In part 1 of this series we started by identifying the VPN role and why/when it should be used, then installed the VPN role on Windows Server 2016 and enabled the service.
For more details please see Part 1: https://itcalls.blogspot.com.eg/2016/10/implementing-microsoft-remote-access.html
In this part we will continue configuring the VPN role and integrate it with a RADIUS server for authentication (optional).
Configuring VPN on Windows Server 2016
- We will pick up where we stopped in the last post, after the services are enabled. Go to Server Manager – Tools – Routing and Remote Access. You will notice that the server name under Server Status has a green indicator, which means the role is enabled and its services are running. Right-click the server – Properties.
- On the Security tab we need to make a few decisions. Authentication Provider: you have two options. Windows Authentication (if you don’t have a RADIUS server on your network) works well by authenticating against your Active Directory domain or LDAP service, and it is even simpler if the server is domain joined. For our case, however, we will go with RADIUS Authentication. Accounting Provider: again you can choose between Windows Accounting and RADIUS Accounting. With RADIUS Accounting, connection accounting logs are sent to the RADIUS server, while Windows Accounting saves them to a file on the VPN server. I will go with Windows Accounting to keep all VPN logs in one place.
- For the Authentication Methods, ensure that EAP and MS-CHAP v2 (the first two options) are selected.
- In the Authentication Provider section (after picking RADIUS Authentication), click Configure – Add – Add RADIUS Server. Enter your current network RADIUS server name and a shared secret (this is the same shared secret/password that will also be configured on the RADIUS server so that the two can validate/authenticate each other). Increase the Time out to 60 seconds (this will be very beneficial with our MFA implementation: it is the wait time until you get the call or SMS on your mobile and confirm your VPN authentication).
- Now on the RADIUS server we will add the VPN server as a new client. Go to RADIUS Clients – New, enable the RADIUS client, and enter the name and IP address of your VPN server as well as the shared secret we added on the VPN server in the previous step.
- Back on our VPN server, still on the Security tab, we will add a certificate in the SSL Certificate Binding option at the bottom of the page. In our scenario we will use an SSTP connection (HTTPS) to limit the ports that must be open to the VPN server. You can use your company wildcard certificate or buy a normal commercial SSL certificate with a simple name such as vpn.company.com. Install the certificate on the server and pick it from this location.
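The same Security tab settings can be applied from PowerShell on Windows Server 2016, which is useful when you build more than one VPN server and want the RADIUS and certificate settings to be identical. The block below is my added example, not part of the original post: it uses the RemoteAccess module on the VPN server and the NPS module on the RADIUS server. The RADIUS server name NPS01.corp.example, the client name VPN01, the VPN server address 192.168.100.10 and the certificate name vpn.company.com are assumed values; replace them with your own.

```powershell
# Added example (not from the original post). Section 1 runs on the VPN (RRAS)
# server, section 2 on the NPS (RADIUS) server. Assumed names: NPS01.corp.example,
# VPN01, 192.168.100.10, vpn.company.com.

# ---------- 1. On the VPN server (RemoteAccess module) ----------
Import-Module RemoteAccess

# Accept only EAP and MS-CHAP v2 for user authentication (the first two options
# on the Security tab); PAP and CHAP stay disabled.
Set-VpnAuthProtocol -UserAuthProtocolAccepted @('EAP', 'MSChapv2') -PassThru

# Read the shared secret without echoing it or leaving it in command history.
$secure = Read-Host -Prompt 'RADIUS shared secret' -AsSecureString
$secret = [System.Net.NetworkCredential]::new('', $secure).Password

# Register the RADIUS server for authentication with the 60-second timeout that
# leaves room for an MFA call or SMS before the request is considered failed.
Add-RemoteAccessRadius -ServerName 'NPS01.corp.example' -SharedSecret $secret `
    -Purpose Authentication -Port 1812 -Timeout 60 -PassThru

# Bind the SSTP listener to the newest certificate issued to vpn.company.com
# that has a private key in the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=vpn.company.com*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key found for vpn.company.com' }
Set-RemoteAccess -SslCertificate $cert -PassThru

# Verify: the RADIUS server is registered and SSTP is listening on TCP 443.
Get-RemoteAccessRadius -Purpose Authentication | Format-List
Get-NetTCPConnection -State Listen -LocalPort 443 |
    Format-Table LocalAddress, LocalPort, OwningProcess

# ---------- 2. On the NPS (RADIUS) server (NPS module) ----------
Import-Module NPS
$secure = Read-Host -Prompt 'RADIUS shared secret (same as on the VPN server)' -AsSecureString
$secret = [System.Net.NetworkCredential]::new('', $secure).Password

# Add the VPN server as a RADIUS client, matching the name/IP/secret used above.
New-NpsRadiusClient -Name 'VPN01' -Address '192.168.100.10' -SharedSecret $secret
Get-NpsRadiusClient | Format-Table Name, Address, Enabled
```

The secret is prompted for on each server rather than typed on the command line so it does not end up in the PowerShell history or in a script stored on disk; if the two secrets differ, the NPS event log will show the Access-Request being discarded as an invalid authenticator rather than an authentication failure, which is the first thing to check when the VPN client times out.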
- That’s it for the Security tab; now we move to the IPv4 tab. We need to decide which IPs the clients will get and how. There are two options: assign IP addresses to the VPN clients from DHCP, or from a static pool. If you pick the DHCP option, clients will get IPs from the same pool as your server LAN interface. Most probably you have a dedicated server IP range/VLAN and would prefer not to hand out addresses to VPN clients from that pool (it is fine for testing only). So in our case we will pick the second option and assign IPs to the VPN client devices from a static pool. We will add a new pool from 10.10.10.1 – 10.10.10.254. This pool is different from the server internal NIC subnet and is not in its routing table. When users connect to the VPN server they will get an IP from this pool, but they won’t be able to ping or reach any of your corporate resources; the static pool needs one simple piece of network configuration. The problem is that VPN clients may be able to get half way to your resources, but the resources don’t know how to get back to the VPN client. We need to add a route for this pool that points to your local VPN server IP address (internal NIC). Let us assume that your VPN server’s internal (domain-facing) NIC has the IP address 192.168.100.10 and, as in the screenshot below, your static pool is 10.10.10.1 – 10.10.10.254. You need to add a route on the inter-VLAN routing device on your network, most probably your internal core switch or internal router, that points any traffic going to the 10.10.10.0 network (VPN pool) to 192.168.100.10. This should do the trick and allow you to access and reach your internal resources. As discussed in Part 1, this VPN server internal NIC doesn’t have a gateway (multi-homed NIC), so it should have its own static routes to the other subnets in your corporate network.
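The IPv4 step above has two halves that are easy to get wrong: the pool must not overlap a subnet the server already sits on, and the multi-homed internal NIC needs explicit routes because it has no default gateway. The block below is my added example, not the post’s own steps: it sets the 10.10.10.1 – 10.10.10.254 pool with the RemoteAccess module, checks the pool against every IPv4 address on the server before applying it, and adds the internal-NIC routes. The interface alias Internal, the internal router 192.168.100.1, the corporate prefixes 192.168.0.0/16 and 10.0.0.0/16, and the test host dc01.corp.example are constructed values for the example.

```powershell
# Added example (not from the original post): static pool, overlap check and
# internal-NIC routes for the multi-homed VPN server. Assumed values: NIC alias
# 'Internal', router 192.168.100.1, corporate prefixes and host dc01.corp.example.
Import-Module RemoteAccess

$PoolStart   = '10.10.10.1'
$PoolEnd     = '10.10.10.254'
$Internal    = 'Internal'                          # domain-facing NIC, no default gateway
$InternalGw  = '192.168.100.1'                     # router on the internal subnet
$CorpSubnets = @('192.168.0.0/16', '10.0.0.0/16')  # constructed example prefixes

# Return $null if $Address lies outside every IPv4 subnet configured on this
# server, otherwise a message naming the clashing interface. A pool inside an
# existing subnet would make clients collide with the LAN instead of routing to it.
function Test-PoolOverlap {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    foreach ($cfg in Get-NetIPAddress -AddressFamily IPv4) {
        $net  = [System.Net.IPAddress]::Parse($cfg.IPAddress).GetAddressBytes()
        $bits = [int]$cfg.PrefixLength
        $same = $true
        for ($i = 0; $i -lt 4 -and $same; $i++) {
            # number of prefix bits that fall in this octet, clamped to 0..8
            $b    = [Math]::Max(0, [Math]::Min(8, $bits - 8 * $i))
            $mask = if ($b -eq 0) { 0 } else { (0xFF -shl (8 - $b)) -band 0xFF }
            if (($ip[$i] -band $mask) -ne ($net[$i] -band $mask)) { $same = $false }
        }
        if ($same) {
            return "$Address overlaps $($cfg.IPAddress)/$bits on $($cfg.InterfaceAlias)"
        }
    }
    return $null
}

foreach ($a in @($PoolStart, $PoolEnd)) {
    $clash = Test-PoolOverlap -Address $a
    if ($clash) { throw $clash }
}

# Hand out client addresses from the static pool instead of DHCP.
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool `
    -IPAddressRange @($PoolStart, $PoolEnd) -PassThru

# The internal NIC has no gateway, so add one route per corporate subnet that
# points at the internal router (skipping prefixes that already have a route).
foreach ($prefix in $CorpSubnets) {
    if (-not (Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue)) {
        New-NetRoute -DestinationPrefix $prefix -InterfaceAlias $Internal -NextHop $InternalGw
    }
}

# Return path: the core switch/router must send 10.10.10.0/24 to the VPN server.
# That route lives on the network device, not here; on a Cisco IOS style device
# it would read:  ip route 10.10.10.0 255.255.255.0 192.168.100.10
# Verify from the server that an internal host answers on a known port.
Test-NetConnection -ComputerName 'dc01.corp.example' -Port 389 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

Run Test-NetConnection again from a connected VPN client after the core-switch route is in place: if it succeeds from the server but not from the client, the pool route on the network side is the missing piece, not the server configuration.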
- Move to the Logging tab and ensure that Log all events and Log additional Routing and Remote Access information are checked, as shown below.
- Since this scenario uses only SSTP, you need only allow HTTPS traffic to your VPN server. No other ports or protocols are needed.
- Make sure Network Access Permission is set to Allow access in the Dial-in properties of each VPN user in Active Directory. You can limit this permission to only the users who actually use the VPN.
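Setting the Dial-in permission by hand for every user does not scale and, more importantly, it is easy to lose track of who still has it. The block below is my added example, not part of the original post: it grants the permission to members of one AD group and then lists any account outside that group that still has it. The Dial-in tab’s Network Access Permission is stored in the msNPAllowDialin attribute (TRUE = Allow access, FALSE = Deny access, not set = Control access through NPS Network Policy). The group name VPN-Users is an assumed value; the cmdlets come from the ActiveDirectory module.

```powershell
# Added example (not from the original post): grant Network Access Permission to
# one group only and audit everyone else. Assumed group name: VPN-Users.
Import-Module ActiveDirectory

$VpnGroup = 'VPN-Users'

# Resolve the group (including nested groups) to a list of user accounts.
$allowed = Get-ADGroupMember -Identity $VpnGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

# Set msNPAllowDialin = TRUE (Allow access) for group members that do not have it yet.
foreach ($sam in $allowed) {
    $u = Get-ADUser -Identity $sam -Properties msNPAllowDialin
    if ($u.msNPAllowDialin -ne $true) {
        Set-ADUser -Identity $sam -Replace @{ msNPAllowDialin = $true }
        Write-Host "Allowed dial-in for $sam"
    }
}

# Audit: accounts with Allow access that are not in the VPN group. These are
# either stale grants or someone added outside the process; review them and
# clear the attribute with:  Set-ADUser -Identity <sam> -Clear msNPAllowDialin
$strays = Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' -Properties msNPAllowDialin |
    Where-Object { $_.SamAccountName -notin $allowed }

if ($strays) {
    Write-Warning "Accounts with dial-in allowed outside $VpnGroup :"
    $strays | Select-Object SamAccountName, Enabled | Format-Table -AutoSize
} else {
    Write-Host "No dial-in grants outside $VpnGroup"
}
```

Running the audit part on a schedule turns the Dial-in permission into something you can review like any other group membership, which matters because with RADIUS authentication this attribute is the per-user gate that sits in front of your NPS network policies.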