Implementing Microsoft Remote Access Server / VPN Server End to End Solution: Configuring VPN Server 2016 and Integration with RADIUS - Part 2

Posted by Ahmed Nabil | 8 comments»
In part 1 of this series we started by identifying the VPN role and why/When it should be used and we started by installing the VPN role on Windows Server 2016 and enabled the service.

For more details please check Part 1 https://itcalls.blogspot.com.eg/2016/10/implementing-microsoft-remote-access.html

In this part we will continue configuring the VPN role and integrating it with RADIUS server for authentication (Optional)

Configuring VPN on Windows Server 2016


  1. We will start now where we stopped on our last post after the services are enabled. Go to Server Manager - Tools - Routing and Remote Access. You will notice that the Server name under the Server status has green indicator which means its enabled and with running services.                                                                                                                                                    Right Click on the Server  - Properties                                                                                                                                                 

                                           
                                                                                     
                                                                          
  2. On the Security Tab we need to make few decisions:                                                                                                                                                                                                                         Authentication Provider: You have 2 options whether Windows Authentication (If you don't have RADIUS server on your network) which will work great by connecting to your Domain Active Directory or LDAP service and if the Server is domain joined will even make it simpler. However for our case we will go for RADIUS Authentication.                                                                                                                                                                                                               Accounting Provider: Again you have option between Windows Accounting and RADIUS accounting. With Radius accounting you will be sending connection accounting logs to the RADIUS server while Windows Accounting will save them on a file on the VPN server. I will go with Windows Accounting to keep all VPN logs in one place.                                                                                                                                                                                               
                                                                                                                                                             
  3. For the Authentication Methods, Ensure that EAP and MS-CHAP V 2 (First 2 options are selected)                                                                                                                                                                                                          
                                                                                                                                            
  4. In the Authentication Provider (After Picking RADIUS Authentication) - Click on Configure - Add - Add RADIUS Server. Add your Current Network RADIUS server name and a shared secret (This is the same shared secret/password that will be used also on the RADIUS server to validate/authenticate each other). Increase the Time out to 60 (This will be very beneficial with our MFA implementation - Wait time till you get the call or SMS on the mobile and confirm your VPN authentication)                                                                                                                                                                                                      
                                                                                                                       
  5. Now on the RADIUS server  we will create a new client and add the VPN server as a client. RADIUS Clients - New - Enable the RADIUS client and enter the name and IP address of your VPN server as well as the shared secret that we added in the VPN server (Previous step)                                                                                                                                                                                                            
                                                                           
                                                                             
  6. Back to our VPN server and we are still on the security Tab, we will add a certificate in the SSL Certificate binding option at the bottom of the page. In our Scenario we will be using SSTP connection (HTTPS) to limit ports open on the VPN server. You can use your company Wildcard certificate or create a commercial normal SSL certificate and give it a simple name as VPN.company.com. Install the Certificate on the Server and pick it from this location.                                                                                                                                                                                                              
                                                                                                                                   
  7. That's it for the Security and we will move to IPv4 Tab. We need to decide which IPs and how the clients will get their addresses. We have 2 options, whether to assign the IP addresses to the VPN clients using the DHCP or using Static Pool. If you will pick the DHCP option it will assign IPs from the same pool as your Server LAN interface. Most probably you have Server IPs / VLAN and you won't prefer to assign addresses to VPN client from this pool (You can use it only for testing).                                                                                                                                                                                                                                         So in our case we will pick the second option which is assigning IPs to the client VPN devices from a static pool. We will add a new pool from 10.10.10.1 - 10.10.10.254. This pool is different that the Server Internal NIC pool and is not in its routing table.                                                                                                                                                                                                                                                                                                                                   When users connect to the VPN server they will get an IP from this pool however they won't be able to ping or reach any of your corporate resources, this static pool will require a simple network configuration. The problem is that the VPN clients may be able to go (Half way) to your resources but the resources doesn't know how to get back to the VPN client. We need to add a route for this Pool that points to your Local VPN Server IP address (Internal NIC)                                                                                                                                                                                                                                                                                                          Let us assume that your VPN server Internal (Domain Facing) NIC has an IP address of 192.168.100.10 and as per the below screen shot your Static Pool is 10.10.10.1 - 10.10.10.254. You need to add a route on your Inter-Routing devices on your network which is most possibly your internal core switch or your Internal Router that routes and points any traffic going to 10.10.10.0 Network (VPN Pool) to 192.168.100.10. This should do the trick and allows you to access and reach your internal resources. As discussed in Part 1, this VPN server internal NIC doesn't have a Gateway (Multi-Home NIC) so it should has its own static Routes to other subnets in your corporate Network.                                                                                                                                                  
                                                                     
                                                                                      
  8. We will move to the Logging TAB and ensure the log all events and additional Routing and Remote Access information are checked as shown below.                                                                                                                                                                                                                              
                                                                                                             

Now your VPN is properly configured and you are almost ready for your users to connect to your Remote Access / VPN server. Two more items to be checked are:

  • This Scenario is using only SSTP so you need only yo enable HTTPS traffic to your VPN server. No more ports or protocols are needed.                                                                                           
  • Make sure the Network Access Permission is allowed for each user Dial-In properties in Active Directory. You can only allow this option for users using VPN.                                                              



We are all set now and on the next part of this series we will go through the Client VPN setup/configuration and common client scenarios. Hopefully you enjoyed this part and stay tuned for the next post.

















Implementing Microsoft Remote Access Server / VPN Server End to End Solution: Installing VPN on Windows Server 2016 - Part 1

Posted by Ahmed Nabil In | 5 comments»
In this four part series I will be going through implementing Microsoft Remote Access Server /VPN only solution on Windows Server 2016 and integrating it with RADIUS / NPS server for Authentication then add on it Azure MFA implementation for second/Multi Factor authentication for VPN Users as sending message or getting a call on your cell phone.

So Why VPN solution ? Microsoft have a very nice solution for Enterprise customers named DirectAccess (Will have a series of articles on its implementation in Server 2016) however it has some requirements on top of them to be corporate domain joined and its not available for all windows Versions (Only Enterprise ones).

Traditional VPN fills this gap by targeting any windows version as Home and Professional and at the same time you can launch it from your home computer, tablet or mobile to connect to your corporate network. This will be very helpful especially nowadays more and more companies are supporting the idea of Bringing Your Own Device (BYOD) which of course can be any version of Windows and its not member in your domain.

Another question will be can I have one server with both VPN and DirectAccess roles co-existing together ? The Answer is Yes however one draw back is that you will loose the Null encryption and you will have to pay the penalty of the DirectAccess IP-HTTPS double encryption. In our Scenario I will go with installing the VPN role on a single server without other roles.

In Part 1 of this series, we will install the VPN Server, configure it and Enable it.

Part 2 of this Series will continue with configuring the VPN properties, integrating it with RADIUS server for authentication.

Part 3 of this series We will configure the VPN on the client machine and deal with common issues and frequent questions as accessing your Shares, DFS root from your VPN client.

In Part 4 of this series we will configure Azure MFA to add second level of authentication for VPN users connecting to our VPN server.


So let us get started by installing our VPN Server on our Windows Server 2016. This Server is 2 NIC server with 1 NIC in our Local Network and the second NIC in the DMZ

For 2 NIC server (Multi-homed server)we need to make sure of the following configuration:


  • You have only one Gateway which will be on the Second NIC (The one on DMZ or External Network), the Internal NIC will have no Gateway.                                                                                      
  • DNS servers will be specified on your internal NIC (This will be your internal DNS servers)                                                               
  • If you have multiple VLANs on your network, you won't be able to reach them from your VPN server since there is no Gateway on your internal NIC. You need to create static routes on the VPN server to these VLANs, For example if you have specific Servers subnet or other subnets as Printers or specific group then you need to create persistent route to this subnet (ROUTE ADD)


Implementing and Configuring VPN on Windows Server 2016 Standard.

  1. Open the Server Manager on your Windows 2016 VPN server and click Add Roles and Features.                                                                                                                                                                                                      
                                                                                                 
  2. Click Next and pick Role based or Feature based installation                                                                                                                                                              
                                                                                                                                                             
  3. Ensure Select a server is your option and your server name is displayed and highlighted in the Server Pool below area                                                                                                                                                                                      
                                                                                                                                               
  4. Select the Remote Access Role                                                                                                                                                      
                                                                                                                                                             
  5. Click Next - Add features and then select the first option Direct Access and VPN (RAS) as per the below screen shots                                                                                                                                                                                              
                                                                 
                                                                           
                       
                                                                                          
  6.  Click Next for the Web Server (IIS) role installation (This is mainly needed for your Direct Access implementation - Don't forget we picked the role that allow us to install both options, VPN and Direct Access). Click Next on the next screen for the IIS roles services.                                                                                                                                                                                                                   
                                                                                     
                                                    
  7. Confirm all your settings and check the Restart the destination server if required and go ahead for Install - It will take few minutes for the installation.                                                                                                                                                                                                                  
                                                                                                                                              
  8. After Installation is done you will get the option to configure the server with the warning sign displayed in your server manager as shown below. I would highly recommend not doing it this way so you can have better and full control on your configuration                                                                                                                                                                                                                                                                                                          
                                                                                                    
  9.        Instead from Tools, open Remote Access Management - Direct Access and VPN  - Pick the second option Run Remote access setup wizard and choose to deploy VPN only                                                                                                                                                                                                                                                                                                                                                                   
                                                                                                                                                      
                                                                           
                                                       
                                                                       
      
  10. Right Click on your server name - Configure and Enable Routing and Remote Access - Choose Custom Configuration - VPN access and click Finish (Check below screen shots)                                                                                                                                                                                                                
                                                                               

                                                                         
                                                                                                     
  11.  Your services will restart and the Remote access Service is up and running now and ready for configuration and Usage.                                                                                                                                                                                          
                                                                                                                                                              

                                                                                                                                                                    So in Part 1 of this series we installed and enabled the VPN only role on our Windows server 2016 box. In the next part we will start configuring the VPN properties and integrate it with our RADIUS server. Hopefully you enjoyed this part and see you on the next part.


Part 2 of this series http://itcalls.blogspot.com/2016/10/implementing-microsoft-remote-access_30.html

Part 3 of this series http://itcalls.blogspot.com/2016/11/implementing-microsoft-remote-access.html

Part 4 of this series http://itcalls.blogspot.com/2016/11/implementing-microsoft-remote-access_5.html