Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab
Introduction
This paper provides detailed information about how you can use
five computers to create a test lab with which to configure and test
virtual private network (VPN) remote access with Windows XP and the
Windows Server 2003 family. These instructions are designed to take
you step-by-step through the configuration required for
Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol with
Internet Protocol security (L2TP/IPSec) connections, and finally a
VPN connection that uses certificate-based Extensible Authentication
Protocol-Transport Level Security (EAP-TLS) authentication.
Note: The following instructions are for configuring a
test lab using a minimum number of computers. Individual computers
are needed to separate the services provided on the network and to
clearly show the desired functionality. This configuration is
neither designed to reflect best practices nor is it designed to
reflect a desired or recommended configuration for a production
network. The configuration, including IP addresses and all other
configuration parameters, is designed only to work on a separate
test lab network.
PPTP-based Remote Access VPN Connections
The infrastructure for the VPN test lab network consists of five
computers performing the following services:
• A computer running Windows Server 2003, Enterprise Edition, named DC1 that is acting as a domain controller, a Domain Name System (DNS) server, a Dynamic Host Configuration Protocol (DHCP) server, and a certification authority (CA).
• A computer running Windows Server 2003, Standard Edition, named VPN1 that is acting as a VPN server. VPN1 has two network adapters installed.
• A computer running Windows Server 2003, Standard Edition, named IAS1 that is acting as a Remote Authentication Dial-in User Service (RADIUS) server.
• A computer running Windows Server 2003, Standard Edition, named IIS1 that is acting as a Web and file server.
• A computer running Windows XP Professional named CLIENT1 that is acting as a VPN client.
Figure 1 shows the configuration of the VPN test lab.
Figure 1: Configuration of the VPN test lab
There is a network segment representing a corporate intranet and
a network segment representing the Internet. All computers on the
corporate intranet are connected to a common hub or Layer 2 switch.
All computers on the Internet are connected to a separate common hub
or Layer 2 switch. Private addresses are used throughout the test
lab configuration. The private network of 172.16.0.0/24 is used for
the intranet. The private network of 10.0.0.0/24 is used for the
simulated Internet.
IIS1 obtains its IP address configuration using DHCP. CLIENT1
also uses DHCP for its IP address configuration; however, it is
additionally configured with an alternate IP configuration so that it
can be placed on either the intranet network segment or the simulated
Internet. All other computers have a manual IP address
configuration. There are no Windows Internet Name Service (WINS)
servers present.
The following sections describe the configuration for each of the
computers in the test lab to set up the basic infrastructure and to
do a PPTP-based remote access connection. PPTP is typically used
when there is no public key infrastructure (PKI) to issue computer
certificates that are required for L2TP/IPSec connections.
To reconstruct this test lab, configure the computers in the
order presented. Additional sections of this paper describe
L2TP/IPSec and EAP-TLS-based remote access connections.
DC1
DC1 is a computer running Windows Server 2003, Enterprise Edition
that is providing the following services:
• A domain controller for the example.com Active Directory domain.
• A DNS server for the example.com DNS domain.
• A DHCP server for the intranet network segment.
• The enterprise root certification authority (CA) for the example.com domain.
Note: Windows Server 2003, Enterprise Edition is used so
that autoenrollment of user certificates for EAP-TLS authentication
can be configured. This is described in the "EAP-TLS-based VPN
Remote Access Connections" section of this paper.
To configure DC1 for these services, perform the following steps.
1. Install Windows Server 2003, Enterprise Edition, as a stand-alone server.
2. Configure the TCP/IP protocol with the IP address of 172.16.0.1 and the subnet mask of 255.255.255.0.
3. Run the Active Directory Installation Wizard (dcpromo.exe) for a new domain named example.com in a new forest. Install the DNS service when prompted.
4. Using the Active Directory Users and Computers snap-in, right-click the example.com domain, and then click Raise Domain Functional Level.
5. Click Windows Server 2003, and then click Raise.
6. Install Dynamic Host Configuration Protocol (DHCP) as a Networking Services component using Control Panel-Add or Remove Programs.
7. Open the DHCP snap-in from the Administrative Tools folder.
8. Click Action, and then click Authorize to authorize the DHCP service.
9. In the console tree, right-click dc1.example.com, and then click New Scope.
10. On the Welcome page of the New Scope Wizard, click Next.
11. On the Scope Name page, type CorpNet in Name. This is shown in the following figure.
12. Click Next. On the IP Address Range page, type 172.16.0.10 in Start IP address, 172.16.0.100 in End IP address, and 24 in Length. This is shown in the following figure.
13. Click Next. On the Add Exclusions page, click Next.
14. On the Lease Duration page, click Next.
15. On the Configure DHCP Options page, click Yes, I want to configure DHCP options now. This is shown in the following figure.
16. Click Next. On the Router (Default Gateway) page, click Next.
17. On the Domain Name and DNS Servers page, type example.com in Parent domain. Type 172.16.0.1 in IP address, and then click Add. This is shown in the following figure.
18. Click Next. On the WINS Servers page, click Next.
19. On the Activate Scope page, click Yes, I want to activate the scope now. This is shown in the following figure.
20. Click Next. On the Completing the New Scope Wizard page, click Finish.
21. Install the Certificate Services component as an enterprise root CA with the name "Example CA" using Control Panel-Add or Remove Programs.
22. Open the Active Directory Users and Computers snap-in.
23. In the console tree, open example.com.
24. Right-click Users, and then click Computer.
25. In the New Object Computer dialog box, type IAS1 in Computer name. This is shown in the following figure.
26. Click Next. In the Managed dialog box, click Next. In the New Object Computer dialog box, click Finish.
27. Use steps 24-26 to create additional computer accounts with the following names: IIS1, VPN1, and CLIENT1.
28. In the console tree, right-click Users, and then click User.
29. In the New Object User dialog box, type VPNUser in First name and type VPNUser in User logon name. This is shown in the following figure.
30. Click Next.
31. In the New Object User dialog box, type a password of your choice in Password and Confirm password. Clear the User must change password at next logon check box and select the Password never expires check box. This is shown in the following figure.
32. In the New Object User dialog box, click Finish.
33. In the console tree, right-click Users, and then click Group.
34. In the New Object Group dialog box, type VPNUsers in Group name, and then click OK. This is shown in the following figure.
35. In the details pane, double-click VPNUsers.
36. Click the Members tab, and then click Add.
37. In the Select Users, Contacts, Users, or Groups dialog box, type vpnuser in Enter the object names to select. This is shown in the following figure.
38. Click OK. In the Multiple Names Found dialog box, click OK. The VPNUser user account is added to the VPNUsers group. This is shown in the following figure.
39. Click OK to save changes to the VPNUsers group.
IAS1
IAS1 is a computer running Windows Server 2003, Standard Edition
that is providing RADIUS authentication, authorization, and
accounting for VPN1. To configure IAS1 as a RADIUS server, perform
the following steps:
1. Install Windows Server 2003, Standard Edition, as a member server named IAS1 in the example.com domain.
2. For the intranet local area connection, configure the TCP/IP protocol with the IP address of 172.16.0.2, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
3. Install Internet Authentication Service as a Networking Services component in Control Panel-Add or Remove Programs.
4. Open the Internet Authentication Service snap-in from the Administrative Tools folder.
5. Right-click Internet Authentication Service, and then click Register Server in Active Directory. When the Register Internet Authentication Service in Active Directory dialog box appears, click OK. This is shown in the following figure.
6. In the console tree, right-click Clients, and then click New RADIUS Client.
7. On the Name and Address page of the New RADIUS Client wizard, for Friendly name, type VPN1. In Client address (IP or DNS), type 172.16.0.3. This is shown in the following figure.
8. Click Next. On the Additional Information page of the New RADIUS Client wizard, for Shared secret, type a shared secret for VPN1, and then type it again in Confirm shared secret. This is shown in the following figure.
9. Click Finish.
10. In the console tree, right-click Remote Access Policies, and then click New Remote Access Policy.
11. On the Welcome to the New Remote Access Policy Wizard page, click Next.
12. On the Policy Configuration Method page, type VPN remote access to intranet in Policy name. This is shown in the following figure.
13. Click Next. On the Access Method page, select VPN. This is shown in the following figure.
14. Click Next. On the User or Group Access page, select Group. This is shown in the following figure.
15. Click Add. In the Select Groups dialog box, type vpnusers in Enter the object names to select. This is shown in the following figure.
16. Click OK. The VPNUsers group in the example.com domain is added to the list of groups on the Users or Groups page. This is shown in the following figure.
17. Click Next. On the Authentication Methods page, the MS-CHAP v2 authentication protocol is selected by default. This is shown in the following figure.
18. Click Next. On the Policy Encryption Level page, clear the Basic encryption and Strong encryption check boxes. This is shown in the following figure.
19. Click Next. On the Completing the New Remote Access Policy page, click Finish.
IIS1
IIS1 is a computer running Windows Server 2003, Standard Edition,
and Internet Information Services (IIS). It is providing Web and
file server services for intranet clients. To configure IIS1 as a
Web and file server, perform the following steps:
1. Install Windows Server 2003, Standard Edition, as a member server named IIS1 in the example.com domain.
2. Install Internet Information Services (IIS) as a subcomponent of the Application Server component in the Windows Components Wizard of Control Panel-Add or Remove Programs.
3. On IIS1, use Windows Explorer to create a new share for the root folder of the C: drive using the share name ROOT with the default permissions.
4. To determine whether the Web server is working correctly, run Internet Explorer on IAS1. If the Internet Connection Wizard prompts you, configure Internet connectivity for a LAN connection. In Internet Explorer, in Address, type http://IIS1.example.com/winxp.gif. You should see a Windows XP graphic.
5. To determine whether file sharing is working correctly, on IAS1, click Start, Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the root folder of the C: drive on IIS1.
VPN1
VPN1 is a computer running Windows Server 2003, Standard Edition
that is providing VPN server services for Internet-based VPN
clients. To configure VPN1 as a VPN server, perform the following
steps:
1. Install Windows Server 2003, Standard Edition, as a member server named VPN1 in the example.com domain.
2. Open the Network Connections folder.
3. For the intranet local area connection, rename the connection to "CorpNet." For the Internet local area connection, rename the connection to "Internet." This is shown in the following figure.
4. Configure the TCP/IP protocol for the CorpNet connection with the IP address of 172.16.0.4, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
5. Configure the TCP/IP protocol for the Internet connection with the IP address of 10.0.0.2 and the subnet mask of 255.255.255.0.
6. Run the Routing and Remote Access snap-in from the Administrative Tools folder.
7. In the console tree, right-click VPN1 and click Configure and Enable Routing and Remote Access.
8. On the Welcome to the Routing and Remote Access Server Setup Wizard page, click Next.
9. On the Configuration page, Remote access (dial-up or VPN) is selected by default. This is shown in the following figure.
10. Click Next. On the Remote Access page, select VPN. This is shown in the following figure.
11. Click Next. On the VPN Connection page, click the Internet interface in Network interfaces. This is shown in the following figure.
12. Click Next. On the IP Address Assignment page, Automatically is selected by default. This is shown in the following figure.
13. Click Next. On the Managing Multiple Remote Access Servers page, click Yes, set up this server to work with a RADIUS server. This is shown in the following figure.
14. Click Next. On the RADIUS Server Selection page, type 172.16.0.2 in Primary RADIUS server and the shared secret in Shared secret. This is shown in the following figure.
15. Click Next. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.
16. You are prompted with a message describing the need to configure the DHCP Relay Agent. This is shown in the following figure.
17. Click OK.
18. In the console tree, open VPN1 (local), then IP Routing, and then DHCP Relay Agent. Right-click DHCP Relay Agent, and then click Properties.
19. In the DHCP Relay Agent Properties dialog box, type 172.16.0.1 in Server address. This is shown in the following figure.
20. Click Add, and then click OK.
CLIENT1
CLIENT1 is a computer running Windows XP Professional that is
acting as a VPN client and gaining remote access to intranet
resources across the simulated Internet. To configure CLIENT1 as a
VPN client for a PPTP connection, perform the following steps:
1. Connect CLIENT1 to the intranet network segment.
2. On CLIENT1, install Windows XP Professional as a member computer named CLIENT1 of the example.com domain.
3. Add the VPNUser account in the example.com domain to the local Administrators group.
4. Log off and then log on using the VPNUser account in the example.com domain.
5. From Control Panel-Network Connections, obtain properties on the Local Area Network connection, and then obtain properties on the Internet Protocol (TCP/IP).
6. Click the Alternate Configuration tab, and then click User configured.
7. In IP address, type 10.0.0.1. In Subnet mask, type 255.255.255.0. This is shown in the following figure.
8. Click OK to save changes to the Internet Protocol (TCP/IP). Click OK to save changes to the Local Area Network connection.
9. Shut down the CLIENT1 computer.
10. Disconnect the CLIENT1 computer from the intranet network segment, and connect it to the simulated Internet network segment.
11. Restart the CLIENT1 computer and log on using the VPNUser account.
12. On CLIENT1, open the Network Connections folder from Control Panel.
13. In Network Tasks, click Create a new connection.
14. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
15. On the Network Connection Type page, click Connect to the network at my workplace. This is shown in the following figure.
16. Click Next. On the Network Connection page, click Virtual Private Network connection. This is shown in the following figure.
17. Click Next. On the Connection Name page, type PPTPtoCorpnet in Company Name. This is shown in the following figure.
18. Click Next. On the VPN Server Selection page, type 10.0.0.2 in Host name or IP address. This is shown in the following figure.
19. Click Next. On the Connection Availability page, click Next.
20. On the Completing the New Connection Wizard page, click Finish. The Connect PPTPtoCorpnet dialog box is displayed. This is shown in the following figure.
21. Click Properties, and then click the Networking tab.
22. On the Networking tab, in Type of VPN, click PPTP VPN. This is shown in the following figure.
23. Click OK to save changes to the PPTPtoCorpnet connection. The Connect PPTPtoCorpnet dialog box is displayed.
24. In User name, type example/VPNUser. In Password, type the password you chose for the VPNUser account. This is shown in the following figure.
25. Click Connect.
26. When the connection is complete, run Internet Explorer.
27. If prompted by the Internet Connection Wizard, configure it for a LAN connection. In Address, type http://IIS1.example.com/winxp.gif. You should see a Windows XP graphic.
28. Click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the Local Drive (C:) on IIS1.
29. Right-click the PPTPtoCorpnet connection, and then click Disconnect.
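The addresses and RADIUS settings entered on DC1, IAS1, VPN1 and CLIENT1 in the PPTP procedure above depend on each other, and a mistake on one machine only surfaces as a failed connection on CLIENT1. The following script is an added example, not part of the original guide: it encodes those values and checks the cross-machine dependencies before the lab is wired up. The `GUIDE` dictionary and `check_lab` function are this example's own names.

```python
"""Cross-machine consistency checks for the five-computer VPN test lab.

Added example (not part of the guide): the values in GUIDE are the ones the
DC1, IAS1, VPN1 and CLIENT1 steps tell you to enter. check_lab() verifies
the dependencies between them that a PPTP connection relies on.
"""
import ipaddress

# Lab plan as given in the guide. Keys are this example's own names.
GUIDE = {
    "intranet": "172.16.0.0/24",           # corporate intranet segment
    "internet": "10.0.0.0/24",             # simulated Internet segment
    "dc1": "172.16.0.1",                   # DC1: domain controller, DNS, DHCP, CA
    "ias1": "172.16.0.2",                  # IAS1: RADIUS server
    "vpn1_corpnet": "172.16.0.4",          # VPN1 CorpNet connection
    "vpn1_internet": "10.0.0.2",           # VPN1 Internet connection
    "client1_alternate": "10.0.0.1",       # CLIENT1 alternate configuration
    "dhcp_scope": ("172.16.0.10", "172.16.0.100"),  # CorpNet scope on DC1
    "dns_server": "172.16.0.1",            # DNS server used on the intranet
    "dhcp_relay": "172.16.0.1",            # DHCP Relay Agent server address on VPN1
    "radius_server_on_vpn1": "172.16.0.2",  # Primary RADIUS server entered on VPN1
    "radius_client_on_ias1": "172.16.0.3",  # Client address entered on IAS1
}


def check_lab(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    ip = ipaddress.ip_address
    intranet = ipaddress.ip_network(plan["intranet"])
    internet = ipaddress.ip_network(plan["internet"])
    findings = []

    # 1. Each static address must sit on the segment its adapter is cabled to.
    #    There is no router between the segments; VPN1 is the only host on both.
    placement = [
        ("DC1", plan["dc1"], intranet),
        ("IAS1", plan["ias1"], intranet),
        ("VPN1 CorpNet", plan["vpn1_corpnet"], intranet),
        ("VPN1 Internet", plan["vpn1_internet"], internet),
        ("CLIENT1 alternate", plan["client1_alternate"], internet),
    ]
    for name, addr, net in placement:
        if ip(addr) not in net:
            findings.append(f"{name} address {addr} is not on {net}")

    # 2. The CorpNet scope was created with the Add Exclusions page skipped,
    #    so it must not cover any statically addressed intranet host.
    start, end = (ip(a) for a in plan["dhcp_scope"])
    if start > end or start not in intranet or end not in intranet:
        findings.append(f"DHCP scope {plan['dhcp_scope']} is not a valid range on {intranet}")
    for name, addr, net in placement:
        if net == intranet and start <= ip(addr) <= end:
            findings.append(f"DHCP scope covers static address {addr} of {name}; add an exclusion")

    # 3. DNS and the DHCP Relay Agent on VPN1 must both point at DC1, the only
    #    DNS and DHCP server in the lab.
    if ip(plan["dns_server"]) != ip(plan["dc1"]):
        findings.append(f"DNS server {plan['dns_server']} is not DC1 ({plan['dc1']})")
    if ip(plan["dhcp_relay"]) != ip(plan["dc1"]):
        findings.append(f"DHCP Relay Agent target {plan['dhcp_relay']} is not DC1 ({plan['dc1']})")

    # 4. RADIUS pairing. VPN1 must send Access-Requests to IAS1, and IAS1
    #    identifies the RADIUS client by the source address of those requests,
    #    which is VPN1's CorpNet address. Requests from an unknown client are
    #    discarded by IAS, so every logon attempt fails after a timeout.
    if ip(plan["radius_server_on_vpn1"]) != ip(plan["ias1"]):
        findings.append(
            f"VPN1 points at RADIUS server {plan['radius_server_on_vpn1']} "
            f"but IAS1 is {plan['ias1']}")
    if ip(plan["radius_client_on_ias1"]) != ip(plan["vpn1_corpnet"]):
        findings.append(
            f"RADIUS client on IAS1 is {plan['radius_client_on_ias1']} but VPN1 sends "
            f"requests from {plan['vpn1_corpnet']}; IAS1 will drop them as an unknown client")
    return findings


if __name__ == "__main__":
    for line in check_lab(GUIDE) or ["lab plan is consistent"]:
        print(line)
```

Run against the values as written above, the script reports one finding: the RADIUS client address registered on IAS1 (172.16.0.3) does not match the CorpNet address configured on VPN1 (172.16.0.4), so IAS1 would ignore VPN1's authentication requests until one of the two is changed to agree with the other.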
L2TP/IPSec-based Remote Access VPN Connections
L2TP/IPSec-based remote access VPN connections require computer
certificates on the VPN client and the VPN server. L2TP/IPSec is
typically used when there are stronger requirements for security and
a public key infrastructure (PKI) is in place to issue computer
certificates to VPN clients and servers.
DC1
To configure DC1 for autoenrollment of computer certificates,
perform the following steps.
1. Open the Active Directory Users and Computers snap-in.
2. In the console tree, double-click Active Directory Users and Computers, right-click the example.com domain, and then click Properties.
3. On the Group Policy tab, click Default Domain Policy, and then click Edit.
4. In the console tree, open Computer Configuration, then Windows Settings, then Security Settings, then Public Key Policies, then Automatic Certificate Request Settings. This is shown in the following figure.
5. Right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
6. On the Welcome to the Automatic Certificate Request Setup Wizard page, click Next.
7. On the Certificate Template page, click Computer. This is shown in the following figure.
8. Click Next. On the Completing the Automatic Certificate Request Setup Wizard page, click Finish. The Computer certificate type now appears in the details pane of the Group Policy Object Editor snap-in. This is shown in the following figure.
9. Type gpupdate at a command prompt to update group policy on DC1.
VPN1
To immediately update group policy and request a computer
certificate, type gpupdate at a command prompt.
CLIENT1
To obtain a computer certificate on CLIENT1 and then configure an
L2TP/IPSec-based remote access VPN connection, perform the following
steps:
1. Shut down CLIENT1.
2. Disconnect the CLIENT1 computer from the simulated Internet network segment, and connect it to the intranet network segment.
3. Restart the CLIENT1 computer and log on using the VPNUser account. Computer and user group policy is automatically updated.
4. Shut down the CLIENT1 computer.
5. Disconnect the CLIENT1 computer from the intranet network segment, and connect it to the simulated Internet network segment.
6. Restart the CLIENT1 computer and log on using the VPNUser account.
7. On CLIENT1, open the Network Connections folder from Control Panel.
8. In Network Tasks, click Create a new connection.
9. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
10. On the Network Connection Type page, click Connect to the network at my workplace. This is shown in the following figure.
11. Click Next. On the Network Connection page, click Virtual Private Network connection. This is shown in the following figure.
12. Click Next. On the Connection Name page, type L2TPtoCorpnet in Company Name. This is shown in the following figure.
13. Click Next. On the VPN Server Selection page, type 10.0.0.2 in Host name or IP address. This is shown in the following figure.
14. Click Next. On the Public Network page, click Do not dial the initial connection. This is shown in the following figure.
15. Click Next. On the Connection Availability page, click Next.
16. On the Completing the New Connection Wizard page, click Finish. The Connect L2TPtoCorpnet dialog box is displayed. This is shown in the following figure.
17. Click Properties, and then click the Networking tab.
18. On the Networking tab, in Type of VPN, click L2TP IPSec VPN. This is shown in the following figure.
19. Click OK to save changes to the L2TPtoCorpnet connection. The Connect L2TPtoCorpnet dialog box is displayed.
20. In User name, type example/VPNUser. In Password, type the password you chose for the VPNUser account. This is shown in the following figure.
21. Click Connect.
22. When the connection is complete, run the Web browser.
23. In Address, type http://IIS1.example.com/winxp.gif. You should see a Windows XP graphic.
24. Click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the Local Drive (C:) on IIS1.
25. Right-click the L2TPtoCorpnet connection, and then click Disconnect.
EAP-TLS-based Remote Access VPN Connections
EAP-TLS-based remote access VPN connections require a user
certificate on the VPN client and a computer certificate on the IAS
server. EAP-TLS is used when you want to authenticate your VPN
connection with the most secure user-level authentication protocol.
Locally installed user certificates in the following steps are used
to make it easier to set up in a test lab. In a production
environment, it is recommended that you use smart cards, rather than
locally installed user certificates, for EAP-TLS authentication.
DC1
To configure DC1 for autoenrollment of user certificates, perform
the following steps:
1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Under Snap-in, double-click Certificate Templates, click Close, and then click OK.
4. In the console tree, click Certificate Templates. All of the certificate templates will be displayed in the details pane. This is shown in the following figure.
5. In the details pane, click the User template.
6. On the Action menu, click Duplicate Template.
7. In the Display Name field, type VPNUser.
8. Ensure that the Publish Certificate in Active Directory check box is selected. This is shown in the following figure.
9. Click the Security tab.
10. In the Group or user names field, click Domain Users.
11. In the Permissions for Domain Users list, select the Enroll and Autoenroll permission check boxes. This is shown in the following figure.
12. Click OK.
13. Open the Certification Authority snap-in.
14. In the console tree, open Certification Authority, then Example CA, then Certificate Templates. This is shown in the following figure.
15. On the Action menu, point to New, and then click Certificate to Issue.
16. Click VPNUser. This is shown in the following figure.
17. Click OK.
18. Open the Active Directory Users and Computers snap-in.
19. In the console tree, double-click Active Directory Users and Computers, right-click the example.com domain, and then click Properties.
20. On the Group Policy tab, click Default Domain Policy, and then click Edit.
21. In the console tree, open User Configuration, then Windows Settings, then Security Settings, then Public Key Policies. This is shown in the following figure.
22. In the details pane, double-click Autoenrollment Settings.
23. Click Enroll certificates automatically. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box. Select the Update certificates that use certificate templates check box. This is shown in the following figure.
24. Click OK.
IAS1
To configure IAS1 with a computer certificate and for EAP-TLS
authentication, perform the following steps:
1. To ensure that IAS1 has autoenrolled a computer certificate, type gpupdate at a command prompt.
2. Open the Internet Authentication Service snap-in.
3. In the console tree, click Remote Access Policies.
4. In the details pane, double-click VPN remote access to intranet. The VPN remote access to intranet Properties dialog box is displayed. This is shown in the following figure.
5. Click Edit Profile, and then click the Authentication tab. This is shown in the following figure.
6. On the Authentication tab, click EAP Methods. The Select EAP Providers dialog box is displayed. This is shown in the following figure.
7. Click Add. The Add EAP dialog box is displayed. This is shown in the following figure.
8. Click Smart Card or other certificate, and then click OK.
9. Click Edit. The Smart Card or other Certificate Properties dialog box is displayed. This is shown in the following figure.
10. The properties of the computer certificate issued to the IAS1 computer are displayed. This step verifies that IAS has an acceptable computer certificate installed to perform EAP-TLS authentication. Click OK.
11. Click OK to save changes to EAP providers. Click OK to save changes to the profile settings.
12. When prompted to view help topics, click No. Click OK to save changes to the remote access policy.
These configuration changes will allow the VPN remote access
to intranet remote access policy to authorize VPN connections
using the EAP-TLS authentication method.
CLIENT1
To obtain a user certificate on CLIENT1 and then configure an
EAP-TLS-based remote access VPN connection, perform the following
steps:
1. Shut down CLIENT1.
2. Disconnect the CLIENT1 computer from the simulated Internet network segment, and connect it to the intranet network segment.
3. Restart the CLIENT1 computer and log on using the VPNUser account. Computer and user group policy is automatically updated.
4. Shut down the CLIENT1 computer.
5. Disconnect the CLIENT1 computer from the intranet network segment, and connect it to the simulated Internet network segment.
6. Restart the CLIENT1 computer and log on using the VPNUser account.
7. On CLIENT1, open the Network Connections folder from Control Panel.
8. In Network Tasks, click Create a new connection.
9. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
10. On the Network Connection Type page, click Connect to the network at my workplace.
11. Click Next. On the Network Connection page, click Virtual Private Network connection.
12. Click Next. On the Connection Name page, type EAPTLStoCorpnet in Company Name.
13. Click Next. On the VPN Server Selection page, type 10.0.0.2 in Host name or IP address.
14. Click Next. On the Public Network page, click Do not dial the initial connection.
15. Click Next. On the Connection Availability page, click Next.
16. On the Completing the New Connection Wizard page, click Finish. The Connect EAPTLStoCorpnet dialog box is displayed. This is shown in the following figure.
17. Click Properties, and then click the Security tab.
18. On the Security tab, click Advanced, and then click Settings. The Advanced Security Settings dialog box is displayed.
19. On the Advanced Security Settings dialog box, click Use Extensible Authentication Protocol (EAP). This is shown in the following figure.
20. Click Properties. On the Smart Card or other Certificate Properties dialog box, click Use a certificate on this computer. This is shown in the following figure.
21. Click OK to save changes to the Smart Card or Other Certificate EAP type. Click OK to save changes to the Advanced Security Settings. Click OK to save changes to the Security tab. The connection is immediately initiated using the installed user certificate.
22. When the connection is complete, run the Web browser.
23. In Address, type http://IIS1.example.com/winxp.gif. You should see a Windows XP graphic.
24. Click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the Local Drive (C:) on IIS1.
25. Right-click the EAPTLStoCorpnet connection, and then click Disconnect.
Summary
This paper described in detail the steps required to configure
secure VPN remote access using PPTP, L2TP/IPSec, and EAP-TLS in a
test lab with five computers simulating an organization intranet and
the Internet.