10- Remote Access Server Lesson

The document provides a step-by-step guide for installing and configuring a Remote Access Server using Windows Server 2008, including setting up TCP/IP, Active Directory, DNS, and creating user accounts with remote access permissions. It details the installation of server roles such as Active Directory Certificate Services and Web Server (IIS) to support VPN connections. Additionally, it outlines the process for creating shared folders and files, as well as configuring a VPN server for secure remote access.

Remote Access Server

Install the operating system


Install Windows Server 2008
1. On DC1, start your computer by using the Windows Server 2008 product disc.
2. Follow the instructions that appear on your screen. When prompted for a password, type
P@ssword.

Configure TCP/IP
Configure TCP/IP properties so that DC1 has a static IP address of 192.168.0.1 with the subnet mask
255.255.255.0 and a default gateway of 192.168.0.2.

Configure TCP/IP properties

1. On DC1, in the Initial Configuration Tasks window, under Provide Computer Information,
click Configure networking.

Note: If the Initial Configuration Tasks window is not already open, you can open it by clicking
Start, clicking Run, typing oobe in the text box, and then clicking OK.

Figure 3. Initial Configuration Tasks window.

2. In the Network Connections window, right-click Local Area Connection, and then click
Properties.

3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Click Use the following IP address. Type 192.168.0.1 for the IP address, type 255.255.255.0 for the
subnet mask, type 192.168.0.2 for the default gateway, and type 192.168.0.1 for the preferred DNS
server.
5. Click OK, and then click Close.

Install Active Directory and DNS

Configure the computer as a domain controller for the Contoso.com domain. This will be the first and
only domain controller in this network.

Configure DC1 as a domain controller


1. On DC1, in the Initial Configuration Tasks window, under Provide Computer Information, click
Provide computer name and domain.
Note: If the Initial Configuration Tasks window is not already open, you can open it by
clicking Start, clicking Run, typing oobe in the text box, and then clicking OK.
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. Change computer name to DC1, and then click OK.
4. In the Computer Name/Domain Changes dialog box, click OK.
5. Click Close, and then click Restart Now.
6. After the server restarts, in the Initial Configuration Tasks window, under Customize This
Server, click Add roles.
7. In the Add Roles Wizard dialog box, in Before You Begin, click Next.
8. Select the Active Directory Domain Services check box, and then click Next.
9. In the Active Directory Domain Services dialog box, click Next.
10. In the Confirm Installation Selections dialog box, click Install.
11. In the Installation Results dialog box, click Close.
12. Click Start, and then click Run. In Open, type dcpromo, and then click OK.
13. On the Welcome page of the Active Directory Domain Services Installation Wizard, click Next.
14. Click Create a new domain in a new forest, and then click Next.
15. In FQDN of the forest root domain, type contoso.com, and then click Next.
16. In Forest functional level, select Windows Server 2003, and then click Next.
17. Click Next to accept Windows Server 2003 for the domain functional level.
18. Click Next to accept DNS server for the additional options for this domain controller.
19. Click Yes, the computer will use a dynamically assigned IP address (not recommended).
20. Click Yes in the confirmation dialog box.
21. Click Next to accept the default folder locations.
22. In Directory Services Restore Mode Administrator Password, type a password, and then click
Next.
23. Click Next.

24. The Active Directory Domain Services Installation Wizard will begin configuring Active
Directory. When the configuration is complete, click Finish, and then click Restart Now.


Create a user account with remote access permission:

Create a user account and configure the account with remote access permission.

Create and grant permission to a user account in Active Directory:


1. On DC1, click Start, point to Administrative Tools, and then click Active Directory Users and
Computers.
2. In the left side tree, expand contoso.com, right-click Users, point to New, and then click User.
3. In Full name, type user1, and in User logon name, type user1.
4. Click Next.
5. In Password, type P@ssword and in Confirm password, type P@ssword again.
6. Clear the User must change password at next logon check box, and then select the User cannot
change password and Password never expires check boxes.
7. Click Next, and then click Finish.

To grant remote access permission to user1:


1. In the left tree, click Users. In the details pane, right-click user1, and then click Properties.
2. On the Dial-in tab, in Network Access Permission, click Allow access, and then click OK.
Note: In a real-world scenario, you would use Network Policy Server (NPS) to configure and enable
remote access policies.
3. Close Active Directory Users and Computers.
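
The following PowerShell audit is an added example, not part of the original lesson. It lists every account with Allow access set on the Dial-in tab, together with the password flags this procedure sets for user1. It assumes a domain-joined computer, a domain account, and the lab domain contoso.com; the variable names are illustrative.

```powershell
# Added example (not from the original lesson): list accounts that have
# "Allow access" set on the Dial-in tab, as configured for user1 above.
$domainDn             = 'DC=contoso,DC=com'  # lab domain used in this lesson
$ACCOUNTDISABLE       = 0x2                  # userAccountControl: account disabled
$DONT_EXPIRE_PASSWORD = 0x10000              # userAccountControl: password never expires

$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDn")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
# "Allow access" is stored as msNPAllowDialin=TRUE on the user object.
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))'
$searcher.PageSize = 500
foreach ($attr in 'samaccountname', 'useraccountcontrol', 'pwdlastset') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
try {
    $accounts = @($results | ForEach-Object {
        $props = $_.Properties
        $uac   = [int]$props['useraccountcontrol'][0]

        # pwdLastSet is a FILETIME; 0 means "must change password at next logon".
        $pwdAgeDays = $null
        if ($props['pwdlastset'].Count -gt 0 -and [long]$props['pwdlastset'][0] -gt 0) {
            $set        = [DateTime]::FromFileTimeUtc([long]$props['pwdlastset'][0])
            $pwdAgeDays = [int](([DateTime]::UtcNow - $set).TotalDays)
        }

        New-Object PSObject -Property @{
            Account         = [string]$props['samaccountname'][0]
            Enabled         = (($uac -band $ACCOUNTDISABLE) -eq 0)
            NeverExpires    = (($uac -band $DONT_EXPIRE_PASSWORD) -ne 0)
            PasswordAgeDays = $pwdAgeDays
        }
    })
}
finally {
    $results.Dispose()
    $root.Dispose()
}

# Enabled accounts with per-user dial-in and a non-expiring password are the
# ones to bring under an NPS policy, as the note in this procedure suggests.
$accounts | Sort-Object Account |
    Format-Table Account, Enabled, NeverExpires, PasswordAgeDays -AutoSize
$flagged = @($accounts | Where-Object { $_.Enabled -and $_.NeverExpires })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} enabled dial-in account(s) have a non-expiring password." -f $flagged.Count)
}
```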

Create a shared folder and file


DC1 is a file server that should be accessible to a remote user after access and authentication
methods have been configured.

Create a shared folder and file


1. On DC1, click Start, and then click Computer.
2. Double-click Local Disk (C:).
3. Right-click inside the blank space of the Windows Explorer window, point to New, and then click
Folder.
4. Name the folder CorpData.
5. Right-click the CorpData folder, and then click Share.
6. Type domain users, and then click Add.
7. Click Domain Users, and then click the Contributor permission level.
8. Click Share, and then click Done.
9. Double-click the CorpData folder, right-click the blank space in the empty folder, point to New,
and then click Text Document.
10. Name the document VPNTest.
11. Open VPNTest and add some text.
12. Save and close VPNTest.


Configuring VPN1

VPN1 is a computer running Windows Server 2008 that provides the following roles:

• Active Directory Certificate Services, a certification authority (CA) that issues the computer
certificate required for an SSTP-based VPN connection.
• Certification Authority Web Enrollment, a service that enables the issuing of certificates through a
Web browser.
• Web Server (IIS), which is installed as a required role service for Certification Authority Web
Enrollment.
Note: Routing and Remote Access does not require IIS because it listens to HTTPS connections
directly over HTTP.SYS. IIS is used in this scenario so that CLIENT1 can obtain a certificate over the
Internet from VPN1.

• Network Policy and Access Services, which provides support for VPN connections through Remote
Access Service.

VPN1 configuration consists of the following steps:


• Install the operating system.
• Configure TCP/IP for Internet and intranet networks.
• Join the Contoso.com domain.
• Install the Active Directory Certificate Services and Web Server (IIS) server roles.
• Create and install the Server Authentication certificate.
• Install the Network Policy and Access Services (Routing and Remote Access) server role.
• Configure VPN1 to be a VPN server.
The following sections explain these steps in detail.

Install the operating system


To install Windows Server 2008 on VPN1:

Install Windows Server 2008


1. On VPN1, start your computer by using the Windows Server 2008 product disc.
2. Follow the instructions that appear on your screen. When prompted for a password, type
P@ssword.

Configure TCP/IP
Configure TCP/IP properties so that VPN1 has a static IP address of 131.107.0.2 for the public
(Internet) connection and 192.168.0.2 for the private (intranet) connection.

Configure TCP/IP properties


1. On VPN1, in the Initial Configuration Tasks window, under Provide Computer Information,
click Configure networking.
Note: If the Initial Configuration Tasks window is not already open, you can open it by
clicking Start, clicking Run, typing oobe in the text box, and then clicking OK.
2. In the Network Connections window, right-click a network connection, and then click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.


4. Click Use the following IP address.


5. Configure the IP address and subnet mask with the following values:
a. On the interface connected to the public (Internet) network, type 131.107.0.2 for the IP address,
and type 255.255.0.0 for the subnet mask.
b. On the interface connected to the private (intranet) network, type 192.168.0.2 for the IP address,
type 255.255.255.0 for the subnet mask, and type 192.168.0.1 for the preferred DNS server.
6. Click OK, and then click Close.
7. To rename the network connections, right-click a network connection, and then click Rename.
8. Configure the network connections with the following names:
a. On the interface connected to the public (Internet) network, type Public.
b. On the interface connected to the private (intranet) network, type Private.

9. Close the Network Connections window.

Run the ping command from VPN1 to confirm that network communication between VPN1 and DC1
works.

Use the ping command to check network connectivity


1. On VPN1, click Start, click Run, in the Open box, type cmd, and then click OK. In the
command window, type ping 192.168.0.1.
2. Verify that you can successfully ping DC1.
3. Close the command window.

Join the Contoso domain


Configure VPN1 to be a member server in the Contoso.com domain.

Join VPN1 to the Contoso.com domain

1. On VPN1, in the Initial Configuration Tasks window, under Provide Computer Information,
click Provide computer name and domain.
Note
If the Initial Configuration Tasks window is not already open, you can open it by clicking
Start, clicking Run, typing oobe in the text box, and then clicking OK.
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. In Computer name, clear the text and type VPN1.
4. In Member of, click Domain, type contoso, and then click OK.
5. Enter administrator for the user name and P@ssword for the password.
6. When you see a dialog box welcoming you to the contoso.com domain, click OK.
7. When you see a dialog box telling you to restart the computer, click OK. Click Close, and then click
Restart Now.


Install Active Directory Certificate Services and Web Server

To support SSTP-enabled VPN connections, first install Active Directory Certificate Services and Web
Server (IIS) to enable Web enrollment of a computer certificate.

Install VPN and certificate services roles

1. On VPN1, log on as [email protected] with the password P@ssword.


2. In the Initial Configuration Tasks window, under Customize This Server, click Add roles.
Note: If the Initial Configuration Tasks window is not already open, you can open it by
clicking Start, clicking Run, typing oobe in the text box, and then clicking OK.
3. In the Add Roles Wizard dialog box, in Before You Begin, click Next.
4. Select the Active Directory Certificate Services check box.

Figure 4. Select Server Roles window.

5. Click Next, and then click Next again.


6. In the Select Role Services dialog box, under Role services, select the Certification Authority
Web Enrollment check box.
7. In the Add Roles Wizard dialog box, click Add Required Role Services.


Figure 5. Add Roles Wizard dialog box.

8. Click Next.
9. Click Standalone, and then click Next.
10. Click Root CA (recommended), and then click Next.
11. Click Create a new private key, and then click Next.
12. Click Next to accept the default cryptographic settings.
13. In the Configure CA Name dialog box, click Next to accept the default CA name.

Figure 6. Configure CA Name dialog box.

14. Click Next repeatedly to accept default settings.


15. In the Confirm Installation Selections dialog box, click Install. The installation might take several
minutes.
16. In the Installation Results dialog box, click Close.

Create and install the Server Authentication certificate

The Server Authentication certificate is used by CLIENT1 to authenticate VPN1. Before installing the
certificate, you must configure Internet Explorer to allow certificate publishing.

Configure Internet Explorer


1. On VPN1, click Start, right-click Internet Explorer, and then click Run as
administrator.
2. If a phishing filter alert appears, click Turn off automatic Phishing Filter, and then
click OK.
3. Click the Tools menu, and then click Internet Options.
4. In the Internet Options dialog box, click the Security tab.
5. Under Select a zone to view or change security settings, click Local intranet.
6. Change the security level for Local intranet from Medium-low to Low, and then click
OK.
Note
In a real-world scenario, you should configure individual ActiveX® control
settings by using Custom level rather than lowering the security level.

Figure 7. Internet Options dialog box.


Use Internet Explorer to request a Server Authentication certificate.

Request a Server Authentication certificate


1. On VPN1, in the Internet Explorer Address bar, type http://localhost/certsrv, and then
press ENTER.
2. Under Select a task, click Request a certificate.
3. Under Request a Certificate, click advanced certificate request.
4. Under Advanced Certificate Request, click Create and submit a request to this CA.
5. Click Yes to allow the ActiveX control.

Figure 8. Advanced Certificate Request page.

6. Under Identifying Information, in the Name field, type vpn1.contoso.com, and in the
Country/Region field, type US.
Note
The name is the certificate subject name and must be the same as the Internet
address used in the SSTP connection settings configured later in this document.
7. Under Type of Certificate Needed, select Server Authentication Certificate.
8. Under Key Options, select the Mark keys as exportable check box, and then click
Submit.
9. Click Yes in the confirmation dialog box.


The Server Authentication certificate is now pending. It must be issued before it can be installed.

Issue and install the Server Authentication certificate


1. On VPN1, click Start, and then click Run.
2. In Open, type mmc, and then click OK.
3. In the Console1 snap-in, click File, and then click Add/Remove Snap-in.
4. Under Available snap-ins, click Certification Authority, then click Add.
5. Click Finish to accept the default setting of Local computer.
6. Click OK to close the Add or Remove Snap-ins dialog box.
7. In the newly created MMC console, in the left pane, double-click Certification
Authority (Local).
8. Double-click contoso-VPN1-CA, and then click Pending Requests.

Figure 9. Certification Authority console.

9. In the middle pane, right-click the pending request, point to All Tasks, and then click
Issue.
10. In Internet Explorer, in the Certificate Pending page, click Home. If this page is not
visible, browse to http://localhost/certsrv.
11. Under Select a task, click View the status of a pending certificate request.
12. Under View the Status of a Pending Certificate Request, select the just-issued
certificate.
13. Click Yes to allow the ActiveX control.
14. Under Certificate Issued, click Install this certificate.
15. Click Yes in the confirmation dialog box.
Move the installed certificate from the default store location.

Move the certificate


1. On VPN1, in the previously created MMC console, click File, and then click Add/Remove
Snap-in.
2. Under Available snap-ins, click Certificates, and then click Add.

Figure 10. Certificates snap-in dialog box.

3. Click Finish to accept the default setting of My user account.


4. Click Add, click Computer account, and then click Next.
5. In the Select Computer dialog box, click Finish to accept the default setting of Local
computer.
6. Click OK to close the Add or Remove Snap-ins dialog box.
7. In the console tree pane, double-click Certificates - Current User, double-click Personal,
and then click Certificates.
8. In the middle view pane, right-click the vpn1.contoso.com certificate, point to All Tasks,
and then click Export.
9. In the Welcome page, click Next.
10. Click Yes, export the private key, and then click Next.
11. Click Next to accept the default file format.
12. Type P@ssword in both text boxes, and then click Next.
13. In the File to Export page, click Browse.
14. In the File name text box, type vpn1cert, and then click Browse Folders.
15. Under Favorite Links, click Desktop, and then click Save to save the certificate to the
desktop.
16. In the File to Export page, click Next.

17. Click Finish to close the Certificate Export Wizard, and then click OK in the
confirmation dialog box.
18. In the console tree pane, double-click Certificates (Local Computer), and then double-
click Personal.
19. Click Certificates, and then right-click Certificates, point to All Tasks, and then click
Import.
20. In the Welcome page, click Next.
21. In the File to Import page, click Browse.
22. Under Favorite Links, click Desktop, and from the drop-down list, select Personal
Information Exchange for the file type.

Figure 11. Certificate Import Wizard.

23. In the middle view pane, double-click vpn1cert.


24. In the File to Import page, click Next.
25. In the Password text box, type P@ssword, and then click Next.
26. In the Certificate Store page, click Next to accept the Personal store location.
27. Click Finish to close the Import Export Wizard, and then click OK in the confirmation
dialog box.

Figure 12. Location of Server Authentication certificate.


Important
If the procedures in this document are not followed in the order presented, the presence of an all
purpose certificate (contoso-VPN1-CA) could create issues. Delete the contoso-VPN1-CA
certificate in the Local Computer store to ensure the SSTP listener binds to the server
authentication certificate (vpn1.contoso.com).

Delete the all purpose certificate


1. In the middle view pane, double-click Certificates, right-click contoso-VPN1-CA, and
then click Delete.
2. Click Yes in the confirmation dialog box.
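
To check the state that the Important note above describes, the following PowerShell audit of the Local Computer Personal store is an added example, not part of the original lesson. It reports which certificate is the expected Server Authentication certificate for vpn1.contoso.com and flags any all-purpose certificate (one with no Enhanced Key Usage extension) that is still present. The variable names and verdict strings are illustrative.

```powershell
# Added example (not from the original lesson): audit the Local Computer
# "Personal" store on VPN1 before Routing and Remote Access is configured.
$expectedName  = 'vpn1.contoso.com'   # subject name requested in this lesson
$serverAuthOid = '1.3.6.1.5.5.7.3.1'  # Server Authentication EKU
$ekuExtOid     = '2.5.29.37'          # Enhanced Key Usage extension

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    $report = @($store.Certificates | ForEach-Object {
        $cert = $_
        $name = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        # Collect EKU OIDs; a certificate with no EKU extension is "all purpose".
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
        $ekus   = @()
        if ($ekuExt) {
            $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        if (-not $ekuExt) {
            $verdict = 'ALL-PURPOSE: no EKU, can conflict with the SSTP binding'
        }
        elseif (($ekus -contains $serverAuthOid) -and ($name -eq $expectedName)) {
            if ($cert.HasPrivateKey) { $verdict = 'OK: expected SSTP certificate' }
            else { $verdict = 'PROBLEM: private key missing, repeat the import' }
        }
        else {
            $verdict = 'OTHER: not the SSTP certificate'
        }

        New-Object PSObject -Property @{
            Verdict    = $verdict
            Name       = $name
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    })
}
finally {
    $store.Close()
}

$report | Select-Object Verdict, Name, Thumbprint, NotAfter | Format-List

# Expect exactly one usable Server Authentication certificate and no
# all-purpose certificate left in the store.
$good       = @($report | Where-Object { $_.Verdict -like 'OK*' })
$allPurpose = @($report | Where-Object { $_.Verdict -like 'ALL-PURPOSE*' })
if ($good.Count -eq 1 -and $allPurpose.Count -eq 0) {
    'Store is ready: one Server Authentication certificate for ' + $expectedName
}
else {
    Write-Warning ("Found {0} matching and {1} all-purpose certificate(s); review before configuring the VPN server." -f $good.Count, $allPurpose.Count)
}
```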


Install Routing and Remote Access


Configure VPN1 with Routing and Remote Access to function as a VPN server.

Install VPN and certificate services roles


1. On VPN1, in the Initial Configuration Tasks window, under Customize This Server,
click Add roles.
Note: If the Initial Configuration Tasks window is not already open, you can open it
by clicking Start, clicking Run, typing oobe in the text box, and then clicking OK.
2. In the Add Roles Wizard dialog box, in Before You Begin, click Next.
3. Select the Network Policy and Access Services check box, click Next, and then click
Next again.
4. In the Select Role Services dialog box, under Role services, select the Routing and
Remote Access Services check box.
5. Click Next, and then click Install.
6. In the Installation Results dialog box, click Close.

Configure Routing and Remote Access.

Configure VPN1 to be a VPN server providing remote access for Internet-based VPN clients.

Configure VPN1 to be a VPN server


1. On VPN1, click Start, point to Administrative Tools, and then click Routing and
Remote Access.
2. In the Routing and Remote Access console tree, right-click VPN1, and then click
Configure and Enable Routing and Remote Access.
3. In the Welcome to the Routing and Remote Access Server Setup Wizard page, click
Next.
4. In the Configuration page, click Next to accept the default setting of Remote access
(dial-up or VPN).
5. In the Remote Access page, click VPN, and then click Next.
6. In the VPN Connection page, under Network interfaces, click Public. This is the
interface that will connect VPN1 to the Internet.
7. Click Enable security on the selected interface by setting up static packet filters to
clear this setting, and then click Next.
Note
Normally, you would leave security enabled on the public interface. For the
purposes of testing lab connectivity, you should disable it.
8. Click From a specified range of addresses, and then click Next.
9. Click New, type 192.168.0.200 for the Start IP address, type 192.168.0.210 for the
End IP address, click OK, and then click Next.
10. Click Next to accept the default setting, which means VPN1 will not work with a
RADIUS server. In this scenario, Routing and Remote Access Server will use Windows
Authentication.
11. In the Completing the Routing and Remote Access Server Setup Wizard page, click
Finish.
12. If the dialog box that describes the need to add this computer to the remote access
server list appears, click OK.


13. In the dialog box that describes the need to configure the DHCP Relay Agent, click OK.
14. Close the Routing and Remote Access snap-in.

Configuring CLIENT1

CLIENT1 is a computer running Windows Vista with SP1 that functions as a remote access VPN client
for the Contoso.com domain.
CLIENT1 configuration consists of the following steps:
• Install the operating system.
• Configure TCP/IP.
The following sections explain these steps in detail.

Install the operating system

To install Windows Vista with SP1 on CLIENT1:


Install Windows Vista SP1
1. On CLIENT1, start your computer by using the Windows Vista with SP1 product disc. Follow the
instructions that appear on your screen.
2. When prompted for the installation type, choose Custom.
3. When prompted for the user name, type user1.
4. When prompted for the computer name, type CLIENT1.
5. When prompted for the computer location, choose Home.

Configure TCP/IP
Configure TCP/IP properties so that CLIENT1 has a static IP address of 131.107.0.3 for the public
(Internet) connection.
Configure TCP/IP properties
1. On CLIENT1, click Start, and then click Control Panel.
2. Click Network and Internet, click Network and Sharing Center, and then click Manage network
connections.
3. Right-click Local Area Connection, and then click Properties. If a dialog box is displayed that
requests permissions to perform this operation, click Continue.
4. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and
then click Properties.
5. Click Use the following IP address. In IP address, type 131.107.0.3 for the IP address, and type
255.255.0.0 for the subnet mask.
6. Click OK, and then click Close.


Configure the hosts file to have a record for VPN1. This simulates a real-world scenario in which
the corporate VPN server would have a publicly resolvable host name.

Configure the hosts file


1. On CLIENT1, click Start, click All Programs, click Accessories, right-click Command Prompt,
and then click Run as administrator.
2. In the User Account Control dialog box, click Continue.
3. In the command window, type the following and then press ENTER:
notepad %windir%\system32\drivers\etc\hosts
4. Add the following text in a new line at the end of the document:
131.107.0.2 vpn1.contoso.com
5. Save and close the hosts file.

Run the ping command from CLIENT1 to confirm that network communication between CLIENT1 and
VPN1 works.

Use the ping command to check network connectivity

1. On VPN1, click Start, point to Administrative Tools, and then click Windows Firewall with
Advanced Security.
2. In the console tree, click Inbound Rules.

Figure 13. Windows Firewall with Advanced Security snap-in.


3. In the details pane, scroll down and double-click File and Printer Sharing (Echo Request -
ICMPv4-In) for the Public profile. Verify that this rule is enabled.

Figure 14. File and Printer Sharing (Echo Request - ICMPv4-In) Properties dialog box.

4. Under General, select the Enabled check box, and then click OK.
5. On CLIENT1, in the command window, type ping vpn1.contoso.com, and then press ENTER.
6. Verify that you can successfully ping VPN1.
For the purpose of this test lab, this connection signifies that the remote user can connect to the
office VPN server over the public Internet.
7. Close the command window.
