Tutorial – Deploy Always On VPN

Always On VPN provides a single, cohesive solution for remote access and supports domain-joined, non-domain-joined (workgroup), or Azure AD–joined devices, even personally owned devices. With Always On VPN, the connection type does not have to be exclusively user or device but can be a combination of both. For example, you could enable device authentication for remote device management, and then enable user authentication for connectivity to internal company sites and services.

The purpose of this guide is to demonstrate how to deploy the Always On VPN feature with as little friction as possible. We will deploy the following roles, using PowerShell wherever possible:

  • Active Directory (AD DS)
  • DNS
  • Certificate Authority (AD CS)
  • DHCP
  • Routing and Remote Access Service (RRAS)
  • Network Policy Server (RADIUS)

Installing the Windows Server and Windows 10 operating systems is not covered.

Do not attempt to deploy Remote Access on a virtual machine (VM) in Microsoft Azure. Using Remote Access in Microsoft Azure is not supported, including both Remote Access VPN and DirectAccess.

Conditional access through Azure AD is not demonstrated in this guide.

Target Audience

This guide is aimed at operations engineers working with Microsoft server products. The reader needs working knowledge of the following technologies:

  • PowerShell
  • Windows Server
  • Windows 10

The reader also needs a basic understanding of:

  • DHCP
  • DNS
  • Active Directory (AD DS)
  • PKI infrastructure (AD CS)
  • VPN (IKEv2/SSTP)
  • Network Knowledge (IP, UDP, TCP)
  • RADIUS
  • Hypervisors (Virtualbox, VMware, HyperV)

Definitions

The tutorial uses abbreviations throughout; here is a brief list of their meanings.

Abbreviation | Meaning
AD DS | Active Directory Domain Services
AD CS | Active Directory Certificate Services
PKI | Public Key Infrastructure
DHCP | Dynamic Host Configuration Protocol
IKEv2 | Internet Key Exchange version 2
IP | Internet Protocol
UDP | User Datagram Protocol
TCP | Transmission Control Protocol
RADIUS | Remote Authentication Dial-In User Service
VPN | Virtual Private Network
HDD | Hard Disk Drive
ACL | Access Control List
CRL | Certificate Revocation List
CDP | CRL Distribution Point
AIA | Authority Information Access

Limitations

For this deployment, it is not a requirement that your infrastructure servers, such as computers running Active Directory Domain Services, Active Directory Certificate Services, and Network Policy Server, are running Windows Server 2016. You can use earlier versions of Windows Server, such as Windows Server 2012 R2, for the infrastructure servers and for the server that is running Remote Access.

Hardware Recommendations

For all servers in this guide the following is the minimum requirement:

  • Processor: 1.4 GHz 64-bit processor.
  • RAM: 512 MB (2 GB when installing with the Desktop Experience, which the console steps in this guide rely on).
  • Disk space: 32 GB.
  • Network: Gigabit (10/100/1000BASE-T) Ethernet adapter.
  • Optical storage: DVD drive (if installing the OS from DVD media).

Overview

Technical Drawing

Always On VPN – Overview (diagram)

Servers

The following is an overview of all servers and clients used in this lab.

FQDN | IP(s) | Role(s) | Description
w2016-dc.contoso.com | 192.168.0.10 | AD DS, DNS, DHCP | Domain controller
w2016-ca.contoso.com | 192.168.0.20 | AD CS | Certificate authority
w2016-nps.contoso.com | 192.168.0.30 | NPS | Network Policy Server (RADIUS)
w2016-ras.contoso.com | 192.168.0.40 (internal), external IP | RRAS | VPN gateway
w10-client.contoso.com | External IP | – | Client device that connects to the VPN

DNS-records

There are also some DNS records that need to exist. Here is a short overview. The external record is the name clients dial, so it must match the subject or a SAN entry of the VPN server certificate enrolled later in this guide.

Record | Type | IP/Alias | Internal/External
vpn.contoso.com | A | External IP of w2016-ras.contoso.com | External
pki.contoso.com | A | 192.168.0.20 | Internal

TCP/UDP

In this guide all servers are located in the same subnet, so for simplicity there is no firewall between them. Best practice is to split the servers into multiple subnets protected by one or more firewalls. Even with all servers in one subnet, the ports listed below still have to be opened in the Windows firewall on each server.

w2016-dc.contoso.com

Protocol and port | Usage | Type of traffic
TCP and UDP 389 | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP
TCP 636 | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP over SSL
TCP 3268 | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP Global Catalog
TCP 3269 | Directory, replication, user and computer authentication, Group Policy, trusts | LDAP Global Catalog over SSL
TCP and UDP 88 | User and computer authentication, forest-level trusts | Kerberos
TCP and UDP 53 | User and computer authentication, name resolution, trusts | DNS
TCP and UDP 445 | Replication, user and computer authentication, Group Policy, trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25 | Replication (SMTP site links only) | SMTP
TCP 135 | Replication | RPC endpoint mapper (EPM)
TCP dynamic | Replication, user and computer authentication, Group Policy, trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722 | File replication (Windows Server 2008/2008 R2 only; later versions use the dynamic RPC range) | RPC, DFSR (SYSVOL)
UDP 123 | Windows Time, trusts | Windows Time
TCP and UDP 464 | Replication, user and computer authentication, trusts | Kerberos change/set password
UDP dynamic | Group Policy | DCOM, RPC, EPM
UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389 | AD DS Web Services | SOAP
UDP 67 and UDP 2535 | DHCP (not a core AD DS service, but often present in AD DS deployments and co-located on the DC in this lab) | DHCP, MADCAP
UDP 137 | User and computer authentication, NetLogon | NetBIOS name resolution
TCP 139 | User and computer authentication, replication | DFSN, NetBIOS Session Service, NetLogon

w2016-ca.contoso.com

Protocol and port | Usage | Type of traffic
TCP 135 | Certificate enrollment (endpoint mapper; clients ask it where the CA interface listens) | RPC EPM
TCP 4000 | Certificate enrollment (static DCOM endpoint configured later in this guide) | RPC/DCOM
TCP 80 | AIA and CDP | HTTP

w2016-nps.contoso.com

Protocol and port | Usage | Type of traffic
UDP 1645 | Authentication and authorization (legacy port) | RADIUS
UDP 1646 | Accounting (legacy port) | RADIUS
UDP 1812 | Authentication and authorization | RADIUS
UDP 1813 | Accounting | RADIUS

Windows NPS listens on both port pairs by default. In production keep 1812/1813, which are the IANA assignments, and restrict the rules to the addresses of your RADIUS clients; RADIUS only protects the User-Password attribute, so it should never be reachable from untrusted networks.

w2016-ras.contoso.com

Protocol and port | Usage | Type of traffic
UDP 500 | IKEv2 (IKE_SA_INIT and IKE_AUTH) | VPN
UDP 4500 | IKEv2 with NAT traversal (UDP-encapsulated ESP) | VPN
IP protocol 50 | ESP when there is no NAT between client and server | VPN

These rules are needed on the external adapter. If all clients sit behind NAT, only UDP 500 and 4500 are used; a client with a public address negotiates plain ESP, so the edge firewall must allow IP protocol 50 as well.

Accounts and Keys

Groups

We are also going to create some Active Directory groups.

Group scope | Group type | sAMAccountName | Description
Global | Security | CONTOSO\sec-server-nps | Group that contains all NPS computer objects.
Global | Security | CONTOSO\sec-server-vpn | Group that contains all VPN (RRAS) computer objects.
Global | Security | CONTOSO\sec-vpn-users | Members in this group are allowed to use the VPN connection.

Users

Here is an overview of the users, their passwords and their usage. These are lab values only; in a production deployment every account gets its own long, randomly generated password, and the DHCP/DNS update account should be a dedicated, non-privileged account exactly as shown here (it must never be a domain administrator).

Username | Password | Description
Administrator | Pa$$w0rd | Local administrator
CONTOSO\Administrator | Pa$$w0rd | Contoso domain administrator
CONTOSO\su-dhcp-update | Pa$$w0rd | DHCP/DNS dynamic update service account

Keys

We are also going to use some shared secrets. Again these are lab values. A RADIUS shared secret protects the integrity of every authentication exchange between RRAS and NPS, so in production generate it randomly and make it long (Microsoft recommends at least 22 characters); the DSRM password should be unique per domain controller and stored in a password vault.

Key | Description
a7wr8urQKbmwD27m | Directory Services Restore Mode (DSRM) password
4hG9sBtW9hL2GGSE | RADIUS shared secret for w2016-ras.contoso.com

 

Configuration

We are now going to configure all servers from scratch, let’s get started!

w2016-dc.contoso.com

This server runs Active Directory Domain Services, DNS and the DHCP role. Use the following instructions to set up a new AD forest, DNS and the DHCP server.

Prerequisites

Before proceeding with the configuration, the domain controller needs a static IP address with its DNS client pointing to itself.

  1. Open a PowerShell terminal with privileged permissions (run as administrator).
  2. Execute the following, which will rename the server, set a static IP with a static DNS and restart afterwards.

     
  3. Open the Windows firewall to allow traffic to the server.

     

AD DS

The following will install the Windows Server role Active Directory Domain Services.

  1. Open a PowerShell terminal with privileged permissions (run as administrator).
  2. Execute the following, which installs the role.
  3. The following creates a new forest with “contoso.com” as the domain name and “CONTOSO” as the NetBIOS name. The server restarts automatically during configuration.
  4. When the server has restarted, log in with the domain administrator credentials.
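The following is an added example of how the prerequisite and AD DS steps above can be scripted; it is not the page's original script. It assumes the adapter is named “Ethernet”, the default gateway is 192.168.0.1, and the DSRM password is the lab value from the “Keys” table. Run `Initialize-LabDc`, let the server reboot, then run `Install-LabForest`; after the promotion reboot, `Enable-LabDcFirewall` makes the firewall step explicit.

```powershell
# Added example (not the page's script): prepare w2016-dc and promote it to the first
# domain controller of a new contoso.com forest.
# Assumptions: NIC alias "Ethernet", gateway 192.168.0.1, DSRM password from the Keys table.

function Initialize-LabDc {
    param([string]$Nic = 'Ethernet', [string]$Ip = '192.168.0.10', [string]$Gateway = '192.168.0.1')
    # Static addressing: stop DHCP, drop any existing address and default route, then set ours
    Set-NetIPInterface -InterfaceAlias $Nic -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $Nic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    New-NetIPAddress -InterfaceAlias $Nic -IPAddress $Ip -PrefixLength 24 -DefaultGateway $Gateway | Out-Null
    # A domain controller resolves through itself once DNS is installed
    Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Ip
    Rename-Computer -NewName 'w2016-dc' -Force -Restart
}

function Install-LabForest {
    # Lab value from the Keys table; never hard-code a DSRM password in production
    param([string]$DsrmPassword = 'a7wr8urQKbmwD27m')
    Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment
    $dsrm = ConvertTo-SecureString $DsrmPassword -AsPlainText -Force
    # First DC of a new forest at the Windows Server 2016 functional level; reboots when done
    Install-ADDSForest -DomainName 'contoso.com' -DomainNetbiosName 'CONTOSO' `
        -ForestMode WinThreshold -DomainMode WinThreshold -InstallDns `
        -SafeModeAdministratorPassword $dsrm -Force
}

function Enable-LabDcFirewall {
    # The role installers normally enable these predefined groups; this makes the
    # prerequisite step explicit and is the first thing to check when clients cannot authenticate.
    $groups = 'Active Directory Domain Services', 'DNS Service', 'Kerberos Key Distribution Center',
              'File and Printer Sharing', 'DHCP Server'
    Enable-NetFirewallRule -DisplayGroup $groups -ErrorAction SilentlyContinue
    Get-NetFirewallRule -DisplayGroup $groups -Enabled True | Select-Object DisplayName, Direction, Profile
}
```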

Users and Groups

The following creates the necessary groups in Active Directory and adds members to them.

  1. Note that all servers and workstations need to be joined to the domain before the membership step works, because the computer objects must exist.
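As an added example (not the page's original script), the groups from the “Groups” table and their computer members can be created like this. It assumes the groups are placed in an OU named “Lab” that the script creates, and that the CA, NPS and RAS servers have already been joined to the domain.

```powershell
# Added example (not the page's script): create the three security groups from the Groups
# table and populate them. Assumption: a lab OU "OU=Lab" holds the groups.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouPath   = "OU=Lab,$domainDn"
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouPath'")) {
    New-ADOrganizationalUnit -Name 'Lab' -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Computer accounts end with '$' in sAMAccountName
$groups = @(
    @{ Name = 'sec-server-nps'; Description = 'Group that contains all NPS computer objects.';       Members = @('w2016-nps$') }
    @{ Name = 'sec-server-vpn'; Description = 'Group that contains all VPN (RRAS) computer objects.'; Members = @('w2016-ras$') }
    @{ Name = 'sec-vpn-users';  Description = 'Members in this group are allowed to use the VPN connection.'; Members = @() }
)

foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -SamAccountName $g.Name -GroupScope Global -GroupCategory Security `
            -Path $ouPath -Description $g.Description
    }
    foreach ($m in $g.Members) {
        $computer = Get-ADComputer -Filter "sAMAccountName -eq '$m'"
        if ($null -eq $computer) { Write-Warning "$m not found in AD; join the server to the domain first"; continue }
        Add-ADGroupMember -Identity $g.Name -Members $computer
    }
}

# A computer's group memberships are only reflected in its Kerberos ticket after a reboot,
# so reboot w2016-nps and w2016-ras before expecting template permissions to work.
foreach ($g in $groups) {
    "{0}: {1}" -f $g.Name, ((Get-ADGroupMember -Identity $g.Name | Select-Object -ExpandProperty SamAccountName) -join ', ')
}
```

VPN users are added to sec-vpn-users with `Add-ADGroupMember` in the same way; the page's user table does not define a test user, so none is created here.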

     

DHCP

The following will install the Windows Server role DHCP.

  1. Open a PowerShell terminal with privileged permissions (run as administrator).
  2. Execute the following, which will install the DHCP role.

     
  3. Now we need to create the security groups “DHCP Administrators” and “DHCP Users” on the local DHCP server. Open a command prompt with privileged permissions (run as administrator) and execute the following.

     
  4. Now go back to the PowerShell terminal and run the following, which will restart the DHCP service.

     
  5. Now we need to allow the DHCP server to update A and PTR records. Run the following in the PowerShell terminal.

     
  6. Now we need to create the Active Directory account that the DHCP server uses to register and unregister client records on the DNS server. A dedicated low-privilege account is important here: records registered by the DHCP server are owned by this account, so it must not be a domain administrator.

     
  7. Use the following command to configure the credentials that the DHCP server uses to register or unregister client records on a DNS server.

     
  8. Now we need to authorize the DHCP server in Active Directory. Run the following in a PowerShell terminal.

     
  9. The following will create a new DHCP scope and set the scope options.

     

DNS

This will configure the DNS server.

  1. We need to add some records to get the environment working. Run the following in a PowerShell terminal.
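The following added example covers the DHCP steps and the DNS step above in one script; it is not the page's original code. It assumes a scope of 192.168.0.100–192.168.0.200 with gateway 192.168.0.1, the lab password for su-dhcp-update from the “Users” table, and that a reverse lookup zone for 192.168.0.0/24 does not exist yet (PTR updates fail without one).

```powershell
# Added example (not the page's script) for the DHCP and DNS steps on w2016-dc.
# Assumptions: scope 192.168.0.100-200/24, gateway 192.168.0.1, lab password from the Users table.
Import-Module ActiveDirectory

Install-WindowsFeature -Name DHCP -IncludeManagementTools | Out-Null

# Step 3: local "DHCP Administrators" / "DHCP Users" groups, then restart so the service picks them up
netsh dhcp add securitygroups
Restart-Service -Name DHCPServer

# Step 5: register A and PTR for clients and clean them up when the lease expires
Set-DhcpServerv4DnsSetting -DynamicUpdates Always -DeleteDnsRRonLeaseExpiry $true -UpdateDnsRRForOlderClients $true

# Steps 6-7: dedicated, non-privileged account for DNS registrations
$pwd = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force   # lab value only
if (-not (Get-ADUser -Filter "sAMAccountName -eq 'su-dhcp-update'")) {
    New-ADUser -Name 'su-dhcp-update' -SamAccountName 'su-dhcp-update' -UserPrincipalName 'su-dhcp-update@contoso.com' `
        -AccountPassword $pwd -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true `
        -Description 'DHCP/DNS dynamic update service account'
}
$cred = New-Object System.Management.Automation.PSCredential ('CONTOSO\su-dhcp-update', $pwd)
Set-DhcpServerDnsCredential -Credential $cred -ComputerName 'w2016-dc.contoso.com'

# Step 8: an unauthorized DHCP server in an AD domain refuses to hand out leases
Add-DhcpServerInDC -DnsName 'w2016-dc.contoso.com' -IPAddress 192.168.0.10
# Clears the Server Manager "post-install configuration required" flag for the DHCP role
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2

# Step 9: scope and options (DNS server, DNS suffix, router)
Add-DhcpServerv4Scope -Name 'Contoso LAN' -StartRange 192.168.0.100 -EndRange 192.168.0.200 `
    -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsServer 192.168.0.10 -DnsDomain 'contoso.com' -Router 192.168.0.1

# DNS step 1: secure-only reverse zone so PTR updates succeed, plus the pki record from the DNS table
Add-DnsServerPrimaryZone -NetworkId '192.168.0.0/24' -ReplicationScope Domain -DynamicUpdate Secure
Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'pki' -IPv4Address 192.168.0.20 -CreatePtr

# Checks: forward and reverse resolution for the CDP/AIA host, and the scope is active
Resolve-DnsName -Name 'pki.contoso.com' -Server 192.168.0.10 | Select-Object Name, IPAddress
Resolve-DnsName -Name '192.168.0.20' -Server 192.168.0.10 | Select-Object NameHost
Get-DhcpServerv4Scope | Select-Object ScopeId, Name, State
```

The DHCP server is intentionally given a separate account rather than using the DC's own identity: when DHCP runs on a domain controller and registers records as the computer account, those records become owned by a highly privileged identity, which the DnsUpdateProxy group was never meant to protect.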

     

 

w2016-ca.contoso.com

Prerequisites

Before proceeding with the configuration, the certificate authority server needs a static IP address with DNS pointing to the domain controller.

  1. Open a PowerShell terminal with privileged permissions (run as administrator).
  2. Execute the following, which will rename the server, set a static IP with a static DNS and restart afterwards.

     
  3. Now we need to join the Contoso AD domain. Run the following in a PowerShell terminal with elevated permissions. The server will restart.

     
  4. The loopback check is designed to help prevent reflection attacks; with it enabled, authentication to a local IIS site fails when the FQDN or host header used (here pki.contoso.com) does not match the local computer name. The common fix is to disable the check entirely (DisableLoopbackCheck), which removes the protection for every name on the host. The narrower fix is to add only the host header to BackConnectionHostNames, so prefer that where possible. Run the following in an elevated PowerShell terminal.

     
  5. Open the Windows firewall to allow traffic to the server.

     

AD CS

The following will install the Windows Server role Active Directory Certificate Services.

  1. Open a PowerShell terminal with privileged permissions (run as administrator).
  2. Execute the following, which will install the certificate authority role.

     
  3. Now we need to configure the certificate authority, use the following in a PowerShell terminal.

     
  4. Now we need to add the role services that let clients request and renew certificates, retrieve certificate revocation lists (CRLs) and enroll over the web. Run the following in a PowerShell terminal. This might take some time to finish.

     
  5. To configure the “Certification Authority Web Enrollment” run the following, this will build the virtual applications under the “Default Web Site“.

     
  6. We now need to create a new website called “pki.contoso.com” for CDP and AIA. Run the following in an elevated PowerShell terminal.

     
  7. We now need to allow double escaping in request filtering on the new website. Delta CRL file names end in “+.crl”, and IIS rejects the encoded “+” unless double escaping is allowed, so clients would fail revocation checks. Run the following in a command prompt.

     
  8. Configure the CA to support audit filters. Run the following in an elevated command prompt.

     
  9. Normally, when the Windows CA service starts it allocates a random high port for its enrollment interface. Clients find this dynamic port by asking the CA server’s RPC endpoint mapper, which always listens on TCP 135. To make firewall rules predictable we set a static port instead. This has to be done on every certificate authority server, and the role must be installed before the endpoint can be made static. Open “%windir%\system32\comexp.msc” with “Run as Administrator”.
  10. Browse to “Component Services”, “Computers”, “My Computer”, “DCOM Config”, find “CertSrv Request”, right click it and select “Properties”.
  11. Click on the “Endpoints” tab and click “Add”.
  12. Check “Use static endpoint” and enter “4000” in the port field. Click “OK” twice.
  13. Now open a command prompt with “Run as Administrator” and execute the following.

     
  14. In the same command prompt, execute the following.

     
  15. In the registry, go to the key “HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3}”.
  16. Right click the key “{D99E6E74-FC88-11D0-B498-00A0C90312F3}” and choose “Permissions”.
  17. Click “Advanced”.
  18. Click “Change” in the “Owner” area.
  19. Enter “[NETBIOS]\Administrators” (replace NETBIOS with the local machine name) and click “OK”.
  20. Click “OK” again.
  21. Now we disable the RPC interface ICertPassage. In an elevated command prompt, run the following command.

     
  22. In the same terminal execute the following. The endpoint is now static, but the CA server will not change listening ports until a new certificate request comes in.

     
  23. Now copy the CA certificate and revocation list to the newly created website for the CDP and AIA. Run the following in a command prompt and choose “d” (directory) when it asks whether the target is a file or a directory.

     
  24. Configure the CDPs by running the following in PowerShell.

     
  25. Finally publish a fresh CRL and copy the certificates and CRLs to the CDP/AIA location. Run the following in a command prompt.
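The following added example scripts the AD CS procedure above (and the loopback-check prerequisite); it is not the page's original code. It assumes an enterprise root CA named “Contoso-CA” with a 4096-bit RSA key and SHA-256, a ten-year lifetime, and a CDP/AIA site rooted at C:\inetpub\pki bound to the host header pki.contoso.com. Steps 9–20 (the static DCOM port) are done in the Component Services console as described and are not repeated here.

```powershell
# Added example (not the page's commands) for the AD CS steps on w2016-ca. Run elevated.
# Assumptions: CA name Contoso-CA, RSA 4096 / SHA-256, 10-year validity, CDP/AIA in C:\inetpub\pki.

# Prerequisite step 4: allow only the host header through the loopback check instead of disabling it
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name 'BackConnectionHostNames' `
    -PropertyType MultiString -Value @('pki.contoso.com') -Force | Out-Null

# Steps 2-5: role, enterprise root CA with explicit key size and hash (the defaults are weaker), web enrollment
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools | Out-Null
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CACommonName 'Contoso-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
Install-AdcsWebEnrollment -Force

# Steps 6-7: dedicated CDP/AIA site; delta CRL names contain "+", so request filtering must allow double escaping
Import-Module WebAdministration
New-Item -Path 'C:\inetpub\pki' -ItemType Directory -Force | Out-Null
New-Website -Name 'pki.contoso.com' -PhysicalPath 'C:\inetpub\pki' -HostHeader 'pki.contoso.com' -Port 80 | Out-Null
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\pki.contoso.com' `
    -Filter 'system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping' -Value $true

# Step 8: audit every CA operation (127 sets all audit filter bits) and enable the matching subcategory
certutil -setreg CA\AuditFilter 127
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Step 21: turn off the ICertPassage RPC interface; enrollment then uses DCOM only (the static port 4000)
certutil -setreg CA\InterfaceFlags +IF_NORPCICERTREQUEST

# Step 24: keep the local publishing path, advertise only the HTTP CDP/AIA (no LDAP, so non-domain
# clients such as workgroup VPN devices can still check revocation)
Get-CACrlDistributionPoint | Where-Object { $_.Uri -notlike 'C:\Windows\*' } | Remove-CACrlDistributionPoint -Force
Add-CACrlDistributionPoint -Uri 'http://pki.contoso.com/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force
Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -notlike 'C:\Windows\*' } | Remove-CAAuthorityInformationAccess -Force
Add-CAAuthorityInformationAccess -Uri 'http://pki.contoso.com/<ServerDNSName>_<CaName><CertificateName>.crt' `
    -AddToCertificateAia -Force
Restart-Service -Name certsvc

# Steps 23 and 25: fresh CRL, then copy CA certificate and CRLs into the site. Repeat on each CRL
# publication (or add a PublishToServer entry that points at a path the CA service can write to).
certutil -crl | Out-Null
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\*.crt', 'C:\Windows\System32\CertSrv\CertEnroll\*.crl' `
    -Destination 'C:\inetpub\pki\' -Force

# Check: the base CRL must be downloadable at the URL that issued certificates will carry
$crl = Get-ChildItem 'C:\inetpub\pki\*.crl' | Where-Object Name -NotLike '*+.crl' | Select-Object -First 1
(Invoke-WebRequest -Uri "http://pki.contoso.com/$($crl.Name)" -UseBasicParsing).StatusCode   # expect 200
```

Removing the LDAP CDP is deliberate: the only clients in this design that need revocation data are the VPN server and the Always On devices, and a device connecting from the internet cannot reach LDAP before the tunnel is up. The HTTP CDP has to be reachable from the outside for the same reason, which the lab covers with the hosts-file entry on the client.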

     

Group Policy

Certificate Autoenrollment

In this procedure, you configure Group Policy on the domain controller so that domain members automatically request user and computer certificates. Doing so allows VPN users to request and retrieve user certificates that authenticate VPN connections automatically. Likewise, this policy allows NPS servers to request server authentication certificates automatically.

  1. Log on to the domain controller and open “%SystemRoot%\system32\gpmc.msc”.
  2. Navigate to “Forest: contoso.com” > “Domains” > “contoso.com”. Right click the domain and choose “Create a GPO in this domain, and Link it here”.
  3. Name the GPO “Autoenrollment Policy” and click “OK”.
  4. In the navigation pane, right click “Autoenrollment Policy” and click “Edit”.
  5. Navigate to “Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies”, right click “Certificate Services Client – Auto-Enrollment” and select “Properties”.
  6. Set “Configuration Model” to “Enabled”, select the following and click “OK”.
    • Renew expired certificates, update pending certificates, and remove revoked certificates: checked
    • Update certificates that use certificate templates: checked
  7. In the same policy, navigate to “User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies”, right click “Certificate Services Client – Auto-Enrollment” and choose “Properties”.
  8. Set “Configuration Model” to “Enabled”, select the same two options and click “OK”.
    • Renew expired certificates, update pending certificates, and remove revoked certificates: checked
    • Update certificates that use certificate templates: checked
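The same GPO can be built by script, which is useful when the lab is rebuilt often. This is an added example, not part of the original page; the Auto-Enrollment settings are stored in the GPO as registry policy values, so `Set-GPRegistryValue` reproduces exactly what the console writes. It assumes the Group Policy module is installed on the domain controller.

```powershell
# Added example (not the page's steps): create and link the "Autoenrollment Policy" GPO by script.
# AEPolicy is a bitmask: 1 = enabled, 2 = renew expired / update pending / remove revoked, 4 = update templates.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpo = Get-GPO -Name 'Autoenrollment Policy' -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name 'Autoenrollment Policy' -Comment 'Certificate Services Client - Auto-Enrollment for computers and users'
}

# HKLM = Computer Configuration, HKCU = User Configuration; both get the same three values
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
    # Renew when 10% of the lifetime remains (the console default) and watch the personal store
    Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'OfflineExpirationPercent' -Type DWord -Value 10 | Out-Null
    Set-GPRegistryValue -Guid $gpo.Id -Key $key -ValueName 'OfflineExpirationStoreNames' -Type String -Value 'MY' | Out-Null
}

$domainDn = (Get-ADDomain).DistinguishedName
if (-not (Get-GPInheritance -Target $domainDn).GpoLinks.Where({ $_.DisplayName -eq $gpo.DisplayName })) {
    New-GPLink -Guid $gpo.Id -Target $domainDn -LinkEnabled Yes | Out-Null
}

# Check: the policy values as stored in the GPO
Get-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' |
    Select-Object ValueName, Type, Value
```

On a client, `gpupdate /force` followed by `certutil -pulse` triggers autoenrollment immediately instead of waiting for the next policy refresh.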

Certificate Templates

In the following section we will configure certificates templates to distribute to servers and clients.

VPN Server Authentication

Before we can create a network policy, the VPN server must be able to enroll a server certificate based on the “RAS and IAS Server” template. Execute the following on the certificate authority “w2016-ca.contoso.com”.

  1. Open “%SystemRoot%\system32\certsrv.msc”.
  2. Navigate to “Certification Authority (Local)”, “Contoso-CA”, right click “Certificate Templates” and click “Manage”; a new window opens.
  3. In the new window find “RAS and IAS Server”, right click it and select “Duplicate Template”.
  4. On the “Compatibility” tab choose “Windows Server 2003”.
  5. On the “General” tab, in “Template display name”, write “VPN Server Authentication”.
  6. On the “Security” tab, add the VPN server group “Contoso\sec-server-vpn” and allow “Enroll” and “Autoenroll” (autoenroll is not required in this example). Click “OK”.
  7. On the “Extensions” tab, select “Application Policies” and click “Edit”.
  8. Click “Add”.
  9. Find “IP security IKE intermediate” and click “OK”. Adding IP security IKE intermediate to the EKU helps when more than one server authentication certificate exists on the VPN server: when it is present, IPsec only uses the certificate that carries both EKUs.
  10. On the “Subject Name” tab, select “Supply in the request”. The VPN server adds vpn.contoso.com and its other names itself when it enrolls (see the RRAS section); a subject built from Active Directory would only contain the server’s own FQDN, which is not the name clients dial.
  11. On the “Request Handling” tab, check “Allow private key to be exported”. Be aware that an exportable key can be copied off the VPN server by anyone with local administrator rights and then used to impersonate the gateway; leave this unchecked on a production gateway unless you really need to move the certificate.
  12. Go back to “%SystemRoot%\system32\certsrv.msc”, right click “Certificate Templates” and choose “New” > “Certificate Template to Issue”.
  13. Select “VPN Server Authentication” and click “OK”.

NPS Server Authentication

The next template to create is the NPS Server Authentication template. It is a plain copy of the RAS and IAS Server template, secured to the NPS server group.

  1. Open “%SystemRoot%\system32\certsrv.msc”.
  2. Navigate to “Certification Authority (Local)”, “Contoso-CA”, right click “Certificate Templates” and click “Manage”; a new window opens.
  3. In the new window find “RAS and IAS Server”, right click it and select “Duplicate Template”.
  4. On the “Compatibility” tab choose “Windows Server 2003”.
  5. On the “General” tab, in “Template display name”, write “NPS Server Authentication”.
  6. On the “Security” tab, add the group “Contoso\sec-server-nps” containing the NPS servers and allow “Enroll” and “Autoenroll”. Remove the group “Contoso\RAS and IAS Servers”. Click “OK”.
  7. Go back to “%SystemRoot%\system32\certsrv.msc”, right click “Certificate Templates” and choose “New” > “Certificate Template to Issue”.
  8. Select “NPS Server Authentication” and click “OK”.

User Authentication

In this procedure you configure a custom client authentication template. A custom template is needed because we want to improve the certificate’s overall security by raising the compatibility level and choosing the Microsoft Platform Crypto Provider. The latter stores the private key in the client’s TPM, so it cannot be exported or copied to another machine.

  1. Open “%SystemRoot%\system32\certsrv.msc”.
  2. Navigate to “Certification Authority (Local)”, “Contoso-CA”, right click “Certificate Templates” and click “Manage”; a new window opens.
  3. In the new window find “User”, right click it and select “Duplicate Template”.
  4. On the “General” tab, write “VPN User Authentication” in the “Template display name” field and clear “Publish certificate in Active Directory”.
  5. On the “Security” tab, add the group “sec-vpn-users” and allow “Enroll” and “Autoenroll”.
  6. On the “Request Handling” tab, clear the “Allow private key to be exported” check box.
  7. On the “Compatibility” tab, set “Certification Authority” to “Windows Server 2012 R2” and “Certificate recipient” to “Windows 8.1 / Windows Server 2012 R2”.
  8. On the “Cryptography” tab, set “Provider Category” to “Key Storage Provider”, select “Requests must use one of the following providers” and check “Microsoft Platform Crypto Provider”. If the client is a virtual machine without a virtual TPM, you also need to allow “Microsoft Software Key Storage Provider”, otherwise enrollment fails.
  9. On the “Subject Name” tab, clear “Include e-mail name in subject name” and “E-mail name”. Then click “OK”.
  10. Go back to “%SystemRoot%\system32\certsrv.msc”, right click “Certificate Templates” and choose “New” > “Certificate Template to Issue”.
  11. Choose “VPN User Authentication” and click “OK”.

Device Authentication

This certificate is enrolled to the workstation and allows the client to establish a device VPN tunnel.

  1. Open “%SystemRoot%\system32\certsrv.msc”.
  2. Navigate to “Certification Authority (Local)”, “Contoso-CA”, right click “Certificate Templates” and click “Manage”; a new window opens.
  3. In the new window find “Workstation Authentication”, right click it and select “Duplicate Template”.
  4. On the “General” tab, write “VPN Device Authentication” in the “Template display name” field and clear “Publish certificate in Active Directory”.
  5. On the “Security” tab, add the group “Domain Computers” and allow “Read”, “Enroll” and “Autoenroll”. Click “OK” twice. Note that this gives every computer in the domain a certificate that the VPN gateway accepts for a device tunnel; in production, scope the template to a group of managed workstations instead.
  6. Go back to “%SystemRoot%\system32\certsrv.msc”, right click “Certificate Templates” and choose “New” > “Certificate Template to Issue”.
  7. Choose “VPN Device Authentication” and click “OK”.
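Template creation itself has no cmdlet, but publishing the templates and verifying the security-relevant settings from the four procedures above can be scripted. This added example (not the page's code) does both. It assumes the templates' common names are the display names without spaces, which is what the console generates by default, and reads the template objects directly from the Configuration partition.

```powershell
# Added example (not the page's code): publish the four templates on Contoso-CA and audit the
# flags that matter for this design. Assumption: common names = display names without spaces.
Import-Module ADCSAdministration
Import-Module ActiveDirectory

$templates = 'VPNServerAuthentication', 'NPSServerAuthentication', 'VPNUserAuthentication', 'VPNDeviceAuthentication'
$published = (Get-CATemplate).Name
foreach ($t in $templates) {
    if ($t -notin $published) { Add-CATemplate -Name $t -Force }
}

# Template attributes live in the Configuration naming context
$cfgNc = (Get-ADRootDSE).configurationNamingContext
$tplDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"

$CT_FLAG_EXPORTABLE_KEY = 0x10   # msPKI-Private-Key-Flag
$CT_FLAG_PUBLISH_TO_DS  = 0x08   # msPKI-Enrollment-Flag
$EKU_SERVER_AUTH      = '1.3.6.1.5.5.7.3.1'
$EKU_CLIENT_AUTH      = '1.3.6.1.5.5.7.3.2'
$EKU_IKE_INTERMEDIATE = '1.3.6.1.5.5.8.2.2'

function Get-VpnTemplateAudit {
    Get-ADObject -SearchBase $tplDn -Filter "name -like 'VPN*' -or name -like 'NPS*'" `
        -Properties pKIExtendedKeyUsage, 'msPKI-Private-Key-Flag', 'msPKI-Enrollment-Flag' |
    ForEach-Object {
        $ekus = @($_.pKIExtendedKeyUsage)
        [pscustomobject]@{
            Template        = $_.Name
            ExportableKey   = [bool]($_.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY)
            PublishToAD     = [bool]($_.'msPKI-Enrollment-Flag' -band $CT_FLAG_PUBLISH_TO_DS)
            ServerAuth      = $ekus -contains $EKU_SERVER_AUTH
            ClientAuth      = $ekus -contains $EKU_CLIENT_AUTH
            IkeIntermediate = $ekus -contains $EKU_IKE_INTERMEDIATE
        }
    }
}

$audit = Get-VpnTemplateAudit
$audit | Format-Table -AutoSize

# What the procedures above are supposed to have produced; anything else is a misconfigured template
$problems = $audit | Where-Object {
    ($_.Template -eq 'VPNServerAuthentication' -and -not ($_.ServerAuth -and $_.IkeIntermediate)) -or
    ($_.Template -in 'VPNUserAuthentication', 'VPNDeviceAuthentication' -and ($_.ExportableKey -or $_.PublishToAD -or -not $_.ClientAuth))
}
if ($problems) { Write-Warning ("Review these templates: " + ($problems.Template -join ', ')) }
```

The device and user templates must come out with ExportableKey and PublishToAD false; the server template must carry both Server Authentication and IP security IKE intermediate, otherwise IKEv2 on the RRAS server will not pick the certificate.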

w2016-nps.contoso.com

The following procedure will configure the RADIUS server to authenticate users and devices trying to establish connection through VPN.

Prerequisites

Before proceeding with the configuration, the network policy server (RADIUS) needs a static IP address with DNS pointing to the domain controller, and it should be joined to the Contoso domain.

  1. Open a PowerShell terminal with privileged permissions (run as administrator).
  2. Execute the following, which will rename the server, set a static IP with a static DNS and restart afterwards.

     
  3. Now we need to join the Contoso AD domain. Run the following in a PowerShell terminal with elevated permissions. The server will restart.

     
  4. Open the Windows firewall to allow traffic to the server.

     

NPS

The following will install and set up the Network Policy Server (NPS), which is Microsoft’s RADIUS server.

  1. Open a PowerShell terminal with privileged permissions (run as administrator).
  2. Execute the following, which installs NPS.

     
  3. Register the NPS server in Active Directory. Run the following in an elevated command prompt.

     
  4. We need to add the “w2016-ras.contoso.com” as a RADIUS client. Run the following in a PowerShell terminal with elevated permissions.

     
  5. Open “%windir%\system32\nps.msc”.
  6. Choose “RADIUS server for Dial-up or VPN Connections” and click “Configure VPN or Dial-up”.
  7. Choose “Virtual Private Network (VPN) Connections” and click “Next”.
  8. Click “Next” again.
  9. Clear the “Microsoft Encrypted Authentication version 2 (MS-CHAPv2)” checkbox, check “Extensible Authentication Protocol” and choose “Microsoft: Protected EAP (PEAP)” in the dropdown. Click “Configure”.
  10. Select “Secured password (EAP-MSCHAP v2)” and click “Remove”.
  11. Click “Add”.
  12. Highlight “Smart Card or other certificate” and click “OK” twice.
  13. Click “Next”.
  14. Add “sec-vpn-users” and click “Next” three times.
  15. Click “Finish”.
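Steps 1–4 above, plus a way to capture the wizard result from steps 5–15, as an added example that is not the page's own code. It assumes the RADIUS client is w2016-ras at 192.168.0.40 and replaces the 16-character lab secret with a randomly generated one, printed once so it can be entered in the RRAS properties later.

```powershell
# Added example (not the page's commands) for the NPS steps. Run elevated on w2016-nps.
# Assumptions: RADIUS client w2016-ras at 192.168.0.40; a fresh random shared secret is generated here.
Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null
Import-Module NPS

# Step 3: register NPS in AD (adds the computer to "RAS and IAS Servers" so it may read dial-in properties)
netsh nps add registeredserver

# Step 4: RADIUS client bound to the RAS server's address. Secret: 32 random bytes, Base64 (43 chars).
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)
if (-not (Get-NpsRadiusClient | Where-Object Name -EQ 'w2016-ras.contoso.com')) {
    New-NpsRadiusClient -Name 'w2016-ras.contoso.com' -Address '192.168.0.40' -SharedSecret $secret `
        -Enabled $true -VendorName 'RADIUS Standard' | Out-Null
}
Write-Host "RADIUS shared secret for w2016-ras (enter it in RRAS, then clear this console): $secret"

# Firewall: the predefined NPS group covers UDP 1812/1813 and 1645/1646
Enable-NetFirewallRule -DisplayGroup 'Network Policy Server'

# Steps 5-15 are wizard-driven. Once done, export the result so it can be re-applied to another NPS
# with Import-NpsConfiguration. The export contains the shared secrets in clear text: protect the file.
Export-NpsConfiguration -Path 'C:\nps-config.xml'

# Checks: client registered and the PEAP policy present
Get-NpsRadiusClient | Select-Object Name, Address, Enabled
Select-String -Path 'C:\nps-config.xml' -Pattern 'Smart Card|MS-CHAP' | Select-Object -ExpandProperty Line
```

Generating the secret on the NPS side and pasting it into RRAS once is deliberate: the secret never needs to be stored anywhere except the two servers that use it, and `Export-NpsConfiguration` reminds you that the NPS configuration file is itself sensitive.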

 

w2016-ras.contoso.com

This server runs the RRAS role. Use the following instructions to set up Remote Access as a RAS Gateway VPN server.

RRAS is designed to perform well as both a router and a remote access server because it supports a wide array of features. For the purposes of this deployment, you require only a small subset of these features: support for IKEv2 VPN connections and LAN routing.

It is important to:

  • Install two Ethernet network adapters in the physical server. If you are installing the VPN server on a VM, you must create two External virtual switches, one for each physical network adapter; and then create two virtual network adapters for the VM, with each network adapter connected to one virtual switch.
  • Install the server on your perimeter network between your edge and internal firewalls, with one network adapter connected to the External Perimeter Network, and one network adapter connected to the Internal Perimeter Network. This will not be demonstrated.

Prerequisites

Before proceeding with the configuration, the VPN server needs a static IP address on its internal adapter with DNS pointing to the domain controller, and it must be joined to the Contoso domain.

  1. Open a PowerShell terminal with privileged permissions (run as administrator).
  2. Execute the following, which will rename the server, set a static IP with a static DNS for the network card in the internal network and restart afterwards.
  3. Now we need to join the Contoso AD domain. Run the following in a PowerShell terminal with elevated permissions. The server will restart.
  4. Open the Windows firewall to allow traffic to the server.
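The prerequisite steps for w2016-ca, w2016-nps and w2016-ras are the same procedure with different addresses and firewall rules, so one added example covers all three (it is not the page's original code). It assumes the adapter to configure is named “Ethernet” (on the RAS server, pass the name of the internal adapter), the gateway is 192.168.0.1, DNS is the domain controller at 192.168.0.10, and the join uses CONTOSO\Administrator. Run `Initialize-LabServer`, let the server reboot, then `Join-LabDomain`.

```powershell
# Added example (not the page's commands) for the prerequisites of w2016-ca, w2016-nps and w2016-ras.
# Assumptions: adapter "Ethernet", gateway 192.168.0.1, DNS 192.168.0.10, join as CONTOSO\Administrator.
$roles = @{
    'w2016-ca'  = @{ Ip = '192.168.0.20'; Rules = @(
        @{ Name = 'AD CS RPC endpoint mapper';     Proto = 'TCP'; Port = @('135')  }
        @{ Name = 'AD CS enrollment (static DCOM)'; Proto = 'TCP'; Port = @('4000') }
        @{ Name = 'AD CS AIA/CDP over HTTP';       Proto = 'TCP'; Port = @('80')   }) }
    'w2016-nps' = @{ Ip = '192.168.0.30'; Rules = @(
        @{ Name = 'RADIUS authentication'; Proto = 'UDP'; Port = @('1645', '1812') }
        @{ Name = 'RADIUS accounting';     Proto = 'UDP'; Port = @('1646', '1813') }) }
    'w2016-ras' = @{ Ip = '192.168.0.40'; Rules = @(
        @{ Name = 'IKEv2 (IKE and NAT-T)'; Proto = 'UDP'; Port = @('500', '4500') }) }
}

function Initialize-LabServer {
    param(
        [Parameter(Mandatory)][ValidateSet('w2016-ca', 'w2016-nps', 'w2016-ras')][string]$Name,
        [string]$Nic = 'Ethernet', [string]$Gateway = '192.168.0.1', [string]$Dns = '192.168.0.10'
    )
    $role = $roles[$Name]

    # Static addressing: stop DHCP, drop any existing address and default route, then set ours
    Set-NetIPInterface -InterfaceAlias $Nic -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 -ErrorAction SilentlyContinue | Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $Nic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue | Remove-NetRoute -Confirm:$false
    New-NetIPAddress -InterfaceAlias $Nic -IPAddress $role.Ip -PrefixLength 24 -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Dns

    # Only the ports from the tables above. CA and NPS rules are scoped to the lab subnet;
    # the IKEv2 listener must be reachable from the internet-facing side.
    $remote = if ($Name -eq 'w2016-ras') { 'Any' } else { '192.168.0.0/24' }
    foreach ($r in $role.Rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow -Protocol $r.Proto `
                -LocalPort $r.Port -RemoteAddress $remote -Profile Any | Out-Null
        }
    }
    Rename-Computer -NewName $Name -Force -Restart
}

function Join-LabDomain {
    param([string]$Domain = 'contoso.com')
    $cred = Get-Credential -UserName 'CONTOSO\Administrator' -Message 'Domain join credentials'
    Add-Computer -DomainName $Domain -Credential $cred -Force -Restart
}
```

On the RAS server the external adapter is left alone here; give it only the public address and gateway it needs, and do not register it in DNS, so the name w2016-ras.contoso.com resolves to the internal address only.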

RRAS

This procedure will install the RRAS role, and configure it to allow only IKEv2 connections.

  1. Open a PowerShell terminal with privileged permissions (run as administrator).
  2. Execute the following, which installs the RRAS role.
  3. Restart the server (this is required before enrolling the certificate).
  4. Open “mmc.exe”, click “File” and then “Add/Remove Snap-in”.
  5. Choose “Certificates” and click “Add”.
  6. Choose “Computer account”, click “Next” and then “Finish”.
  7. Click “OK”.
  8. Navigate to “Certificates (Local Computer)” > “Personal”. Right click “Personal”, choose “All Tasks” and click “Request New Certificate”.
  9. Click “Next”.
  10. Click “Next” again.
  11. Check “VPN Server Authentication” and click “Properties”.
  12. On the “Subject” tab configure the following values, then click “OK”.
    • Subject name, Common name: vpn.contoso.com
    • Alternative name, DNS: vpn.contoso.com
    • Alternative name, DNS: w2016-ras.contoso.com
    • Alternative name, DNS: w2016-ras
    • If you also want the addresses in the certificate (192.168.0.40 and the external IP), add them as “IP address” alternative names, not as DNS entries. Clients in this guide connect by name, so the DNS entries are what must match.
  13. Click “Enroll”.
  14. Open “%SystemRoot%\system32\ServerManager.exe”.
  15. Click “Open the Getting Started Wizard” under notifications.
  16. If no window opens, minimize all windows to check whether it is hidden. Click “Deploy VPN only”.
  17. Right click “W2016-RAS (local)” and choose “Configure and Enable Routing and Remote Access”.
  18. Click “Next”.
  19. Choose “Custom configuration” and click “Next”.
  20. Check “VPN access” and click “Next”.
  21. Click “Finish”.
  22. Click “OK” again.
  23. Click “Start service”.
  24. Right click “W2016-RAS (local)” and choose “Properties”.
  25. On the “Security” tab, choose “RADIUS Authentication” as the authentication provider, then click “Configure”.
  26. Click “Add”.
  27. Enter “w2016-nps.contoso.com” as the server name and type the shared secret. Click “OK” twice.
  28. On the “IPv4” tab, choose the adapter on the internal network, in this example “Internal”. Then click “OK”.
  29. Under “W2016-RAS (local)” right click “Ports” and choose “Properties”.
  30. Select “WAN Miniport (SSTP)” and click “Configure”.
  31. Clear “Remote access connections (inbound only)” and “Demand-dial routing connections (inbound and outbound)”. Click “OK”.
  32. Repeat steps 30 and 31 for “WAN Miniport (L2TP)”, “WAN Miniport (PPPoE)” (here clear “Demand-dial routing connections (outbound only)”) and “WAN Miniport (PPTP)”, so that IKEv2 is the only tunnel type the server accepts.
  33. If you are using Windows Server 2012 R2 or Windows Server 2016 Routing and Remote Access (RRAS) as your VPN server, you must enable machine certificate authentication for VPN connections and define the root certification authority against which incoming VPN connections are authenticated. To do this, open an elevated PowerShell prompt and run the following commands.

  34. Now reboot the server.
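The RRAS procedure above, scripted, as an added example that is not the page's original code. It assumes the server template's common name is “VPNServerAuthentication”, that the Contoso-CA certificate is already in the machine Root store (an enterprise CA publishes it through AD; run `gpupdate /force` if it is missing), that the RADIUS shared secret generated on w2016-nps is at hand, and it replaces the RRAS IKEv2 defaults (3DES, SHA-1, DH group 2) with a custom policy that the client profile has to match.

```powershell
# Added example (not the page's commands) for the RRAS steps. Run elevated on w2016-ras after the join reboot.
# Assumptions: template "VPNServerAuthentication", Contoso-CA in LocalMachine\Root, RADIUS secret from w2016-nps.
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools | Out-Null

# Steps 4-13: request the server certificate with the names clients dial (the template must allow
# "Supply in the request"; IP addresses, if wanted, would be a separate IP-address SAN type)
$enroll = Get-Certificate -Template 'VPNServerAuthentication' -SubjectName 'CN=vpn.contoso.com' `
    -DnsName 'vpn.contoso.com', 'w2016-ras.contoso.com', 'w2016-ras' -CertStoreLocation 'Cert:\LocalMachine\My'
$serverCert = $enroll.Certificate
$serverCert | Format-List Subject, DnsNameList, EnhancedKeyUsageList, NotAfter   # expect Server Authentication + IKE intermediate

$rootCa = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Subject -Like 'CN=Contoso-CA*' | Select-Object -First 1
if (-not $rootCa) { throw 'Contoso-CA is not in the machine Root store; run gpupdate /force and retry' }

# Steps 15-23: VPN-only deployment
Install-RemoteAccess -VpnType Vpn -PassThru | Out-Null

# Step 33: accept IKEv2 machine certificates chained to Contoso-CA (EAP stays for user tunnels)
# and present the certificate enrolled above
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -RootCertificateNameToAccept $rootCa `
    -CertificateAdvertised $serverCert -PassThru

# Steps 25-27: authenticate through NPS. Message-Authenticator forces the HMAC that makes
# RADIUS Access-Request packets tamper-evident.
$secure = Read-Host -AsSecureString -Prompt 'RADIUS shared secret generated on w2016-nps'
$radiusSecret = [System.Net.NetworkCredential]::new('', $secure).Password
Set-VpnAuthType -Type ExternalRadius
Add-RemoteAccessRadius -ServerName 'w2016-nps.contoso.com' -SharedSecret $radiusSecret -Purpose Authentication `
    -Timeout 5 -Score 30 -MsgAuthenticator Enabled

# Steps 29-32: IKEv2 only; no SSTP, L2TP or PPTP listeners
Set-VpnServerConfiguration -Ikev2Ports 128 -SstpPorts 0 -L2tpPorts 0 -PptpPorts 0
# Custom IKEv2/IPsec policy replacing the weak defaults; the client ProfileXML CryptographySuite must match
Set-VpnServerConfiguration -TunnelType Ikev2 -CustomPolicy -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DhGroup Group14 -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -SALifeTimeSeconds 28800
Restart-Service -Name RemoteAccess

# Checks: only IKEv2 ports remain, the policy is custom, the server certificate is bound
Get-VpnServerConfiguration | Select-Object Ikev2Ports, SstpPorts, L2tpPorts, PptpPorts, CustomPolicy, EncryptionMethod, DhGroup
Get-VpnAuthProtocol | Select-Object UserAuthProtocolAccepted, RootCertificateNameToAccept, CertificateAdvertised
```

Step 28 (the IPv4 adapter used for DHCP relay of client addresses) is left to the console as described above. The IPsec parameters are the part most worth carrying into production: a client that negotiates the RRAS defaults ends up with 3DES and DH group 2, which is why the client profile later pins the same suite.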

 

w10-client.contoso.com

On this device we are going to create the VPN profile template, so we can push it to other machines either through group policy or Intune.

Prerequisites

Before proceeding with the configuration, the client needs to be renamed and joined to the domain.

  1. Open a PowerShell terminal with privileged permissions (run as administrator).
  2. Execute the following, which renames the client and restarts it afterwards.
  3. Now we need to join the Contoso AD domain. Run the following in a PowerShell terminal with elevated permissions. The client will restart.
  4. Because this is a lab without public DNS, we need to edit the client’s hosts file. Open Notepad as administrator, open “C:\Windows\System32\drivers\etc\hosts” and add the following line, which maps vpn.contoso.com to the external IP of w2016-ras.

     

Client VPN Template

This creates the VPN template for client devices. You need to download PsExec (Sysinternals) to the client machine before following the procedure, because a device tunnel profile must be created in the SYSTEM context.

  1. Open a command prompt as administrator.
  2. Change directory to the downloaded PsExec utility and run the following.
  3. A new window opens; in this window type “powershell.exe”.
  4. Copy the following into an XML file and save it (in this example on the desktop). Name it “vpn.contoso.com.xml”.
  5. Save the following PowerShell script (again, in this example on the desktop). Name it “VPN_Profile_Device.ps1”.

     
  6. In the PowerShell terminal that was open from PsExec, run the following.

     
  7. Now move the device to the external network in the lab. The profile should connect to the VPN automatically.
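As an added example (the page's own XML and script are not reproduced here), the following is a device-tunnel ProfileXML together with the WMI-bridge script that installs it through the MDM_VPNv2_01 class. It assumes the profile is named “vpn.contoso.com”, the internal subnet is 192.168.0.0/24 with DNS at 192.168.0.10, the trusted-network DNS suffix is contoso.com, and the CryptographySuite matches the custom policy set on the RRAS server. A device tunnel requires Windows 10 1709 or later and must be created as SYSTEM, which is why the steps above run PowerShell under PsExec (`psexec.exe -s -i powershell.exe`).

```powershell
# Added example (not the page's XML/script): device-tunnel ProfileXML and the WMI bridge that installs it.
# Assumptions: profile "vpn.contoso.com", subnet 192.168.0.0/24, DNS 192.168.0.10, suffix contoso.com.
# Must run as SYSTEM (e.g. under psexec.exe -s -i powershell.exe).
$profileName = 'vpn.contoso.com'
$profileXml = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
    <CryptographySuite>
      <AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
      <CipherTransformConstants>AES256</CipherTransformConstants>
      <EncryptionMethod>AES256</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group14</DHGroup>
      <PfsGroup>PFS2048</PfsGroup>
    </CryptographySuite>
  </NativeProfile>
  <Route>
    <Address>192.168.0.0</Address>
    <PrefixSize>24</PrefixSize>
  </Route>
  <DomainNameInformation>
    <DomainName>.contoso.com</DomainName>
    <DnsServers>192.168.0.10</DnsServers>
  </DomainNameInformation>
  <TrustedNetworkDetection>contoso.com</TrustedNetworkDetection>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
'@

$namespace = 'root\cimv2\mdm\dmmap'
$className = 'MDM_VPNv2_01'
$instanceId = [Uri]::EscapeDataString($profileName)   # InstanceID must be URI-escaped
$session = New-CimSession

# Replace an existing profile of the same name so the script is re-runnable
Get-CimInstance -CimSession $session -Namespace $namespace -ClassName $className -ErrorAction SilentlyContinue |
    Where-Object InstanceID -EQ $instanceId |
    ForEach-Object { Remove-CimInstance -CimSession $session -InputObject $_ }

# The XML is carried inside a CIM string property, so it must be XML-escaped
$props = @{
    ParentID   = './Vendor/MSFT/VPNv2'
    InstanceID = $instanceId
    ProfileXML = [System.Security.SecurityElement]::Escape($profileXml)
}
New-CimInstance -CimSession $session -Namespace $namespace -ClassName $className -Property $props | Out-Null
Remove-CimSession -CimSession $session

# Check: the device tunnel shows up as an all-user IKEv2 connection with machine-certificate authentication
Get-VpnConnection -AllUserConnection -Name $profileName |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling, ConnectionStatus
```

Split tunnelling with an explicit route to 192.168.0.0/24 keeps the device tunnel to the minimum a managed device needs before logon (domain controllers, CA, management); a user tunnel with PEAP-TLS, as configured on the NPS, carries the rest of the user's traffic.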

 

You are done configuring the lab; the only thing left is to distribute the VPN profile by your means of choice!

If you have any problems or questions, please feel free to comment below.

Alex is an infrastructure consultant at Mansoft A/S. I have a Data Technician degree from Copenhagen, Denmark, where I also live and work. My goal is to become an MVP in the digital technology industry. While I'm still in my younger years, I already have over 10 years of experience in the field. I focus on Microsoft technologies, but I'm not limited to those. I also do a lot of work in the Unix and Linux world.
