Jan 20, 2017

How To Set Up VPN Server on Windows Server 2016


This article will guide you through the steps to set up VPN Server on Windows Server 2016. 





VPN server leveraging IPsec Tunnel Mode with Internet Key Exchange version 2 (IKEv2) with the functionality provided by the IKEv2 Mobility and Multihoming protocol (MOBIKE). This tunneling protocol offers inherent advantages in scenarios where the client moves from one IP network to another (for example, from WLAN to WWAN). 

The scenario permits a user with an active IKEv2 VPN tunnel to disconnect a laptop from a wired connection, walk down the hall to a conference room, connect to a wireless network, and have the IKEv2 VPN tunnel automatically reconnected with no noticeable interruption to the user.

Installing Certificates on VPN Server and VPN Client  

First you need to create certificate templates. Open up Certification Authority Console and from CA console, right click Certificate Templates > Manage > Right Click IPSec > Duplicate template


On Request Handling tab click Allow private key to be exported


Click Extension tab > Application Policies > Edit


Remove IP Security IKE intermediate > then click Add



and choose Server Authentication > OK

 

Click Key Usage > Edit
 

Make sure that Digital signature is selected. If it is, click Cancel. If it is not, select it, and then click OK.


In the Security tab click Object Types > Computers > Add Domain Computers


Make sure Read, Enroll and Autoenroll is selected


In General tab provide a name to template


Now, right click Certification Template > New > Certificate Template to Issue


Choose newly created template, click OK


Enrolling Certificate on VPN Server

Now, on your VPN Server, open up Run  and type mmc > Add/remove snap-in


Click Certificates > Add > Computer Account


Right click Personal > All tasks > Request New Certificate


Check Certificate templates > Properties


Click Subject tab > Subject Name > Common name (from drop-down menu) choose FQDN for VPN Server > Click Add

In the Alternative Name, choose DNS, set FQDN for VPN Server, Click Add


New certificate should be created as shown in image below.


This certificate should be exported and then imported to client machine.

To export certificate, Right-click certificate > All tasks > Export


Export private key, Set password and specify file in which certificate should be saved. Copy file to client computer



To import file on client machine, certificate should be imported into Trusted Root Certification Authority on client.

Open up Run, type mmc > Add > Certificate snap-in-local computer

Right-click Trusted Root Certification Authorities > All task > import

Browse to copied file and enter password to import it.




Installing Roles

You need to add Network Policy Server and Remote Access roles on your VPN Server. Open up Server Manager > Add Roles and Features and select the following to install.


Open up Routing and Remote Access console, right-click on Server > Configure and Enable Routing and Remote Access


Select Remote access (dial-up or VPN)


Check VPN


Select internet facing interface accordingly


Define VPN address pool according to your environment



We’ll use NPS instead of RADIUS


Right click Remote Access Logging > Launch NPS



Click Network Access Policies



Right click Connections to Microsoft Routing and Remote Access Server > Properties


Check Grant access


Click Constraints > Select Microsoft:Secured password (EAP-MSCHAP v2)


If it’s not selected Add it




Enable user VPN access

In ADUS right click Dial-in > Allow access



Client Setting

Open in notepad Windows/System32/Drivers/etc/hosts file and add entry for VPN server (name must be equal to one specified in SSL certificate)


Creating VPN client connection



Use my internet connection (VPN)


I’ll set up an internet connection later


In Internet address type your VPN Server name


Specify username/password


In Security tab,for Type of VPN select IKEv2 > Data encryption > Require encryption > Authentication:Microsoft:Secured password (EAP-MSCHAP v2)


We can see that IKEv2 is used,client got address from our VPN pool (10.10.10.3)






Here you can see one client is connected to VPN Server with user Administrator.


We have successfully completed VPN Server deployment on Windows Server 2016. I hope this article will be helpful to deploy VPN Server in your environment.

6 comments:

  1. Natalia SantanderFebruary 12, 2017

    NPS far better than old RADIUS

    ReplyDelete
  2. Joshua WortzFebruary 12, 2017

    What if i don't want to use DHCP pool for ip addresses instead using static?

    ReplyDelete
  3. Alexander LayshaFebruary 12, 2017

    very detailed and helpful indeed

    ReplyDelete
  4. Trevor SullivanFebruary 12, 2017

    I don't like Windows as VPN Server.

    ReplyDelete
  5. Thomas MaurerFebruary 12, 2017

    Windows VPN is Easy and effortless solution rather buying a Juniper or Cisco device

    ReplyDelete
  6. wow not easier then Juniper or Cisco

    ReplyDelete

 
TECH SUPPORT © 2012-2017