20411B-ENU-TrainerHandbook.pdf
Administering Windows Server® 2012

Module 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role

Lab: Installing and Configuring a Network Policy Server

Exercise 1: Installing and Configuring NPS to Support RADIUS
1. Switch to LON-DC1.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. If necessary, on the taskbar, click Server Manager.
4. In the details pane, click Add roles and features.
5. In the Add Roles and Features Wizard, click Next.
6. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
7. On the Select destination server page, click Next.
8. On the Select server roles page, select the Network Policy and Access Services check box.
9. Click Add Features, and then click Next twice.
10. On the Network Policy and Access Services page, click Next.
11. On the Select role services page, verify that the Network Policy Server check box is selected, and then click Next.
12. On the Confirm installation selections page, click Install.
13. Verify that the installation was successful, and then click Close.
14. Close the Server Manager window.
15. Pause your mouse pointer in the lower-left of the taskbar, and then click Start.
16. Click Network Policy Server.
17. In Network Policy Manager, in the navigation pane, right-click NPS (Local), and then click Register server in Active Directory.
18. In the Network Policy Server message box, click OK.
19. In the subsequent Network Policy Server dialog box, click OK.
20. Leave the Network Policy Server console window open.

1. In the Network Policy Server console, in the navigation pane, expand Templates Management.
2. In the navigation pane, right-click Shared Secrets, and then click New.
3. In the New RADIUS Shared Secret Template dialog box, in the Template name box, type Adatum Secret.
4. In the Shared secret and Confirm shared secret boxes, type Pa$$w0rd, and then click OK.
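The LON-DC1 side of the steps above as a PowerShell script. This is an added example, not code from the course handbook; it assumes the NPS module cmdlets of Windows Server 2012 R2 or later (the lab's Server 2012 build lacks them), and the LON-RTR RADIUS client entry, whose GUI steps are missing from this page, is an assumption drawn from the later RRAS steps that point LON-RTR at LON-DC1 with the same secret.

```powershell
# Added example: LON-DC1 side of the NPS steps. Not the handbook's code.
# Assumptions: Windows Server 2012 R2 or later (NPS module present); run
# elevated as Adatum\Administrator; Adatum Secret and Pa$$w0rd are the
# lab's values; the LON-RTR client entry mirrors the later RRAS steps.

# Steps 4-13: install Network Policy and Access Services with its console.
Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null
if (-not (Get-WindowsFeature -Name NPAS).Installed) {
    throw 'Network Policy and Access Services did not install'
}

# Steps 17-19: register NPS in Active Directory. No cmdlet covers this, so
# netsh is used. It adds the computer account to the RAS and IAS Servers
# group so NPS can read users' dial-in properties; without it every
# authentication request is rejected.
netsh nps add registeredserver

# Template-task steps 1-4: the shared-secret template. The lab value is kept
# so the later RRAS steps match. $strongSecret shows how a production secret
# should be minted (32 random bytes from a CSPRNG); swap it in outside the lab.
$secret = 'Pa$$w0rd'
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$buf = New-Object byte[] 32
$rng.GetBytes($buf)
$strongSecret = [Convert]::ToBase64String($buf)
New-NpsSharedSecretTemplate -Name 'Adatum Secret' -SharedSecret $secret

# The GUI steps that add the RADIUS client are not on this page. This entry
# is the counterpart of the RRAS steps that point LON-RTR at LON-DC1 with
# the same secret; the name and address are therefore assumptions.
New-NpsRadiusClient -Name 'LON-RTR' -Address 'LON-RTR' `
    -SharedSecret $secret -Enabled $true

# Verify before testing the VPN: the client must exist and be enabled.
$client = Get-NpsRadiusClient -Name 'LON-RTR'
if (-not $client.Enabled) { throw 'RADIUS client LON-RTR is disabled' }
$client | Format-List Name, Address, Enabled
```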
12. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable Routing and Remote Access.
13. In the dialog box, click Yes.
14. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Configure and Enable Routing and Remote Access.
15. Click Next, select Remote access (dial-up or VPN), and then click Next.
16. Select the VPN check box, and then click Next.
17. Click the network interface called Local Area Connection 2. Clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next.
18. On the IP Address Assignment page, select From a specified range of addresses, and then click Next.
19. On the Address Range Assignment page, click New. Type 172.16.0.100 next to Start IP address and 172.16.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients, and then click Next.
20. On the Managing Multiple Remote Access Servers page, click Yes, set up this server to work with a RADIUS server, and then click Next.
21. On the RADIUS Server Selection page, in the Primary RADIUS server box, type LON-DC1.
22. In the Shared secret box, type Pa$$w0rd, and then click Next.
23. Click Finish.
24. In the Routing and Remote Access dialog box, click OK.
25. If prompted again, click OK.
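The LON-RTR side of steps 12-25 as PowerShell, an added example that is not part of the handbook. It assumes the RemoteAccess module cmdlets that ship with the Windows Server 2012 RRAS role and that the role is already installed (steps 1-11 are missing from this page); LON-DC1, Pa$$w0rd and the 172.16.0.100-110 pool are the lab's values.

```powershell
# Added example: LON-RTR configured as a VPN server that forwards
# authentication to NPS on LON-DC1 (steps 12-25). Not the handbook's code.
# Assumptions: RemoteAccess module (Windows Server 2012 RRAS role) installed;
# run elevated on LON-RTR; values below are the lab's.

$radiusServer = 'LON-DC1'
$sharedSecret = 'Pa$$w0rd'   # lab value; must equal the client entry on LON-DC1
$poolStart    = '172.16.0.100'
$poolEnd      = '172.16.0.110'

# Steps 14-17: enable RRAS as a remote access (VPN) server.
Install-RemoteAccess -VpnType Vpn

# Steps 18-19: assign client addresses from a static pool rather than DHCP.
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool `
    -IPAddressRange @($poolStart, $poolEnd)

# Step 19 says the wizard reports 11 addresses; compute the same figure so a
# typo in either bound is caught before clients connect.
function ConvertTo-UInt32([string]$ip) {
    $b = ([System.Net.IPAddress]$ip).GetAddressBytes()
    [Array]::Reverse($b)            # network byte order to little-endian
    [BitConverter]::ToUInt32($b, 0)
}
$poolSize = (ConvertTo-UInt32 $poolEnd) - (ConvertTo-UInt32 $poolStart) + 1
if ($poolSize -ne 11) { throw "Pool holds $poolSize addresses, expected 11" }

# Steps 20-22: forward authentication (not accounting) to NPS, which is what
# "Yes, set up this server to work with a RADIUS server" configures.
Add-RemoteAccessRadius -ServerName $radiusServer -SharedSecret $sharedSecret `
    -Purpose Authentication

# Verify the RADIUS server is registered before creating the LON-DC1 policy.
Get-RemoteAccessRadius -Purpose Authentication |
    Format-List ServerName, Purpose, Port, Timeout
```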
1. Switch to the LON-DC1 computer.
2. Switch to Network Policy Server.
3. In Network Policy Server, expand Policies, and then click Network Policies.
4. In the details pane, right-click the policy at the top of the list, and then click Disable.
5. In the details pane, right-click the policy at the bottom of the list, and then click Disable.
6. In the navigation pane, right-click Network Policies, and then click New.
7. In the New Network Policy Wizard, in the Policy name box, type Adatum VPN Policy.
8. In the Type of network access server list, click Remote Access Server (VPN-Dial up), and then click Next.
9. On the Specify Conditions page, click Add.
10. In the Select condition dialog box, click NAS Port Type, and then click Add.
11. In the NAS Port Type dialog box, select the Virtual (VPN) check box, and then click OK.
12. Click Next. On the Specify Access Permission page, click Access granted, and then click Next.
13. On the Configure Authentication Methods page, click Next.
14. On the Configure Constraints page, click Next.
15. On the Configure Settings page, click Next.
16. On the Completing New Network Policy page, click Finish.
Task 3: Test the RADIUS configuration
1. Switch to LON-CL2.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. On the Start screen, type Control, and then in the Apps list, click Control Panel.
4. In Control Panel, click Network and Internet.
5. Click Network and Sharing Center.
6. Click Set up a new connection or network.
7. On the Choose a connection option page, click Connect to a workplace, and then click Next.
8. On the How do you want to connect page, click Use my Internet connection (VPN).
9. Click I’ll set up an Internet connection later.
10. On the Type the Internet address to connect to page, in the Internet address box, type 10.10.0.1.
11. In the Destination name box, type Adatum VPN.
12. Select the Allow other people to use this connection check box, and then click Create.
13. In the Network And Sharing Center window, click Change adapter settings.
14. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.
15. In the Type of VPN list, click Point to Point Tunneling Protocol (PPTP).
16. Under Authentication, click Allow these protocols, and then click OK.
17. In the Network Connections window, right-click the Adatum VPN connection, and then click Connect/Disconnect.
18. In the Networks list on the right, click Adatum VPN, and then click Connect.
19. In Network Authentication, in the User name box, type Adatum\Administrator.
20. In the Password box, type Pa$$w0rd, and then click OK.
21. Wait for the VPN connection to be made. Your connection is successful.
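The LON-CL2 side of Task 3 as PowerShell, an added example rather than handbook code. It assumes the VpnClient module cmdlets of Windows 8 and that the PPP adapter takes the connection's name; 10.10.0.1, Adatum VPN, PPTP and MS-CHAP v2 are the lab's values, and the address check uses the 172.16.0.100-110 pool configured on LON-RTR. PPTP with MS-CHAP v2 is kept only to match the lab; it is deprecated for production use.

```powershell
# Added example: create and test the "Adatum VPN" connection (Task 3 steps
# 6-21). Not the handbook's code. Assumptions: Windows 8 VpnClient module;
# run as Adatum\Administrator on LON-CL2; the PPP adapter alias equals the
# connection name. PPTP/MS-CHAP v2 match the lab and are deprecated otherwise.

$name   = 'Adatum VPN'
$server = '10.10.0.1'

# Steps 6-16: connection for all users ("Allow other people to use this
# connection"), PPTP tunnel, MS-CHAP v2 ("Allow these protocols").
Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Pptp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -AllUserConnection -Force

# Steps 17-20: dial with the lab credentials. rasdial returns 0 on success
# and a RAS error code otherwise (for example 691 = bad credentials, 812 =
# rejected by network policy), which is what to read when NPS says no.
rasdial $name 'Adatum\Administrator' 'Pa$$w0rd'
if ($LASTEXITCODE -ne 0) {
    throw "VPN connection failed, RAS error $LASTEXITCODE"
}

# Step 21: what the GUI shows as "connected", plus the negotiated settings.
Get-VpnConnection -Name $name -AllUserConnection |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, ConnectionStatus

# Confirm the address really came from the 172.16.0.100-110 pool on LON-RTR.
$ppp = Get-NetIPAddress -InterfaceAlias $name -AddressFamily IPv4
if ($ppp.IPAddress -notmatch '^172\.16\.0\.(10\d|110)$') {
    throw "Unexpected client address $($ppp.IPAddress)"
}

# Hang up when done: rasdial $name /disconnect
```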
Results: After this exercise, you should have deployed a VPN server, and then configured it as a RADIUS client.

To prepare for the next module
When you have finished the lab, revert all virtual machines to their initial state. To do this, perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20411B-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20411B-LON-RTR and 20411B-LON-DC1.
Module 9: Implementing Network Access Protection

Lab: Implementing NAP

Exercise 1: Configuring NAP Components

Task 1: Configure server and client certificate requirements
1. On LON-DC1, in Server Manager, click Tools, and then click Certification Authority.
2. In the certsrv management console, expand Adatum-LON-DC1-CA, right-click Certificate Templates, and then select Manage on the context menu.
3. In the Certificate Templates Console details pane, right-click Computer, and then click Properties.
4. Click the Security tab in the Computer Properties dialog box, and then select Authenticated Users.
5. In the Permissions for Authenticated Users, select the Allow check box for the Enroll permission, and then click OK.
6. Close the Certificate Templates Console.
7. In certsrv – [Certification Authority (Local)], right-click Adatum-LON-DC1-CA, point to All Tasks, and then click Stop Service.
8. Right-click Adatum-LON-DC1-CA, point to All Tasks, and then click Start Service.
9. Close the certsrv management console.
Task 2: Configure health policies
1. Switch to the LON-RTR computer.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Pause your mouse pointer in the lower-left of the taskbar, and then click Start.
4. On the Start screen, type mmc.exe, and then press Enter.
5. On the File menu, click Add/Remove Snap-in.
6. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.
7. In the Add or Remove Snap-ins dialog box, click OK.
8. In the console tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
9. The Certificate Enrollment dialog box opens. Click Next.
10. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy, and then click Next.
11. Select the Computer check box, and then click Enroll.
12. Verify that the status of the certificate installation is Succeeded, and then click Finish.
13. Close the Console1 window.
14. Click No when prompted to save console settings.
15. On LON-RTR, switch to Server Manager.
16. In Server Manager, in the details pane, click Add roles and features.
17. Click Next.
18. On the Select installation type page, click Next.
19. On the Select destination server page, click Next.
20. On the Select server roles page, select the Network Policy and Access Services check box.
21. Click Add Features, and then click Next twice.
22. On the Network Policy and Access Services page, click Next.
23. On the Select Role Services page, click Next.
24. Click Install.
25. Verify that the installation was successful, and then click Close.
26. Close the Server Manager window.
27. Pause your mouse pointer in the lower-left of the taskbar, and then click Start.
28. Click Network Policy Server.
29. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
30. In the right pane under Name, double-click Default Configuration.
31. On the Windows 8/Windows 7/Windows Vista tab, clear all check boxes except the A firewall is enabled for all network connections check box, and then click OK.
32. In the navigation pane, expand Policies.
33. Right-click Health Policies, and then click New.
34. In the Create New Health Policy dialog box, under Policy name, type Compliant.
35. Under Client SHV checks, verify that Client passes all SHV checks is selected.
36. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
37. Click OK.
38. Right-click Health Policies, and then click New.
39. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
40. Under Client SHV checks, select Client fails one or more SHV checks.
41. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
42. Click OK.

2. Right-click Network Policies, and then click New.
3. On the Specify Network Policy Name and Connection Type page, under Policy name, type Compliant-Full-Access, and then click Next.
4. On the Specify Conditions page, click Add.
5. In the Select condition dialog box, double-click Health Policies.
6. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
7. On the Specify Conditions page, click Next.
8. On the Specify Access Permission page, click Next.
9. On the Configure Authentication Methods page, clear all check boxes, select the Perform machine health check only check box, and then click Next.
10. Click Next again.
11. On the Configure Settings page, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next.
12. On the Completing New Network Policy page, click Finish.
13. Right-click Network Policies, and then click New.
14. On the Specify Network Policy Name And Connection Type page, under Policy name, type Noncompliant-Restricted, and then click Next.
15. On the Specify Conditions page, click Add.
16. In the Select condition dialog box, double-click Health Policies.
17. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.
18. On the Specify Conditions page, click Next.
19. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.
20. On the Configure Authentication Methods page, clear all check boxes, select the Perform machine health check only check box, and then click Next.
21. Click Next again.
22. On the Configure Settings page, click NAP Enforcement. Click Allow limited access.
23. Clear the Enable auto-remediation of client computers check box.
24. In the Configure Settings window, click IP Filters.
25. Under IPv4, click Input Filters, and then click New.
26. In the Add IP Filter dialog box, select Destination network.
27. In the IP address box, type 172.16.0.10.
28. In the Subnet mask box, type 255.255.255.255, and then click OK.
29. Click Permit only the packets listed below, and then click OK.
30. Under IPv4, click Output Filters, and then click New.
31. In the Add IP Filter dialog box, select Source network.
32. In the IP address box, type 172.16.0.10.
33. In the Subnet mask box, type 255.255.255.255, and then click OK.
34. Click Permit only the packets listed below, and then click OK.
35. On the Configure Settings page, click Next.
36. On the Completing New Network Policy page, click Finish.
Task 4: Configure connection request policies for VPN
1. Click Connection Request Policies.
2. Disable both of the default connection request policies found under Policy Name by right-clicking each policy, and then clicking Disable.
3. Right-click Connection Request Policies, and then click New.
4. On the Specify Connection Request Policy Name And Connection Type page, in the Policy name box, type VPN connections.
5. Under Type of network access server, select Remote Access Server (VPN-Dial up), and then click Next.
6. On the Specify Conditions page, click Add.
7. In the Select Condition dialog box, double-click Tunnel Type, and then select PPTP, SSTP, and L2TP. Click OK, and then click Next.
8. On the Specify Connection Request Forwarding page, verify that Authenticate requests on this server is selected, and then click Next.
9. On the Specify Authentication Methods page, select the Override network policy authentication settings check box.
10. Under EAP Types, click Add.
11. In the Add EAP dialog box, under Authentication methods, click Microsoft: Protected EAP (PEAP), and then click OK.
12. Under EAP Types, click Add. In the Add EAP dialog box, under Authentication methods, click Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.
13. Under EAP Types, click Microsoft: Protected EAP (PEAP), and then click Edit.
14. Verify that Enforce Network Access Protection is selected, and then click OK.
15. Click Next twice, and then click Finish.

Results: After this exercise, you should have installed and configured the required NAP components, created the health and network policies, and created the connection request policies.
Exercise 2: Configuring VPN Access

Task 1: Configure a VPN Server
1. On LON-RTR, pause your mouse pointer in the lower-left of the taskbar, and then click Start.
2. Click Routing and Remote Access. If prompted, in the Enable DirectAccess Wizard dialog box, click Cancel, and then click OK.
3. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable Routing and Remote Access.
4. In the dialog box, click Yes.
5. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Configure and Enable Routing and Remote Access.
6. Click Next, select Remote access (dial-up or VPN), and then click Next.
7. Select the VPN check box, and then click Next.
8. Click the network interface called Local Area Connection 2. Clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next.
9. On the IP Address Assignment page, select From a specified range of addresses, and then click Next.
10. On the Address Range Assignment page, click New. Type 172.16.0.100 next to Start IP address and 172.16.0.110 next to End IP address, and then click OK. Verify that 11 IP addresses were assigned for remote clients, and then click Next.
11. On the Managing Multiple Remote Access Servers page, ensure that No, use Routing and Remote Access to authenticate connection requests is selected, and then click Next.
12. Click Finish.
13. Click OK twice, and then wait for the Routing and Remote Access Service to start.
14. Switch to Network Policy Server.
15. In the Network Policy Server, click Connection Request Policies, and in the results pane, verify that the Microsoft Routing and Remote Access Service Policy is Disabled.
16.
17.
1. On LON-RTR, pause your mouse pointer in the lower-left of the taskbar, and then click Start.
2. Click Administrative Tools, and then double-click Windows Firewall with Advanced Security.
3. Click Inbound Rules, right-click Inbound Rules, and then click New Rule.
4. Select Custom, and then click Next.
5. Select All programs, and then click Next.
6. Next to Protocol type, select ICMPv4, and then click Customize.
7. Select Specific ICMP types, select the Echo Request check box, click OK, and then click Next.
8. Click Next to accept the default scope.
9. In the Action window, verify that Allow the connection is selected, and then click Next.
10. Click Next to accept the default profile.
11. In the Name window, under Name, type ICMPv4 echo request, and then click Finish.
12. Close the Windows Firewall with Advanced Security console.
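The firewall steps above as an idempotent PowerShell function, an added example that is not handbook code. It assumes the NetSecurity module cmdlets of Windows Server 2012 and mirrors the wizard defaults the steps accept (any program, default scope, all profiles); the rule name is the lab's, and the function name New-LabIcmpEchoRule is an assumption.

```powershell
# Added example: the "ICMPv4 echo request" inbound rule (steps 3-11) with a
# check that it admits only echo requests. Not the handbook's code.
# Assumptions: NetSecurity module (Windows Server 2012); run elevated on
# LON-RTR; New-LabIcmpEchoRule is a name chosen here.

function New-LabIcmpEchoRule {
    param([string]$DisplayName = 'ICMPv4 echo request')

    # Re-running the wizard creates a duplicate rule; reuse one if present.
    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $rule) {
        # ICMP type 8 = Echo Request, what "Specific ICMP types" selected.
        # Program Any, Profile Any and the default scope match steps 5, 8, 10.
        $rule = New-NetFirewallRule -DisplayName $DisplayName `
            -Direction Inbound -Action Allow -Enabled True `
            -Protocol ICMPv4 -IcmpType 8 -Program Any -Profile Any
    }

    # Verify the protocol filter is echo-request only. A rule left at
    # "All ICMP types" would also admit redirects and router advertisements.
    $filter = $rule | Get-NetFirewallPortFilter
    if ($filter.Protocol -ne 'ICMPv4' -or $filter.IcmpType -notmatch '^8(:|$)') {
        throw "Rule '$DisplayName' is not restricted to ICMPv4 type 8"
    }
    $rule
}

New-LabIcmpEchoRule | Format-List DisplayName, Direction, Action, Enabled, Profile
```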
Results: After this exercise, you should have created a VPN server and configured inbound communications.
