Network Access Protection, Revisited (Part 3)
If you would like to read other parts to the article series please read:
In Part 2 of this article series, I showed you how to install an Enterprise Certificate Authority, and how to prepare the rest of the network infrastructure that would be required for facilitating Network Access Protection. In this article, I will continue the discussion by showing you how to configure the necessary VPN Server. For the purposes of this article series, I will be installing the Network Policy Server onto the same physical computer as will be used for the VPN Server. In a real world deployment, you would usually want to use two separate computers to host these roles for security reasons. Hosting both roles on the same computer should only be done in a lab environment.
Basic Configuration Tasks
Before I show you how to configure this server to act as a VPN server, you must perform some basic configuration tasks. Essentially, this means that you must install Windows Server 2008, and configure it to use a static IP address. The IP address must fall into the same range as the domain controller that you configured previously. Additionally, the server’s Preferred DNS Server setting in its TCP/IP configuration should point to the domain controller that you set up earlier in this series, since it is also acting as a DNS server. After you finish performing the VPN server’s initial configuration, you should use the PING command to verify that the VPN server can communicate with the domain controller.
Joining a Domain
Now that you have specified the machine’s TCP/IP configuration and tested its connectivity, it’s time to get started with the real configuration tasks. The first thing that you will have to do is to join the server to the domain that you created earlier in this series. The process of joining a domain works very similarly in Windows Server 2008 to the way that it works in Windows Server 2003.
To join a domain, right click on the Computer command found on the server’s Start menu, and choose the Properties command from the resulting shortcut menu. Upon doing so, Windows will open the Control Panel’s System applet. Now, click the Change Settings button found in the Computer Name, Domain, and Workgroup Settings section of this screen. Doing so will reveal the System Properties sheet. The System Properties sheet is nearly identical to the one found in Windows Server 2003, as shown in Figure A. Click the Change button to reveal the Computer Name Changes dialog box. In Figure A, the Change button is grayed out because the server has already been joined to a domain. Now, select the Domain radio button found in the dialog box’s Member of section. Enter the name of your domain into the Domain field and click OK.
Figure A: The System Properties sheet is nearly identical to the one found in Windows Server 2003
You should now see a dialog box prompting you for a set of credentials. Enter the username and password your domain administrator account, and click the Submit button. After a brief delay you should see a dialog box welcoming you to the domain. Click OK, and you’ll see another dialog box telling you that you must restart your computer. Click OK one more time, followed by the Close button. When you restart the computer, it should be a member of the domain that you specified.
Installing Routing and Remote Access
Now it’s time to install the Routing and Remote Access service. As a part of the installation process, we will configure this service to act as a VPN server. Begin the process by opening the Server Manager. You can find a shortcut to the Server Manager on the Administrative Tools menu. When the Server Manager opens, scroll to the Roles Summary section found in the details pane. Now, click the Add Roles link to launch the Add Roles Wizard.
When the wizard opens, click Next to bypass the Welcome screen. You should now see a screen prompting you as to which roles you want to install on the server. Click the checkbox corresponding to the Network Policy and Access Services option. Click the Next button and you will be taken to a screen that presents you with an introduction to the Network Policy and Access Services. Click Next one more time and you will see a screen prompting you to select the Network Policy and Access Services components that you want to install. Select the check boxes corresponding to Network Policy Server, and Routing and Remote Access Services, as shown in Figure B.
Figure B: Choose the Network Policy Server and the Routing and Remote Access Services options
When you select the Routing and Remote Access Services check box, the Remote Access Service, and the Routing check boxes will be selected automatically. You must leave these check boxes selected because they will install the components that will be necessary for the server to act as a VPN.
Click the Next button and you will be taken to a screen that displays a summary of the services that are about to be installed. Assuming that everything looks good, click the Install button to begin the installation process. This is a good time to go take a break, because the installation process can take several minutes to complete, depending on your hardware. When the installation process completes, click the Close button.
After the Network Access Services have been installed, it is time to configure the Routing and Remote Access Services to accept VPN connections. Begin by opening the Server Manager, and navigating through the console tree to Server Manager | Roles | Network Policy and Access Service | Routing and Remote Access. Now, right click on the Routing and Remote Access container and select the Configure and Enable Routing and Remote Access command from the resulting shortcut menu. This will cause Windows to open the Routing and Remote Access Server Set up Wizard.
Click Next to bypass the wizard’s welcome screen. You should now see a screen asking you which configuration you want to use. Choose the Remote Access (dial-up or VPN) option, as shown in Figure C, and click Next. The following screen will give you a choice between configuring dial-up or VPN access. Choose the VPN check box and click Next.
Figure C: Choose the Remote Access (Dial-Up or VPN) option, and click Next
The wizard will now take you to the VPN connection page. Now, choose the network interface that will be used by clients to connect to the VPN server and deselect the Enable Security on the Selected Interface by Setting up Static Packet Filters check box, as shown in Figure D.
Figure D: Choose the network adapter that you want to use for inbound VPN requests
Click Next and you will see a screen asking you if you want to assign IP addresses to clients automatically, or if you would rather get the addresses from a specified address range. Choose the From a Specified Range of Addresses option, and click Next.
At this point, you’ll see a screen asks you to enter an IP address range that can be assigned to VPN clients. Click the New button and enter a beginning and an ending address for the IP address range, as shown in Figure E. When you are done, click OK, followed by Next. Windows will now open the Managing Multiple Remote Access Server’s page.
Figure E: You must enter a range of IP addresses to be assigned to clients
The wizard will now ask you if you want the RRAS server to authenticate connection requests, or if you would rather use a RADIUS server. RRAS is fully capable of performing the necessary authentication, but large organizations often have multiple RRAS servers, and it is therefore easier from a management prospective to use a centralized RADIUS server for authentication.
Go ahead and choose the Yes option to configure the server to work with a Radius server. You will now be prompted to enter the IP address for your Radius server. We haven’t actually set up a RADIUS server yet, but later on, we will install RADIUS on our VPN server. Again though, in the real world, you would want to install RADIUS on a separate server. For our purposes, just enter the server’s own IP address as the primary and secondary Radius server address. You will also be prompted to enter a shared secret. For demonstration purposes, just enter rras as the shared secret. When you’re done, Click Next followed by Finish. You will now see a couple of warning messages. Just click OK to close each message.
The last step in the RRAS configuration process is to set up the authentication scheme. To do so, go back to the Server manager, and right click on the Routing and Remote Access container, and choose the Properties command from the resulting shortcut menu. When you do, you’ll see in the server’s properties sheet. Go to the Security tab and click the Authentication Methods button. Verify that the MSCHAPv2 and EAP check boxes are selected, as shown in Figure F, and click OK.
Figure F: Verify that the MSCHAPv2 and EAP options are selected
In this article, I have shown you how to install and configure the Routing and Remote Access Services in a way that will allow the server to act as a VPN server. In the next part of this article series, I will continue the discussion by showing you how to configure the Network Policy Server component.
If you would like to read other parts to the article series please read: