Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab, Part 2
[LEFT][URL="http://technet.microsoft.com/en-us/library/cc757206%28WS.10%29.aspx"]http://technet.microsoft.com/en-us/library/cc757206(WS.10).aspx[/URL]
[B]Configure the VPN server [/B]
[LIST=1]
[*]Install Windows Server 2003 with SP1, Standard Edition, as a member server named VPN1 in the example.com domain.
[*]Open the [B]Network Connections[/B] folder.
[*]For the intranet local area connection, rename the connection to [B]CorpNet[/B]. For the Internet local area connection, rename the connection to [B]Internet[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.165c5ac1-8505-47d7-8364-13530cd59757%28en-us%29.gif[/IMG]
[*]Configure the TCP/IP protocol for the CorpNet connection with the IP address of 172.16.0.4, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
[*]Configure the TCP/IP protocol for the Internet connection with the IP address of 10.0.0.2 and the subnet mask of 255.255.255.0.
[/LIST]
Windows Firewall and Routing and Remote Access cannot run simultaneously on VPN1. If Windows Firewall is turned on, you will need to turn it off; if the Windows Firewall/Internet Connection Sharing (ICS) service has started or is set to automatic before you configure Routing and Remote Access, you must disable it.
[B] Disable the Windows Firewall/Internet Connection Sharing (ICS) service [/B]
[LIST=1]
[*]Click [B]Administrative Tools[/B], and then click [B]Services[/B].
[*]In the [B]Services[/B] details pane, right-click the [B]Windows Firewall/Internet Connection Sharing (ICS)[/B] service, and then click [B]Properties[/B].
[*]If the service [B]Startup Type[/B] is either [B]Automatic[/B] or [B]Manual[/B], change it to [B]Disabled[/B].
[*]Click [B]OK[/B] to close the [B]Windows Firewall/Internet Connection Sharing (ICS)[/B] dialog box, and then close the [B]Services[/B] page.
[/LIST]
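The same change from a command prompt on VPN1, as an added example that is not part of the original guide: the display name [B]Windows Firewall/Internet Connection Sharing (ICS)[/B] belongs to the service short name SharedAccess, and the script both stops the service and sets its startup type to Disabled, then verifies the result (stopping alone would let an Automatic or Manual service come back and conflict with Routing and Remote Access).

```batch
@echo off
rem Added example (not from the original guide). Run from a command prompt
rem on VPN1 as an administrator, before configuring Routing and Remote Access.
rem "Windows Firewall/Internet Connection Sharing (ICS)" is the display name;
rem the short name used by sc.exe and net.exe is SharedAccess.

set SVC=SharedAccess

rem Stop the service only if it is currently running (net stop fails otherwise).
sc query %SVC% | find "RUNNING" >nul
if not errorlevel 1 (
    echo Stopping %SVC% ...
    net stop %SVC%
)

rem Stopping is not enough: the startup type must also be Disabled so the
rem service cannot start again next to Routing and Remote Access.
rem Note the mandatory space after "start=".
sc config %SVC% start= disabled >nul
if errorlevel 1 (
    echo Failed to change the startup type of %SVC%.
    exit /b 1
)

rem Verify: START_TYPE must read DISABLED and STATE must not read RUNNING.
sc qc %SVC% | find "START_TYPE"
sc query %SVC% | find "STATE"
sc qc %SVC% | find "DISABLED" >nul || (echo %SVC% is still not disabled & exit /b 1)
sc query %SVC% | find "RUNNING" >nul && (echo %SVC% is still running & exit /b 1)
echo %SVC% is stopped and disabled.
```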
[B] Configure Routing and Remote Access [/B]
[LIST=1]
[*]Run the [B]Routing and Remote Access[/B] snap-in from the [B]Administrative Tools[/B] folder.
[*]In the console tree, right-click [B]VPN1[/B], and then click [B]Configure and Enable Routing and Remote Access[/B].
[*]On the [B]Welcome to the Routing and Remote Access Server Setup Wizard[/B] page, click [B]Next[/B].
[*]On the [B]Configuration[/B] page, [B]Remote access (dial-up or VPN)[/B] is selected by default. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.0fa3d4e7-3f81-4874-bee1-0779bdd1fe15%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]Remote Access[/B] page, select [B]VPN[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.7f11a8b7-94c2-4b8f-9713-14db10323083%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]VPN Connection[/B] page, click the [B]Internet[/B] interface in [B]Network interfaces[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.6af42188-66b5-4d39-8fae-f70a362ae20e%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]IP Address Assignment[/B] page, [B]Automatically[/B] is selected by default. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.4c9d50db-5cf9-41ce-8dff-2193b66d3cb7%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]Managing Multiple Remote Access Servers[/B] page, click [B]Yes, set up this server to work with a RADIUS server[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.62a084d8-2851-45f6-a92c-1e9d5d53437a%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]RADIUS Server Selection[/B] page, type [B]172.16.0.2[/B] in [B]Primary RADIUS server[/B] and the shared secret in [B]Shared secret[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.90b720f8-257d-40db-b4ec-b19d48b6bec6%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]Completing the Routing and Remote Access Server Setup Wizard[/B] page, click [B]Finish[/B].
[*]You are prompted with a message describing the need to configure the DHCP Relay Agent. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.fd727318-9965-4e9b-b85c-459aea5ce36c%28en-us%29.gif[/IMG]
[*]Click [B]OK[/B].
[*]In the console tree, open [B]VPN1 (local)[/B], then [B]IP Routing[/B], and then [B]DHCP Relay Agent[/B]. Right-click [B]DHCP Relay Agent[/B], and then click [B]Properties[/B].
[*]In the [B]DHCP Relay Agent Properties[/B] dialog box, type [B]172.16.0.1[/B] in [B]Server address[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.5dc92c80-e5e4-4fc6-aa34-402204160da9%28en-us%29.gif[/IMG]
[*]Click [B]Add[/B], and then click [B]OK[/B].
[/LIST]
[B]CLIENT1[/B]
CLIENT1 is a computer running Windows XP Professional with SP2 that is acting as a VPN client and gaining remote access to intranet resources across the simulated Internet.
[B] Configure Client1 as a VPN client for a PPTP connection [/B]
[LIST=1]
[*]Connect CLIENT1 to the intranet network segment.
[*]On CLIENT1, install Windows XP Professional with SP2 as a member computer named CLIENT1 of the example.com domain.
[IMG]http://i.technet.microsoft.com/cc757206.note%28en-us%29.gif[/IMG] [B]Note[/B] Installing Windows XP Professional with SP2 also installs and automatically turns on Windows Firewall. Leave Windows Firewall turned on for this scenario. You will not need to configure any port or program exceptions.
[*]Add the VPNUser account in the example.com domain to the local Administrators group.
[*]Log off and then log on using the VPNUser account in the example.com domain.
[*]In Control Panel, open the [B]Network Connections[/B] folder, obtain properties on the Local Area Network connection, and then obtain properties on the Internet Protocol (TCP/IP).
[*]Click the [B]Alternate Configuration[/B] tab, and then click [B]User configured[/B].
[*]In [B]IP address[/B], type [B]10.0.0.1[/B]. In [B]Subnet mask[/B], type [B]255.255.255.0[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.21e86af7-93ee-4d40-9c21-635197a3c3f6%28en-us%29.gif[/IMG]
[*]Click [B]OK[/B] to save changes to the TCP/IP properties. Click [B]OK[/B] to save changes to the Local Area Network connection.
[*]Shut down the CLIENT1 computer.
[*]Disconnect CLIENT1 from the intranet network segment, and connect it to the simulated Internet network segment.
[*]Restart CLIENT1 and log on using the VPNUser account.
[*]On CLIENT1, in Control Panel, open the [B]Network Connections[/B] folder.
[*]In [B]Network Tasks[/B], click [B]Create a new connection[/B].
[*]On the [B]Welcome to the New Connection Wizard[/B] page of the New Connection Wizard, click [B]Next[/B].
[*]On the [B]Network Connection Type[/B] page, click [B]Connect to the network at my workplace[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.f47867e3-79f3-46db-8d93-76d7bd1defed%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]Network Connection[/B] page, click [B]Virtual Private Network connection[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.49d1a9d2-790f-4aee-84ad-e8b160c08074%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]Connection Name[/B] page, type [B]PPTPtoCorpnet[/B] in [B]Company Name[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.9c40b9d6-918b-42e9-86bc-bf32baef49be%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]VPN Server Selection[/B] page, type [B]10.0.0.2[/B] in [B]Host name or IP address[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.6aa5b8fd-3d2e-4d6c-87cb-752baa0f3d28%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]Connection Availability[/B] page, click [B]Next[/B].
[*]On the [B]Completing the New Connection Wizard[/B] page, click [B]Finish[/B]. The [B]Connect PPTPtoCorpnet[/B] dialog box appears. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.8c1800b7-2596-4fac-a1cf-adcd0d55ad34%28en-us%29.gif[/IMG]
[*]Click [B]Properties[/B], and then click the [B]Networking[/B] tab.
[*]On the [B]Networking[/B] tab, in [B]Type of VPN[/B], click [B]PPTP VPN[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.65fba36f-6115-424b-994f-7d538800dac4%28en-us%29.gif[/IMG]
[*]Click [B]OK[/B] to save changes to the [B]PPTPtoCorpnet[/B] connection. The [B]Connect PPTPtoCorpnet[/B] dialog box appears.
[*]In [B]User name[/B], type [B]example\VPNUser[/B]. In [B]Password[/B], type the password you chose for the VPNUser account.
[*]Click [B]Connect[/B].
[*]When the connection is complete, run Internet Explorer.
[*]If prompted by the Internet Connection Wizard, configure it for a LAN connection. In [B]Address[/B], type [B][URL]http://IIS1.example.com/iisstart.htm[/URL][/B]. You should see a message saying the Web page is under construction.
[*]Click [B]Start[/B], click [B]Run[/B], type [B]\\IIS1\ROOT[/B], and then click [B]OK[/B]. You should see the contents of the local drive (drive C) on IIS1.
[*]Right-click the [B]PPTPtoCorpnet[/B] connection, and then click [B]Disconnect[/B].
[/LIST]
[B]L2TP/IPsec-based Remote Access VPN Connections[/B]
L2TP/IPsec-based remote access VPN connections require computer certificates on the VPN client and the VPN server. L2TP/IPsec is typically used when there are stronger requirements for security and a public key infrastructure (PKI) is in place to issue computer certificates to VPN clients and servers.
[B]DC1[/B]
[B] Configure DC1 for autoenrollment of computer certificates [/B]
[LIST=1]
[*]Open the Active Directory Users and Computers snap-in.
[*]In the console tree, double-click [B]Active Directory Users and Computers[/B], right-click the [B]example.com[/B] domain, and then click [B]Properties[/B].
[*]On the [B]Group Policy[/B] tab, click [B]Default Domain Policy[/B], and then click [B]Edit[/B].
[*]In the console tree, open [B]Computer Configuration[/B], open [B]Windows Settings[/B], open [B]Security Settings[/B], open [B]Public Key Policies[/B], and then open [B]Automatic Certificate Request Settings[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.460649f2-4036-4ba3-a2f8-f926a965687a%28en-us%29.gif[/IMG]
[*]Right-click [B]Automatic Certificate Request Settings[/B], point to [B]New[/B], and then click [B]Automatic Certificate Request[/B].
[*]On the [B]Welcome to the Automatic Certificate Request Setup Wizard[/B] page, click [B]Next[/B].
[*]On the [B]Certificate Template[/B] page, click [B]Computer[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.92f71a62-40e3-4f3e-88c0-4821afc6ba51%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]Completing the Automatic Certificate Request Setup Wizard[/B] page, click [B]Finish[/B]. The Computer certificate type now appears in the details pane of the Group Policy Object Editor snap-in. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.2e55731d-b4d7-48ba-8eea-5600c96a7094%28en-us%29.gif[/IMG]
[*]Type [B]gpupdate[/B] at a command prompt to update Group Policy on DC1.
[/LIST]
[B]VPN1[/B]
[B] Update Group Policy on VPN1 [/B]
[LIST][*]To immediately update Group Policy and request a computer certificate, type [B]gpupdate[/B] at a command prompt.[/LIST]
After updating VPN1 with the new certificates, you need to stop and restart the IPsec Policy Agent and Routing and Remote Access services.
[B] Restart IPsec Policy Agent and Routing and Remote Access [/B]
[LIST=1]
[*]Click [B]Start[/B], point to [B]Administrative Tools[/B], and then click [B]Services[/B].
[*]In the details pane, point to [B]IPSEC Services[/B], point to [B]Action[/B], and then click [B]Restart[/B].
[*]In the details pane, point to [B]Routing and Remote Access[/B], point to [B]Action[/B], and then click [B]Restart[/B].
[/LIST]
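A scripted version of the VPN1 steps above, added here as an example that is not part of the original guide: it first confirms that autoenrollment actually delivered a computer certificate issued by the lab CA (named Example CA in this guide) into the machine Personal store, and only then restarts the two services by their short names (PolicyAgent for [B]IPSEC Services[/B], RemoteAccess for [B]Routing and Remote Access[/B]). It assumes certutil.exe is available on VPN1.

```batch
@echo off
rem Added example (not from the original guide). Run on VPN1 after gpupdate.
rem Service display name -> short name used by net.exe and sc.exe:
rem   IPSEC Services             -> PolicyAgent
rem   Routing and Remote Access  -> RemoteAccess

rem 1. Confirm autoenrollment delivered a computer certificate. "-store My"
rem    lists the local machine Personal store; the lab CA is "Example CA",
rem    so that string appears in the Issuer line of the enrolled certificate.
certutil -store My | find "Example CA" >nul
if errorlevel 1 (
    echo No certificate issued by Example CA is in the machine store yet.
    echo Run gpupdate again and check the CA before restarting the services.
    exit /b 1
)
echo Computer certificate from Example CA is present.

rem 2. Restart the services. Routing and Remote Access is stopped first so
rem    no L2TP/IPsec negotiation is attempted while the IPsec Policy Agent
rem    reloads, then both are started in the reverse order.
net stop RemoteAccess
net stop PolicyAgent
net start PolicyAgent
if errorlevel 1 (echo IPSEC Services failed to start & exit /b 1)
net start RemoteAccess
if errorlevel 1 (echo Routing and Remote Access failed to start & exit /b 1)

rem 3. Verify that both services report RUNNING.
for %%S in (PolicyAgent RemoteAccess) do (
    sc query %%S | find "RUNNING" >nul || (echo %%S is not running & exit /b 1)
)
echo IPSEC Services and Routing and Remote Access restarted with the new certificate.
```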
[B]CLIENT1[/B]
To obtain a computer certificate on CLIENT1 and then configure an L2TP/IPsec-based remote access VPN connection, perform the following steps.
[B] Obtain a computer certificate and configure an L2TP/IPsec-based remote access VPN connection [/B]
[LIST=1]
[*]Shut down the CLIENT1 computer.
[*]Disconnect CLIENT1 from the simulated Internet network segment, and connect it to the intranet network segment.
[*]Restart CLIENT1 and log on using the VPNUser account. The computer and user Group Policy is automatically updated.
[*]Shut down CLIENT1.
[*]Disconnect CLIENT1 from the intranet network segment, and connect it to the simulated Internet network segment.
[*]Restart CLIENT1 and log on using the VPNUser account.
[*]On CLIENT1, in Control Panel, open the [B]Network Connections[/B] folder.
[*]In [B]Network Tasks[/B], click [B]Create a new connection[/B].
[*]On the [B]Welcome to the New Connection Wizard[/B] page of the [B]New Connection Wizard[/B], click [B]Next[/B].
[*]On the [B]Network Connection Type[/B] page, click [B]Connect to the network at my workplace[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.5b319a0a-af3d-41c1-be52-cd74189c83ae%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]Network Connection[/B] page, click [B]Virtual Private Network connection[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.ca04e073-4ded-49d5-8147-d521b2eb0fac%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]Connection Name[/B] page, type [B]L2TPtoCorpnet[/B] in [B]Company Name[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.963637c6-133b-4115-a489-13eaba14cdba%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]Public Network[/B] page, click [B]Do not dial the initial connection[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.cb48abaf-360e-43b1-be89-218c92bd7352%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]VPN Server Selection[/B] page, type [B]10.0.0.2[/B] in [B]Host name or IP address[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.64af9c27-88a8-46fc-b3ea-d7b7036e6f01%28en-us%29.gif[/IMG]
[*]Click [B]Next[/B]. On the [B]Connection Availability[/B] page, click [B]Next[/B].
[*]On the [B]Completing the New Connection Wizard[/B] page, click [B]Finish[/B]. The [B]Connect L2TPtoCorpnet[/B] dialog box appears. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.76e48991-30db-488a-a27a-e0b5e6dd00df%28en-us%29.gif[/IMG]
[*]Click [B]Properties[/B], and then click the [B]Networking[/B] tab.
[*]On the [B]Networking[/B] tab, in [B]Type of VPN[/B], click [B]L2TP IPSec VPN[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.42aba3c2-95b0-4034-b36e-8063f6d6231b%28en-us%29.gif[/IMG]
[*]Click [B]OK[/B] to save changes to the [B]L2TPtoCorpnet[/B] connection. The [B]Connect L2TPtoCorpnet[/B] dialog box appears.
[*]In [B]User name[/B], type [B]example\VPNUser[/B]. In [B]Password[/B], type the password you chose for the VPNUser account.
[*]Click [B]Connect[/B].
[*]When the connection is established, run the Web browser.
[*]In [B]Address[/B], type [B][URL]http://IIS1.example.com/iisstart.htm[/URL][/B]. You should see a message saying the Web site is under construction.
[*]Click [B]Start[/B], click [B]Run[/B], type [B]\\IIS1\ROOT[/B], and then click [B]OK[/B]. You should see the contents of the local drive (drive C) on IIS1.
[*]Right-click the [B]L2TPtoCorpnet[/B] connection, and then click [B]Disconnect[/B].
[/LIST]
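A command-line connection test from CLIENT1 that covers both the PPTP and the L2TP/IPsec procedures above, added here as an example that is not part of the original guide: it dials the saved connection with rasdial, shows the tunnel address, repeats the [B]\\IIS1\ROOT[/B] check the guide performs by hand, and disconnects. Pass PPTPtoCorpnet or L2TPtoCorpnet as the argument; the trailing [B]*[/B] makes rasdial prompt for the VPNUser password instead of taking it on the command line.

```batch
@echo off
rem Added example (not from the original guide). Run on CLIENT1, logged on
rem as example\VPNUser, after the connection has been created in the GUI.
rem Usage: vpntest.cmd PPTPtoCorpnet    or    vpntest.cmd L2TPtoCorpnet
if "%~1"=="" (
    echo Usage: %~nx0 ^<connection name^>
    exit /b 1
)
set CONN=%~1

rem Dial the saved connection. The trailing * makes rasdial prompt for the
rem password, so it never appears on the command line or in the history.
rasdial "%CONN%" example\VPNUser *
if errorlevel 1 (
    echo Connection %CONN% failed; rasdial reported RAS error %ERRORLEVEL%.
    exit /b 1
)

rem Show the PPP adapter and the address VPN1 handed out over the tunnel.
ipconfig | find "PPP adapter"
ipconfig | find "IP Address"

rem Same intranet check the guide performs by hand: the share on IIS1.
rem The name must resolve through the intranet DNS server (172.16.0.1).
dir \\IIS1\ROOT >nul
if errorlevel 1 (
    echo Tunnel is up but \\IIS1\ROOT is not reachable; check that IIS1.example.com resolves over the tunnel.
) else (
    echo \\IIS1\ROOT is reachable across the %CONN% tunnel.
)

rem Always tear the connection down again, matching the last step of the guide.
rasdial "%CONN%" /disconnect
```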
[B]EAP-TLS-based Remote Access VPN Connections[/B]
EAP-TLS-based remote access VPN connections require a user certificate on the VPN client and a computer certificate on the IAS server. EAP-TLS authenticates the VPN connection with the most secure user-level authentication protocol available. Locally installed user certificates, enabled in the following steps, make it easier to set up a test lab. In a production environment, it is recommended that you use smart cards, rather than locally installed user certificates, for EAP-TLS authentication.
[B]DC1[/B]
[B] Configure DC1 for autoenrollment of user certificates [/B]
[LIST=1]
[*]Click [B]Start[/B], click [B]Run[/B], type [B]mmc[/B], and then click [B]OK[/B].
[*]On the [B]File[/B] menu, click [B]Add/Remove Snap-in[/B], and then click [B]Add[/B].
[*]Under [B]Snap-in[/B], double-click [B]Certificate Templates[/B], click [B]Close[/B], and then click [B]OK[/B].
[*]In the console tree, click [B]Certificate Templates[/B]. All of the certificate templates will be displayed in the details pane. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.5836ed97-3710-4f21-a848-efbd39f26ece%28en-us%29.gif[/IMG]
[*]In the details pane, click the [B]User[/B] template.
[*]On the [B]Action[/B] menu, click [B]Duplicate Template[/B].
[*]In the [B]Template display name[/B] box, type [B]VPNUser[/B].
[*]Verify that the [B]Publish Certificate in Active Directory[/B] check box is selected. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.5fef7b1d-4fa7-4c99-a90b-e103a2ecb5bb%28en-us%29.gif[/IMG]
[*]Click the [B]Security[/B] tab.
[*]In the [B]Group or user names[/B] list, click [B]Domain Users[/B].
[*]In the [B]Permissions for Domain Users[/B] list, select the [B]Read[/B], [B]Enroll[/B], and [B]Autoenroll[/B] check boxes so that these permissions are allowed. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.318c0bfc-3b9e-4e71-8560-46cc9e985481%28en-us%29.gif[/IMG]
[*]Click the [B]Subject Name[/B] tab.
[*]Clear the [B]Include E-mail name in subject name[/B] and [B]E-mail name[/B] check boxes. Because you did not configure an e-mail name for the VPNUser user account, you must clear these check boxes to allow a user certificate to be issued. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.63b41b2d-f231-4dc8-9471-1ad84805bc57%28en-us%29.gif[/IMG]
[*]Click [B]OK[/B].
[*]Open the [B]Certification Authority[/B] snap-in from the [B]Administrative Tools[/B] folder.
[*]In the console tree, open [B]Certification Authority[/B], open [B]Example CA[/B], and then open [B]Certificate Templates[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.f60778be-3426-4e5a-8674-15d56eef2b55%28en-us%29.gif[/IMG]
[*]On the [B]Action[/B] menu, point to [B]New[/B], and then click [B]Certificate Template to Issue[/B].
[*]Click [B]VPNUser[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.9ef99ac4-a0b7-42ab-a58f-126c9873a3c5%28en-us%29.gif[/IMG]
[*]Click [B]OK[/B].
[*]Open the Active Directory Users and Computers snap-in.
[*]In the console tree, double-click [B]Active Directory Users and Computers[/B], right-click the example.com domain, and then click [B]Properties[/B].
[*]On the [B]Group Policy[/B] tab, click [B]Default Domain Policy[/B], and then click [B]Edit[/B].
[*]In the console tree, open [B]User Configuration[/B], open [B]Windows Settings[/B], open [B]Security Settings[/B], and then open [B]Public Key Policies[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.cf8661c3-70c3-4c04-8db2-ba2ccf71fdeb%28en-us%29.gif[/IMG]
[*]In the details pane, double-click [B]Autoenrollment Settings[/B].
[*]Click [B]Enroll certificates automatically[/B]. Select the [B]Renew expired certificates, update pending certificates, and remove revoked certificates[/B] check box. Select the [B]Update certificates that use certificate templates[/B] check box. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.6093aa9e-7ca0-4328-b3e0-d37c315fdfd8%28en-us%29.gif[/IMG]
[*]Click [B]OK[/B].
[/LIST]
[B]IAS1[/B]
[B] Configure IAS1 with a computer certificate for EAP-TLS authentication [/B]
[LIST=1]
[*]Restart IAS1 to ensure that IAS1 has autoenrolled a computer certificate.
[*]Open the Internet Authentication Service snap-in.
[*]In the console tree, click [B]Remote Access Policies[/B].
[*]In the details pane, double-click [B]VPN remote access to intranet[/B]. The [B]VPN remote access to intranet Properties[/B] dialog box appears. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.2e46c225-2e85-4873-9713-504fb70e7d4a%28en-us%29.gif[/IMG]
[*]Click [B]Edit Profile[/B], and then click the [B]Authentication[/B] tab. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.04f1c04d-21bf-4c4a-8f54-155298b59da9%28en-us%29.gif[/IMG]
[*]On the [B]Authentication[/B] tab, click [B]EAP Methods[/B]. The [B]Select EAP Providers[/B] dialog box appears. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.17a4cc1e-bc04-4c2f-95fe-75aa8276e9c0%28en-us%29.gif[/IMG]
[*]Click [B]Add[/B]. The [B]Add EAP[/B] dialog box appears. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.cf974dfd-3570-455a-81af-e50439c27167%28en-us%29.gif[/IMG]
[*]Click [B]Smart Card or other certificate[/B], and then click [B]OK[/B].
[*]Click [B]Edit[/B]. The [B]Smart Card or other Certificate Properties[/B] dialog box appears. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.7c8ef2eb-4563-4fb4-a2d7-efc1237fc71f%28en-us%29.gif[/IMG]
[*]The properties of the computer certificate issued to the IAS1 computer are displayed. This step verifies that IAS1 has an acceptable computer certificate installed to perform EAP-TLS authentication. Click [B]OK[/B].
[*]Click [B]OK[/B] to save changes to EAP providers. Click [B]OK[/B] to save changes to the profile settings.
[*]When prompted to view help topics, click [B]No[/B]. Click [B]OK[/B] to save changes to the remote access policy.
[/LIST]
These configuration changes will allow the [B]VPN remote access to intranet[/B] remote access policy to authorize VPN connections using the EAP-TLS authentication method.
[B]CLIENT1[/B]
[B] Obtain a user certificate on CLIENT1, and then configure an EAP-TLS-based remote access VPN connection [/B]
[LIST=1]
[*]Shut down the CLIENT1 computer.
[*]Disconnect CLIENT1 from the simulated Internet network segment, and connect it to the intranet network segment.
[*]Restart CLIENT1 and log on using the VPNUser account. The computer and user Group Policy is automatically updated.
[*]Shut down CLIENT1.
[*]Disconnect CLIENT1 from the intranet network segment, and connect it to the simulated Internet network segment.
[*]Restart CLIENT1 and log on using the VPNUser account.
[*]On CLIENT1, in Control Panel, open the [B]Network Connections[/B] folder.
[*]In [B]Network Tasks[/B], click [B]Create a new connection[/B].
[*]On the [B]Welcome to the New Connection Wizard[/B] page of the New Connection Wizard, click [B]Next[/B].
[*]On the [B]Network Connection Type[/B] page, click [B]Connect to the network at my workplace[/B].
[*]Click [B]Next[/B]. On the [B]Network Connection[/B] page, click [B]Virtual Private Network connection[/B].
[*]Click [B]Next[/B]. On the [B]Connection Name[/B] page, type [B]EAPTLStoCorpnet[/B] in [B]Company Name[/B].
[*]Click [B]Next[/B]. On the [B]Public Network[/B] page, click [B]Do not dial the initial connection[/B].
[*]Click [B]Next[/B]. On the [B]VPN Server Selection[/B] page, type [B]10.0.0.2[/B] in [B]Host name or IP address[/B].
[*]Click [B]Next[/B]. On the [B]Connection Availability[/B] page, click [B]Next[/B].
[*]On the [B]Completing the New Connection Wizard[/B] page, click [B]Finish[/B]. The [B]Connect EAPTLStoCorpnet[/B] dialog box appears. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.92ca5143-1185-4467-9c5a-d89b682016ed%28en-us%29.gif[/IMG]
[*]Click [B]Properties[/B], and then click the [B]Security[/B] tab.
[*]On the [B]Security[/B] tab, click [B]Advanced[/B], and then click [B]Settings[/B]. The [B]Advanced Security Settings[/B] dialog box appears.
[*]In the [B]Advanced Security Settings[/B] dialog box, click [B]Use Extensible Authentication Protocol (EAP)[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.bd02aa0d-7050-4c04-93ba-10b164784801%28en-us%29.gif[/IMG]
[*]Click [B]Properties[/B]. In the [B]Smart Card or other Certificate Properties[/B] dialog box, click [B]Use a certificate on this computer[/B]. This is shown in the following figure.
[IMG]http://i.technet.microsoft.com/cc757206.80046ebe-98a4-4342-aec3-f06cc607708b%28en-us%29.gif[/IMG]
[*]Click [B]OK[/B] to save changes to the [B]Smart Card or Other Certificate[/B] dialog box. Click [B]OK[/B] to save changes to the [B]Advanced Security Settings[/B]. Click [B]OK[/B] to save changes to the [B]Security[/B] tab. The connection is immediately initiated using the installed user certificate. The first time you try to connect, it may take several attempts to successfully make a connection.
[*]When the connection is successful, run the Web browser.
[*]In [B]Address[/B], type [B][URL]http://IIS1.example.com/iisstart.htm[/URL][/B]. You should see a message saying the Web site is under construction.
[*]Click [B]Start[/B], click [B]Run[/B], type [B]\\IIS1\ROOT[/B], and then click [B]OK[/B]. You should see the contents of the local drive (drive C) on IIS1.
[*]Right-click the [B]EAPTLStoCorpnet[/B] connection, and then click [B]Disconnect[/B].
[/LIST]
[B]Summary[/B]
This guide described in detail the steps required to configure secure VPN remote access using PPTP, L2TP/IPsec, and EAP-TLS in a test lab with five computers simulating an organization intranet and the Internet.
[/LEFT]