Configure the certification authority to issue the new certificates 42
Configure Active Directory for autoenrollment of certificates 42
Create a user account 43
Update Group Policy 43
VPN1 43
Update Group Policy 43
Create the L2TPCorp profile 43
Prepare the L2TPCorp profile for distribution 45
IAS1 45
CLIENT1 45
Get a certificate 45
Connect to CorpNet using the L2TPCorp profile 46
Test connectivity 46
Configuring and Testing an EAP Profile 47
DC1 47
Configure a User certificate 47
Configure the certification authority to issue the new certificate 47
Configure Active Directory for autoenrollment of user certificates 47
Configure group membership and update Group Policy 48
IAS1 48
Update Group Policy 48
Edit the VPN remote access policy 48
VPN1 48
Update Group Policy 48
Create the EAPCorp profile 49
Prepare the EAPCorp profile for distribution 51
CLIENT1 51
Get a certificate 51
Connect to CorpNet using the EAPCorp profile 52
Test connectivity 52
Summary 54
Related Links 55
Introduction
This white paper provides detailed information about how you can use five computers to create a test
lab in which you can create and test Connection Manager profiles. These instructions also take you
step-by-step through creating and installing Connection Manager profiles for dial-up remote access,
VPN remote access with PPTP, VPN remote access with L2TP/IPSec, and VPN remote access with
EAP-TLS authentication. As you complete this test lab, you will also test two methods of distributing
profiles to client computers: from a floppy disk and over an intranet connection.
This white paper is intended for enterprise-level administrators who have experience managing remote
access connections, administering Active Directory, and operating a test lab. It does not provide a
conceptual overview of any of the technologies that you implement in the lab or of general test lab
operations. For links to conceptual information, general deployment information, and product details,
see Related Links at the end of this paper.
The instructions in this white paper are cumulative. To reproduce the test lab configurations detailed in
this white paper, you must complete each section in the sequence in which it appears, and you must
follow the steps in each section in sequence.
Note: The following instructions describe configuring a test lab to test the relevant scenarios. To clearly
separate the services provided on the network and to show the desired functionality, you need a minimum
of four servers.
In addition, these test lab configurations reflect neither best practices nor a desired or recommended
configuration for a production environment. For example, the test lab uses the same computer as a domain
controller, a Domain Name System (DNS) server, and a Dynamic Host Configuration Protocol (DHCP)
server. In a production environment, you should not run other services on a domain controller. These test
lab configurations, including IP addresses and all other configuration parameters, are designed to work only
on a test lab network.
Windows Server 2003 White Paper 1
Configuring the Initial Test Lab
To follow the steps in this white paper, you will need to configure five computers in a specific topology.
Each computer in the lab has specific hardware and operating system requirements, which are
specified in the subsections below.
To set up this test lab, you will need the following hardware and software:
• Four computers that are capable of running members of the Windows Server 2003 family
o One server must have two network adapters and a modem.
o One server must have a floppy disk drive.
• One computer that is capable of running Microsoft Windows XP Professional and that has a
modem and a floppy disk drive
• Two network hubs or Layer 2 switches
• One operating system disc for Windows Server 2003, Enterprise Edition
• Three operating system discs for Windows Server 2003, Standard Edition
• One operating system disc for Windows XP Professional
Figure 1 shows the network topology for this lab.
As shown in Figure 1, one segment of the test lab network represents a corporate intranet, and another
segment represents the Internet. Connect all computers on the intranet segment to a common hub or
Layer 2 switch. Connect all computers on the Internet segment to a separate common hub or Layer 2
switch.
The following subsections describe how you will set up the basic infrastructure. To reconstruct this test
lab, configure the computers in the order presented. Additional sections of this paper describe the
specific configuration steps required for testing dial-up, PPTP, L2TP/IPSec, and EAP-TLS connections.
DC1
As part of setting up the basic infrastructure for the test lab, configure DC1 as the domain controller, the
DNS server, and the DHCP server for a domain that is named example.com.
Perform basic installation and configuration
1. Install Windows Server 2003, Enterprise Edition, and configure the computer as a stand-alone
server named DC1.
2. Configure the connection to the intranet segment with the IP address of 172.16.0.1 and the subnet
mask of 255.255.255.0.
Configure the computer as a domain controller
1. Click Start, click Run, type dcpromo.exe, and click OK to start the Active Directory Installation
Wizard.
2. Follow the instructions in the wizard to create a domain named example.com in a new forest.
Install the DNS service when prompted to do so.
3. Raise the functional level of the example.com domain to a native Windows Server 2003 domain.
Install and configure DHCP
1. Install DHCP as a subcomponent of the Networking Services component.
2. Click Start, point to Administrative Tools, and click DHCP.
3. In the console tree, click dc1.example.com. On the Action menu, click Authorize to authorize
the DHCP service.
4. In the console tree, right-click dc1.example.com, and then click New Scope.
5. On the Welcome page of the New Scope Wizard, click Next.
6. On the Scope Name page, type CorpNet in Name, and click Next.
7. On the IP Address Range page, type 172.16.0.10 in Start IP address, type 172.16.0.100 in End
IP address, type 24 in Length, and click Next.
8. On the Add Exclusions page, click Next.
9. On the Lease Duration page, click Next.
10. On the Configure DHCP Options page, click Yes, I want to configure these options now, and click
Next.
11. On the Router (Default Gateway) page, click Next.
12. On the Domain Name and DNS Servers page, type example.com in Parent domain. Type 172.16.0.1 in
IP address, click Add, and click Next.
13. On the WINS Servers page, click Next.
14. On the Activate Scope page, click Yes, I want to activate this scope now, and click Next.
15. On the Completing the New Scope Wizard page, click Finish.
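The same DHCP configuration can be scripted with netsh so the lab is reproducible; this is an added example, not part of the white paper, run from a command prompt on DC1 after the DHCP component is installed. It assumes the addresses used in the steps above (DC1 at 172.16.0.1, scope 172.16.0.0/24) and the netsh dhcp context that ships with the Windows Server 2003 DHCP server.

```batch
@echo off
rem Added example (not from the white paper): scripted equivalent of the
rem "Install and configure DHCP" steps for DC1. Assumes the lab addressing
rem plan: DC1 = 172.16.0.1, CorpNet scope = 172.16.0.0/24.

set DHCPSRV=172.16.0.1
set SCOPE=172.16.0.0

rem Step 3: authorize the DHCP server in Active Directory.
netsh dhcp add server dc1.example.com %DHCPSRV%

rem Steps 4-6: create the CorpNet scope.
netsh dhcp server %DHCPSRV% add scope %SCOPE% 255.255.255.0 CorpNet "Test lab intranet"

rem Step 7: address range 172.16.0.10 to 172.16.0.100 (no exclusions, step 8).
netsh dhcp server %DHCPSRV% scope %SCOPE% add iprange 172.16.0.10 172.16.0.100

rem Step 12: scope options 015 (DNS domain name) and 006 (DNS server).
rem No router option (003) is set, matching step 11 where the page is skipped.
netsh dhcp server %DHCPSRV% scope %SCOPE% set optionvalue 015 STRING example.com
netsh dhcp server %DHCPSRV% scope %SCOPE% set optionvalue 006 IPADDRESS %DHCPSRV%

rem Step 14: activate the scope (state 1 = active).
netsh dhcp server %DHCPSRV% scope %SCOPE% set state 1

rem Check: the scope should show as Active with the expected range and options.
netsh dhcp server %DHCPSRV% show scope
netsh dhcp server %DHCPSRV% scope %SCOPE% show iprange
netsh dhcp server %DHCPSRV% scope %SCOPE% show optionvalue
```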
Add computers to the domain
1. Open Active Directory Users and Computers.
2. In the console tree, double-click example.com.
3. Right-click Users, point to New, and then click Computer.
4. In the New Object – Computer dialog box, type IAS1 in Computer name, and click Next.
5. In the Managed dialog box, click Next.
6. In the New Object – Computer dialog box, click Finish.
7. Follow steps 3-6 to create additional computer accounts for IIS1 and VPN1.
IAS1
As part of setting up the basic infrastructure for the test lab, configure IAS1 as the RADIUS server that
provides authentication, authorization, and accounting for VPN1.
Perform basic installation and configuration
1. Install Windows Server 2003, Standard Edition, and configure the computer as a member server
named IAS1 in the example.com domain.
2. Configure the connection to the intranet segment with the IP address of 172.16.0.2, the subnet
mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
Install and configure Internet Authentication Service
1. Install Internet Authentication Service as a subcomponent of the Networking Services component.
2. Click Start, point to Administrative Tools, and click Internet Authentication Service.
3. Right-click Internet Authentication Service, and then click Register Server in Active Directory.
When the Register Internet Authentication Server in Active Directory dialog box appears, click
OK. When the Server registered dialog box appears, click OK.
4. In the console tree, right-click RADIUS Clients, and then click New RADIUS Client.
5. On the Name and Address page of the New RADIUS Client wizard, type VPN1 in Friendly name,
type 172.16.0.4 in Client address (IP or DNS), and then click Next.
6. On the Additional Information page, type the same shared secret for VPN1 in both Shared
secret and in Confirm shared secret.
7. Click Finish.
IIS1
As part of setting up the basic infrastructure for the test lab, configure IIS1 as a Web server and a file
server for the example.com domain.
Perform basic installation and configuration
1. Install Windows Server 2003, Standard Edition, and configure the computer as a member server
named IIS1 in the example.com domain.
2. Configure the connection to the intranet segment with the IP address of 172.16.0.3, the subnet
mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
Install and configure IIS
1. Install Internet Information Services (IIS) as a subcomponent of the Application Server component.
2. Create a file in Notepad that contains the text shown in the following figure (a simple HTML page
whose body text is This is test text).
3. Save the file as C:\inetpub\wwwroot\test.html, where C is the drive on which the operating system
is installed.
4. Start Internet Explorer on IAS1. If the Internet Connection Wizard prompts you, configure Internet
access through a LAN connection. In Internet Explorer, type http://IIS1.example.com/test.html in
Address. You should see the text that you specified in the body of your text file: This is test text.
Configure a shared folder
1. On IIS1, use Windows Explorer to share the root folder of the drive on which you installed the
operating system. Name the share ROOT, and retain the default permissions.
2. To determine whether file sharing is working correctly, on IAS1, click Start, click Run, type
\\IIS1\ROOT, and then click OK. You should see the files in the root folder on IIS1.
VPN1
As part of setting up the basic infrastructure for the test lab, configure VPN1 as a remote access server.
VPN1 must have two network adapters and a modem.
Perform basic installation and configuration
1. Install Windows Server 2003, Standard Edition, and configure the computer as a member server
named VPN1 in the example.com domain.
2. Rename the connection to the intranet segment as CorpNet, and rename the connection to the
Internet segment as Internet.
3. Configure the CorpNet connection with the IP address of 172.16.0.4, the subnet mask of
255.255.255.0, and the DNS server IP address of 172.16.0.1.
4. Configure the Internet connection with the IP address of 10.0.0.2 and the subnet mask of
255.255.255.0.
5. If Windows does not configure the modem automatically, start the Add Hardware wizard, and
configure the modem.
Configure Routing and Remote Access
1. Click Start, point to Administrative Tools, and click Routing and Remote Access.
2. In the console tree, right-click VPN1, and click Configure and Enable Routing and Remote
Access.
3. On the Welcome to the Routing and Remote Access Server Setup Wizard page, click Next.
4. On the Configuration page, Remote access (dial-up or VPN) is selected by default. Click Next.
5. On the Remote Access page, select both the VPN and Dial-up check boxes, and click Next.
6. On the VPN Connection page, click the Internet interface in Network interfaces, and click Next.
7. On the Network Selection page, click the CorpNet interface in Network Interfaces, and click
Next.
8. On the IP Address Assignment page, Automatically is selected by default. Click Next.
9. On the Managing Multiple Remote Access Servers page, click Yes, set up this server to work
with a RADIUS server, and click Next.
10. On the RADIUS Server Selection page, type 172.16.0.2 in Primary RADIUS server, type the shared
secret in Shared secret, and click Next.
11. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.
12. When a message about configuring the DHCP Relay Agent appears, click OK.
Configure DHCP Relay Agent
1. In the console tree, double-click VPN1, double-click IP Routing, and right-click DHCP Relay
Agent, as shown in the following figure.
2. Click Properties.
3. In the DHCP Relay Agent Properties dialog box, type 172.16.0.1 in Server address, and click
Add. The server address will be added to the list, as shown in the following figure. Click OK.
CLIENT1
As part of setting up the basic infrastructure for the test lab, configure CLIENT1 as a standalone
computer on a separate network segment. CLIENT1 must have a modem.
1. Install Windows XP Professional, and configure the computer as a standalone computer named
CLIENT1.
2. Configure the connection to the Internet segment with the IP address of 10.0.0.1 and the subnet
mask of 255.255.255.0.
3. If Windows does not configure the modem automatically, start the Add Hardware wizard, and
configure the modem.
Configuring and Testing a Dial-Up Profile
This section describes how to configure the test lab for dial-up access and phone book distribution,
create a Connection Manager profile for dial-up access, and install and test this profile on the client
computer.
DC1
To configure the test lab for dial-up access, create an appropriate user account and an appropriate
group on DC1.
Create a user account for dial-up connections
1. Open Active Directory Users and Computers.
2. In the console tree under the example.com domain, right-click Users, point to New, and then click
User.
3. In the New Object – User dialog box, type DialUser in First name, type DialUser in User logon
name, and click Next.
4. In the New Object – User dialog box, type a password of your choice in Password and Confirm
password. Clear the User must change password at next logon check box, select the
Password never expires check box, and click Next.
5. In the New Object – User dialog box, click Finish.
Create a group for dial-up connections
1. In the console tree, right-click Users, point to New, and then click Group.
2. In the New Object – Group dialog box, type DialUsers in Group name, and then click OK.
3. In the details pane, double-click DialUsers.
4. In the DialUsers Properties dialog box, click the Members tab, and then click Add.
5. In the Select Users, Contacts, Users, or Groups dialog box, type DialUser in Enter the object
names to select, and click OK.
6. In the Multiple Names Found dialog box, click OK.
7. Click OK to save changes to the DialUsers group.
IAS1
To configure the test lab for dial-up access, configure IAS1 with an appropriate remote access policy for
dial-up access.
Create a remote access policy for dial-up connections
1. Open Internet Authentication Service.
2. In the console tree, right-click Remote Access Policies, and then click New Remote Access
Policy.