Always On VPN Technology Overviews
When performing the steps in this blog series, the following technologies will be installed and configured on Windows Server 2016.
Following are brief overviews of these technologies and links to additional documentation.
In Windows Server 2016, the Remote Access server role is a multifaceted gateway and router that provides centralized administration, configuration, and monitoring of Virtual Private Network (VPN) remote access services.
You can manage Remote Access Service (RAS) Gateways by using Windows PowerShell commands and the Remote Access Microsoft Management Console (MMC).
For more information, see Remote Access.
Windows 10 VPN Clients
Remote client computers must be running the Windows 10 Anniversary Update (version 1803) or later operating system, and must be joined to your Active Directory domain.
For detailed feature descriptions and a full list of the VPN capabilities in Windows 10, see the Windows 10 VPN Technical Document.
Active Directory Domain Services (AD DS) provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.
AD DS contains the user accounts, computer accounts, and account properties that are required by Protected Extensible Authentication Protocol (PEAP) to authenticate user credentials and to evaluate authorization for VPN connection requests.
For information about deploying AD DS, see the Windows Server 2016 Core Network Document.
Active Directory Users and Computers
Active Directory Users and Computers is a component of AD DS that contains accounts that represent physical entities, such as a computer, a person, or a security group. A security group is a collection of user or computer accounts that administrators can manage as a single unit. User and computer accounts that belong to a particular group are referred to as group members.
Group Policy Management
Group Policy Management enables directory-based change and configuration management of user and computer settings, including security and user information. You use Group Policy to define configurations for groups of users and computers.
With Group Policy, you can specify settings for registry entries, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containers — sites, domains, and OUs — you can apply the GPO’s settings to the users and computers in those Active Directory containers. To manage Group Policy objects across an enterprise, you can use the Group Policy Management Editor Microsoft Management Console (MMC).
Domain Name System (DNS) is a name resolution protocol for TCP/IP networks, such as the Internet or your network. A DNS server hosts the information that enables client computers and services to resolve easily recognized, alphanumeric DNS names to the IP addresses that computers use to communicate with each other.
For more overview information about DNS, see Domain Name System (DNS).
For information about deploying AD DS with DNS, see the Windows Server 2016 Core Network Document.
Active Directory Certificate Services (AD CS) in Windows Server 2016 provides customizable services for creating and managing the X.509 certificates that are used in software security systems that employ public key technologies. You can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding public key. AD CS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.
Certificate templates can greatly simplify the task of administering a certification authority (CA) by allowing you to issue certificates that are preconfigured for selected tasks. The Certificate Templates MMC snap-in allows you to perform the following tasks:
- View properties for each certificate template.
- Copy and modify certificate templates.
- Control which users and computers can read templates and enroll for certificates.
- Perform other administrative tasks relating to certificate templates.
Certificate templates are an integral part of an enterprise certification authority (CA). They are an important element of the certificate policy for an environment, which is the set of rules and formats for certificate enrollment, use, and management.
For more information, see Certificate Templates.
Digital Server Certificates
This document provides instructions for using Active Directory Certificate Services (AD CS) to both enroll and automatically enroll certificates to Remote Access and NPS infrastructure servers. AD CS allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities.
When you use digital server certificates for authentication between computers on your network, the certificates provide:
- Confidentiality through encryption.
- Integrity through digital signatures.
- Authentication by associating certificate keys with computer, user, or device accounts on a computer network.
For more information, see AD CS Step by Step Document: Two Tier PKI Hierarchy Deployment.
Network Policy Server (NPS) allows you to create and enforce organization-wide network access policies for connection request authentication and authorization. When you use NPS as a Remote Authentication Dial-In User Service (RADIUS) server, you configure network access servers, such as VPN servers, as RADIUS clients in NPS.
You also configure network policies that NPS uses to authorize connection requests, and you can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database.
For more information, see Network Policy Server (NPS).
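As an added illustration of the RADIUS-client step described above (this is example code written for this overview, not part of the original post or of Microsoft's documentation), the following PowerShell registers a VPN server as a RADIUS client on the NPS server. The client name, the VPN server address and the secret-generation approach are assumptions; the NPS cmdlets used are the ones shipped in the NPS PowerShell module.

```powershell
# Run on the NPS server in an elevated PowerShell session.
# Assumed values: the VPN server's internal address and a display name.
$vpnServerName    = 'VPN1'           # assumption: friendly name for the RADIUS client
$vpnServerAddress = '10.0.0.5'       # assumption: internal IP of the RRAS/VPN server

# Generate a long, random shared secret instead of a hand-typed one.
# The same value must later be entered on the VPN server's RADIUS settings.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$sharedSecret = [Convert]::ToBase64String($bytes)

# Register the VPN server as a RADIUS client.
# -AuthAttributeRequired $false: do not require Message-Authenticator on every request;
# set it to $true if the VPN server is configured to send it.
New-NpsRadiusClient -Name $vpnServerName `
                    -Address $vpnServerAddress `
                    -SharedSecret $sharedSecret `
                    -AuthAttributeRequired $false `
                    -Enabled $true | Out-Null

# Verify the registration; the secret itself is not displayed by NPS.
Get-NpsRadiusClient -Name $vpnServerName | Format-List Name, Address, Enabled

# Show the secret once so it can be copied to the VPN server, then clear it.
Write-Host "Shared secret for $vpnServerName (record it now): $sharedSecret"
Remove-Variable sharedSecret, bytes
```

Only requests from the registered address with the matching shared secret are accepted; a mismatch shows up as rejected or discarded requests in the NPS event log on the NPS server.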