Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab

Microsoft Corporation
Published: April 2003

Abstract

This white paper describes how to create and test Connection Manager profiles for connections that use dial-up over a modem, virtual private networking (VPN) with Point-to-Point Tunneling Protocol (PPTP), VPN with Layer Two Tunneling Protocol and Internet Protocol Security (L2TP/IPSec), and VPN with Extensible Authentication Protocol (EAP) in a test lab using five computers. This white paper offers only step-by-step procedures, not a conceptual overview. It is intended for enterprise-level administrators who have experience managing remote access connections, administering the Active Directory® directory service, and operating a test lab.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Contents 3
Introduction 1
Configuring the Initial Test Lab 2
  DC1 3
    Perform basic installation and configuration 3
    Configure the computer as a domain controller 3
    Install and configure DHCP 3
    Add computers to the domain 4
  IAS1 4
    Perform basic installation and configuration 4
    Install and configure Internet Authentication Service 4
  IIS1 5
    Perform basic installation and configuration 5
    Install and configure IIS 5
    Configure a shared folder 5
  VPN1 5
    Perform basic installation and configuration 6
    Configure Routing and Remote Access 6
    Configure DHCP Relay Agent 7
  CLIENT1 8
Configuring and Testing a Dial-Up Profile 9
  DC1 9
    Create a user account for dial-up connections 9
    Create a group for dial-up connections 9
  IAS1 9
    Create a remote access policy for dial-up connections 9
  IIS1 10
    Install Connection Point Services (CPS) 10
    Configure a user account and permissions for posting phone book data 11
  VPN1 14
    Install Connection Manager Administration Kit (CMAK) 14
    Install Phone Book Administrator 14
    Create a phone book 15
    Post the phone book 17
    Create the DialCorp profile with Connection Manager Administration Kit 18
    Prepare to distribute the DialCorp profile 24
    Add more POPs for testing phone book updates 24
  CLIENT1 24
    Install the DialCorp profile 24
    Connect to CorpNet using the DialCorp profile 25
    Test connectivity and automatic phone book updates 27
Configuring and Testing a PPTP Profile 29
  DC1 29
    Create a user account for VPN connections 29
    Create a group for VPN connections 29
    Update Group Policy 29
  IAS1 29
    Create a remote access policy for VPN connections 29
  IIS1 30
    Configure share permissions 30
  VPN1 30
    Create the PPTPCorp profile 30
    Prepare the PPTPCorp profile for distribution 36
  CLIENT1 36
    Connect to CorpNet and install the PPTPCorp profile 37
    Connect to CorpNet using the PPTPCorp profile 37
    Test connectivity and permissions 38
Configuring and Testing an L2TP/IPSec Profile 39
  DC1 39
    Install IIS 39
    Install Certificate Services and configure the certification authority 39
    Configure certificate templates 40
    Configure the certification authority to issue the new certificates 42
    Configure Active Directory for autoenrollment of certificates 42
    Create a user account 43
    Update Group Policy 43
  VPN1 43
    Update Group Policy 43
    Create the L2TPCorp profile 43
    Prepare the L2TPCorp profile for distribution 45
  IAS1 45
  CLIENT1 45
    Get a certificate 45
    Connect to CorpNet using the L2TPCorp profile 46
    Test connectivity 46
Configuring and Testing an EAP Profile 47
  DC1 47
    Configure a User certificate 47
    Configure the certification authority to issue the new certificate 47
    Configure Active Directory for autoenrollment of user certificates 47
    Configure group membership and update Group Policy 48
  IAS1 48
    Update Group Policy 48
    Edit the VPN remote access policy 48
  VPN1 48
    Update Group Policy 48
    Create the EAPCorp profile 49
    Prepare the EAPCorp profile for distribution 51
  CLIENT1 51
    Get a certificate 51
    Connect to CorpNet using the EAPCorp profile 52
    Test connectivity 52
Summary 54
Related Links 55

Introduction

This white paper provides detailed information about how you can use five
computers to create a test lab in which you can create and test Connection Manager profiles. These instructions also take you step-by-step through creating and installing Connection Manager profiles for dial-up remote access, VPN remote access with PPTP, VPN remote access with L2TP/IPSec, and VPN remote access with EAP-TLS authentication. As you complete this test lab, you will also test two methods of distributing profiles to client computers: from a floppy disk and over an intranet connection.

This white paper is intended for enterprise-level administrators who have experience managing remote access connections, administering Active Directory, and operating a test lab. It does not provide a conceptual overview of any of the technologies that you implement in the lab or of general test lab operations. For links to conceptual information, general deployment information, and product details, see Related Links at the end of this paper.

The instructions in this white paper are cumulative. To reproduce the test lab configurations detailed in this white paper, you must complete each section in the sequence in which it appears, and you must follow the steps in each section in sequence.

Note: The following instructions describe configuring a test lab to test the relevant scenarios. To clearly separate the services provided on the network and to show the desired functionality, you need a minimum of four servers. In addition, these test lab configurations reflect neither best practices nor a desired or recommended configuration for a production environment. For example, the test lab uses the same computer as a domain controller, a Domain Name System (DNS) server, and a Dynamic Host Configuration Protocol (DHCP) server. In a production environment, you should not run other services on a domain controller. These test lab configurations, including IP addresses and all other configuration parameters, are designed to work only on a test lab network.
Windows Server 2003 White Paper 1

Configuring the Initial Test Lab

To follow the steps in this white paper, you will need to configure five computers in a specific topology. Each computer in the lab has specific hardware and operating system requirements, which are specified in the subsections below. To set up this test lab, you will need the following hardware and software:
• Four computers that are capable of running members of the Windows Server 2003 family
  o One server must have two network adapters and a modem.
  o One server must have a floppy disk drive.
• One computer that is capable of running Microsoft Windows XP Professional and that has a modem and a floppy disk drive
• Two network hubs or Layer 2 switches
• One operating system disc for Windows Server 2003, Enterprise Edition
• Three operating system discs for Windows Server 2003, Standard Edition
• One operating system disc for Windows XP Professional

Figure 1 shows the network topology for this lab. As shown in Figure 1, one segment of the test lab network represents a corporate intranet, and another segment represents the Internet. Connect all computers on the intranet segment to a common hub or Layer 2 switch. Connect all computers on the Internet segment to a separate common hub or Layer 2 switch.

The following subsections describe how you will set up the basic infrastructure. To reconstruct this test lab, configure the computers in the order presented. Additional sections of this paper describe the specific configuration steps required for testing dial-up, PPTP, L2TP/IPSec, and EAP-TLS connections.

DC1

As part of setting up the basic infrastructure for the test lab, configure DC1 as the domain controller, the DNS server, and the DHCP server for a domain that is named example.com.

Perform basic installation and configuration
1. Install Windows Server 2003, Enterprise Edition, and configure the computer as a stand-alone server named DC1.
2.
Configure the connection to the intranet segment with the IP address of 172.16.0.1 and the subnet mask of 255.255.255.0.

Configure the computer as a domain controller
1. Click Start, click Run, type dcpromo.exe, and click OK to start the Active Directory Installation Wizard.
2. Follow the instructions in the wizard to create a domain named example.com in a new forest. Install the DNS service when prompted to do so.
3. Raise the functional level of the example.com domain to a native Windows Server 2003 domain.

Install and configure DHCP
1. Install DHCP as a subcomponent of the Networking Services component.
2. Click Start, point to Administrative Tools, and click DHCP.
3. In the console tree, click dc1.example.com. On the Action menu, click Authorize to authorize the DHCP service.
4. In the console tree, right-click dc1.example.com, and then click New Scope.
5. On the Welcome page of the New Scope Wizard, click Next.
6. On the Scope Name page, type CorpNet in Name, and click Next.
7. On the IP Address Range page, type 172.16.0.10 in Start IP address, type 172.16.0.100 in End IP address, type 24 in Length, and click Next.
8. On the Add Exclusions page, click Next.
9. On the Lease Duration page, click Next.
10. On the Configure DHCP Options page, click Yes, I want to configure these options now, and click Next.
11. On the Router (Default Gateway) page, click Next.
12. On the Domain Name and DNS Servers page, type example.com in Parent domain. Type 172.16.0.1 in IP address, click Add, and click Next.
13. On the WINS Servers page, click Next.
14. On the Activate Scope page, click Yes, I want to activate this scope now, and click Next.
15. On the Completing the New Scope Wizard page, click Finish.

Add computers to the domain
1. Open Active Directory Users and Computers.
2. In the console tree, double-click example.com.
3. Right-click Users, point to New, and then click Computer.
4.
In the New Object – Computer dialog box, type IAS1 in Computer name, and click Next.
5. In the Managed dialog box, click Next.
6. In the New Object – Computer dialog box, click Finish.
7. Follow steps 3-6 to create additional computer accounts for IIS1 and VPN1.

IAS1

As part of setting up the basic infrastructure for the test lab, configure IAS1 as the RADIUS server that provides authentication, authorization, and accounting for VPN1.

Perform basic installation and configuration
1. Install Windows Server 2003, Standard Edition, and configure the computer as a member server named IAS1 in the example.com domain.
2. Configure the connection to the intranet segment with the IP address of 172.16.0.2, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.

Install and configure Internet Authentication Service
1. Install Internet Authentication Service as a subcomponent of the Networking Services component.
2. Click Start, point to Administrative Tools, and click Internet Authentication Service.
3. Right-click Internet Authentication Service, and then click Register Server in Active Directory. When the Register Internet Authentication Server in Active Directory dialog box appears, click OK. When the Server registered dialog box appears, click OK.
4. In the console tree, right-click RADIUS Clients, and then click New RADIUS Client.
5. On the Name and Address page of the New RADIUS Client wizard, type VPN1 in Friendly name, type 172.16.0.4 in Client address (IP or DNS), and then click Next.
6. On the Additional Information page, type the shared secret for VPN1 in both Shared secret and Confirm shared secret. The same shared secret must later be entered on VPN1.
7. Click Finish.

IIS1

As part of setting up the basic infrastructure for the test lab, configure IIS1 as a Web server and a file server for the example.com domain.

Perform basic installation and configuration
1.
Install Windows Server 2003, Standard Edition, and configure the computer as a member server named IIS1 in the example.com domain.
2. Configure the connection to the intranet segment with the IP address of 172.16.0.3, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.

Install and configure IIS
1. Install Internet Information Services (IIS) as a subcomponent of the Application Server component.
2. Create a file in Notepad that contains the text shown in the following figure.
3. Save the file as C:\inetpub\wwwroot\test.html, where C is the drive on which the operating system is installed.
4. Start Internet Explorer on IAS1. If the Internet Connection Wizard prompts you, configure Internet access through a LAN connection. In Internet Explorer, type http://IIS1.example.com/test.html in Address. You should see the text that you specified in the body of your text file: This is test text.

Configure a shared folder
1. On IIS1, use Windows Explorer to share the root folder of the drive on which you installed the operating system. Name the share ROOT, and retain the default permissions.
2. To determine whether file sharing is working correctly, on IAS1, click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the files in the root folder on IIS1.

VPN1

As part of setting up the basic infrastructure for the test lab, configure VPN1 as a remote access server. VPN1 must have two network adapters and a modem.

Perform basic installation and configuration
1. Install Windows Server 2003, Standard Edition, and configure the computer as a member server named VPN1 in the example.com domain.
2. Rename the connection to the intranet segment as CorpNet, and rename the connection to the Internet segment as Internet.
3. Configure the CorpNet connection with the IP address of 172.16.0.4, the subnet mask of 255.255.255.0, and the DNS server IP address of [...]

Configure Routing and Remote Access
[...] Servers page, click Yes, set up this server to work with a RADIUS server, and click Next.
On the RADIUS Server Selection page, type 172.16.0.2 in Primary RADIUS server, type the shared secret in Shared secret, and click Next.
On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.
When a message about configuring the DHCP Relay Agent appears, click OK.
[...]

Configure DHCP Relay Agent
1. In the console tree, double-click VPN1, double-click IP Routing, and right-click DHCP Relay Agent, as shown in the following figure.
2. Click Properties.
3. In the DHCP Relay Agent Properties dialog box, type 172.16.0.1 in Server address, and click Add. The server address will be added to the list, as shown in the following figure. Click OK.
[...]

CLIENT1

[...] CLIENT1 must have a modem.
1. Install Windows XP Professional, and configure the computer as a standalone computer named CLIENT1.
2. Configure the connection to the Internet segment with the IP address of 10.0.0.1 and the subnet mask of 255.255.255.0.
3. If Windows does not configure the modem automatically, start the Add Hardware wizard, and configure the modem.

Configuring and [...]

[...] Finish.

IIS1

To configure the test lab for dial-up access, configure IIS1 as a phone book server.

Install Connection Point Services (CPS)
1. Click Start, point to Control Panel, and click Add or Remove Programs.
2. Click Add/Remove Windows Components, click Management and Monitoring Tools, and click Details.
3. Select the Connection Point Services check box (as shown in the [...]

[...] appears when you clear the check box, click Yes. Click OK.
9. In the console tree, double-click Default FTP Site, right-click PBSData, and then click Properties.
10. On the Virtual Directory tab, select the Write check box (as shown in the figure below).
11. Click OK for the server to register the changes.

VPN1

To configure the test lab for [...]

[...] shown in the following figure), and install CMAK.

Install Phone Book Administrator
1. Open Windows Explorer, and browse the installation disc for Windows Server 2003, Standard Edition.
2. Install PBA from the valueadd\msft\mgmt\pba folder by double-clicking pbainst.exe, as shown in the following figure.
3. Click Yes.
4. When installation finishes, click OK.

Create a phone book
[...] the Settings tab. In Dial-Up Networking entry, type Dial-up to CorpNet (as shown in the following figure), and then click OK.

Post the phone book
1. On the Tools menu, click Options.
2. In the Options - DialCorp dialog box, type IIS1.example.com in Server address, Post in User name, and the password for the Post account in Password, as shown in the following figure. Click [...]

Create the DialCorp profile with Connection Manager Administration Kit
[...] in the following figure. Click Next.
9. On the Phone Book Updates page, type iis1.example.com in Connection Point Services server (as shown in the following figure), and then click Next.
10. On the Dial-up Networking Entries page (shown in the following figure), click Edit. In the Edit Dial-up Networking Entry dialog box, click the Security tab. In Security settings, click [...]

27. Click Apply, and then click Next. A command prompt window will open and close as the profile is created.
28. When the Completing the Connection Manager Administration Kit Wizard page appears (as shown in the following figure), click Finish.

Prepare to distribute the DialCorp profile
In Windows Explorer, open Program [...]
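The DC1 DHCP configuration from the "Install and configure DHCP" procedure above, as an added example that is not part of the white paper: the same scope, options and authorization expressed as netsh dhcp commands in a batch file instead of DHCP console steps. The netsh dhcp context ships with Windows Server 2003, but the exact command forms used here are written from memory and are an assumption to verify against netsh dhcp help before use.

```batch
@echo off
rem Added example, not from the white paper: reproduce the DC1 DHCP
rem configuration (scope CorpNet, range .10-.100, DNS options, activation)
rem with the netsh dhcp context. Run on DC1 (172.16.0.1) as a member of
rem Enterprise Admins, which authorizing the server in Active Directory
rem requires. Command syntax is an assumption: check "netsh dhcp help".

setlocal
set SRV=172.16.0.1
set SCOPE=172.16.0.0
set MASK=255.255.255.0

rem Step 3: authorize the DHCP service in Active Directory. A Windows
rem Server 2003 DHCP server that is a domain member does not serve clients
rem until it is authorized, which keeps an unapproved server on the
rem intranet segment from handing out leases.
netsh dhcp add server dc1.example.com %SRV%

rem Steps 4-7: create the CorpNet scope and its address range. The range
rem starts at .10, so the static addresses of DC1 (.1), IAS1 (.2),
rem IIS1 (.3) and VPN1 (.4) used in this lab are never leased out.
netsh dhcp server %SRV% add scope %SCOPE% %MASK% CorpNet "Test lab intranet"
netsh dhcp server %SRV% scope %SCOPE% add iprange 172.16.0.10 172.16.0.100

rem Step 12: option 015 (DNS domain name = Parent domain in the wizard)
rem and option 006 (DNS servers), both pointing clients at DC1.
netsh dhcp server %SRV% scope %SCOPE% set optionvalue 015 STRING example.com
netsh dhcp server %SRV% scope %SCOPE% set optionvalue 006 IPADDRESS %SRV%

rem Step 14: activate the scope (state 1 = active).
netsh dhcp server %SRV% scope %SCOPE% set state 1

rem Check: the authorized server, the scope, its range and both options
rem should be listed. A missing scope or an inactive state means DHCP
rem relay from VPN1 (configured later) will get no leases for clients.
netsh dhcp show server
netsh dhcp server %SRV% show scope
netsh dhcp server %SRV% scope %SCOPE% show iprange
netsh dhcp server %SRV% scope %SCOPE% show optionvalue
endlocal
```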