
Always On VPN – Configure the Server Infrastructure – Create Security Groups

Harmik Batth Tech Blog

In this step you create an Active Directory security group that contains the users who are allowed to connect to your network over the VPN. This group serves two purposes:

  • It defines which users are allowed to auto-enroll for the user certificates the VPN requires.
  • It defines which users the NPS authorizes for VPN access.

Because access is tied to a dedicated group, revoking a user’s VPN access is a matter of removing that user from the group: the user then fails NPS authorization and no longer qualifies for autoenrollment. Note that a user certificate that was already issued stays valid until it expires, so if the account or device is compromised, also revoke that certificate on the CA rather than relying on group membership alone.

You also add a group containing the VPN servers and another containing the NPS servers. The server certificate templates are scoped to these groups so that only their members can request certificates from them.

To configure the VPN Users group

  1. On a domain controller, open Active Directory Users and Computers.
  2. Right-click a container or organizational unit, click New, and click Group.
  3. In Group name, type VPN Users, and click OK.
  4. Right-click VPN Users, and click Properties.
  5. On the Members tab of the VPN Users Properties dialog box, click Add.
  6. On the Select Users dialog box, add all the users who need VPN access and click OK.
  7. Close Active Directory Users and Computers.

To configure the VPN Servers and NPS Servers groups

  1. On a domain controller, open Active Directory Users and Computers.
  2. Right-click a container or organizational unit, click New, and click Group.
  3. In Group name, type VPN Servers, and click OK.
  4. Right-click VPN Servers, and click Properties.
  5. On the Members tab of the VPN Servers Properties dialog box, click Add.
  6. Click Object Types, select the Computers check box, and click OK.
  7. In Enter the object names to select, type the names of your VPN servers, and click OK.
  8. Click OK to close the VPN Servers Properties dialog box.
  9. Repeat the previous steps for the NPS Servers group.
  10. Close Active Directory Users and Computers.
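
The same three groups created from PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module is installed; the OU path, user names and server names are placeholders for your environment. The final loop prints the membership of each group and flags anything that is not the expected object class, which is how you catch a nested group (for example Domain Users) that would silently widen who can enroll.

```powershell
# Added example (not from the original post): creates and populates the
# VPN Users, VPN Servers and NPS Servers groups, then verifies membership.
# Assumptions: ActiveDirectory module available; OU, users and hosts below are placeholders.
Import-Module ActiveDirectory

$GroupOU    = 'OU=VPN,OU=Groups,DC=corp,DC=example'   # assumed OU
$VpnUsers   = @('alice', 'bob')                        # assumed sAMAccountNames
$VpnServers = @('VPN01', 'VPN02')                      # assumed VPN server hostnames
$NpsServers = @('NPS01')                               # assumed NPS server hostname

# Create a global security group if it does not exist yet, and return it.
function Ensure-Group {
    param([string]$Name, [string]$Path, [string]$Description)
    $g = Get-ADGroup -Filter "Name -eq '$Name'"
    if (-not $g) {
        $g = New-ADGroup -Name $Name -SamAccountName $Name -GroupCategory Security `
                         -GroupScope Global -Path $Path -Description $Description -PassThru
    }
    return $g
}

$usersGroup   = Ensure-Group 'VPN Users'   $GroupOU 'Users allowed to enroll VPN user certificates and connect through NPS'
$serversGroup = Ensure-Group 'VPN Servers' $GroupOU 'VPN servers allowed to enroll the VPN Server Authentication template'
$npsGroup     = Ensure-Group 'NPS Servers' $GroupOU 'NPS servers allowed to autoenroll the NPS Server Authentication template'

# Users are added by sAMAccountName. Computers are separate objects (their
# sAMAccountName ends in '$'), which is why the GUI procedure makes you tick
# "Computers" under Object Types; here we resolve them with Get-ADComputer.
Add-ADGroupMember -Identity $usersGroup   -Members $VpnUsers
Add-ADGroupMember -Identity $serversGroup -Members ($VpnServers | ForEach-Object { Get-ADComputer -Identity $_ })
Add-ADGroupMember -Identity $npsGroup     -Members ($NpsServers | ForEach-Object { Get-ADComputer -Identity $_ })

# Verify direct members (deliberately not -Recursive): a nested group shows up
# with objectClass 'group' and is flagged, as is a computer in the users group.
foreach ($g in $usersGroup, $serversGroup, $npsGroup) {
    $expectedClass = if ($g.Name -eq 'VPN Users') { 'user' } else { 'computer' }
    Get-ADGroupMember -Identity $g | ForEach-Object {
        $flag = if ($_.objectClass -ne $expectedClass) { '  <-- unexpected object class' } else { '' }
        '{0,-12} {1,-10} {2}{3}' -f $g.Name, $_.objectClass, $_.SamAccountName, $flag
    }
}
```

Run it once from a management host as an account that can create objects in the target OU; rerunning is safe because existing groups are reused and Add-ADGroupMember ignores members that are already present.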

In this section you create a custom user authentication certificate template. VPN clients present certificates issued from this template when they authenticate to NPS.

A custom template is needed because you raise the template’s compatibility levels and require the Microsoft Platform Crypto Provider. That provider generates and stores the private key in the Trusted Platform Module (TPM) on the client, so the key cannot be exported from the device. Be aware that a client without a usable TPM cannot enroll against a template that requires this provider: such clients fail autoenrollment rather than falling back to a software key, so check your fleet before rolling this out.

To configure the User Authentication template

  1. On the CA, open Certification Authority.
  2. In the navigation pane, right-click Certificate Templates, and click Manage.
  3. In the Certificate Templates console, right-click User, and click Duplicate Template.
  4. On the Properties of New Template dialog box, on the General tab, complete the following steps:
    1. In Template display name, type VPN User Authentication.
    2. Clear the Publish certificate in Active Directory check box.
  5. On the Security tab, complete the following steps:
    1. Click Add.
    2. On the Select Users, Computers, Service Accounts, or Groups dialog box, type VPN Users, and click OK.
    3. In Group or user names, click VPN Users.
    4. In Permissions for VPN Users, select the Enroll and Autoenroll check boxes in the Allow column.
    5. In Group or user names, click Domain Users, and click Remove. This leaves VPN Users as the only non-administrative principal that can enroll.
  6. On the Compatibility tab, complete the following steps:
    1. In Certification Authority, click Windows Server 2012 R2.
    2. On the Resulting changes dialog box, click OK.
    3. In Certificate recipient, click Windows 8.1/Windows Server 2012 R2.
    4. On the Resulting changes dialog box, click OK.
  7. On the Request Handling tab, clear the Allow private key to be exported check box.
  8. On the Cryptography tab, complete the following steps:
    1. In Provider Category, click Key Storage Provider.
    2. Click Requests must use one of the following providers.
    3. Select the Microsoft Platform Crypto Provider check box.
  9. On the Subject Name tab, if you don’t have an email address listed on all user accounts, clear the Include e-mail name in subject name and E-mail name check boxes. Autoenrollment fails for any user whose account lacks an attribute the subject name requires.
  10. Click OK to save the VPN User Authentication certificate template.
  11. In the Certification Authority console, right-click Certificate Templates, click New, and click Certificate Template to Issue.
  12. Click VPN User Authentication, and click OK.

In this step you create a Server Authentication certificate template for the VPN server.

Adding the IP security IKE intermediate application policy lets the VPN server pick the correct certificate when more than one certificate with the Server Authentication extended key usage is installed.

Important

Because VPN clients reach this server from the public Internet, the certificate’s subject and subject alternative names carry the public name, not the internal server name. A certificate whose subject is supplied in the request cannot be autoenrolled, so you enroll it manually on each VPN server. This is also why the Security tab settings below matter: a template that lets the requester supply the subject name, and that inherits the Client Authentication application policy from RAS and IAS Server, must be enrollable only by the VPN Servers group. Granting Enroll on it to a broad group would let any member obtain a certificate with a subject name of their choosing.

To configure the VPN Server Authentication template

  1. On the CA, open Certification Authority.
  2. In the navigation pane, right-click Certificate Templates, and click Manage.
  3. In the Certificate Templates console, right-click RAS and IAS Server, and click Duplicate Template.
  4. On the Properties of New Template dialog box, on the General tab, in Template display name, type VPN Server Authentication.
  5. On the Extensions tab, complete the following steps:
    1. Click Application Policies, and click Edit.
    2. On the Edit Application Policies Extension dialog box, click Add.
    3. On the Add Application Policy dialog box, click IP security IKE intermediate, and click OK.
    4. Click OK to return to the Properties of New Template dialog box.
  6. On the Security tab, complete the following steps:
    1. Click Add.
    2. On the Select Users, Computers, Service Accounts, or Groups dialog box, type VPN Servers, and click OK.
    3. In Group or user names, click VPN Servers.
    4. In Permissions for VPN Servers, select the Enroll check box in the Allow column. Do not select Autoenroll; this template is enrolled manually.
    5. In Group or user names, click RAS and IAS Servers, and click Remove.
  7. On the Subject Name tab, complete the following steps:
    1. Click Supply in the request.
    2. On the Certificate Templates warning dialog box, click OK.
  8. Click OK to save the VPN Server Authentication certificate template.
  9. In the Certification Authority console, right-click Certificate Templates, click New, and click Certificate Template to Issue.
  10. Click VPN Server Authentication, and click OK.

The third and last certificate template to create is the NPS Server Authentication template. It is a straightforward copy of the RAS and IAS Server template, secured to the NPS Servers group that you created earlier in this section.

Because the NPS server’s subject name is built from Active Directory, this template can be autoenrolled, so you grant the NPS Servers group both Enroll and Autoenroll.

To configure the NPS Server Authentication template

  1. On the CA, open Certification Authority.
  2. In the navigation pane, right-click Certificate Templates, and click Manage.
  3. In the Certificate Templates console, right-click RAS and IAS Server, and click Duplicate Template.
  4. On the Properties of New Template dialog box, on the General tab, in Template display name, type NPS Server Authentication.
  5. On the Security tab, complete the following steps:
    1. Click Add.
    2. On the Select Users, Computers, Service Accounts, or Groups dialog box, type NPS Servers, and click OK.
    3. In Group or user names, click NPS Servers.
    4. In Permissions for NPS Servers, select the Enroll and Autoenroll check boxes in the Allow column.
    5. In Group or user names, click RAS and IAS Servers, and click Remove.
  6. Click OK to save the NPS Server Authentication certificate template.
  7. In the Certification Authority console, right-click Certificate Templates, click New, and click Certificate Template to Issue.
  8. Click NPS Server Authentication, and click OK.
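
A check for all three templates created in this post, as an added example that is not part of the original post. It reads each template object back from the configuration partition and verifies the settings the three procedures set: who holds Enroll and Autoenroll, whether the subject is supplied in the request, whether the private key is exportable, whether the VPN server template carries the IKE intermediate policy, and whether the user template requires the Microsoft Platform Crypto Provider. It assumes the ActiveDirectory RSAT module and that the templates kept the CN the Certificate Templates console assigns by default (the display name with spaces removed); the expected group names are the ones used above.

```powershell
# Added example (not from the original post): audits the VPN User Authentication,
# VPN Server Authentication and NPS Server Authentication templates in AD.
# Assumptions: ActiveDirectory module available; template CNs are the display
# names without spaces; group names match the procedures in this post.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Attribute flag bits and the well-known enrollment extended-right GUIDs.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: "Allow private key to be exported"
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'
$IkeIntermOid   = '1.3.6.1.5.5.8.2.2'
$props = @('msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag', 'pKIExtendedKeyUsage', 'pKIDefaultCSPs')

# What each template should look like after the procedures in this post.
$expected = @{
    'VPNUserAuthentication'   = @{ Group = 'VPN Users';   Autoenroll = $true;  SuppliesSubject = $false }
    'VPNServerAuthentication' = @{ Group = 'VPN Servers'; Autoenroll = $false; SuppliesSubject = $true  }
    'NPSServerAuthentication' = @{ Group = 'NPS Servers'; Autoenroll = $true;  SuppliesSubject = $false }
}

# Returns every principal holding Enroll, Autoenroll, or a right that implies them.
function Get-TemplateEnrollers {
    param([string]$Dn)
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            $right = $null
            if ($_.ActiveDirectoryRights.HasFlag($rights::GenericAll)) { $right = 'FullControl' }
            elseif ($_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight)) {
                if     ($_.ObjectType -eq $AutoenrollGuid) { $right = 'Autoenroll' }
                elseif ($_.ObjectType -eq $EnrollGuid)     { $right = 'Enroll' }
                elseif ($_.ObjectType -eq [guid]::Empty)   { $right = 'AllExtendedRights' }
            }
            if ($right) { [pscustomobject]@{ Identity = $_.IdentityReference.Value; Right = $right } }
        }
}

foreach ($cn in $expected.Keys) {
    $want = $expected[$cn]
    $t = Get-ADObject -Identity "CN=$cn,$templateDN" -Properties $props
    $findings = @()

    $supplies = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    if ($supplies -ne $want.SuppliesSubject) { $findings += 'subject name source differs from the procedure' }
    if (($t.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -ne 0) { $findings += 'private key is exportable' }
    if ($cn -eq 'VPNServerAuthentication' -and $t.pKIExtendedKeyUsage -notcontains $IkeIntermOid) {
        $findings += 'IP security IKE intermediate application policy is missing'
    }
    if ($cn -eq 'VPNUserAuthentication' -and -not ($t.pKIDefaultCSPs -match 'Microsoft Platform Crypto Provider')) {
        $findings += 'Microsoft Platform Crypto Provider (TPM) is not required'
    }

    $enrollers = @(Get-TemplateEnrollers -Dn $t.DistinguishedName)
    foreach ($e in $enrollers) {
        # Domain Admins / Enterprise Admins keep Full Control by default; anyone else must be the intended group.
        if ($e.Identity -match 'Domain Admins|Enterprise Admins') { continue }
        if ($e.Identity -notmatch [regex]::Escape($want.Group)) { $findings += "$($e.Right) granted to $($e.Identity)" }
        elseif (-not $want.Autoenroll -and $e.Right -eq 'Autoenroll') { $findings += 'Autoenroll granted on a manual-enrollment template' }
    }

    "== $cn =="
    if ($findings) { $findings | ForEach-Object { "  [!] $_" } } else { '  OK' }
    # Requester-supplied subject plus Client Authentication (inherited from RAS and IAS
    # Server) is the combination that must never be enrollable by untrusted principals.
    if ($supplies -and $t.pKIExtendedKeyUsage -contains $ClientAuthOid) {
        "  [i] requester supplies the subject and Client Authentication EKU is present; enrollers: " +
            (($enrollers | ForEach-Object { "$($_.Identity):$($_.Right)" }) -join ', ')
    }
}
```

Any domain user can read the template objects, so this runs without CA administrator rights. Identities that resolve to an unexpected principal (or to a bare SID) are reported as findings, and the `[i]` line on the VPN Server Authentication template is a reminder to re-check that list whenever the template’s ACL is touched. You can cross-check the raw attributes with `certutil -v -dstemplate VPNServerAuthentication`.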
