Microsoft Visio 2010 : Identifying 1-D Shapes and Types of Glue & Positioning Shapes with Rulers and Guides
 
 
Most view of day
- Windows Server 2008 Server Core : Compressing Data with the Compact Utility
- Manage the Active Directory Domain Services Schema : Remove Attributes from the Index
- Add an InfoPath Form Web Part to a SharePoint Web Part Page
- Microsoft Systems Management Server 2003 : Defining Parent-Child Relationships (part 2) - Installing the Secondary Site Locally from the SMS CD
- Windows Server 2003 : Analyzing Traffic Using Network Monitor (part 1)
- BizTalk 2009 : Host Integration Server 2009 - Planning Your Host Integration Server Topology
- Using Windows Live Programs (part 2) - Using Windows Live Mail
Top 10
- Automating Windows 7 Installation : Customizing Images Using Deployment Image Servicing and Management (part 3) - Servicing the Operating System in an Image , Committing an Image
- Automating Windows 7 Installation : Customizing Images Using Deployment Image Servicing and Management (part 2) - Mounting an Image , Servicing Drivers in an Image
- Automating Windows 7 Installation : Customizing Images Using Deployment Image Servicing and Management (part 1) - Viewing Information about an Image with DISM
- Automating Windows 7 Installation : Applying an Image Using ImageX
- Automating Windows 7 Installation : Capturing an Image Using ImageX
- Microsoft Visio 2010 : Creating Web Pages from Visio Drawings (part 4) - Fine-tuning Web Pages and Battling Bugs - Saving a Visio Drawing as a Web Page
- Microsoft Visio 2010 : Creating Web Pages from Visio Drawings (part 3) - Fine-tuning Web Pages and Battling Bugs - Customizing Web Page Output
- Microsoft Visio 2010 : Creating Web Pages from Visio Drawings (part 2) - Exploring Visio-Generated Web Pages
- Microsoft Visio 2010 : Creating Web Pages from Visio Drawings (part 1) - Saving as Web Page
- Microsoft Visio 2010 : Sending Visio Files in Email, Saving as PDF or XPS Files
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro