Logo
PREGNANCY
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
 
 
Windows Server

Windows Server 2008 R2 : Traditional VPN Scenario (part 1) - Setting Up the Certificate Server & Certificate Autoenrollment

3/20/2011 5:23:31 PM
The best way to illustrate the concepts in this article is to walk through a sample VPN scenario. The example will walk through the setup and testing of a VPN infrastructure that will include health checks and remediation of a client. The sample VPN scenario architecture is shown in Figure 1.
Figure 1. VPN scenario diagram.


The scenario will use the systems with the basic configuration shown in Table 1. These examples assume that an Active Directory domain companyabc.com has been created and that DC1 is the domain controller.

Table 1. VPN Scenario Servers
ServerRolesOperating SystemIP Address
DC1Directory serverWindows Server 2008 R2172.16.1.100
NPS1Network Policy Server Certificate serverWindows Server 2008 R2172.16.1.151
VPN1RRAS serverWindows Server 2008 R2172.16.1.152 (internal) 192.168.1.201 (external)
VISTA1VPN clientWindows Vista SP1 

The steps to configure the VPN architecture will consist of the following:

  • Set up the certificate server.

  • Set up the Network Policy Server.

  • Configure the Network Policy Server.

  • Set up the RRAS.

  • Set up the VPN client.

  • Test the VPN connection.

  • Control unhealthy VPN clients.

In Windows Server 2008 R2 Active Directory, the users would need to be enabled in the Dial-in tab of the account properties. As you can see in Figure 2, the default option is Control Access Through NPS Network Policy.

Figure 2. Dial-in tab in Windows Server 2008 R2 Active Directory.


We’ll now step through the setup, configuration, and testing of a Windows Server 2008 R2 traditional VPN infrastructure.

Setting Up the Certificate Server

The first step is to configure the certificate server. This server will be used to issue certificates for the VPN infrastructure. The example uses Microsoft Certificate Services, but a third-party CA and certificates could be used as well.

The NPS1 server was chosen for this example, as it will be the centralized policy server and so is well situated to provide certificate services. A completely separate server could have been configured as well. The procedure assumes that the Windows Server 2008 R2 operating system has been installed and that the NPS1 server has joined the companyabc.com domain.

Install the Active Directory Certificate Services role on the NPS1 server using the following steps:

1.
Launch Server Manager.

2.
In the Roles Summary pane, select Add Roles to start the wizard.

3.
Click Next.

4.
Select Active Directory Certificate Services, and click Next.

5.
Click Next.

6.
Check the Certification Authority Web Enrollment to add the check mark.

7.
A window opens with an additional set of role services and features required to support web enrollment. Click Add Required Role Services to add these prerequisites.

8.
Click Next.

9.
Leave the Enterprise option to create an enterprise CA, and click Next.

10.
Leave the Root CA option selected, and click Next.

11.
Leave the Create a New Private Key option selected, and click Next.

12.
Click Next to accept the cryptography options for the CA.

13.
Click Next to accept the CA name.

14.
Click Next to accept the default validity period of five years.

15.
Click Next to accept the default directories.

16.
Click Next.

17.
Click Next to accept the default web server role services.

18.
Click Install to install the roles.

19.
When the installation finishes, click Close to close the wizard.

This certificate server will be used on each of the components in the VPN infrastructure.

Certificate Autoenrollment

Next, configure the root CA so that computer certificates are issued automatically through a group policy using a GPO named Cert Auto Enrollment Group Policy Object.

To configure the computer certificate autoenrollment using the enterprise CA, use the following steps:

1.
On the domain controller DC1, launch Server Manager.

2.
Expand Features, Group Policy Management, Forest: companyabc.com, Domains, and select companyabc.com.

3.
In the console tree, right-click the domain companyabc.com and select Create a GPO in the Domain and Link It Here.

4.
Enter the name Cert Auto Enrollment Group Policy Object and then click OK.

5.
Right-click the Cert Auto Enrollment Group Policy Object and select Edit.

6.
In the console tree of the Group Policy Management Editor, open Computer Configuration, Policies, Windows Settings, Security Settings, and select Public Key Policies.

7.
In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

8.
In the Automatic Certificate Request Wizard, click Next.

9.
On the Certificate Template page, click Computer (shown in Figure 3), click Next, and then click Finish.

Figure 3. Certificate autoenrollment.

10.
Close the Group Policy Management Editor and Group Policy Management Console.

Now each computer that is a member of the domain will be enrolled automatically with a computer certificate.

Other -----------------
- Installing Exchange Server 2010 : Understanding the Active Directory Requirements for Exchange Server 2010
- Installing Exchange Server 2010 : Understanding the Prerequisites for Exchange Server 2010
- Installing Exchange Server 2010 : Understanding the Exchange Server 2010 Server Roles
- Active Directory Domain Services 2008 : View Schema Class and Attribute Definitions
- Active Directory Domain Services 2008 : Apply Active Directory Schema Administrative Permissions
- Active Directory Domain Services 2008 : Install the Active Directory Schema Snap-In
- Microsoft Content Management Server : Deleting Objects
- Microsoft Content Management Server : Managing Resources (part 2) - Replacing Resources
- Microsoft Content Management Server : Managing Resources (part 1) - Creating Resources
- Routing with Windows Server 2003 : Configuring Packet Filters
- Routing with Windows Server 2003 : Configuring and Managing Routing Protocols (part 2) - OSPF Overview & Understanding DHCP Relay Agent
- Routing with Windows Server 2003 : Configuring and Managing Routing Protocols (part 1) - Configuring RIP
- Routing with Windows Server 2003 : Configuring NAT
- Windows Server 2008 R2 : Choosing Between Traditional VPN Technologies and DirectAccess
- DirectAccess in Windows Server 2008 R2 (part 2)
- DirectAccess in Windows Server 2008 R2 (part 1)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Understanding AD Functionality Modes and Their Relationship to Exchange Server Groups
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Exploring DSAccess, DSProxy, and the Categorizer
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Defining the Global Catalog (part 2)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2010 : Defining the Global Catalog (part 1)
 
 
Most view of day
- Windows Server 2012 : Ensuring DHCP availability (part 2) - Implementing DHCP failover
- Windows Server 2003 on HP ProLiant Servers : Migration Case Studies (part 1) - County Government Office
- Microsoft Excel 2010 : Calculating the Mean (part 3) - Minimizing the Spread - Setting Up the Worksheet for Solver
- Exchange Server 2007 : Migrating from Windows 2000 Server to Windows Server 2003 (part 1) - Beginning the Migration Process
- Microsoft PowerPoint 2010 : Creating New Slides (part 2) - Creating a Slide from a Layout, Copying Slides
- Microsoft Word 2010 : Adding Graphics to Your Documents - Drawing Shapes in Word (part 1) - Drawing an AutoShape
- Client Access to Exchange Server 2007 : Getting the Most Out of the Microsoft Outlook Client - Understanding RPC Over HTTPS in Outlook 2007
- Windows 7 Mobility Features : Presentations A-Go-Go
- Integrating Systems Management Server 2003 into Patch Management Processes (part 2) - Authorizing and Distributing Software Updates
- QuarkXPress 8 : Checking spelling (part 2) - Searching and replacing, Exporting text
Top 10
- Configuring and Troubleshooting IPv6 in Windows Vista (part 4) - Troubleshooting IPv6 Connectivity
- Configuring and Troubleshooting IPv6 in Windows Vista (part 3) - Configuring IPv6 in Windows Vista Using Netsh , Other IPv6 Configuration Tasks
- Configuring and Troubleshooting IPv6 in Windows Vista (part 2) - Configuring IPv6 in Windows Vista Using the User Interface
- Configuring and Troubleshooting IPv6 in Windows Vista (part 1) - Displaying IPv6 Address Settings
- Deploying IPv6 : IPv6 Enhancements in Windows Vista
- Games and Windows 7 : Games for Windows - LIVE (part 2) - Accessing Games for Windows - LIVE from within Compatible Games
- Games and Windows 7 : Games for Windows - LIVE (part 1) - Using the Games for Windows - LIVE Marketplace
- Sharepoint 2013 : Client-side Programming - Working with the REST API (part 3)
- Sharepoint 2013 : Client-side Programming - Working with the REST API (part 2) - Working with the REST API in JavaScript
- Sharepoint 2013 : Client-side Programming - Working with the REST API (part 1) - Understanding REST fundamentals
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro