Logo
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
PREGNANCY
 
 
Windows Server

Windows Server 2008 R2 : Traditional VPN Scenario (part 1) - Setting Up the Certificate Server & Certificate Autoenrollment

3/20/2011 5:23:31 PM
The best way to illustrate the concepts in this article is to walk through a sample VPN scenario. The example will walk through the setup and testing of a VPN infrastructure that will include health checks and remediation of a client. The sample VPN scenario architecture is shown in Figure 1.
Figure 1. VPN scenario diagram.


The scenario will use the systems with the basic configuration shown in Table 1. These examples assume that an Active Directory domain companyabc.com has been created and that DC1 is the domain controller.

Table 1. VPN Scenario Servers
ServerRolesOperating SystemIP Address
DC1Directory serverWindows Server 2008 R2172.16.1.100
NPS1Network Policy Server Certificate serverWindows Server 2008 R2172.16.1.151
VPN1RRAS serverWindows Server 2008 R2172.16.1.152 (internal) 192.168.1.201 (external)
VISTA1VPN clientWindows Vista SP1 

The steps to configure the VPN architecture will consist of the following:

  • Set up the certificate server.

  • Set up the Network Policy Server.

  • Configure the Network Policy Server.

  • Set up the RRAS.

  • Set up the VPN client.

  • Test the VPN connection.

  • Control unhealthy VPN clients.

In Windows Server 2008 R2 Active Directory, the users would need to be enabled in the Dial-in tab of the account properties. As you can see in Figure 2, the default option is Control Access Through NPS Network Policy.

Figure 2. Dial-in tab in Windows Server 2008 R2 Active Directory.


We’ll now step through the setup, configuration, and testing of a Windows Server 2008 R2 traditional VPN infrastructure.

Setting Up the Certificate Server

The first step is to configure the certificate server. This server will be used to issue certificates for the VPN infrastructure. The example uses Microsoft Certificate Services, but a third-party CA and certificates could be used as well.

The NPS1 server was chosen for this example, as it will be the centralized policy server and so is well situated to provide certificate services. A completely separate server could have been configured as well. The procedure assumes that the Windows Server 2008 R2 operating system has been installed and that the NPS1 server has joined the companyabc.com domain.

Install the Active Directory Certificate Services role on the NPS1 server using the following steps:

1.
Launch Server Manager.

2.
In the Roles Summary pane, select Add Roles to start the wizard.

3.
Click Next.

4.
Select Active Directory Certificate Services, and click Next.

5.
Click Next.

6.
Check the Certification Authority Web Enrollment to add the check mark.

7.
A window opens with an additional set of role services and features required to support web enrollment. Click Add Required Role Services to add these prerequisites.

8.
Click Next.

9.
Leave the Enterprise option to create an enterprise CA, and click Next.

10.
Leave the Root CA option selected, and click Next.

11.
Leave the Create a New Private Key option selected, and click Next.

12.
Click Next to accept the cryptography options for the CA.

13.
Click Next to accept the CA name.

14.
Click Next to accept the default validity period of five years.

15.
Click Next to accept the default directories.

16.
Click Next.

17.
Click Next to accept the default web server role services.

18.
Click Install to install the roles.

19.
When the installation finishes, click Close to close the wizard.

This certificate server will be used on each of the components in the VPN infrastructure.

Certificate Autoenrollment

Next, configure the root CA so that computer certificates are issued automatically through a group policy using a GPO named Cert Auto Enrollment Group Policy Object.

To configure the computer certificate autoenrollment using the enterprise CA, use the following steps:

1.
On the domain controller DC1, launch Server Manager.

2.
Expand Features, Group Policy Management, Forest: companyabc.com, Domains, and select companyabc.com.

3.
In the console tree, right-click the domain companyabc.com and select Create a GPO in the Domain and Link It Here.

4.
Enter the name Cert Auto Enrollment Group Policy Object and then click OK.

5.
Right-click the Cert Auto Enrollment Group Policy Object and select Edit.

6.
In the console tree of the Group Policy Management Editor, open Computer Configuration, Policies, Windows Settings, Security Settings, and select Public Key Policies.

7.
In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

8.
In the Automatic Certificate Request Wizard, click Next.

9.
On the Certificate Template page, click Computer (shown in Figure 3), click Next, and then click Finish.

Figure 3. Certificate autoenrollment.

10.
Close the Group Policy Management Editor and Group Policy Management Console.

Now each computer that is a member of the domain will be enrolled automatically with a computer certificate.

Other -----------------
- Installing Exchange Server 2010 : Understanding the Active Directory Requirements for Exchange Server 2010
- Installing Exchange Server 2010 : Understanding the Prerequisites for Exchange Server 2010
- Installing Exchange Server 2010 : Understanding the Exchange Server 2010 Server Roles
- Active Directory Domain Services 2008 : View Schema Class and Attribute Definitions
- Active Directory Domain Services 2008 : Apply Active Directory Schema Administrative Permissions
- Active Directory Domain Services 2008 : Install the Active Directory Schema Snap-In
- Microsoft Content Management Server : Deleting Objects
- Microsoft Content Management Server : Managing Resources (part 2) - Replacing Resources
- Microsoft Content Management Server : Managing Resources (part 1) - Creating Resources
- Routing with Windows Server 2003 : Configuring Packet Filters
- Routing with Windows Server 2003 : Configuring and Managing Routing Protocols (part 2) - OSPF Overview & Understanding DHCP Relay Agent
- Routing with Windows Server 2003 : Configuring and Managing Routing Protocols (part 1) - Configuring RIP
- Routing with Windows Server 2003 : Configuring NAT
- Windows Server 2008 R2 : Choosing Between Traditional VPN Technologies and DirectAccess
- DirectAccess in Windows Server 2008 R2 (part 2)
- DirectAccess in Windows Server 2008 R2 (part 1)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Understanding AD Functionality Modes and Their Relationship to Exchange Server Groups
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Exploring DSAccess, DSProxy, and the Categorizer
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Defining the Global Catalog (part 2)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Defining the Global Catalog (part 1)
 
 
Most view of day
- Securing Your SharePoint and Windows Azure Solutions : Configuring Shared Access Permissions for BLOB Storage - Using the Service Bus and Access Control Service
- Microsoft Exchange Server 2010 : Defining Email Addresses (part 2) - Email Address Policies - Changing an Existing Policy
- Microsoft Dynamic CRM 4 : Data Migration (part 4) - Creating a Data Migration
- Microsoft Project 2010 : Fine-Tuning Task Details (part 8) - Setting Up a Recurring Task
- SQL Server 2008 R2 : A Performance Monitoring Approach (part 3) - Monitoring Memory, Monitoring the Disk System
- SharePoint 2010 : Configuring Search Settings and the User Interface - Web Parts (part 2)
- Monitoring Windows Small Business Server 2011 : Using Windows SBS Console Monitoring (part 3) - Creating and Viewing Reports
- Maintaining Desktop Health : Monitoring Reliability and Performance (part 2)
- Microsoft Exchange Server 2010 : Managing Connectivity with Hub Transport Servers - Message Routing in the Organization
- System Center Configuration Manager 2007 : Desired Configuration Management - DCM Strategies
Top 10
- Windows Server 2012 : Administering Active Directory using Windows PowerShell (part 3) - Performing an advanced Active Directory administration task
- Windows Server 2012 : Administering Active Directory using Windows PowerShell (part 2) - Finding Active Directory administration cmdlets
- Windows Server 2012 : Administering Active Directory using Windows PowerShell (part 1) - Managing user accounts with Windows PowerShell
- Windows Server 2012 : Enabling advanced features using ADAC (part 3) - Creating fine-grained password policies
- Windows Server 2012 : Enabling advanced features using ADAC (part 2) - Configuring fine-grained password policies
- Windows Server 2012 : Enabling advanced features using ADAC (part 1) - Enabling and using the Active Directory Recycle Bin
- Microsoft Excel 2010 : Protecting and Securing a Workbook - Marking a Workbook as Read-Only
- Microsoft Excel 2010 : Protecting and Securing a Workbook - Working with Office Safe Modes
- Microsoft Excel 2010 : Protecting and Securing a Workbook - Setting External Content Security Options
- Microsoft Excel 2010 : Protecting and Securing a Workbook - Setting Privacy Options - Set Parental Controls for Online Research
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro