Setting up SSL-VPN in a Windows Server 2008 environment
In this two-part series we will look at setting up SSL-VPN using Windows Server 2008. At the end of the next part you will be able to configure a Windows Vista or Windows 7 client to connect to the corporate network using SSL-VPN (SSTP). To test this scenario you need some previous knowledge of Windows Server and Active Directory in particular: we will be using Active Directory both to log on to the VPN and to control which users are allowed to. If you, like me, don’t feel like testing in a production environment, you can set this lab up in a Virtual PC or Virtual Server environment. I will not be going through setting up Windows Server 2008 AD DS in this article; I expect you to have your domain up and running. To run this lab you will need the following:
- Windows Server 2008 Enterprise running HEL-DC1, with
  - AD DS
  - DHCP
  - DNS
  - AD CS (Certificate Services, Enterprise CA)
- Windows Server 2008 Enterprise running HEL-NAT (the VPN gateway, called VPNGW below), with
  - 2 network interfaces, external and internal
- Windows Vista Business Edition with Service Pack 2
If you don’t have access to Microsoft Volume Licensing, a TechNet subscription or an MSDN subscription, you can download the trial versions of the systems above; they are free and you can use them for 180 days, so you’ll have more than enough time to complete this lab. Our setup will look like figure 1.
As you can see we are using private IP addresses only, and we have not deployed a DNS server on our private little Internet, because the easier way in a small lab like this is to use the Windows hosts file.
The IP addresses assigned are as follows:
- hel-dc1 192.168.0.1/24
- hel-cli1 10.0.0.150/8
- vpngw
  - internal network 192.168.0.254/24
  - external network 10.0.0.1/8
All machines are part of the domain, so before you move the hel-cli1 “laptop” out of the 192.168.0.0/24 network, remember that it has to be joined to the domain first.
Setting up the VPN Gateway Server
So I’m depending on you to have a working Active Directory from this point on, and the Domain Controller should have Active Directory Certificate Services installed as an Enterprise Certification Authority, not a Standalone one. Well then, let’s move on.
First of all we need to install the correct roles on our VPN Gateway server. So start up your Server Manager and select Add Roles.
Install the Web Server role
To get SSTP VPN working we need the Web Server role, and we will use the IIS management console to get a certificate from the Enterprise Certification Authority (HEL-DC1 in my case). In Server Manager tick Web Server (IIS) and add the required features when prompted.
When done, click Next until you reach Role Services.
Role Services
For some reason every role service under Security has to be selected before we are able to get a certificate from the Enterprise CA, so select every role service under Security.
That’s it. Click Next, and at Confirm Installation Selections click Install, then sit back and relax for a minute. Maybe even grab a cup of coffee if your system is slow enough.
Getting the web server certificate from the Enterprise CA
Next we need a certificate to encrypt our sessions and to identify the server, so we want the certificate name to be the same as the external DNS name of the server. In my case it’s the same as the internal DNS name. Open Server Manager again and go to Roles, Web Server, Internet Information Services Manager. Select the server name, VPNGW, and open Server Certificates. In the Actions pane on the right select Create Domain Certificate. The most important field is the Common name: this is the field that identifies the server to the clients accessing it from the outside, and the SSTP client will refuse the connection if the name it dialled does not match it. So be sure to set the Common name to whatever your external server name is, in this case vpngw.nixadmins.net. The client also checks the certificate’s revocation list before the tunnel exists, so the CRL distribution point named in the certificate must be reachable from the outside as well. As I said in the beginning I’m running this in Virtual PC, so I’ll use the hosts file to resolve the name on the client, but in a real-world case this is important. Nagged enough? Ok, let’s move on.
After clicking Next you are presented with a dialog to select your online Certification Authority. Since we have AD CS (Active Directory Certificate Services) running on our domain controller we just hit Select and pick our Enterprise CA, HEL-DC1.
Set the friendly name to something descriptive like SSTP Certificate, since that’s what we will be using it for. Click Finish and you should see the certificate in the list of server certificates.
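The same enrollment can be done from an elevated PowerShell prompt on the gateway with certreq.exe, which lets you see (and keep) exactly what was requested. This is an added example, not part of the original post. It assumes PowerShell 2.0, the external name vpngw.nixadmins.net, that VPNGW’s computer account may enroll the built-in WebServer template (the one the IIS wizard uses), and a CA config string of HEL-DC1.nixadmins.net\NixAdmins-CA, which is hypothetical: run certutil with no arguments on any domain member to see the real Config value for your Enterprise CA.

```powershell
# Added example (not from the original post): request the SSTP server
# certificate from the Enterprise CA with certreq.exe instead of the IIS wizard.
$ExternalName = "vpngw.nixadmins.net"                  # must equal the name clients dial
$CaConfig     = "HEL-DC1.nixadmins.net\NixAdmins-CA"   # HYPOTHETICAL; see "certutil" output
$WorkDir      = "$env:SystemDrive\sstp-cert"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# The subject CN carries the external name (what the SSTP client compares the
# certificate against) and a DNS SAN repeats it for clients that prefer SANs.
# MachineKeySet=TRUE puts the key in the computer store, where SSTP looks for it.
@"
[NewRequest]
Subject = "CN=$ExternalName"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$ExternalName&"
"@ | Set-Content -Path "$WorkDir\request.inf" -Encoding ASCII

Push-Location $WorkDir
certreq.exe -new request.inf request.req                       # generates key pair + CSR
certreq.exe -submit -config $CaConfig request.req request.cer  # Enterprise CA issues immediately
certreq.exe -accept request.cer                                # binds the cert to its private key
Pop-Location

# Sanity check before touching RRAS: right subject, private key present,
# and a sensible validity window. Anything else will fail later, silently.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$ExternalName" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Enrollment did not produce a usable certificate for $ExternalName"
}
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
```

Keep request.inf with your build notes; when the certificate is renewed the same file reproduces the request, and the thumbprint printed at the end is the value you will compare against the HTTP.SYS binding once RRAS is configured.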
Setting up Routing and Remote Access
The server also needs to be able to route requests from the external to the internal network, so we need the Routing and Remote Access role. In my case it also works as a router for the internal clients so they can access external networks. Once again in Server Manager select Add Roles and select Network Policy and Access Services.
Click Next until Role Services. We won’t be using NAP quite yet (maybe in a later post if there is demand for it), so just select Routing and Remote Access Services.
Confirm the installation and sit back and wait.
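Both role installs above (the Web Server role with every Security role service, and Routing and Remote Access Services) can be scripted with ServerManagerCmd.exe, the command-line Server Manager that ships with Windows Server 2008, which also gives you a check that nothing was missed before the certificate request is attempted. This is an added example, not part of the original post. It assumes an elevated PowerShell 2.0 prompt on the gateway and the feature IDs ServerManagerCmd.exe -query prints on a 2008 box; verify them with that command on your own server.

```powershell
# Added example (not from the original post): install the role services the
# two wizards above select, using ServerManagerCmd.exe, and confirm the result.

function Get-InstalledFeatureIds {
    # -query prints one line per role/feature, e.g. "    [X] Security  [Web-Security]".
    # [X] marks an installed item; the trailing [...] holds its ID.
    ServerManagerCmd.exe -query | ForEach-Object {
        if ($_ -match '^\s*\[X\].*\[([^\]]+)\]\s*$') { $matches[1] }
    }
}

# AllSub = $true pulls in every child role service, which is what the wizard
# walk-through requires under Web Server > Security.
$wanted = @(
    @{ Id = "Web-Server";         AllSub = $false },  # Web Server (IIS), default role services
    @{ Id = "Web-Mgmt-Console";   AllSub = $false },  # IIS Manager, home of Create Domain Certificate
    @{ Id = "Web-Security";       AllSub = $true  },  # Basic/Windows/Digest/client-cert/URL auth,
                                                      # request filtering, IP restrictions
    @{ Id = "NPAS-RRAS-Services"; AllSub = $true  }   # Network Policy and Access Services >
                                                      # Routing and Remote Access Services
)

$installed = @(Get-InstalledFeatureIds)
foreach ($f in $wanted) {
    if ($installed -contains $f.Id) { "$($f.Id) already installed"; continue }
    $cmdArgs = @("-install", $f.Id)
    if ($f.AllSub) { $cmdArgs += "-allSubFeatures" }
    & ServerManagerCmd.exe $cmdArgs
    if ($LASTEXITCODE -ne 0) {
        throw "ServerManagerCmd.exe -install $($f.Id) exited with code $LASTEXITCODE"
    }
}

# Re-query so a missing Security role service is caught now rather than as a
# cryptic failure in the Create Domain Certificate dialog later.
$installed = @(Get-InstalledFeatureIds)
$missing = $wanted | Where-Object { $installed -notcontains $_.Id } | ForEach-Object { $_.Id }
if ($missing) { throw "Still missing: $($missing -join ', ')" }
"All required role services are present; reboot if ServerManagerCmd asked for one."
```

ServerManagerCmd resolves dependencies (such as the Windows Process Activation Service for IIS) the same way the wizard’s “add required features” prompt does, so the list only needs the items you would tick yourself.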
Configuring Routing and Remote Access
We now need to activate Routing and Remote Access. In Server Manager under Roles you’ll find Network Policy and Access Services, Routing and Remote Access. As you can see it hasn’t yet been activated.
Right-click Routing and Remote Access and select Configure and Enable Routing and Remote Access. I’m using this server for NAT so the internal clients use it as their gateway, so I need to select Virtual Private Network (VPN) access and NAT. Click Next and select your external network interface.
Set IP Address Assignment to Automatically. This way RRAS will lease addresses for the VPN clients from the internal DHCP server and hand them out itself.
Select No, use Routing and Remote Access to authenticate connection requests on the next page.
Finish the setup and wait for it to complete.
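Once the wizard has finished, the thing worth checking is whether SSTP actually picked up the certificate enrolled earlier: SSTP listens through HTTP.SYS on port 443 and uses whatever certificate is bound to 0.0.0.0:443, and a wrong or untrusted certificate only shows up as a failed client connection in part 2. The script below is an added example, not part of the original post; it assumes PowerShell 2.0 on the gateway and the external name vpngw.nixadmins.net, and it treats the SstpSvc registry hash values as optional because not every build records them.

```powershell
# Added example (not from the original post): verify the SSTP server
# certificate and its HTTP.SYS binding on the gateway after the RRAS wizard.
$ExternalName = "vpngw.nixadmins.net"   # assumption; the name clients will dial

# 1. Locate the certificate enrolled through IIS (LocalMachine\My), newest first.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
$cert = $store.Certificates | Where-Object { $_.Subject -eq "CN=$ExternalName" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No certificate with CN=$ExternalName in LocalMachine\My" }
"Using certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"

# 2. Schannel only offers it for TLS if it carries the Server Authentication
#    EKU (1.3.6.1.5.5.7.3.1) and has its private key on this host.
$eku = $cert.Extensions |
       Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$serverAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })
if (-not $serverAuth)        { throw "Certificate lacks the Server Authentication EKU" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key on this host" }

# 3. It must chain to a CA the client trusts, with revocation checkable
#    (the client performs the same online check before the tunnel is up).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "Online"
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) $($_.StatusInformation)" }
    throw "Certificate chain does not validate on the gateway itself"
}

# 4. List the CRL distribution points (OID 2.5.29.31); each must be reachable
#    from the external network, or every SSTP client will fail revocation.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
if ($cdp) { "CRL distribution points (must be reachable from the outside):"; $cdp.Format($true) }
else      { "Warning: certificate has no CRL distribution point" }

# 5. The HTTP.SYS binding on 0.0.0.0:443 must carry this thumbprint.
$binding = netsh http show sslcert ipport=0.0.0.0:443 | Out-String
if ($binding -notmatch "Certificate Hash\s*:\s*$($cert.Thumbprint)") {
    "netsh http show sslcert output:`n$binding"
    throw "0.0.0.0:443 is not bound to $($cert.Thumbprint); fix the store, then restart the RemoteAccess service"
}
"HTTP.SYS binding on 0.0.0.0:443 matches the certificate."

# 6. Where SstpSvc recorded the hash it selected, it must match as well.
$params = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters" -ErrorAction SilentlyContinue
if ($params -and $params.SHA1CertificateHash) {
    $regHash = ($params.SHA1CertificateHash | ForEach-Object { $_.ToString("X2") }) -join ""
    if ($regHash -ne $cert.Thumbprint) { throw "SstpSvc SHA1CertificateHash $regHash differs from $($cert.Thumbprint)" }
    "SstpSvc SHA1CertificateHash matches."
}
```

If step 5 fails after you replace or renew the certificate, the usual cause is that SSTP bound the old one: restart the RemoteAccess service and run the script again. Step 4 is the check most often skipped in lab setups and the one that bites in production, because the CRL URL typically points at an internal host.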
That’s it. Once the wizard is done you have Remote Access set up. Tomorrow we’ll go through how to allow the client to access the network using our new SSTP VPN gateway, and we will set up our Windows Vista client to connect to our corporate network. Until then I’ll answer your questions, and if you have requests on special subjects don’t be afraid to ask; I’ll do my best to cover them. See you tomorrow.