VPN Server with Windows Server: Installation and Configuration


Windows Server 2019

In this tutorial, I will explain how to set up a VPN server on Windows Server with the role of remote access and configure access with NPS.

When setting up a VPN server with Windows, 3 types of VPN service are installed:

  • PPTP
  • L2TP
  • SSTP

In this tutorial we will see how to use PPTP and SSTP. When configuring the VPN client on Windows it is configured automatically and will test the connections on different ports to find the type of VPN service.

In order to limit the right of connection to the VPN, the policy will be configured to allow users belonging to the Active Directory group GRP_SRV_VPN_ALLOW.

The IP addresses will be distributed by a DHCP server.

When configuring the VPN client on Windows, the type of VPN is configured automatically, when connecting it will test the different types to establish the connection. There are several methods to force a type:

  • Configuration on the VPN client.
  • Port configuration at the firewalls level.
  • Configuration on NPS in the policy.

Installing the Remote Access role

From the server manager, click Add Roles and Features 1 .

Add features

When launching the wizard, click Next 1 .

Wizard add features

Choose role-based installation or 1 feature and click Next 2 .

Install type

Select server 1 and click Next 2 .

Select server

Check the Remote Access role cache 1 and click Next 2 .

Select Remote Access

Skip the list of features by clicking Next 1 .

pass the features

A Remote Access role summary explaining the different services available such as Direct Access, VPN Server, WAF, Routing …. Click Next 1 to move to service selection.

Aperçu des rôles dont Serveur VPN / Overview of roles including VPN Server

Check DirectAccess and VPN (remote access) 1 which is the service that allows the setting up of a VPN server.

Choisir DirectAccess et VPN pour le serveur VPN / Choose DirectAccess and VPN for the VPN server

Click the Add Features 1 button to install the management consoles and dependent roles.

Dépendances pour le serveur VPN / Dependencies for the VPN server

The DirectAcces and VPN service is selected, click Next 1 .

Services sélectionnés pour le serveur vpn / Services selected for the vpn server

The IIS role must be installed, a summary of it is displayed, click Next 1 .

Overview Web Server IIS

Leave IIS services default, click Next 1 .

IIS features

A summary of the installation is displayed, confirm by clicking Install 1 .

Démarrer l'installation du serveur VPN / Start the VPN server installation

Wait during the installation of the roles necessary to set up the VPN server …

When the installation is complete, click Close 1 to exit the wizard.

Installation completed

Now that the features necessary to install a VPN server are installed, we will go to the configuration.

VPN Server Configuration

From the server manager, click the notification icon 1 and then click Open Startup Assistant 2 .

Ouvrir l'assistant de configuration du serveur VPN / Open the VPN Server Configuration Wizard

Click Deploy VPN only 1 , this action will open the Routing and Remote Access console.

Assistant de configuration / Configuration Wizard

Once the console is open, right click on server 1 and click Configure and enable routing and remote access 2 .

Start configuration

A new assistant will launch, click Next 1 .

Wizard configuration

Select Custom Configuration 1 then click Next 2 .

Custom configuration

Select the VPN Access 1 service to configure the VPN server and click Next 2 .

Accès VPN pour configurer un serveur VPN / VPN access to configure a VPN server

Click Finish 1 .

Configuration completed

Click on Start Service 1 .

Démarrer le service pour rendre accessible le serveur VPN / Start the service to make the VPN server accessible

The VPN server is now operational, by default access to the VPN service is granted through the user’s properties in the Active Directory at the Remote Access tab. In a large environment this way of working quickly becomes heavy to administrator, we will now use the Network Policy Server (NPS) features to give the connection rights to an Active Directory group.

Launch the NPS Server Console on the server.

Serveur NPS

Unroll Strategies node 1 then right click on Network Strategies 2 and click on New 3 .

Création d'une stratégie d'accès au serveur VPN / Creating a VPN server access policy

Name the strategy 1 and choose the type Remote Access Server (VPN-Dial-up) 2 then click Next 3 .

Name and type policy

It is here that we will configure the conditions of access to the service, it is possible to add several conditions including access hours. Click the Add button 1 .

Ajouter de conditions d'accès au serveur VPN / Adding access conditions to the VPN server

Choose User Groups 1 and click Add 2 .

Select Users Groups

A new window opens, click on Add 1 to choose the group, once this 2 select click OK 3 .

Sélection du groupe autorisé à se connecter au serveur VPN / Selecting the group allowed to connect to the VPN server

Once conditions are added, click on Next 1 .

Conditions accès au serveur VPN ajoutées / VPN server access conditions added

Configure authorization to see if the policy is a 1 granted access policy or denied and click Next 2 to validate.

Type d'autorisation d'accès au serveur VPN / Type of access authorization to the VPN server

This part of the configuration is important for the future, including the configuration of the VPN client and the security level. The addition of an EAP protocol type is not mandatory but strongly recommended, click on the button Add 1 .

Configuration de l'authentification sur le serveur VPN / Configuring authentication on the VPN server

Select Microsoft: Secure Password (EAP-MSCHAP Version 2) 1 and click OK 2 .

Select EAP

Once you have selected the authentication types and methods, click Next 1 .

Configuration de l'authentification sur le serveur VPN / Configuring authentication on the VPN server

If a message appears about the authentication methods, click No to not open help.

In the strategy, no opposite will be configured, but it is possible to add as hours of access or force a type of VPN (NAS). Click Next 1 .

Configuration des contraintes d'accès au serveur VPN / Configuring access constraints to the VPN server

A summary of the strategy is displayed, click Finish 1 to confirm the creation.

Stratégie configurée pour l'accès au serveur VPN / Policy configured for VPN server access

The strategy has been added 1 . They are treated as on a firewall, they are read from top to bottom. If you have multiple policies, one of which does not apply, check that the traffic does not go into a strategy above.

Stratégies d'accès au serveur VPN / VPN server access policies

Before you can use the VPN server, you must register the NPS server in the Active Directory for access permissions to be processed by it, right-click on NPS (Local) 1 and click Register a server in Active Directory 2 .

Inscription du serveur NPS dans l'AD pour la gestion des accès au serveur VPN / Register the NPS server in the AD for VPN server access management

Click OK on the two confirmation messages that appear.

Before you proceed with the client configuration, look in the Remote Access Management console tools and click on it to open it. This console allows you to view the status of VPN server services and view connections in progress …

Services du serveur VPN / VPN server services

Configure the VPN connection on Windows 10

The VPN server is configured and accessible from the Internet, to configure the VPN on Windows 10, open the settings and go to Network and Internet. Click on Configure a new connection 1 .

Add VPN connection in Windows 10

Choose the connection option: Connect to your workspace 1 and click Next 2 .

Connection type

Click on Use my Internet Connection (VPN) 1 .

Select VPN

Enter the IP address or DNS name 1 for the VPN connection, name the connection 2 and click Create 3 .

Adresse du serveur VPN / VPN server address

The connection is added 1 in the VPN part 2 .

Connexion VPN ajoutée / VPN connection added

Click on the connection 1 and click on Connect 2 .

Se connecter / Connect to

Enter the credentials of a member account of the group configured in the policy.

Credential

The connection is established.

Connecté au serveur VPN / Connected to the VPN server

The VPN connection is also available at the network card level in Windows.

Connexions réseau / Network Connections

Quick access is also available through the notification area by clicking on the network icon.

Connexions réseau / Network Connections

On the remote access management console, it is possible to track the connected clients.

If you have not configured an EAP protocol, you must change the properties of the VPN connection through the Control Panel / Network Center and share / Change the card settings, right-click on the VPN network card and go to the Properties. Go to the 1 Security tab, choose Allow these 2 protocols and check the 3 authentication protocol (s) to be used then validate by clicking on OK 4 .

Sécurité de la connexion VPN / VPN connection security

VPN in PPTP

In this part, we will see how to force the PPTP VPN in the client configuration and on the NPS console to force this type of tunnel.

VPN client

VPN client…

Client force PPTP

NPS

On the NPS console, go to the Network Policy node 1 , right click on the VPN Access Policy 2 and click Properties 3 .

Edit policy

Go to the 1 Conditions tab and click on Add 2 .

Ajouter une condition au serveur VPN / Add a condition to the VPN server

Select Tunnel Type 1 and click Add 2 .

Ajouter une condition au serveur VPN / Add a condition to the VPN server

Check the Point-to-Point Tunneling Protocol (PPTP) 1 and click OK 2 .

Select PPTP

The condition of the PPTP tunnel type has been added.

condition ajoutée au serveur VPN / condition added to the VPN server

VPN in SSTP

The SSTP tunnel is based on port 443 (HTTPS) which can be used in most WIFI connections.

Setting up the VPN SSTP requires configuring the certificate used for the connection. This must be installed in the personal store of the computer.

To work, the certificate authority must be known to the clients.

It is possible to use a self-signed certificate on the server, in which case the certificate must be installed on the clients in the Trusted Root Certification Authority store. If you are using a standalone or enterprise CA, you just need to deploy the authority certificate.

VPN Service Configuration – Routing and Remote Access

On the VPN server from the Routing and Remote Access console, open the server properties, on the Security tab 1 in the SSL certificate link section, choose the certificate 2 and validate by clicking Apply. 3 and OK 4 .

Select certificate

The changes require a restart of the service, confirm by clicking Yes 1 .

Restart service

Customer configuration

The login host name in the General tab must be a DNS name 1 present in the certificate.

Connection host name

As for the PPTP VPN tunnel, it is possible to force the type in the Security tab 1 by selecting SSTP 2 .

SSTP type

NPS

As for the PPTP tunnel, it is possible to force the SSTP tunnel into the network strategy.

Type de serveur VPN : SSTP / VPN server type: SSTP

Error: The revocation function could not verify the revocation because the revocation server was disconnected

If you are using a self-signed certificate or from a private CA that does not publish the revocation list on the Internet, you must add a registry key to the client to bypass this verification.

Open the registry editor and go to the location : HLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters and add the key (DWORD) NoCertRevocationCheck by assigning it the value 1.

NoCertRevocationCheck



Leave a Comment