In part two of the Always On VPN guide, we will configure Active Directory, Group Policy, and server certificates.

The server side of Always On VPN consists of three components: Certificate Services, Network Policy Server (NPS), and Remote Access. If you do not have a certificate authority, a Network Policy Server, and/or a remote access server in your environment, use the generic setup link in the server configuration section. This part covers only the certificate authority setup.

This guide assumes you already have these three services deployed in your environment and only need to configure them for Always On VPN. It has been tested on Windows Server 2012 R2 and Windows Server 2016.

Always On VPN Active Directory preparation

Create three new security groups in Active Directory named something like:

  • NPS Servers
  • VPN Servers
  • VPN Users

Store these groups in a protected organizational unit (OU) or container. The default Users container works well for this. The first two groups should contain all of your NPS servers and VPN servers respectively. If you only have one of each, still add them to the group. We'll tie our configurations to groups, and configuring failover will be much easier for you later.

The third group (VPN Users) will control which users can establish a remote connection. This group, along with some later settings, will override the dial-in properties tab you can set individually on user accounts. Add a test user or your account to the VPN Users group now. Be sure to log off and log back in for that security group change to apply.

Group Policy for Always On VPN

In the Group Policy Management Console (GPMC), create and link a new Group Policy Object (GPO) to the root of your domain. Name this GPO Certificate Enrollment and do not change the security scope from Authenticated Users. Edit the GPO and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. Right-click on Certificate Services Client – Auto-Enrollment and select Properties. Change Configuration Model to Enabled and check the next two boxes. Click OK.

Certificate Auto Enrollment Properties


Repeat these same steps under User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies. Close the GPMC after finishing. Restart any client computer and log into it. Run gpresult /h Report.htm and open the resulting Report.htm file. Ensure you see the computer and user configurations you made.
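The Active Directory and Group Policy steps above, scripted in PowerShell as an added example (not part of the original article). It assumes the RSAT ActiveDirectory and GroupPolicy modules, the computer names NPS01 and VPN01, and a test account named testuser; the AEPolicy registry value is the policy setting behind the Auto-Enrollment dialog, with bits 0x1, 0x2 and 0x4 matching the three boxes you checked.

```powershell
# Added example, not from the original article. Run as an account that can
# create groups in the Users container and create/link GPOs at the domain root.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain    = Get-ADDomain
$usersPath = $domain.UsersContainer          # default Users container, protected by default

# Two groups tie the server configuration to servers, one gates user access.
foreach ($name in 'NPS Servers', 'VPN Servers', 'VPN Users') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $usersPath
    }
}

# Assumed member names; add every NPS and VPN server even if you only have one.
Add-ADGroupMember -Identity 'NPS Servers' -Members (Get-ADComputer 'NPS01')
Add-ADGroupMember -Identity 'VPN Servers' -Members (Get-ADComputer 'VPN01')
Add-ADGroupMember -Identity 'VPN Users'   -Members (Get-ADUser 'testuser')

# GPO linked at the domain root, security scope left at Authenticated Users.
$gpoName = 'Certificate Enrollment'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $domain.DistinguishedName -LinkEnabled Yes -ErrorAction SilentlyContinue

# Certificate Services Client - Auto-Enrollment for both Computer and User
# configuration. AEPolicy = 7: Enabled (0x1) + renew expired/update pending/
# remove revoked (0x2) + update certificates that use templates (0x4).
foreach ($hive in 'HKLM', 'HKCU') {
    Set-GPRegistryValue -Name $gpoName `
        -Key "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" `
        -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
}

# Show what the GPO now carries; on a client, gpresult /h Report.htm confirms
# that both the computer and the user setting applied.
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
```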

Configuring Certificate Services for Remote Access

Active Directory Certificate Services (AD CS) provides the authentication mechanism for your Always On VPN setup. It issues users or devices a certificate, so they do not have to enter an identity or password to connect to your network. If you haven't deployed AD CS in your environment already, begin with this guide, and then come back for the remaining Remote Access steps.

We will be creating three certificates in this section. Remote into your certificate authority (CA) and open the Certification Authority MMC. Expand your Certification Authority name. Then right-click on Certificate Templates and click Manage. The Certificate Templates console will open.

VPN user certificate

Right-click on the User template and select Duplicate Template. Select the General tab and name the template VPN Users. Uncheck Publish Certificate in Active Directory.

On the Security tab, add the VPN Users group you created earlier, and give it the Enroll and Autoenroll permissions. Remove Domain Users from the security tab.

On the Compatibility tab, change the first drop-down box to Windows Server 2012 R2. Change the second drop-down box to Windows 8.1 / Windows Server 2012 R2.

Changing Certificate Compatibility settings


On the Request Handling tab, uncheck Allow private key to be exported.

On the Cryptography tab, change the Provider Category to Key Storage Provider. Select Requests must use one of the following providers, and place a check next to Microsoft Platform Crypto Provider. This binds the user's private key to the device's TPM, so the certificate cannot be copied to another machine.

Configuring the Microsoft Platform Crypto Provider


Click OK and close the Certificate Templates console. Close the Certification Authority console as well. Restart the Active Directory Certificate Services service.

Reopen the Certification Authority console. Right-click on Certificate Templates and select New – Certificate Template to Issue. Choose VPN Users and click OK.

Earlier, you should have added a test user or your account to the VPN Users security group. Run gpupdate as that user. Open certmgr.msc to view the certificates issued to that user (Current User). Expand Personal\Certificates. You should now see a user certificate containing the full name of the user, issued from the VPN Users template. If you do not see it, restart once.
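Beyond confirming that the certificate exists, check that it was issued from the VPN Users template with a TPM-backed, non-exportable key, since that is the property the Request Handling and Cryptography tabs were meant to enforce. Added example, not from the original article; run it as the enrolled user on a domain-joined client with PowerShell 5.1, and it assumes the template name resolves to VPN Users in the certificate's template extension.

```powershell
# Added example, not from the original article. Finds the newest certificate
# issued from the VPN Users template and reports where its private key lives.
$templateName = 'VPN Users'
$expectedKsp  = 'Microsoft Platform Crypto Provider'   # the TPM-backed KSP
$tmplOid      = '1.3.6.1.4.1.311.21.7'                 # Certificate Template Information

$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $tmplOid }
    $ext -and ($ext.Format($false) -like "*$templateName*")
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No certificate from template '$templateName' found; run gpupdate /force and retry."
}

# CNG (Key Storage Provider) keys are not exposed through .PrivateKey; ask
# .NET for the RSA handle, which is an RSACng object for KSP-held keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
    throw 'Private key is not held by a Key Storage Provider; recheck the Cryptography tab.'
}

$provider = $rsa.Key.Provider.Provider   # KSP name that holds the key
$export   = $rsa.Key.ExportPolicy        # CngExportPolicies; None = not exportable

[pscustomobject]@{
    Subject      = $cert.Subject
    Template     = $templateName
    Provider     = $provider
    ExportPolicy = $export
    OK           = ($provider -eq $expectedKsp) -and ($export -eq 'None')
}
```

If Provider shows the Microsoft Software Key Storage Provider instead, the client either has no usable TPM or enrolled before the template change; revoke that certificate and re-enroll after fixing the cause.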

Issuing the VPN User certificate


NPS and VPN server certificates

Open the Certification Authority console on your CA again. Right-click on Certificate Templates and select Manage to open the Certificate Templates console. Right-click on the RAS and IAS Server template and select Duplicate Template.

On the General tab, change the template Display name to NPS Servers.

On the Security tab, add the NPS Servers security group you created earlier and give this group the Enroll and Autoenroll permissions. Remove the RAS and IAS Servers group from the permissions list.

On the Compatibility tab, change the first drop-down box to Windows Server 2012 R2. Change the second drop-down box to Windows 8.1 / Windows Server 2012 R2. Click OK. Ensure your NPS server(s) are members of the security group you created earlier.

Before we issue the NPS Servers certificate, we will also create the VPN Server certificate. In the Certificate Templates console, right-click on the RAS and IAS Server template again. Select Duplicate Template.

On the General tab, change the template display name to VPN Servers.

On the Extensions tab, select Application Policies and click Edit. Click Add and select IP Security IKE intermediate. Click OK.

Enabling the IP Security IKE extension


On the Security tab, add the VPN Servers security group you created earlier. Only give this group the Enroll permission. Do not give this group any other permissions. Remove the RAS and IAS Servers group from the Security tab.

On the Subject Name tab, select Supply in the request and click OK on the warning message. Your VPN server will typically use a certificate subject name (its public DNS name) that differs from the fully qualified domain name (FQDN) of the machine. This is why we can't let the VPN server autoenroll itself.

On the Compatibility tab, change the first drop-down box to Windows Server 2012 R2. Change the second drop-down box to Windows 8.1 / Windows Server 2012 R2. Click OK and close the Certificate Templates console. Close the Certification Authority console as well. Restart the Active Directory Certificate Services service.

Open the Certification Authority console. Right-click on Certificate Templates and select New – Certificate Template to Issue. Select your NPS Servers certificate. Do the same thing for your VPN Servers certificate.

Enrolling the NPS and VPN server certificates

Restart the server(s) in the NPS Servers security group. Launch certlm.msc on the NPS server, and check the Personal certificate store for the NPS Servers certificate you issued.

The NPS Servers certificate template issued to NPS


Restart the VPN server once. On the VPN server, you will need to enroll the certificate manually. Launch certlm.msc. Under Personal, right-click on Certificates and select Request new Certificate.

Click Next until you see the Request Certificates page, and then check the VPN Servers certificate box. Click the More information is required link to enter the certificate Subject name. Set the Type to Common Name and enter the external DNS name clients would use to connect to your VPN server. For example, you could use vpn.yourdomain.com.

Below the Subject name, set the Alternative Name type to DNS and enter the Subject value. Finish the Request New Certificate wizard. You should now see the certificate listed in the Personal certificate store. The intended purpose of the certificate should list the IP security Internet Key Exchange (IKE), and the Certificate template should match your VPN Servers template name.
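The manual request above can also be done with the built-in Get-Certificate cmdlet, which takes the same three inputs as the wizard (template, subject supplied in the request, and a DNS alternative name) and then lets you check the issued certificate for the IKE purpose and the name you expect. Added example, not from the original article; it assumes the template name (not the display name) is VPNServers, uses vpn.yourdomain.com as a placeholder public name, and must be run elevated on the VPN server after the template has been issued.

```powershell
# Added example, not from the original article. Enrolls the VPN server
# certificate and verifies the properties the wizard walkthrough describes.
$templateName = 'VPNServers'            # assumed template name of 'VPN Servers'
$publicName   = 'vpn.yourdomain.com'    # external DNS name clients connect to
$ikeOid       = '1.3.6.1.5.5.8.2.2'     # IP security IKE intermediate
$tmplOid      = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information

# Subject supplied in the request, SAN of type DNS, machine Personal store.
$result = Get-Certificate -Template $templateName `
    -SubjectName "CN=$publicName" -DnsName $publicName `
    -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status $($result.Status). Check the VPN Servers group has Enroll on the template."
}
$cert = $result.Certificate

# PowerShell adds EnhancedKeyUsageList and DnsNameList to certificate objects,
# which is enough to confirm intended purpose and subject alternative name.
$ekus = $cert.EnhancedKeyUsageList.ObjectId
$sans = $cert.DnsNameList.Unicode
$tmpl = ($cert.Extensions | Where-Object { $_.Oid.Value -eq $tmplOid }).Format($false)

$checks = [ordered]@{
    'IKE intermediate purpose present' = ($ekus -contains $ikeOid)
    'SAN DNS matches public name'      = ($sans -contains $publicName)
    'Issued from VPN Servers template' = ($tmpl -like '*VPN Servers*')
    'Private key present in store'     = $cert.HasPrivateKey
    'Subject is the public name'       = ($cert.Subject -eq "CN=$publicName")
}

$checks.GetEnumerator() | ForEach-Object { '{0,-34} {1}' -f $_.Key, $_.Value }
if ($checks.Values -contains $false) {
    throw 'VPN server certificate failed a check; review the template settings before continuing.'
}
```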


The VPN Server certificate issued to the Always On server


This wraps up the initial Active Directory and Group Policy work required for an Always On VPN setup, as well as the entire internal certificate authority configuration. In the next post, we will configure the NPS rules and the Remote Access setup.