Cant Download Config File From Mdm Server
Tutorial – Deploy Always On VPN

Always On VPN provides a single, cohesive solution for remote access and supports domain-joined, non-domain-joined (workgroup), or Azure AD–joined devices, fifty-fifty personally owned devices. With E'er On VPN, the connection type does not have to be exclusively user or device but can be a combination of both. For example, you could enable device authentication for remote device management, and and then enable user hallmark for connectivity to internal company sites and services.
The purpose for this guide is to demonstrate how to deploy the E'er On feature easily. In this guide we volition deploy the following platforms primarily using PowerShell where possible:
- Active Directory (Advertisement DS)
- DNS
- Certificate Authority (Advertizing CS)
- DHCP
- Routing and Remote Access Service (RRAS)
- Network Policy Server (RADIUS)
Information technology volition non be demonstrated how to install Windows Server or Windows 10 operating arrangement.
Practice non attempt to deploy Remote Access on a virtual machine (VM) in Microsoft Azure. Using Remote Access in Microsoft Azure is non supported, including both Remote Access VPN and DirectAccess.
Conditional admission through Azure Ad will not be demonstrated in this guide, but see the following resources for that:
- https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal
Target Audition
This guide is targeted to operations engineers in Microsoft Server products. The target needs to take knowledge in the following technologies:
- PowerShell
- Windows Server
- Windows ten
The target also need to have some bones agreement of:
- DHCP
- DNS
- Active Directory (Advert DS)
- PKI infrastructure (AD CS)
- VPN (IKEv2/SSTP)
- Network Knowledge (IP, UDP, TCP)
- RADIUS
- Hypervisors (Virtualbox, VMware, HyperV)
Definitions
In the tutorial I will use brusk names, then hither is a brief list of the significant of those names.
| Definition | Name |
| AD DS | Active Directory Directory Services |
| Advertising CS | Active Directory Certificate Services |
| PKI | Public Key Infrastructure |
| DHCP | Dynamic Host Configuration Protocol |
| IKEv2 | Internet Key Exchange Version 2 |
| IP | Internet Protocol |
| UDP | User Datagram Protocol |
| TCP | Transmission Control Protocol |
| RADIUS | Remote Authentication Dial-In User Service |
| VPN | Fiveirtual Private Due northetwork |
| HDD | Hard Disk Drive |
| ACL | Access Control List |
| CRL | Certificate Revocation 50ist |
| CDP | CRL Distribution Point |
| AIA | Authority Information Access |
Limitations
For this deployment, it is non a requirement that your infrastructure servers, such as computers running Agile Directory Domain Services, Active Directory Certificate Services, and Network Policy Server, are running Windows Server 2016. You can use earlier versions of Windows Server, such every bit Windows Server 2012 R2, for the infrastructure servers and for the server that is running Remote Access.
Hardware Recommendations
For all servers in this guide the following is a minimum requirement:
- Processor: one.4Ghz 64-chip processor.
- RAM: 512 MB.
- Disk Space: 32 GB.
- Network: Gigabit (ten/100/1000baseT) Ethernet adapter.
- Optical Storage: DVD drive (if installing the Os from DVD media)
Overview
Technical Drawing

Ever On VPN – Overview
Servers
The following is a overview all servers/cllients used in this lab.
| FQDN | IP(s) | Role(s) | Description |
| w2016-dc.constoso.com | 192.168.0.10 | Advertising DS; DHCP | Domain Controller |
| w2016-ca.constoso.com | 192.168.0.xx | AD CS | Certificate Authorisation |
| w2016-nps.constoso.com | 192.168.0.30 | NPS | Network Policy Server aka. RADIUS |
| w2016-ras.constoso.com | 192.168.0.xl; External IP | RRAS | VPN gateway |
| w10-client.constoso.com | External IP | Client | Device that is connecting to the VPN |
DNS-records
At that place are besides some DNS-records that needs to be established. Here is a short overview of those.
| Record | Type | IP/Alias | Internal/External |
| vpn.contoso.com | A | w2016-ras.constoso.com | External |
| pki.contoso.com | A | 192.168.0.20 | Internal |
TCP/UDP
In this guide, all servers are located in the aforementioned subnet, which means at that place is no firewall between the servers for simplicity. It'south best exercise to split the servers into multiple subnets protected past one or more firewall(s). Fifty-fifty though the servers are placed in the same subnet, it'southward still required to open the ports in firewall on Windows.
w2016-dc.constoso.com
| Protocol & Port | Usage | Blazon of traffic |
| TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP |
| TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL |
| TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC |
| TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL |
| TCP and UDP 88 | User and Computer Authentication, Wood Level Trusts | Kerberos |
| TCP and UDP 53 | User and Reckoner Authentication, Proper noun Resolution, Trusts | DNS |
| TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB,CIFS,SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc |
| TCP 25 | Replication | SMTP |
| TCP 135 | Replication | RPC, EPM |
| TCP Dynamic | Replication, User and Estimator Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS |
| TCP 5722 | File Replication | RPC, DFSR (SYSVOL) |
| UDP 123 | Windows Time, Trusts | Windows Time |
| TCP and UDP 464 | Replication, User and Figurer Hallmark, Trusts | Kerberos alter/prepare password |
| UDP Dynamic | Group Policy | DCOM, RPC, EPM |
| UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service |
| TCP 9389 | AD DS Web Services | Lather |
| UDP 67 and UDP 2535 | DHCP DHCP is not a cadre AD DS service but it is often nowadays in many Advert DS deployments. | DHCP, MADCAP |
| UDP 137 | User and Computer Authentication, | NetLogon, NetBIOS Name Resolution |
| TCP 139 | User and Computer Hallmark, Replication | DFSN, NetBIOS Session Service, NetLogon |
w2016-ca.constoso.com
| Protocol & Port | Usage | Type of traffic |
| TCP/4000 | Document Enrolling | RPC |
| TCP/80 | AIA & CDP | HTTP |
w2016-nps.constoso.com
| Protocol & Port | Usage | Type of traffic |
| UDP 1645 | authentication and authorization | RADIUS |
| UDP 1646 | accounting | RADIUS |
| UDP 1812 | authentication and dominance | RADIUS |
| UDP 1813 | accounting | RADIUS |
w2016-ras.constoso.com
| Protocol & Port | Usage | Blazon of traffic |
| UDP 500 | IKEv2 | VPN |
| UDP 4500 | IKEv2 | VPN |
Accounts and Keys
Groups
We are also going to create som Active Directory groups.
| Group Scope | Group Type | samAccountName | Description |
| Global | Security | Contoso\sec-server-nps | Group that contains all NPS computer objects. |
| Global | Security | Contoso\sec-server-vpn | Grouping that contains all VPN (RRAS) figurer objects. |
| Global | Security | Contoso\sec-vpn-users | Members in this group are allowed to use the VPN connectedness. |
Users
Here is an overview of users, their password and usage.
| Username | Password | Description |
| Administrator | Pa$$w0rd | Local Administrator |
| Contoso\Administrator | Pa$$w0rd | Contoso Domain Administrator |
| Contoso\su-dhcp-update | Pa$$w0rd | DHCP/DNS dynamic update service account |
Keys
Nosotros are too going to apply some shared secrets.
| Key | Description |
| a7wr8urQKbmwD27m | Directory Services Restore Mode (DSRM) |
| 4hG9sBtW9hL2GGSE | RADIUS Shared Secret for w2016-ras.contoso.com |
Configuration
Nosotros are now going to configure all servers from scratch, let's get started!
w2016-dc.constoso.com
This server is running Active Directory, DNS and the DHCP function. Utilise the following instructions to setup a new AD forest, DNS and the DHCP server.
Prerequisites
Before proceeding with the configuration, the domain controller needs to accept a static IP address with a DNS pointing to itself.
- Open a PowerShell final with privileged permissions (run as ambassador).
- Execute the following, which volition rename the server, set a static IP with a static DNS and restart afterwards.
#Rename the server.
Rename-Computer -NewName W2016-DC -Restart $false ;
#Static IP and DNS.
$IP = "192.168.0.10"
$DNS = "127.0.0.1"
#Set static IP with DNS.
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress $IP -AddressFamily IPv4 -PrefixLength 24;
Set -DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses $DNS ;
#Restart the server.
Restart-Estimator -Force ;
- Open in the firewall to allow traffic to the server.
New-NetFirewallRule -DisplayName "DHCP (TCP) - Entering" -Management Inbound -LocalPort 67 -Protocol TCP -Action Allow ;
New-NetFirewallRule -DisplayName "DHCP (UDP) - Entering" -Management Entering -LocalPort 67 -Protocol UDP -Activity Allow ;
New-NetFirewallRule -DisplayName "MADCAP (TCP) - Entering" -Direction Inbound -LocalPort 2535 -Protocol TCP -Activity Allow ;
New-NetFirewallRule -DisplayName "MADCAP (UDP) - Entering" -Management Inbound -LocalPort 2535 -Protocol UDP -Action Allow ;
AD DS
The following will install the Windows Server role Agile Directory Domain Services.
- Open a PowerShell terminal with privileged permissions (run as administrator).
- Execute the following.
Install-WindowsFeature AD-Domain -Services -IncludeManagementTools -Confirm : $faux ;
- The following will create an Active Directory with "contoso.com" as the domain name and "Contoso" as the NETBIOS name. The server will restart automatically, during configuration.
#Directory Services Restore Style (DSRM).
$DSRM = ( "a7wr8urQKbmwD27m" | ConvertTo-SecureString -AsPlainText -Force )
#Install an Active Directory forest.
Import-Module ADDSDeployment ;
Install-ADDSForest -DomainName "contoso.com" -DomainNetbiosName "Contoso" -NoDnsOnNetwork -InstallDNS -SafeModeAdministratorPassword $DSRM -Confirm : $false ;
- When the server have restarted, login with the domain administrator credentials.
Users and Groups
The following script, will create all necessary users and groups in Agile Directory.
- We need to create some groups and add together members to them. Note that all servers and workstations needs to be joined the domain before the following code volition work.
#Add new group(southward).
New-ADGroup -GroupCategory Security -GroupScope Global -Proper noun "sec-server-nps" ;
New-ADGroup -GroupCategory Security -GroupScope Global -Name "sec-server-vpn" ;
New-ADGroup -GroupCategory Security -GroupScope Global -Name "sec-vpn-users" ;
#Add members to group.
Add-ADGroupMember -Identity "sec-server-nps" -Members "w2016-nps$" ;
Add-ADGroupMember -Identity "sec-server-vpn" -Members "w2016-ras$" ;
Add together-ADGroupMember -Identity "sec-vpn-users" -Members "Domain Users" ;
Add together-ADGroupMember -Identity "sec-vpn-users" -Members "Domain Computers" ;
DHCP
The post-obit will install the Windows Server role DHCP.
- Open a PowerShell last with privileged permissions (run equally administrator).
- Execute the following, which will install the DHCP function.
Add together - WindowsFeature - IncludeManagementTools DHCP - Confirm : $ false ;
Set - ItemProperty –Path registry :: HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ ServerManager \ Roles \ 12 –Name ConfigurationState –Value 2 ;
- Now nosotros demand to create the security groups "DHCP Administrators" and "DHCP Users" on the local DHCP server. Open a control prompt with privileged permissions (run as administrator) and execute the following.
netsh dhcp add securitygroups
- Now go back to the PowerShell terminal and run the following, which will restart the DHCP service.
Restart-Service DHCPServer ;
- Now we need to let the DHCP to update A and PTR records. Run the following in the PowerShell terminal.
Prepare -DhcpServerv4DnsSetting -ComputerName "W2016-DC.contoso.com" -DynamicUpdates "Ever" -DeleteDnsRRonLeaseExpiry $True ;
- At present we need to create an Active Directory the DHCP server uses to annals or unregister customer records on the DNS server.
#Advert user password.
$Password = 'Pa$$w0rd' | ConvertTo-SecureString -AsPlainText -Force ;
#Create the new user.
New-ADUser -Name "su-dhcp-update" -SamAccountName "su-dhcp-update" -UserPrincipalName "su-dhcp-update@contoso.com" -AccountPassword $Password -Confirm : $false -Enabled $true ;
- Use the following command to configure the credentials that the DHCP server uses to annals or unregister client records on a DNS server.
#Credentials.
$Username = "Contoso\su-dhcp-update" ;
$Password = 'Pa$$w0rd' | ConvertTo-SecureString -AsPlainText -Force ;
$Credential = New-Object -TypeName System . Management . Automation . PSCredential -ArgumentList $Username , $Password ;
#Set DNS credential.
Set -DhcpServerDnsCredential -Credential $Credential -ComputerName "W2016-DC.contoso.com" ;
- Now we need to authorize the DHCP server in Agile Directoy, run the following in a PowerShell terminal.
#Authorize the DHCP server in AD.
Add together-DhcpServerInDC -DnsName "W2016-DC.contoso.com" -IPAddress "192.168.0.10" ;
- The following volition create a new DHCP telescopic and ready the telescopic options.
#Add a new DHCP scope.
Add together-DhcpServerv4Scope -name "Clients" -StartRange "192.168.0.100" -EndRange "192.168.0.200" -SubnetMask 255.255.255.0 -State Active ;
#Set DHCP scope options.
Ready -DhcpServerv4OptionValue -ComputerName "W2016-DC.contoso.com" -ScopeId 192.168.0.0 -DnsServer 192.168.0.10 -DnsDomain "contoso.com" ;
DNS
This will configure the DNS server.
- We need to add together some records to get the surround working. Run the following in a PowerShell final.
Add-DnsServerResourceRecordA -Name "pki" -ZoneName "contoso.com" -IPv4Address "192.168.0.20" ;
w2016-ca.contoso.com
Prerequisites
Before proceeding with the configuration, the certificate needs to take a static IP accost with a DNS pointing to the primary DNS server.
- Open a PowerShell terminal with privileged permissions (run as ambassador).
- Execute the following, which will rename the server, set a static IP with a static DNS and restart afterwards.
#Rename the server.
Rename-Computer -NewName W2016-CA ;
#Static IP and DNS.
$IP = "192.168.0.20"
$DNS = "192.168.0.ten"
#Gear up static IP with DNS.
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress $IP -AddressFamily IPv4 -PrefixLength 24;
Set -DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses $DNS ;
#Restart the server.
Restart-Calculator -Force ;
- At present we need to bring together the Contoso Advertising domain. Run the following in a PowerShell terminal with elevated permissions. The server will restart.
#Credentials.
$Username = "Contoso\Administrator" ;
$Password = 'Pa$$w0rd' | ConvertTo-SecureString -AsPlainText -Force ;
$Credential = New-Object -TypeName Organisation . Direction . Automation . PSCredential -ArgumentList $Username , $Password ;
#Join the server to the domain.
Add-Calculator -DomainName "contoso.com" -Credential $Credential -Restart ;
- The loopback check security feature is designed to help prevent reflection attacks on your figurer. Therefore, hallmark fails if the FQDN or the custom host header that you employ does not match the local reckoner proper name. Run in an elevated PowerShell final.
New-ItemProperty HKLM : \ Arrangement \ CurrentControlSet \ Control \ Lsa -Name "DisableLoopbackCheck" -Value "1" -PropertyType dword ;
- Open the Windows firewall to permit traffic to the server.
New-NetFirewallRule -DisplayName "HTTP (TCP) - Entering" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow ;
New-NetFirewallRule -DisplayName "HTTPS (TCP) - Entering" -Management Inbound -LocalPort 443 -Protocol TCP -Action Allow ;
New-NetFirewallRule -DisplayName "CA (TCP) - Inbound" -Management Inbound -LocalPort 4000 -Protocol TCP -Action Allow ;
New-NetFirewallRule -DisplayName "CA (UDP) - Inbound" -Management Entering -LocalPort 4000 -Protocol UDP -Action Allow ;
Ad CS
The following will install the Windows Server part Active Directory Certificate Services.
- Open up a PowerShell last with privileged permissions (run every bit administrator).
- Execute the following, which will install the certificate authority role.
Install-WindowsFeature Adcs -cert -Dominance -IncludeManagementTools ;
- At present we demand to configure the certificate say-so, use the following in a PowerShell terminal.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa `
-CACommonName "Contoso-CA" `
-CADistinguishedNameSuffix "O=Contoso,C=Us" `
-KeyLength 2048 `
-HashAlgorithmName SHA256 `
-CryptoProviderName "RSA#Microsoft Software Central Storage Provider" `
-DatabaseDirectory "C:\Windows\system32\CertLog" `
-LogDirectory "C:\Windows\system32\CertLog" `
-ValidityPeriod Years `
-ValidityPeriodUnits 5 `
-Confirm : $false ;
- At present we need to add together some additional roles on the document authorization for allowing clients to perform tasks such as request and renew certificates, call up certificate revocation lists (CRLs) and enroll certificates. Run the following in a PowerShell last. This might take some fourth dimension to finish.
Add together-WindowsFeature ADCS-Enroll -Web -Pol , ADCS-Enroll -Web -Svc , ADCS-Web -Enrollment , Web-Server , Web-WebServer , Web-Common -Http , Spider web-Default -Dr. , Web-Dir -Browsing , Web-Http -Errors , Web-Static -Content , Web-Http -Redirect , Spider web-Health , Web-Http -Logging , Web-Log -Libraries , Web-Request -Monitor , Web-Http -Tracing , Web-Functioning , Web-Stat -Compression , Web-Security , Spider web-Filtering , Web-Client -Auth , Web-Cert -Auth , Spider web-Windows -Auth , Web-App -Dev , Web-Net -Ext45 , Web-ASP , Web-Asp -Net45 , Web-ISAPI -Ext , Web-ISAPI -Filter , Web-Mgmt -Tools , Spider web-Mgmt -Console , Web-Mgmt -Compat , Spider web-Metabase , Web-Scripting -Tools , NET-Framework -45 -ASPNET , NET-WCF -Services45 , NET-WCF -HTTP -Activation45 , NET-WCF -TCP -PortSharing45 ;
- To configure the "Certification Authority Web Enrollment" run the post-obit, this volition build the virtual applications under the "Default Web Site".
Install-AdcsWebEnrollment -Confirm : $simulated ;
- We now need to create a new website called "pki.contoso.com" for CDP and AIA. Run the following in an elevated PowerShell terminal.
#Create a new directory for the website.
New-Item -Path "C:\inetpub\wwwroot\pki.contoso.com\pki" -ItemType Directory -Force ;
#Create the new website.
New-WebSite -Name "pki.contoso.com" -Port eighty -HostHeader "pki.contoso.com" -PhysicalPath "C:\inetpub\wwwroot\pki.contoso.com" ;
- Nosotros now demand to enable double escape quoting on the newly created website. Run the following in control prompt.
cd "C:\Windows\System32\inetsrv"
Appcmd set up config "pki.contoso.com" /section:organisation.webServer /Security/requestFiltering -allowDoubleEscaping :True
- Configure the CA to support audit filters. Run the post-obit in an elevated command prompt.
certutil -setreg CA\AuditFilter 127
- Ordinarily when you start a Windows CA server it allocates a random high port number for the service to mind on. When clients desire to enroll certificates they detect this dynamic port number past asking the CA Server's RPC Endpoint mapper that always listens on port 135.Therefor we will set a static port to brand information technology easier establishing the firewall rules. This needs done on every certificate authorization server. The document authorization role needs to be installed earlier it'southward possible to brand it static. Open "%windir%\system32\comexp.msc" as "Run as Administrator".
- Then scan to "Component Services", "Computers", "My Calculator", "DCOM Config" and then find "CertSrv Request" right click and select "Backdrop".
- Click on the "Endpoints"-tab and click on "Add".
- Checkmark "Use static endpoint", and write "4000" in the port text field. Click "OK" two times.
- Now open a command prompt terminal with "Run as Administrator". Execute the following.
cyberspace cease certsvc
net start certsvc
- In the same CMD terminal, execute the post-obit.
- Go the following key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3}".
- Right click the key "{D99E6E74-FC88-11D0-B498-00A0C90312F3}", and cull "Permission".
- Click on "Advanced".
- Now click on "Change" in the "Possessor"-area.
- Add the "[NETBIOS]\Administrators" (supervene upon NETBIOS with the local car name). Click "OK".
- Click "OK" once more.
- Now we disable RPC for the interface ICertPassage. In an elevated command prompt, run the following command.
certutil -setreg ca\interfaceflags +0x8
- In the same terminal execute the following. Now nosotros have changed it to a static port, but the CA Server will not change listening ports until a new document request comes in.
net stop certsvc
cyberspace start certsvc
- Now re-create the certificate and revocation file to the newly created website for the CDP and AIA. Run the following in a command prompt, and choose "d" when information technology prompt yous for a file or directory.
xcopy "C:\Windows\System32\CertSrv\CertEnroll\*" "C:\inetpub\wwwroot\pki.contoso.com\pki" /south /d /z
- Configure the CDPs, run the following in PowerShell.
1
2
3
4
5
six
seven
8
9
10
11
12
xiii
14
15
xvi
17
18
19
20
#Get all CDPs.
$CRLList = Go-CACrlDistributionPoint ;
#Foreach each CDP.
Foreach ( $CRL in $CRLList )
{
Remove-CACrlDistributionPoint $CRL . uri -Forcefulness ;
}
#Restart the CA service.
cyberspace stop certsvc
net start certsvc
#Add CDPs.
Add together-CACRLDistributionPoint -Uri C : \ Windows \ System32 \ CertSrv \ CertEnroll \ %iii%8%nine. crl -PublishToServer -PublishDeltaToServer -Force ;
Add-CACRLDistributionPoint -Uri "http://pki.contoso.com/pki/%3%8%9.crl" -AddToCertificateCDP -Force ;
#Restart the CA service.
net stop certsvc
net beginning certsvc
- Finally publish the latest certificates and CRLs and copy them to the CDP/AIA. Run the following in a command prompt.
certutil -crl
xcopy "C:\Windows\System32\CertSrv\CertEnroll\*" "C:\inetpub\wwwroot\pki.contoso.com\pki" /due south /d /z
cyberspace end certsvc
net start certsvc
Group Policy
Certificate Autoenrollment
In this procedure, you configure Group Policy on the domain controller and then that domain members automatically request user and estimator certificates. Doing and so allows VPN users to request and retrieve user certificates that cosign VPN connections automatically. Besides, this policy allows NPS servers to request server hallmark certificates automatically.
- Logon on the domain controller, and open "%SystemRoot%\system32\gpmc.msc".
- Navigate to "Forest: constoso.com" Ã "Domains" Ã "com". Right click on the domain and cull "Create a GPO in this domain, and Link it hither".
- In the proper noun of the GPO type "Autoenrollment Policy", click "OK".
- In the navigation pane, correct-click "Autoenrollment Policy", and click "Edit".
- Navigate to "Figurer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies", correct click on "Document Services Client – Auto-Enrollment" and select "Properties".
- In "Configuration Model" cull "Enabled", then select the post-obit, and click "OK".
- Renew expired certificates, update awaiting certificates, and remove revoked certificates: Checked
- Update certificates that apply certificate templates: Checked
- In the same policy navigate to "User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies", right click on "Document Services Client – Auto-Enrollment" and choose "Properties".
- In "Configuration Model" cull "Enabled", then select the post-obit, and click "OK".
- Renew expired certificates, update pending certificates, and remove revoked certificates: Checked
- Update certificates that utilize document templates: Checked
Certificate Templates
In the following department we will configure certificates templates to distribute to servers and clients.
VPN Server Authentication
Earlier nosotros can create a network policy, we need to be able to enroll an "RAS and IAS Server" document to the VPN server. Execute the following on the certificate authority "w2016-ca.contoso.com".
- Open "%SystemRoot%\system32\certsrv.msc".
- Navigate to "Certification Authorisation (Local)", "Contoso-CA", then right click on "Certificate Templates" and click "Manage", this will open up a new window.
- In the new window find "RAS and IAS Server", right click and select "Duplicate Template".
- Now choose "Windows Server 2003" in the "Compatibility" tab.
- On the "General" tab in "Template display name" write "NPS Server Authentication".
- At present in the "Security" tab, add together the NPS server grouping "Contoso\sec-server-vpn", and checkmark "Enroll" and "Autoenroll" (autoenroll is not required in this example) to "Allow". Click "OK".
- On the "Extensions" tab, click on "Awarding Policies" and and then "Edit".
- Click on "Add".
- Observe "IP security IKE intermediate", and click "OK". Calculation IP security IKE intermediate to the EKU helps in scenarios where more than than ane server hallmark certificate exists on the VPN server. When IP security IKE intermediate is nowadays, IPSec only uses the certificate with both EKU options.
- On the "Asking Treatment" tab, checkmark "Allow private key to exist exported".
- At present go dorsum to "%SystemRoot%\system32\certsrv.msc", right click on "Certificate Templates", and choose "New" and so "Certificate Template to Issue".
- Select "VPN Server Authentication" and click "OK".
NPS Server Authentication
This template to create is the NPS Server Authentication template. The NPS Server Authentication template is a simple copy of the RAS and IAS Server template secured to the NPS Server group.
- Open "%SystemRoot%\system32\certsrv.msc".
- Navigate to "Certification Authority (Local)", "Contoso-CA", then correct click on "Certificate Templates" and click "Manage", this will open a new window.
- In the new window find "RAS and IAS Server", right click and select "Duplicate Template".
- Now choose "Windows Server 2003" in the "Compatibility" tab.
- In the "Template display proper name" write "NPS Server Authentication" on the "General" tab.
- On the "Security" tab, add the group "Contoso\sec-server-nps" with the NPS servers, and checkmark "Enroll" and "Autoenroll". Remove the grouping "Contoso\ RAS and IAS Servers". Click "OK".
- Now get back to "%SystemRoot%\system32\certsrv.msc", right click on "Certificate Templates", and cull "New" and and so "Document Template to Issue".
- Select "NPS Server Authentication" and click "OK".
User Hallmark
In this procedure, you configure a custom customer-server authentication template. This template is required considering you want to improve the certificate's overall security past selecting upgraded compatibility levels and choosing the Microsoft Platform Crypto Provider. This last change lets y'all utilise the TPM on the client computers to secure the certificate.
- Open up "%SystemRoot%\system32\certsrv.msc".
- Navigate to "Certification Authorisation (Local)", "Contoso-CA", then right click on "Document Templates" and click "Manage", this will open a new window.
- In the new window find "User", right click and select "Indistinguishable Template".
- In the "General" tab, write "VPN User Authentication" in the "Template display name" text field, and and then clear "Publish certificate in Active Directory".
- On the "Security" tab, add together the grouping "sec-vpn-users", so checkmark "Enroll" and "Autoenroll".
- On the "Request Handling" tab, clear the "Let private cardinal to be exported" check box.
- On the "Compatibility" tab, in the "Certification Authority" dropdown choose "Windows Server 2012 R2", and in "Certificate recipient" choose "Windows 8.ane / Windows Server 2012 R2".
- On the "Cryptography" in "Provider Category", choose "Cardinal Storage Provider" and check "Requests must use one of the following providers" and checkmark "Microsoft Platform Crypto Provider". If you are on a virtual motorcar, y'all also need to permit "Microsoft Software Key Storage Provider".
- In the "Subject Name" tab, clear "Include east-mail proper noun in subject field proper name" and "East-mail name". Then click "OK".
- At present go back to "%SystemRoot%\system32\certsrv.msc", right click on "Certificate Templates", and choose "New" and and so "Certificate Template to Upshot".
- Choose "VPN User Authentication", click "OK".
Device Authentication
This certificate volition be enrolled to the workstation, and allows the client to make a device VPN tunnel.
- Open up "%SystemRoot%\system32\certsrv.msc".
- Navigate to "Certification Authority (Local)", "Contoso-CA", and so correct click on "Certificate Templates" and click "Manage", this will open a new window.
- In the new window find "Workstation Authentication", right click and select "Duplicate Template".
- In the "Full general" tab, write "VPN Device Authentication" in the "Template display proper name" text field, and then clear "Publish certificate in Active Directory".
- On the "Security" tab, add the group "Domain Computers", then checkmark "Read", "Enroll" and "Autoenroll". Click "OK" twice.
- Now go back to "%SystemRoot%\system32\certsrv.msc", correct click on "Certificate Templates", and choose "New" and and so "Certificate Template to Issue".
- Choose "VPN Device Authentication", click "OK".
w2016-nps.contoso.com
The following procedure volition configure the RADIUS server to authenticate users and devices trying to found connection through VPN.
Prerequisites
Earlier proceeding with the configuration, the network policy server (RADIUS) needs to take a static IP address with a DNS pointing to the main DNS server, and should be joined the Contoso domain.
- Open up a PowerShell terminal with privileged permissions (run as ambassador).
- Execute the following, which volition rename the server, set a static IP with a static DNS and restart later.
#Rename the server.
Rename-Figurer -NewName W2016-NPS ;
#Static IP and DNS.
$IP = "192.168.0.30"
$DNS = "192.168.0.x"
#Set static IP with DNS.
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress $IP -AddressFamily IPv4 -PrefixLength 24;
Set -DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses $DNS ;
#Restart the server.
Restart-Computer -Force ;
- At present we need to join the Contoso AD domain. Run the post-obit in a PowerShell last with elevated permissions. The server will restart.
#Credentials.
$Username = "Contoso\Administrator" ;
$Password = 'Pa$$w0rd' | ConvertTo-SecureString -AsPlainText -Forcefulness ;
$Credential = New-Object -TypeName Organisation . Direction . Automation . PSCredential -ArgumentList $Username , $Password ;
#Join the server to the domain.
Add-Computer -DomainName "contoso.com" -Credential $Credential -Restart ;
- Open the Windows firewall to allow traffic to the server.
New-NetFirewallRule -DisplayName "RADIUS 1645 (UDP) - Inbound" -Direction Inbound -LocalPort 1645 -Protocol UDP -Action Allow ;
New-NetFirewallRule -DisplayName "RADIUS 1646 (UDP) - Entering" -Direction Inbound -LocalPort 1646 -Protocol UDP -Action Permit ;
New-NetFirewallRule -DisplayName "RADIUS 1812 (UDP) - Inbound" -Direction Inbound -LocalPort 1812 -Protocol UDP -Action Allow ;
New-NetFirewallRule -DisplayName "RADIUS 1813 (UDP) - Entering" -Direction Entering -LocalPort 1813 -Protocol UDP -Action Permit ;
NPS
The post-obit will install and setup the network policy server (NPS) also known equally a RADIUS server.
- Open a PowerShell last with privileged permissions (run as administrator).
- Execute the post-obit which will install the NPS.
Install-WindowsFeature NPAS -IncludeManagementTools ;
- Annals the NPS server in Active Directory. Run the following in an elevated command prompt.
netsh nps add registeredserver
- We demand to add the "w2016-ras.contoso.com" equally a RADIUS client. Run the following in a PowerShell terminal with elevated permissions.
New-NpsRadiusClient -Address "192.168.0.40" -Proper name "W2016-RAS" -SharedSecret "4hG9sBtW9hL2GGSE" ;
- Open "%windir%\system32\nps.msc".
- Choose "RADIUS server for Dial-up or VPN Connections" and click "Configure VPN or Dial-up".
- Choose "Virtual Individual Network (VPN) Connections" and click "Adjacent".
- Click "Next" again.
- Clear the "Microsoft Encrypted Authentication version 2 (MS-CHAPv2)" checkbox, and checkmark "Extensible Hallmark Protocol" and in the dropdown cull "Microsoft: Protected EAP (PEAP)". Click on "Configure".
- Select "Secured password (EAP-MSCHAP v2)" and click "Remove".
- Now click "Add".
- Highlight "Smart Menu or other certificate" and click "OK" twice.
- At present click "Side by side".
- Now add "sec-vpn-users", click "Adjacent" iii times.
- Click "End".
w2016-ras.contoso.com
This server is running the RRAS function. Employ the following instructions to setup Remote Access equally a RAS Gateway VPN Server.
RRAS is designed to perform well as both a router and a remote admission server because it supports a wide array of features. For the purposes of this deployment, you require only a small subset of these features: support for IKEv2 VPN connections and LAN routing.
It is important to:
- Install two Ethernet network adapters in the physical server. If y'all are installing the VPN server on a VM, you must create 2 External virtual switches, one for each physical network adapter; and then create two virtual network adapters for the VM, with each network adapter connected to i virtual switch.
- Install the server on your perimeter network between your edge and internal firewalls, with ane network adapter connected to the External Perimeter Network, and ane network adapter connected to the Internal Perimeter Network. This will not be demonstrated.
Prerequisites
Earlier proceeding with the configuration, the domain controller needs to have a static IP address with a DNS pointing to itself, and join the Contoso domain.
- Open a PowerShell terminal with privileged permissions (run as administrator).
- Execute the post-obit, which will rename the server, set a static IP with a static DNS for the network card in the internal network and restart afterwards.
#Rename the server.
Rename-Computer -NewName W2016 -ras ;
#Static IP and DNS.
$IP = "192.168.0.twoscore"
$DNS = "192.168.0.10"
#Set static IP with DNS.
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress $IP -AddressFamily IPv4 -PrefixLength 24;
Set -DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses $DNS ;
#Restart the server.
Restart-Estimator -Strength ;
- Now we need to join the Contoso AD domain. Run the following in a PowerShell terminal with elevated permissions. The server will restart.
#Credentials.
$Username = "Contoso\Ambassador" ;
$Password = 'Pa$$w0rd' | ConvertTo-SecureString -AsPlainText -Forcefulness ;
$Credential = New-Object -TypeName System . Management . Automation . PSCredential -ArgumentList $Username , $Countersign ;
#Join the server to the domain.
Add-Calculator -DomainName "contoso.com" -Credential $Credential -Restart ;
- Open up the Windows firewall to allow traffic to the server.
New-NetFirewallRule -DisplayName "VPN 500 (UDP) - Entering" -Direction Inbound -LocalPort 500 -Protocol UDP -Activity Allow ;
New-NetFirewallRule -DisplayName "VPN 4500 (UDP) - Entering" -Direction Inbound -LocalPort 4500 -Protocol UDP -Activeness Permit ;
RRAS
This process will install the RRAS role, and configure information technology to let only IKEv2 connections.
- Open a PowerShell terminal with privileged permissions (run every bit administrator).
- Execute the following which will install the RAS.
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
- Restart the server (this is a requirement before enrolling the certificate).
- Open "mmc.exe", click on "File" and and then "Add/Remove Snap-in".
- Choose "Certificates" and click "Add".
- Choose "Computer account", and click "Next" and then "Terminate".
- At present click "OK".
- Navigate to "Certificates (Local Reckoner)" Ã "Personal". Right click on "Personal", choose "All Tasks" and click on "Request New Certificate".
- Click "Next".
- One time once more click "Side by side".
- Checkmark "VPN Server Authentication", click on "Properties".
- Under "Subject" tab configure the following values. Then click "OK".
- Subject name:Common proper noun: vpn.contoso.comAlternative name:DNS: vpn.contoso.comDNS: w2016-ras.contoso.comDNS: w2016-rasDNS: 192.168.0.xl
DNS: <external ip>
- Subject name:Common proper noun: vpn.contoso.comAlternative name:DNS: vpn.contoso.comDNS: w2016-ras.contoso.comDNS: w2016-rasDNS: 192.168.0.xl
- Click on "Enroll".
- Open "%SystemRoot%\system32\ServerManager.exe".
- Click on "Open the Getting Started Wizard" under notifications.
- If no window open, minimize all windows to see if it's hidden. Click on "Deploy VPN only".
- Correct click on "W2016-RAS (local)" and choose "Configure and Enable Routing and Remote Access".
- Click "Next".
- Choose "Custom configuration" and click "Next".
- Checkmark "VPN access" then Click "Next".
- Click on "Finish".
- Click on "OK" once more.
- Now click "Kickoff service".
- Correct click on "W2016-RAS (local)", and choose "Properties".
- On the "Security" tab, choose "RADIUS Hallmark" as the authentication provider. Then click on "Configure".
- Click on "Add together".
- Now enter "w2016-nps.contoso.com" in server proper noun and type the shared underground. Click "OK" two times.
- On the "IPv4" tab, choose the adapter that is on the internal network in this example "Internal". Then click "OK".
- Under "W2016-RAS (local)" right click on "Ports" and choose "Backdrop".
- Select "WAN Miniport (SSTP)" and click "Configure".
- Articulate "Remote access connections (entering only)" and "Demand-dial routing connections (inbound and outbound)". Click on "OK".
- Repeat pace 19 and 20 for "WAN Miniport (L2TP)", "WAN Miniport (PPPoE)" (Uncheck "Need-dial routing connections (outbound only)") and "WAN Miniport (PPTP)".
- If you are using Windows Server 2012 R2 or Windows Server 2016 Routing and Remote Access Service (RRAS) equally your VPN server, you must enable auto certificate hallmark for VPN connections and define a root certification authority for which incoming VPN connections volition be authenticated with. To exercise this, open up an elevated PowerShell command and run the following commands.
$VPNRootCertAuthority = "Contoso-CA" ;
$RootCACert = ( Get-ChildItem -Path cert : LocalMachine \ root | Where-Object { $_ . Field of study -Similar "*$VPNRootCertAuthority*" } ) ;
Set -VpnAuthProtocol -UserAuthProtocolAccepted Certificate , EAP -RootCertificateNameToAccept $RootCACert -PassThru ;
- Now reboot the server.
w10-client.contoso.com
On this device we are going to create the VPN profile template, so nosotros can push it to other machines either through grouping policy or Intune.
Prerequisites
Earlier proceeding with the configuration, the client need to exist renamed and joined the domain.
- Open a PowerShell terminal with privileged permissions (run as administrator).
- Execute the following, which will rename the client and restart afterwards.
#Rename the server.
Rename-Computer -NewName W10 -client ;
#Restart the server.
Restart-Reckoner -Force ;
- Now we need to join the Contoso AD domain. Run the post-obit in a PowerShell terminal with elevated permissions. The server will restart.
#Credentials.
$Username = "Contoso\Administrator" ;
$Password = 'Pa$$w0rd' | ConvertTo-SecureString -AsPlainText -Force ;
$Credential = New-Object -TypeName Organisation . Management . Automation . PSCredential -ArgumentList $Username , $Countersign ;
#Join the server to the domain.
Add together-Figurer -DomainName "contoso.com" -Credential $Credential -Restart ;
- Due to this beingness setup in a lab, when need to edit the customer hosts file. Open notepad as administrator, and open the file "C:\Windows\System32\drivers\etc\hosts", and so add the following line to the file.
<external IP of w2016-ras.contoso.com> vpn.contoso.com
Client VPN Template
This will create the VPN template for customer devices. Y'all will need to download the PsExec to the customer auto, before post-obit the procedure.
- Open a command prompt every bit ambassador.
- Change path to the downloaded PsExec utility, and run the post-obit.
- A new window volition open up, in this window type "powershell.exe".
- At present copy the following into a XML file and salvage it (in this example we save it on the desktop). Name it "vpn.contoso.com.xml"
1
2
3
4
5
vi
7
eight
9
10
xi
12
13
14
xv
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
<VPNProfile>
<NativeProfile>
<Servers> vpn.contoso.com </Servers>
<NativeProtocolType> IKEv2 </NativeProtocolType>
<Hallmark>
<MachineMethod> Document </MachineMethod>
</Authentication>
<RoutingPolicyType> SplitTunnel </RoutingPolicyType>
<!-- disable the addition of a class based road for the assigned IP accost on the VPN interface -->
<DisableClassBasedDefaultRoute> true </DisableClassBasedDefaultRoute>
</NativeProfile>
<!-- use host routes(/32) to foreclose routing conflicts -->
<Route>
<Address> 192.168.0.10 </Address>
<PrefixSize> 32 </PrefixSize>
</Route>
<Route>
<Address> 192.168.0.20 </Address>
<PrefixSize> 32 </PrefixSize>
</Route>
<Route>
<Address> 192.168.0.thirty </Address>
<PrefixSize> 32 </PrefixSize>
</Route>
<Route>
<Accost> 192.168.0.xl </Address>
<PrefixSize> 32 </PrefixSize>
</Route>
<!-- traffic filters for the routes specified above so that simply this traffic can go over the device tunnel -->
<TrafficFilter>
<RemoteAddressRanges> 192.168.0.x, 192.168.0.20, 192.168.0.30, 192.168.0.twoscore </RemoteAddressRanges>
</TrafficFilter>
<!-- demand to specify always on = true -->
<AlwaysOn> true </AlwaysOn>
<!-- new node to specify that this is a device tunnel -->
<DeviceTunnel> true </DeviceTunnel>
<!--new node to annals customer IP address in DNS to enable manage out -->
<RegisterDNS> true </RegisterDNS>
</VPNProfile>
- At present save the following powershell script (again in this case we save it to the desktop). Name it "VPN_Profile_Device.ps1".
1
ii
3
4
5
vi
7
8
nine
ten
11
12
thirteen
14
15
xvi
17
18
nineteen
20
21
22
23
24
25
26
27
28
29
thirty
31
32
33
34
35
36
37
38
39
forty
41
42
43
44
45
46
47
48
Param (
[ string ] $xmlFilePath ,
[ string ] $ProfileName
)
$a = Test-Path $xmlFilePath
echo $a
$ProfileXML = Get-Content $xmlFilePath
echo $XML
$ProfileNameEscaped = $ProfileName -supplant ' ' , '%xx'
$Version = 201606090004
$ProfileXML = $ProfileXML -supplant '<' , '<'
$ProfileXML = $ProfileXML -supersede '>' , '>'
$ProfileXML = $ProfileXML -supersede '"' , '"'
$nodeCSPURI = './Vendor/MSFT/VPNv2'
$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_VPNv2_01"
$session = New-CimSession
try
{
$newInstance = New-Object Microsoft . Management . Infrastructure . CimInstance $className , $namespaceName
$property = [ Microsoft . Management . Infrastructure . CimProperty ] :: Create ( "ParentID" , "$nodeCSPURI" , 'String' , 'Fundamental' )
$newInstance . CimInstanceProperties . Add together ( $property )
$property = [ Microsoft . Management . Infrastructure . CimProperty ] :: Create ( "InstanceID" , "$ProfileNameEscaped" , 'String' , 'Key' )
$newInstance . CimInstanceProperties . Add together ( $property )
$holding = [ Microsoft . Management . Infrastructure . CimProperty ] :: Create ( "ProfileXML" , "$ProfileXML" , 'String' , 'Holding' )
$newInstance . CimInstanceProperties . Add together ( $holding )
$session . CreateInstance ( $namespaceName , $newInstance )
$Message = "Created $ProfileName profile."
Write-Host "$Message"
}
catch [ Exception ]
{
$Message = "Unable to create $ProfileName profile: $_"
Write-Host "$Message"
go out
}
$Bulletin = "Consummate."
Write-Host "$Message"
- In the PowerShell final that was open up from PsExec, run the following.
. \ VPN_Profile_Device . ps1 -xmlFilePath "C:\Users\Administrator\Desktop\vpn.contoso.com.xml" -ProfileName "vpn.contoso.com" ;
- At present try to move the device to the external network in the lab. The profile should automatically connect to the VPN.
You are washed configuring your lab, the but affair left is to distribute the VPN profile through your mean of pick!
If you lot accept any bug of questions please experience complimentary to comment below.
DOWNLOAD HERE
Posted by: stevenswiturver1957.blogspot.com
Post a Comment