Logo
PREGNANCY
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
 
 
Windows Server

Windows Server 2008 R2 : Traditional VPN Scenario (part 1) - Setting Up the Certificate Server & Certificate Autoenrollment

3/20/2011 5:23:31 PM
The best way to illustrate the concepts in this article is to walk through a sample VPN scenario. The example will walk through the setup and testing of a VPN infrastructure that will include health checks and remediation of a client. The sample VPN scenario architecture is shown in Figure 1.
Figure 1. VPN scenario diagram.


The scenario will use the systems with the basic configuration shown in Table 1. These examples assume that an Active Directory domain companyabc.com has been created and that DC1 is the domain controller.

Table 1. VPN Scenario Servers
ServerRolesOperating SystemIP Address
DC1Directory serverWindows Server 2008 R2172.16.1.100
NPS1Network Policy Server Certificate serverWindows Server 2008 R2172.16.1.151
VPN1RRAS serverWindows Server 2008 R2172.16.1.152 (internal) 192.168.1.201 (external)
VISTA1VPN clientWindows Vista SP1 

The steps to configure the VPN architecture will consist of the following:

  • Set up the certificate server.

  • Set up the Network Policy Server.

  • Configure the Network Policy Server.

  • Set up the RRAS.

  • Set up the VPN client.

  • Test the VPN connection.

  • Control unhealthy VPN clients.

In Windows Server 2008 R2 Active Directory, the users would need to be enabled in the Dial-in tab of the account properties. As you can see in Figure 2, the default option is Control Access Through NPS Network Policy.

Figure 2. Dial-in tab in Windows Server 2008 R2 Active Directory.


We’ll now step through the setup, configuration, and testing of a Windows Server 2008 R2 traditional VPN infrastructure.

Setting Up the Certificate Server

The first step is to configure the certificate server. This server will be used to issue certificates for the VPN infrastructure. The example uses Microsoft Certificate Services, but a third-party CA and certificates could be used as well.

The NPS1 server was chosen for this example, as it will be the centralized policy server and so is well situated to provide certificate services. A completely separate server could have been configured as well. The procedure assumes that the Windows Server 2008 R2 operating system has been installed and that the NPS1 server has joined the companyabc.com domain.

Install the Active Directory Certificate Services role on the NPS1 server using the following steps:

1.
Launch Server Manager.

2.
In the Roles Summary pane, select Add Roles to start the wizard.

3.
Click Next.

4.
Select Active Directory Certificate Services, and click Next.

5.
Click Next.

6.
Check the Certification Authority Web Enrollment to add the check mark.

7.
A window opens with an additional set of role services and features required to support web enrollment. Click Add Required Role Services to add these prerequisites.

8.
Click Next.

9.
Leave the Enterprise option to create an enterprise CA, and click Next.

10.
Leave the Root CA option selected, and click Next.

11.
Leave the Create a New Private Key option selected, and click Next.

12.
Click Next to accept the cryptography options for the CA.

13.
Click Next to accept the CA name.

14.
Click Next to accept the default validity period of five years.

15.
Click Next to accept the default directories.

16.
Click Next.

17.
Click Next to accept the default web server role services.

18.
Click Install to install the roles.

19.
When the installation finishes, click Close to close the wizard.

This certificate server will be used on each of the components in the VPN infrastructure.

Certificate Autoenrollment

Next, configure the root CA so that computer certificates are issued automatically through a group policy using a GPO named Cert Auto Enrollment Group Policy Object.

To configure the computer certificate autoenrollment using the enterprise CA, use the following steps:

1.
On the domain controller DC1, launch Server Manager.

2.
Expand Features, Group Policy Management, Forest: companyabc.com, Domains, and select companyabc.com.

3.
In the console tree, right-click the domain companyabc.com and select Create a GPO in the Domain and Link It Here.

4.
Enter the name Cert Auto Enrollment Group Policy Object and then click OK.

5.
Right-click the Cert Auto Enrollment Group Policy Object and select Edit.

6.
In the console tree of the Group Policy Management Editor, open Computer Configuration, Policies, Windows Settings, Security Settings, and select Public Key Policies.

7.
In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

8.
In the Automatic Certificate Request Wizard, click Next.

9.
On the Certificate Template page, click Computer (shown in Figure 3), click Next, and then click Finish.

Figure 3. Certificate autoenrollment.

10.
Close the Group Policy Management Editor and Group Policy Management Console.

Now each computer that is a member of the domain will be enrolled automatically with a computer certificate.

Other -----------------
- Installing Exchange Server 2010 : Understanding the Active Directory Requirements for Exchange Server 2010
- Installing Exchange Server 2010 : Understanding the Prerequisites for Exchange Server 2010
- Installing Exchange Server 2010 : Understanding the Exchange Server 2010 Server Roles
- Active Directory Domain Services 2008 : View Schema Class and Attribute Definitions
- Active Directory Domain Services 2008 : Apply Active Directory Schema Administrative Permissions
- Active Directory Domain Services 2008 : Install the Active Directory Schema Snap-In
- Microsoft Content Management Server : Deleting Objects
- Microsoft Content Management Server : Managing Resources (part 2) - Replacing Resources
- Microsoft Content Management Server : Managing Resources (part 1) - Creating Resources
- Routing with Windows Server 2003 : Configuring Packet Filters
- Routing with Windows Server 2003 : Configuring and Managing Routing Protocols (part 2) - OSPF Overview & Understanding DHCP Relay Agent
- Routing with Windows Server 2003 : Configuring and Managing Routing Protocols (part 1) - Configuring RIP
- Routing with Windows Server 2003 : Configuring NAT
- Windows Server 2008 R2 : Choosing Between Traditional VPN Technologies and DirectAccess
- DirectAccess in Windows Server 2008 R2 (part 2)
- DirectAccess in Windows Server 2008 R2 (part 1)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Understanding AD Functionality Modes and Their Relationship to Exchange Server Groups
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Exploring DSAccess, DSProxy, and the Categorizer
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Defining the Global Catalog (part 2)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Defining the Global Catalog (part 1)
 
 
Most view of day
- Developing Disk Images : Configuring the Lab Distribution Share (part 3) - Adding Packages
- Windows Server 2008 : Configuring Server Core after Installation (part 1) - Installing Server Core
- Microsoft Visio 2010 : Working with Data - Introducing Shape Data Fields
- Microsoft Exchange Server 2010 : Setting Up Transport Rules (part 3) - Selecting Actions
- Microsoft Word 2010 : Creating Desktop Publishing Documents - Adding Page Backgrounds (part 1) - Add Borders and Shading
- BizTalk Server 2009 Operations : Maintaining the BizTalk Group (part 2) - Backup Procedures
- Microsoft PowerPoint 2010 : Animating Slide Content (part 5) - Animating Parts of a Chart, Animation Tips
- Microsoft Dynamic GP 2010 : Sales Order Processing (part 2)
- Microsoft Visio 2010 : Modifying a Graphic (part 4) - Cropping a Graphic
- Customizing Windows 7 : Set Up a Desktop Slide Show
Top 10
- Windows Phone 8 : Configuring Mailbox Settings (part 5) - Configuring Automatic Replies
- Windows Phone 8 : Configuring Mailbox Settings (part 4) - Lightening the Display,Changing the Mailbox Sync Settings
- Windows Phone 8 : Configuring Mailbox Settings (part 3) - Message Signatures, Blind CCing Yourself
- Windows Phone 8 : Configuring Mailbox Settings (part 2) - Unlinking Mailboxes, Conversation View
- Windows Phone 8 : Configuring Mailbox Settings (part 1) - Linking Mailboxes
- Managing Windows Server 2012 Systems : Configuring Roles, Role Services, and Features (part 6) - Tracking installed roles, role services, and features
- Managing Windows Server 2012 Systems : Configuring Roles, Role Services, and Features (part 5) - Installing components at the prompt
- Managing Windows Server 2012 Systems : Configuring Roles, Role Services, and Features (part 4) - Managing server binaries
- Managing Windows Server 2012 Systems : Configuring Roles, Role Services, and Features (part 3) - Adding server roles and features
- Managing Windows Server 2012 Systems : Configuring Roles, Role Services, and Features (part 2) - Installing components with Server Manager - Viewing configured roles and role services
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro