Cant Download Config File From Mdm Server UPDATED

Cant Download Config File From Mdm Server

Tutorial – Deploy Always On VPN

Always On VPN provides a single, cohesive solution for remote access and supports domain-joined, non-domain-joined (workgroup), or Azure AD–joined devices, fifty-fifty personally owned devices. With E'er On VPN, the connection type does not have to be exclusively user or device but can be a combination of both. For example, you could enable device authentication for remote device management, and and then enable user hallmark for connectivity to internal company sites and services.

The purpose for this guide is to demonstrate how to deploy the E'er On feature easily. In this guide we volition deploy the following platforms primarily using PowerShell where possible:

  • Active Directory (Advertisement DS)
  • DNS
  • Certificate Authority (Advertizing CS)
  • DHCP
  • Routing and Remote Access Service (RRAS)
  • Network Policy Server (RADIUS)

Information technology volition non be demonstrated how to install Windows Server or Windows 10 operating arrangement.

Practice non attempt to deploy Remote Access on a virtual machine (VM) in Microsoft Azure. Using Remote Access in Microsoft Azure is non supported, including both Remote Access VPN and DirectAccess.

Conditional admission through Azure Ad will not be demonstrated in this guide, but see the following resources for that:

  • https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal

Target Audition

This guide is targeted to operations engineers in Microsoft Server products. The target needs to take knowledge in the following technologies:

  • PowerShell
  • Windows Server
  • Windows ten

The target also need to have some bones agreement of:

  • DHCP
  • DNS
  • Active Directory (Advert DS)
  • PKI infrastructure (AD CS)
  • VPN (IKEv2/SSTP)
  • Network Knowledge (IP, UDP, TCP)
  • RADIUS
  • Hypervisors (Virtualbox, VMware, HyperV)

Definitions

In the tutorial I will use brusk names, then hither is a brief list of the significant of those names.

Definition Name
AD DS Active Directory Directory Services
Advertising CS Active Directory Certificate Services
PKI Public Key Infrastructure
DHCP Dynamic Host Configuration Protocol
IKEv2 Internet Key Exchange Version 2
IP Internet Protocol
UDP User Datagram Protocol
TCP Transmission Control Protocol
RADIUS Remote Authentication Dial-In User Service
VPN Fiveirtual Private Due northetwork
HDD Hard Disk Drive
ACL Access Control List
CRL Certificate Revocation 50ist
CDP CRL Distribution Point
AIA Authority Information Access

Limitations

For this deployment, it is non a requirement that your infrastructure servers, such as computers running Agile Directory Domain Services, Active Directory Certificate Services, and Network Policy Server, are running Windows Server 2016. You can use earlier versions of Windows Server, such every bit Windows Server 2012 R2, for the infrastructure servers and for the server that is running Remote Access.

Hardware Recommendations

For all servers in this guide the following is a minimum requirement:

  • Processor: one.4Ghz 64-chip processor.
  • RAM: 512 MB.
  • Disk Space: 32 GB.
  • Network: Gigabit (ten/100/1000baseT) Ethernet adapter.
  • Optical Storage: DVD drive (if installing the Os from DVD media)

Overview

Technical Drawing

Always On VPN - Overview

Ever On VPN – Overview

Servers

The following is a overview all servers/cllients used in this lab.

FQDN IP(s) Role(s) Description
w2016-dc.constoso.com 192.168.0.10 Advertising DS; DHCP Domain Controller
w2016-ca.constoso.com 192.168.0.xx AD CS Certificate Authorisation
w2016-nps.constoso.com 192.168.0.30 NPS Network Policy Server aka. RADIUS
w2016-ras.constoso.com 192.168.0.xl; External IP RRAS VPN gateway
w10-client.constoso.com External IP Client Device that is connecting to the VPN

DNS-records

At that place are besides some DNS-records that needs to be established. Here is a short overview of those.

Record Type IP/Alias Internal/External
vpn.contoso.com A w2016-ras.constoso.com External
pki.contoso.com A 192.168.0.20 Internal

TCP/UDP

In this guide, all servers are located in the aforementioned subnet, which means at that place is no firewall between the servers for simplicity. It'south best exercise to split the servers into multiple subnets protected past one or more firewall(s). Fifty-fifty though the servers are placed in the same subnet, it'southward still required to open the ports in firewall on Windows.

w2016-dc.constoso.com

Protocol & Port Usage Blazon of traffic
TCP and UDP 389 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP
TCP 636 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP SSL
TCP 3268 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP GC
TCP 3269 Directory, Replication, User and Computer Authentication, Group Policy, Trusts LDAP GC SSL
TCP and UDP 88 User and Computer Authentication, Wood Level Trusts Kerberos
TCP and UDP 53 User and Reckoner Authentication, Proper noun Resolution, Trusts DNS
TCP and UDP 445 Replication, User and Computer Authentication, Group Policy, Trusts SMB,CIFS,SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25 Replication SMTP
TCP 135 Replication RPC, EPM
TCP Dynamic Replication, User and Estimator Authentication, Group Policy, Trusts RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722 File Replication RPC, DFSR (SYSVOL)
UDP 123 Windows Time, Trusts Windows Time
TCP and UDP 464 Replication, User and Figurer Hallmark, Trusts Kerberos alter/prepare password
UDP Dynamic Group Policy DCOM, RPC, EPM
UDP 138 DFS, Group Policy DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389 AD DS Web Services Lather
UDP 67 and UDP 2535 DHCP

DHCP is not a cadre AD DS service but it is often nowadays in many Advert DS deployments.

DHCP, MADCAP
UDP 137 User and Computer Authentication, NetLogon, NetBIOS Name Resolution
TCP 139 User and Computer Hallmark, Replication DFSN, NetBIOS Session Service, NetLogon

w2016-ca.constoso.com

Protocol & Port Usage Type of traffic
TCP/4000 Document Enrolling RPC
TCP/80 AIA & CDP HTTP

w2016-nps.constoso.com

Protocol & Port Usage Type of traffic
UDP 1645 authentication and authorization RADIUS
UDP 1646 accounting RADIUS
UDP 1812 authentication and dominance RADIUS
UDP 1813 accounting RADIUS

w2016-ras.constoso.com

Protocol & Port Usage Blazon of traffic
UDP 500 IKEv2 VPN
UDP 4500 IKEv2 VPN

Accounts and Keys

Groups

We are also going to create som Active Directory groups.

Group Scope Group Type samAccountName Description
Global Security Contoso\sec-server-nps Group that contains all NPS computer objects.
Global Security Contoso\sec-server-vpn Grouping that contains all VPN (RRAS) figurer objects.
Global Security Contoso\sec-vpn-users Members in this group are allowed to use the VPN connectedness.

Users

Here is an overview of users, their password and usage.

Username Password Description
Administrator Pa$$w0rd Local Administrator
Contoso\Administrator Pa$$w0rd Contoso Domain Administrator
Contoso\su-dhcp-update Pa$$w0rd DHCP/DNS dynamic update service account

Keys

Nosotros are too going to apply some shared secrets.

Key Description
a7wr8urQKbmwD27m Directory Services Restore Mode (DSRM)
4hG9sBtW9hL2GGSE RADIUS Shared Secret for w2016-ras.contoso.com

Configuration

Nosotros are now going to configure all servers from scratch, let's get started!

w2016-dc.constoso.com

This server is running Active Directory, DNS and the DHCP function. Utilise the following instructions to setup a new AD forest, DNS and the DHCP server.

Prerequisites

Before proceeding with the configuration, the domain controller needs to accept a static IP address with a DNS pointing to itself.

  1. Open a PowerShell final with privileged permissions (run as ambassador).
  2. Execute the following, which volition rename the server, set a static IP with a static DNS and restart afterwards.

  3. Open in the firewall to allow traffic to the server.

AD DS

The following will install the Windows Server role Agile Directory Domain Services.

  1. Open a PowerShell terminal with privileged permissions (run as administrator).
  2. Execute the following.
  3. The following will create an Active Directory with "contoso.com" as the domain name and "Contoso" as the NETBIOS name. The server will restart automatically, during configuration.
  4. When the server have restarted, login with the domain administrator credentials.

Users and Groups

The following script, will create all necessary users and groups in Agile Directory.

  1. We need to create some groups and add together members to them. Note that all servers and workstations needs to be joined the domain before the following code volition work.

DHCP

The post-obit will install the Windows Server role DHCP.

  1. Open a PowerShell last with privileged permissions (run equally administrator).
  2. Execute the following, which will install the DHCP function.

  3. Now nosotros demand to create the security groups "DHCP Administrators" and "DHCP Users" on the local DHCP server. Open a control prompt with privileged permissions (run as administrator) and execute the following.

  4. Now go back to the PowerShell terminal and run the following, which will restart the DHCP service.

  5. Now we need to let the DHCP to update A and PTR records. Run the following in the PowerShell terminal.

  6. At present we need to create an Active Directory the DHCP server uses to annals or unregister customer records on the DNS server.

  7. Use the following command to configure the credentials that the DHCP server uses to annals or unregister client records on a DNS server.

  8. Now we need to authorize the DHCP server in Agile Directoy, run the following in a PowerShell terminal.

  9. The following volition create a new DHCP telescopic and ready the telescopic options.

DNS

This will configure the DNS server.

  1. We need to add together some records to get the surround working. Run the following in a PowerShell final.

w2016-ca.contoso.com

Prerequisites

Before proceeding with the configuration, the certificate needs to take a static IP accost with a DNS pointing to the primary DNS server.

  1. Open a PowerShell terminal with privileged permissions (run as ambassador).
  2. Execute the following, which will rename the server, set a static IP with a static DNS and restart afterwards.

  3. At present we need to bring together the Contoso Advertising domain. Run the following in a PowerShell terminal with elevated permissions. The server will restart.

  4. The loopback check security feature is designed to help prevent reflection attacks on your figurer. Therefore, hallmark fails if the FQDN or the custom host header that you employ does not match the local reckoner proper name. Run in an elevated PowerShell final.

  5. Open the Windows firewall to permit traffic to the server.

Ad CS

The following will install the Windows Server part Active Directory Certificate Services.

  1. Open up a PowerShell last with privileged permissions (run every bit administrator).
  2. Execute the following, which will install the certificate authority role.

  3. At present we demand to configure the certificate say-so, use the following in a PowerShell terminal.

  4. At present we need to add together some additional roles on the document authorization for allowing clients to perform tasks such as request and renew certificates, call up certificate revocation lists (CRLs) and enroll certificates. Run the following in a PowerShell last. This might take some fourth dimension to finish.

  5. To configure the "Certification Authority Web Enrollment" run the post-obit, this volition build the virtual applications under the "Default Web Site".

  6. We now need to create a new website called "pki.contoso.com" for CDP and AIA. Run the following in an elevated PowerShell terminal.

  7. Nosotros now demand to enable double escape quoting on the newly created website. Run the following in control prompt.

  8. Configure the CA to support audit filters. Run the post-obit in an elevated command prompt.

  9. Ordinarily when you start a Windows CA server it allocates a random high port number for the service to mind on. When clients desire to enroll certificates they detect this dynamic port number past asking the CA Server's RPC Endpoint mapper that always listens on port 135.Therefor we will set a static port to brand information technology easier establishing the firewall rules. This needs done on every certificate authorization server. The document authorization role needs to be installed earlier it'southward possible to brand it static. Open "%windir%\system32\comexp.msc" as "Run as Administrator".
  10. Then scan to "Component Services", "Computers", "My Calculator", "DCOM Config" and then find "CertSrv Request" right click and select "Backdrop".AD CS
  11. Click on the "Endpoints"-tab and click on "Add".AD CS
  12. Checkmark "Use static endpoint", and write "4000" in the port text field. Click "OK" two times.
  13. Now open a command prompt terminal with "Run as Administrator". Execute the following.

  14. In the same CMD terminal, execute the post-obit.

  15. Go the following key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3}".
  16. Right click the key "{D99E6E74-FC88-11D0-B498-00A0C90312F3}", and cull "Permission".AD CS
  17. Click on "Advanced".AD CS
  18. Now click on "Change" in the "Possessor"-area.
  19. Add the "[NETBIOS]\Administrators" (supervene upon NETBIOS with the local car name). Click "OK".AD CS
  20. Click "OK" once more.AD CS
  21. Now we disable RPC for the interface ICertPassage. In an elevated command prompt, run the following command.

  22. In the same terminal execute the following. Now nosotros have changed it to a static port, but the CA Server will not change listening ports until a new document request comes in.

  23. Now re-create the certificate and revocation file to the newly created website for the CDP and AIA. Run the following in a command prompt, and choose "d" when information technology prompt yous for a file or directory.

  24. Configure the CDPs, run the following in PowerShell.

  25. Finally publish the latest certificates and CRLs and copy them to the CDP/AIA. Run the following in a command prompt.

Group Policy

Certificate Autoenrollment

In this procedure, you configure Group Policy on the domain controller and then that domain members automatically request user and estimator certificates. Doing and so allows VPN users to request and retrieve user certificates that cosign VPN connections automatically. Besides, this policy allows NPS servers to request server hallmark certificates automatically.

  1. Logon on the domain controller, and open "%SystemRoot%\system32\gpmc.msc".
  2. Navigate to "Forest: constoso.com" à "Domains" à "com". Right click on the domain and cull "Create a GPO in this domain, and Link it hither".GPO
  3. In the proper noun of the GPO type "Autoenrollment Policy", click "OK".GPO
  4. In the navigation pane, correct-click "Autoenrollment Policy", and click "Edit".GPO
  5. Navigate to "Figurer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies", correct click on "Document Services Client – Auto-Enrollment" and select "Properties".GPO
  6. In "Configuration Model" cull "Enabled", then select the post-obit, and click "OK".
    • Renew expired certificates, update awaiting certificates, and remove revoked certificates: Checked
    • Update certificates that apply certificate templates: CheckedGPO
  7. In the same policy navigate to "User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies", right click on "Document Services Client – Auto-Enrollment" and choose "Properties".GPO
  8. In "Configuration Model" cull "Enabled", then select the post-obit, and click "OK".
    1. Renew expired certificates, update pending certificates, and remove revoked certificates: Checked
    2. Update certificates that utilize document templates: CheckedGPO

Certificate Templates

In the following department we will configure certificates templates to distribute to servers and clients.

VPN Server Authentication

Earlier nosotros can create a network policy, we need to be able to enroll an "RAS and IAS Server" document to the VPN server. Execute the following on the certificate authority "w2016-ca.contoso.com".

  1. Open "%SystemRoot%\system32\certsrv.msc".
  2. Navigate to "Certification Authorisation (Local)", "Contoso-CA", then right click on "Certificate Templates" and click "Manage", this will open up a new window.CA VPN Certificate
  3. In the new window find "RAS and IAS Server", right click and select "Duplicate Template".CA VPN Certificate
  4. Now choose "Windows Server 2003" in the "Compatibility" tab.CA VPN Certificate
  5. On the "General" tab in "Template display name" write "NPS Server Authentication".CA VPN Certificate
  6. At present in the "Security" tab, add together the NPS server grouping "Contoso\sec-server-vpn", and checkmark "Enroll" and "Autoenroll" (autoenroll is not required in this example) to "Allow". Click "OK".CA VPN Certificate
  7. On the "Extensions" tab, click on "Awarding Policies" and and then "Edit".CA VPN Certificate
  8. Click on "Add".CA VPN Certificate
  9. Observe "IP security IKE intermediate", and click "OK". Calculation IP security IKE intermediate to the EKU helps in scenarios where more than than ane server hallmark certificate exists on the VPN server. When IP security IKE intermediate is nowadays, IPSec only uses the certificate with both EKU options.CA VPN Certificate
  10. On the "Asking Treatment" tab, checkmark "Allow private key to exist exported".CA VPN Certificate
  11. At present go dorsum to "%SystemRoot%\system32\certsrv.msc", right click on "Certificate Templates", and choose "New" and so "Certificate Template to Issue".CA VPN Certificate
  12. Select "VPN Server Authentication" and click "OK".CA VPN Certificate

NPS Server Authentication

This template to create is the NPS Server Authentication template. The NPS Server Authentication template is a simple copy of the RAS and IAS Server template secured to the NPS Server group.

  1. Open "%SystemRoot%\system32\certsrv.msc".
  2. Navigate to "Certification Authority (Local)", "Contoso-CA", then correct click on "Certificate Templates" and click "Manage", this will open a new window.CA VPN Certificate
  3. In the new window find "RAS and IAS Server", right click and select "Duplicate Template".CA VPN Certificate
  4. Now choose "Windows Server 2003" in the "Compatibility" tab.CA VPN Certificate
  5. In the "Template display proper name" write "NPS Server Authentication" on the "General" tab.CA NPS Certificate
  6. On the "Security" tab, add the group "Contoso\sec-server-nps" with the NPS servers, and checkmark "Enroll" and "Autoenroll". Remove the grouping "Contoso\ RAS and IAS Servers". Click "OK".CA NPS Certificate
  7. Now get back to "%SystemRoot%\system32\certsrv.msc", right click on "Certificate Templates", and cull "New" and and so "Document Template to Issue".CA NPS Certificate
  8. Select "NPS Server Authentication" and click "OK".CA NPS Certificate

User Hallmark

In this procedure, you configure a custom customer-server authentication template. This template is required considering you want to improve the certificate's overall security past selecting upgraded compatibility levels and choosing the Microsoft Platform Crypto Provider. This last change lets y'all utilise the TPM on the client computers to secure the certificate.

  1. Open up "%SystemRoot%\system32\certsrv.msc".
  2. Navigate to "Certification Authorisation (Local)", "Contoso-CA", then right click on "Document Templates" and click "Manage", this will open a new window.CA VPN Certificate
  3. In the new window find "User", right click and select "Indistinguishable Template".CA User Certificate
  4. In the "General" tab, write "VPN User Authentication" in the "Template display name" text field, and and then clear "Publish certificate in Active Directory".CA User Certificate
  5. On the "Security" tab, add together the grouping "sec-vpn-users", so checkmark "Enroll" and "Autoenroll".CA User Certificate
  6. On the "Request Handling" tab, clear the "Let private cardinal to be exported" check box.CA User Certificate
  7. On the "Compatibility" tab, in the "Certification Authority" dropdown choose "Windows Server 2012 R2", and in "Certificate recipient" choose "Windows 8.ane / Windows Server 2012 R2".CA User Certificate
  8. On the "Cryptography" in "Provider Category", choose "Cardinal Storage Provider" and check "Requests must use one of the following providers" and checkmark "Microsoft Platform Crypto Provider". If you are on a virtual motorcar, y'all also need to permit "Microsoft Software Key Storage Provider". CA User Certificate
  9. In the "Subject Name" tab, clear "Include east-mail proper noun in subject field proper name" and "East-mail name". Then click "OK".CA User Certificate
  10. At present go back to "%SystemRoot%\system32\certsrv.msc", right click on "Certificate Templates", and choose "New" and and so "Certificate Template to Upshot".CA User Certificate
  11. Choose "VPN User Authentication", click "OK".CA User Certificate

Device Authentication

This certificate volition be enrolled to the workstation, and allows the client to make a device VPN tunnel.

  1. Open up "%SystemRoot%\system32\certsrv.msc".
  2. Navigate to "Certification Authority (Local)", "Contoso-CA", and so correct click on "Certificate Templates" and click "Manage", this will open a new window.CA VPN Certificate
  3. In the new window find "Workstation Authentication", right click and select "Duplicate Template".CA Device Certificate
  4. In the "Full general" tab, write "VPN Device Authentication" in the "Template display proper name" text field, and then clear "Publish certificate in Active Directory".CA Device Certificate
  5. On the "Security" tab, add the group "Domain Computers", then checkmark "Read", "Enroll" and "Autoenroll". Click "OK" twice.CA Device Certificate
  6. Now go back to "%SystemRoot%\system32\certsrv.msc", correct click on "Certificate Templates", and choose "New" and and so "Certificate Template to Issue".CA Device Certificate
  7. Choose "VPN Device Authentication", click "OK".CA Device Certificate

w2016-nps.contoso.com

The following procedure volition configure the RADIUS server to authenticate users and devices trying to found connection through VPN.

Prerequisites

Earlier proceeding with the configuration, the network policy server (RADIUS) needs to take a static IP address with a DNS pointing to the main DNS server, and should be joined the Contoso domain.

  1. Open up a PowerShell terminal with privileged permissions (run as ambassador).
  2. Execute the following, which volition rename the server, set a static IP with a static DNS and restart later.

  3. At present we need to join the Contoso AD domain. Run the post-obit in a PowerShell last with elevated permissions. The server will restart.

  4. Open the Windows firewall to allow traffic to the server.

NPS

The post-obit will install and setup the network policy server (NPS) also known equally a RADIUS server.

  1. Open a PowerShell last with privileged permissions (run as administrator).
  2. Execute the post-obit which will install the NPS.

  3. Annals the NPS server in Active Directory. Run the following in an elevated command prompt.

  4. We demand to add the "w2016-ras.contoso.com" equally a RADIUS client. Run the following in a PowerShell terminal with elevated permissions.

  5. Open "%windir%\system32\nps.msc".
  6. Choose "RADIUS server for Dial-up or VPN Connections" and click "Configure VPN or Dial-up".NPS Connection
  7. Choose "Virtual Individual Network (VPN) Connections" and click "Adjacent".NPS Connection
  8. Click "Next" again.NPS Connection
  9. Clear the "Microsoft Encrypted Authentication version 2 (MS-CHAPv2)" checkbox, and checkmark "Extensible Hallmark Protocol" and in the dropdown cull "Microsoft: Protected EAP (PEAP)". Click on "Configure".NPS Connection
  10. Select "Secured password (EAP-MSCHAP v2)" and click "Remove".NPS Connection
  11. Now click "Add".NPS Connection
  12. Highlight "Smart Menu or other certificate" and click "OK" twice.NPS Connection
  13. At present click "Side by side".NPS Connection
  14. Now add "sec-vpn-users", click "Adjacent" iii times.NPS Connection
  15. Click "End".NPS Connection

w2016-ras.contoso.com

This server is running the RRAS function. Employ the following instructions to setup Remote Access equally a RAS Gateway VPN Server.

RRAS is designed to perform well as both a router and a remote admission server because it supports a wide array of features. For the purposes of this deployment, you require only a small subset of these features: support for IKEv2 VPN connections and LAN routing.

It is important to:

  • Install two Ethernet network adapters in the physical server. If y'all are installing the VPN server on a VM, you must create 2 External virtual switches, one for each physical network adapter; and then create two virtual network adapters for the VM, with each network adapter connected to i virtual switch.
  • Install the server on your perimeter network between your edge and internal firewalls, with ane network adapter connected to the External Perimeter Network, and ane network adapter connected to the Internal Perimeter Network. This will not be demonstrated.

Prerequisites

Earlier proceeding with the configuration, the domain controller needs to have a static IP address with a DNS pointing to itself, and join the Contoso domain.

  1. Open a PowerShell terminal with privileged permissions (run as administrator).
  2. Execute the post-obit, which will rename the server, set a static IP with a static DNS for the network card in the internal network and restart afterwards.
  3. Now we need to join the Contoso AD domain. Run the following in a PowerShell terminal with elevated permissions. The server will restart.
  4. Open up the Windows firewall to allow traffic to the server.

RRAS

This process will install the RRAS role, and configure information technology to let only IKEv2 connections.

  1. Open a PowerShell terminal with privileged permissions (run every bit administrator).
  2. Execute the following which will install the RAS.
  3. Restart the server (this is a requirement before enrolling the certificate).
  4. Open "mmc.exe", click on "File" and and then "Add/Remove Snap-in".RRAS Configuration
  5. Choose "Certificates" and click "Add".RRAS Configuration
  6. Choose "Computer account", and click "Next" and then "Terminate".RRAS Configuration
  7. At present click "OK".RRAS Configuration
  8. Navigate to "Certificates (Local Reckoner)" à "Personal". Right click on "Personal", choose "All Tasks" and click on "Request New Certificate".RRAS Configuration
  9. Click "Next".RRAS Configuration
  10. One time once more click "Side by side".RRAS Configuration
  11. Checkmark "VPN Server Authentication", click on "Properties".RRAS Configuration
  12. Under "Subject" tab configure the following values. Then click "OK".
    • Subject name:Common proper noun: vpn.contoso.comAlternative name:DNS: vpn.contoso.comDNS: w2016-ras.contoso.comDNS: w2016-rasDNS: 192.168.0.xl

      DNS: <external ip>RRAS Configuration

  13. Click on "Enroll".RRAS Configuration
  14. Open "%SystemRoot%\system32\ServerManager.exe".
  15. Click on "Open the Getting Started Wizard" under notifications.RRAS Configuration
  16. If no window open, minimize all windows to see if it's hidden. Click on "Deploy VPN only".RRAS Configuration
  17. Correct click on "W2016-RAS (local)" and choose "Configure and Enable Routing and Remote Access".RRAS Configuration
  18. Click "Next".RRAS Configuration
  19. Choose "Custom configuration" and click "Next".RRAS Configuration
  20. Checkmark "VPN access" then Click "Next".RRAS Configuration
  21. Click on "Finish".RRAS Configuration
  22. Click on "OK" once more.RRAS Configuration
  23. Now click "Kickoff service".RRAS Configuration
  24. Correct click on "W2016-RAS (local)", and choose "Properties".RRAS Configuration
  25. On the "Security" tab, choose "RADIUS Hallmark" as the authentication provider. Then click on "Configure".RRAS Configuration
  26. Click on "Add together".RRAS Configuration
  27. Now enter "w2016-nps.contoso.com" in server proper noun and type the shared underground. Click "OK" two times.RRAS Configuration
  28. On the "IPv4" tab, choose the adapter that is on the internal network in this example "Internal". Then click "OK".RRAS Configuration
  29. Under "W2016-RAS (local)" right click on "Ports" and choose "Backdrop".RRAS Configuration
  30. Select "WAN Miniport (SSTP)" and click "Configure".RRAS Configuration
  31. Articulate "Remote access connections (entering only)" and "Demand-dial routing connections (inbound and outbound)". Click on "OK".RRAS Configuration
  32. Repeat pace 19 and 20 for "WAN Miniport (L2TP)", "WAN Miniport (PPPoE)" (Uncheck "Need-dial routing connections (outbound only)") and "WAN Miniport (PPTP)".
  33. If you are using Windows Server 2012 R2 or Windows Server 2016 Routing and Remote Access Service (RRAS) equally your VPN server, you must enable auto certificate hallmark for VPN connections and define a root certification authority for which incoming VPN connections volition be authenticated with. To exercise this, open up an elevated PowerShell command and run the following commands.
  34. Now reboot the server.

w10-client.contoso.com

On this device we are going to create the VPN profile template, so nosotros can push it to other machines either through grouping policy or Intune.

Prerequisites

Earlier proceeding with the configuration, the client need to exist renamed and joined the domain.

  1. Open a PowerShell terminal with privileged permissions (run as administrator).
  2. Execute the following, which will rename the client and restart afterwards.
  3. Now we need to join the Contoso AD domain. Run the post-obit in a PowerShell terminal with elevated permissions. The server will restart.
  4. Due to this beingness setup in a lab, when need to edit the customer hosts file. Open notepad as administrator, and open the file "C:\Windows\System32\drivers\etc\hosts", and so add the following line to the file.

Client VPN Template

This will create the VPN template for customer devices. Y'all will need to download the PsExec to the customer auto, before post-obit the procedure.

  1. Open a command prompt every bit ambassador.
  2. Change path to the downloaded PsExec utility, and run the post-obit.
  3. A new window volition open up, in this window type "powershell.exe".
  4. At present copy the following into a XML file and salvage it (in this example we save it on the desktop). Name it "vpn.contoso.com.xml"
  5. At present save the following powershell script (again in this case we save it to the desktop). Name it "VPN_Profile_Device.ps1".

  6. In the PowerShell final that was open up from PsExec, run the following.

  7. At present try to move the device to the external network in the lab. The profile should automatically connect to the VPN.

You are washed configuring your lab, the but affair left is to distribute the VPN profile through your mean of pick!

If you lot accept any bug of questions please experience complimentary to comment below.

DOWNLOAD HERE

Posted by: stevenswiturver1957.blogspot.com

Post a Comment

Previous Post Next Post

Iklan Banner setelah judul