install and configure windows 2008 r2 vpn (1)


Page 1: Install and Configure Windows 2008 R2 VPN (1)

Windows Server 2008 R2

Setting up a Virtual Private Network

This document will focus on setting up a Virtual Private Network (VPN) in Windows Server 2008 R2. A VPN is used to connect remote computers or networks to an internal network that would not otherwise be accessible. VPNs can connect remote computers to a network or join multiple networks together. A VPN provides security so that traffic sent through the VPN connection is isolated from external computers and networks, and it allows remote users to connect directly to a remote network to reach resources on that network.

Definitions:
VPN - Connects remote users and/or networks to local resources
PPTP - Point-to-Point Tunneling Protocol: creates a tunnel used to ensure that traffic sent from one point to the next is secure
GRE - Generic Routing Encapsulation: a tunneling protocol used to encapsulate traffic
L2TP - Layer 2 Tunneling Protocol: a tunneling protocol that relies on a separate encryption protocol to encrypt the data within the tunnel
IPsec - Internet Protocol Security: secures IP traffic by authenticating and encrypting each packet in a session
Digital Certificate - an electronic document that uses a digital signature to verify the identity of a user or device
DirectAccess - introduced in Windows 7 and Windows Server 2008 R2, it allows remote users to securely access internal resources on the corporate network. The connection is established from a DirectAccess-enabled portable computer before the user logs on to the device. DirectAccess requires a Public Key Infrastructure, Windows 7 Enterprise/Ultimate clients and Windows Server 2008 R2.
Network Policy Server (NPS) - Microsoft's implementation of a RADIUS (Remote Authentication Dial-In User Service) server. NPS provides Authentication, Authorization and Accounting for wireless, network access and VPN services.

Setting up VPN requirements

This demo will be using:
Two Windows 2008 R2 servers, each with two network connections (one internal (Private) and one external (Public))
Windows 7 to connect to the remote VPN server

Connections demonstrated:
Windows 7 to Windows 2008 R2 VPN connection
Windows 2008 R2 to Windows 2008 R2 site-to-site connection

Jim Long – MOREnet 221 N. Stadium Blvd., Suite 201, Columbia, Mo. 65203 Oct 2012

Page 2: Install and Configure Windows 2008 R2 VPN (1)

Configure the Windows Server 2008 R2 VPN

Pre-Setup Steps:
Install your Windows 2008 R2 server
Load all updates
Secure the server
Add it to the Active Directory domain
Configure the external network connection
Configure the host firewall
Configure the external firewall to allow VPN connections

Setting up VPN: on the Windows 2008 R2 server we will install the VPN role.

Open Server Manager:
Click Start
Click Administrative Tools
Click Server Manager

Click Roles
Click Add Roles

Page 3: Install and Configure Windows 2008 R2 VPN (1)

Add Roles Wizard

The Add Roles Wizard will walk you through adding roles to your server.

Click Next
Select Network Policy and Access Services

Click Next

Page 4: Install and Configure Windows 2008 R2 VPN (1)

Network Policy and Access Services

Review this screen for more information about the service and follow the links for additional information.

Click Next
Select Role Services

Click Next

Page 5: Install and Configure Windows 2008 R2 VPN (1)

Select Role Services

Choose the role services that you need.

Minimum role services:
NPS - Create and enforce network access policies
Routing and Remote Access Services - Provides remote user access
Remote Access Service - Allow access through VPN
Routing - Provides support for NAT routing and LAN routing

Additional role services:
Health Registration Authority - Validates certificate requests that contain health claims and issues certificates based on the health status
Host Credential Authorization Protocol - Integrates Microsoft Network Access Protection with Cisco Network Access Control

Select the role services that you require
Click Next

Page 6: Install and Configure Windows 2008 R2 VPN (1)

Confirm Installation Selections

Click Install

Installation Progress

Page 7: Install and Configure Windows 2008 R2 VPN (1)

Installation Results

Confirm that all roles were successfully installed
Click Close
You will be returned to Server Manager

You will notice that the role is showing errors
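As an added example (not part of the original guide), the same role services can be installed and then confirmed from an elevated PowerShell prompt on Windows Server 2008 R2, which is handy when building more than one VPN server. The feature names are the ones Get-WindowsFeature lists on that release; the optional Health Registration Authority and HCAP services are left commented out.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell
# on Windows Server 2008 R2. Feature names as listed by Get-WindowsFeature.
Import-Module ServerManager

# Minimum set from page 5: Network Policy Server, Routing and Remote Access
# Services with Remote Access Service and Routing
$features = 'NPAS-Policy-Server', 'NPAS-RRAS-Services', 'NPAS-RRAS', 'NPAS-Routing'

# Optional role services from page 5; uncomment only if your design needs them
# $features += 'NPAS-Health', 'NPAS-Host-Cred'

$result = Add-WindowsFeature -Name $features
if (-not $result.Success) { throw "Role installation failed (exit code $($result.ExitCode))" }
if ($result.RestartNeeded -ne 'No') { Write-Warning 'A restart is required to finish the installation.' }

# Same check as "Confirm that all Roles were successfully installed"
Get-WindowsFeature | Where-Object { $_.Name -like 'NPAS*' } |
    Format-Table Name, DisplayName, Installed -AutoSize

$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) { throw "Not installed: $($missing.Name -join ', ')" }
```

After this the role still shows the "additional steps are required" state until Routing and Remote Access is configured and enabled, exactly as in the console walkthrough that follows.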

Page 8: Install and Configure Windows 2008 R2 VPN (1)

Click Network Policy and Access Services

Notice that it states that the service is installed but additional steps are required to configure it.

Click Go to the NPS console
Click Routing and Remote Access (left frame)
Click More Actions (right frame)
Click Configure and Enable Routing and Remote Access

Page 9: Install and Configure Windows 2008 R2 VPN (1)

Routing and Remote Access Server Setup Wizard

Click Next

Configuration: this screen offers several options that install a combination of services. Since we only want to install a VPN server we will choose Custom Configuration.

Click Custom Configuration
Click Next

Page 10: Install and Configure Windows 2008 R2 VPN (1)

Custom Configuration

Select VPN Access
Click Next

Complete the Routing and Remote Access Server Setup Wizard
Click Finish

Page 11: Install and Configure Windows 2008 R2 VPN (1)

Warning! Routing and Remote Access has created a default connection request policy called Microsoft Routing and Remote Access Service Policy…

Click OK

Start the Service
Click Start service
Starting Service

Install Complete

Page 12: Install and Configure Windows 2008 R2 VPN (1)

Routing and Remote Access is Configured on This Server

Out of the box we cannot connect to the server, because the policies that were created will not allow connections. We will need to check the Routing and Remote Access settings and make sure everything is set up properly.

Page 13: Install and Configure Windows 2008 R2 VPN (1)

Verify Routing and Remote Access Configuration

This section will focus on checking the settings and ensuring that everything is set up properly with the VPN configuration we just finished installing.

Open the Routing and Remote Access management console:
Click Start / Administrative Tools
Click Routing and Remote Access

Routing and Remote Access Console

Page 14: Install and Configure Windows 2008 R2 VPN (1)

Checking the Properties for the Server

Right Click the server name
Click Properties

General Tab
By default it is set up for IPv4

Page 15: Install and Configure Windows 2008 R2 VPN (1)

Security Tab

The Security tab will allow us to set up additional security settings. Because Windows 2008 R2 uses NPS, the authentication methods need to be configured in the connection policies. We will look at that policy later.

IPsec Policy / Preshared Key for L2TP connections
You will need to determine from your internal policies whether you will require L2TP connections. By default a PPTP connection is created; PPTP basically creates an encrypted tunnel that sends the unencrypted data back and forth through the tunnel. L2TP uses the encrypted tunnel but the data that is sent is then encrypted as well. This is the most secure method, but it can add overhead on the client and server, since the data has to be encrypted/decrypted at each end of the communication tunnel. To configure a basic L2TP policy, check Allow custom IPsec policy for L2TP connection and enter a preshared key. This same key will then have to be configured on the client computers when setting up the VPN client in order to connect to the server.

SSL Certificate Binding
To configure your server to use Secure Socket Tunneling Protocol (SSTP) you will need a Server Authentication certificate to bind to the server. You can use an internal certificate store, and the clients will also be required to have certificates.
How to set up SSTP: http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx
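The pre-setup step "Configure host firewall" and the tunnel types discussed on this tab come down to a small set of inbound rules on the RRAS server. The following is an added example, not from the original guide: it assumes the predefined "Routing and Remote Access" rule group that installing the role creates, and the explicit L2TP/IPsec, IKEv2 and SSTP rules are an assumption about your design, to be added only for the tunnel types you actually intend clients to use.

```powershell
# Added example, not from the original guide. Run elevated on the RRAS server.
# Installing the role creates the predefined "Routing and Remote Access" firewall
# group (PPTP TCP 1723, GRE IP protocol 47, L2TP UDP 1701); enabling the group is
# the supported way to open those. The explicit rules below cover L2TP/IPsec,
# IKEv2 and SSTP and are an assumption: add only the tunnel types you allow.

# PPTP / GRE / L2TP: enable the predefined group
netsh advfirewall firewall set rule group="Routing and Remote Access" new enable=yes

# L2TP/IPsec and IKEv2: IKE (UDP 500), NAT traversal (UDP 4500), ESP (IP protocol 50)
netsh advfirewall firewall add rule name="VPN IKE (UDP 500)" dir=in action=allow protocol=UDP localport=500
netsh advfirewall firewall add rule name="VPN NAT-T (UDP 4500)" dir=in action=allow protocol=UDP localport=4500
netsh advfirewall firewall add rule name="VPN ESP (IP 50)" dir=in action=allow protocol=50

# SSTP rides over HTTPS: only if a Server Authentication certificate has been bound
netsh advfirewall firewall add rule name="VPN SSTP (TCP 443)" dir=in action=allow protocol=TCP localport=443

# Read back the rules that are now enabled
netsh advfirewall firewall show rule name=all |
    Select-String -Pattern '^Rule Name:\s+(VPN |Routing and Remote Access)' -Context 0,2

# Once the service is started, confirm RRAS is listening on the TCP tunnel ports
netstat -ano | Select-String -Pattern ':(1723|443)\s'
```

The external firewall mentioned in the pre-setup steps needs the same protocols and ports forwarded to the server's public address; GRE and ESP are IP protocols, not TCP/UDP ports, which is the usual reason PPTP and L2TP/IPsec fail through a firewall that only passes TCP and UDP.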

Page 16: Install and Configure Windows 2008 R2 VPN (1)

IPv4 Tab

This screen allows us to define the IP addresses that will be handed out to our clients.

IPv4 address assignment - IP addresses can be handed out by the server or by a DHCP server. If you do not have a DHCP server defined then check Static address pool.

Enable IPv4 Forwarding - You will have to have this enabled if you want the traffic that is coming through this VPN server to route from your public network to your private network. If you want clients to be able to access the entire network that the server is attached to then you should enable this.

Page 17: Install and Configure Windows 2008 R2 VPN (1)

Static Address Pool
Click Add
Add the IP addresses you want the server to hand out
Click Ok

Enable Broadcast Name Resolution - this allows remote clients to resolve broadcast names on the subnet that they are connecting to.

If you are using a DHCP server then leave DHCP Server checked; you can then either allow RRAS to automatically select the adapter or select the adapter yourself.

* Allowing RRAS to select the adapter will result in RRAS randomly selecting an adapter every time the service is started.
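The IPv4 tab settings above can also be applied and read back with netsh, which makes them repeatable across servers. This is an added example, not from the original guide; the address range is a constructed value for this demo network.

```powershell
# Added example, not from the original guide: the IPv4 tab of the RRAS server
# properties as netsh ras commands. Run elevated on the RRAS server. The address
# range is constructed for this demo; use one your DHCP server does not also
# hand out, so VPN clients and LAN hosts cannot collide.

# Hand out addresses from a static pool rather than from DHCP
netsh ras ip set addrassign method=pool
netsh ras ip add range from=192.168.100.200 to=192.168.100.220

# "Enable IPv4 Forwarding": ALL lets clients reach the network the server is on,
# SERVERONLY confines them to the RRAS server itself
netsh ras ip set access mode=all

# "Enable broadcast name resolution"
netsh ras ip set broadcastnameresolution mode=enabled

# Changes apply when the service restarts; then read the configuration back
Restart-Service RemoteAccess
netsh ras ip show config
netsh ras show authtype   # authentication types the server will negotiate
```

Keep the pool small and deliberate: every address in it is a seat on the internal network, and the Ports page later in this guide caps how many tunnels can be open at once.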

Page 18: Install and Configure Windows 2008 R2 VPN (1)

IPv6 Tab

This tab allows you to define the IPv6 settings necessary for the server.

Enable IPv6 Routing - Same as IPv4, specifies whether the RRAS server will forward IPv6 traffic
Enable Default Route Advertisement - Specifies whether a default route is advertised by the server
IPv6 prefix assignment - Enter your assigned IPv6 prefix
Use the following adapter for DHCP, DNS … - Used the same way as in IPv4 above

Page 19: Install and Configure Windows 2008 R2 VPN (1)

IKEv2 Tab

IKEv2 - Internet Key Exchange version 2 is used to set up security associations for the IPsec protocol.

There are no changes to be made on this screen unless you encounter specific issues related to IKEv2.

IKEv2 client connection timeouts
Idle time-out - the number of minutes that an IKE client can be idle before the connection is terminated
Network Outage Time - the amount of time that packets are retransmitted to the client without a response before the connection is considered severed

Security Association (SA) expiration control
Security Association expiration time - the time that an SA with the IKE server is allowed to live before the session has to be renegotiated. The negotiation must succeed before the computers can exchange data.
Security Association data size - the maximum amount of data that can be transferred between the computers before the SA must be renegotiated and a new session created

Page 20: Install and Configure Windows 2008 R2 VPN (1)

PPP Tab

Multilink - Determines whether you will allow clients to combine multiple physical connections into a single logical connection
Dynamic bandwidth control using BAP or BACP - Defines whether the server uses these protocols to control multiple physical connections for clients
Link control protocol (LCP) extensions - Clearing this checkbox prevents the server from sending Time-Remaining and Identification packets to the client
Software Compression - Defines whether the server uses the Microsoft Point-to-Point Compression Protocol (MPPC) to compress data sent on the remote access connection

Page 21: Install and Configure Windows 2008 R2 VPN (1)

Logging Tab

Select the event types you want logged:
Log errors only - Writes errors only to the Event Log
Log errors and warnings - Writes errors and warnings to the Event Log
Log all events - Writes all events to the Event Log
Do not log events - Does not write any events to the Event Log
Log additional Routing and Remote Access information (used for debugging) - Writes events to ppp.log in %windir%\tracing

This completes the settings needed for the RRAS server itself. We will now take a closer look at some of the additional settings and the configuration in the RRAS console.

Page 22: Install and Configure Windows 2008 R2 VPN (1)

Network Interfaces

Shows the network interfaces associated with this server. I have named mine by IP address and by Public/Private so I can easily manage these connections.

Remote Access Clients

Shows the clients that are currently connected to this RRAS server.

Page 23: Install and Configure Windows 2008 R2 VPN (1)

Ports

This shows the number of available ports per protocol that clients can use. You can change the number of ports.

Right Click Ports
Click Properties

Page 24: Install and Configure Windows 2008 R2 VPN (1)

The default number of ports created is listed. You can change the number of ports available by selecting the type and clicking Configure… I have selected PPTP connections.

You can change whether Remote access connections are allowed for this connection type
You can change whether Demand-dial connections are allowed for this connection type
You can also change the Maximum number of ports allowed

Once you have made your changes, Click Ok
Click Ok to close the properties window

Page 25: Install and Configure Windows 2008 R2 VPN (1)

Remote Access Logging and Policies

This setting will be controlled by the Network Policy Server. This will be discussed later in this document.

Page 26: Install and Configure Windows 2008 R2 VPN (1)

IPv4 Section - General

This screen again shows the network connections, but on this screen we can click on the connections and view their properties. The properties for a network connection from this screen will allow us to set up inbound and outbound firewall rules.

Right Click on one of the network connections

You will see that you can now update the routes as well as show additional information about this interface.

Page 27: Install and Configure Windows 2008 R2 VPN (1)

Click Properties

Enable IP Routing - Specifies whether TCP/IP is enabled on this interface
Enable router discovery advertisements - Specifies whether Internet Control Message Protocol (ICMP) router discovery is enabled on this interface

Inbound\Outbound Filters
Configure inbound/outbound rules to control network traffic by IP source/destination and protocol.

Page 28: Install and Configure Windows 2008 R2 VPN (1)

Enable fragmentation checking - Specifies whether the router discards all fragmented IP packets that do not correspond with the allowed traffic filters

Multicast Boundaries
Limit the range of the multicast scope.

Multicast Heartbeat
Multicast Heartbeat listens for periodic traffic to confirm that the multicast infrastructure is functioning normally.

Page 29: Install and Configure Windows 2008 R2 VPN (1)

Static Routes

Allows static routes to be defined for the network connections on this Routing and Remote Access server.

Right Click Static Routes
Click New

Enter the information for the new static route and click Ok to create it.

Page 30: Install and Configure Windows 2008 R2 VPN (1)

DHCP Relay Agent

The DHCP Relay Agent listens for broadcast DHCP messages on the local subnet and forwards them to a DHCP server on a different subnet.

To add additional interfaces:
Right Click the DHCP Relay Agent
Click New Interface
Select the interface and click OK

This is not needed if you have set up the RRAS server as a router, which it is by default, or if your RRAS server hands out the IP addresses itself, as in this document.

Page 31: Install and Configure Windows 2008 R2 VPN (1)

IGMP

IGMP - Internet Group Management Protocol is used to manage host membership in IPv4 multicast groups on a network segment. Configure this only if needed.

Page 32: Install and Configure Windows 2008 R2 VPN (1)

IPv6 - General

This screen again shows the network connections, and as with IPv4 we can click on a connection and view its properties. Similar to IPv4 above, the properties allow you to configure Inbound\Outbound filters for the traffic, but do not show Update Routes or the other information viewable on the IPv4 interfaces.

Static Routes
Same as IPv4 above; lets you create static route statements.

This completes the settings and examples for this section.

Page 33: Install and Configure Windows 2008 R2 VPN (1)

Network Policy Server (NPS) Console

Configures and manages Network Policy Servers. The Network Policy Server is used to create, manage and enforce network access policies, and to process connection requests for authentication and authorization to connect to your network.

Open Network Policy Server:
Click Start
Click Administrative Tools
Click Network Policy Server

Page 34: Install and Configure Windows 2008 R2 VPN (1)

Network Policy Server

The NPS server handles more than just the VPN policies; it also handles:
RADIUS Clients and Servers
Policies
Network Access Protection (NAP)
Accounting
Template Management

I will give an overview of each section; to learn more about the details of each component you can select the component and click the Learn more link. This will open the Windows Help file with additional information about the selected item.

The Learn more link is available once you select ANY of the top-level categories.

Page 35: Install and Configure Windows 2008 R2 VPN (1)

NPS Overview - RADIUS Clients and Servers

This section allows you to add services or devices that can use this server to authenticate users. One of the most common uses today is to allow authenticated users access to wireless network resources. It also allows RADIUS proxies to be configured so that this server can forward requests to other RADIUS servers on the network.

Page 36: Install and Configure Windows 2008 R2 VPN (1)

Policies

There are 3 types of policies that can be managed:
Connection Request Policies - These allow you to designate whether connection requests are processed locally or forwarded to remote RADIUS servers
Network Policies - Designate who is authorized to connect to the network and under what circumstances they can connect
Health Policies - Set up policies that control whether NAP-capable client computers may access the network

Page 37: Install and Configure Windows 2008 R2 VPN (1)

Network Access Protection (NAP)

NAP allows you to set up system health checks, such as ensuring that systems are up to date with the latest patches, that they are running current anti-virus software, and other checks that you deploy. There are 2 sections:
System Health Validators - Allow you to specify the settings required of NAP-capable clients
Remediation Server Groups - Allow you to define servers that can provide services and updates to non-compliant clients

Page 38: Install and Configure Windows 2008 R2 VPN (1)

Accounting

Accounting allows the logs to be sent to an external server running a remote SQL server for accounting purposes. Some of the data that is collected:
Who connected?
How long were they connected?
Connection errors
And more…
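Even without a SQL accounting server, the questions above can be answered from the local event logs that the Logging tab (page 21) and NPS write. The following is an added example, not from the original guide: event IDs 6272 (access granted) and 6273 (access denied) are the NPS audit events in the Security log, and 20271 (failed authentication) and 20272 (connection summary with duration) are RemoteAccess events in the System log as they appear on Windows Server 2008 R2; the 24-hour window is an assumption.

```powershell
# Added example, not from the original guide. Run elevated on the NPS/RRAS server.
# 6272/6273 = NPS granted/denied (Security log); 20271/20272 = RemoteAccess
# failed authentication / connection summary (System log). Window is an assumption.
$since = (Get-Date).AddHours(-24)

function Get-Field($event, $label) {
    # Pull one "Label: value" field out of the event's message text
    if ($event.Message -match "$label\s*:\s+(.+)") { $Matches[1].Trim() } else { '' }
}

# NPS policy decisions: who, from where, under which policy, and why
$nps = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 6272, 6273; StartTime = $since }

$nps | Select-Object TimeCreated, Id,
    @{ Name = 'Account';  Expression = { Get-Field $_ 'Account Name' } },
    @{ Name = 'ClientIP'; Expression = { Get-Field $_ 'Calling Station Identifier' } },
    @{ Name = 'Policy';   Expression = { Get-Field $_ 'Network Policy Name' } },
    @{ Name = 'Reason';   Expression = { Get-Field $_ 'Reason' } } |
    Format-Table -AutoSize -Wrap

# Denied attempts grouped by account: a burst against one account, or many
# accounts from one source address, is what to review first
$nps | Where-Object { $_.Id -eq 6273 } |
    ForEach-Object { Get-Field $_ 'Account Name' } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# RRAS connection records: 20272 carries connect/disconnect time and duration
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'RemoteAccess'; Id = 20271, 20272; StartTime = $since } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

The Security log events only exist while the "Audit Network Policy Server" subcategory is enabled (it is on by default), so check it with auditpol if the first query returns nothing although users are connecting.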

Page 39: Install and Configure Windows 2008 R2 VPN (1)

Templates Configuration

You can use templates to create and manage several different settings for the server. Templates include:
Shared Secrets
RADIUS Clients
Remote RADIUS Servers
Health Policies
Remediation Server Groups
IP Filters

Templates are not applied to the server directly but are stored for reuse. They can be applied to specific component configurations in the NPS console and reused, which saves time when dealing with multiple configurations that need the same settings.

Page 40: Install and Configure Windows 2008 R2 VPN (1)

Now that we have taken a look at what is available in this console, let's go back to the Policies section and focus on what is needed to allow remote connections to our VPN server. The policy that will allow users to connect to the VPN server was created when the VPN service was loaded. The policy is located here: NPS / Policies / Network Policies

The default connection policy is 'Connections to Microsoft Routing and Remote Access server' and it is set to Deny access to this server. To allow access to the VPN server all we have to do is open the policy and check Grant access.

Granting Access
Right Click Connections to Microsoft Routing and Remote Access server
Click Properties

Page 41: Install and Configure Windows 2008 R2 VPN (1)

Notice that Grant access is not checked.

Check Grant access
We will also set the 'Type of network access server' at this time.
Make these changes and Click Apply

All users will now be able to connect to the VPN server. Congratulations! You now have a working VPN server!!!

Page 42: Install and Configure Windows 2008 R2 VPN (1)

We have created a VPN server; however, we have not looked at the security settings. As you can see from the screen shot above there are additional tabs available. These tabs provide additional settings that we can use to apply stricter security to the server. Let's open the 'Connections to Microsoft Routing and Remote Access server' policy again.

Right Click the Policy

Notice that you have some additional options:
Move Up\Down - Policies are read in a TOP-DOWN manner, so you can have multiple policies
Disable - Disables the selected policy
Delete - Deletes the selected policy
Rename - Renames the selected policy
Duplicate Policy - This will allow you to duplicate the policy so that you can work on the copy. This is perfect for creating new policies from known 'good' policies, so that if mistakes are made you can revert to the original 'working' policy
Properties - Displays the selected policy's properties
Help - Displays the Microsoft help files

Click Properties

Page 43: Install and Configure Windows 2008 R2 VPN (1)

We are now back in the policy and we can explore the remaining tabs.

Conditions

The Conditions tab allows us to define what conditions will need to be met in order for remote access clients to connect to this server. To add specific conditions click Add.

Page 44: Install and Configure Windows 2008 R2 VPN (1)

You can now choose from an extensive list of conditions to allow remote clients to access the VPN server. The easiest and most popular are located at the top of the list. We will add a Windows Group. Adding a Windows Group will allow you to control the specific users that have access. As stated, once the policy was changed to grant access, all users were allowed to connect to this server. We will limit this to a specific group that we will call VPN Users.

Click Windows Groups
Click Add
Click Add Groups…
Enter the group to add
Click Ok

Page 45: Install and Configure Windows 2008 R2 VPN (1)

Add as many groups as necessary
Click Ok

You can now see that the group specified is listed
Click Apply

Page 46: Install and Configure Windows 2008 R2 VPN (1)

Users that are not in this group will no longer be able to connect to the VPN server and will receive an error

Using Conditions such as Windows Groups we can restrict who can connect to the VPN server

Page 47: Install and Configure Windows 2008 R2 VPN (1)

Constraints

Constraints set criteria that must be matched in order to connect. There are 6 available constraints:
Authentication - Define the authentication methods for connecting to this server
Idle Timeout - If the session is idle for a specific amount of time then disconnect the client
Session Timeout - Limits the amount of time a client can be connected to the server
Called Station ID - Specify the 'phone number' of the calling client
Day and time restrictions - Restrict access to this server to defined days and times
NAS Port Type - Specify what is allowed to connect to this server, such as another VPN server, 802.11 wireless, etc.

Page 48: Install and Configure Windows 2008 R2 VPN (1)

Authentication

Set the allowed authentication methods.

The most secure method is to allow certificate authentication only; however, this can be an expensive and time-consuming method. Secured password (EAP-MSCHAP v2) is also a secure method of authentication and it is set up by default. You can also add Protected EAP (PEAP) by clicking Add in the center window. All authentication methods that are chosen will be allowed to connect. I would recommend removing MS-CHAP, as it is an older protocol and is less secure. Newer Windows operating systems support MS-CHAP v2 and this is the preferred authentication method. NONE of the other, less secure authentication methods should be used, as they are not secure!!!

Page 49: Install and Configure Windows 2008 R2 VPN (1)

Idle Timeout

The Idle Timeout setting is not enabled by default. It forces the client to disconnect from the VPN if the session is idle for a specific amount of time.
Configure the settings you want to use and Click Apply

Session Timeout

The session timeout specifies the maximum amount of time that a client can be connected to the server. The client will be disconnected when the limit is reached and will have to establish a new connection.
Configure the maximum time allowed in minutes and Click Apply

Called Station ID

The Called Station ID allows you to configure a string such as a phone number or an IP address that is allowed to connect to the server. It can use pattern matching, so you can use partial information to define where the connection is coming from.
Configure the settings you want to allow and Click Apply

Page 50: Install and Configure Windows 2008 R2 VPN (1)

Day and time restrictions

The day and time restriction will allow you to limit when clients can access the server. If an attempt is made to connect to the server outside the allowed day/time then the request will be refused.
To enable and modify these restrictions, click the checkbox and click Edit
Modify the allowed connection day/time and click Ok
Click Apply

NAS Port Type

Define the allowed NAS port types that will be used to connect to this server. Check all that apply; only the types checked will be allowed to connect.

We have completed configuring our VPN server and our connection policies. Clients can now connect.
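Before and after policy edits like the ones above it is worth dumping what NPS will now enforce and keeping a configuration backup to fall back on, which is the scripted counterpart of duplicating a known good policy on page 42. This is an added example, not from the original guide; the backup path is an assumption.

```powershell
# Added example, not from the original guide. Run elevated on the NPS server.
# The backup folder is an assumption; the export contains RADIUS shared secrets
# when exportPSK=YES, so store it where only administrators can read it.
$backup = "C:\Backup\nps-$(Get-Date -Format yyyyMMdd-HHmm).xml"
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null

# Full NPS configuration snapshot (restore later with: netsh nps import filename="...")
netsh nps export filename="$backup" exportPSK=YES

# Network policies in processing (top-down) order with their conditions,
# authentication types and Grant/Deny result: confirm the Windows Groups
# condition is present and the weaker authentication methods are gone
netsh nps show np

# Connection request policies, including the default one created by the RRAS wizard
netsh nps show crp
```

Reviewing the netsh output after each change is also a quick way to catch a policy that was left granting access without any conditions, which is what the server looks like between page 41 and page 45 of this guide.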

Page 51: Install and Configure Windows 2008 R2 VPN (1)

Connecting to the VPN server

In this section we will use a Windows 7 machine to connect to our VPN server and test our connection to the internal network. I have set up my local intranet page and I only allow my internal network of 192.168.100.1/24 to connect. I have set up IP restrictions so that this is enforced, and I have tested connecting to the webpage from my web server's public IP address of 192.168.0.240. I am connecting to the web site from my Windows 7 workstation and I receive this error:

In order to connect to the internal resource I will have to connect to my VPN server to gain access to my intranet site and internal resources.

Configure VPN connection from Windows 7
Click Start
Type Network and Sharing in the search bar
Click Network and Sharing Center to open the link

Page 52: Install and Configure Windows 2008 R2 VPN (1)

Click Set up a new connection or network
Select Connect to a workplace
Click Next

Page 53: Install and Configure Windows 2008 R2 VPN (1)

Click Use my Internet connection (VPN)

Enter the IP address or DNS name of the VPN server
Give the connection a name (Destination name)
Click Next

Page 54: Install and Configure Windows 2008 R2 VPN (1)

Enter the username, password and domain information
Click Connect
Connecting

Page 55: Install and Configure Windows 2008 R2 VPN (1)

I have connected successfully to my VPN server. Now that we have connected, let's check that we have a proper internal IP address.

Notice the PPP adapter shows that I have an IP address but no gateway. When setting up my VPN server I did not define a gateway, since I did not want people using the VPN connection to browse the Internet. However, with my default settings I cannot browse at all. We can fix this by modifying the VPN connection that we set up. By disabling the remote gateway I can save bandwidth by forcing the client to use their own Internet connection to browse the Internet, which means they are only using the VPN connection to reach local resources.

Page 56: Install and Configure Windows 2008 R2 VPN (1)

Configure VPN client to NOT use the remote gateway

First we will disconnect from the VPN. We do this by clicking the Network Connections icon in the task bar.

Click on MyDomain VPN Server and Click Disconnect
Right Click on the connection
Click Properties

This will open the connection properties.

Page 57: Install and Configure Windows 2008 R2 VPN (1)

Click on the Networking tab
Click on Internet Protocol Version 4 (TCP/IPv4)
Click Properties
Click Advanced

Page 58: Install and Configure Windows 2008 R2 VPN (1)

Clear the check box Use default gateway on remote network

Click Ok
Click Ok
Click Ok to close all the windows

Click the Network Connections icon in the task bar
Click on the VPN connection
Click Connect

Page 59: Install and Configure Windows 2008 R2 VPN (1)

Enter the appropriate information
Click Connect

Let's check our IP information now. We can see that there is no gateway listed.
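The checkbox cleared on page 58 is stored as the IpPrioritizeRemote entry of the connection's section in the user's rasphone.pbk, so the split-tunnel setting can be applied and verified from a script on the Windows 7 client instead of clicking through the dialogs. This is an added example, not from the original guide; the connection name is the one used in this guide, the user name is a placeholder, and rasdial prompts for the password.

```powershell
# Added example, not from the original guide. Run as the user who owns the VPN
# connection on the Windows 7 client. Connection name as in this guide; the
# account is a placeholder; rasdial prompts for the password (the "*" argument).
$name = 'MyDomain VPN Server'
$user = 'MYDOMAIN\placeholder.user'   # placeholder, replace with a real account
$pbk  = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'

rasdial $name /disconnect | Out-Null

# rasphone.pbk is an INI-style file with one [section] per connection. Rewrite
# only our section and keep the file's existing encoding (ANSI or UTF-16 with BOM).
$bytes = [IO.File]::ReadAllBytes($pbk)
$enc   = if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { 'Unicode' } else { 'Default' }
$in = $false
$lines = Get-Content $pbk | ForEach-Object {
    if ($_ -match '^\[(.*)\]$') { $in = ($Matches[1] -eq $name) }
    if ($in -and $_ -match '^IpPrioritizeRemote=') { 'IpPrioritizeRemote=0' } else { $_ }
}
Set-Content -Path $pbk -Value $lines -Encoding $enc

# Reconnect and stop if it fails
rasdial $name $user *
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with error $LASTEXITCODE" }

# With the box cleared there is exactly one 0.0.0.0/0 route, via the local LAN;
# with it set, a second default route through the PPP interface appears
$defaults = @(route print -4 | Select-String -Pattern '^\s+0\.0\.0\.0\s+0\.0\.0\.0\s+\S+\s+\S+')
"Default routes: $($defaults.Count)"
$defaults | ForEach-Object { $_.Line.Trim() }

# The intranet host from page 60 should now answer over the tunnel
Test-Connection -ComputerName 192.168.100.100 -Count 2 -Quiet
(New-Object Net.WebClient).DownloadString('http://192.168.100.100').Length
```

Split tunnelling keeps Internet browsing off the VPN, as the author intends, but it also means the client is simultaneously on the corporate network and the open Internet; the Windows Group condition and the constraints configured earlier are what limit who may be in that position.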

Page 60: Install and Configure Windows 2008 R2 VPN (1)

Now that I have connected I need to access my work intranet site. Let's try to connect to it:
Open IE
Browse to http://192.168.100.100

I can now connect and see the intranet site!!! This completes the section on setting up a test connection to the VPN server.

Page 61: Install and Configure Windows 2008 R2 VPN (1)

Setting up a Site-to-Site VPN connection

In this section we will work on setting up a site-to-site VPN connection. VPN site-to-site connections can be used for connecting a branch office back to the primary office, or for an offsite server to have an active connection back to the main site. We will be using the VPN server we configured previously in this document as our primary site. We will configure a secondary 2008 server to be our remote site.

Follow the steps outlined above to install the VPN service (pg 2-7) on the secondary VPN server. You will only need to install Routing and Remote Access Services at this site:
NPS is not needed for this site, since we will not be using it to allow remote connections
Routing is needed only if you intend to route traffic between the two remote networks


Configure Remote Access Demand-Dial
Open Server Manager. Expand Roles, expand Network Policy and Access Server, and click Routing and Remote Access (left frame).

Click More Actions (right frame) and click Configure and Enable Routing and Remote Access.


Routing and Remote Access Wizard

Click Next. The Configuration screen offers several options for installing a combination of services.

Click Custom Configuration and click Next.


Custom Configuration

Select Demand-dial connections and click Next. Complete the install wizard.

Click Next.


Start the Service

Click Start service. The service is starting.

RRAS is configured.

Create Demand-Dial Interface
Right-click on Network Interfaces and click New Demand-dial Interface…


Demand-dial Interface Wizard

Click Next. Interface Name: enter the name for this interface and click Next. RRAS matches the user name of an incoming caller against its demand-dial interface names, so on a router that also answers calls the interface name must exactly match the account the other side dials with; for the calling side in this one-way demo any descriptive name works.


Connection Type

Select Connect using virtual private networking (VPN) and click Next. VPN Type: select the VPN type. Automatic selection is fine for the demo, but choose a specific type if you need to guarantee which tunnel protocol is used (for example L2TP/IPsec rather than PPTP). Click Next.


Destination Address

Enter the DNS name or public IP of the primary VPN server and click Next. Protocols and Security: select Route IP packets on this interface, which is required for routing traffic between the networks. The other options on this screen, including Add a user account so a remote router can dial in, are not needed for this one-way connection, since the primary site will not be dialing this server; in particular, leave the plain-text password option off. Click Next.


Dial-Out Credentials
These are the credentials this demand-dial interface presents to the primary VPN server, and RRAS stores them on this server. Create a dedicated, secure user account for it on the remote (primary) VPN server with a strong password and dial-in permission; do not reuse an administrator or personal account.

Enter the appropriate credentials and click Next. Complete the wizard.

Click Finish.
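The following PowerShell script is an added example, not part of the original document, showing one way to create the dedicated dial-out account on the primary (answering) VPN server. It assumes, which the page does not state, that the account is a local account on that server named "site2-router"; if the demo uses a domain account, create it with the Active Directory tools instead. The password is generated from the system CSPRNG and printed once so it can be typed into the Dial-Out Credentials page.

```powershell
# Added example (not from the original document): create the dial-out account
# on the primary VPN server. Assumptions not stated on the page: a local account
# named "site2-router" (use the AD tools instead if the demo uses a domain
# account). Run in an elevated PowerShell 2.0 prompt on the primary server.

$accountName = 'site2-router'

function New-RandomPassword([int]$Length = 32) {
    # Draw from the CSPRNG, not Get-Random. The alphabet has exactly 64 symbols
    # (ambiguous 0/O/1/l/I removed), so "byte mod 64" introduces no bias.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+=-_*'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $picked = foreach ($b in $bytes) { $alphabet[$b % $alphabet.Length] }
    return -join $picked
}

function New-DialOutAccount([string]$Name, [string]$Password) {
    # Create a local user through the WinNT ADSI provider (present on 2008 R2
    # without extra modules) and lock the password so it cannot change or
    # expire out from under the demand-dial interface that stores it.
    $ADS_UF_PASSWD_CANT_CHANGE = 0x40
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $user = $computer.Create('user', $Name)
    $user.SetPassword($Password)
    $user.SetInfo()

    $flags = [int]$user.Get('UserFlags')
    $user.Put('UserFlags', ($flags -bor $ADS_UF_PASSWD_CANT_CHANGE -bor $ADS_UF_DONT_EXPIRE_PASSWD))
    $user.Put('Description', 'Dial-out credential for the site-to-site demand-dial interface; no interactive logon')
    $user.SetInfo()
    return $user
}

$password = New-RandomPassword
$null = New-DialOutAccount -Name $accountName -Password $password

# The new account is a member of Users only; never add it to Administrators.
# Two things this script does not do, because the WinNT provider cannot:
#  - grant dial-in: Local Users and Groups > site2-router > Dial-in tab, either
#    "Allow access" or "Control access through NPS Network Policy" when the
#    primary server authorizes through NPS as earlier in this document;
#  - return routing: if hosts at the primary site must reach the remote
#    network, add that network on the account's Dial-in tab (Apply static
#    routes) or create a demand-dial interface on this server whose name
#    matches the account name, so RRAS treats the caller as a router.
"Account '$accountName' created. One-time password (type it into Dial-Out Credentials, then discard):"
$password
```

Because the calling router stores this password, its strength is the only thing protecting the site-to-site connection against a guessed login, so a long generated value is preferable to anything memorable.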


Once we have completed the wizard we will have a new interface. This interface will need to be configured. Right-click the new interface and click Properties.

MyDomain Connection Properties

Notice that in this screenshot only IPv6 is enabled by default. If you are using IPv6 addressing, the connection should work as it is.


Enable IPv4 Addressing

Since we are only using IPv4 in this demo, we will uncheck IPv6 and check IPv4. Enable all necessary protocols for this connection.

Create this as a Persistent connection

We want this connection to maintain a persistent connection to our remote site. Click the Options tab, change the connection type from Demand dial to Persistent connection, and click OK to close the Properties window.


Test the Connection

Right-click MyDomain Connection and click Connect.

You should now see that you are connected.

Success!


Issue: after creating a successful connection you may find that you cannot access some resources or ping the remote network. This is because Windows Server 2008 R2 does not add a route for the remote network to the demand-dial interface automatically; without it, traffic for the remote network follows the server's default route instead of the tunnel.

Fix: in the Routing and Remote Access console, expand IPv4, right-click Static Routes and click New Static Route…

Select the demand-dial interface you created, enter the remote network and the remote network mask, and check Use this route to initiate demand-dial connections, so that traffic for that network brings the connection up if it is down. Click OK.

Your route should now be displayed in the Static Routes window. Test: open the command prompt and ping a remote site IP address. If ping fails but other traffic works, check Windows Firewall on the target host, which may block ICMP echo requests (see the "Cannot Ping Windows 2008 RRAS server IP" link at the end of this document). The primary site also needs a route back to this remote network, otherwise replies from hosts on the primary network cannot find their way into the tunnel.

You can now access the resources from the remote network!

Page 75: Install and Configure Windows 2008 R2 VPN (1)

Can we access our intranet now? Yes.

You have successfully set up the site-to-site VPN using a demand-dial interface. Congratulations!


Links:
Virtual Private Networks
http://technet.microsoft.com/en-us/network/bb545442.aspx
Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect
http://technet.microsoft.com/library/dd637783.aspx
Direct Access
http://technet.microsoft.com/en-us/network/dd420463.aspx
Remote Access (Windows 2012)
http://technet.microsoft.com/library/hh831416
How to Setup SSTP Remote Access Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx
Routing and Remote Access Blog
http://blogs.technet.com/b/rrasblog/
Cannot Ping Windows 2008 RRAS server IP
http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/9ff109e5-0de4-4028-96fe-20aae218c6c4
Network Policy Server
http://technet.microsoft.com/en-us/network/bb629414.aspx
Windows Server 2008 "How Do I" Videos
http://technet.microsoft.com/en-US/windowsserver/dd334524.aspx
Windows 2008 Step-By-Step Guides (Downloadable Guides)
http://www.microsoft.com/en-us/download/details.aspx?id=17157