Always on VPN - Install and Configure VPN and Network Policy Server

Today most of the companies has users who works from Home and the main reason is the Covid-19. Remote Work will be stay.

IT Pro must be ensure that has the appropriate security Apply when users connect in the internal network of the comapany.

The most common way is the VPN. But not all Companies has the budget to buy VPN Licenses from the Firewall Vendors that use.

Windows Server give the Remote Access Role that can be use to setup a VPN Server and users connect with VPN inside the network of the company.

So let's start to explain how can install and configure Remote Access Role and Network Policy Server before use the VPN Connection.

 

How to Install the Remote Access Role

The first step is to install the Remote Access Role in your Server.

  • Click on Server Manager -- Manage -- Add Roles

  • Click Next in the first screen as usual.

 

  • Leave the Role-based or featured-based installation and click Next

 

  • Verify your Server and click Next

 

  • Check the Remote Access.

 

  • In the Features don't change anything and click Next.

 

  • Once again click Next

 

  • Click in Direct Access and VPN(RAS) and when will appear a new Window just click Add Features to add required Features or Roles that needed.

 

  • Once again just click Next

 

  • In the Role Services don't change anything and click Next

 

  • Click Install and wait until finish the Installation.

 

 

 

How to Install the Network Policy Server Role

  • Click on Server Manager -- Manage -- Add Roles

  • Click Next in the first screen as usual.

  • Leave the Role-based or featured-based installation and click Next
  • Verify your Server and click Next

 

  • Check the Network Policy and Access Services and when will appear a new Window just click Add Features to add required Features or Roles that needed.

 

  • In the Features don't change anything and click Next.

 

  • In the Network Policy and Access Services click Next

 

  • Click Install and wait until finish the installation.

 

 

Very easy!!

 

How to configure the Remote Access Server

 

After finish with the installation it's time to do the configuration in order to works properly the VPN

  • Open the Server Manager
  • You will see a yellow flag. Click on it
  • Click in Open the Getting Started Wizard

 

  • Click on Deploy VPN Only

 

  • Right click in the Server and select Configure and Enable Routing and Remote Access

 

  • Click Next in the first Step

 

  • Check the VPN Access

 

  • Click Finish

 

  • Click Start Service

 

  • Now right click in the Server Name and select Properties
  • Go in the Tab Security
  • Change the Authentication Provider with RADIUS Authentication
  • Click in Configure

 

  • Click Add

 

  • Type the Server Name of the RADIUS Server
  • In Shared Secret click Change 
  • Write down a strong shared secret and keep it in safe place.

 

  • Click OK and OK
  • Now click on Tab IPv4
  • Check the Static Address Pool 
  • Click Add to give a range of the IP Addresses that you would like to use for the VPN Users

 

  • If you have a DHCP Server don't forget to exclude these IP Addresses from the Range that you have configure in the DHCP Server
  • Next step is to configure the Ports that will use in the VPN Server
  • Right click on Ports and select Properties
    • For the WAN Miniport(SSTP) uncheck the Remote access connections (inbound only) and Demand dialup routing connection (inbound and outbound)
    • For the other Ports configure the Maximum Ports that you would like to use. For example i change from 128 to 20 ports because i don't have so many users that will connect with the VPN. Decide base on your requirements.

 

How to Configure the Network Policy Server

 

Except from the RRAS Server you must configure the Network Policy Server

  • Open the Network Policy Server Console
  • Click on RADIUS Client
  • Check the Enable this RADIUS Client
  • Type the Server Name of the VPN Server
  • Write down the Shared Secret that created above.
  • Click OK

 

  • Now click on NPS(Local) 
  • In the Standard Configuration select RADIUS Server for Dial up or VPN Connections.
  • Click on Configure VPN or Dial up

 

  • Select Virtual Private Networks (VPN) Connections. Click Next

 

  • Click Add to add the Computer Name of the VPN Server

 

  • Check only the Extensible Authentication Protocol
  • Change to Microsoft Protected EAP (PEAP)
  • Click Configure

 

  • Select the Certificate that you must issue from any Certificate Provider
  • In the Eap Types Click remove to remove the Default Option.
  • Click Add and select the Smart Card or other certificate. Click OK

 

  • Click Next 
  • Add the Group that you must allow to connect with the VPN.
  • The Group must be created in the Active Directory.

 

  • Click Next and again Next without change anything.

 

  • In the Encryption Settings don't change anything and click Next

 

  • Type a Realm Name. Click Next and Finish

 

  • Now if you expand the Policies and click in Network Policies you will see the Policy as Virtual Private Network(VPN) Connections which is the Policy that created above.
  • You can do any change that you want in the future.

 

It's a lot of steps but it's not so difficult.

We don't have finish yet but we cover a lot of tasks that must be done.

Have a nice weekend and continue next week with the next steps.

Tags
Table of content
Disqus Comments