Configure Active Directory account

First we need to make sure the user will be able to connect to the SSTP VPN gateway. I have a test user called Sally Sales, and yes she works in the Sales department. So I use ADUC (Active Directory Users and Computers) to modify her account. She needs to have permissions to use Dial In even if she really isn’t dialing in.

So select the users properties and on the Dial In tab change Network Access Permission from Control access trough NPS Network Policy to Allow Access. We can’t use NPS Network policies since we don’t have an Network Access Protection server, for the moment anyway. Once your done just click ok. Sally Sales is now minutes away from connecting with VPN.

Configure Vista SSTP VPN client

Next we need to take care of Sally’s laptop. Normally she could fix this herself since the vpngw.nixadmins.net is already on a public network. But in our test lab we are using the HOST file to point her the right way.

Open the command prompt on your Vista workstation using Administrative privileges. In the prompt enter

notepad.exe C:\Windows\System32\Drivers\etc\hosts

Because we don’t have a DNS on our “public” network we have to use the host file. So at the end of the file add a line 10.0.0.1 vpngw.nixadmins.net (in my case, yours might differ).

Save the file.

Create the new VPN Network connection

Now we need ( using Sally’s credentials ) to create the new network connection.  So right click on the network icon in the system tray and select Connect to a network.

Select Setup a connection or network. Select Connect to a workplace.

Click next and select Use my Internet connection (VPN).  Because this is a virtual machine with a local only network the system asks us if we want to set up a Internet connection. We already have one so we choose I’ll set up an Internet connection later.

Next are the settings for the VPN gateway. So the internet address should be your public name of the server, in my case vpngw.nixadmins.net and let’s give Destination name an clear name saying Corporate VPN connection.

We aren’t using a smartcard and for now we don’t want to share this connection either. So just click next. I also won’t type the username and password here. I’ll rather provide them at login. That’s it. The connection is now ready to use.

But at the moment it will use PPTP and we want to use SSTP. So let’s continue. Go to your network connections and select properties on the Corporate VPN Connection. Select the tab Networking and change the Type of VPN to Secure Socket Tunneling Protocoll (SSTP).

Testing the SSTP VPN connection

Now we can test our new SSTP connection. So in the system tray right click on your network icon and select connect to a network. Select the Corporate VPN Connection and supply your user credentials. ssales in my case.

Then just click connect and wait a moment for the tunnel to connect.

That’s it. Your client is now connected to your corporate headquarters.  As I have shown you in these two short articles. Supplying your users with a secure offsite connection to the corporate network isn’t a great deal of work. Anyway, these are just the basics. So I encourage you to study more about securing Windows Server and take a look at Microsoft’s documentation on the Routing and Remote Access documentation. This is a server connected on the public Internet so caution is always a good thing.

Some extra reading can be found here

• Windows Server 2003 Routing and Remote Access
• New in Windows Server 2008 Routing and Remote Access
• Securing Windows Server 2008
• Routing and remote access blog on how SSTP based VPN works

That’s it for this time. Hope to see you soon when we take a look at Windows Server 2008’s capabilities in providing Network Access Protection (NAP). But that’s a story for another day.

Feel free to comment and provide me with feedback if you find this two part guide useful.

• Windows Server 2008 Enterprise running HEL-DC1
  • AD DS
  • DHCP
  • DNS
  • AD CS ( Certificate Services Enterprise CA)
• Windows Server 2008 Enterprise running HEL-NAT
  • 2 network interfaces – External and internal
• Windows Vista Business Edition
  • Service Pack 2

If you don’t have access to Microsoft Volume Licensing, a Technet Subscription or a MSDN Subscription you can download the trial versions of the systems above, they are free and you can use them for 180 days. So you’ll have more than enough time to complete this lab. Our setup will look as figure 1 shows.

Figure 1

As you can see we are using private IP:s only and we have not deployed a DNS server on our private little internet because the easier way in a small lab like this is to use the Windows host file.

The ip addresses assigned are as follows,

• hel-dc1 192.168.0.1/24
• hel-cli1 10.0.0.150/8
• vpngw
• Internal Network 192.168.0.254/24
• External Network 10.0.0.1/8

All machines are part of the domain. So before you move the hel-cli1 “laptop” out of the 192.168.0.0 network remember it has to be joined to the domain.

Setting up the VPN Gateway Server

So I’m depending on you to have a working Active Directory from this point on and the Domain Controller should have the Active Directory Certificate Services installed and it should be a Enterprise Certification Authority not a Standalone. Well then, let’s move on.

First of all we need to install the correct roles on our VPN Gateway server. So start up your Server Manager and select Add Roles.

Install Webb server role

To get SSTP-VPN working we need the Web server role. And we will use the IIS management console to get a certificate from the Enterprise Certification Authority (HEL-DC1 in my case). In server manager click Web Server (IIS) and add the required features.

When done select next next.

Role Services

For some reason we need to select every role service under security to be enable to get a certificate from the Enterprise CA. So select every role service under Security.

That’s it. Select next and at the Confirm Installation Selections click install and sit back and relax for a minute. Maybe even grab a cup of coffee if your system is slow enough .

Getting the web server certificate from the Enterprise CA

Next we need to get a certificate to encrypt our sessions and to identify the server. So we want the certificate name to be the same as the external DNS name of the server. In my case it’s the same as the internal DNS name. Open the Server manager again and go to Roles, Web Server, Internet Information Services Manager. Select the server name, VPNGW and select Server Certificates. In the right side Action Pane select  Create Domain Certificate. The most important field is the Common name, this is the field that identifies the server to the clients accessing it from the outside. So be sure to set the Common name to whatever your external server name is. In this case, vpngw.nixadmins.net. As I said in the beginning I’m running this in Virtual PC so I’ll use the host file to set it on the client but in a real world case this is important. Nagged enough? Ok, let’s move on.

After  clicking next you are presented with a dialog to select your Online certification Authority. Since we have our AD CS ( Active Directory Certificate Services ) running on our domain controller we just hit select and pick our Enterprise CA, the HEL-DC1.

Set the friendly name to something descriptive like SSTP Certificate since that’s what we will be using it for. Click finish and you should se the certificate in the list of server certificates.

Setting up Routing and Remote Access

The server also needs to be able to route the requests from the external to the internal network so we need the Routing and Remote Access role. In my case it also works as a router for the internal clients so they can access the external networks. Once again in Server Manager select add role and select Network Policy and Access Services.

Click next until Role Services. We won’t be using NAP quite yet, maybe in a later post if there is an demand for it, so just select the Routing and Remote Access Services.

Confirm the installation and sit back and wait.

Configuring Routing and Remote Access

We now need to activate the Routing and Remote access. In Server manger roles you’ll find the Network Policy and Access, Routing and Remote Access. As you can se it hasn’t yet been activated.

Right click Routing and Remote Access and select Configure and Enable Routing and Remote Access. I’m using this server for NAT so the internal clients use it as a gateway so I need to select Virtual Private Network (VPN) access and NAT. Click next and select your external network interface.

Set the IP Address Assignment to Automatically. This way it will use the internal DHCP server to relay the addresses.

Select No, use Routing and Remote Access to authenticate connection requests on the next page.

Finish the setup and wait for it to complete.

That’s it. Once the wizard is done you have Remote Access setup. Tomorrow we’ll go trough how to allow the client to access the network using our new SSTP VPNGW and we will set up our Windows Vista client to connect to our corporate network. Until then, I’ll answer your questions and if you have any requests on special subjects don’t be afraid to ask, I’ll do my best to create them. Se you tomorrow.