Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.
© 2003 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Introduction
Configuring the Initial Test Lab
DC1
Perform basic installation and configuration
Configure the computer as a domain controller
Install and configure DHCP
Add computers to the domain
IAS1
Perform basic installation and configuration
Install and configure Internet Authentication Service
IIS1
Perform basic installation and configuration
Install and configure IIS
Configure a shared folder
VPN1
Perform basic installation and configuration
Configure Routing and Remote Access
Configure DHCP Relay Agent
CLIENT1
Configuring and Testing a Dial-Up Profile
DC1
Create a user account for dial-up connections
Install Connection Manager Administration Kit (CMAK)
Install Phone Book Administrator
Create a phone book
Post the phone book
Create the DialCorp profile with Connection Manager Administration Kit
Prepare to distribute the DialCorp profile
Add more POPs for testing phone book updates
CLIENT1
Install the DialCorp profile
Connect to CorpNet using the DialCorp profile
Test connectivity and automatic phone book updates
Configuring and Testing a PPTP Profile
DC1
Create a user account for VPN connections
Create a group for VPN connections
Update Group Policy
IAS1
Create a remote access policy for VPN connections
IIS1
Configure share permissions
VPN1
Create the PPTPCorp profile
Prepare the PPTPCorp profile for distribution
CLIENT1
Connect to CorpNet and install the PPTPCorp profile
Connect to CorpNet using the PPTPCorp profile
Test connectivity and permissions
Configuring and Testing an L2TP/IPSec Profile
DC1
Install IIS
Install Certificate Services and configure the certification authority
Configure certificate templates
Configure the certification authority to issue the new certificates
Configure Active Directory for autoenrollment of certificates
Create a user account
Update Group Policy
VPN1
Update Group Policy
Create the L2TPCorp profile
Prepare the L2TPCorp profile for distribution
IAS1
CLIENT1
Get a certificate
Connect to CorpNet using the L2TPCorp profile
Test connectivity
Configuring and Testing an EAP Profile
DC1
Configure a User certificate
Configure the certification authority to issue the new certificate
Configure Active Directory for autoenrollment of user certificates
Configure group membership and update Group Policy
IAS1
Update Group Policy
Edit the VPN remote access policy
VPN1
Update Group Policy
Create the EAPCorp profile
Introduction
This white paper provides detailed information about how you can use five computers to create a test lab in which you can create and test Connection Manager profiles. These instructions also take you step-by-step through creating and installing Connection Manager profiles for dial-up remote access, VPN remote access with PPTP, VPN remote access with L2TP/IPSec, and VPN remote access with EAP-TLS authentication. As you complete this test lab, you will also test two methods of distributing profiles to client computers: from a floppy disk and over an intranet connection.
This white paper is intended for enterprise-level administrators who have experience managing remote access connections, administering Active Directory, and operating a test lab. It does not provide a conceptual overview of any of the technologies that you implement in the lab or of general test lab operations. For links to conceptual information, general deployment information, and product details, see Related Links at the end of this paper.
The instructions in this white paper are cumulative. To reproduce the test lab configurations detailed in this white paper, you must complete each section in the sequence in which it appears, and you must follow the steps in each section in sequence.
Note: The following instructions describe configuring a test lab to test the relevant scenarios. To clearly separate the services provided on the network and to show the desired functionality, you need a minimum of four servers.
In addition, these test lab configurations reflect neither best practices nor a desired or recommended configuration for a production environment. For example, the test lab uses the same computer as a domain controller, a Domain Name System (DNS) server, and a Dynamic Host Configuration Protocol (DHCP) server. In a production environment, you should not run other services on a domain controller. These test lab configurations, including IP addresses and all other configuration parameters, are designed to work only on a test lab network.
Configuring the Initial Test Lab
To follow the steps in this white paper, you will need to configure five computers in a specific topology. Each computer in the lab has specific hardware and operating system requirements, which are specified in the subsections below.
To set up this test lab, you will need the following hardware and software:
• Four computers that are capable of running members of the Windows Server 2003 family
o One server must have two network adapters and a modem
o One server must have a floppy disk drive
• One computer that is capable of running Microsoft Windows XP Professional and that has a modem and a floppy disk drive
• Two network hubs or Layer 2 switches
• One operating system disc for Windows Server 2003, Enterprise Edition
• Three operating system discs for Windows Server 2003, Standard Edition
• One operating system disc for Windows XP Professional
Figure 1 shows the network topology for this lab.
The following subsections describe how you will set up the basic infrastructure. To reconstruct this test lab, configure the computers in the order presented. Additional sections of this paper describe the specific configuration steps required for testing dial-up, PPTP, L2TP/IPSec, and EAP-TLS connections.
DC1
As part of setting up the basic infrastructure for the test lab, configure DC1 as the domain controller, the DNS server, and the DHCP server for a domain that is named example.com.
Perform basic installation and configuration
1. Install Windows Server 2003, Enterprise Edition, and configure the computer as a stand-alone server named DC1.
2. Configure the connection to the intranet segment with the IP address of 172.16.0.1 and the subnet mask of 255.255.255.0.
Configure the computer as a domain controller
1. Click Start, click Run, type dcpromo.exe, and click OK to start the Active Directory Installation Wizard.
2. Follow the instructions in the wizard to create a domain named example.com in a new forest. Install the DNS service when prompted to do so.
3. Raise the functional level of the example.com domain to a native Windows Server 2003 domain.
Install and configure DHCP
1. Install DHCP as a subcomponent of the Networking Services component.
2. Click Start, point to Administrative Tools, and click DHCP.
3. In the console tree, click dc1.example.com. On the Action menu, click Authorize to authorize the DHCP service.
4. In the console tree, right-click dc1.example.com, and then click New Scope.
5. On the Welcome page of the New Scope Wizard, click Next.
6. On the Scope Name page, type CorpNet in Name, and click Next.
7. On the IP Address Range page, type 172.16.0.10 in Start IP address, type 172.16.0.100 in End IP address, type 24 in Length, and click Next.
8. On the Add Exclusions page, click Next.
9. On the Lease Duration page, click Next.
IP address, click Add, and click Next.
Completing the New Scope Wizard page, click Finish.
Add computers to the domain
1. Open Active Directory Users and Computers.
2. In the console tree, double-click example.com.
3. Right-click Users, point to New, and then click Computer.
4. In the New Object – Computer dialog box, type IAS1 in Computer name, and click Next.
5. In the Managed dialog box, click Next.
6. In the New Object – Computer dialog box, click Finish.
7. Follow steps 3-6 to create additional computer accounts for IIS1 and VPN1.
IAS1
As part of setting up the basic infrastructure for the test lab, configure IAS1 as the RADIUS server that provides authentication, authorization, and accounting for VPN1.
Perform basic installation and configuration
1. Install Windows Server 2003, Standard Edition, and configure the computer as a member server named IAS1 in the example.com domain.
2. Configure the connection to the intranet segment with the IP address of 172.16.0.2, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
Install and configure Internet Authentication Service
1. Install Internet Authentication Service as a subcomponent of the Networking Services component.
2. Click Start, point to Administrative Tools, and click Internet Authentication Service.
IIS1
As part of setting up the basic infrastructure for the test lab, configure IIS1 as a Web server and a file server for the example.com domain.
Perform basic installation and configuration
1. Install Windows Server 2003, Standard Edition, and configure the computer as a member server named IIS1 in the example.com domain.
2. Configure the connection to the intranet segment with the IP address of 172.16.0.3, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
Install and configure IIS
1. Install Internet Information Services (IIS) as a subcomponent of the Application Server component.
2. Create a file in Notepad that contains the text shown in the following figure.
3. Save the file as C:\inetpub\wwwroot\test.html, where C is the drive on which the operating system is installed.
4. Start Internet Explorer on IAS1. If the Internet Connection Wizard prompts you, configure Internet access through a LAN connection. In Internet Explorer, type http://IIS1.example.com/test.html in Address. You should see the text that you specified in the body of your text file: This is test text.
Configure a shared folder
1. On IIS1, use Windows Explorer to share the root folder of the drive on which you installed the operating system. Name the share ROOT, and retain the default permissions.
2. To determine whether file sharing is working correctly, on IAS1, click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the files in the root folder on IIS1.
VPN1
As part of setting up the basic infrastructure for the test lab, configure VPN1 as a remote access server. VPN1 must have two network adapters and a modem.
Perform basic installation and configuration
1. Install Windows Server 2003, Standard Edition, and configure the computer as a member server named VPN1 in the example.com domain.
2. Rename the connection to the intranet segment as CorpNet, and rename the connection to the Internet segment as Internet.
3. Configure the CorpNet connection with the IP address of 172.16.0.4, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
4. Configure the Internet connection with the IP address of 10.0.0.2 and the subnet mask of 255.255.255.0.
5. If Windows does not configure the modem automatically, start the Add Hardware wizard, and configure the modem.
Configure Routing and Remote Access
1. Click Start, point to Administrative Tools, and click Routing and Remote Access.
2. In the console tree, right-click VPN1, and click Configure and Enable Routing and Remote Access.
3. On the Welcome to the Routing and Remote Access Server Setup Wizard page, click Next.
4. On the Configuration page, Remote access (dial-up or VPN) is selected by default. Click Next.
5. On the Remote Access page, select both the VPN and Dial-up check boxes, and click Next.
6. On the VPN Connection page, click the Internet interface in Network interfaces, and click Next.
7. On the Network Selection page, click the CorpNet interface in Network Interfaces, and click Next.
8. On the IP Address Assignment page, Automatically is selected by default. Click Next.
9. On the Managing Multiple Remote Access Servers page, click Yes, set up this server to work with a RADIUS server, and click Next.
RADIUS Server Selection page, type 172.16.0.2 in Primary RADIUS server, type the shared secret in Shared secret, and click Next.
Configure DHCP Relay Agent
1. In the console tree, double-click VPN1, double-click IP Routing, and right-click DHCP Relay Agent, as shown in the following figure.
2. Click Properties.
3. In the DHCP Relay Agent Properties dialog box, type 172.16.0.1 in Server address, and click Add. The server address will be added to the list, as shown in the following figure. Click OK.
CLIENT1
As part of setting up the basic infrastructure for the test lab, configure CLIENT1 as a standalone computer on a separate network segment. CLIENT1 must have a modem.
1. Install Windows XP Professional, and configure the computer as a standalone computer named CLIENT1.
2. Configure the connection to the Internet segment with the IP address of 10.0.0.1 and the subnet mask of 255.255.255.0.
3. If Windows does not configure the modem automatically, start the Add Hardware wizard, and configure the modem.
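Before building the five computers, it is worth checking that the addressing plan above is internally consistent. As an added example (not part of the original white paper), the following Python script encodes the addresses the paper assigns and verifies the properties the lab relies on: every static address is inside its segment, none collides with the CorpNet DHCP scope (the paper adds no exclusions), VPN1 is the only dual-homed host, and the DHCP relay and RADIUS targets that VPN1 points at are real CorpNet hosts.

```python
"""Sanity checks for the test-lab addressing plan (added example, not from the paper)."""
import ipaddress

# Segments and addresses exactly as the white paper assigns them.
CORPNET = ipaddress.ip_network("172.16.0.0/24")   # intranet segment
INTERNET = ipaddress.ip_network("10.0.0.0/24")    # "Internet" segment
SEGMENTS = {"CorpNet": CORPNET, "Internet": INTERNET}

HOSTS = {
    "DC1": {"CorpNet": "172.16.0.1"},
    "IAS1": {"CorpNet": "172.16.0.2"},
    "IIS1": {"CorpNet": "172.16.0.3"},
    "VPN1": {"CorpNet": "172.16.0.4", "Internet": "10.0.0.2"},
    "CLIENT1": {"Internet": "10.0.0.1"},
}
DHCP_SCOPE = (ipaddress.ip_address("172.16.0.10"),
              ipaddress.ip_address("172.16.0.100"))  # CorpNet scope
DHCP_SERVER = ipaddress.ip_address("172.16.0.1")     # DHCP Relay Agent target on VPN1
RADIUS_SERVER = ipaddress.ip_address("172.16.0.2")   # primary RADIUS server on VPN1


def check_plan(hosts=HOSTS):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    seen = {}
    for host, ifaces in hosts.items():
        for seg, addr in ifaces.items():
            ip = ipaddress.ip_address(addr)
            net = SEGMENTS[seg]
            if ip not in net:
                problems.append(f"{host}/{seg}: {ip} is not inside {net}")
            if ip in (net.network_address, net.broadcast_address):
                problems.append(f"{host}/{seg}: {ip} is the network or broadcast address")
            if ip in seen:
                problems.append(f"{host}/{seg}: {ip} duplicates {seen[ip]}")
            seen[ip] = host
            # Static CorpNet hosts must sit outside the DHCP scope, because the
            # paper clicks straight through the Add Exclusions page.
            if seg == "CorpNet" and DHCP_SCOPE[0] <= ip <= DHCP_SCOPE[1]:
                problems.append(f"{host}: {ip} lies inside the DHCP scope without an exclusion")
    # VPN1 is the only host that bridges the segments; CLIENT1 reaches CorpNet
    # only through a dial-up or VPN connection to VPN1.
    dual = [h for h, i in hosts.items() if set(i) == {"CorpNet", "Internet"}]
    if dual != ["VPN1"]:
        problems.append(f"dual-homed hosts should be exactly VPN1, found {dual}")
    # The relay target and RADIUS server must be configured CorpNet hosts.
    configured = {a for i in hosts.values() for a in i.values()}
    for name, target in (("DHCP relay target", DHCP_SERVER),
                         ("RADIUS server", RADIUS_SERVER)):
        if target not in CORPNET or str(target) not in configured:
            problems.append(f"{name} {target} is not a configured CorpNet host")
    return problems


if __name__ == "__main__":
    for line in check_plan() or ["addressing plan is consistent"]:
        print(line)
```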
Configuring and Testing a Dial-Up Profile
This section describes how to configure the test lab for dial-up access and phone book distribution, create a Connection Manager profile for dial-up access, and install and test this profile on the client computer.
DC1
To configure the test lab for dial-up access, create an appropriate user account and an appropriate group on DC1.
Create a user account for dial-up connections
1. Open Active Directory Users and Computers.
2. In the console tree under the example.com domain, right-click Users, point to New, and then click User.
3. In the New Object – User dialog box, type DialUser in First name, type DialUser in User logon name, and click Next.
4. In the New Object – User dialog box, type a password of your choice in Password and Confirm password. Clear the User must change password at next logon check box, select the Password never expires check box, and click Next.
5. In the New Object – User dialog box, click Finish.
Create a group for dial-up connections
1. In the console tree, right-click Users, point to New, and then click Group.
2. In the New Object – Group dialog box, type DialUsers in Group name, and then click OK.
3. In the details pane, double-click DialUsers.
4. In the DialUsers Properties dialog box, click the Members tab, and then click Add.
5. In the Select Users, Contacts, Computers, or Groups dialog box, type DialUser in Enter the object names to select, and click OK.
6. In the Multiple Names Found dialog box, click OK.
7. Click OK to save changes to the DialUsers group.
IAS1
To configure the test lab for dial-up access, configure IAS1 with an appropriate remote access policy for dial-up access.
Create a remote access policy for dial-up connections
1. Open Internet Authentication Service.
2. In the console tree, right-click Remote Access Policies, and then click New Remote Access Policy.
3. On the Welcome to the New Remote Access Policy Wizard page, click Next.
4. On the Policy Configuration Method page, type Dial-up remote access to intranet in Policy name, and click Next.
5. On the Access Method page, select Dial-up, and click Next.
6. On the User or Group Access page, click Group, and click Add.
7. In the Select Groups dialog box, type DialUsers in Enter the object names to select. Specify the location as example.com, not IAS1. Click OK. The DialUsers group in the example.com domain is added to the list of groups on the User or Group Access page. Click Next.
8. On the Authentication Methods page, the MS-CHAP v2 authentication protocol is selected by default. Click Next.
9. On the Policy Encryption Level page, clear the Basic encryption and Strong encryption check boxes, and click Next.
Completing the New Remote Access Policy Wizard page, click Finish.
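The policy just created is applied by IAS together with the dial-in setting on the user account: the first policy whose conditions match the request decides, and its profile then constrains authentication and encryption. As an added example (not IAS code and not from the original white paper), the following Python model approximates that first-match evaluation for constructed access requests; the policy name, group, port type, authentication method and "no encryption only" level mirror the lab, while the request fields and the simplified permission handling are assumptions.

```python
"""Approximate model of IAS remote access policy evaluation (added example, not IAS code)."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    domain: str                  # NetBIOS domain, e.g. EXAMPLE
    groups: frozenset            # Windows groups the account belongs to
    nas_port_type: str           # "Dial-up" or "VPN"
    auth_method: str             # e.g. "MS-CHAP v2", "PAP"
    encryption: str              # "none", "basic" or "strong"
    dialin_permission: str = "control through policy"  # account's Dial-in tab


@dataclass
class RemoteAccessPolicy:
    name: str
    nas_port_types: frozenset    # NAS-Port-Type condition
    group: str                   # Windows-Groups condition, DOMAIN\Group
    auth_methods: frozenset      # profile: permitted authentication methods
    encryption_levels: frozenset # profile: permitted encryption levels

    def matches(self, req):
        """Conditions: both NAS-Port-Type and Windows-Groups must match."""
        member_of = {f"{req.domain}\\{g}" for g in req.groups}
        return req.nas_port_type in self.nas_port_types and self.group in member_of

    def profile_permits(self, req):
        """Profile constraints are applied only after the policy has matched."""
        return (req.auth_method in self.auth_methods
                and req.encryption in self.encryption_levels)


# The lab policy: Dial-up port type, EXAMPLE\DialUsers, MS-CHAP v2, and with
# Basic and Strong encryption cleared so that only "No encryption" remains.
DIALUP_POLICY = RemoteAccessPolicy(
    name="Dial-up remote access to intranet",
    nas_port_types=frozenset({"Dial-up"}),
    group="EXAMPLE\\DialUsers",
    auth_methods=frozenset({"MS-CHAP v2"}),
    encryption_levels=frozenset({"none"}),
)


def evaluate(req, policies=(DIALUP_POLICY,)):
    """Return (granted, reason) using first-match policy ordering."""
    for policy in policies:
        if not policy.matches(req):
            continue  # conditions do not match: try the next policy in order
        # Simplification (assumption): an explicit Deny on the account wins;
        # Allow and "control through policy" both fall through to the profile,
        # because the wizard-created policy grants access.
        if req.dialin_permission == "deny":
            return False, f"{policy.name}: account dial-in permission is deny"
        if not policy.profile_permits(req):
            return False, f"{policy.name}: authentication or encryption not permitted by profile"
        return True, policy.name
    return False, "no matching remote access policy"


if __name__ == "__main__":
    req = AccessRequest("DialUser", "EXAMPLE", frozenset({"Domain Users", "DialUsers"}),
                        "Dial-up", "MS-CHAP v2", "none")
    print(evaluate(req))
```

Until the later section adds a VPN policy, a VPN request from DialUser falls through every policy and is refused, which is the behaviour the lab's separate PPTP policy exists to change.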
IIS1
To configure the test lab for dial-up access, configure IIS1 as a phone book server.
Install Connection Point Services (CPS)
1. Click Start, point to Control Panel, and click Add or Remove Programs.
2. Click Add/Remove Windows Components, click Management and Monitoring Tools, and click Details.
3. Select the Connection Point Services check box (as shown in the following figure), and install CPS.
4. When asked whether to enable PBS requests (as shown in the following figure), click Yes.
Configure a user account and permissions for posting phone book data
1. Create a local user account, called Post, for posting phone book data, and clear the User must change password at next logon check box. Make this account a member of the Guests group. Do not make this a domain user account.
2. Open Windows Explorer, double-click Program Files, right-click Phone Book Service, and click Properties.
3. In the Phone Book Service Properties dialog box, click the Security tab, and click Advanced.
4. Clear the Allow inheritable permissions from the parent to propagate to this object and all child objects check box. Remove all users from Group or User Names by clicking Remove. Click OK.
5. Click Add, add the Post user account with Read & Execute and Write permissions, as shown in the figure below. Click OK.
6. Open Internet Information Services (IIS) Manager.
7. In the console tree, double-click IIS1, double-click FTP Sites, right-click Default FTP Site, and then click Properties.
8. In the Default FTP Site Properties dialog box, click the Security Accounts tab, and ensure that the Allow anonymous connections check box is cleared (as shown in the figure below). If a warning message appears when you clear the check box, click Yes. Click OK.
9. In the console tree, double-click Default FTP Site, right-click PBSData, and then click Properties.
VPN1
To configure the test lab for dial-up access, install Connection Manager Administration Kit and Phone Book Administrator on VPN1. Additionally, create a phone book and post it to the phone book server, and create a dial-up Connection Manager profile.
Install Connection Manager Administration Kit (CMAK)
1. Click Start, point to Control Panel, and click Add or Remove Programs.
2. Click Add/Remove Windows Components, click Management and Monitoring Tools, and click Details.
3. Select the Connection Manager Administration Kit check box (as shown in the following figure), and install CMAK.
Install Phone Book Administrator
1. Open Windows Explorer, and browse the installation disc for Windows Server 2003, Standard Edition.
2. Install PBA from the valueadd\msft\mgmt\pba folder by double-clicking pbainst.exe, as shown in the following figure.
3. Click Yes.
4. When installation finishes, click OK.
Create a phone book
1. Click Start, point to All Programs, point to Administrative Tools, and then click Phone Book Administrator.
2. On the File menu, click New Phone Book.
3. In the Add New Phone Book dialog box, type DialCorp in New phone book name, as shown in the following figure.
4. Click OK to add the DialCorp phone book, as shown in the following figure.
5. Click Add.
6. In the Add POP - DialCorp dialog box, on the Access Information tab, type Local Dial to CorpNet in POP name. In Country/Dependency, choose the country or dependency in which your test lab is located. If the phone number for the modem on VPN1 requires an area code, type it in Area code; otherwise, type a space in Area code. Type the phone number for the modem that is installed on VPN1 in Access number. In Status, click In Service, as shown in the following figure.
Post the phone book
1. On the Tools menu, click Options.
2. In the Options - DialCorp dialog box, type IIS1.example.com in Server address, Post in User name, and the password for the Post account in Password, as shown in the following figure. Click OK.
3. On the Tools menu, click Publish Phone Book to open the Publish Phone Book - DialCorp dialog box, as shown in the following figure.
4. Click Create.
5. When the phone book has been created, the Post button is activated, as shown in the following figure.
6. Click Post to post the phone book, and wait for the phone book to post.
7. Click Close, and then close PBA.
Create the DialCorp profile with Connection Manager Administration Kit
1. Click Start, point to Administrative Tools, and click Connection Manager Administration Kit.
2. On the Welcome to the Connection Manager Administration Kit Wizard page, click Next.
3. On the Service Profile Selection page, ensure that New profile is clicked, and then click Next.
4. On the Service and File Names page, type Dial-up to CorpNet in Service name and DialCorp in File name (as shown in the following figure), and then click Next.
6. On the Merging Profile Information page, click Next.
7. On the VPN Support page, click Next.
8. On the Phone Book page, click Browse, and browse to DialCorp.pbk. This file will be under Program Files\PBA. Click the file, and click Open. The name of the file will appear in Phone book file, as shown in the following figure. Click Next.
9. On the Phone Book Updates page, type iis1.example.com in Connection Point Services server (as shown in the following figure), and then click Next.
10. On the Dial-up Networking Entries page (shown in the following figure), click Edit.
11. In the Edit Dial-up Networking Entry dialog box, click the Security tab. In Security settings, click Use advanced security settings (as shown in the following figure), and then click Configure.
13. Click OK twice to return to the Dial-up Networking Entries page, and then click Next.
14. On the Routing Table Update page, click Next.
15. On the Automatic Proxy Configuration page, click Next.
16. On the Custom Actions page, click Next.
17. On the Logon Bitmap page, click Next.
Additional Files page, click Next.
26. On the Ready to Build the Service Profile page, select the Advanced Customization check box (as shown in the following figure), and then click Next.
28. Click Apply, and then click Next. A command prompt window will open and close as the profile is created. When the Completing the Connection Manager Administration Kit Wizard page appears (as shown in the following figure), click Finish.
Prepare to distribute the DialCorp profile
1. In Windows Explorer, open Program Files, CMAK, Profiles, and DialCorp, as shown in the following figure.
2. Copy DialCorp.exe to a floppy disk.
Add more POPs for testing phone book updates
1. Open PBA, and add several more POPs to the DialCorp phone book.
2. Post the phone book again.
CLIENT1
To configure the test lab for dial-up access, install the DialCorp profile on CLIENT1.
Install the DialCorp profile
1. Insert the floppy disk on which you saved the DialCorp profile into the floppy disk drive of CLIENT1.
2. Open Windows Explorer, and browse to the floppy drive, as shown in the following figure.
3. Double-click DialCorp.exe. When asked whether you want to install the profile (as shown in the following figure), click Yes.
4. When prompted for whom to make this connection available, ensure that My use only is clicked (as shown in the following figure), and then click OK.
Connect to CorpNet using the DialCorp profile
1. On the Dial-up to CorpNet logon screen, type DialUser in User Name, the password for the DialUser account in Password, and EXAMPLE in Logon domain (as shown in the following figure), and then click Properties.