
Remote Access Always-On VPN Deployment Overview

Harmik Batth Tech's Blog

This blog series describes how to deploy Always On Virtual Private Network (VPN) connections for remote computers that are running Windows 10.

For this deployment, a pair of new Remote Access servers running Windows Server 2016 is configured, and some of your existing infrastructure is modified to support it.

The following illustration shows the infrastructure that is required to deploy Always-On VPN.

The connection process depicted in this illustration is comprised of the following steps.

  1. Using public DNS servers, the Windows 10 VPN client performs a name resolution query for the IP address of the VPN gateway.
  2. Using the IP address returned by DNS, the VPN client sends a connection request to the VPN gateway.
  3. The VPN gateway is also configured as a Remote Authentication Dial-In User Service (RADIUS) Client; the VPN RADIUS Client sends the connection request to your NPS server for connection request processing.
  4. The NPS server processes the connection request, including performing authorization and authentication, and determines whether to allow or deny the connection request.
  5. The NPS server forwards an Access-Accept or Access-Deny response to the VPN gateway.
  6. The connection is initiated or terminated based on the response that the VPN server received from the NPS server.

For more information on each infrastructure component depicted in the illustration above, see the following sections.

The VPN Server is a new virtual machine (VM) that is installed to complete the steps in this document. The server is running Windows Server 2016. In addition, in the process of completing the steps in this document, the following actions are performed on the VPN Server.

  • Install two Ethernet network adapters in the physical server.
  • Install the server on your perimeter network between your edge and internal firewalls, with one network adapter connected to the External Perimeter Network, and one network adapter connected to the Internal Perimeter Network.
  • Install and configure Remote Access as a single tenant VPN RAS Gateway for point-to-site VPN connections from remote computers.
  • Configure Remote Access as a RADIUS Client so that it can send connection requests to your NPS server for processing.
  • Enroll and validate the VPN server certificate from your certification authority (CA).

The NPS Server is installed on your internal network.

The NPS server is configured as a RADIUS server that receives connection requests from the VPN server. The NPS server processes the connection requests, performing authorization and authentication, and sends either an Access-Accept or Access-Reject message to the VPN Server.

The Active Directory Domain Services (AD DS) server is an on-premises Active Directory domain, which hosts on-premises user accounts.

During completion of the steps in this document, the following items will be configured on the domain controller.

  • Enable certificate autoenrollment in Group Policy for computers
    and users
  • Create the VPN Users Group
  • Create the VPN Servers Group
  • Create the NPS Servers Group

The Certification Authority (CA) Server is a certification authority that is running Active Directory Certificate Services. The VPN configuration requires an Active Directory–based public key infrastructure (PKI).

The CA enrolls certificates that are used for PEAP client–server authentication. The CA creates certificates based on certificate templates. During completion of the steps in this document, you will configure the following certificate templates on the CA.

  • The User Authentication certificate template
  • The VPN Server Authentication certificate template
  • The NPS Server Authentication certificate template

Both internal and external Domain Name System (DNS) zones are required; this deployment assumes that the internal zone is a delegated subdomain of the external zone.

In addition to the server components, the client computers that are configured to use the VPN run Windows 10 Anniversary Update (version 1803) or later.

The Windows 10 VPN client is highly configurable and offers many options. To better illustrate the specific features this scenario uses, Table 1 identifies the VPN feature categories and specific configurations that this document references. You will configure the individual settings for these features by using the VPNv2 configuration service provider (CSP) discussed later in this document.

Table 1. VPN Features and Configurations Discussed in This Document

  VPN feature       Deployment scenario configuration
  Connection type   Native IKEv2
  Routing           Force tunneling
  Name resolution   Domain Name Information List and DNS suffix
  Triggering        Always On and Trusted Network Detection
  Authentication    PEAP-TLS with TPM-protected user certificates

Note: PEAP-TLS and TPM are “Protected Extensible Authentication Protocol with Transport Layer Security” and “Trusted Platform Module,” respectively.
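The following is an added example, not from the original post, showing how each row of Table 1 maps to a VPNv2 CSP ProfileXML node and how that profile is pushed to a Windows 10 client through the MDM WMI bridge (run as SYSTEM). The server name, DNS suffix and DNS server addresses are assumed placeholders, and the PEAP-TLS EAP block must be exported from a template connection you configure first.

```powershell
# Added example: VPNv2 ProfileXML for the Table 1 scenario, applied via the
# MDM_VPNv2_01 WMI bridge class. Names and addresses are placeholders.
$ProfileName        = 'Contoso AlwaysOn VPN'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

# The EAP configuration (PEAP-TLS, NPS server names, trusted root CA) is
# environment-specific. Export it from a manually configured template connection:
#   (Get-VpnConnection -Name 'Template').EapConfigXmlStream.InnerXml
$EapConfig = 'PASTE_EXPORTED_EAPHOSTCONFIG_XML_HERE'
if ($EapConfig -notmatch '<EapHostConfig') { throw 'Export the EAP configuration first.' }

$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.com</Servers>                 <!-- public DNS name the client resolves (step 1) -->
    <NativeProtocolType>IKEv2</NativeProtocolType>     <!-- Connection type: Native IKEv2 -->
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType> <!-- Routing: Force tunneling -->
    <Authentication>
      <UserMethod>Eap</UserMethod>                     <!-- Authentication: PEAP-TLS user certificate -->
      <Eap><Configuration>$EapConfig</Configuration></Eap>
    </Authentication>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>                                              <!-- Triggering: Always On -->
  <TrustedNetworkDetection>corp.contoso.com</TrustedNetworkDetection>   <!-- Triggering: TND, stays down on-prem -->
  <DnsSuffix>corp.contoso.com</DnsSuffix>                                <!-- Name resolution: DNS suffix -->
  <DomainNameInformation>                                                <!-- Name resolution: NRPT rule -->
    <DomainName>.corp.contoso.com</DomainName>
    <DnsServers>10.0.0.10,10.0.0.11</DnsServers>
  </DomainNameInformation>
</VPNProfile>
"@

# The ProfileXML node stores the XML as an escaped string.
$ProfileXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_VPNv2_01'
$nodeCSPURI    = './Vendor/MSFT/VPNv2'

$session     = New-CimSession
$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
foreach ($p in @(
    @{ Name = 'ParentID';   Value = $nodeCSPURI;         Flag = 'Key' },
    @{ Name = 'InstanceID'; Value = $ProfileNameEscaped; Flag = 'Key' },
    @{ Name = 'ProfileXML'; Value = $ProfileXML;         Flag = 'Property' })) {
    $newInstance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flag))
}
$session.CreateInstance($namespaceName, $newInstance) | Out-Null

# Confirm the profile was created on the client.
Get-CimInstance -Namespace $namespaceName -ClassName $className | Select-Object InstanceID
```

If the profile is rejected, the usual cause is a malformed EAP block or a stray character introduced by the escaping step; check the Event Viewer under Applications and Services Logs for the RasClient and DeviceManagement logs.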

Firewalls are configured to allow the traffic that is necessary for both VPN and RADIUS communications to function correctly.

For more information, see Configure Firewalls for RADIUS Traffic.

The remote users that are allowed to connect to your network must have a user account in AD DS.

User accounts in Active Directory Users and Computers have dial-in properties that NPS evaluates during the authorization process – unless the Network Access Permission property of the user account is set to Control access through NPS Network Policy.

This is the default setting for all user accounts. In some cases, however, this setting might have a different configuration that blocks the user from connecting using VPN.
