Installing and configuring NPS for VPN Clients
Lab diagram:
[Diagram: lab topology]
- BKNP-SRV08-01 (VPN Server, NPS for VPN Client): External adapter 131.107.1.1/24, Internal adapter 192.168.1.1
- BKNP-SRV08-02 (File Server, share name Bknpower): 192.168.1.4/24, GW 192.168.1.1
- VPN Client: 131.107.1.100 on the External side; Client 2 and Client 3 are the other client machines shown
Prerequisites:
- BKNP-SRV08-01: two network adapters, adapter 1 on the Internal network and adapter 2 on the External network
- BKNP-SRV08-02: placed on the Internal network to share data
- BKNP-WRK-01: a Windows machine acting as the VPN client
Procedure:
* Install RRAS and Network Policy Server
On BKNP-SRV08-01:
- Choose Start > Programs > Administrative Tools > Server Manager > Roles, right-click and choose Add Roles, select Network Policy and Access Services, then click Next to continue.
[Screenshot: Add Roles Wizard, Select Server Roles, with Network Policy and Access Services checked. The role description reads: provides Network Policy Server (NPS), Routing and Remote Access, Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP), which help safeguard the health and security of your network.]
- In the Select Role Services window, select Network Policy Server and Routing and Remote Access Services, then click Next to start the installation.
[Screenshot: Select Role Services, with Network Policy Server and Routing and Remote Access Services (Remote Access Service, Routing) checked; Health Registration Authority and Host Credential Authorization Protocol unchecked. Description: Routing and Remote Access Services provides remote users access to resources on your private network over VPN or dial-up connections; servers configured with it can also provide LAN and WAN routing to connect network segments or two private networks over the Internet.]
* Create the VPN user and group
- Open Computer Management and create a new user account named vpn that will be a member of the group VPN-group.
[Screenshot: New User dialog for the account vpn, showing the "User cannot change password" option.]
- Add the user vpn to the group VPN-group.
[Screenshot: New Group dialog for VPN-group.]
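The role installation and the account/group creation above can be scripted instead of clicked through. This is an added example and not part of the original lab: it uses Add-WindowsFeature from the ServerManager module (Windows Server 2008/2008 R2) together with net.exe; NPAS-Policy-Server and NPAS-RRAS-Services are assumed to be the role-service identifiers for the two services selected in the wizard, and the password is a placeholder you must replace.

```powershell
# Added example: script the role install and the VPN account/group from the lab.
# Run in an elevated PowerShell on BKNP-SRV08-01. Assumes Windows Server 2008/R2
# with the ServerManager module; the feature names are assumed to match the
# Network Policy Server and Routing and Remote Access Services role services.

Import-Module ServerManager

# Network Policy Server + Routing and Remote Access Services (Remote Access Service and Routing).
# HRA and HCAP are deliberately not installed, matching the Select Role Services choice.
$features = 'NPAS-Policy-Server', 'NPAS-RRAS-Services'
$result = Add-WindowsFeature -Name $features
if (-not $result.Success) {
    throw "Role install failed, exit code: $($result.ExitCode)"
}
Get-WindowsFeature NPAS* | Format-Table DisplayName, Name, Installed -AutoSize

# Local account and group used by the NPS network policy condition (User Groups = VPN-group).
# The password is a placeholder; set a real one (or prompt with Read-Host -AsSecureString).
$vpnUser  = 'vpn'
$vpnGroup = 'VPN-group'
$password = 'P@ssw0rd-change-me'

if (-not (net localgroup $vpnGroup 2>$null)) {
    net localgroup $vpnGroup /add /comment:"Users allowed to connect through the RRAS VPN"
}
if (-not (net user $vpnUser 2>$null)) {
    net user $vpnUser $password /add /comment:"VPN test account"
}
net localgroup $vpnGroup $vpnUser /add

# Confirm membership: the policy created later grants access only to members of this group.
net localgroup $vpnGroup
```

The membership check at the end matters because the NPS policy built later uses User Groups = VPN-group as its only condition; an account outside the group is refused with "no policy matched" rather than a credential error.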
* Configure Routing and Remote Access
- Right-click BKNP-SRV08-01 and choose Configure and Enable Routing and Remote Access.
[Screenshot: Routing and Remote Access console, context menu on BKNP-SRV08-01 (local) offering Configure and Enable Routing and Remote Access, Disable Routing and Remote Access, Delete and Properties. Status text: To add a Routing and Remote Access server, on the Action menu, click Add Server.]
- On the first page of the wizard, click Next to continue.
[Screenshot: Routing and Remote Access Server Setup Wizard welcome page: this wizard helps you set up your server so that you can connect to other networks and allow connections from remote clients.]
- Select Remote access (dial-up or VPN).
[Screenshot: Configuration page with the options Remote access (dial-up or VPN), Network address translation (NAT), Virtual private network (VPN) access and NAT, Secure connection between two private networks, and Custom configuration.]
- In the Remote Access window, select VPN.
[Screenshot: Remote Access page with VPN checked (a VPN server, also called a VPN gateway, can receive connections from remote clients through the Internet) and Dial-up unchecked.]
- In the VPN Connection window, select the network adapter connected to the Internet (External, 131.107.1.1) and leave "Enable security on the selected interface by setting up static packet filters" checked. The static filters allow only VPN traffic to reach the server through that interface, so any other service listening on the External address (remote management, for example) becomes unreachable from outside.
[Screenshot: VPN Connection page. Network interfaces: External, Intel(R) PRO/1000 MT, 131.107.1.1; Internal, Intel(R) PRO/1000 MT, 192.168.1.1. Checkbox: Enable security on the selected interface by setting up static packet filters.]
- In the IP Address Assignment window, select From a specified range of addresses.
[Screenshot: IP Address Assignment page. Options: Automatically (if a DHCP server is used it must be configured properly; otherwise this server generates the addresses) or From a specified range of addresses.]
- Specify the IP range to hand out to VPN connections: 192.168.5.50 to 192.168.5.100. Note that this pool is not on the Internal subnet (192.168.1.0/24); return traffic from internal hosts still reaches VPN clients in this lab because BKNP-SRV08-02 uses 192.168.1.1, the VPN server, as its default gateway. Where the VPN server is not the default gateway, internal hosts or the internal router need a route to 192.168.5.0/24 via 192.168.1.1.
[Screenshot: New IPv4 Address Range dialog. Start IP address: 192.168.5.50; End IP address: 192.168.5.100.]
- Next, choose to authenticate through Routing and Remote Access ("No, use Routing and Remote Access to authenticate connection requests") rather than forwarding requests to a RADIUS server. Requests are still evaluated against the network policies of the NPS installed on this server.
[Screenshot: Managing Multiple Remote Access Servers page. Connection requests can be authenticated locally or forwarded to a RADIUS server; options: No, use Routing and Remote Access to authenticate connection requests (selected) / Yes, set up this server to work with a RADIUS server.]
- Click Finish to complete the wizard.
[Screenshot: Completing the Routing and Remote Access Server Setup Wizard. Summary: VPN clients connect to the following public interface: External; VPN clients are assigned the following network for addressing: Internal; Client connections are accepted and authenticated using: remote access policies for this server. Before clients can connect, user accounts must be added locally or through Active Directory.]
* Configure the NPS service:
- Start > Programs > Administrative Tools > Network Policy Server
[Screenshot: Network Policy Server console with the nodes RADIUS Clients and Servers, Policies, Network Access Protection and Accounting. Getting Started text: NPS allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization; select a configuration scenario and click the link to open its wizard. The Network Access Protection (NAP) scenario describes health policies that validate NAP-capable clients before they connect and place non-compliant clients on a restricted network.]
- Disable the existing policies under Network Policies and create a new one: right-click Network Policies and choose New.
[Screenshot: Network Policies list. Network policies allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect. The two default policies, Connections to Microsoft Routing and Remote Access server (processing order 999998) and Connections to other access servers (999999), are both Disabled with Access Permission: Deny Access. The selected policy's Conditions are Day and time restrictions (Sunday 00:00-24:00, Monday 00:00-24:00, ...); its Settings show Access Permission: Deny Access and Authentication Method: MS-CHAP v1 OR MS-CHAP v1 (User can change password after it has expired) ...]
- In the New Network Policy window, enter a name for the policy and the type of network access server that will send the connection requests.
[Screenshot: Specify Network Policy Name and Connection Type. Policy name: NPS VPN Client. Network connection method: Type of network access server (selected) or Vendor specific.]
- In the Specify Conditions window, click Add.
[Screenshot: Specify Conditions page (specify the conditions that determine whether this network policy is evaluated for a connection request; a minimum of one condition is required), with Add and Remove buttons.]
- Select User Groups.
[Screenshot: Select condition dialog. Groups: Windows Groups (the connecting user or computer must belong to one of the selected groups), Machine Groups (the connecting computer must belong to one of the selected groups), User Groups (the connecting user must belong to one of the selected groups). HCAP: HCAP Location Groups and HCAP User Groups (see your NAS documentation before using these).]
- Select the group VPN-group created earlier.
- Click Next to continue.
[Screenshot: Specify Conditions page with the User Groups condition (VPN-group) added.]
- In the Specify Access Permission window, select Access granted.
[Screenshot: Specify Access Permission page. Access granted (selected): grant access if client connection attempts match the conditions of this policy; Access denied; "Access is determined by User Dial-in properties (which override NPS policy)" unchecked.]
- In the Configure Authentication Methods window the lab keeps the defaults and clicks Next. The defaults are: EAP type Microsoft: Secured password (EAP-MSCHAP v2); under Less secure authentication methods, Microsoft Encrypted Authentication version 2 (MS-CHAP-v2) and Microsoft Encrypted Authentication (MS-CHAP) are checked, each with "User can change password after it has expired", while Encrypted authentication (CHAP), Unencrypted authentication (PAP, SPAP) and "Allow clients to connect without negotiating an authentication method" are unchecked. Note that MS-CHAP (version 1) is cryptographically weak; outside a lab, uncheck it and leave only MS-CHAP v2 and EAP-MSCHAP v2 enabled.
[Screenshot: Configure Authentication Methods page with the EAP Types list (Move Up, Move Down, Add, Edit, Remove) and the Less secure authentication methods checkboxes described above. Help text: EAP types are negotiated between NPS and the client in the order listed; if you deploy NAP with 802.1X or VPN, you must configure Protected EAP in the connection request policy, which overrides network policy authentication settings.]
- In the Configure Constraints window, click Next.
[Screenshot: Configure Constraints page. Constraints are additional parameters that the connection request must match; an unmatched constraint makes NPS reject the request, and they are optional. Constraints listed: Idle Timeout (Disconnect after the maximum idle time, unchecked), Session Timeout, Called Station ID, Day and time restrictions, NAS Port Type.]
- In the Configure Settings window, leave the options unchanged and click Next.
[Screenshot: Configure Settings page, RADIUS Attributes. NPS applies these settings to the connection request if all of the policy's conditions and constraints are matched; a RADIUS attribute that is not configured is not sent to RADIUS clients.]
- Click Finish to complete the configuration.
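Once the policy is in place, confirm it from the command line and, after a test connection from BKNP-WRK-01, read the NPS audit events instead of guessing why a client was refused. This is an added example and not part of the lab. It assumes PowerShell 2.0 or later on BKNP-SRV08-01 (for Get-WinEvent -FilterHashtable), that NPS writes its audit events to the Security log under the standard IDs 6272 (access granted) and 6273 (access denied), and the reason-code table is an abbreviated one supplied here for the codes most often seen in a lab like this, not the full NPS list.

```powershell
# Added example: verify the NPS network policy and decode recent NPS audit events.
# Assumes PowerShell 2.0+ on BKNP-SRV08-01 and that NPS audit events (6272 granted,
# 6273 denied) are being written to the Security log.

# 1. Show the network policies as NPS sees them. "NPS VPN Client" should be enabled
#    and the two default policies disabled.
netsh nps show np

# 2. Abbreviated reason-code map for 6273 events (assumed/partial; NPS defines many more).
$reasonText = @{
    16 = 'Credentials mismatch (bad user name or password)'
    48 = 'No network policy matched the request'
    65 = 'User account dial-in property is set to Deny access'
    66 = 'Authentication method not enabled on the matching network policy'
}

function Get-NpsAuthEvent {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 6272, 6273; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The message body is a block of "Label:<tabs>value" lines; pull the fields we need.
        $field = {
            param($label)
            if ($e.Message -match "(?m)^\s*$label\s*:\s*(.+?)\s*$") { $matches[1] } else { '' }
        }
        $reason = & $field 'Reason Code'
        $result = 'DENIED'
        if ($e.Id -eq 6272) { $result = 'GRANTED' }
        $reasonLabel = $reason
        if ($reason -match '^\d+$' -and $reasonText.ContainsKey([int]$reason)) {
            $reasonLabel = "$reason - $($reasonText[[int]$reason])"
        }
        New-Object PSObject -Property @{
            Time     = $e.TimeCreated
            Result   = $result
            User     = & $field 'Account Name'
            ClientIP = & $field 'Calling Station Identifier'
            Policy   = & $field 'Network Policy Name'
            AuthType = & $field 'Authentication Type'
            Reason   = $reasonLabel
        }
    }
}

# 3. Most recent VPN attempts, newest first. Repeated DENIED rows with reason 48 usually
#    mean the user is not in VPN-group (or the policy is still disabled); reason 66 means
#    the client negotiated a method the policy does not allow.
Get-NpsAuthEvent -Hours 24 | Sort-Object Time -Descending |
    Format-Table Time, Result, User, ClientIP, Policy, AuthType, Reason -AutoSize

# 4. Currently connected VPN clients, from the RRAS side.
netsh ras show client
```

The AuthType column is the quickest way to see whether a client actually negotiated MS-CHAP v2 or fell back to MS-CHAP v1 under the default policy settings.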