Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect
Microsoft Corporation
Author: Dave Bishop
Editor: Scott Somohano
Published: May 22, 2009
Abstract
VPN Reconnect is a new feature of Routing and Remote Access Services (RRAS) in Windows 7 or Windows Server 2008 R2 that provides users with seamless and consistent VPN connectivity, automatically reestablishing a VPN when users temporarily lose their Internet connections. This guide provides step-by-step instructions for setting up VPN Reconnect in a test lab with three computers and then demonstrating persistent connectivity through a change in the network connection used to access the Internet.
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Server, ActiveX, and Internet Explorer are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Contents
Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect
   Abstract
   Contents
   Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect
   About Remote Access with VPN Reconnect
      Windows Firewall with Advanced Security and VPN Reconnect traffic
   Configuring DC1
      Install the operating system
      Configure TCP/IP
      Install Active Directory and DNS
      Create a user account with remote access permission
      Create a shared folder and file
   Configuring VPN1
      Install the operating system
      Configure TCP/IP
      Name the computer and join the Contoso domain
      Install Active Directory Certificate Services and Web Server
      Create and install the Server Authentication certificate
      Install Network and Policy Access Server Role
      Configure Routing and Remote Access
      Configure the Network Policy Server (NPS) to grant access for EAP-MSCHAPv2 authentication
   Configuring CLIENT1
      Install the operating system
      Configure TCP/IP
      Configure the VPN client with the root certificate
   Creating and Configuring the Remote Connection with VPN Reconnect on CLIENT1
   Simulating Connection Persistence When the Internet Link Changes
   Conclusion
Remote Access Step-by-Step Guide: Deploying Remote Access with VPN Reconnect
This guide provides step-by-step instructions that enable you to configure three computers in a test lab environment with which you can configure and test virtual private network (VPN) remote access using the VPN Reconnect feature available in the Windows 7 or Windows Server 2008 R2 operating systems.

Important: The following instructions are for configuring a test lab using a minimum number of computers and procedure steps. To minimize setup time and complexity, services were combined on the network servers rather than using individual computers to separate the services in a more secure manner. This configuration is designed to reflect neither best practices nor a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed to work only on a separate test lab network.

For a complete view of Windows 7 resources, articles, demos, and guidance, please visit the Springboard Series for Windows 7 on the Windows Client TechCenter.
Setting Up the Test Lab for VPN Reconnect

The VPN Reconnect test lab network consists of three computers, which perform the following services:

DC1: A computer running Windows Server 2008 R2 that is acting as a domain controller, a Domain Name System (DNS) server, and a file server on a private (intranet) network.
Note: Alternatively, DC1 can run Windows Server 2008 or Windows Server 2003.

VPN1: A computer running Windows Server 2008 R2, with two network adapters installed. VPN1 is configured with the Network Policy and Access Services (NPAS) and Active Directory Certificate Services (AD CS) server roles. The RRAS role service is installed to allow VPN1 to act as a VPN server. In addition, VPN1 is configured with Network Policy Services (NPS) to configure and enable the remote access policies required for a VPN connection.

CLIENT1: A computer running Windows 7 that acts as a VPN client on a public (Internet) network.

The following diagram shows the configuration of the VPN test lab.

Note: The firewall illustrated in the diagram is not a separate device or computer; instead it is the Windows Firewall that runs as part of Windows on VPN1. In a production environment, the scenario likely does include a separate firewall through which the VPN tunnel must be able to pass. For more information, see the next section.
Configuring DC1
DC1 is a computer running Windows Server 2008 R2 that provides the following services:
   A domain controller for the contoso.com Active Directory domain.
   A DNS server for the Contoso.com DNS domain.
   A file server.

DC1 configuration consists of the following steps:
   Install the operating system.
   Configure TCP/IP.
   Install Active Directory and DNS.
   Create a user account with remote access permission.
   Create a shared folder and file.
Configure TCP/IP
Configure TCP/IP properties so that DC1 has a static IP address of 192.168.0.1 with the subnet mask 255.255.255.0 and a default gateway of 192.168.0.2.

To configure TCP/IP properties
1. After DC1 restarts, in the Initial Configuration Tasks window, under 1. Provide Computer Information, click Configure networking.
2. In the Network Connections dialog box, right-click Local Area Connection, and then click Properties.
3. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Click Use the following IP address, and configure the following settings:
   a. In IP address, type 192.168.0.1.
   b. In Subnet mask, type 255.255.255.0.
   c. In Default gateway, type 192.168.0.2.
   d. In Preferred DNS server, type 192.168.0.1.
5. Click OK, and then click Close.
6. Close the Network Connections window.
Next.
   e. On the Set Forest Functional Level page, select Windows Server 2008 R2, and then click Next.
   Note: The choice does not affect the outcome of this step-by-step guide.
   f. On the Additional Domain Controller Options page, ensure that DNS server is selected, and then click Next.
   g. On the notice dialog that indicates that a delegation for the DNS server cannot be created, click Yes.
   h. On the Location for Database, Log Files, and SYSVOL page, click Next.
   i. On the Directory Services Restore Mode Administrator Password page, type Pass@word1 in both text boxes, and then click Next.
   j. On the Summary page, click Next.
   k. On the progress dialog box, select Reboot on completion.
   l. On the Completing page, click Finish, and then click Restart Now.

Important: You must allow the computer to restart after installing Active Directory before proceeding.
Configuring VPN1
VPN1 is a computer running Windows Server 2008 R2 that provides the following roles and services:
   Active Directory Certificate Services, a certification authority (CA) that issues the computer certificate to a VPN server required for a remote connection with VPN Reconnect.
   Certification Authority Web Enrollment, a service that enables the issuing of certificates through a Web browser.
   Web Server (IIS), which is installed as a required role service for Certification Authority Web Enrollment.
   Network Policy and Access Services, which provides support for VPN connections through NPS and RRAS.

VPN1 configuration consists of the following steps:
   Install the operating system.
   Configure TCP/IP for Internet and intranet networks.
   Name the computer and join the Contoso.com domain.
   Install the Active Directory Certificate Services and Web Server (IIS) server roles.
   Create and install the Server Authentication certificate.
   Install the NPAS server role.
   Configure VPN1 to be a VPN server.
   Configure the NPS server to grant access for EAP-MSCHAPv2 authentication.
Configure TCP/IP
Configure TCP/IP properties so that VPN1 has a static IP address of 131.107.0.2 for the public (Internet) connection and 192.168.0.2 for the private (intranet) connection.

To configure TCP/IP properties
1. On VPN1, in the Initial Configuration Tasks window, under 1. Provide Computer Information, click Configure networking.
2. In the Network Connections dialog box, right-click the connection for the adapter that is connected to the public (Internet) network, and then click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Click Use the following IP address, and configure the following settings:
   a. In IP address, type 131.107.0.2.
   b. In Subnet mask, type 255.255.0.0.
   c. Do not configure a default gateway or DNS server on this connection.
   d. Click OK twice to return to Network Connections.
5. Right-click the connection for the adapter that is connected to the private network, and then click Properties.
6. Click Use the following IP address, and configure the following settings:
   a. In IP address, type 192.168.0.2.
   b. In Subnet mask, type 255.255.255.0.
   c. Do not configure a default gateway on this connection.
   d. In Preferred DNS server, type 192.168.0.1.
   e. Click OK twice to return to Network Connections.
7. To rename the network connections, right-click a network connection, and then click Rename.
8. Rename the network connections with the following names:
   a. On the interface connected to the public (Internet) network, type Public.
   b. On the interface connected to the private (intranet) network, type Private.
9. Close the Network Connections window.

Use the ping command to verify network connectivity between VPN1 and DC1, and to verify that VPN1 can use DC1 for name resolution.

To use the ping command to check network connectivity
1. On VPN1, click Start, click Run, in the Open box, type cmd, and then click OK. In the Command Prompt window, type ping dc1 /4.
2. Verify that you can successfully ping DC1.
3. Close the Command Prompt window.
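The same VPN1 addressing can be applied from an elevated prompt with netsh, which is handy when the lab is rebuilt. The script below is an added example and is not part of this guide. It assumes the adapter on the Internet side is still called "Local Area Connection" and the adapter on the intranet side "Local Area Connection 2" (both assumptions; confirm with netsh interface show interface before running), and it uses only netsh commands that ship with Windows Server 2008 R2.

```powershell
# Added example: configure VPN1's two adapters from the command line instead of the GUI.
# Run in an elevated PowerShell prompt on VPN1. The adapter names are assumptions;
# list the real ones first with:  netsh interface show interface
$publicAdapter  = "Local Area Connection"     # assumed: adapter on the 131.107.0.0/16 (Internet) side
$privateAdapter = "Local Area Connection 2"   # assumed: adapter on the 192.168.0.0/24 (intranet) side

function Invoke-Netsh([string]$CommandLine) {
    # Run one netsh command and stop on the first failure, so a mistyped adapter
    # name does not leave VPN1 half-configured.
    Write-Host "netsh $CommandLine"
    $output = cmd.exe /c "netsh $CommandLine 2>&1"
    if ($LASTEXITCODE -ne 0) { throw "netsh failed: $CommandLine`n$output" }
    return $output
}

# 1. Give the adapters the names the guide uses, so later steps can refer to Public and Private.
Invoke-Netsh "interface set interface name=`"$publicAdapter`" newname=`"Public`""
Invoke-Netsh "interface set interface name=`"$privateAdapter`" newname=`"Private`""

# 2. Public (Internet) side: static address, no default gateway and no DNS server.
Invoke-Netsh "interface ipv4 set address name=`"Public`" source=static address=131.107.0.2 mask=255.255.0.0"
Invoke-Netsh "interface ipv4 set dnsservers name=`"Public`" source=static address=none validate=no"

# 3. Private (intranet) side: static address, no default gateway, DC1 as the only DNS server.
Invoke-Netsh "interface ipv4 set address name=`"Private`" source=static address=192.168.0.2 mask=255.255.255.0"
Invoke-Netsh "interface ipv4 set dnsservers name=`"Private`" source=static address=192.168.0.1 register=primary validate=no"

# 4. Verify: VPN1 must reach DC1 by name (through DC1's DNS) before any later step will work.
$reply = Test-Connection -ComputerName dc1 -Count 2 -ErrorAction SilentlyContinue
if ($reply) {
    "VPN1 can reach DC1 at $($reply[0].IPV4Address) via the Private adapter"
} else {
    throw "ping dc1 failed: check the Private adapter settings and that DC1's DNS is running"
}
```

Running netsh through cmd.exe keeps the quoted adapter names intact and exposes netsh's exit code in $LASTEXITCODE, which is what the guard in Invoke-Netsh checks.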
Enrollment? dialog box, click Add Required Role Services.
8. Click Next.
9. On the Specify Setup Type page, select Enterprise, and then click Next.
10. On the Specify CA Type page, select Root CA, and then click Next.
11. On the Set Up Private Key page, select Create a new private key, and then click Next.
12. On the Configure Cryptography for CA page, click Next to accept the default cryptographic settings.
13. On the Configure CA Name page, click Next to accept the default CA common name and suffix.
14. On the Set Validity Period page, click Next to accept the default validity period.
15. On the Configure Certificate Database page, click Next to accept the default locations.
16. On the Web Server (IIS) page, click Next.
17. On the Select Role Services page, click Next to accept the default choices.
18. In the Confirm Installation Selections dialog box, click Install. The installation might take several minutes.
19. In the Installation Results dialog box, click Close.
9. On the Subject Name tab, select Supply in the request. If a warning message appears, click OK.
10. On the Extensions tab, select Application Policies, and then click Edit.
11. The IP security IKE intermediate policy is already present. Keep it. If there are any others, select them and click Remove.
12. Click Add, select Server Authentication, and then click OK.
13. Click OK to return to the Extensions tab.
14. Select Key Usage, and then click Edit.
15. In the Signature section, ensure that Digital signature is selected. If it is, click Cancel. If it is not, select it, and then click OK.
16. Click OK to save your completed template.
17. Close the Certificate Templates Console window.

The certificate template has been created. It must be issued before it can be used to request a certificate.

To issue the certificate template
1. In the Certification Authority console window, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
2. In the Enable Certificate Templates dialog box, select VPN Reconnect, and then click OK.

The template is now ready to be used for certificate requests. Before you can request one, you must configure Internet Explorer security settings to work with the certificate publishing web page.

To configure Internet Explorer to allow certificate publishing
1. On VPN1, click Start, right-click Internet Explorer, and then click Run as administrator.
2. Click Tools, and then click Internet Options.
3. On the Security tab, under Select a zone to view or change security settings, click Local intranet.
4. Change the security level for Local intranet from Medium-low to Low, and then click OK.
Note: In a real-world scenario, you should configure individual ActiveX control settings using Custom level rather than lowering the overall security level.

Internet Explorer is now ready to be used to request and install certificates on the local computer.
To request a Server Authentication certificate using Internet Explorer
1. On VPN1, in the Internet Explorer address bar, type http://localhost/certsrv, and then press ENTER.
2. Under Select a Task, click Request a Certificate.
3. Under Request a Certificate, click Advanced Certificate Request.
4. Under Advanced Certificate Request, click Create and submit a request to this CA.
5. On the first confirmation dialog box, click Yes to allow the ActiveX control.
6. On the second confirmation dialog box, click Yes to allow the certificate operation.
7. In the Certificate Template list, select VPN Reconnect.
8. Under Identifying Information, in the Name field, type vpn1.contoso.com.
   Note: The name is the certificate subject name and must be the same as the Internet address used in the IKEv2 connection settings configured later in this document.
9. Under Key Options, select Mark keys as exportable, and then click Submit.
10. Click Yes in each of the confirmation dialog boxes.

The server authentication certificate is created in the user personal store. It must be moved to the machine store to be used.

To move the certificate to the machine store
1. On VPN1, click Start, type MMC, and then press ENTER.
2. In Console1, click File, and then click Add/Remove Snap-in.
3. Under Available snap-ins, click Certificates, and then click Add.
4. Click Finish to accept the default setting of My user account.
5. Click Add a second time, click Computer account, and then click Next.
6. In the Select Computer dialog box, click Finish to accept the default setting of Local computer.
7. Click OK to close the Add or Remove Snap-ins dialog box.
8. In the navigation tree, expand Certificates - Current User, expand Personal, and then click Certificates.
9. In the details pane, right-click the vpn1.contoso.com certificate, click All Tasks, and then click Export.
10. On the Welcome page, click Next.
11. On the Export Private Key page, click Yes, export the private key, and then click Next.
12. On the Export File Format page, click Next to accept the default file format.
13. On the Password page, type Pass@word1 in both text boxes, and then click Next.
14. On the File to Export page, click Browse.
15. Under Favorites, click Desktop.
16. In the File name text box, type vpn1cert, and then click Save to save the certificate to the desktop.
17. Back on the File to Export page, click Next.
18. On the Completing the Certificate Export Wizard page, click Finish to close the wizard, and then click OK in the confirmation dialog box.
19. In the console tree pane, expand Certificates (Local Computer), and then expand Personal.
20. Right-click Certificates, point to All Tasks, and then click Import.
21. On the Welcome page, click Next.
22. On the File to Import page, click Browse.
23. Under Favorites, click Desktop.
24. In the file type drop-down list, select Personal Information Exchange (*.pfx, *.p12).
25. In the list of files, double-click vpn1cert.
26. Back on the File to Import page, click Next.
27. On the Password page, type Pass@word1, and then click Next.
28. On the Certificate Store page, click Next to accept the Personal store location.
29. Click Finish to close the Certificate Import Wizard, and then click OK in the confirmation dialog box.

To generate the trusted root certificate
1. On VPN1, in the Internet Explorer address bar, type http://localhost/certsrv, and then press ENTER.
2. Under Select a task, click Download a CA certificate, certificate chain, or CRL.
3. Click Yes to allow the ActiveX control, and Yes to allow the certificate operation.
4. Click Download CA certificate.
5. Click Save, select Desktop, type the name RootCACert, click Save, and then click Close. Later, you will move this certificate to the CLIENT1 computer.

Important: The root certificate for the CA is already installed on VPN1, because the root certificate for a CA is installed when the computer is made a CA. If your CA is a separate computer from VPN1, then you must separately download and install the root CA certificate to VPN1.
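Most IKEv2 failures in a lab like this trace back to the server certificate: it ended up in the user store instead of the machine store, the private key did not come across in the export, an application policy was removed from the template, or the subject name does not match the address the client dials. The PowerShell check below is an added example, not part of this guide; it runs on VPN1 after the import above, uses the guide's own host name and store names, and relies on the standard OIDs for the two application policies the template keeps (Server Authentication is 1.3.6.1.5.5.7.3.1, IP security IKE intermediate is 1.3.6.1.5.5.8.2.2). It works with the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example: confirm the certificate VPN1 will present to IKEv2 clients is usable.
# Run on VPN1 after importing vpn1cert into Certificates (Local Computer) \ Personal.
$expectedSubject = "vpn1.contoso.com"    # must equal the Internet address CLIENT1 dials
$serverAuthOid   = "1.3.6.1.5.5.7.3.1"   # Server Authentication application policy
$ikeIntermOid    = "1.3.6.1.5.5.8.2.2"   # IP security IKE intermediate application policy
$x509 = "System.Security.Cryptography.X509Certificates"

# Look only in the machine store: a certificate left in the user store is invisible to RRAS.
$store = New-Object "$x509.X509Store"("My", "LocalMachine")
$store.Open("ReadOnly")
$candidates = $store.Certificates | Where-Object {
    $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false) -eq $expectedSubject
}
$store.Close()

if (-not $candidates) {
    throw "No certificate for $expectedSubject in Certificates (Local Computer)\Personal: the export/import step did not reach the machine store"
}

foreach ($cert in $candidates) {
    $problems = @()

    # The key must have travelled with the .pfx ("Yes, export the private key").
    if (-not $cert.HasPrivateKey) { $problems += "private key missing: re-export with the private key included" }

    # Both application policies the template carries must be present.
    $eku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($oids -notcontains $serverAuthOid) { $problems += "Server Authentication application policy missing from the template" }
    if ($oids -notcontains $ikeIntermOid)  { $problems += "IP security IKE intermediate application policy missing from the template" }

    if ($cert.NotAfter -lt (Get-Date)) { $problems += "certificate expired on $($cert.NotAfter)" }

    # CLIENT1 will later build a chain to RootCACert; VPN1 must already be able to build the same chain.
    $chain = New-Object "$x509.X509Chain"
    # Lab CA: its CRL is not published anywhere the client can reach, so do not fail on revocation checking.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
        $problems += "chain does not build to a trusted root: $status"
    }

    if ($problems.Count -eq 0) {
        "OK: $($cert.Subject) (thumbprint $($cert.Thumbprint)) is ready for IKEv2"
    } else {
        "NOT READY: $($cert.Subject)"
        $problems | ForEach-Object { "  - $_" }
    }
}
```

The subject comparison uses the certificate's simple name (the CN) rather than a substring match on the full subject string, so a certificate issued to a similarly named host does not pass by accident.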
To install the NPS and RRAS service roles
1. On VPN1, in the Initial Configuration Tasks window, under Customize This Server, click Add roles.
   Note: If the Initial Configuration Tasks window is not already open, you can open it by clicking Start, typing oobe in the text box, and then clicking OK.
2. On the Before You Begin page, click Next.
3. On the Select Server Roles page, click Network Policy and Access Services, and then click Next.
4. On the Network Policy and Access Services page, click Next.
5. On the Select Role Services page, select both Network Policy Server and Routing and Remote Access Services, and then click Next.
6. On the Confirm Installation Selections page, click Install.
7. On the Installation Results page, click Close.

Now that the services are installed, you can configure them.

9. On the Address Range Assignment page, click New.
10. On the New IPv4 Address Range dialog box, in Start IP address type 192.168.0.200, in End IP address type 192.168.0.210, click OK to add the range, and then click Next. (This is the set of IP addresses available to assign to VPN clients.)
11. On the Managing Multiple Remote Access Servers page, click Next to accept the default setting of not working with a RADIUS server. In this scenario, RRAS uses Windows Authentication.
12. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.
13. On the warning about possible NPS policy conflicts, click OK.
14. On the warning about the need to configure the DHCP Relay Agent, click OK.
Configure the Network Policy Server (NPS) to grant access for EAP-MSCHAPv2 authentication
Configure VPN1 by using Network Policy Services (NPS) to enable and configure the remote access policies required for an IKEv2-based VPN connection.

Note: You can also choose to install NPS on DC1 or any other server. NPS running on Windows Server 2008 is also supported. For the sake of simplicity in this guide, we are deploying it on VPN1.

IKEv2 supports both machine certificate and EAP-based authentication. NPS is required when using EAP-based authentication, and is not required when using machine certificate-based authentication.

Configuring the NPS server
1. On VPN1, click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. In the Routing and Remote Access navigation tree, expand VPN1 (local).
3. Right-click Remote Access Logging & Policies, and then select Launch NPS.
4. In the Network Policy Server window, in the Network Access Policies section, click the Network Access Policies link.
5. Double-click Connections to Microsoft Routing and Remote Access server.
6. On the Overview tab, in the Access Permission section, select Grant access. Grant access if the connection request matches this policy.
7. On the Constraints tab, in the Constraints list, select Authentication Methods.
8. If Microsoft: Secured password (EAP-MSCHAPv2) is not present in the EAP Types list, then follow these steps:
   a. Click Add.
   b. In the Add EAP dialog box, select Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.
9. Select Microsoft: Smart Card or other certificate, and then click Remove to remove the EAP type.
10. Click OK to save your changes.
11. Close the Network Policy Server window.
Configuring CLIENT1
CLIENT1 is a computer running Windows 7 that functions as a remote access VPN client for the Contoso.com domain. CLIENT1 configuration consists of the following steps:
   Install the operating system.
   Configure TCP/IP.
   Configure the VPN client with the root certificate.

Note: When configuring the client, a trusted root certificate is not required when using EAP-based authentication. However, the trusted root certificate is required when computer-certificate-based authentication is used.
Configure TCP/IP
Configure TCP/IP properties so that CLIENT1 has a static IP address of 131.107.0.3 for the public (Internet) connection.

To configure TCP/IP properties
1. On CLIENT1, click Start, and then click Control Panel.
2. Under Network and Internet, click View network status and tasks.
3. In Network and Sharing Center, click Change adapter settings.
4. In Network Connections, right-click Local Area Connection, and then click Properties.
5. In the Local Area Connection Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
6. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address. In IP address, type 131.107.0.3, and in Subnet mask, type 255.255.0.0.
7. Click OK, and then click Close.

Configure the hosts file to have a record for VPN1. This simulates a real-world scenario in which the corporate VPN server would have a publicly resolvable host name.

To configure the hosts file
1. On CLIENT1, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. In the User Account Control dialog box, click Continue.
3. In the Administrator: Command Prompt window, type the following and then press ENTER: notepad %windir%\system32\drivers\etc\hosts
4. Add the following text on a new line at the end of the document: 131.107.0.2 vpn1.contoso.com
5. Save and close the hosts file.

Use Windows Firewall with Advanced Security to ensure that the appropriate firewall rules are enabled.

To ensure that appropriate firewall rules in Windows Firewall with Advanced Security are enabled and configured to allow connections
1. On VPN1, click Start, type wf.msc, and then press ENTER.
2. In the navigation tree, click Inbound Rules.
3. In the details pane, double-click File and Printer Sharing (Echo Request - ICMPv4-In) for the Private and Public profiles.
4. In the rule properties dialog box, under General, select Enabled, under Action, select Allow the connection, and then click OK.
5. Close the Windows Firewall with Advanced Security window.

For the purposes of this test lab, a successful ping response from vpn1.contoso.com to CLIENT1 signifies that the remote user can connect to the office VPN server over the public Internet.

To use ping to verify connection to vpn1.contoso.com
1. On CLIENT1, in the Administrator: Command Prompt window, type ping vpn1.contoso.com, and then press ENTER.
2. Verify that you can successfully ping VPN1.
3. Close the Command Prompt window.
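The hosts entry, the firewall rule and the ping check above can be scripted and, more usefully, made idempotent so they are safe to re-run after a lab rebuild. The PowerShell below is an added example and not part of this guide. It decides what to do from the computer name (an assumption: the guide never names the client, so set $env:COMPUTERNAME or call the functions directly if your client is not called CLIENT1), uses the address, host name and rule name from the procedure, and additionally makes sure the three kinds of inbound traffic an IKEv2 tunnel needs are allowed on VPN1: UDP 500 for IKE, UDP 4500 for IKE and ESP encapsulated in UDP when a NAT sits in the path, and IP protocol 50 for ESP. The rule names prefixed "Lab IKEv2" are the example's own.

```powershell
# Added example: idempotent versions of the hosts-file, firewall and reachability steps.
# Run elevated. Which part runs is chosen by computer name (assumption, see lead-in).

function Set-Client1HostsEntry {
    # Append "131.107.0.2 vpn1.contoso.com" to the hosts file unless it is already there.
    $hosts = Join-Path $env:windir "system32\drivers\etc\hosts"
    $entry = "131.107.0.2 vpn1.contoso.com"
    $existing = Get-Content $hosts
    if ($existing -match '^\s*131\.107\.0\.2\s+vpn1\.contoso\.com\s*(#.*)?$') {
        "hosts entry already present"; return
    }
    # Start on a fresh line even if the file does not end with a newline.
    $text = [System.IO.File]::ReadAllText($hosts)
    $prefix = ""
    if ($text.Length -gt 0 -and -not $text.EndsWith("`n")) { $prefix = "`r`n" }
    [System.IO.File]::AppendAllText($hosts, $prefix + $entry + "`r`n")
    "added '$entry' to $hosts"
}

function Enable-Vpn1FirewallRules {
    # Windows Firewall on VPN1 is the "firewall" of the lab diagram. Enable the echo-request
    # rule the guide turns on (set rule applies to every profile that has a rule of that name).
    & netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes | Out-Null

    # Inbound traffic an IKEv2 tunnel needs. Rule names are this example's own.
    $rules = @(
        @{ Name = "Lab IKEv2 IKE (UDP 500 in)";        Match = "protocol=UDP localport=500"  },
        @{ Name = "Lab IKEv2 NAT-T (UDP 4500 in)";     Match = "protocol=UDP localport=4500" },
        @{ Name = "Lab IKEv2 ESP (IP protocol 50 in)"; Match = "protocol=50"                 }
    )
    foreach ($rule in $rules) {
        $shown = (& netsh advfirewall firewall show rule name="$($rule.Name)" 2>&1) -join "`n"
        if ($shown -notmatch "No rules match") { "rule already present: $($rule.Name)"; continue }
        cmd.exe /c "netsh advfirewall firewall add rule name=`"$($rule.Name)`" dir=in action=allow $($rule.Match)" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "could not add firewall rule $($rule.Name)" }
        "added rule: $($rule.Name)"
    }
}

function Test-Client1Reachability {
    # Name resolution must come from the hosts entry, and the echo must get through VPN1's firewall.
    $resolved = [System.Net.Dns]::GetHostAddresses("vpn1.contoso.com") | Select-Object -First 1
    if ("$resolved" -ne "131.107.0.2") {
        throw "vpn1.contoso.com resolved to '$resolved', expected 131.107.0.2: hosts entry missing or overridden"
    }
    if (Test-Connection -ComputerName vpn1.contoso.com -Count 2 -Quiet) {
        "VPN1 reachable from CLIENT1 over the simulated Internet"
    } else {
        throw "ping vpn1.contoso.com failed: check CLIENT1's address and the ICMPv4-In rule on VPN1"
    }
}

switch ($env:COMPUTERNAME.ToUpper()) {
    "VPN1"    { Enable-Vpn1FirewallRules }
    "CLIENT1" { Set-Client1HostsEntry; Test-Client1Reachability }
    default   { throw "Run this on VPN1 or CLIENT1 (or call the functions directly)" }
}
```

The presence check parses the "No rules match the specified criteria." message that netsh prints when a named rule is absent, rather than the exit code, because that message is the one stable signal across the netsh versions in this lab.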
Creating and Configuring the Remote Connection with VPN Reconnect on CLIENT1
On CLIENT1, you use Network and Sharing Center to create a connection to vpn1.contoso.com and save the connection. You then configure the properties of that connection to use VPN Reconnect.

To create the VPN Reconnect connection to vpn1.contoso.com
1. On CLIENT1, click Start, and then click Control Panel.
2. Under Network and Internet, click View network status and tasks.
3. In Network and Sharing Center, click Set up a new connection or network.
4. Click Connect to a workplace, and then click Next.
5. Click Use my Internet connection (VPN).
6. Click I'll set up an Internet connection later.
7. In Internet address, type vpn1.contoso.com. In Destination name, type VPN Reconnect Connection, and then click Next.
8. In the Type your user name and password dialog box, type the following information:
   In User name, type user1.
   In Password, type Pass@word1.
   Click Remember this password.
   In Domain, type contoso.
9. Click Create, and then click Close.

To configure and test the VPN Reconnect Connection
1. On CLIENT1, in Network and Sharing Center, click Change adapter settings.
2. Double-click VPN Reconnect Connection, and then click Properties.
3. On the Security tab, in the Type of VPN list, select IKEv2, and then click OK.
4. In the Connect VPN Reconnect Connection dialog box, click Connect.
5. If the Set Network Location dialog box appears, select Work.

CLIENT1 should successfully connect to VPN1 using the VPN Reconnect connection. To verify the connection, access the corporate file server from CLIENT1 using the VPN Reconnect connection you just set up.
To test the remote connection by connecting to a remote file share
1. Click Start, click All Programs, click Accessories, and then click Run.
2. Click Start, type \\dc1.contoso.com\corpdata, and then press ENTER.
3. Double-click VPNTest to open it, add some text, and then save the file.
4. Close Notepad.
5. In the Network Connections window, right-click VPN Reconnect Connection, and then click Disconnect.
To establish the Internet interface through a wireless (or other) network connection
1. In Network and Sharing Center, click Connect to a network.
2. Select the wireless (or other) Internet connection from the list of available connections, and then click Connect.
3. Open Network and Sharing Center and, under View your active networks, note the identifying details shown for your new Internet interface.
4. Wait for a few seconds until Internet connectivity is restored. The VPN Reconnect connection automatically restores application connectivity after Internet connectivity is restored.
5. Click the network icon in the notification area of the taskbar again. The status of your connection changes to Dormant: waiting to reconnect, and then changes to Connected.
6. Click Start, type cmd, and then press ENTER.
7. In the Command Prompt window, type ping dc1.contoso.com.
8. Verify that you can successfully ping DC1 again.
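The connect, share test and link-switch test from the last three procedures can be driven from CLIENT1 with rasdial, and a watch loop makes the Dormant-to-Connected transition visible as timestamps instead of a tooltip you have to catch. The script below is an added example and not part of this guide. It uses the connection name, user, domain and share the guide creates; the 120-second watch window is an assumption. rasdial with "*" as the password prompts for it at the console, so the password is not stored in the script; after the connection is up, you switch the Internet adapter by hand as in the procedure above.

```powershell
# Added example: dial the saved entry, prove the intranet path, then watch the tunnel while
# the Internet interface is switched. Run on CLIENT1 in a PowerShell prompt.
$entry        = "VPN Reconnect Connection"     # the entry created in Network and Sharing Center
$share        = "\\dc1.contoso.com\corpdata"   # the share the guide opens to verify the tunnel
$watchSeconds = 120                            # assumption: long enough to swap adapters by hand

function Get-RasState {
    # rasdial with no arguments lists active entries, or prints "No connections".
    $listing = (& rasdial) -join " "
    if ($listing -match [regex]::Escape($entry)) { "Connected" } else { "Disconnected" }
}

function Test-IntranetPath {
    # The tunnel is only useful if DC1 answers through it; ping is what the guide verifies with.
    Test-Connection -ComputerName dc1.contoso.com -Count 1 -Quiet -ErrorAction SilentlyContinue
}

# 1. Dial. "*" makes rasdial prompt for the password instead of taking it on the command line.
& rasdial $entry "user1" "*" /DOMAIN:contoso
if ($LASTEXITCODE -ne 0) {
    throw "rasdial failed with RAS error $LASTEXITCODE (look it up with: net helpmsg $LASTEXITCODE)"
}

# 2. Same verification the guide performs: the share on DC1 must be reachable through the tunnel.
if (-not (Test-Path $share)) { throw "tunnel is up but $share is not reachable: check NPS policy and address range" }
"Connected; $share reachable. Now switch the Internet interface (wired to wireless) by hand."

# 3. Watch once a second and print only state changes. While the link is swapped, the entry can
#    stay listed (dormant) although the intranet path is gone; the ping column shows the gap and
#    the moment VPN Reconnect restores it.
$last = ""
$deadline = (Get-Date).AddSeconds($watchSeconds)
while ((Get-Date) -lt $deadline) {
    $state = "{0} / intranet ping {1}" -f (Get-RasState), (Test-IntranetPath)
    if ($state -ne $last) {
        "{0:HH:mm:ss}  {1}" -f (Get-Date), $state
        $last = $state
    }
    Start-Sleep -Seconds 1
}

# 4. Leave the lab as the guide does: disconnect the entry.
& rasdial $entry /DISCONNECT | Out-Null
"Disconnected $entry"
```

The watch loop deliberately prints transitions only, so the log for a successful test reads as a short sequence: connected with intranet reachable, a few seconds of intranet unreachable while the wired link goes down and the wireless one comes up, then connected with intranet reachable again without any new rasdial call.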
Conclusion
In this guide you configured a lab computer to serve as a VPN gateway server that could accept IKEv2-based VPN connections from a remote client. For more information about RRAS and VPN servers, see Routing and Remote Access Server (http://go.microsoft.com/fwlink/?linkid=149606) in the Windows Server Technical Library.