Logo
CAR REVIEW
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
PREGNANCY
 
 
Windows Server

Windows Server 2008 R2 : Traditional VPN Scenario (part 1) - Setting Up the Certificate Server & Certificate Autoenrollment

3/20/2011 5:23:31 PM
The best way to illustrate the concepts in this article is to walk through a sample VPN scenario. The example will walk through the setup and testing of a VPN infrastructure that will include health checks and remediation of a client. The sample VPN scenario architecture is shown in Figure 1.
Figure 1. VPN scenario diagram.


The scenario will use the systems with the basic configuration shown in Table 1. These examples assume that an Active Directory domain companyabc.com has been created and that DC1 is the domain controller.

Table 1. VPN Scenario Servers
ServerRolesOperating SystemIP Address
DC1Directory serverWindows Server 2008 R2172.16.1.100
NPS1Network Policy Server Certificate serverWindows Server 2008 R2172.16.1.151
VPN1RRAS serverWindows Server 2008 R2172.16.1.152 (internal) 192.168.1.201 (external)
VISTA1VPN clientWindows Vista SP1 

The steps to configure the VPN architecture will consist of the following:

  • Set up the certificate server.

  • Set up the Network Policy Server.

  • Configure the Network Policy Server.

  • Set up the RRAS.

  • Set up the VPN client.

  • Test the VPN connection.

  • Control unhealthy VPN clients.

In Windows Server 2008 R2 Active Directory, the users would need to be enabled in the Dial-in tab of the account properties. As you can see in Figure 2, the default option is Control Access Through NPS Network Policy.

Figure 2. Dial-in tab in Windows Server 2008 R2 Active Directory.


We’ll now step through the setup, configuration, and testing of a Windows Server 2008 R2 traditional VPN infrastructure.

Setting Up the Certificate Server

The first step is to configure the certificate server. This server will be used to issue certificates for the VPN infrastructure. The example uses Microsoft Certificate Services, but a third-party CA and certificates could be used as well.

The NPS1 server was chosen for this example, as it will be the centralized policy server and so is well situated to provide certificate services. A completely separate server could have been configured as well. The procedure assumes that the Windows Server 2008 R2 operating system has been installed and that the NPS1 server has joined the companyabc.com domain.

Install the Active Directory Certificate Services role on the NPS1 server using the following steps:

1.
Launch Server Manager.

2.
In the Roles Summary pane, select Add Roles to start the wizard.

3.
Click Next.

4.
Select Active Directory Certificate Services, and click Next.

5.
Click Next.

6.
Check the Certification Authority Web Enrollment to add the check mark.

7.
A window opens with an additional set of role services and features required to support web enrollment. Click Add Required Role Services to add these prerequisites.

8.
Click Next.

9.
Leave the Enterprise option to create an enterprise CA, and click Next.

10.
Leave the Root CA option selected, and click Next.

11.
Leave the Create a New Private Key option selected, and click Next.

12.
Click Next to accept the cryptography options for the CA.

13.
Click Next to accept the CA name.

14.
Click Next to accept the default validity period of five years.

15.
Click Next to accept the default directories.

16.
Click Next.

17.
Click Next to accept the default web server role services.

18.
Click Install to install the roles.

19.
When the installation finishes, click Close to close the wizard.

This certificate server will be used on each of the components in the VPN infrastructure.

Certificate Autoenrollment

Next, configure the root CA so that computer certificates are issued automatically through a group policy using a GPO named Cert Auto Enrollment Group Policy Object.

To configure the computer certificate autoenrollment using the enterprise CA, use the following steps:

1.
On the domain controller DC1, launch Server Manager.

2.
Expand Features, Group Policy Management, Forest: companyabc.com, Domains, and select companyabc.com.

3.
In the console tree, right-click the domain companyabc.com and select Create a GPO in the Domain and Link It Here.

4.
Enter the name Cert Auto Enrollment Group Policy Object and then click OK.

5.
Right-click the Cert Auto Enrollment Group Policy Object and select Edit.

6.
In the console tree of the Group Policy Management Editor, open Computer Configuration, Policies, Windows Settings, Security Settings, and select Public Key Policies.

7.
In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

8.
In the Automatic Certificate Request Wizard, click Next.

9.
On the Certificate Template page, click Computer (shown in Figure 3), click Next, and then click Finish.

Figure 3. Certificate autoenrollment.

10.
Close the Group Policy Management Editor and Group Policy Management Console.

Now each computer that is a member of the domain will be enrolled automatically with a computer certificate.

Other -----------------
- Installing Exchange Server 2010 : Understanding the Active Directory Requirements for Exchange Server 2010
- Installing Exchange Server 2010 : Understanding the Prerequisites for Exchange Server 2010
- Installing Exchange Server 2010 : Understanding the Exchange Server 2010 Server Roles
- Active Directory Domain Services 2008 : View Schema Class and Attribute Definitions
- Active Directory Domain Services 2008 : Apply Active Directory Schema Administrative Permissions
- Active Directory Domain Services 2008 : Install the Active Directory Schema Snap-In
- Microsoft Content Management Server : Deleting Objects
- Microsoft Content Management Server : Managing Resources (part 2) - Replacing Resources
- Microsoft Content Management Server : Managing Resources (part 1) - Creating Resources
- Routing with Windows Server 2003 : Configuring Packet Filters
- Routing with Windows Server 2003 : Configuring and Managing Routing Protocols (part 2) - OSPF Overview & Understanding DHCP Relay Agent
- Routing with Windows Server 2003 : Configuring and Managing Routing Protocols (part 1) - Configuring RIP
- Routing with Windows Server 2003 : Configuring NAT
- Windows Server 2008 R2 : Choosing Between Traditional VPN Technologies and DirectAccess
- DirectAccess in Windows Server 2008 R2 (part 2)
- DirectAccess in Windows Server 2008 R2 (part 1)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Understanding AD Functionality Modes and Their Relationship to Exchange Server Groups
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Exploring DSAccess, DSProxy, and the Categorizer
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Defining the Global Catalog (part 2)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Defining the Global Catalog (part 1)
 
 
Most view of day
- Microsoft Dynamic CRM 4 : Data Migration (part 2) - Scribe Workbench - Target Configuration
- Microsoft Exchange Server 2010 : Completing Transport Server Setup (part 1) - Configuring Transport Limits
- Microsoft Excel 2010 : Calculating the Median
- Adobe Dreamweaver CS5 : Using Library Items and Server-side Includes (part 2) - Using the Library Assets Panel - Inserting a Library item in your Web page
- Microsoft Systems Management Server 2003 : Understanding Status Summarizers (part 3) - Configuring Status Summarizers - Site System Status Summarizer
- Microsoft Visio 2010 : Sharing and Publishing Diagrams - Saving Visio-Created Websites on a SharePoint Server
- Preparing Windows PE : Working with Windows PE (part 2)
- BizTalk Server 2006 : Starting a New BizTalk Project - Starting Preliminary Design
- Microsoft Excel 2010 : Protecting and Securing a Workbook - Selecting Trusted Publishers and Locations
- Microsoft Systems Management Server 2003 : Patch Management - Preparing for Patch Management
Top 10
- Windows Phone 8 : Scheduled Tasks - Scheduled Task API Limitations
- Windows Phone 8 : Scheduled Tasks - Updating Tiles Using a Scheduled Task Agent
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 5) - Editing an Existing To-Do Item
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 4) - Creating the To-Do Item Shell Tile, Saving a To-Do Item
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 3) - Debugging Scheduled Tasks
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 2) - TodoService, TodoItemViewModel
- Windows Phone 8 : Scheduled Tasks - To-Do List Scheduled Task Sample (part 1) - TodoItem,TodoDataContext
- Windows Phone 8 : Scheduled Tasks - Using Scheduled Tasks
- Windows Phone 8 : Scheduled Tasks - Background Agent Types
- Windows Phone 8 : Windows Phone Toolkit Animated Page Transitions - Reusing the Transition Attached Properties
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro