Configure Forefront TMG as a NPS (Radius) Client for VPN and local clients

In this article, I will describe how to configure Forefront TMG as a RADIUS client. As a radius client FF TMG act as a messenger sending RADIUS request to NPS for authentication and authorization of VPN connection. The following Visio diagram shows placement of TMG as radius client.

image

To configure FF TMG as a RADIUS client

Log on to TMG server, open Forefront TMG Management console, click Remote Access Policy (VPN)>click Radius Server or Specify RADIUS Configuration.

35

You will see VPN property. On the RADIUS tab, click Use RADIUS for authentication>click RADIUS Servers.

34

click Add. Type Server name or IP address of the NPS server. create a new shared secret. This Shared Secret will be same as shared secret in NPS server when you add TMG as a client in NPS.

  4

3

Click OK>Click OK. Apply Changes and click ok.

Note: Above configuration apply for ONLY VPN clients.

To configure Forefront TMG to authenticate local client

33

Open Forefront TMG Management console, click the Firewall Policy node>Click Tasks pane> click Configure Client Access. Select Internal (Local Networks)>click Configure.

29

30

Click on Web Proxy tab>click Authentication> Under Method, clear any other selected methods, and then select RADIUS. Click RADIUS Servers>click Add.

31

32

Now add Server name or IP address of the RADIUS server, add New Shared secret as you did in previous steps. Apply changes you have made. 

To create Radius Firewall Policy using FF TMG 2010

Open Forefront TMG Management console, right click the Firewall Policy node>Click New>Click Access Policy. You will see new policy wizard. Type the name of the policy>Click next

9

10

Click Allow on Rule Action>Click Add on protocol property>add Radius and Radius Accounting protocol

11

12

On the access rule window, add VPN clients as source. If you are creating this policy for internal clients than add internal networks instead of VPN clients.

13

Specify destination that is NPS server location on the next screenshot. in this article NPS server is placed in internal networks so I added internal network.

14

On the next window, add Active Directory Group which this rule has been applied for.

15

16

Click Finish and apply changes.

17

8

Note: you have to create firewall policy for the clients. In this example, I have shown firewall policy for VPN client. If you want to create policy for internal client, you have to change source of clients. Protocol will be same as shown above screen shots.

To add Forefront TMG as a RADIUS client on NPS

Log on to Network Policy Server, Open NPS management console>right click RADIUS Clients>click New RADIUS Client.

18

On the New RADIUS Client dialog box>type a name>type a description of FF TMG>Type IP address of Forefront TMG. In the shared secret box, type a shared secret. This shared secret is the same shared secret you typed in FF TMG as mentioned at the beginning of this article.

19

21

Select the RADIUS client is NAP-capable check box, if you want to enforce VPN client’s health policy. click OK.

20

To enforce Health Policy for VPN clients:

On Network Policy Server or a different windows server 2008, open Server Manager>Click Role>Click Add Role>Select Health Registration Authority Role>Click Next and follow the screenshots.

22

Open NPS Management Console>Right Click on Health Policy>Click New

23

Type Policy Name>Select Client’s SHV Checks>Check Windows Security Health Validator

24

Select and Check appropriate firewall policy, windows update and antivirus update policy. Apply and Click Ok.

25

2627

Click Configure to add remediation server for health registration.

28

 

 

Step by Step guide to build a Cisco wireless infrastructure using Cisco WLC 5500, Cisco 1142 AP and Microsoft Radius server

Pre-requisites:

  1. Microsoft Active Directory and DNS
  2. DHCP Server with new scope configured
  3. IP helper-address configured
  4. Microsoft Radius (IAS) Server 2003 or Microsoft Network Policy Server 2008
  5. Microsoft Enterprise root CA
  6. Cisco Wireless LAN controller (WLC) 5500
  7. Cisco AIR-LAP1142N wireless access point (AP)
  8. Separate VLAN for wireless infrastructure
  9. WLC, AP and IAS placed in same VLAN
  10. Windows 7 or Windows XP or Mac OSX/snow leopard client

Assumptions:

1) AD and DNS working perfect.

2) DHCP Server IP: 10.10.9.4

New scope for Wireless Network

IP range: 10.10.10.1-10.10.11.254 Subnet Mask:255.255.255.0

Gateway:10.10.10.1 Exclusion:10.10.10.1-10.10.10.10

NTP :10.10.9.5

3) WLC

IP:10.10.10.2 WLC subnet:255.255.255.0 Gateway:10.10.10.1

Time provider:10.10.9.5

4) IAS IP:10.10.10.3 subnet:255.255.255.0 Gateway:10.10.10.1

5) IP ranges 10.10.10.1-10.10.11.254 added in the internal networks in ISA or forefront TMG.

6)Interface 1 of WLC connected to a trunk port of Layer3 switch or core switch

7)wireless infrastructure VLAN ID/Tag 100

Add Lightweight Cisco Aironet 1142 in DHCP Server

Note: Follow these steps for newly added DHCP scope mentioned in assumptions.

1.In order to configure these options in the Windows DHCP server, open the DHCP Server Administration Tool or MMC. Right-click the DHCP root, and then choose Define Vendor Classes.

2.The DHCP Vendor Classes utility appears. Click Add.

3.A New Class configuration box appears. Enter a value for the Display Name field, for example, “Cisco Aironet c1142 AP”, and an appropriate description such as “Vendor Class identifier for Cisco Aironet c1142 AP”. Click the ASCII Section and enter the appropriate string value such as “Cisco AP c1142” (without inverted coma) for the Vendor Class Identifier. Click OK. Then, click Close on the DHCP Vendor Classes window.

4.Add an entry for the WLAN controller sub-type as a pre-defined option configured for the Vendor Class. Right-click the DHCP Server Root, and then choose Set Predefined Options.

5.Choose the newly created Vendor Option Class in the Option Class field, and then click Add.

6.The Option Type box appears. In the Name field, enter a string value, for example, Option 43. Choose IP Address as the Data Type. Check the Array check box. In the Code field, enter the sub-option code value 241 (0xf1). Enter a Description such as Wireless LAN Controller IP address. Click OK.

7.The Vendor Class and sub-option are now programmed into the DHCP server. Now, the vendor specific information must be defined for the AP DHCP scope. Choose the appropriate DHCP scope. Right-click Scope Options, and choose Configure Options.

8.Click the Advanced tab. Choose the Vendor Class you previously defined. Check the 241 Option 43 check box, and then enter each WLC management interface IP address(s) Example: 10.10.10.2. Click Apply.

9.Once you complete this step, the DHCP Option 43 is configured. This DHCP option is IP address, the DHCP server sends the option 43 as well as to the LAPs. Now the DHCP option 43 (241 Cisco Wireless AP) that is made available for a newly created DHCP scope for Cisco.

10. To verify, click on the scope options in the newly created DHCP scope, you will see 241 Cisco Wireless AP or what you mentioned in Description.

Add a new VLAN in core switch(example: Cisco 4506) or L3 switch:

Note: Entire wireless infrastructure will be placed in this VLAN.

Switch#vlan database

Switch(vlan)#vlan 100

Switch(vlan)#name Wireless Network

Switch(vlan)#exit

switch#configure terminal

Switch(config-if)#interface vlan 100

Switch(config-if)#Description Wireless Network

Switch(config-if)#ip helper-address 10.10.9.4

Switch(config-if)#IP address 10.10.10.1 255.255.255.0

Switch(config-if)#no shutdown

Switch(config-if)#end

switch#wr

Create a Trunk Port in Core switch (Cisco 4506) or L3 Switch

Note: This trunk will be connecting with Cisco WLC 5500 using CAT6 or Fibre optic.

Switch# configure terminal

Switch(config)#interface gigabitethernet  6/11

(6/11 means Module 6 and Port 11)

Switch(config)#switchport trunk encapsulation dot1q

Switch(config)#SwitchPort Mode trunk

Switch(config)#end

Switch# wr                                              

Switch#show run

Create VLAN  in a switch (Example: Cisco 2960G)

Note: This port will be connecting with Cisco 1142 AP. Wherever you want an wireless AP, configure a port with same vlan. For this article VLAN 100. connect AP with this port after configuring the following. repeat for all the APs.                     

Switch# configure terminal

Switch(config)#

Switch(config)#interface Gigabitethernet 0/7           

Switch(config)#switchport access vlan 100            

Switch(config)#end

Switch# wr             

Create AAA Server(s):

Authorization: IAS Policies (Remote Access Policies applied in IAS server for wireless 802.1x)

Authentication:Radius Server (EAP Type:PEAP,Encryption: MSCHAPv2)

Accounting:Radius server (Logs any successful and/or failed connection attempt)   

Use this link to configure Enterprise Root CA  

Install IAS in a member server. Install computer certificate in the IAS server and create new policy using this link Configure PEAP and EAP methods or follow step by step guide line in these links configure Microsoft Radius Server and Network Policy Server . It would redundant to write again.

Cisco 5500 Series Wireless Controller Installation Guide Using the Start-up Wizard

Mount Cisco 5500 in rack. Connect WLC with laptop using console port. Connect WLC with core switch or L3 switch using CAT6 cable or fibre optic if you have SFP. Now power on WLC.

Note The available options appear in brackets after each configuration parameter. The default value appears in all uppercase letters.

Note Press the hyphen key if you need to return to the previous command line. To configure the controller for basic operation using the Start-up Wizard, follow these steps:

Step 1 When prompted to terminate the Auto-Install process, enter yes. If you do not enter yes, the Auto-Install process begins after 30 seconds.

Note The Auto-Install feature downloads a configuration file from a TFTP server and then loads the configuration onto the controller automatically.

Step 2 Enter the system name, which is the name you want to assign to the controller. You can enter up to 32 ASCII characters. (Example:MS_5500)

Step 3 Enter the administrative username and password to be assigned to this controller. You can enter up to 24 ASCII characters for each. The default administrative username and password are admin and admin, respectively.(Example:username:Admin and password:cisco)

Step 4 If you want the controller’s service-port interface to obtain an IP address from a DHCP server, enter

DHCP. If you do not want to use the service port or if you want to assign a static IP address to the service-port interface, enter none.

Important! In Cisco 5500, management interface act as service interface also. No avoid any complicacy, just hit enter in this option. The service-port interface controls communications through the service port. Its IP address must be on a different subnet from the management interface. This configuration enables you to manage the controller directly or through a dedicated management network to ensure service access during network downtime.

Step 5 If you entered none in Step 4, enter the IP address and netmask for the service-port interface on the next two lines.

Step 6 Enable or disable link aggregation (LAG) by choosing yes or no. You may type No if you don’t have two or more Cisco WLC.

Step 7 Enter the IP address, netmask, default router IP address, and optional VLAN identifier (a valid VLAN identifier or 0 for an untagged VLAN) for the management interface.

Note The VLAN identifier should be set to match the switch interface configuration. Example: IP:10.10.10.2 WLC subnet:255.255.255.0 Gateway:10.10.10.1  and VLAN tag/ID 100

Step 8 Enter the IP address of the default DHCP server that will supply IP addresses to clients, the controller’s management interface, and optionally the service-port interface.

Note The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers.Example DHCP Server IP: 10.10.9.4

Step 9 Enter the IP address of the controller’s virtual interface, which will be used by all controller Layer 3 security and mobility managers. You should enter a fictitious, unassigned IP address, such as 1.1.1.1.

Note The virtual interface is used to support mobility management, DHCP relay, and embedded Layer 3 security such as guest web authentication and VPN termination. All controllers within a mobility group must be configured with the same virtual interface IP address.

Step 10 If desired, enter the name of the mobility group/RF group to which you want the controller to belong.

Note Although the name that you enter here is assigned to both the mobility group and the RF group, these groups are not identical. Both groups define clusters of controllers, but they have different purposes. All of the controllers in an RF group are usually also in the same mobility group and vice versa. However, a mobility group facilitates scalable, system-wide mobility and controller redundancy while an RF group facilitates scalable, system-wide dynamic RF management.

Step 11 Enter the network name, or service set identifier (SSID). The initial SSID enables basic functionality of the controller and allows access points that have joined the controller to enable their radios. (Example:Mycompanywireless)

Step 12 Enter yes to allow clients to assign their own IP address or no to make clients request an IP address from a DHCP server. (Type yes in the step)

Step 13 To configure a RADIUS server now, enter yes and then enter the IP address, communication port, and secret key of the RADIUS server. Otherwise, enter no. (Type yes, IAS IP:10.10.10.3 subnet:255.255.255.0 Gateway:10.10.10.1)

Step 14 Enter the code for the country in which the controller will be used.

Note Enter help to view the list of available country codes. (Example: For Australia Country code is AU)

Step 15 Enter yes to enable or no to disable each of the 802.11b, 802.11a, 802.11g, and 802.11n lightweight access point networks. (Type yes)

Step 16 Enter yes to enable or no to disable the controller’s radio resource management (RRM) auto RF feature. (Type yes)

Note The auto RF feature enables the controller to automatically form an RF group with other controllers. The group dynamically elects a leader to optimize RRM parameter settings, such as channel and transmit power assignment, for the group.

Step 17 If you want the controller to receive its time setting from an external Network Time Protocol (NTP) server when it powers up, enter yes to configure an NTP server. Otherwise, enter no. (Type yes,Time provider:10.10.9.5 )

Step 18 If you entered no in the previous step and want to manually configure the system time on your controller now, enter yes. If you do not want to configure the system time now, enter no.

Step 19 If you entered yes in the previous step, enter the current date in MM/DD/YY format and the current time in HH:MM:SS format.

Step 20 When prompted to verify that the configuration is correct, enter yes or no. The controller saves your configuration, reboots, and prompts you to log in.

Verifying Interface Settings and Port Operation

Follow these steps to verify that your interface configurations have been set properly and the controller’s ports are operational.

Step 1 Enter show interface summary. The controller’s current interface configurations appear:

Interface Name Port VLAN Id IP Address Type AP Mgr Guest

———-

management 1 100 10.10.10.2 Static Yes No

service-port N/A N/A 0.0.0.0 Static No No

virtual N/A N/A 1.1.1.1 Static No No

Step 2 Enter show port summary. The following information appears, showing the status of the controller’s distribution system ports, which serve as the data path between the controller and Cisco lightweight access points and to which the controller’s management interface is mapped.

STP Admin Physical Physical Link Link Mcast

Pr Type Stat Mode Mode Status Status Trap Appliance POE

— —

1 Normal Forw Enable Auto 1000 Full Up Enable Enable N/A

2 Normal Forw Enable Auto 1000 Full Up Enable Enable N/A

Configure Security and AAA Server in WLC 5500

1. Open IE or Firefox Type IP address of WLC in the address bar as https://10.10.10.2 (bypass proxy if you need to)and hit enter.

2. Click Login and provide login credentials you created in start-up wizard.

3. Click on Wireless. In the left hand pan click Authentication. You will see the IP address and port number 1812 of Radius Server.

4. In the left hand pan Click on Accounting. Click new on right hand top corner. You will be presented with a window to add Radius server. provide IP of Radius server, Shared secret and Port 1813. Apply changes.

5. Click on WLANs>Click on 1>Click on General Tab>Check Enable on Status and Check Enabled on broadcast SSID

6.Click on Security Tab>Click Layer2 Tab>Select WPA+WPA2 from Layer2  security drop-down list>Check WPA policy and TKIP or WPA2 policy and TKIP. In the same page, in Auth Key Mgmt, select 802.1x. Now click on Apply button.

7.Click on AAA Servers>Select Authentication and Accounting server from the server1 drop down list. here Authentication and Accounting server are Radius Server. Check Enabled in both Authentication and Accounting radio button. Click Apply.

8.In the left hand side top corner, click on to Monitor and scroll down to make sure you see the all APs.

Add WLC 5500 in the IAS server as a Radius Client

1. Log on to IAS server as an administrator.

2.Open Internet Authentication Service from Administrative Tools

3.Right click on Radius Clients>Click add Radius client. You will be presented with new radius client window. Type IP address of WLC 5500 and a Friendly Name such as WLC. Click Next.

4. In the this window, Select Radius Standard as Client-Vendor, Provide shared secret (must be same as WLC configuration in step 13) and repeat shared secret and click finish.

5.Close IAS console and log out.

Testing network

Log on to Windows XP or Windows 7 client as a domain users while client is connected via CAT5 or CAT6 . Make sure this domain user is a member of wireless access group and allowed to have remote access(dialin TAB of AD user property). Install computer and user certificate in that client. Now turn on wireless NIC. unplug CAT5 cable. View available wireless network. Select the SSID, you created in previous steps and double click. You will be connected.

Important! if you setup WPA and TKIP in WLC then you must setup WPA and TKIP in Client also. Similar for WPA2 and TKIP or WPA2 and AES. Both sides must match each other.

For Mac client, see my previous post in the link

Configure Group Policy for 802.1x wireless network

  1. Open the Group Policy Management Console (GPMC).
  2. Create and link a new group policy object with desired OU
  3. Right click on newly created GPO and edit
  4. Go to Computer Configuration, open Windows Settings, open Security Settings, and then select Wireless Network (IEEE 802.11) Policies.
  5. right-click Wireless Network (IEEE 802.11) Policies, and then click Create A New Policy and Type Policy name
  6. Open New Network Policy Properties >Click on preferred network Tab>To add a new profile, click Add>type the SSID that corresponds to the SSID configured on your WLC security tab.
  7. In the Wireless key network, select WPA and TKIP or whatever configured in WLC
  8. In the IEEE 802.1x tab,Set EAPOL start message to transmit per IEEE 802.1x
  9. In the EAP type select PEAP
  10. Check authenticate as computer when computer information is available and also computer authentication with user authentication from drop down box.
  11. Now press Ok, Apply and ok.

Work Around with WLC 5500 

Open IE, Type IP of WLC in the address bar (bypassing proxy), hit enter. Click on Logon. provide logon credentials, click ok.

 1 2 3 4 5 6 7 8 9 10

Accessing WLC using telnet.

Open command prompt and type telnet IP_Address

11

Necessary Links

Export a certificate with the private key

Import a certificate

Cisco 5500 WLC

Cisco Wireless AP

Microsoft Radius Server

Relevant Articles

WLAN Controller Failover for Lightweight Access Points Configuration Example

Wireless LAN Controller (WLC) Configuration Best Practices

How to configure Microsoft Radius Server (IAS) for Macintosh OSX 10.5, Windows 7 and windows XP Pro client

Install and configure Microsoft Active Directory Certificate Services (AD CS) using Windows Server 2008 R2

Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide

Overview of the Wi-Fi Protected Access (WPA) security update in Windows XP

Share thisAdd to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

How to configure HTTS Inspection in Forefront TMG 2010

Log on to Forefront TMG server as an administrator. Start menu>All Program>Click Forefront TMG management console>Expand Forefront Server>Click on Web Access Policy>in the right hand side Click on Task Pan >Scroll Down to Web Protection Tasks. In Web Protection Tasks, You will find Configure Malware Inspection, Configure HTTPS Inspection, Configure URL Filtering, Configure URL Category. Now follow these steps to define/create these policies.

1. Click Configure HTTPS Inspection.

2. In the HTTPS Outbound Inspection dialog box, select Enable HTTPS Inspection

3. Click the Generate button and the Generate Certificate dialog box will appear

4. Select the Trusted Certificate Authority (CA) name text field and replace the existing text with Edge Firewall

5. Leave the Issuer Statement field blank and click Generate Certificate Now. You will see a certificate. Click OK to close the Certificate display and click Close to close the Generate Certificate window.

6. On the HTTPS Outbound Inspection page, click HTTPS Inspection Trusted Root CA Certificate Options. You will see the Certificate Deployment Options dialog box,

7. Click Automatic Deployment. You will see an authentication dialog box

8. In the authentication dialog box, enter the credentials for an account that has write access to the domain Enterprise Trusted Root certificate store. Click OK. A command window will appear briefly and if the procedure succeeds, the dialog box

9. Click OK to close this dialog box.

10. Click OK to close the Certificate Deployment options dialog box.

11. In the HTTPS Outbound Inspection dialog box, click the Destination Exceptions tab to display the HTTPS inspection exceptions list

12. Click Add to open the Add Network Entities dialog box

13. In the Add Network Entities dialog box, click New and then click Domain Name Set. You will see the New Domain Name Set Policy Element dialog box

14. In the Name field, type Excluded Sites. Click Add. When New Domain appears in the Domain names included in this list, change it to display http://www.wolverine.com.au. Click Add again and change New Domain to display http://www.wordpress.com. In the Description field, type Sites approved by NetSec for HTTPS inspection exclusion. The page should now appear

15. Click OK to close the window. In the Add Network Entities window expand Domain Name Sets, highlight Excluded Sites, click Add, and then click Close. The HTTPS Outbound Inspection dialog box will appear

16. In the HTTPS Outbound Inspection dialog box, click the Certificate Validation tab.

17. In the Block Expired Certificate After (Days) text box, type 7

18. In the HTTPS Outbound Inspection dialog box, click the Client notification tab.

19. Select Notify Users That Their HTTPS Traffic Is Being Inspected

20. Click the Source Exceptions tab to add the computers that you want to exempt from HTTPS inspection. By default this list is empty. For the purpose of this example we will leave this option empty.

21. Click OK to close the HTTPS Outbound Inspection dialog box.

22. Click Apply in the TMG management centre pane, type the appropriate notes in the Configuration Change Description window and click Apply to save your changes. The centre pane feature display will change

23. Click the Monitoring tab in the left pane, and then click the Alerts tab in the centre pane. You should find an informational alert indicating successful CA certificate import,

Configuring the HTTP Filter

1. On the TMG Server computer (or using remote management console), open the TMG Management Console.

2. Click TMG (Array Name) in the left pane.

3. Click Web Access Policy, right-click your main Internet Access policy, and choose Configure HTTP

4. When you choose Configure HTTP, the Configure HTTP Policy For Rule dialog box will appear. In this dialog box you have four options to choose- HTTP methods, Extensions, Headers and Signature. Follow the steps to do accomplish these methods. You can do all these at once or do later by repeating these steps.

General

In general option, you can mention Header length, Allow any payload, Block high bit characters and block windows executable content. Accept default and go next steps or modify as your desired config.

HTTP Methods

1. Open the drop-down list in the option Specify The Action Taken For HTTP Methods and select Block Specified Methods (Allow All Others).

2. The Add button will became available. Click Add and type PUT

3. Click OK and your Methods tab will appear

4. Type the appropriate notes in the Configuration Change Description window and click Apply to commit this change.

Extensions

1. Open the drop-down list in the option Specify The Action Taken For File Extensions and select Block Specified Methods (Allow All Others)

2. The Add button will become available. Click Add and type MP3

3. Click OK. The Methods tab will appear.

4. Click OK and then, in the main TMG console, click Apply to commit this change.

Headers

1. Click Firewall Policy, right-click the http://www.wolverine.com.au Web Publishing rule and choose Configure HTTP.

2. Click the Headers tab and the window will appear

3. In the Server Header drop-down list, choose Modify Header In Response

4. Type the name with which you want to substitute the Server’s name

5. Click OK and then click Apply in the main TMG console to commit the changes.

Blocking Signature

1. Click Web Access Policy, right-click your main Internet Access policy, and choose Configure HTTP

2. When you click Configure HTTP the Configure HTTP Policy For Rule dialog box will appear. Click the Signatures tab and the window will appear

3. Click Add and the do the following in the Signature window:

· Type Block MSN Messenger in the Name field.

· Select Request Headers from the Search In drop-down list.

· Type Description as Block MSN Messenger signature

· In Signature Type, type MSN Messenger

4. Click OK and your Signature tab will appear

5. Click OK to close this window and then click Apply in the main TMG console to apply the changes.

6. Repeat step 1 to 6 if you want block more signature

Important! blocking signature using Request URL my block entire web sites containing that specific signature.

Relevant Articles:

How to block bandwidth intensive websites using Microsoft ISA

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

Forefront TMG 2010: Publishing Exchange server 2010

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II

Beer mugAdd to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

How to configure Microsoft SharePoint server 2007

Microsoft SharePoint Products and Technologies is a Content Management System with integrated search functionality developed by Microsoft that allows users to work in a web-based collaborative environment. Microsoft provides certain built-in functionality and third party developers can also develop custom modifications to extend functionality. Microsoft released SharePoint server 2010 64 bit beta. Here, I am going to talk about SharePoint Server 2007.

Systems requirements:

Windows server 2003 or windows server 2008

Internet Information Services (IIS) 6.0 or Higher

SMTP service is enabled in IIS

ASP.NET 2.0

.NET Framework 3.0

Windows Workflow Foundation

SQL Server 2000 or 2005 express or higher with Management studio

Antivirus & Forefront Protection for SharePoint

Hardware requirements:

Processor 2.5GHz minimum, dual processors, 3GHz recommended.

RAM 1GB minimum, 2GB or more recommended.

Disk 3GB free NTFS. More disk space is recommended, depending on your storage needs.

Network 1 gigabit per second is suggested

This was minimum spec. However, you must add more resources to SharePoint server depending on number of users and configurations you do.

Create and configure SQL

Once you have installed all pre-requisite. You need to configure SQL server before you start installing SharePoint. To do this open SQL Management studio from start menu>all program>Microsoft SQl server>SQL server management studio.

You will be presented SQL\SQLExpress database connection window. Click on connect using windows authentication. Create new database named SharePoint or your preferred. Right click on new database>property>options>Collation> Change to  Latin1_General_CI_AS_KS_WS.

12 13

14

15 

Important! Change database collation to Latin1_General_CI_AS_KS_WS. Otherwise you get this error  "The specified database has an incorrect collation.  Rebuild the database with the Latin1_General_CI_AS_KS_WS collation or create a new database”.

Installation:

 1 2 3

If you want to have more then one server then select Advanced>Complete Installation otherwise standalone installation will do. File location can be selected other then system partition. 

 4 5

6

Initial Configuration

 7 8 9 10 

11

 16 17 18

19

Publish SharePoint in ISA or Forefront TMG

Log on ISA server or Forefront TMG. Open management console>Task Pan>Publish new web sites (ISA) or Publish SharePoint (Forefront TMG). Follow these screen shots.

1 2 3 4 5 6

In this window, click new to add new listener.

7 8 9 10 11 12 13 14 15

Start Windows Services

 28

Configure Wiki, Document Library in SharePoint

Log on to sharepoint server. Open sharepoint central administrator. provide domain user name and password. You will be presented with SharePoint Central Administration window. Click on operations>Topology and services>services on this server>start all the services. To Setup Incoming and outgoing emails, you must have SMTP services installed and started.

22

27

Click on Site Action>Create. In this window you can document library, Wiki etc.

20 

21  23 24 25 26

SharePoint and DNS records

Log on to DNS server. In Active Directory environment, domain controller is a DNS server by default. Add Host(A) record and CNAME for SharePoint server if you want to call SharePoint by FQDN not by Netbios name.

Relevant Topics:

Deployment for 2007 Microsoft Office SharePoint Server

Microsoft SharePoint Server

share this Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

How to configure Microsoft Radius Server (IAS) for Macintosh OSX 10.5, Windows 7 and windows XP Pro client

Internet Authentication Service (IAS) is the Remote Authentication Dial-in User Service (RADIUS) server in Windows Server 2003 family. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. A RADIUS client (typically an access server such as a dial-up server, VPN server, or wireless access point) sends user credentials and connection parameter information in the form of a RADIUS message to a RADIUS server. Microsoft Radius supports Windows 7, Windows XP SP2 and Mac OSX clients. This article provided an overview of Microsoft RADIUS and PEAP security and described how RADIUS security are implemented and deployed in IT infrastructure.

Prerequisite : Microsoft Active Directory, DNS, DHCP and Certificate Server, Cisco 1200 series wireless AP, MAC OSX 10.5, Windows XP Pro/Windows 7.

AAA Infrastructure:

Aunthentication: Microsoft Active Directory, Authorization: Microsoft Radius (IAS), Accounting: Microsoft Radius (IAS)

Security Measures: PEAP and Shared Secret

Encryption: MSCHAPv2 

Configure IAS

Make sure all prerequisites mentioned above are ready and working. Install windows server and make it a member of Microsoft Active Directory domain.

1

Install machine certificate i.e. computer certificate in this server

7

Click on add/remove snap in

8 

Click add

9

Select Certificates, click add

10

Check computer account radio button, click next

11

Select local computer, click finish

12

Right mouse click on personal and click on request certificate, follow screen shot

13

14

Click next, then click ok.

Install IAS as follows

2

Go to Add remove windows component, select internet Authentication Service, click ok.

3

4

Open IAS console from administrative tools, right click on IAS as above, click register service in Active Directory

Add RADIUS Client, mention Cisco access point name and IP of Cisco Access Point, click next

5

Select Radius standard and provide shared secret and confirm, click finish. Shared secret must be same as you mentioned in Cisco wireless access point

6

Create Wireless access group in windows Active Directory and Add desired members in that group

image

go to administrative tools in IAS server, open IAS console, Add wireless access policy in Radius server

15

right click in wireless access policy and create new access policy

untitled

Select as above

untitled1

Check Wireless and click next

untitled2

Add wireless access group from active directory by click add button

untitled3

Select PEAP, click on configure

untitled4

Click ok

untitled5

Click finish

Now go to property of newly created access policy, click edit profile, click authentication tab, check EAP  methods as follows.

untitled6

Check  encryption and authentication method. Use MSCHAP v2. Encryption 128 bits.

Configure Wireless access point as shown in the link

https://araihan.wordpress.com/2009/08/02/how-to-configure-cisco-1242-ap-to-get-authentication-from-ms-ias/

Now infrastructure is ready to authenticate iMac OSX 10.5, Windows 7 and XP via wireless.

Log on to an XP machine using user credentials who is a member of wireless access group. Go to run, type mmc and press ok. follow the steps mentioned above on top to install machine certificate but this time install user certificate i.e. check user account instead of computer account.

Once user certificate installed, right click on user certificate, click All task, click export follow screen shot

image

image

image

image

image

image

Save certificate in usb stick.

Configure Mac OSX 10.5

Now open iMac/Mac book pro. Go to utility, open Key Chain, select login, drag certificate from USB stick and drop it in key chain login, click ok

image

Type the password used while exporting certificate

image

image

go to system preference, open network, select AirPort, click on advance, click on +

image

Click on show all, select desired Mac wireless SSID, follow screen shot

image

image

type AD user name and password who is a member of wireless access group, select certificate, click  add

image

Now authenticated as above. all done.

It is not necessary to bind Mac OSX 10.5 to AD to get wireless authentication via RADIUS. PEAP and certificate will do. now you can add user home drive, printer from print server. 

On Windows XP or Windows 7 machine, log on using domain user credential who is a member wireless access group, install user certificate and machine/computer certificate as mentioned above. Turn on wireless, select SSID, click on connect, in few seconds it will be connected.