
Deploying Virtual Private Networks with Microsoft Windows Server 2003 (part 9)


Document information: 45 pages, 558.9 KB

Contents

340 | PART IV Appendixes

• A computer running Windows Server 2003, Standard Edition, named IIS1 that is acting as a Web and file server.
• A computer running Windows XP Professional named CLIENT1 that is acting as a VPN client.

Figure D-1 shows the configuration of the VPN test lab.

[Figure D-1. Configuration of the VPN test lab. Intranet network segment (one hub): DC1 at 172.16.0.1, IAS1 at 172.16.0.2, IIS1, and VPN1 at 172.16.0.4. Internet network segment (a second hub): VPN1 at 10.0.0.2 and CLIENT1 at 10.0.0.1.]

There is a network segment representing a corporate intranet and a network segment representing the Internet. All computers on the corporate intranet are connected to a common hub or Layer 2 switch. All computers on the Internet are connected to a separate common hub or Layer 2 switch. Private addresses are used throughout the test lab configuration. The private network of 172.16.0.0/24 is used for the intranet. The private network of 10.0.0.0/24 is used for the simulated Internet.

IIS1 obtains its IP address configuration using DHCP. CLIENT1 uses DHCP for its IP address configuration; however, it is also configured with an alternate IP configuration so that it can be placed on either the intranet network segment or the simulated Internet. All other computers have a manual IP address configuration. There are no Windows Internet Name Service (WINS) servers present.

Appendix D Setting Up Remote Access VPN Connections in a Test Lab | 341

The following sections describe the configuration required for each computer in the test lab to set up the basic infrastructure and to do a PPTP-based remote access connection. PPTP is typically used when there is no public key infrastructure (PKI) to issue the computer certificates that are required for L2TP/IPSec connections. Keep in mind that a PPTP connection authenticated with MS-CHAP v2 is only as strong as the user's password: the MPPE session keys are derived from it, and a captured MS-CHAP v2 exchange can be attacked offline, so outside an isolated test lab prefer L2TP/IPSec or EAP-TLS. To reconstruct this test lab, configure the computers in the order presented. Later sections of this appendix describe L2TP/IPSec and EAP-TLS-based remote access connections.

DC1

DC1 is a computer running Windows Server 2003, Enterprise Edition, that is providing the following services:
• A domain controller for the example.com Active Directory directory service domain
• A DNS server for the example.com DNS domain
• A DHCP server for the intranet network segment
• The enterprise root certification authority (CA) for the example.com domain

Note Windows Server 2003, Enterprise Edition, is used so that auto-enrollment of user certificates for EAP-TLS authentication can be configured. This is described in the "EAP-TLS-Based Remote Access VPN Connections" section of this appendix.

To configure DC1 for these services, perform the following steps.
1. Install Windows Server 2003, Enterprise Edition, as a standalone server.
2. Configure the TCP/IP protocol with the IP address of 172.16.0.1 and the subnet mask of 255.255.255.0.
3. Run the Active Directory Installation Wizard (dcpromo.exe) for a new domain named example.com in a new forest. Install the DNS service when prompted.
4. Using the Active Directory Users And Computers snap-in, right-click the example.com domain and then click Raise Domain Functional Level.
5. Select Windows Server 2003, and then click Raise.
6. Install Dynamic Host Configuration Protocol (DHCP) as a Networking Services component by using Control Panel>Add Or Remove Programs>Add/Remove Windows Components.
7. Open the DHCP snap-in from the Administrative Tools folder.
8. Select the DHCP server, click Action, and then click Authorize to authorize the DHCP service.
9. In the console tree, right-click dc1.example.com and then click New Scope.
10. On the Welcome page of the New Scope Wizard, click Next.
11. On the Scope Name page, type CorpNet in the Name text box.
12. Click Next. On the IP Address Range page, type 172.16.0.10 in Start IP Address, 172.16.0.100 in End IP Address, and 24 in Length. This is shown in the following figure. (The statically addressed servers, 172.16.0.1 through 172.16.0.4, lie outside this range, so no exclusions are needed.)
13. Click Next. On the Add Exclusions page, click Next.
14. On the Lease Duration page, click Next.
15. On the Configure DHCP Options page, click Yes, I Want To Configure These Options Now.
16. Click Next. On the Router (Default Gateway) page, click Next.
17. On the Domain Name And DNS Servers page, type example.com in the Parent Domain text box. Type 172.16.0.1 in IP Address, and then click Add. This is shown in the following figure.
18. Click Next. On the WINS Servers page, click Next.
19. On the Activate Scope page, click Yes, I Want To Activate This Scope Now.
20. Click Next. On the Completing The New Scope Wizard page, click Finish.
21. Install the Certificate Services component as an enterprise root CA with the name Example CA by using Control Panel>Add Or Remove Programs>Add/Remove Windows Components.
22. Open the Active Directory Users And Computers snap-in.
23. In the console tree, open example.com.
24. Right-click Users, click New, and then click Computer.
25. In the New Object – Computer dialog box, type IAS1 in the Computer Name text box.
26. Click Next. In the Managed dialog box, click Next. In the New Object – Computer dialog box, click Finish.
27. Use steps 24 through 26 to create additional computer accounts with the following names: IIS1, VPN1, and CLIENT1.
28. In the console tree, right-click Users, click New, and then click User.
29. In the New Object – User dialog box, type VPNUser1 in the First Name text box and type VPNUser1 in the User Logon Name text box.
30. Click Next.
31. In the New Object – User dialog box, type a password of your choice in the Password and Confirm Password text boxes. Clear the User Must Change Password At Next Logon check box, and select the Password Never Expires check box (a test-lab convenience only). This is shown in the following figure.
32. In the New Object – User dialog box, click Next, and then click Finish.
33. In the console tree, right-click Users, click New, and then click Group.
34. In the New Object – Group dialog box, type VPNUsers in the Group Name text box and then click OK. This is shown in the following figure.
35. In the details pane, double-click VPNUsers.
36. Click the Members tab, and then click Add.
37. In the Select Users, Contacts, Computers, Or Groups dialog box, type vpnuser1 in the Enter The Object Names To Select text box.
38. Click OK. The VPNUser1 user account is added to the VPNUsers group.
39. Click OK to save changes to the VPNUsers group.

IAS1

IAS1 is a computer running Windows Server 2003, Standard Edition, that is providing RADIUS authentication, authorization, and accounting for VPN1. To configure IAS1 as a RADIUS server, perform the following steps:
1. Install Windows Server 2003, Standard Edition, as a member server named IAS1 in the example.com domain.
2. For the intranet local area connection, configure the TCP/IP protocol with the IP address of 172.16.0.2, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
3. Install Internet Authentication Service (IAS) as a Networking Services component in Control Panel>Add Or Remove Programs>Add/Remove Windows Components.
4. Open the Internet Authentication Service snap-in from the Administrative Tools folder.
5. Right-click Internet Authentication Service, and then click Register Server In Active Directory. When the Register Internet Authentication Server In Active Directory dialog box appears, click OK. (Registration adds IAS1 to the RAS and IAS Servers group, which is what lets it read the dial-in properties of user accounts.)
6. In the console tree, right-click RADIUS Clients and then click New RADIUS Client.
7. On the Name And Address page of the New RADIUS Client Wizard, for Friendly Name, type VPN1. In the Client Address (IP Or DNS) text box, type 172.16.0.4, the address of VPN1's intranet (CorpNet) connection. IAS identifies a RADIUS client by the source address of its packets and silently discards requests from any address that is not registered, so this must be the address VPN1 actually sends from. This is shown in the following figure.
8. Click Next. On the Additional Information page of the New RADIUS Client Wizard, for Shared Secret, type a shared secret for VPN1 and then type it again in the Confirm Shared Secret text box. This is shown in the following figure. Use a long random secret and keep a record of it; the same value must be entered on VPN1, and a mismatch shows up only as failed authentications, because IAS cannot recover the hidden password and VPN1 discards replies whose authenticator does not verify.
9. Click Finish.
10. In the console tree, right-click Remote Access Policies and then click New Remote Access Policy.
11. On the Welcome To The New Remote Access Policy Wizard page, click Next.
12. On the Policy Configuration Method page, type VPN remote access to intranet in the Policy Name text box.
13. Click Next. On the Access Method page, select VPN.
14. Click Next. On the User Or Group Access page, select Group.
15. Click Add. In the Select Groups dialog box, type vpnusers in the Enter The Object Names To Select text box.
16. Click OK. The VPNUsers group in the example.com domain is added to the list of groups on the User Or Group Access page. This is shown in the following figure.
17. Click Next. On the Authentication Methods page, the MS-CHAP v2 authentication protocol is selected by default.
18. Click Next. On the Policy Encryption Level page, clear the Basic Encryption and Strong Encryption check boxes, leaving only Strongest Encryption (128-bit MPPE) selected so that 40-bit and 56-bit sessions are refused. This is shown in the following figure.
19. Click Next. On the Completing The New Remote Access Policy Wizard page, click Finish.

IIS1

IIS1 is a computer running Windows Server 2003, Standard Edition, and Internet Information Services (IIS). It is providing Web and file server services for intranet clients. To configure IIS1 as a Web and file server, perform the following steps:
1. Install Windows Server 2003, Standard Edition, as a member server named IIS1 in the example.com domain.
2. Install Internet Information Services (IIS) as a subcomponent of the Application Server component in the Windows Components Wizard of Control Panel>Add Or Remove Programs.
3. On IIS1, use Windows Explorer to create a new share for the root folder of the C: drive using the share name ROOT with the default permissions. (Sharing the system drive this way is acceptable only in an isolated test lab.)
4. To determine whether the Web server is working correctly, run Microsoft Internet Explorer on IAS1. If the Internet Connection Wizard prompts you, configure Internet connectivity for a LAN connection. In Internet Explorer, in the Address text box, type http://IIS1.example.com/iisstart.htm. You should see a Web page titled "Under Construction."
5. To determine whether file sharing is working correctly, on IAS1, click Start, Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the root folder of the C: drive on IIS1.

VPN1

VPN1 is a computer running Windows Server 2003, Standard Edition, that is providing VPN server services for Internet-based VPN clients. To configure VPN1 as a VPN server, perform the following steps:
1. Install Windows Server 2003, Standard Edition, as a member server named VPN1 in the example.com domain.
2. Open the Control Panel>Network Connections folder.
3. For the intranet local area connection, rename the connection to CorpNet. For the Internet local area connection, rename the connection to Internet.
4. Configure the TCP/IP protocol for the CorpNet connection with the IP address of 172.16.0.4, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
5. Configure the TCP/IP protocol for the Internet connection with the IP address of 10.0.0.2 and the subnet mask of 255.255.255.0.
6. Run the Routing And Remote Access snap-in from the Administrative Tools folder.
7. In the console tree, right-click VPN1 and click Configure And Enable Routing And Remote Access.
8. On the Welcome To The Routing And Remote Access Server Setup Wizard page, click Next.
9. On the Configuration page, Remote Access (Dial-Up Or VPN) is selected by default.
10. Click Next. On the Remote Access page, select VPN.
11.
Click Next. On the VPN Connection page, click the interface named Internet in the Network Interfaces list. The wizard also offers to set up static packet filters on the selected interface; leave that enabled so that the Internet interface accepts only VPN traffic.
12. Click Next. On the IP Address Assignment page, Automatically is selected by default. (VPN1 obtains addresses for its clients from the DHCP server on DC1 by way of the CorpNet connection.)
13. Click Next. On the Managing Multiple Remote Access Servers page, click Yes, Set Up This Server To Work With A RADIUS Server.
14. Click Next. On the RADIUS Server Selection page, type 172.16.0.2 in the Primary RADIUS Server text box and type the shared secret in the Shared Secret text box (the same secret that was entered on IAS1 for the RADIUS client named VPN1). This is shown in the following figure.
15. [...] Routing And Remote Access Server Setup Wizard page, click Finish.
16. You are prompted with a message describing the need to configure the DHCP Relay Agent.
17. Click OK.
18. In the console tree, open VPN1 (local), IP Routing, and then DHCP Relay Agent. Right-click DHCP Relay Agent, and then click Properties.
19. In the DHCP Relay Agent Properties dialog box, type 172.16.0.1 in the Server Address text box. [...]

The relay agent is what lets VPN clients obtain DHCP options such as the DNS server and domain name: RRAS hands out the leased addresses itself, but forwards the clients' DHCPInform messages to the DHCP server given here.
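The VPN1-to-IAS1 exchange that the IAS1 and VPN1 sections configure, as an added example that is not code from the book: a minimal RFC 2865 RADIUS Access-Request / Access-Accept round trip in Python. The NAS side (VPN1) hides the password under the shared secret keyed by the Request Authenticator; the server side (IAS1) looks the client up by source address, applies the "VPN remote access to intranet" policy (VPN port type plus membership in VPNUsers), and signs the reply with the Response Authenticator, which VPN1 then verifies. It uses PAP-style User-Password hiding rather than the MS-CHAP v2 the lab policy selects, to keep the code short; the client table, directory entries, passwords and the shared secret are constructed placeholders. It goes slightly beyond the text by showing the two failure modes a mistyped lab setup produces: a request from an address that is not a registered RADIUS client gets no reply at all, and a mismatched shared secret makes the reply's authenticator fail on VPN1.

```python
"""RFC 2865 RADIUS round trip between a VPN server acting as NAS (VPN1) and a RADIUS
server (IAS1). Added example, not from the book; all values are constructed placeholders."""
import hashlib
import os
import struct

# Packet codes and the attribute types used below (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_VIRTUAL = 5  # the value IAS matches for the "VPN" access method

# Constructed stand-ins for IAS1's RADIUS client table (only VPN1's intranet address
# is registered) and for the example.com directory: (password, group memberships).
RADIUS_CLIENTS = {"172.16.0.4": b"lab-shared-secret"}
DIRECTORY = {
    "VPNUser1": ("P@ssw0rd-1", {"VPNUsers"}),
    "WebAdmin": ("P@ssw0rd-2", set()),  # valid account, but not in VPNUsers
}

def encode_attrs(attrs):
    """Serialise [(type, value), ...] as RADIUS type-length-value triples."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def password_stream(data, secret, request_auth, hide):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous ciphertext
    chunk), the first chunk being keyed by the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mixed = bytes(x ^ y for x, y in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (mixed if hide else chunk)
    return out

def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def nas_access_request(user, password, nas_ip, secret, ident=1):
    """VPN1 side: build the Access-Request for a logon over a virtual (VPN) port."""
    request_auth = os.urandom(16)
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    attrs = [
        (USER_NAME, user.encode()),
        (USER_PASSWORD, password_stream(padded, secret, request_auth, hide=True)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
    ]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def ias_handle(packet, source_ip):
    """IAS1 side: returns the reply packet, or None when the request is dropped."""
    secret = RADIUS_CLIENTS.get(source_ip)
    if secret is None:
        return None  # not a registered RADIUS client: silently discarded, no reply
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    password = password_stream(attrs[USER_PASSWORD], secret, request_auth, hide=False)
    port_type = struct.unpack("!I", attrs[NAS_PORT_TYPE])[0]
    entry = DIRECTORY.get(user)
    # Policy "VPN remote access to intranet": valid credentials, VPN access method,
    # and membership in VPNUsers.  Anything else is an Access-Reject.
    granted = (entry is not None and entry[0].encode() == password.rstrip(b"\x00")
               and port_type == NAS_PORT_TYPE_VIRTUAL and "VPNUsers" in entry[1])
    reply_code = ACCESS_ACCEPT if granted else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, b"", request_auth, secret)
    return build_packet(reply_code, ident, auth, [])

def nas_check_reply(reply, request_auth, secret):
    """VPN1 side: trust the reply only if its Response Authenticator verifies."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return code if expected == reply[4:20] else None

def vpn_logon(user, password, vpn1_ip="172.16.0.4", secret=b"lab-shared-secret"):
    """Full round trip: 'accept', 'reject', 'no-reply' or 'bad-authenticator'."""
    request, request_auth = nas_access_request(user, password, vpn1_ip, secret)
    reply = ias_handle(request, vpn1_ip)
    if reply is None:
        return "no-reply"
    code = nas_check_reply(reply, request_auth, secret)
    if code is None:
        return "bad-authenticator"
    return "accept" if code == ACCESS_ACCEPT else "reject"
```

Calling vpn_logon("VPNUser1", "P@ssw0rd-1") returns "accept"; the same user with a wrong password, or WebAdmin (not in VPNUsers), returns "reject". Sending from 172.16.0.3 instead of the registered 172.16.0.4 returns "no-reply", and using secret=b"typo" on the VPN1 side returns "bad-authenticator": the two symptoms to look for first when a lab VPN logon fails without a visible error on IAS1.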

Posted: 14/08/2014, 14:20