Virtual Private Networks
VPNs use public wires, typically the Internet, to join nodes into a network. This lets an organization build its own private network for transferring data over links it does not own. A VPN relies on several security mechanisms, above all encryption of the traffic and authentication of the endpoints, to make certain that data crossing the public network is not intercepted or read by unauthorized users. VPNs have been used successfully for many years, but have recently run into problems: many organizations have greatly increased the number of roaming users who need access to their networks, and those users now connect from networks (hotels, home routers, partner sites) that the organization does not control. Because of this, other methods of providing the same type of access have been developed. IPsec and SSL VPNs are two such methods in common use by many organizations.
VPNs typically use an encrypted tunnel that keeps the data carried inside it confidential. The drawback is that the traditional tunneling protocols do not travel well through typical NAT paths: PPTP carries its data in GRE (IP protocol 47) and L2TP/IPsec in ESP (IP protocol 50, unless NAT traversal is negotiated), and a NAT device that cannot translate or is not configured to pass those protocols drops the tunnel, so the VPN connection fails to stay active and stops working completely. This is exactly the problem SSTP avoids by carrying the tunnel inside an ordinary HTTPS connection on TCP port 443, which almost every NAT device and firewall already passes. VPNs will most often connect a node directly to an endpoint. If the node's LAN and the endpoint's LAN use the same internal address range and NAT is involved, the overlapping addresses cause many problems and complications, resulting in a lack of service to your end client.
Tip
Be familiar with all of the tools available to you in Server Manager. Windows Server 2008 provides a number of roles and snap-in features that help immensely with your job as an administrator. When you are prepping on the day of the exam, make sure you can identify and locate roles such as Routing and Remote Access Services (RRAS) and the Network Policy and Access Services role that contains it. This will help you gain a better understanding of the design structure of Windows Server 2008, and help you apply what you know on your exam.
Installing and Configuring an SSL VPN Server
Now that you have an idea of how SSTP and the new SSL VPNs work, we will explain how to use the RRAS console to install and configure a VPN. Before beginning, be sure that you have a clean installation of Windows Server 2008. RRAS must not be installed yet when you set up the SSL VPN. Before installing RRAS, you must request a machine certificate from a certification authority (CA).
The VPN server needs a machine certificate to create the SSL VPN connection with the SSL VPN client computer. The name on the certificate should match the name that the VPN client will use to connect to the SSL VPN gateway computer. This means that you will need to create a public DNS entry for the name on the certificate, so that it resolves to the external IP address of the VPN server or to the IP address of a NAT device in front of the VPN server, as described earlier in this chapter. The NAT device will then forward the connection to the SSL VPN server.
Perform the following steps to request and install the machine certificate on the SSL VPN server:
1. Open Server Manager. Expand the Roles node in the left pane.
2. Expand the Web Server (IIS) node. Click on Internet Information Services (IIS) Manager.
3. In the Internet Information Services Manager console, in the pane to the right of the left pane, click the name of the server you are using.
4. Click on the Server Certificates icon in the right pane of the IIS console.
5. In the right pane of the console, click the Create Domain Certificate link.
6. Fill out the information on the Distinguished Name Properties page. Remember to enter the Common Name correctly, as mentioned previously: this is the name that VPN clients will use to connect to the VPN server. You will need a public Domain Name System (DNS) entry for this name, so that it resolves either to the external interface of the VPN server or to the public address of a NAT device in front of the VPN server (e.g., the common name sstp.msexamfirewall.org). If no public DNS entry is available in a lab, add a HOSTS file entry on the VPN client computer so that it can resolve this name later.
7. When finished, click Next.
8. On the Online Certification Authority page, click the Select button.
9. In the Select Certification Authority dialog box, click the name of the Enterprise CA and click OK.
10. Enter a name for the certificate in the Friendly name text box (e.g., SSLVPN).
11. Click Finish on the Online Certification Authority page.
When the Wizard completes its work, you will see the certificate appear in the IIS console:
12. Double-click the certificate. You can see the common name in the "Issued to" section, and that there is a private key that corresponds to the certificate.
13. Click OK to close the Certificate dialog box.
Once you have a certificate, you can install the RRAS Server Role as described earlier in this chapter. It is critical that you install the certificate first, before you install the RRAS Server Role, because SSTP binds the machine certificate to its HTTPS listener when the role is configured. If you do not, you will have to use a fairly complex command-line routine to bind the certificate to the SSL VPN listener.
Once the RRAS role is installed, you must enable and configure it. Perform the following steps to enable the RRAS service:
1. Open Server Manager and expand the Roles node in the left pane of the console.
2. Expand the Network Policy and Access Services node and click on the Routing and Remote Access node. Right-click on the Routing and Remote Access node and click Configure and Enable Routing and Remote Access, as shown in Figure 6.
3. Click Next on the Welcome to the Routing and Remote Access Server Setup Wizard page.
4. On the Configuration page shown in Figure 7, select the Virtual private network (VPN) access and NAT option.
5. Click Next.
6. On the VPN Connection page, in the Network interfaces section, select the NIC that represents the external interface of the VPN server.
7. Click Next.
8. On the IP Address Assignment page, select the Automatically option if you have a DHCP server. If you do not have a DHCP server, select the From a specified range of addresses option and provide a range of addresses that VPN clients will use when connecting to the network through the VPN gateway.
9. Click Next.
10. On the Managing Multiple Remote Access Servers page, select No, use Routing and Remote Access to authenticate connection requests. Use this option when there is no NPS or RADIUS server available. If the VPN server is a member of the domain, you can authenticate users with domain accounts. If the VPN server is not a member of the domain, only local accounts on the VPN server can be used.
11. Click Next.
12. Review the summary information on the Completing the Routing and Remote Access Server Setup Wizard page for accuracy and click Finish.
13. Click OK in the Routing and Remote Access dialog box telling you that relaying of DHCP messages requires a DHCP relay agent.
14. Expand the Routing and Remote Access node and then click on the Ports node. In the middle pane you will see that WAN Miniport (SSTP) connections are now available.
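The two requirements this section leans on, that the certificate name matches the public name clients will use (and has a private key), and that the certificate was installed before RRAS so that SSTP bound it to its HTTPS listener, are easy to get wrong and show up only as failed client connections. The following script is an added example, not part of the original chapter or of Windows itself: it checks those prerequisites on the VPN server after the wizard has finished. It assumes Windows PowerShell is installed (an optional feature on Windows Server 2008), that the script runs elevated, that the common name issued in step 6 is sstp.msexamfirewall.org (change $PublicName to your own), and that SSTP keeps its certificate hash under the SstpSvc\Parameters registry key and its listener as the HTTP.sys SSL binding on 0.0.0.0:443.

```powershell
# Added verification script (not from the original chapter). Run elevated on the
# SSL VPN server after RRAS has been configured. $PublicName is an assumption:
# replace it with the common name you actually issued in step 6.
$PublicName = 'sstp.msexamfirewall.org'
$problems = @()

# 1. The machine certificate must be in the computer's Personal store, carry the
#    name clients will type, and have a private key the VPN server can use.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($PublicName))(,|$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    $problems += "No certificate with CN=$PublicName in LocalMachine\My"
} else {
    if (-not $cert.HasPrivateKey) { $problems += "Certificate $($cert.Thumbprint) has no private key" }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }
}

# 2. The name must resolve (public DNS, or a HOSTS entry in a lab). From the
#    server this only proves a record exists; repeat the check from a client on
#    the Internet side of the NAT device, where it must yield the public address.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($PublicName) | ForEach-Object { $_.IPAddressToString }
    "$PublicName resolves to: $($addrs -join ', ')"
} catch {
    $problems += "$PublicName does not resolve: $($_.Exception.Message)"
}

# 3. SSTP listens through HTTP.sys on TCP 443. The binding's certificate hash
#    must equal the thumbprint found above; installing RRAS before the
#    certificate existed is the usual reason it does not.
$sslcert = netsh http show sslcert ipport=0.0.0.0:443 2>&1 | Out-String
if ($sslcert -notmatch 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
    $problems += 'No HTTP.sys SSL binding on 0.0.0.0:443 (SSTP listener not registered)'
} elseif ($cert -and ($matches[1].ToUpper() -ne $cert.Thumbprint)) {
    $problems += "HTTP.sys binding uses $($matches[1]), expected $($cert.Thumbprint)"
}

# 4. SSTP also stores the hash of the certificate it registered (assumed
#    location: the SstpSvc\Parameters key). A stale value here survives a
#    certificate renewal and keeps the old binding alive.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$stored = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).SHA1CertificateHash
if ($stored -and $cert) {
    $storedHex = ($stored | ForEach-Object { $_.ToString('X2') }) -join ''
    if ($storedHex -ne $cert.Thumbprint) {
        $problems += "SstpSvc SHA1CertificateHash is $storedHex, expected $($cert.Thumbprint)"
    }
}

# 5. Finally, the Routing and Remote Access service itself must be running.
$svc = Get-Service RemoteAccess -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') { $problems += 'RemoteAccess (RRAS) service is not running' }

if ($problems.Count -eq 0) {
    'SSL VPN prerequisites look consistent'
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

If check 3 or 4 reports a mismatch, you are in the situation the chapter warns about: the repair is the command-line routine it mentions, which removes the stale 0.0.0.0:443 binding with netsh http delete sslcert, clears the stored hash values under SstpSvc\Parameters, and restarts the RemoteAccess service so that SSTP registers the certificate now in the store. Do that rather than re-running the RRAS wizard, which does not touch an existing binding.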
Warning
There are a number of server types that can be set up in a given real-world situation, and it is up to you to determine which best suits your clients' needs. For the exam, however, you must pay attention to what type of access, and what type of information about it, a question is asking for. Remember that RRAS and NPS are two different means of setting up many of the available services, so double-check which type of server the question is calling for.