Migrate Network Policy Server (NPS) From Windows Server 2008 R2 to Windows Server 2012 R2

Scenario:

  1. Migrate to a new server with new NetBIOS Name and New IP Address
  2. Migrate to a new server retaining NetBIOS Name and IP Address

Step1: Backup NPS Server, NPS Policy & certificate

  1. Open NPS Policy Server from Server Manager>Right Click on NPS(Local)>Export Configuration.
  2. Select I am aware that I am exporting all shared secret. Click Ok>Export as a XML File into a UNC path accessible to new server.
  3. right Click on Template Management>Export Template to a File. Export as a XML File into a UNC path accessible to new server.
  4. Open MMC>Add Certificate Snap-in>Computer Account>Select Personal>Certificate>Export Certificate with Private Key.
  5. Use Windows Backup to backup NPS server. If NPS server is virtualized, then simply right click the virtual machine from Hyper-v manager and rename the machine. Now Power of the VM.

Step2: Build a new Server.

  1. Build a new server. Activate Windows. Assign TCP/IP and join to the domain.
  2. Open MMC>Add Certificate Snap-in>Computer Account>Select Personal>Certificate>Import Certificate with Private Key.
  3. From Roles and Feature Wizard>add network Policy and Services>Select NPS, NAP and Health registration services, Click Next>Select Certificate Authority>Select Certificate>Select Finish Installation.

Step3: Register NPS.

  1. If you have retained NetBIOS Name and IP Address mentioned in scenario 2 then you don’t  need to re-register. It’s already registered.
  2. If you have a different NetBIOS Name and IP address then Right Click NPS(Local)>Register NPS Server to Active Directory.

Step4: Import NPS Policies

  1. Open NPS Policy Server>right Click on NPS(Local)>Import Configuration. Point to the XML file you have exported in step1 and import the file.
  2. Right Click on Template Management>Import template from a File. Point to the XML file you have exported in step1 and import the file.

Step5: Test Client

  1. Connect a client using WIFI or VPN whichever purpose you have configured NPS.
  2. Open Event Viewer in NPS Server and Check Security log. You will see clients are connected successfully.

Relevant Articles:

Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide

How to configure L2TP IPSec VPN using Network Policy Server in Windows Server 2008 R2

Step by Step guide to build a Cisco wireless infrastructure using Cisco WLC 5500, Cisco 1142 AP and Microsoft Radius server

Windows Server 2012 Step by Step Book

Windows Server 2012 Step by Step

This is my first book published on December 2 2012. The following is the chapters available in detailed in the book titled “Windows Server 2012 Step by Step”

Chapter 1: Introduction to windows server 2012

Chapter 2: Installing and navigating windows server 2012

Chapter 3: Server Roles and Features

Chapter 4: Active Directory Domain Services

Chapter 5: Active Directory Certificate Services

Chapter 6: Active Directory Federation Services

Chapter 7: Active Directory Rights Management Services

Chapter 8: Networking Infrastructure

Chapter 9: Failover Clustering

Chapter 10: Remote Desktop Services

Chapter 11: Security, Protection and protection

Chapter 12: Building Private Cloud with Hyper-V

Chapter 13: Web Server (IIS)

Chapter 14: BranchCache Server configuration

Chapter 15: Routing and Remote Access Server Configuration

Chapter 16: Windows Deployment Services

Chapter 17: Windows Server Update Services

Chapter 18: Volume Activation

Chapter 19: File and Storage Services

Chapter 20: Print and Document Services

Chapter 21: Network Policy and Access Server

Chapter 22: Group Policy Object

Chapter 23: Migrating from Server 2008 to Server 2012

Chapter 24: Supporting Windows Server 2012

 

Configure Forefront TMG as a NPS (Radius) Client for VPN and local clients

In this article, I will describe how to configure Forefront TMG as a RADIUS client. As a radius client FF TMG act as a messenger sending RADIUS request to NPS for authentication and authorization of VPN connection. The following Visio diagram shows placement of TMG as radius client.

image

To configure FF TMG as a RADIUS client

Log on to TMG server, open Forefront TMG Management console, click Remote Access Policy (VPN)>click Radius Server or Specify RADIUS Configuration.

35

You will see VPN property. On the RADIUS tab, click Use RADIUS for authentication>click RADIUS Servers.

34

click Add. Type Server name or IP address of the NPS server. create a new shared secret. This Shared Secret will be same as shared secret in NPS server when you add TMG as a client in NPS.

  4

3

Click OK>Click OK. Apply Changes and click ok.

Note: Above configuration apply for ONLY VPN clients.

To configure Forefront TMG to authenticate local client

33

Open Forefront TMG Management console, click the Firewall Policy node>Click Tasks pane> click Configure Client Access. Select Internal (Local Networks)>click Configure.

29

30

Click on Web Proxy tab>click Authentication> Under Method, clear any other selected methods, and then select RADIUS. Click RADIUS Servers>click Add.

31

32

Now add Server name or IP address of the RADIUS server, add New Shared secret as you did in previous steps. Apply changes you have made. 

To create Radius Firewall Policy using FF TMG 2010

Open Forefront TMG Management console, right click the Firewall Policy node>Click New>Click Access Policy. You will see new policy wizard. Type the name of the policy>Click next

9

10

Click Allow on Rule Action>Click Add on protocol property>add Radius and Radius Accounting protocol

11

12

On the access rule window, add VPN clients as source. If you are creating this policy for internal clients than add internal networks instead of VPN clients.

13

Specify destination that is NPS server location on the next screenshot. in this article NPS server is placed in internal networks so I added internal network.

14

On the next window, add Active Directory Group which this rule has been applied for.

15

16

Click Finish and apply changes.

17

8

Note: you have to create firewall policy for the clients. In this example, I have shown firewall policy for VPN client. If you want to create policy for internal client, you have to change source of clients. Protocol will be same as shown above screen shots.

To add Forefront TMG as a RADIUS client on NPS

Log on to Network Policy Server, Open NPS management console>right click RADIUS Clients>click New RADIUS Client.

18

On the New RADIUS Client dialog box>type a name>type a description of FF TMG>Type IP address of Forefront TMG. In the shared secret box, type a shared secret. This shared secret is the same shared secret you typed in FF TMG as mentioned at the beginning of this article.

19

21

Select the RADIUS client is NAP-capable check box, if you want to enforce VPN client’s health policy. click OK.

20

To enforce Health Policy for VPN clients:

On Network Policy Server or a different windows server 2008, open Server Manager>Click Role>Click Add Role>Select Health Registration Authority Role>Click Next and follow the screenshots.

22

Open NPS Management Console>Right Click on Health Policy>Click New

23

Type Policy Name>Select Client’s SHV Checks>Check Windows Security Health Validator

24

Select and Check appropriate firewall policy, windows update and antivirus update policy. Apply and Click Ok.

25

2627

Click Configure to add remediation server for health registration.

28

 

 

Blogging year 2010—-what stats says

Sharing stats of my blog https://araihan.wordpress.com with my visitors. I started this free wordpress before founding http://microsoftguru.com.au

Team WordPress.com + Stats Helper Monkeys
January 2nd, 2011, 03:35pm

Here’s a high level summary of my overall blog health:

Blog-Health-o-Meter
Wow

Blog-Health-o-Meter™

“We think you did great!” comments by WordPress

Crunchy numbers

Featured image

 

This blog (https://araihan.wordpress.com) was viewed about 200,000 times in 2010.

The most popular post that day was Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step.

Where did they come from?

The top referring sites in 2010 were google.com, google.co.in, microsoftguru.com.au, experts-exchange.com, and en.wordpress.com.

Some visitors came searching, mostly for exchange 2010 edge, network policy server radius, exchange 2010 edge transport, installing tmg 2010, and exchange 2010 edge subscription.

Attractions in 2010

These are the posts and pages that got the most views in 2010. You can see all of the year’s most-viewed posts and pages in your Site Stats

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step March 2010
 

Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide November 2009
 

Install and configure WSUS 3.0 SP2 – Step-By-Step August 2009
 

Step by Step Guide on Exchange Server 2010 Edge Transport Role November 2009
 

Transitioning from Exchange Server 2003 to Exchange Server 2010—-Step by Step October 2009
 

Comments from WordPress: “Some of your most popular posts were written before 2010. Your writing has staying power! Consider writing about those topics again”.

See you in 2011!

Step by Step guide to build a Cisco wireless infrastructure using Cisco WLC 5500, Cisco 1142 AP and Microsoft Radius server

Pre-requisites:

  1. Microsoft Active Directory and DNS
  2. DHCP Server with new scope configured
  3. IP helper-address configured
  4. Microsoft Radius (IAS) Server 2003 or Microsoft Network Policy Server 2008
  5. Microsoft Enterprise root CA
  6. Cisco Wireless LAN controller (WLC) 5500
  7. Cisco AIR-LAP1142N wireless access point (AP)
  8. Separate VLAN for wireless infrastructure
  9. WLC, AP and IAS placed in same VLAN
  10. Windows 7 or Windows XP or Mac OSX/snow leopard client

Assumptions:

1) AD and DNS working perfect.

2) DHCP Server IP: 10.10.9.4

New scope for Wireless Network

IP range: 10.10.10.1-10.10.11.254 Subnet Mask:255.255.255.0

Gateway:10.10.10.1 Exclusion:10.10.10.1-10.10.10.10

NTP :10.10.9.5

3) WLC

IP:10.10.10.2 WLC subnet:255.255.255.0 Gateway:10.10.10.1

Time provider:10.10.9.5

4) IAS IP:10.10.10.3 subnet:255.255.255.0 Gateway:10.10.10.1

5) IP ranges 10.10.10.1-10.10.11.254 added in the internal networks in ISA or forefront TMG.

6)Interface 1 of WLC connected to a trunk port of Layer3 switch or core switch

7)wireless infrastructure VLAN ID/Tag 100

Add Lightweight Cisco Aironet 1142 in DHCP Server

Note: Follow these steps for newly added DHCP scope mentioned in assumptions.

1.In order to configure these options in the Windows DHCP server, open the DHCP Server Administration Tool or MMC. Right-click the DHCP root, and then choose Define Vendor Classes.

2.The DHCP Vendor Classes utility appears. Click Add.

3.A New Class configuration box appears. Enter a value for the Display Name field, for example, “Cisco Aironet c1142 AP”, and an appropriate description such as “Vendor Class identifier for Cisco Aironet c1142 AP”. Click the ASCII Section and enter the appropriate string value such as “Cisco AP c1142” (without inverted coma) for the Vendor Class Identifier. Click OK. Then, click Close on the DHCP Vendor Classes window.

4.Add an entry for the WLAN controller sub-type as a pre-defined option configured for the Vendor Class. Right-click the DHCP Server Root, and then choose Set Predefined Options.

5.Choose the newly created Vendor Option Class in the Option Class field, and then click Add.

6.The Option Type box appears. In the Name field, enter a string value, for example, Option 43. Choose IP Address as the Data Type. Check the Array check box. In the Code field, enter the sub-option code value 241 (0xf1). Enter a Description such as Wireless LAN Controller IP address. Click OK.

7.The Vendor Class and sub-option are now programmed into the DHCP server. Now, the vendor specific information must be defined for the AP DHCP scope. Choose the appropriate DHCP scope. Right-click Scope Options, and choose Configure Options.

8.Click the Advanced tab. Choose the Vendor Class you previously defined. Check the 241 Option 43 check box, and then enter each WLC management interface IP address(s) Example: 10.10.10.2. Click Apply.

9.Once you complete this step, the DHCP Option 43 is configured. This DHCP option is IP address, the DHCP server sends the option 43 as well as to the LAPs. Now the DHCP option 43 (241 Cisco Wireless AP) that is made available for a newly created DHCP scope for Cisco.

10. To verify, click on the scope options in the newly created DHCP scope, you will see 241 Cisco Wireless AP or what you mentioned in Description.

Add a new VLAN in core switch(example: Cisco 4506) or L3 switch:

Note: Entire wireless infrastructure will be placed in this VLAN.

Switch#vlan database

Switch(vlan)#vlan 100

Switch(vlan)#name Wireless Network

Switch(vlan)#exit

switch#configure terminal

Switch(config-if)#interface vlan 100

Switch(config-if)#Description Wireless Network

Switch(config-if)#ip helper-address 10.10.9.4

Switch(config-if)#IP address 10.10.10.1 255.255.255.0

Switch(config-if)#no shutdown

Switch(config-if)#end

switch#wr

Create a Trunk Port in Core switch (Cisco 4506) or L3 Switch

Note: This trunk will be connecting with Cisco WLC 5500 using CAT6 or Fibre optic.

Switch# configure terminal

Switch(config)#interface gigabitethernet  6/11

(6/11 means Module 6 and Port 11)

Switch(config)#switchport trunk encapsulation dot1q

Switch(config)#SwitchPort Mode trunk

Switch(config)#end

Switch# wr                                              

Switch#show run

Create VLAN  in a switch (Example: Cisco 2960G)

Note: This port will be connecting with Cisco 1142 AP. Wherever you want an wireless AP, configure a port with same vlan. For this article VLAN 100. connect AP with this port after configuring the following. repeat for all the APs.                     

Switch# configure terminal

Switch(config)#

Switch(config)#interface Gigabitethernet 0/7           

Switch(config)#switchport access vlan 100            

Switch(config)#end

Switch# wr             

Create AAA Server(s):

Authorization: IAS Policies (Remote Access Policies applied in IAS server for wireless 802.1x)

Authentication:Radius Server (EAP Type:PEAP,Encryption: MSCHAPv2)

Accounting:Radius server (Logs any successful and/or failed connection attempt)   

Use this link to configure Enterprise Root CA  

Install IAS in a member server. Install computer certificate in the IAS server and create new policy using this link Configure PEAP and EAP methods or follow step by step guide line in these links configure Microsoft Radius Server and Network Policy Server . It would redundant to write again.

Cisco 5500 Series Wireless Controller Installation Guide Using the Start-up Wizard

Mount Cisco 5500 in rack. Connect WLC with laptop using console port. Connect WLC with core switch or L3 switch using CAT6 cable or fibre optic if you have SFP. Now power on WLC.

Note The available options appear in brackets after each configuration parameter. The default value appears in all uppercase letters.

Note Press the hyphen key if you need to return to the previous command line. To configure the controller for basic operation using the Start-up Wizard, follow these steps:

Step 1 When prompted to terminate the Auto-Install process, enter yes. If you do not enter yes, the Auto-Install process begins after 30 seconds.

Note The Auto-Install feature downloads a configuration file from a TFTP server and then loads the configuration onto the controller automatically.

Step 2 Enter the system name, which is the name you want to assign to the controller. You can enter up to 32 ASCII characters. (Example:MS_5500)

Step 3 Enter the administrative username and password to be assigned to this controller. You can enter up to 24 ASCII characters for each. The default administrative username and password are admin and admin, respectively.(Example:username:Admin and password:cisco)

Step 4 If you want the controller’s service-port interface to obtain an IP address from a DHCP server, enter

DHCP. If you do not want to use the service port or if you want to assign a static IP address to the service-port interface, enter none.

Important! In Cisco 5500, management interface act as service interface also. No avoid any complicacy, just hit enter in this option. The service-port interface controls communications through the service port. Its IP address must be on a different subnet from the management interface. This configuration enables you to manage the controller directly or through a dedicated management network to ensure service access during network downtime.

Step 5 If you entered none in Step 4, enter the IP address and netmask for the service-port interface on the next two lines.

Step 6 Enable or disable link aggregation (LAG) by choosing yes or no. You may type No if you don’t have two or more Cisco WLC.

Step 7 Enter the IP address, netmask, default router IP address, and optional VLAN identifier (a valid VLAN identifier or 0 for an untagged VLAN) for the management interface.

Note The VLAN identifier should be set to match the switch interface configuration. Example: IP:10.10.10.2 WLC subnet:255.255.255.0 Gateway:10.10.10.1  and VLAN tag/ID 100

Step 8 Enter the IP address of the default DHCP server that will supply IP addresses to clients, the controller’s management interface, and optionally the service-port interface.

Note The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers.Example DHCP Server IP: 10.10.9.4

Step 9 Enter the IP address of the controller’s virtual interface, which will be used by all controller Layer 3 security and mobility managers. You should enter a fictitious, unassigned IP address, such as 1.1.1.1.

Note The virtual interface is used to support mobility management, DHCP relay, and embedded Layer 3 security such as guest web authentication and VPN termination. All controllers within a mobility group must be configured with the same virtual interface IP address.

Step 10 If desired, enter the name of the mobility group/RF group to which you want the controller to belong.

Note Although the name that you enter here is assigned to both the mobility group and the RF group, these groups are not identical. Both groups define clusters of controllers, but they have different purposes. All of the controllers in an RF group are usually also in the same mobility group and vice versa. However, a mobility group facilitates scalable, system-wide mobility and controller redundancy while an RF group facilitates scalable, system-wide dynamic RF management.

Step 11 Enter the network name, or service set identifier (SSID). The initial SSID enables basic functionality of the controller and allows access points that have joined the controller to enable their radios. (Example:Mycompanywireless)

Step 12 Enter yes to allow clients to assign their own IP address or no to make clients request an IP address from a DHCP server. (Type yes in the step)

Step 13 To configure a RADIUS server now, enter yes and then enter the IP address, communication port, and secret key of the RADIUS server. Otherwise, enter no. (Type yes, IAS IP:10.10.10.3 subnet:255.255.255.0 Gateway:10.10.10.1)

Step 14 Enter the code for the country in which the controller will be used.

Note Enter help to view the list of available country codes. (Example: For Australia Country code is AU)

Step 15 Enter yes to enable or no to disable each of the 802.11b, 802.11a, 802.11g, and 802.11n lightweight access point networks. (Type yes)

Step 16 Enter yes to enable or no to disable the controller’s radio resource management (RRM) auto RF feature. (Type yes)

Note The auto RF feature enables the controller to automatically form an RF group with other controllers. The group dynamically elects a leader to optimize RRM parameter settings, such as channel and transmit power assignment, for the group.

Step 17 If you want the controller to receive its time setting from an external Network Time Protocol (NTP) server when it powers up, enter yes to configure an NTP server. Otherwise, enter no. (Type yes,Time provider:10.10.9.5 )

Step 18 If you entered no in the previous step and want to manually configure the system time on your controller now, enter yes. If you do not want to configure the system time now, enter no.

Step 19 If you entered yes in the previous step, enter the current date in MM/DD/YY format and the current time in HH:MM:SS format.

Step 20 When prompted to verify that the configuration is correct, enter yes or no. The controller saves your configuration, reboots, and prompts you to log in.

Verifying Interface Settings and Port Operation

Follow these steps to verify that your interface configurations have been set properly and the controller’s ports are operational.

Step 1 Enter show interface summary. The controller’s current interface configurations appear:

Interface Name Port VLAN Id IP Address Type AP Mgr Guest

———-

management 1 100 10.10.10.2 Static Yes No

service-port N/A N/A 0.0.0.0 Static No No

virtual N/A N/A 1.1.1.1 Static No No

Step 2 Enter show port summary. The following information appears, showing the status of the controller’s distribution system ports, which serve as the data path between the controller and Cisco lightweight access points and to which the controller’s management interface is mapped.

STP Admin Physical Physical Link Link Mcast

Pr Type Stat Mode Mode Status Status Trap Appliance POE

— —

1 Normal Forw Enable Auto 1000 Full Up Enable Enable N/A

2 Normal Forw Enable Auto 1000 Full Up Enable Enable N/A

Configure Security and AAA Server in WLC 5500

1. Open IE or Firefox Type IP address of WLC in the address bar as https://10.10.10.2 (bypass proxy if you need to)and hit enter.

2. Click Login and provide login credentials you created in start-up wizard.

3. Click on Wireless. In the left hand pan click Authentication. You will see the IP address and port number 1812 of Radius Server.

4. In the left hand pan Click on Accounting. Click new on right hand top corner. You will be presented with a window to add Radius server. provide IP of Radius server, Shared secret and Port 1813. Apply changes.

5. Click on WLANs>Click on 1>Click on General Tab>Check Enable on Status and Check Enabled on broadcast SSID

6.Click on Security Tab>Click Layer2 Tab>Select WPA+WPA2 from Layer2  security drop-down list>Check WPA policy and TKIP or WPA2 policy and TKIP. In the same page, in Auth Key Mgmt, select 802.1x. Now click on Apply button.

7.Click on AAA Servers>Select Authentication and Accounting server from the server1 drop down list. here Authentication and Accounting server are Radius Server. Check Enabled in both Authentication and Accounting radio button. Click Apply.

8.In the left hand side top corner, click on to Monitor and scroll down to make sure you see the all APs.

Add WLC 5500 in the IAS server as a Radius Client

1. Log on to IAS server as an administrator.

2.Open Internet Authentication Service from Administrative Tools

3.Right click on Radius Clients>Click add Radius client. You will be presented with new radius client window. Type IP address of WLC 5500 and a Friendly Name such as WLC. Click Next.

4. In the this window, Select Radius Standard as Client-Vendor, Provide shared secret (must be same as WLC configuration in step 13) and repeat shared secret and click finish.

5.Close IAS console and log out.

Testing network

Log on to Windows XP or Windows 7 client as a domain users while client is connected via CAT5 or CAT6 . Make sure this domain user is a member of wireless access group and allowed to have remote access(dialin TAB of AD user property). Install computer and user certificate in that client. Now turn on wireless NIC. unplug CAT5 cable. View available wireless network. Select the SSID, you created in previous steps and double click. You will be connected.

Important! if you setup WPA and TKIP in WLC then you must setup WPA and TKIP in Client also. Similar for WPA2 and TKIP or WPA2 and AES. Both sides must match each other.

For Mac client, see my previous post in the link

Configure Group Policy for 802.1x wireless network

  1. Open the Group Policy Management Console (GPMC).
  2. Create and link a new group policy object with desired OU
  3. Right click on newly created GPO and edit
  4. Go to Computer Configuration, open Windows Settings, open Security Settings, and then select Wireless Network (IEEE 802.11) Policies.
  5. right-click Wireless Network (IEEE 802.11) Policies, and then click Create A New Policy and Type Policy name
  6. Open New Network Policy Properties >Click on preferred network Tab>To add a new profile, click Add>type the SSID that corresponds to the SSID configured on your WLC security tab.
  7. In the Wireless key network, select WPA and TKIP or whatever configured in WLC
  8. In the IEEE 802.1x tab,Set EAPOL start message to transmit per IEEE 802.1x
  9. In the EAP type select PEAP
  10. Check authenticate as computer when computer information is available and also computer authentication with user authentication from drop down box.
  11. Now press Ok, Apply and ok.

Work Around with WLC 5500 

Open IE, Type IP of WLC in the address bar (bypassing proxy), hit enter. Click on Logon. provide logon credentials, click ok.

 1 2 3 4 5 6 7 8 9 10

Accessing WLC using telnet.

Open command prompt and type telnet IP_Address

11

Necessary Links

Export a certificate with the private key

Import a certificate

Cisco 5500 WLC

Cisco Wireless AP

Microsoft Radius Server

Relevant Articles

WLAN Controller Failover for Lightweight Access Points Configuration Example

Wireless LAN Controller (WLC) Configuration Best Practices

How to configure Microsoft Radius Server (IAS) for Macintosh OSX 10.5, Windows 7 and windows XP Pro client

Install and configure Microsoft Active Directory Certificate Services (AD CS) using Windows Server 2008 R2

Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide

Overview of the Wi-Fi Protected Access (WPA) security update in Windows XP

Share thisAdd to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

How to configure L2TP IPSec VPN using Network Policy Server in Windows Server 2008 R2

The virtual private network (VPN) technology allows users working outside the office premises connect to  their private network in a cost-effective and secure way. Creating this type of internetwork is call virtual private networking. VPN uses ordinary internet as a medium to reach end point i.e. private network or inside corporate network.

In a VPN connection, data is encapsulated or wrapped up and encrypted with a header that provides routing information allowing it to traverse the shared or public transit internetwork to reach its destination. The portion of the connection in which the private data is encapsulated is known as the tunnel. VPN connections use either Point-to-Point Tunnelling Protocol (PPTP) or Layer Two Tunnelling Protocol/Internet Protocol security (L2TP/IPSec) over internet as medium.

clip_image001[4]

Figure: A typical VPN connection, source Microsoft Corp.

So what is required to deploy VPN in an organisation. A systems administrator can accomplish VPN if he/she has the following components in place.

VPN Server (Windows 2008/2003)

Internet infrastructure with Public IP

VPN Clients (Windows 7, Windows XP or Mac OSX 10.5.x)

Intranet infrastructure (Microsoft networks, AD, DNS and DHCP with enough IP available) 

Certificate infrastructure (Microsoft AD CS)

Authentication, authorization and accounting (AAA) infrastructure (Windows/Radius)

Deployment: you can install Windows server 2008 in a standard hardware with two NICs. In my situation, I used three NICs as my VPN server is also wireless authentication server. So, it works both for me (VPN+Wireless). One NIC for internal network, another for public IP (VPN) and another for wireless networks (ignore third NIC if you are not in same situation). All NICs must have static IP. You have to pipe through public IP to your VPN server. VPN server must be a domain member and computer/machine certificate installed in VPN server. I configure DHCP in VPN server. So that VPN client can obtain IP from this server not from internal DHCP server. It makes my life easy and got enough IP. You can mention existing DHCP server also while configuring VPN if you choose not to configure DHCP in VPN server. Here, I will explain about L2TP IPSec deployment. L2TP IPSec is secure and preferred VPN for me. The following screen shots will do the rest for you.

 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

Here, you can select VPN+NAT, that will do.

18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 

NASport1 

NASport   

Here, you have to select tunnel type, Encryption method, NASPort Type. It’s highly important.

35 36 37 38

39

I used Microsoft server 2008 R2 as VPN server using L2TP IPSec. I used windows authentication not Radius. In this case, the secure connection appears to the user as a private network communication, however this VPN connects over a public networks. An user and a machine certificate are required to connect to VPN server. Also user must be a domain user.  In your situation would certainly be different. Do as appropriate in your situation. I hope this would help you to configure VPN server.