This supplemental video is to be used while studying the CompTIA Security+ SY0-301 Cert Guide (2nd Edition)

In this lab, you configure an L2TP-based VPN with a Windows Server 2003 and Windows client. This is an in-depth lab that will take some time to complete. Also, it’s easy to make a mistake or forget a small detail. In some cases, the entire lab will need to be restarted to work properly.
The steps are as follows:

Step 1. Install a Certificate Authority on the server.
Even if your client is already set up to make L2TP connections (see step 4 for more), and you have a basic VPN server working, you would get a 781 error when attempting to connect. This is because your client requires an encryption certificate. The client must get that certificate from the server (or some other authority). Let’s install and configure the Certificate Authority on the Windows Server 2003 computer now so that it can dispense certificates to clients:
A. Go to the Windows Server 2003 computer.
B. Click the Start button and select Control Panel.
C. Launch Add/Remove Programs.
D. Select Add/Remove Windows Components.
E. Click the Certificate Services check box to select it. A pop-up window opens; click Yes.
F. Click Next.
G. When asked what type of Certificate Authority you will be installing, choose the default option, Enterprise root CA. Then click Next.
H. In the Common Name for This CA field, type test. Leave the rest of the information as is, and click Next.
I. Leave the Certificate Database Settings window as is and click Next.
J. A pop-up window might ask you about IIS, which needs to be stopped during the installation of the CA. Click OK. The installation of the CA will begin.
K. If you are asked for the CD, you can get the necessary information from X:\i386 (where X is the letter of your disc drive). This could be from the Windows Server 2003 disc, the Service Pack disc, or the Server 2003 disc with slipstreamed service pack, it depends on your setup.
NOTE: If IIS is not yet installed, Server 2003 will warn you that Certificate Services Web Enrollment Support will not work until IIS is installed. Click OK for this message and be sure to install IIS before continuing with this lab. This can be done from Add/Remove Windows Components > Application Server > Internet Information Services (IIS). IIS can be installed simultaneously with Certificate Services.
L. Click Finish. The Certificate Authority is now installed. You should see it within your Administrative Tools. A restart is not normally necessary, but might be a good idea, especially if you have a lot of other services running on the server.

Step 2. Configure the Certificate Authority (CA) on the server.
Now you need to set up the CA to hand out certificates automatically and turn on the IP Security policy:
A. First, though, set up an MMC if you have not already and add the Certificate Authority snap-in (for the local computer) and the Default Domain Policy. (Select the Group Policy Object editor snap-in, Browse, and then Default Domain Policy.)
B. Set up the server to hand out certificates automatically:
i. In the MMC, click the Default Domain Policy entry, select Computer Configuration, choose Windows Settings, click Security Settings, select Public Key Policies, and choose Automatic Certificate Request Settings.
ii. Right-click the Automatic Certificate Request Settings entry, select New, and then select Automatic Certificate Request.
iii. A wizard is launched. Click Next.
iv. When asked what type of auto certificate template you want to install, select Computer. Then click Next.
v. Click Finish. You should see a certificate template called Computer on the right side window pane in the MMC.
vi. Save the MMC.
C. Turn on the IP Security Policy.
i. Within the MMC expand the following options in the left window pane: Default Domain Policy > Computer Configuration > Windows Settings > Security Settings. Click once on IP Security Policies on Active Directory.
ii. This should bring up three policies on the right side. None of these are yet assigned.
iii. Right-click the Secure Server (require Security) option and select Assign. This should assign the security policy allowing clients to connect.
iv. Save the MMC and close it.

Step 3. Configure MS-CHAP on the client.
Let’s configure your client to connect to the VPN server using a more complex level of authentication[md]username and password verification. This will be MS-CHAP II:
A. Go to the Windows XP computer.
B. Right-click My Network Places and select Properties to find your VPN adapter. If it is not there, create a new one, and point it toward your existing VPN server.
C. Right-click the VPN adapter and select Properties.
D. Click the Security tab and select Advanced (Custom Settings).
E. Click the Settings button. This opens the Advanced Security Settings dialog box.
F. Make sure that Require encryption is selected in the Data encryption drop-down list and that the Microsoft CHAP (MS-CHAP) and Microsoft CHAP Version 2 (MS-CHAP v2) checkboxes are selected. MS-CHAPII is already accepted by the server. MS-CHAPII will now be your challenge authentication scheme; it will work automatically.

Step 4. Configure L2TP and IPsec on the client:
Connect through L2TP as opposed to PPTP. L2TP is a more secure way of connecting than PPTP when L2TP is used with IPsec:
A. Click OK to close the Advanced Security Settings dialog box.
B. In the VPN Properties window, click the Networking tab.
C. Open the Type of VPN: Drop-Down List and choose L2TP IPsec VPN.
D. Click OK to close the VPN Properties window.

Step 5. Install a certificate on the client.
In some cases, you have to connect through a custom-made MMC, but in this scenario you retain your certificate within the browser:
A. Go to the Windows XP computer.
B. Open Internet Explorer and, in the address bar, type http://servername/certsrv (where servername is the actual hostname of your server). A web page with information opens.
C. Click the Request a Certificate link.
NOTE: You might need to configure the client so that it has the server’s IP address as the DNS settings within IP properties. In addition, it might be necessary to connect the client to the domain that the Certificate Authority server is a member of. How your client is configured will all depend on the setup of your particular network. Also, make sure that all your computers have the latest service packs installed.
D. On the next screen, click User Certificate.
E. On the User Certificate [nd] Identifying Information screen click Submit.
F. Click Yes in the pop-up window(s) that appears.
G. The browser should talk to the server and retrieve a certificate. Choose to install it now by clicking the Install this Certificate link.
H. Click Yes in the pop-up window that appears to add the certificate to the store. You’ll be informed that the certificate has been installed.

Step 6. Make the new VPN connection.
Now you can connect from your client to the server through the VPN connection using L2TP and MS-CHAP II. Connect to the VPN the way you normally would by double-clicking the VPN adapter and logging in with your username and password. There you have it!

NOTE: This is an in-depth lab, and as such, there are a lot of things that can go wrong. You might decide to run the various necessary services on separate servers, for example a Domain Controller, a VPN server, and a Certificate server. In addition, when it comes to certificates, there is a lot to talk about! Depending on the order of services you installed, you might have to install a certificate on the server as well. Be ready for many different variables when performing this lab.

There are a lot of errors you might encounter as well. For example, Error 789 is common, but it can be caused by a bunch of different reasons: key issue, PSK or IPsec settings, IPsec services might need to be restarted, server settings could be incorrect, firewall NAT settings could be wrong. Plus, security updates and network adapter drivers could affect the connection adversely.
Here's an article that might help some of the common issues you'll encounter:


This supplemental video is to be used while studying the CompTIA Security+ SY0-301 Cert Guide (2nd Edition)

About Dave Testimonials FAQ Site Map Contact
Copyright © David L. Prowse – Official Website - All Rights Reserved