May 17, 2024

Set up an NAP VPN in Windows Server 2012 R2



Published June 14, 2023, 1:20 p.m. by Courtney



1. Prepare

- DC11 : Domain Controller (pns.vn), IP 10.0.0.11

- DC12 : Certificate Server, IP 10.0.0.12, Gateway 10.0.0.13

- DC13 : VPN Server, IP 10.0.0.13 and 10.0.2.13

- WIN71 : Client, IP 10.0.2.71, Gateway 10.0.2.13

2. Step by step : Set up an NAP VPN, have WIN71 access the File Server using the HiepIT account, and test that the local Firewall is forced on

- DC13 : Request Certificate, set up NAP and routing

+ Start - MMC - File - Add/Remove Snap-in... - Certificates - Add - Computer account - Finish - Console Root - Certificates - Right-click Personal - All Tasks - Request New Certificate... - Next to Request Certificates : Select Computer - Enroll - Finish

+ Server Manager - Manage - Add Roles and Features - Next to Server Roles : Select "Network Policy and Access Services" - Add Features - Next to Install

+ Server Manager - Tools - Network Policy Server - NPS (Local) :

+ Network Access Protection - System Health Validators - Windows Security Health Validator - Settings - Default Configuration - Uncheck Antivirus Settings, Spyware Protection Settings and Automatic Update Settings

+ Policies - Right-click Health Policies - New - Policy name : Compliant, Client SHV checks : Client passes one or more SHV checks, Check "Windows Security Health…"

+ Policies - Right-click Health Policies - New - Policy name : Non-compliant, Client SHV checks : Client fails one or more SHV checks, Check "Windows Security Health…"

+ Policies - Network Policies - Disable "Connections to Microsoft Routing and Remote Access server" and "Connections to other access servers"

+ Right-click Network Policies - New - Policy name : Full Access - Specify Conditions - Add... - Health Policies - Add... - Health policies : Compliant - OK - Next to Finish

+ Right-click Network Policies - New - Policy name : Limit Access - Specify Conditions - Add... - Health Policies - Add... - Health policies : Non-compliant - OK - Next to Configure Settings :

+ NAP Enforcement : Choose "Allow limited access"

+ IP Filters : Input Filters… - New... - Destination network: IP address: 10.0.0.11, Subnet mask: 255.255.255.255; Out Filters… - Source network: IP address: 10.0.0.11 - Finish

+ Policies - Connection Request Policies - Disable "Use Windows authentication for all users"

+ Right-click "Connection Request Policies" - New - Policy name: NAP VPN - Type of network access server : Select "Remote Access Server(VPN-Dial up)" - Specify Conditions - Add... - Tunnel Type - Add... - Select L2TP, PPTP, SSTP - Specify Authentication Methods : Check "Override network policy authentication settings" - EAP Types :

+ Add... - Select "Microsoft: Protected EAP (PEAP)" - OK

+ Add... - Select "Microsoft: Secured password (EAP-MSCHAP v2)" - OK - Next to Finish

+ Server Manager - Manage - Add Roles and Features - Next to Server Roles : Select "Remote Access" - Next to Role Services - Select Routing - Add Features - Next to Install - Close

+ Tools - Routing and Remote Access - Right-click DC13 : Configure and Enable Routing and Remote Access - Choose "Custom configuration" - Select "VPN access", "NAT", "LAN routing" - Finish - Start service

+ Right-click DC13 - Properties - IPv4 tab - choose "Static address pool" - Add - Start 10.0.10.100 End 10.0.10.200 - OK

+ IPv4 - Right-click NAT - New Interface... - Internet (10.0.2.13) :

+ NAT tab - Choose "Public interface connected to the Internet" - Select "Enable NAT on this interface"

+ Services and Ports tab - Select "Web Server (HTTP)" - Private address : 10.0.0.12 - OK

+ Right-click DC13 - All Tasks - Restart

+ Tools - Network Policy Server - Policies - Connection Request Policies - Disable "Microsoft Routing and Remote Access Service Policy"
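
The scriptable parts of the DC13 procedure above, as an added PowerShell example that is not part of the original page: it enrolls the computer certificate, installs the two roles, and, once the GUI policy steps are done, checks the services and exports the NPS configuration for review. The function names and the export path are hypothetical, and it assumes the certificate server offers the built-in Computer template to DC13.

```powershell
# Added example, not from the original page. Run in an elevated session on DC13.
$ErrorActionPreference = 'Stop'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, which a PEAP server certificate needs

function Get-ServerAuthCert {
    # Unexpired machine-store certificates with a private key and the Server Authentication EKU
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid)
    }
}

# Step "Request Certificate": enroll only if no usable certificate exists yet.
# "Machine" is the internal name of the built-in "Computer" template.
if (-not (Get-ServerAuthCert)) {
    $result = Get-Certificate -Template Machine -CertStoreLocation Cert:\LocalMachine\My
    if ($result.Status -ne 'Issued') { throw "Enrollment status: $($result.Status)" }
}

# Steps "Add Roles and Features": Network Policy Server and the Routing role service.
$install = Install-WindowsFeature -Name NPAS-Policy-Server, Routing -IncludeManagementTools
if ($install.RestartNeeded -ne 'No') { Write-Warning 'Restart DC13 before configuring NPS and RRAS.' }

# Run after the GUI steps: confirm both services and keep a reviewable copy of the policies.
function Test-NapVpnServer {
    param([string]$ExportPath = 'C:\NpsExport\dc13-nps.xml')   # hypothetical path
    $services = Get-Service -Name IAS, RemoteAccess   # IAS = Network Policy Server, RemoteAccess = RRAS
    $dir = Split-Path $ExportPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # The export contains RADIUS shared secrets in clear text: restrict who can read it.
    Export-NpsConfiguration -Path $ExportPath
    [pscustomobject]@{
        ServerAuthCerts = @(Get-ServerAuthCert).Count
        NpsRunning      = ($services | Where-Object Name -eq 'IAS').Status -eq 'Running'
        RrasRunning     = ($services | Where-Object Name -eq 'RemoteAccess').Status -eq 'Running'
        NpsExport       = $ExportPath
    }
}
```

Call `Test-NapVpnServer` once the policies are in place; the exported XML can be reviewed or diffed to confirm that the default policies are disabled and that only the Compliant and Non-compliant rules remain active.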
