Installing a VPN RRAS role with NPS (RADIUS) on Windows Server 2008/2012/2016

Overview

Windows Routing and Remote Access (RRAS) has not changed much since its inception. However, the deployment method has changed to include DirectAccess VPN, and it requires NPS to enable group-based access control.

I have put together a guide on how to get VPN up and running on any server along with RADIUS (NPS) to secure it based on security groups.


Installing the RRAS Role with NPS (RADIUS)
 


  1. Open Server Manager. Go to Manage->Add Roles and Features (in 2012 or 2016). In 2008, go to Roles, then select Add Roles from the right-hand side.


  2. Click next several times and select the following two roles:
        1. Routing and Remote Access (Remote Access in later versions)
        2. Network Policy and Access Services

  3. Click Add features to any required dependencies.
  4. Select only DirectAccess and VPN and then click next. Routing will not be required in this article.

  5. Restart the server
  6. Open Server Manager again. You will now see Remote Access listed in the left-hand pane. Upon right-clicking it, you will also see Remote Access Management.

Configuring RRAS Role

  1. Go to Administrative Tools -> Routing and Remote Access
  2. You will see the RRAS service stopped. Right click and select Configure and enable Remote Access
  3. Select custom configuration and click next
  4. Select VPN access and click next.
  5. You will get a warning about RRAS creating a default connection request policy in NPS (RADIUS); click OK to continue. Click OK to any prompts about starting the service and click finish.
  6. Depending on what protocols are required, these can be configured under Ports->Properties and also under Properties (of the server) in the Security tab. For this example we will leave the defaults so PPTP will work. A later post will guide you through installing an SSL certificate and configuring SSTP VPN.

Configuring NPS role


  1. Start Network Policy Server from Administrative Tools
  2. Go to Policies->Network Policies
  3. In the overview tab, select Grant access and tick ignore user account dial-in properties.
  4. Go to the Conditions tab. Click Add, select Windows Groups and select Add Group. Choose the group you wish to use to secure VPN. In this example we created a security group called VPN Access. Click OK.
  5. Leave everything else as default for now

Putting it all together and testing

For testing we will allow port 1723 (PPTP) and GRE through the firewall to this server. It is recommended, for simplicity and security, that port 443 (SSTP) be used; this will be covered later.
  1. Create a test user and make it a member of the VPN Access group that was selected earlier.
  2. Have a machine on an external network ready to be used
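
The server-side steps above can also be scripted. The following is an added example, not part of the original guide; it assumes Windows Server 2012 R2 or 2016 joined to a domain, and `vpntest` is a hypothetical account name. The NPS network policy itself is still configured in the console as described earlier.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original guide. Assumes Windows Server 2012 R2/2016,
# a domain-joined server, and rights to create AD objects.
$GroupName = 'VPN Access'   # group named in the NPS Windows Groups condition
$TestUser  = 'vpntest'      # hypothetical test account name

# Roles from the guide: DirectAccess and VPN (no Routing) plus NPS.
$install = Install-WindowsFeature -Name DirectAccess-VPN, NPAS, RSAT-AD-PowerShell -IncludeManagementTools
if ($install.RestartNeeded -eq 'Yes') {
    Write-Warning 'Restart the server, then run this script again.'
    return
}

# Rough equivalent of "custom configuration -> VPN access" in the RRAS wizard.
if ((Get-RemoteAccess).VpnStatus -ne 'Installed') {
    Install-RemoteAccess -VpnType Vpn
}

# Security group and test user for the NPS Windows Groups condition.
Import-Module ActiveDirectory
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
if (-not (Get-ADUser -Filter "SamAccountName -eq '$TestUser'")) {
    $password = Read-Host -AsSecureString -Prompt "Password for $TestUser"
    New-ADUser -Name $TestUser -SamAccountName $TestUser -AccountPassword $password -Enabled $true
}
$members = @(Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName)
if ($members -notcontains $TestUser) {
    Add-ADGroupMember -Identity $GroupName -Members $TestUser
    $members += $TestUser
}

# Checks: both services running, and only intended accounts in the group.
Get-Service -Name RemoteAccess, IAS | Format-Table Name, Status -AutoSize
"Members of '$GroupName': $($members -join ', ')"
$extra = $members | Where-Object { $_ -ne $TestUser }
if ($extra) { Write-Warning "Review other members before opening the firewall: $($extra -join ', ')" }
```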

Configuration of VPN clients

Windows 7

  1. Click Start, type VPN and select 'Setup a private network (VPN) connection'
  2. Under internet address, enter the IP address or external FQDN used to access the server. Under connection name, call it My VPN Connection
  3. Click don't connect now and hit next
  4. Enter the username of the user that was created and enter the Windows domain. Leave password blank
  5. Click create and click close
  6. Go to Network and Sharing Center
  7. Click change adapter properties
  8. Right click My VPN Connection and go to Properties
  9. Go to the security tab and ensure MS-Chap V2 is ticked and PPTP is selected as the type.
  10. Click ok

Windows 10

  1. Go to Settings->Network and Internet->VPN
  2. Select +Add a VPN connection
  3. Select Windows Built-in as the VPN provider. Enter the external IP or FQDN used to access the server. Under connection name, call it My VPN Connection. Leave all others default.
  4. Proceed to step 6 of the Windows 7 instructions

