In the first two parts of this series on how to create an SSL VPN server on Windows Server 2008, we went over the basics of VPN networking and then dived into the configuration of the server. At this point we are ready to finish things up by making some small configuration changes in Active Directory and on the CA Web site. After making these changes, we will focus on the VPN client configuration and finish up by establishing the SSL VPN connection.
Configure the User Account to Allow Dial-up Connections
User accounts need permission for dial-up access before they can connect to a Windows VPN server that is a member of an Active Directory domain. The best way to do this is to use a Network Policy Server (NPS) and keep the default user account permission, which is to allow remote access based on NPS policy. However, we did not install an NPS server in this scenario, so we will have to manually configure the user’s dial-in permission.
I will write a future article on how you can use an NPS server and EAP User Certificate authentication to establish the SSL VPN server connection.
Perform the following steps to enable dial-in permission on the user account that you want to connect to the SSL VPN server. In this example we will enable dial-in access for the default domain administrator account:
- At the domain controller, open the Active Directory Users and Computers console from the Administrative Tools menu.
- In the left pane of the console, expand the domain name and click on the Users node. Double-click the Administrator account.
- Click on the Dial-in tab. The default setting is Control access through NPS Network Policy. Since we do not have an NPS server in this scenario, we will change the setting to Allow access, as seen in the figure below. Click OK.
Configure IIS on the Certificate Server to Allow HTTP Connections for the CRL Directory
For some reason, when the installation wizard installs the Certificate Services Web site, it configures the CRL directory to require an SSL connection. While this seems like a good idea from a security point of view, the problem is that the URI on the certificate is not configured to use SSL. I suppose you could create a custom CDP entry for the certificate so that it uses SSL, but you can bet dollars to donuts that Microsoft has not documented this problem anywhere. Since we are using the default settings for the CDP in this article, we need to turn off the SSL requirement on the CA’s Web site for the CRL directory path.
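A way to check the mismatch described above, added here as an example that is not part of the original article: the script reads the CDP URLs from a certificate and requests each HTTP one, so a failure against the CertEnroll path shows up before a VPN client hits it. The certificate path and the function names are assumptions; with Require SSL still set on the directory, the HTTP request is normally refused with a 403 status.

```powershell
# Added example, not from the original article.
# Assumption: the VPN server certificate was exported to a .cer file; the path is a placeholder.
param([string]$CertPath = 'C:\Temp\vpn-server.cer')

# Return every URL listed in the certificate's CRL Distribution Points extension.
function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 is the OID of the CRL Distribution Points extension.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text with one "URL=..." entry per location.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# Request one CRL URL and report the outcome as text.
function Test-CrlUrl {
    param([string]$Url)
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = 10000          # milliseconds
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
        return "OK (HTTP $status)"
    } catch {
        # PowerShell wraps .NET exceptions, so unwrap to the original one.
        $e = $_.Exception.GetBaseException()
        if ($e -is [System.Net.WebException] -and $e.Response) {
            return "FAILED (HTTP $([int]$e.Response.StatusCode))"
        }
        return "FAILED ($($e.Message))"
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
foreach ($url in Get-CdpUrl $cert) {
    if ($url -match '^https?://') {
        '{0} -> {1}' -f $url, (Test-CrlUrl $url)
    } else {
        # ldap:// and other schemes are listed but not fetched here.
        '{0} -> skipped (not HTTP)' -f $url
    }
}
```

Run it from a machine on the same network as the VPN client, both before and after changing the SSL setting, and compare the result for the `http://` entry.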
Perform the following steps to disable the SSL requirement for the CRL directory:
- From the Administrative Tools menu, open the Internet Information Services (IIS) Manager.
- In the left pane of the IIS console, expand the server name and then expand the Sites node. Expand the Default Web Site node and click on the CertEnroll node, as seen in the figure below.