Tutorial: Deploy Always On VPN - Set up infrastructure for Always On VPN

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 10, Windows 11

In this tutorial, you'll learn how to deploy Always On VPN connections for remote domain-joined Windows client computers. You'll create a sample infrastructure that shows you how to implement an Always On VPN connection process. The process is composed of the following steps:

  1. The Windows VPN client uses a public DNS server to perform a name resolution query for the IP address of the VPN gateway.

  2. The VPN client uses the IP address returned by DNS to send a connection request to the VPN gateway.

  3. The VPN server is also configured as a Remote Authentication Dial-In User Service (RADIUS) Client; the VPN RADIUS Client sends the connection request to the NPS server for connection request processing.

  4. The NPS server processes the connection request, including performing authorization and authentication, and determines whether to allow or deny the connection request.

  5. The NPS server forwards an Access-Accept or Access-Deny response to the VPN server.

  6. The connection is initiated or terminated based on the response that the VPN server received from the NPS server.

Prerequisites

To complete the steps in this tutorial,

  • You'll need access to four physical computers or virtual machines (VMs).

  • Ensure that your user account on all machines is a member of Administrators, or equivalent.

Important

Using Remote Access in Microsoft Azure is not supported, including both Remote Access VPN and DirectAccess. For more information, see Microsoft server software support for Microsoft Azure virtual machines.

Create the domain controller

  1. Install Windows Server on the machine that will run the domain controller.

  2. Install Active Directory Domain Services (AD DS). For detailed information on how to install AD DS, see Install Active Directory Domain Services.

  3. Promote the Windows Server to a domain controller. For this tutorial, you'll create a new forest and add the domain to that new forest. For detailed information on how to install the domain controller, see AD DS Installation.

  4. Install and configure the Certificate Authority (CA) on the domain controller. For detailed information on how to install CA, see Install the Certification Authority.

Create an Active Directory Group Policy

In this section, you'll create a Group Policy on the domain controller so that domain members automatically request user and computer certificates. This configuration lets VPN users request and retrieve user certificates that automatically authenticate VPN connections. This policy also allows the NPS server to request server authentication certificates automatically.

  1. On the domain controller, open Group Policy Management.

  2. In the left pane, right-click your domain (for example, corp.contoso.com). Select Create a GPO in this domain, and Link it here.

  3. On the New GPO dialog box, for Name, enter Autoenrollment Policy. Select OK.

  4. In the left pane, right-click Autoenrollment Policy. Select Edit to open the Group Policy Management Editor.

  5. In the Group Policy Management Editor, complete the following steps to configure computer certificate autoenrollment:

    1. In the left pane, go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

    2. In the details pane, right-click Certificate Services Client – Auto-Enrollment. Select Properties.

    3. On the Certificate Services Client – Auto-Enrollment Properties dialog box, for Configuration Model, select Enabled.

    4. Select Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates.

    5. Select OK.

  6. In the Group Policy Management Editor, complete the following steps to Configure user certificate autoenrollment:

    1. In the left pane, go to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

    2. In the details pane, right-click Certificate Services Client – Auto-Enrollment and select Properties.

    3. On the Certificate Services Client – Auto-Enrollment Properties dialog box, in Configuration Model, select Enabled.

    4. Select Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates.

    5. Select OK.

    6. Close the Group Policy Management Editor.

  7. Close Group Policy Management.

Create the NPS server

  1. Install Windows Server on the machine that will run the NPS server.

  2. On the NPS server, install the Network Policy and Access Services (NPS) role. For detailed information on how to install NPS, see Install Network Policy Server.

  3. Register the NPS Server in Active Directory. For information on how to register NPS Server in Active Directory, see Register an NPS in an Active Directory Domain.

  4. Make sure that your firewalls allow the traffic that is necessary for both VPN and RADIUS communications to function correctly. For more information, see Configure Firewalls for RADIUS Traffic.

  5. Create the NPS Servers group:

    1. On the domain controller, open Active Directory Users and Computers.

    2. Under your domain, right-click Computers. Select New, then select Group.

    3. In Group name, enter NPS Servers, then select OK.

    4. Right-click NPS Servers and select Properties.

    5. On the Members tab of the NPS Servers Properties dialog box, select Add.

    6. Select Object Types, select the Computers check box, then select OK.

    7. In Enter the object names to select, enter the computer name of the NPS server. Select OK.

    8. Close Active Directory Users and Computers.

Create the VPN server

  1. Install Windows Server on the machine that will run the VPN Server. Ensure that the machine has two physical network adapters installed: one to connect to the internet, and one to connect to the network where the domain controller is located.

  2. Identify which network adapter connects to the internet and which network adapter connects to the domain. Configure the network adapter facing the internet with a public IP address, while the adapter facing the intranet can use an IP address from the local network.

  3. For the network adapter connecting to the domain, set the DNS preferred IP address to the IP address of the domain controller.

  4. Join the VPN server to the domain. For information on how to join a server to a domain, see To join a server to a domain.

  5. Open your firewall rules to allow UDP ports 500 and 4500 inbound to the external IP address applied to the public interface on the VPN server.

  6. On the network adapter connecting to the domain, enable the following ports: UDP 1812, UDP 1813, UDP 1645, and UDP 1646.

  7. Create the VPN Servers group:

    1. On the domain controller, open Active Directory Users and Computers.

    2. Under your domain, right-click Computers. Select New, then select Group.

    3. In Group name, enter VPN Servers, then select OK.

    4. Right-click VPN Servers and select Properties.

    5. On the Members tab of the VPN Servers Properties dialog box, select Add.

    6. Select Object Types, select the Computers check box, then select OK.

    7. In Enter the object names to select, enter the computer name of the VPN server. Select OK.

    8. Close Active Directory Users and Computers.

  8. Follow the steps in Install Remote Access as a VPN server to install the VPN server.

  9. Open the Routing and Remote Access tool from Server Manager.

  10. Right-click the VPN server, and then select Properties.

  11. In Properties, select the Security tab and then:

    1. Select Authentication provider and select RADIUS Authentication.

    2. Select Configure to open the RADIUS Authentication dialog.

    3. Select Add to open the Add RADIUS Server dialog.

      1. In Server name, enter the Fully Qualified Domain Name (FQDN) of the NPS server. In this tutorial, the NPS server is the domain controller server. For example, if the NetBIOS name of your NPS and domain controller server is dc1 and your domain name is corp.contoso.com, enter dc1.corp.contoso.com.

      2. In Shared secret, select Change to open the Change Secret dialog box.

      3. In New secret, enter a text string.

      4. In Confirm new secret, enter the same text string, then select OK.

      5. Save this secret. You'll need it when you add this VPN server as a RADIUS client later in this tutorial.

    4. Select OK to close the Add RADIUS Server dialog.

    5. Select OK to close the RADIUS Authentication dialog.

  12. On the VPN server Properties dialog, select Authentication Methods....

  13. Select Allow machine certificate authentication for IKEv2.

  14. Select OK.

  15. For Accounting provider, select Windows Accounting.

  16. Select OK to close the Properties dialog.

  17. A dialog will prompt you to restart the server. Select Yes.
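The firewall and RADIUS settings from steps 5, 6, 11 and 13 above can also be applied from PowerShell on the VPN server. The following is an added example, not part of the tutorial; it assumes Remote Access is already installed (step 8), and the adapter aliases and the NPS name are placeholders to replace with your own values.

```powershell
# Added example (not from the tutorial): cmdlet form of the VPN server steps above.
Import-Module RemoteAccess

$externalNic = 'External'               # placeholder: alias of the internet-facing adapter
$internalNic = 'Internal'               # placeholder: alias of the domain-facing adapter
$npsFqdn     = 'dc1.corp.contoso.com'   # NPS server FQDN, as in step 11

# Step 5: IKEv2 (IKE on UDP 500, NAT-T on UDP 4500) inbound only on the public adapter
New-NetFirewallRule -DisplayName 'Always On VPN IKEv2 (UDP 500/4500)' -Direction Inbound `
    -Protocol UDP -LocalPort 500,4500 -InterfaceAlias $externalNic -Action Allow

# Step 6: RADIUS authentication/accounting ports only on the domain-facing adapter,
# so the RADIUS exchange with NPS never crosses the public interface
New-NetFirewallRule -DisplayName 'RADIUS to NPS (UDP 1812/1813/1645/1646)' -Direction Inbound `
    -Protocol UDP -LocalPort 1812,1813,1645,1646 -InterfaceAlias $internalNic -Action Allow

# Step 11: hand authentication to the NPS RADIUS server. The shared secret is read
# interactively so it is not stored in the script or the console history; the same
# string must be entered on NPS when the VPN server is added as a RADIUS client.
$secret = Read-Host -Prompt "RADIUS shared secret for $npsFqdn"
Set-VpnAuthType -Authentication ExternalRadius -RadiusServer $npsFqdn -SharedSecret $secret -PassThru

# Step 13: accept machine certificates for IKEv2 alongside EAP user authentication.
# Assumption: 'Certificate' in UserAuthProtocolAccepted is the cmdlet form of the
# "Allow machine certificate authentication for IKEv2" check box.
Set-VpnAuthProtocol -UserAuthProtocolAccepted Certificate, EAP -PassThru

# Step 17: the GUI prompts for a restart so the new authentication provider takes effect
Restart-Service RemoteAccess
```

Step 15 (Windows Accounting) is left at its default here; set it in the Properties dialog as described above.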

Create VPN Windows client

  1. Install Windows 10 or later on the machine that will be your VPN client.

  2. Join the VPN client to your domain. For information on how to join a computer to a domain, see To join a computer to a domain.

Create VPN User and Group

  1. Create a VPN User by taking the following steps:

    1. On the domain controller, open Active Directory Users and Computers.

    2. Under your domain, right-click Users. Select New. For User logon name, enter any logon name. Select Next.

    3. Choose a password for the user.

    4. Deselect User must change password at next logon. Select Password never expires.

    5. Select Finish. Keep Active Directory Users and Computers open.

  2. Create a VPN User group by taking the following steps:

    1. Under your domain, right-click Users. Select New, then select Group.

    2. In Group name, enter VPN Users, then select OK.

    3. Right-click VPN Users and select Properties.

    4. On the Members tab of the VPN Users Properties dialog box, select Add.

    5. On the Select Users dialog box, add the VPN user that you created and select OK.
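The three groups created above (NPS Servers, VPN Servers and VPN Users) and the VPN user can be created from PowerShell on the domain controller with the same settings. This is an added example, not the tutorial's own steps; the host and user names are placeholders, and the ActiveDirectory module is assumed to be present (it is installed with AD DS).

```powershell
# Added example (not from the tutorial): creates the groups and user with the same
# container placement and account flags as the GUI steps above.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=contoso,DC=com
$npsHost  = 'NPS1'      # placeholder: NetBIOS name of the NPS server
$vpnHost  = 'VPN1'      # placeholder: NetBIOS name of the VPN server
$vpnUser  = 'vpnuser1'  # placeholder: logon name for the VPN user

# Server groups live in the Computers container, as in the GUI steps.
foreach ($g in @(@{ Name = 'NPS Servers'; Member = $npsHost },
                 @{ Name = 'VPN Servers'; Member = $vpnHost })) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -GroupScope Global -GroupCategory Security `
                    -Path "CN=Computers,$domainDn"
    }
    # Computer accounts end in '$', so pass the account object rather than the bare name.
    Add-ADGroupMember -Identity $g.Name -Members (Get-ADComputer -Identity $g.Member)
}

# VPN user: password entered interactively, "must change" cleared, "never expires" set
$password = Read-Host -Prompt "Password for $vpnUser" -AsSecureString
New-ADUser -Name $vpnUser -SamAccountName $vpnUser `
           -UserPrincipalName "$vpnUser@$((Get-ADDomain).DNSRoot)" `
           -AccountPassword $password -Enabled $true `
           -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
           -Path "CN=Users,$domainDn"

# VPN Users group lives in the Users container, with the VPN user as its member.
if (-not (Get-ADGroup -Filter "Name -eq 'VPN Users'")) {
    New-ADGroup -Name 'VPN Users' -GroupScope Global -GroupCategory Security `
                -Path "CN=Users,$domainDn"
}
Add-ADGroupMember -Identity 'VPN Users' -Members $vpnUser

# Verify: each group lists the member it is supposed to contain
foreach ($name in 'NPS Servers', 'VPN Servers', 'VPN Users') {
    "$name : " + ((Get-ADGroupMember -Identity $name | Select-Object -ExpandProperty Name) -join ', ')
}
```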

Configure VPN server as a RADIUS client

  1. On the NPS server, open your firewall rules to allow UDP ports 1812, 1813, 1645, and 1646 inbound.

  2. In the NPS console, double-click RADIUS Clients and Servers.

  3. Right-click RADIUS Clients and select New to open the New RADIUS Client dialog box.

  4. Verify that the Enable this RADIUS client check box is selected.

  5. In Friendly name, enter a display name for the VPN server.

  6. In Address (IP or DNS), enter the IP address or FQDN of the VPN server.

    If you enter the FQDN, select Verify if you want to verify that the name is correct and maps to a valid IP address.

  7. In Shared secret:

    1. Ensure that Manual is selected.

    2. Enter the secret that you created in the Create the VPN server section.

    3. For Confirm shared secret, re-enter the shared secret.

  8. Select OK. The VPN Server should appear in the list of RADIUS clients configured on the NPS server.
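The RADIUS client registration above can also be done from PowerShell on the NPS server, including the name-resolution check from step 6 and a final verification that the client is listed and enabled. This is an added example rather than the tutorial's own steps; it assumes the NPS role is installed (the NPS module ships with it) and the VPN server FQDN is a placeholder.

```powershell
# Added example (not from the tutorial): cmdlet form of the RADIUS client steps above.
Import-Module NPS

$vpnServerFqdn = 'vpn1.corp.contoso.com'   # placeholder: FQDN of the VPN server

# Step 1: RADIUS authentication (1812/1645) and accounting (1813/1646) inbound
New-NetFirewallRule -DisplayName 'RADIUS from VPN servers (UDP 1812/1813/1645/1646)' `
    -Direction Inbound -Protocol UDP -LocalPort 1812,1813,1645,1646 -Action Allow

# Step 6 "Verify": an FQDN is only useful if it resolves, so stop early if it does not
$resolved = Resolve-DnsName -Name $vpnServerFqdn -Type A -ErrorAction Stop
"Resolved $vpnServerFqdn to $($resolved.IPAddress -join ', ')"

# Step 7: the shared secret must match the one set on the VPN server exactly;
# reading it interactively keeps it out of the script and the console history
$secret = Read-Host -Prompt "Shared secret configured on $vpnServerFqdn"

# Steps 3 to 8: create the RADIUS client (enabled by default)
New-NpsRadiusClient -Name 'VPN1 (Always On VPN)' -Address $vpnServerFqdn -SharedSecret $secret

# Verify the VPN server now appears in the list of RADIUS clients and is enabled
Get-NpsRadiusClient | Where-Object Address -eq $vpnServerFqdn |
    Format-Table Name, Address, Enabled, AuthAttributeRequired
```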

Configure NPS server as a RADIUS server

Note

In this tutorial, the NPS server is installed on the domain controller with the CA role, so you don't need to register a separate NPS server certificate. However, in an environment where the NPS server is installed on a separate server, an NPS server certificate must be enrolled before you can perform these steps.

  1. In the NPS console, select NPS(Local).

  2. In Standard Configuration, ensure that RADIUS server for Dial-Up or VPN Connections is selected.

  3. Select Configure VPN or Dial-Up to open the Configure VPN or Dial-Up wizard.

  4. Select Virtual Private Network (VPN) Connections, and select Next.

  5. In Specify Dial-Up or VPN Server, in RADIUS clients, select the name of the VPN server.

  6. Select Next.

  7. In Configure Authentication Methods, complete the following steps:

    1. Clear Microsoft Encrypted Authentication version 2 (MS-CHAPv2).

    2. Select Extensible Authentication Protocol.

    3. For Type, select Microsoft: Protected EAP (PEAP). Then select Configure to open the Edit Protected EAP Properties dialog box.

    4. Select Remove to remove the Secured Password (EAP-MSCHAP v2) EAP type.

    5. Select Add. The Add EAP dialog box opens.

    6. Select Smart Card or other certificate, then select OK.

    7. Select OK to close Edit Protected EAP Properties.

  8. Select Next.

  9. In Specify User Groups, complete the following steps:

    1. Select Add. The Select Users, Computers, Service Accounts, or Groups dialog box opens.

    2. Enter VPN Users, then select OK.

    3. Select Next.

  10. On Specify IP Filters, select Next.

  11. On Specify Encryption Settings, select Next. Do not make any changes.

  12. On Specify a Realm Name, select Next.

  13. Select Finish to close the wizard.

Next steps

Now that you've created your sample infrastructure, you're ready to begin configuring your Certificate Authority.