To make a VPN connection with L2TP/IPSec, you must have a computer certificate on the VPN client computer and one on the VPN server. You can use CMAK to configure a profile that allows the VPN client computer to obtain and install a certificate with minimal user interaction. This section describes how to configure the example.com domain so that computers can automatically obtain these certificates over the network, how to configure the client computer to use these certificates, and how to create a VPN-only L2TP/IPSec Connection Manager profile that uses these certificates. To do this in the test lab, you must install IIS on DC1 because IIS1 cannot distribute or issue the certificates that you will create for this test lab. The template you duplicate later in this section is a version 2 certificate template. Version 2 certificates are not available on or distributable by Windows Server 2003, Standard Edition, but they are distributable by Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition, so DC1 must run one of those editions.
Because this test lab does not actually connect to the Internet, you must use the dial-up profile to connect to the intranet segment so that the client computer can obtain a certificate from the certification authority that you will install on DC1. In a production environment, the profile could be configured to first dial an Internet service provider (ISP) for Internet access before making a VPN connection to the intranet (known as a double-dial profile), or the profile could be configured as a VPN-only profile.
This test lab scenario also requires manual installation of a certificate chain on CLIENT1.
To configure the test lab for L2TP/IPSec access, install IIS and Certificate Services on DC1, configure certificate settings, create a user for L2TP/IPSec access, and update Group Policy.
Use Add/Remove Windows Components to install IIS on DC1, as you did on IIS1 in the section “Configuring the Initial Test Lab.”
Install Certificate Services, and configure the certification authority
When IIS finishes installing, click Add/Remove Windows Components again.
In Windows Components, select the Certificate Services check box. Click Yes when warned about not changing the name or domain membership of this computer. Click Next.
On the CA Type page, click Enterprise Root CA and click Next.
On the CA Identifying Information page, type Example CA in the Common Name For This CA text box and then click Next.
On the Certificate Database Settings page, click Next.
When asked whether to temporarily stop IIS, click Yes.
When asked whether to enable ASP pages, click Yes.
On the Completing The Windows Components Wizard page, click Finish.
Configure certificate templates
Click Start, click Run, and type certtmpl.msc to open Certificate Templates.
In the details pane, right-click the Authenticated Session template, and click Duplicate Template.
On the General tab, type Authenticated Session for WebEnroll in the Template Display Name text box.
On the Security tab, click Authenticated Users in Group Or User Names. In Permissions For Authenticated Users, the Read check box is selected by default. Select the Enroll and Autoenroll check boxes under Allow, and then click OK.
In the details pane, right-click the RAS And IAS Server template, and click Properties.
On the Security tab, click Authenticated Users in Group Or User Names, select the Enroll and Autoenroll check boxes under Allow, and then click OK.
Configure the certification authority to issue the new certificates
Click Start, point to Administrative Tools, and click Certification Authority.
Double-click Example CA to open it. Right-click Certificate Templates, point to New, and click Certificate Template To Issue.
In the Enable Certificate Templates dialog box, hold down the Ctrl key and click Authenticated Session For WebEnroll and RAS And IAS Server. Release the Ctrl key, and click OK.
Configure Active Directory for auto-enrollment of certificates
Open the Active Directory Users And Computers administrative tool.
In the console tree, right-click the example.com domain, and then click Properties.
On the Group Policy tab, click Default Domain Policy and then click Edit.
In the console tree for Group Policy Object Editor, open Computer Configuration, then Windows Settings, and then Security Settings. Click Public Key Policies.
In the details pane, right-click Autoenrollment Settings, and click Properties. Click Enroll Certificates Automatically, and select both check boxes (Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates; and Update Certificates That Use Certificate Templates). Click OK.
Close Group Policy Object Editor.
Create a user account
Open the Active Directory Users And Computers administrative tool, if not already open.
Create a user account named RemoteUser just as you did for VPNUser. Add RemoteUser to both the DialUsers group and the VPNUsers group.
Update Group Policy
At a command prompt, type gpupdate to update Group Policy on DC1.
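Before moving on to VPN1, it is worth confirming that the CA is actually configured to issue the two templates, because a template that is enabled for Enroll and Autoenroll in Certificate Templates but not added to the CA's list is the most common reason autoenrollment silently does nothing. The following script is an added check, not part of the original lab text; it assumes the CA configuration string DC1\Example CA (computer name\CA common name from the steps above) and the two template display names created above, and it relies on the line format certutil -CATemplates prints (TemplateName: Display Name -- status).

```powershell
# Added check, not part of the original lab text. Assumes the CA configuration
# string "DC1\Example CA" and the two template display names created above.
$CaConfig          = 'DC1\Example CA'
$RequiredTemplates = @('Authenticated Session for WebEnroll', 'RAS and IAS Server')

function Get-CaTemplateListing {
    param([string]$Config)
    # certutil -CATemplates lists the templates the CA is configured to issue,
    # one per line, as "TemplateName: Display Name -- <enrollment status>".
    # The status text varies; only the display name field is relied on below.
    $text = & certutil.exe -config $Config -CATemplates 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed:`n$text" }
    return $text
}

function Test-CaIssuesTemplates {
    param(
        [string]$Config       = $CaConfig,
        [string[]]$Templates  = $RequiredTemplates
    )
    $text = Get-CaTemplateListing -Config $Config
    foreach ($name in $Templates) {
        # Match the display name as a whole field (between ": " and " --" or
        # end of line) so that "RAS and IAS Server" is not satisfied by a
        # longer name that merely starts with the same words.
        $pattern = '(?m)^\s*\S+:\s*' + [regex]::Escape($name) + '\s*(--|$)'
        [PSCustomObject]@{
            Template = $name
            Issued   = [bool]($text -match $pattern)
        }
    }
}

function Invoke-Autoenrollment {
    # Autoenrollment is evaluated by each client computer, not by the CA.
    # After gpupdate, this forces the autoenrollment task to run now instead
    # of waiting for the next policy refresh; run it on VPN1 as well.
    & certutil.exe -pulse | Out-Null
    return ($LASTEXITCODE -eq 0)
}

Test-CaIssuesTemplates | Format-Table -AutoSize
```

Run it on DC1 after gpupdate; both rows should show Issued = True. If RAS And IAS Server is missing, VPN1 will never receive its computer certificate no matter how often Group Policy is refreshed, and the L2TP/IPSec negotiation will fail on the server side before any user credentials are checked.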
To configure the test lab for L2TP/IPSec access, install the appropriate certificate on VPN1, and create an L2TP/IPSec VPN profile.
Update Group Policy
To immediately update Group Policy and request a computer certificate, type gpupdate at a command prompt.
Create the L2TPCorp profile
Open the Connection Manager Administration Kit Wizard, and click Next.
On the Service Profile Selection page, click New Profile if necessary, and click Next.
On the Service And File Names page, type L2TP To CorpNet in the Service Name text box, type L2TPCorp in the File Name text box, and click Next.
On the Realm Name page, click Add A Realm Name To The User Name. If Suffix is not already selected, select it. In the Realm Name text box, type @example.com and then click Next.
On the Merging Profile Information page, click Next.
On the VPN Support page, select the Phone Book From This Profile check box. In VPN Server Name Or IP Address, click Always Use The Same VPN Server, type 10.0.0.2, and click Next.
On the VPN Entries page, click the default entry and click Edit.
Click the Security tab. In the Security Settings drop-down list, click Use Advanced Security Settings and then click Configure.
In Authentication Methods, clear the Microsoft CHAP check box. In VPN Strategy, click Only Use Layer Two Tunneling Protocol (L2TP). Click OK twice, and then click Next.
On the Phone Book page, clear the Automatically Download Phone Book Updates check box, and click Next.
On the Dial-up Networking Entries page, click Next.
On the Routing Table Update page, click Next.
On the Automatic Proxy Configuration page, click Next.
On the Custom Actions page, click Next.
On the Logon Bitmap page, click Next.
On the Phone Book Bitmap page, click Next.
On the Icons page, click Next.
On the Notification Area Shortcut Menu page, click Next.
On the Help File page, click Next.
On the Support Information page, type For help connecting, contact the Support Desk. in the Support Information text box and then click Next.
On the Connection Manager Software page, click Next.
On the License Agreement page, click Next.
On the Additional Files page, click Next.
On the Ready To Build The Service Profile page, select the Advanced Customization check box and then click Next.
On the Advanced Customization page, in the Section Name drop-down list, click Connection Manager. In the Key Name drop-down list, click HideDomain. In the Value text box, type 1. Click Apply.
On the Advanced Customization page, in the Section Name drop-down list, click Connection Manager. In the Key Name drop-down list, click Dialup. In the Value text box, type 0. Click Apply.
Click Next, and wait for the profile to finish building.
When the Completing The Connection Manager Administration Kit Wizard page appears, click Finish.
Prepare the L2TPCorp profile for distribution
Browse to the \Program Files\Cmak\Profiles\L2TPCorp folder.
Copy L2TPCorp.exe to a floppy disk.
From a command prompt, type gpupdate to update Group Policy.
To set up the test lab for L2TP/IPSec access, configure CLIENT1 with the necessary certificates and install the L2TPCorp profile.
Get a certificate
Use the Dial-Up To CorpNet profile to connect to the network. Type RemoteUser in the User Name text box, and type the password for the RemoteUser account in the Password text box.
When connected, open a Web browser and type http://dc1.example.com/certsrv in the Address text box to open the Certificate Services Web enrollment pages.
Click Request A Certificate.
Click Advanced Certificate Request.
Click Create And Submit A Request To This CA.
Click Authenticated Session For WebEnroll in the Certificate Template drop-down list, and select the Store Certificate In The Local Computer Certificate Store check box. Leave all the other settings as they are.
Click Yes to approve the request for a certificate.
When the request is finished processing, click Install This Certificate.
Click Yes to approve the installation of the certificate.
While still connected, obtain the CA certificate for the trust chain: on the Web enrollment home page, click Download A CA Certificate, Certificate Chain, Or CRL, and save the Example CA certificate on CLIENT1. When the certificate has been installed, disconnect Dial-Up To CorpNet.
In the Microsoft Management Console window, add the Certificates snap-in for the local computer (not for the current user, because IPSec uses the computer's certificate stores). Import the Example CA certificate into the Trusted Root Certification Authorities folder.
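Both computers now need the same three things before the L2TP/IPSec negotiation can succeed: a computer certificate with its private key in the local computer's Personal store, an enhanced key usage that IPSec will accept, and a chain that ends in a root in the local computer's Trusted Root store. The following script is an added readiness check, not code from the original lab; it assumes the CA common name Example CA and the Client Authentication EKU OID 1.3.6.1.5.5.7.3.2, which both templates used in this section carry. Run it in an elevated PowerShell session on CLIENT1 after the steps above, and on VPN1 after gpupdate (its RAS And IAS Server certificate should pass the same test).

```powershell
# Added readiness check, not from the original lab. Assumes the issuing CA's
# common name "Example CA" and the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$CaCommonName  = 'Example CA'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
}

function Test-L2tpMachineCert {
    param(
        [string]$IssuerCommonName = $CaCommonName,
        [string]$RequiredEku      = $ClientAuthOid
    )
    $reasons   = @()
    $readyCert = $null

    # IPSec negotiates with the computer's own certificate; the user store is irrelevant.
    $candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.Issuer -like "CN=$IssuerCommonName*" -and
        $_.NotAfter -gt (Get-Date) -and
        ((Get-CertEkuOids -Cert $_) -contains $RequiredEku)
    })
    if ($candidates.Count -eq 0) {
        $reasons += "no unexpired certificate from CN=$IssuerCommonName with a private key and EKU $RequiredEku in LocalMachine\My"
    }

    foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # The lab's CRL is only reachable while dialed in to the intranet, so
        # revocation is left out here; set 'Online' to test it while connected.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if ($chain.Build($cert)) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            # Chain building also consults the current user's Trusted Root store, so a
            # root imported there would pass Build() yet still be invisible to IPSec.
            # Require the root to be present in the computer's store explicitly.
            if (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)") {
                $readyCert = $cert
                break
            }
            $reasons += "chain for $($cert.Thumbprint) ends in '$($root.Subject)', which is not in LocalMachine\Root"
        } else {
            $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
            $reasons += "chain for $($cert.Thumbprint) does not build: $status"
        }
    }

    [PSCustomObject]@{
        Ready      = ($readyCert -ne $null)
        Thumbprint = $(if ($readyCert) { $readyCert.Thumbprint } else { $null })
        Problems   = $reasons
    }
}

Test-L2tpMachineCert | Format-List
```

Ready = True on both CLIENT1 and VPN1 is the state the next procedure depends on. The most instructive failure this catches is a root certificate that was imported into the current user's store instead of the local computer's store: the MMC and a browser both report the chain as trusted, but IPSec main mode still fails with a certificate error.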
Connect to CorpNet using the L2TPCorp profile
Install the L2TP To CorpNet profile on CLIENT1 by running L2TPCorp.exe from the floppy disk.
On the Connection Manager logon screen, type RemoteUser in the User Name text box and type the password for the account in the Password text box.
When the connection to the intranet segment has completed, open a Web browser.
In the Address text box, type http://IIS1.example.com/iisstart.htm. You should see a Web page titled “Under Construction.”
Click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the files in the root folder on IIS1.
Right-click the connection icon in the notification area, and then click Disconnect.