Windows ‘Always On’ VPN Part 2 (NPS, RAS, and Clients)

KB ID 0001403

Problem

Back in Part One, we setup the AD (Groups,) and the Certificate services that will knit everything together. Now we need to configure an NPS server that acts as a RADIUS server for our remote clients, And a RAS Server that our remote clients will connect to.

Step1: Network Setup

Microsoft have an alarming habit of telling you to connect DMZ assets to the LAN. In their defence I’ve seen some documentation where theres is a firewall in front and behind their RAS/VPN server, but then you keep reading and they refer to the NIC on the LAN and the NIC in the DMZ. As you can tell I’m not a fan, I prefer to have an un-authenticated and an authenticated DMZ, and neither of them are connected to the LAN, So then I can control what can, and cannot flow between the DMZs and the LAN.

Always-On-VPN-Network-Topology

My way means I have to allow more ports for domain membership etc, but, if you have a Cisco ASA I’ve covered that in the following article,

Cisco ASA – Allowing Domain Trusts, and Authentication

As for the VPNs and RADIUS you need to allow the following;

From Outside to the RAS Server

  • UDP 500 (ISAKMP)
  • UDP 4500 (NAT Traversal)

From the RAS Server to the NPS/NAP Server

  • UDP 1812 (RADIUS Authentication)
  • UDP 1813 (RADIUS Accounting)
  • UDP 1645 (RADIUS Authentication)
  • UDP 1646 (RADIUS Accounting)

Quite why it needs both pairs or RADIUS ports I’m unsure, I’ve not scanned or packet captured the traffic, but I’m wiling to bet it really only needs 1812/1823 or 1645/1646.

Step2: Install NPS

Server Manager > Manage > Add Roles and Features > Network Policy and Access Services > Complete the wizard accepting the defaults.

Instal NPS Server 2016

Administrative tools > Network Policy Server > Right click NPS (Local) > Register in Active Directory > OK.

NPS Server Register in AD

Even though its not setup yet, we need to create our RAS server as a RADIUS client > RADIUS Clients > New.

Friendly Name: A sensible name that identifies the RAS server

IP: IP of the RAS server (On the LAN segment)

Shared Secret: Generate a new one and copy it to the clipboard, (you will need it in a minute.)

NPS Create RADIUS Client

On the main page, ensure ‘RADIUS server for Dial-Up or VPN Connections’ is selected‘ > Configure VPN or Dial-Up.

NPS VPN Dial Up

Select ‘Virtual Private Network (NPS) Connections > Next > Ensure the RADIUS server you have just created is listed > Next > Ensure ONLY ‘Extensible Authentication protocol’ is ticked > Change its value to Microsoft Protected EAP (PEAP) > Configure.

NPS VPN Dial Up Policy

EAP Types: Remove the one that is listed by default > Add in ‘Smart card or other certificate’ > OK > Under Groups make sure sure you have ONLY added the group you created back in part one > Next > Next.

NPS VPN Dial Up Certificate

Next > Next > Finish.

NAP Connection Policy

Your connection request policies should look like this.

NAP Connection Request Policy

Your network policies should look like this.

NAP Network Policy

Step 3: Setup RAS

Server Manager > Manage > Add roles and Features > Next > Next > Next > Remove Access > Next.

Add Remote Acess Role

Select DirectAccess and RAS > Finish the wizard accepting the defaults.

DirectAccess and VPN RAS

Open the Getting Started Wizard > Select VPN Only.

DirectAccess Setup

Administrative Tools > Routing and Remote Access > Right click {server-name} > Configure and enable Routing and Remote Access > Next  > Custom configuration.

Configure RAS

VPN Access > Next > Finish > Start service.

Configure Windows RAS

Once again right click {server-name} > Properties > IPv4 > Note: If you are not going to use your internal DHCP server/scope, then you can set one up manually (as shown) > Ensure ‘Enable broadcast name resolution’ is selected, and the RAS servers internal/LAN interface is selected > Apply.

RAS DHCP Settings

Security Tab:  Authentication provider  = RADIUS Authentication  > Configure > Add > Enter the IP of the NPS server > Change > Paste in the shared secret you copied, (above) > OK > OK. 

Repeat the same procedure for Authentication provider, (below).

RAS RADIUS Settings

Drill down to ‘Ports’ > Right Click  > Properties > Select SSTP > Configure > Remove the tick from ‘Remote access connections (inbound only) > OK. Repeat this procedure for ALL the protocols EXCEPT IKEv2, (So when finished, only IKEv2 is set to accept incoming requests).

RAS Port Settings

Step 4: Configure Reference Windows 10 Machine

On a Windows 10 machine* Launch the ‘Change virtual private networks.

*Note: Your logged on user, must have a certificate issued to them, and be a member of the AD group we created earlier. 

Windows 10 VPN

Add a VPN Connector.

Windows 10 Ad a VPN

  • VPN Provider: Windows (Built-in).
  • Connection Name: Connection-Template.
  • Server Name or address: (The ‘public’ name we put on the certificate on the RAS server).

Windows Add a VPN Connection

Change Adapter options.

Change Adaptor Settings

Right click the VPN connection > Properties.

Change NIC Settings

Security Tab:

  • Type of VPN: IKEv2
  • Data Encryption: Maximum
  • Use Extensible Authentication Protocol (EAP)
  • Properties > Enter the name on the certificate on your NAP Server, (I know that does not make sense trust me!)
  • Tick your Root CA Cert for the domain.
  • Select ‘Don’t prompt user to authorise new servers or new authorities’.

NIC VPN Settings

Connect your VPN to test it.

Connect VPN

Make sure everything works.

VPN Connected

Note: I had some DNS resolution problems, see the post below to find out how I fixed them;

Windows 10: Remote VPN Client Cannot Resolve Domain DNS

Now you need to ‘capture’ all those settings so you can give them to your other clients. To do that you need a copy of the PowerShell script MakeProfile.ps1 You will need to edit the script a little, see the example below. Running the script will output two files to the desktop, an PowerShell Script and an XML file

VPN Profile

Step 5: Deploying the Settings

At the time of writing you can deploy these settings via three methods, PowerShell Script, SCCM, or Microsoft Intune. I’m simply going to run the PowerShell Script, there are a few restrictions though, you have to be logged on as the particular user. They need administrative rights to run the script, which is a bit of a pain, you can use restricted groups and set the powershell to run at logon with group policy, then remove the policy when configured, but it’s still a bit of a drama. Below I’m simply running the VPN_Profile.ps1 file I generated above.

eploy Always On VPN Profile

Now once the user logs in, (and has a valid remote internet connection.) The remote client will auto-connect.


Always On VPN Connected

That covers USER tunnels, you can also, (Post 1709 Windows 10 Builds,) have DEVICE tunnels. Which I would write a part three about, but I simply cannot get them to work, so I’m waiting for the bugs to be ironed out, and I will revisit it at some point in the future.

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Share This Post On

3 Comments

  1. Thanks for your clear and detailed walk-though.
    Some questions on the network setup diagram. On the left side, the DMZ is on the same subnet as the internal LAN. Is that intentional or just a copy and paste type of error?

    The second similar question is about the diagram on the right side – the Authenticated DMZ is also on the same subnet as the internal LAN – is that intentional?

    Also on that diagram, is that meant to be a single firewall device, and the Authenticated and Unauthenticated DMZ interfaces on the RAS server are both connected to that same device?

    Post a Reply
    • Hi Ralph, thanks for spotting the typo! LAN is 192.168.110.0/24 (Image updated). Both deployments use a single firewall, On the left the RAS server is connected both LAN and DMZ. The second deployment (on the right) Is MY PREFERRED method, to have an un-authenticated and an authenticated DMZ with the RAS server connected to both.

      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *