
Always On VPN – Configure the Server Infrastructure – Create Security Groups

Harmik Batth Tech's Blog

In this step you create a new Active Directory group that contains the users allowed to use the VPN to connect to your network. This group serves two purposes:

  • It defines which users are allowed to autoenroll for the user certificates the VPN requires.
  • It defines which users the Network Policy Server (NPS) authorizes for VPN access.

By using a custom group, revoking a user's VPN access is a matter of removing that user from the group: the user no longer passes the NPS authorization check and no longer autoenrolls a new VPN certificate. Note that a certificate the user already holds stays valid until it expires or you revoke it on the CA; NPS, not the certificate, is what stops the connection.

You will also add a group containing VPN servers and another group containing NPS servers. You use these groups to restrict certificate requests to their members.

To configure the VPN Users group

  1. On a domain controller, open Active Directory Users and Computers.
  2. Right-click a container or organizational unit (OU), click New, and click Group.
  3. In Group name, type VPN Users, and click OK.
  4. Right-click VPN Users, and click Properties.
  5. On the Members tab of the VPN Users Properties dialog box, click Add.
  6. On the Select Users dialog box, add all the users who need VPN access and click OK.
  7. Close Active Directory Users and Computers.

To configure the VPN Servers and NPS Servers groups

  1. On a domain controller, open Active Directory Users and Computers.
  2. Right-click a container or organizational unit (OU), click New, and click Group.
  3. In Group name, type VPN Servers, and click OK.
  4. Right-click VPN Servers, and click Properties.
  5. On the Members tab of the VPN Servers Properties dialog box, click Add.
  6. Click Object Types, select the Computers check box, and click OK.
  7. In Enter the object names to select, type the names of your VPN servers, and click OK.
  8. Click OK to close the VPN Servers Properties dialog box.
  9. Repeat the previous steps for the NPS Servers group.
  10. Close Active Directory Users and Computers.
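The two procedures above, done from PowerShell instead of the Active Directory Users and Computers console. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed, that an OU named OU=VPN,DC=corp,DC=example already exists (hypothetical), and that the user and computer names are placeholders for your own.

```powershell
# Added example (not from the original post): creates the three groups from this
# section and populates them. Assumptions: RSAT ActiveDirectory module, a
# pre-created OU "OU=VPN,DC=corp,DC=example" (hypothetical), and placeholder
# user/computer names.
Import-Module ActiveDirectory

$ou = 'OU=VPN,DC=corp,DC=example'                       # assumption: pre-created OU

# Name -> description. Global security groups: every member lives in this domain.
$groups = [ordered]@{
    'VPN Users'   = 'Users who may autoenroll VPN user certificates and whom NPS authorizes for VPN'
    'VPN Servers' = 'RRAS servers allowed to enroll the VPN Server Authentication template'
    'NPS Servers' = 'NPS servers allowed to autoenroll the NPS Server Authentication template'
}

foreach ($name in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $ou)) {
        New-ADGroup -Name $name -GroupCategory Security -GroupScope Global `
                    -Path $ou -Description $groups[$name]
    }
}

# Users go in by sAMAccountName; computers by their AD computer object.
Add-ADGroupMember -Identity 'VPN Users'   -Members 'alice', 'bob'            # placeholders
Add-ADGroupMember -Identity 'VPN Servers' -Members (Get-ADComputer 'VPN01')  # placeholder
Add-ADGroupMember -Identity 'NPS Servers' -Members (Get-ADComputer 'NPS01')  # placeholder

# Sanity check: the user group must contain only users and the server groups only
# computers, otherwise the template ACLs built on them grant Enroll to the wrong
# class of principal.
function Test-GroupMemberClass {
    param([string]$Group, [string]$ExpectedClass)
    $wrong = Get-ADGroupMember -Identity $Group -Recursive |
             Where-Object { $_.objectClass -ne $ExpectedClass }
    if ($wrong) {
        Write-Warning "$Group contains non-$ExpectedClass members: $($wrong.Name -join ', ')"
    }
    return (-not $wrong)
}
Test-GroupMemberClass 'VPN Users'   'user'
Test-GroupMemberClass 'VPN Servers' 'computer'
Test-GroupMemberClass 'NPS Servers' 'computer'

# Revoking VPN access later is a membership change, not a template or NPS change:
# Remove-ADGroupMember -Identity 'VPN Users' -Members 'bob' -Confirm:$false
```

Group SIDs are placed in a Kerberos ticket at logon, so a server added to VPN Servers or NPS Servers does not present the new group until it is rebooted (or its computer-account tickets are purged with `klist -li 0x3e7 purge`); enroll only after that, or the CA will refuse the request with an access-denied error even though the ACL looks right. The same applies to users: log off and on before expecting autoenrollment to pick up the new membership.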

This section configures a custom user authentication template for VPN clients.

You duplicate the built-in User template rather than use it as-is so that you can raise its compatibility level, which unlocks the Key Storage Provider options on the Cryptography tab, and require the Microsoft Platform Crypto Provider. That provider generates and holds the certificate's private key in the client's Trusted Platform Module (TPM), so the key cannot be exported or copied off the device. Two consequences to plan for: a client whose TPM is absent or not ready cannot enroll against this template at all, and because the key is bound to one TPM, a user must enroll separately on every device they use.

To configure the User Authentication template

  1. On the CA, open Certification Authority.
  2. In the navigation pane, right-click Certificate Templates, and click Manage.
  3. In the Certificate Templates console, right-click User, and click Duplicate Template.
  4. On the Properties of New Template dialog box, on the General tab, complete the following steps:
    1. In Template display name, type VPN User Authentication.
    2. Clear the Publish certificate in Active Directory check box.
  5. On the Security tab, complete the following steps:
    1. Click Add.
    2. On the Select Users, Computers, Service Accounts, or Groups dialog box, type VPN Users, and click OK.
    3. In Group or user names, click VPN Users.
    4. In Permissions for VPN Users, select the Enroll and Autoenroll check boxes in the Allow column.
    5. In Group or user names, click Domain Users, and click Remove.
  6. On the Compatibility tab, complete the following steps:
    1. In Certification Authority, click Windows Server 2012 R2.
    2. On the Resulting changes dialog box, click OK.
    3. In Certificate recipient, click Windows 8.1/Windows Server 2012 R2.
    4. On the Resulting changes dialog box, click OK.
  7. On the Request Handling tab, clear the Allow private key to be exported check box.
  8. On the Cryptography tab, complete the following steps:
    1. In Provider Category, click Key Storage Provider.
    2. Click Requests must use one of the following providers.
    3. Select the Microsoft Platform Crypto Provider check box.
  9. On the Subject Name tab, if not every user account has an e-mail address, clear the Include e-mail name in subject name and E-mail name check boxes. Autoenrollment fails for any user whose account lacks an attribute that a required subject-name component is built from.
  10. Click OK to save the VPN User Authentication certificate template.
  11. In the Certification Authority console, right-click Certificate Templates, click New, and click Certificate Template to Issue.
  12. Click VPN User Authentication, and click OK.
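Once a client has enrolled against this template (covered in the next post), the settings above should be visible on the issued certificate: the private key lives in the Microsoft Platform Crypto Provider and its export policy is none. The following check is an added example, not part of the original post; it assumes Windows 8.1 or later with Windows PowerShell 5.1 (.NET Framework 4.6+) and the template display name used above, and it changes nothing.

```powershell
# Added example (not from the original post): on an enrolled client, confirms the
# "VPN User Authentication" certificate's private key is held by the Microsoft
# Platform Crypto Provider (TPM) and is non-exportable. Assumes Windows 8.1+ and
# Windows PowerShell 5.1 (.NET Framework 4.6+). Read-only.

function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2+ templates).
    # Format() renders it as "Template=<display name>(<oid>), Major Version ...".
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if ($ext -and $ext.Format($false) -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
    return $null
}

function Test-TpmBackedVpnCert {
    param([string]$TemplateName = 'VPN User Authentication')

    # A TPM that is present but not ready is the usual reason enrollment against
    # this template fails on a client. Get-Tpm needs an elevated session.
    try {
        $tpm = Get-Tpm
        if (-not $tpm.TpmReady) { Write-Warning "TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady)" }
    } catch { Write-Warning 'Get-Tpm unavailable (not elevated?); cannot confirm TPM state' }

    $found = $false
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        if ((Get-CertTemplateName $cert) -ne $TemplateName) { continue }
        $found = $true
        if (-not $cert.HasPrivateKey) { Write-Warning "$($cert.Thumbprint): no private key"; continue }

        # GetRSAPrivateKey returns RSACng for KSP-held keys and RSACryptoServiceProvider
        # for legacy CSP keys; only a CNG key exposes its provider and export policy.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
            Write-Warning "$($cert.Thumbprint): key is in a legacy CSP, not a Key Storage Provider"; continue
        }
        $key = $rsa.Key
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Provider   = $key.Provider.Provider
            TpmBacked  = ($key.Provider.Provider -eq 'Microsoft Platform Crypto Provider')
            Exportable = ($key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
            NotAfter   = $cert.NotAfter
        }
    }
    if (-not $found) { Write-Warning "no certificate from template '$TemplateName' in CurrentUser\My" }
}

Test-TpmBackedVpnCert
```

A correctly enrolled certificate reports TpmBacked True and Exportable False. A certificate that shows the Microsoft Software Key Storage Provider instead means the template was published before the Cryptography tab change, or the client enrolled against an older template version; re-enroll after confirming the template.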

In this step you configure a new Server Authentication template for your VPN server.

Adding the IP security IKE intermediate application policy lets RRAS pick the right certificate when the server's store holds more than one certificate with the Server Authentication extended key usage: IKEv2 prefers a certificate that also carries IKE intermediate.

Important

VPN clients reach this server from the public Internet, so the certificate's subject and subject alternative name must carry the public DNS name that clients connect to, not the server's internal Active Directory name. Autoenrollment can only build names from Active Directory, so you cannot autoenroll this certificate on VPN servers; the template is set to Supply in the request and you request the certificate manually. Because any principal that can enroll this template can therefore ask for a certificate with any name, and the template inherits the Client Authentication extended key usage from RAS and IAS Server, keep Enroll limited to the VPN Servers group as in the steps that follow, and consider requiring CA certificate manager approval on the Issuance Requirements tab so each request is reviewed before it is issued.

To configure the VPN Server Authentication template

  1. On the CA, open Certification Authority.
  2. In the navigation pane, right-click Certificate Templates, and click Manage.
  3. In the Certificate Templates console, right-click RAS and IAS Server, and click Duplicate Template.
  4. On the Properties of New Template dialog box, on the General tab, in Template display name, type VPN Server Authentication.
  5. On the Extensions tab, complete the following steps:
    1. Click Application Policies, and click Edit.
    2. On the Edit Application Policies Extension dialog box, click Add.
    3. On the Add Application Policy dialog box, click IP security IKE intermediate, and click OK.
    4. Click OK to return to the Properties of New Template dialog box.
  6. On the Security tab, complete the following steps:
    1. Click Add.
    2. On the Select Users, Computers, Service Accounts, or Groups dialog box, type VPN Servers, and click OK.
    3. In Group or user names, click VPN Servers.
    4. In Permissions for VPN Servers, select the Enroll checkbox in the Allow column.
    5. In Group or user names, click RAS and IAS Servers, and click Remove.
  7. On the Subject Name tab, complete the following steps:
    1. Click Supply in the request.
    2. On the Certificate Templates warning dialog box, click OK.
  8. Click OK to save the VPN Server Authentication certificate template.
  9. In the Certification Authority console, right-click Certificate Templates, click New, and click Certificate Template to Issue.
  10. Click VPN Server Authentication, and click OK.

The third and last certificate template to create is the NPS Server Authentication template. It is a straightforward copy of the RAS and IAS Server template, secured to the NPS Servers group that you created earlier in this section.

You configure this certificate for autoenrollment: NPS servers are reached by their internal Active Directory names, so the subject can be built from the directory.

To configure the NPS Server Authentication template

  1. On the CA, open Certification Authority.
  2. In the navigation pane, right-click Certificate Templates, and click Manage.
  3. In the Certificate Templates console, right-click RAS and IAS Server, and click Duplicate Template.
  4. On the Properties of New Template dialog box, on the General tab, in Template display name, type NPS Server Authentication.
  5. On the Security tab, complete the following steps:
    1. Click Add.
    2. On the Select Users, Computers, Service Accounts, or Groups dialog box, type NPS Servers, and click OK.
    3. In Group or user names, click NPS Servers.
    4. In Permissions for NPS Servers, select the Enroll and Autoenroll check boxes in the Allow column.
    5. In Group or user names, click RAS and IAS Servers, and click Remove.
  6. Click OK to save the NPS Server Authentication certificate template.
  7. In the Certification Authority console, right-click Certificate Templates, click New, and click Certificate Template to Issue.
  8. Click NPS Server Authentication, and click OK.
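All three templates created in this post (VPN User Authentication, VPN Server Authentication and NPS Server Authentication) are stored as objects in the Active Directory configuration partition, which is what the Certificate Templates console edits, so the permissions, flags and extensions set above can be audited from any domain-joined machine. The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module, read access to the configuration partition, and the template and group names used in this post. The flag bits and right GUIDs are the documented values from MS-CRTD and MS-ADTS.

```powershell
# Added example (not from the original post): audits the three templates created in
# this post by reading them from the AD configuration partition. Assumptions: RSAT
# ActiveDirectory module, read access to the configuration partition, and the
# template/group names used in the post. Flag and GUID values from MS-CRTD / MS-ADTS.
Import-Module ActiveDirectory

$cfg          = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
$caBase       = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg"

$EnrollGuid       = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment right
$AutoenrollGuid   = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment right
$FLAG_EXPORTABLE  = 0x10     # msPKI-Private-Key-Flag: CT_FLAG_EXPORTABLE_KEY
$FLAG_SUPPLY_SUBJ = 0x1      # msPKI-Certificate-Name-Flag: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$OID_SERVER_AUTH  = '1.3.6.1.5.5.7.3.1'
$OID_CLIENT_AUTH  = '1.3.6.1.5.5.7.3.2'
$OID_IKE_INTERMED = '1.3.6.1.5.5.8.2.2'

# Templates a CA will actually issue (values are template CNs, not display names).
$published = (Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                           -Properties certificateTemplates).certificateTemplates

# Map "DOMAIN\name" -> rights granted by Allow ACEs. An ExtendedRight ACE with an
# empty ObjectType grants every extended right, Enroll and Autoenroll included.
function Get-TemplateRights {
    param($Template)
    $rights = @{}
    foreach ($ace in $Template.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        $id = $ace.IdentityReference.Value
        if (-not $rights.ContainsKey($id)) { $rights[$id] = @() }
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $EnrollGuid)     { $rights[$id] += 'Enroll' }
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $AutoenrollGuid) { $rights[$id] += 'Autoenroll' }
    }
    return $rights
}

function Test-VpnTemplate {
    param(
        [string]$DisplayName, [string]$EnrollGroup, [bool]$Autoenroll,
        [string[]]$MustNotEnroll, [string[]]$RequiredEku, [bool]$SupplyInRequest,
        [string]$RequiredProvider, [bool]$NoExport
    )
    $t = Get-ADObject -SearchBase $templateBase -LDAPFilter "(displayName=$DisplayName)" `
         -Properties displayName, pKIDefaultCSPs, pKIExtendedKeyUsage, nTSecurityDescriptor, `
                     'msPKI-Private-Key-Flag', 'msPKI-Certificate-Name-Flag', 'msPKI-Certificate-Application-Policy'
    if (-not $t) { return [pscustomobject]@{ Template = $DisplayName; Findings = @('template not found') } }
    $f = @()

    $rights = Get-TemplateRights $t
    $g = $rights.Keys | Where-Object { $_ -like "*\$EnrollGroup" } | Select-Object -First 1
    if (-not $g -or $rights[$g] -notcontains 'Enroll')                        { $f += "$EnrollGroup lacks Enroll" }
    if ($Autoenroll -and (-not $g -or $rights[$g] -notcontains 'Autoenroll')) { $f += "$EnrollGroup lacks Autoenroll" }
    foreach ($bad in $MustNotEnroll) {
        $rights.Keys | Where-Object { $_ -like "*\$bad" -and $rights[$_] -contains 'Enroll' } |
            ForEach-Object { $f += "$_ can still enroll (remove it)" }
    }
    # For v2+ templates both attributes carry the EKU list; check their union.
    $eku = @($t.pKIExtendedKeyUsage) + @($t.'msPKI-Certificate-Application-Policy')
    foreach ($o in $RequiredEku) { if ($eku -notcontains $o) { $f += "missing EKU $o" } }

    $supplies = ($t.'msPKI-Certificate-Name-Flag' -band $FLAG_SUPPLY_SUBJ) -ne 0
    if ($supplies -ne $SupplyInRequest) { $f += "Supply in the request is $supplies, expected $SupplyInRequest" }
    if ($NoExport -and (($t.'msPKI-Private-Key-Flag' -band $FLAG_EXPORTABLE) -ne 0)) { $f += 'private key is exportable' }
    if ($RequiredProvider) {
        # pKIDefaultCSPs values look like "1,Microsoft Platform Crypto Provider".
        $providers = @($t.pKIDefaultCSPs) | ForEach-Object { ($_ -split ',', 2)[1] }
        if ($providers -notcontains $RequiredProvider) { $f += "providers [$($providers -join '; ')] do not include $RequiredProvider" }
    }
    if ($published -notcontains $t.Name) { $f += 'not published on any CA (Certificate Template to Issue)' }
    [pscustomobject]@{ Template = $DisplayName; Findings = $f }
}

# One row per template; an empty Findings list means the template matches the post.
$checks = @(
  @{ DisplayName='VPN User Authentication';   EnrollGroup='VPN Users';   Autoenroll=$true;  MustNotEnroll=@('Domain Users')
     RequiredEku=@($OID_CLIENT_AUTH);                    SupplyInRequest=$false; RequiredProvider='Microsoft Platform Crypto Provider'; NoExport=$true }
  @{ DisplayName='VPN Server Authentication'; EnrollGroup='VPN Servers'; Autoenroll=$false; MustNotEnroll=@('RAS and IAS Servers')
     RequiredEku=@($OID_SERVER_AUTH, $OID_IKE_INTERMED); SupplyInRequest=$true;  RequiredProvider='';  NoExport=$false }
  @{ DisplayName='NPS Server Authentication'; EnrollGroup='NPS Servers'; Autoenroll=$true;  MustNotEnroll=@('RAS and IAS Servers')
     RequiredEku=@($OID_SERVER_AUTH);                    SupplyInRequest=$false; RequiredProvider='';  NoExport=$false }
)
foreach ($c in $checks) { Test-VpnTemplate @c }
```

The checks mirror the steps in this post one for one: the Enroll/Autoenroll ACEs for the custom groups and the removal of Domain Users and RAS and IAS Servers, the IKE intermediate EKU on the VPN server template, Supply in the request set only on that template, the non-exportable TPM-backed key on the user template, and whether each template has actually been published with Certificate Template to Issue. Run it again after any template edit; a residual Enroll for Domain Users on the user template, or Supply in the request left enabled on a template that other principals can enroll, is exactly the kind of drift that turns a VPN PKI into a general-purpose certificate minting service.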
