Archive for 2013

20 ideas to make money online



A cash cow for the enterprising, the Internet is littered with opportunities to make a fast buck. While it rarely qualifies as a solitary source of income, the Net can easily help you supplement it. However, the amount you earn depends on the time and effort invested. Go through these 20 options and find out which ones work for you.

Blogging
If you're a passionate closet writer who wants to be published but can't find a way to do so, make each keystroke your way to wealth by penning your own blog. Starting a blog doesn't require extensive technical skills but it's important that you have expertise in the field you are writing on. This will attract visitors to your site. Building a large following will enable you to earn profit by luring advertisers, writing paid reviews or getting commissions for promoting other people's products.

Paid Writing
If maintaining a blog is difficult for you but you still want to indulge your passion for writing, you can write articles for other blogs or sites such as Weblogs, Helium or PayPerPost. Writing an e-book can also be a good option. E-books are investment free, with no cost for printing and shipping. If you have a strong command of language, you can become a copy editor, where Webmasters will pay you to read articles and correct grammatical errors, sentence fragments, etc.

e-tuitions/Webinars
The demand for tutors is high and growing. So, if you like helping others learn, e-teaching could be the earning ticket for you. All you need to become an online tutor is expertise in your subject and a few spare hours per week. TutorVista, e-tutor, SmartThinking and Tutor.com are some of the sites you can enroll with. If you gain a good reputation as a coach, you could even conduct Webinars: lectures or seminars transmitted over the Net. College and university students are willing to pay to gain entry to a well-respected Webinar.

Affiliate/Reseller
For those who have the knack of selling, one of the best ways to make money online is to become an affiliate/reseller. An affiliate is a person who gets a commission for selling every product that he promotes, whether on his Website or through any other avenue such as eBay. You don't have to own the product. You only need to sign up for an affiliate program with a company and start selling its products under your referral link. Firms such as Commission Junction or Click Bank have a large pool of products.

Buying/Selling domains
Buying and selling domain names is another way to make money from home and requires very little investment or time. You can buy domains at their registration prices or even cheaper and trade them at a profit. However, always research sites such as sedo.co.uk, afternic.com, ebay.com or other domain auction sites to get an estimate of the hottest-selling names. The best way to find good ones is to use expired-domain lists, which contain many lapsed names that are back in the pool.

Freelancing for Professionals
Freelancing is a great option for professionals who are experts in their respective trades and know how to ensure customer satisfaction. Various freelancing and project-oriented sites allow companies that need help to describe their projects. Freelancers and small businesses offer bids, ideas or proposals, from which the buyers can choose what they find most suitable. Websites such as Elance cover everything from programming and writing to data entry and design, while RentACoder focuses on software programming.

Advertising
You can sell space on your Website or blog for advertisements and you earn when these ads are clicked by visitors to your site. The sorting and placing of ads is free. The profitability of pay-per-click advertising depends on the traffic level of the Website and, most importantly, on the clickthrough rate and cost per click. Google AdSense is the most popular option, while others are BidVertiser, Text Link Ads and Blogads. Direct banner and RSS feed are some other forms of online advertising.

GPT Programme
GPT or Get-paid-to sites are becoming increasingly popular among teens. You get paid for signing up for free Websites and newsletters, playing games and filling out online surveys. These are suitable for people who don't have a skill set but want to earn extra money. Taking online surveys is simple: register with a few legitimate, paid survey sites and answer questions. The topics range from shopping to politics. This might not help you make a living, but you can earn good pocket money. Contests2win is one of the trusted GPT Websites.

Online Marketing
Once a Website is created and optimised for search engines (SEO), the SEM or Search Engine Marketing begins. A treasure trove lies hidden here. An SEO/SEM expert, who is responsible for marketing a Website, can promote it in various ways. These include article marketing, writing press releases, forum posting, blog posting, submitting the site to directories and search engines, social bookmarking, etc. Most companies don't do this in-house and will pay you to conduct the SEM for them.

Making themes
As more and more people seek an online presence, the demand for Website templates and WordPress (Blog) themes will keep increasing. If you are good at Web designing and coding, you can earn a lot from designing Web themes. In this segment, there are mainstream Websites, such as TemplateMonster and ThemeForest, which act as a marketplace where you can sell your themes. Templates are sold and priced depending on the rights and features that are bundled with them.

Selling photos
If you enjoy photography and are good with a camera, you could be sitting on a huge reserve of revenue. There are people who will be interested in your collection of images. Nowadays, it's easy to take your photos to the public, providing a convenient way to build a secondary income stream. Many stock photo agencies, such as Fotolia, Dreamstime and Shutterstock, offer incentives for people to earn from their photos.

Support & service
Writing code for other Webmasters or fixing their issues is another great way to earn extra bucks. There are simple jobs ranging from adding a script to setting up sites, but knowledge of Web coding is essential. One can offer support for Web CMSs (content management systems) like Drupal or Joomla. Once you are comfortable with your own installation, you can help other people set theirs up and configure them.

Stock/forex trading
Joining the stock/forex market may seem a bit risky. However, you can start small and continue researching till you gain experience in this area. Once you do, it will be easy to earn from exchanging foreign currencies and/or stocks. Their rates fluctuate depending on supply and demand, and economic and political influences in the world. The aim of any trader is to spot which currency/stock is likely to rise or fall in value against another. The more time you put in, the more you will earn.

Selling your own brand
If you have a flair for designing cool images, don't bother about creating your own inventory. As long as your design can be printed on a product, you can pocket some money. You can upload designs on various Websites such as CafePress, and if somebody orders these designs, the company will print them and distribute the products. It could be designs for T-shirts, hats, bags, books, posters, calendars, greeting cards, etc. You will receive a commission for each sale. Other such sites include Lulu and Zazzle.

Virtual Assistant
Small businesses always need help in running their processes, but may not be willing to hire a full-time employee. As a virtual assistant, you are expected to perform practically any administrative task that a traditional secretary or assistant would, such as make travel reservations, handle expense reimbursements or pay bills. You can do it from the comfort of your home, interacting with clients either online or by phone. Your expertise will decide how much moolah you rake in.

Inbound call centre
Many companies facing space constraints, especially those in metro cities, prefer to hire workers outside their offices or outsource certain processes. You can set up an inbound call centre at home to handle such jobs. Research different companies that are outsourcing their work, as they may have opportunities for inbound call centre agents. You can work for more than one company. This can be either a part-time or full-time engagement, depending on your need.

YouTube
If there's a dramatic performer hidden inside you who craves applause and adulation, upload yourself to YouTube. You can be a filmmaker, musician or comedian who wants a wider audience. Your earnings will come from ads displayed on your video page. This process is similar to the pay-per-click advertising program common to other Websites and blogs. Sites such as Flixya and Mediaflix can be helpful in this regard.

Researching for others
Don't be morose if you can't write, design or code. Lack of talent cannot stop you from making money online. If you're willing to work hard for a few hours a week, you can take up simple research jobs for other people who don't have the time to do it themselves. You could search for opportunities in organisations that provide funding for research and offer to assist them through online investigation.

Building Applications
With smartphones gaining popularity, the demand for their applications, or apps as they are popularly known, has also shot up. There are over 3 million apps for the iPhone and over a million apps in Google's Android market. Most of these are selling like hot cakes. Developing and selling your own smartphone app is becoming a lucrative way to make money on the Internet. Apps cost virtually nothing to develop and entail no storage or shipping costs. So they enjoy the best profit margins.

Transcription
Medical transcription involves making written copies of oral material dictated by doctors or other medical experts. These may include history and physical reports, clinical notes, consultation notes, reports, letters, psychiatric evaluation and so on. The dictated material needs to be transcribed swiftly and accurately, which is the most challenging aspect of the job. To become a medical transcriptionist, you need to have a good knowledge of medical terminology and a high typing speed along with accuracy.
Saturday, December 28, 2013

Top Ten Penetration Testing Linux Distributions



1. The mamma, or best known, of the Linux pentesting distros is BackTrack. It has a very cool strapline: “The quieter you become, the more you are able to hear.” That just sounds cool.

BackTrack is based on the ever-popular Ubuntu. The pentesting distro used to be available only in a KDE environment, but GNOME was added as an option with the release of BackTrack v5. For those working in information security or intrusion detection, BackTrack is one of the most popular pentesting distros and can run from a live CD or flash drive. The distribution is suited to wireless cracking, exploitation, web application assessment, learning, or social-engineering a client.
Here is a list of some of the awesome tools available in BackTrack 5r3 (the latest release).
To identify Live Hosts:
dnmap – Distributed NMap
address6 – IPv6 address conversion tool
Information Gathering Analysis (Social Engineering)
Jigsaw – Grabs information about company employees
Uberharvest – Email harvester
sslcaudit – SSL Cert audit
VoIP honey – VoIP Honeypot
urlcrazy – Detects URL typos used in typosquatting, URL hijacking and phishing
Web Crawlers
Apache_users – Apache username enumerator
Deblaze – Performs enumeration and interrogation against Flash remote end points
Database Analysis
Tnscmd10g – Allows you to inject commands into Oracle
BBQSQL – Blind SQL injection toolkit
* If you are interested in Database Security see our Hacker Halted summary here.
Bluetooth Analysis
Blueranger – Uses link quality to locate Bluetooth devices
Vulnerability Assessment
Lynis – Scans systems & software for security issues
DotDotPwn – Directory Traversal fuzzer
Exploitation Tools
Netgear-telnetable – Enables Telnet console on Netgear devices
Terminator – Smart Meter tester
Htexploit – Tool to bypass standard directory protection
Jboss-Autopwn – Deploys JSP shell on target JBoss servers
Websploit – Scans & analyses remote systems for vulnerabilities
Wireless Exploitation Tools
Bluepot – Bluetooth honeypot
Spooftooph – Spoofs or clones Bluetooth devices
Smartphone-Pentest-Framework
Fern-Wifi-cracker – Gui for testing Wireless encryption strength
Wi-fihoney – Creates fake APs using all encryption types and monitors them with Airodump
Wifite – Automated wireless auditor
Password Tools
Creddump
Johnny
Manglefizz
Ophcrack
Phrasendresher
Rainbowcrack
Acccheck
smbexec

2. Like BackTrack, NodeZero is an Ubuntu-based distro used for penetration testing. It uses the Ubuntu repositories, so every time Ubuntu releases a patch for its bugs you are also notified of system updates or upgrades. NodeZero used to be famous for its inclusion of the THC IPv6 Attack Toolkit, which includes tools like alive6, detect-new-ip6, dnsdict6, etc., but I think that these days BackTrack 5r3 also includes these tools.

Whereas BackTrack is touted as a “run-everywhere” distro, i.e. one you run live, NodeZero Linux (which can also be run live) states that the distro's real strength comes from a hard install. NodeZero, in their own words, believe that a penetration tester “requires a strong and efficient system [achieved by using] a distribution that is a permanent installation, that benefits from a strong selection of tools, integrated with a stable Linux environment.” Sounds cool. Ever tried it? Let us know in the comments below.

3. BackBox is getting more popular by the day. Like BackTrack and NodeZero, BackBox Linux is an Ubuntu-based distribution developed to perform penetration tests and security assessments. The developers state that the intention with BackBox is to create a pentesting distro that is fast and easy to use. BackBox does have a pretty concise looking desktop environment and seems to work very well. Like the other distros BackBox is always updated to the latest stable versions of the most often used and best-known ethical hacking tools through repositories.
BackBox has all the usual suspects for forensic analysis, documentation and reporting, and reverse engineering, with tools like ettercap, john, metasploit, nmap, the Social Engineering Toolkit, sleuthkit, w3af, wireshark, etc.

4. Yes, as the name clearly suggests, this is yet another distro that is based on Ubuntu. Here is a list of Security and Penetration Testing tools – or rather categories available within the Blackbuntu package, (each category has many sub categories) but this gives you a general idea of what comes with this pentesting distro: Information Gathering, Network Mapping, Vulnerability Identification, Penetration, Privilege Escalation, Maintaining Access, Radio Network Analysis, VoIP Analysis, Digital Forensic, Reverse Engineering and a Miscellaneous section. This list is hardly revolutionary but the tools contained within might be different to the other distros.

5. This is a live Linux distro that has been pre-configured with some of the best open source and free tools that focus on testing and attacking websites. (The difference with the Samurai Web Testing Framework is that it focuses on attacking, and therefore being able to defend, websites.) The developers outline four steps of a web pen-test. These steps are incorporated within the distro, which contains the necessary tools to complete each task.
Step 1: Reconnaissance – Tools include Fierce domain scanner and Maltego.
Step 2: Mapping – Tools include WebScarab and ratproxy.
Step 3: Discovery – Tools include w3af and burp.
Step 4: Exploitation – Tools include BeEF, AJAXShell and much more.

Of interest as well, the Live CD also includes a pre-configured wiki, set up to be a central information store during your pen-test.
The Samurai Web Testing Framework is a live Linux distro that focuses on web application vulnerability research and web pentesting within a “safe environment” – i.e. so you can ethically hack without violating any laws. This is a pentesting distro recommended for penetration testers who want to combine network and web app techniques.

6. This distro is based on Debian and originated in Germany. It is built for the i486 architecture and runs the following desktops: GNOME, KDE, LXDE and also Openbox. Knoppix has been around for a long time now – in fact I think it was one of the original live distros.
Although Knoppix is primarily designed to be used as a live CD, it can also be installed on a hard disk. The STD in the Knoppix name stands for Security Tools Distribution. The Cryptography section is particularly well known in Knoppix.


7. Pentoo is a security-focused live CD based on Gentoo. In their own words, “Pentoo is Gentoo with the pentoo overlay.” So, if you are into Gentoo then this is the distro for you. Their homepage lists some of their customized tools and kernel features, including: a hardened kernel with aufs patches, a backported Wi-Fi stack from the latest stable kernel release, module loading support à la Slax, the XFCE4 window manager, and CUDA/OpenCL cracking support with development tools.


8. This penetration distribution is built from Debian Squeeze and uses Fluxbox for its desktop environment. It is particularly well adjusted for Wi-Fi hacking since it contains many wireless tools. Here is a quick summary of WEAKERTH4N’s tool categories: Wifi attacks, SQL Hacking, Cisco Exploitation, Password Cracking, Web Hacking, Bluetooth, VoIP Hacking, Social Engineering, Information Gathering, Fuzzing, Android Hacking, Networking and Shells.



9. This Linux distro is, I believe, the first security distribution based directly on Debian (after WEAKERTH4N?); if I am wrong please comment below! There are 300 security tools to work with, grouped into “arsenals”. The arsenals allow for penetration testing, ethical hacking, system and network administration, security testing, vulnerability analysis, cyber forensics investigations, exploiting, cracking and data recovery. The last category, data recovery, doesn’t seem to be prevalent in the other distros.


10. The latest version is DEFT 7, which is based on the new Linux kernel 3 and the DART (Digital Advanced Response Toolkit). This distro is more oriented towards computer forensics and uses LXDE as its desktop environment and WINE for executing Windows tools under Linux. The developers (based in Italy) hope that their distro will be used by the military, police, investigators, IT auditors and professional penetration testers. DEFT is an abbreviation for “Digital Evidence & Forensic Toolkit”.


11. A reader of our blog suggested adding CAINE, which we duly have. CAINE stands for Computer Aided Investigative Environment, and like many information security products and tools, it is an Italian GNU/Linux live distribution. CAINE offers a comprehensive forensic environment that is organized to integrate existing software tools as software modules, all presented within a friendly graphical interface. CAINE states three objectives: to ensure that the distro works in an interoperable environment that supports the digital investigator during the four phases of the digital investigation; to provide a user-friendly graphical interface; and to provide a semi-automated compilation of the final forensic report. As you would likely expect, CAINE is fully open source.

12. Bugtraq is another reader-submitted pentesting distro. Based on the 2.6.38 kernel, this distro offers a really wide range of penetration and forensic tools. Like most of the others in this list, Bugtraq can be hard-installed or, obviously, run as a live DVD or from a USB drive. Bugtraq claims to have recently configured and updated the kernel for better performance, but also, importantly, so that it can recognize more hardware, including wireless injection patches for pentesting. The team at Bugtraq seem solid because they are clearly making an effort to get the kernel to work with more hardware – something on which the other distributions don’t always place enough importance.

Some of the special features included with Bugtraq (as stated) are an expanded range of supported wireless injection drivers (i.e. not just the usual Alfa rtl8187), a patched 2.6.38 kernel and a solid installation of the usual suspects: Nessus, OpenVAS, Greenbone, Nod32, Hashcat, Avira etc.
Unique to Bugtraq (as claimed on their site) is the ability, or better said the ease, of deleting tracks and backdoors. Just from having read about Bugtraq I’m really glad that I can add it to the list because it just sounds like a job well done. If you are interested in any of the following pentesting and forensic categories, then do go and check out Bugtraq: Malware, Penetration Shield, Web audit, Brute force attack, Communication and Forensics Analytics, Sniffers, Virtualizations, Anonymity and Tracking, Mapping and Vulnerability detection.
Quick Summary: You can’t go wrong with any Ubuntu-based distro. BackTrack does the job well but I guess, of course, it’s all personal – i.e. does the distro do the job for you? Every penetration tester has a lean towards a particular tool or tool-set. Frankly they are all good, and it would be prudent to use several of these pentesting distros as live versions. For Wi-Fi hacking WEAKERTH4N is likely your better friend, whilst to stay within the law, use Samurai.
Bugtraq looks really good – the team behind it seems to have taken considerable time to tick all the boxes. Once we test it I’ll update the post.
Here is a list of other distros (which we think are still alive and kicking – please correct us if we are wrong).
Other Distros
Damn Vulnerable Linux (reader comment: more of an operating system for attacking purposes)
Hakin9 (an educational and training distro that you can use to play-along with when subscribing to the Hacking Magazine Hak9)
Helix
nUbuntu
Network Security Toolkit (NST)
OWASP Labrat
Frenzy
grml
Ophcrack
FCCU
OSWA Assistant
Russix
Chaox-NG
GnackTrack
Katana
Securix-NSM
Auditor
And here is a list of distros that, regrettably, have passed on to Linux Heaven.
KCPentrix
Protech
FIRE
Arudius
INSERT
Local Area Security (LAS)
NavynOS
Operator
PHLAK
PLAC
SENTINIX
Talos
ThePacketMaster
Trinux
WarLinux
Whoppix
WHAX
HeX
Stagos FSE
SNARL

Specifications for CAT5, CAT6 and CAT6e Cables

Category 5, 5e, 6, and 6e are progressively enhanced specifications for Ethernet over twisted-pair cables. These networking cables contain several pairs of wires twisted together in order to reduce signal interference. Ethernet cables typically use an 8P8C (eight positions, eight contacts) modular connector and a common wiring scheme specified by the Telecommunications Industry Association.




    Category 5

    • Category 5 transmits at 100MHz frequencies, providing a rated line speed of up to 100Mbit/s and a max cable segment length of 100 meters. Most Category 5 cables, designed for early networks, only used two twisted pairs. Older Category 5 cables continue to make up the bulk of the world’s network infrastructure.

    Category 5e

    • An improved specification to Category 5 was later introduced. By reducing noise and signal interference, Category 5e was capable of increasing rated transfer speeds to 350 Mbit/s over 100 meters. The new standard also required all cables to include four twisted pairs (all eight contacts). An optimized encoding scheme allows up to 50-meter lengths of Category 5e cable to perform at, or near, Gigabit Ethernet (1000BASE-T) speeds.

    Category 6

    • The mainstream adoption of Gigabit Ethernet (1000BASE-T) required new industry-standard cables capable of transmitting at a higher frequency of 250 MHz. Category 6 cable uses thicker-gauge wire, increased shielding, and more pair twists per inch to reduce signal noise and interference. The tighter specifications guarantee that 100-meter runs of Category 6 are capable of 1000 Mbit/s transfer speeds. 10-Gigabit Ethernet speeds are achievable when reducing cable lengths to less than 50 meters.

    Category 6e

    • Category 6 Enhanced (6e) is an augmented specification designed to double transmission frequency to 500 MHz. By wrapping Category 6e in grounded foil shielding, full 10-Gigabit Ethernet speeds can be reached without sacrificing the max cable length of 100 meters.

    Ethernet Cable Wiring Specification

    • All Ethernet cables use either the T568A or T568B wiring standard. Mixing multiple cables is permitted, but using a different wiring standard on each end of a single cable will result in an Ethernet crossover cable.
      T568A
      Pin 1 – White/Green – Pair 3, tip
      Pin 2 – Green – Pair 3, ring
      Pin 3 – White/Orange – Pair 2, tip
      Pin 4 – Blue – Pair 1, ring
      Pin 5 – White/Blue – Pair 1, tip
      Pin 6 – Orange – Pair 2, ring
      Pin 7 – White/Brown – Pair 4, tip
      Pin 8 – Brown – Pair 4, ring
      T568B
      Pin 1 – White/Orange – Pair 2, tip
      Pin 2 – Orange – Pair 2, ring
      Pin 3 – White/Green – Pair 3, tip
      Pin 4 – Blue – Pair 1, ring
      Pin 5 – White/Blue – Pair 1, tip
      Pin 6 – Green – Pair 3, ring
      Pin 7 – White/Brown – Pair 4, tip
      Pin 8 – Brown – Pair 4, ring
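The two pin tables above can be turned into a short script that shows why a cable terminated T568A on one end and T568B on the other becomes a crossover cable, and which pairs are swapped. This is an added example, not part of the original article; the pin tables are copied from the lists above, and the assumption that 100BASE-TX uses only pins 1, 2, 3 and 6 (two pairs) is mine, not the article's.

```python
# Added example (not from the original article): model the T568A and T568B
# pin assignments listed above and work out what happens when a cable is
# terminated with a different standard on each end.
from typing import Dict, List, Set, Tuple

# pin -> (wire colour, pair number, tip/ring), exactly as listed in the article
PinTable = Dict[int, Tuple[str, int, str]]

T568A: PinTable = {
    1: ("White/Green", 3, "tip"),
    2: ("Green", 3, "ring"),
    3: ("White/Orange", 2, "tip"),
    4: ("Blue", 1, "ring"),
    5: ("White/Blue", 1, "tip"),
    6: ("Orange", 2, "ring"),
    7: ("White/Brown", 4, "tip"),
    8: ("Brown", 4, "ring"),
}

T568B: PinTable = {
    1: ("White/Orange", 2, "tip"),
    2: ("Orange", 2, "ring"),
    3: ("White/Green", 3, "tip"),
    4: ("Blue", 1, "ring"),
    5: ("White/Blue", 1, "tip"),
    6: ("Green", 3, "ring"),
    7: ("White/Brown", 4, "tip"),
    8: ("Brown", 4, "ring"),
}

STANDARDS: Dict[str, PinTable] = {"T568A": T568A, "T568B": T568B}

# Pins that carry 100BASE-TX (two pairs); 1000BASE-T drives all eight.
# This mapping is an assumption added here, not stated in the article.
FAST_ETHERNET_PINS: Set[int] = {1, 2, 3, 6}


def validate(name: str) -> bool:
    """Sanity-check a pin table: eight pins, eight distinct colours, and each
    of the four pairs contributing exactly one tip and one ring conductor."""
    table = STANDARDS[name]
    if set(table) != set(range(1, 9)):
        return False
    if len({colour for colour, _, _ in table.values()}) != 8:
        return False
    for pair in range(1, 5):
        roles = sorted(role for _, p, role in table.values() if p == pair)
        if roles != ["ring", "tip"]:
            return False
    return True


def pin_map(end_a: str, end_b: str) -> Dict[int, int]:
    """Follow every conductor (identified by its colour) from end A to end B
    and return {pin on A: pin on B}."""
    colour_to_pin_b = {colour: pin for pin, (colour, _, _) in STANDARDS[end_b].items()}
    return {pin: colour_to_pin_b[colour] for pin, (colour, _, _) in STANDARDS[end_a].items()}


def cable_type(end_a: str, end_b: str) -> str:
    """Straight-through when every pin lands on the same pin number at the far end."""
    mapping = pin_map(end_a, end_b)
    return "straight-through" if all(a == b for a, b in mapping.items()) else "crossover"


def swapped_pairs(end_a: str, end_b: str) -> List[int]:
    """Pair numbers whose conductors arrive on different pin positions at the far end."""
    table_a = STANDARDS[end_a]
    return sorted({table_a[a][1] for a, b in pin_map(end_a, end_b).items() if a != b})


def supports_gigabit(connected_pins: Set[int]) -> bool:
    """A cable with only the two 100BASE-TX pairs wired cannot carry 1000BASE-T,
    which needs all four pairs (all eight contacts)."""
    return connected_pins == set(range(1, 9))


if __name__ == "__main__":
    for name in STANDARDS:
        print(name, "valid:", validate(name))
    print("A-A:", cable_type("T568A", "T568A"))
    print("A-B:", cable_type("T568A", "T568B"), "swapped pairs:", swapped_pairs("T568A", "T568B"))
    print("A->B pin map:", pin_map("T568A", "T568B"))
    print("two-pair Cat5 gigabit capable:", supports_gigabit(FAST_ETHERNET_PINS))
```

Running it shows that pins 4, 5, 7 and 8 (pairs 1 and 4) are identical in both standards, so only pairs 2 and 3 (pins 1/2 and 3/6) cross over; that is exactly the transmit/receive swap an Ethernet crossover cable is built to provide.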
Wednesday, December 18, 2013

Chassis

Alternatively referred to as the computer case, and sometimes as the system unit or base unit, the chassis is the housing that helps protect and organize all the components that make up your computer. The picture to the right shows an empty computer chassis.

Why do we need a computer case?
Most people overlook the computer case as just a box, but it provides the important features listed below.

• Structure - The case is what holds everything together in a compact and organized fashion.
• Protection - Without the case, each of the sensitive components within the computer would be vulnerable to dirt, foreign objects, kids, animals, and electrical interference.
• Cooling - The case helps keep air flowing properly over all components, which keeps everything cool and running properly.
• Noise - Many computers and components have fans that generate noise. Keeping those components within a confined case reduces the overall noise.
• Aesthetics - Although some may disagree, most people would rather look at the case than at all the circuit boards, wires, and other components of a computer.


Monday, December 16, 2013
1U - 7U
The 1U, 2U, 3U, 4U, 5U, 6U and 7U are all different sizes of rackmount server; the U following the number is short for unit. The number indicates the size of the rackmount, 1U being the smallest and 7U the biggest. Below is a listing of each of the different units and their dimensions; although the width and height of a rackmount may be standard, the depth may vary, as can be seen below. If your rackmount server is going to be placed in a constrained area, it's best to verify the exact dimensions with the manufacturer. The picture to the right, courtesy of Dell Inc., shows some Dell PowerEdge servers as examples of different rackmount units.

Unit   Dimension (W x H x D)
1U     19" x 1.75" x 17.7"
       19" x 1.75" x 19.7"
       19" x 1.75" x 21.5"
2U     19" x 3.5" x 17.7"
       19" x 3.5" x 20.9"
       19" x 3.5" x 24"
3U     17.1" x 5.1" x 25.5"
4U     19" x 7" x 17.8"
       19" x 7" x 26.4"
5U     19" x 8.34" x 19.67"
       19.1" x 8.75" x 26.4"
6U     19" x 10.5" x 19.5"
7U     17" x 12.2" x 19.8"
Most colocation providers and ISPs accept 1U, 2U or 5U chassis; however, it is still a good idea to check with whoever is going to host your server to verify what they support and at what cost.


Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This guide provides detailed information about how you can use five computers to create a test lab with which to configure and test virtual private network (VPN) remote access with the Microsoft® Windows® XP Professional operating system with Service Pack 2 (SP2) and the 32-bit versions of the Microsoft Windows Server™ 2003 operating system with Service Pack 1 (SP1). These instructions are designed to take you step-by-step through the configuration required for a Point-to-Point Tunneling Protocol (PPTP) connection, a Layer Two Tunneling Protocol (L2TP) with Internet Protocol security (L2TP/IPsec) connection, and a VPN connection that uses certificate-based Extensible Authentication Protocol-Transport Level Security (EAP-TLS) authentication.
Note
The following instructions are for configuring a test lab using a minimum number of computers. Individual computers are needed to separate the services provided on the network and to show the desired functionality clearly. This configuration is designed to reflect neither best practices nor a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed to work only on a separate test lab network.

Setting Up the Test Lab for PPTP, L2TP/IPsec, and EAP-TLS Remote Access VPN Connections

The infrastructure for the VPN test lab network consists of five computers performing the following services:
  • A computer running Windows Server 2003 with SP1, Enterprise Edition, named DC1 that is acting as a domain controller, a Domain Name System (DNS) server, a Dynamic Host Configuration Protocol (DHCP) server, and a certification authority (CA).
  • A computer running Windows Server 2003 with SP1, Standard Edition, named IAS1 that is acting as a Remote Authentication Dial-In User Service (RADIUS) server.
  • A computer running Windows Server 2003 with SP1, Standard Edition, named IIS1 that is acting as a Web and file server.
  • A computer running Windows Server 2003 with SP1, Standard Edition, named VPN1 that is acting as a VPN server. VPN1 has two network adapters installed.
  • A computer running Windows XP Professional with SP2 named CLIENT1 that is acting as a VPN client.
The following diagram shows the configuration of the VPN test lab.
VPN-based Remote Access Test Lab Configuration
There is a network segment representing a corporate intranet and a network segment representing the Internet. All computers on the corporate intranet are connected to a common hub or Layer 2 switch. All computers on the Internet are connected to a separate common hub or Layer 2 switch. Private addresses are used throughout the test lab configuration. The private network of 172.16.0.0/24 is used for the intranet. The private network of 10.0.0.0/24 is used for the simulated Internet. Windows Firewall is set up and configured on the RADIUS server (IAS1), the Web and file server (IIS1), and the client computer (CLIENT1). Windows Firewall should not be turned on or configured on either the domain controller (DC1) or the VPN server (VPN1). In addition, the Windows Firewall/Internet Connection Sharing (ICS) service should be disabled on VPN1.
IIS1 obtains its IP address configuration using DHCP. CLIENT1 uses DHCP for its IP address configuration; however, it is also configured with an alternate IP configuration so that it can be placed on either the intranet network segment or the simulated Internet. All other computers have a manual IP address configuration. There are no Windows Internet Name Service (WINS) servers present.
To reconstruct this test lab, configure the computers in the order presented, beginning with the PPTP-based remote access VPN connection. Additional sections of this guide describe L2TP/IPsec-based and EAP-TLS-based remote access VPN connections.

PPTP-based Remote Access VPN Connections

The following sections describe how to set up and configure each of the computers in the test lab for a PPTP-based remote access VPN connection. PPTP is typically used when there is no public key infrastructure (PKI) to issue computer certificates that are required for L2TP/IPsec connections.

DC1

DC1 is a computer running Windows Server 2003 with SP1, Enterprise Edition, that is providing the following services:
  • A domain controller for the example.com Active Directory® domain.
  • A DNS server for the example.com DNS domain.
  • A DHCP server for the intranet network segment.
  • The enterprise root certification authority (CA) for the example.com domain.
Note
Windows Server 2003 with SP1, Enterprise Edition, is used so that autoenrollment of user certificates for EAP-TLS authentication can be configured. This is described in the "EAP-TLS-based Remote Access VPN Connections" section of this guide.

Configure DC1
  1. Install Windows Server 2003 with SP1, Enterprise Edition, as a stand-alone server.
  2. Configure the TCP/IP protocol with the IP address of 172.16.0.1 and the subnet mask of 255.255.255.0.
Configure DC1 as a domain controller
  1. To start the Active Directory Installation Wizard, click Start, click Run, type dcpromo, and then click OK.
  2. In the Welcome to the Active Directory Installation Wizard dialog box, click Next.
  3. In the Operating System Compatibility dialog box, click Next.
  4. Verify that Domain controller for a new domain option is selected, and then click Next.
  5. Verify that Domain in a new forest is selected, and then click Next.
  6. Verify that No, just install and configure DNS on this computer is selected, and then click Next.
  7. On the New Domain Name page, type example.com, and then click Next.
  8. On the NetBIOS Domain Name page, confirm that the Domain NetBIOS name is EXAMPLE, and then click Next.
  9. Accept the default Database and Log Folders directories, as shown in the following figure, and then click Next.
    Active Directory Database and Log Folders
  10. In the Shared System Volume dialog box, shown in the following figure, verify that the default folder location is correct. Click Next.
    Active Directory Shared System Volume
  11. On the Permissions page, verify that the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems check box is selected, as shown in the following figure. Click Next.
    Active Directory Setup Permissions
  12. On the Directory Services Restore Mode Administration Password page, leave the passwords blank, and then click Next.
  13. Review the information that appears on the Summary page, and then click Next.
    Active Directory Setup Summary
  14. On the Completing the Active Directory Installation Wizard page, click Finish.
  15. When prompted to restart the computer, click Restart Now.
Raise the domain functional level
  1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder, and then right-click the domain computer dc1.example.com.
  2. Click Raise Domain Functional Level, select Windows Server 2003 on the Raise Domain Functional Level page, and then click Raise, as shown in the following figure.
    Raise Domain Functional Level dialog box
Install and configure DHCP
  1. In Control Panel, double-click Add or Remove Programs, and then install DHCP as a Networking Services component.
  2. Open the DHCP snap-in from the Administrative Tools folder.
  3. Click Action, and then click Authorize to authorize the DHCP service.
  4. In the console tree, right-click dc1.example.com, and then click New Scope.
  5. On the Welcome page of the New Scope Wizard, click Next.
  6. On the Scope Name page, type CorpNet in Name. This is shown in the following figure.
    Scope Name
  7. Click Next. On the IP Address Range page, type 172.16.0.10 in Start IP address, 172.16.0.100 in End IP address, and 24 in Length. This is shown in the following figure.
    IP Address Range
  8. Click Next. On the Add Exclusions page, click Next.
  9. On the Lease Duration page, click Next.
  10. On the Configure DHCP Options page, click Yes, I want to configure DHCP options now. This is shown in the following figure.
    Configure DHCP Options
  11. Click Next. On the Router (Default Gateway) page, click Next.
  12. On the Domain Name and DNS Servers page, type example.com in Parent domain. Type 172.16.0.1 in IP address, and then click Add. This is shown in the following figure.
    Domain Name and DNS Servers
  13. Click Next. On the WINS Servers page, click Next.
  14. On the Activate Scope page, click Yes, I want to activate this scope now. This is shown in the following figure.
    Activate Scope
  15. Click Next. On the Completing the New Scope Wizard page, click Finish.
Install Certificate Services
  1. In Control Panel, double-click Add or Remove Programs, and then install the Certificate Services component as an enterprise root CA with the name Example CA.
  2. Select Enterprise root CA, as shown in the following figure, and then click Next.
    CA Type
  3. Type Example CA for the Common name for this CA, as shown in the following figure, and then click Next.
    CA Identifying Information
  4. Click Next to accept the default Certificate Database Settings shown in the following figure.
    Certificate Database Settings
  5. Click Finish.
Add computers, users, and groups to the domain
  1. Open the Active Directory Users and Computers snap-in.
  2. In the console tree, open example.com.
  3. Right-click Users, point to New, and then click Computer.
  4. In the New Object - Computer dialog box, type IAS1 in Computer name. This is shown in the following figure.
    New Object - Computer
  5. Click Next. In the Managed dialog box, click Next. In the New Object - Computer dialog box, click Finish.
  6. Use steps 3 through 5 to create additional computer accounts with the following names: IIS1, VPN1, and CLIENT1.
  7. In the console tree, right-click Users, point to New, and then click User.
  8. In the New Object - User dialog box, type VPNUser in First name, and type VPNUser in User logon name. This is shown in the following figure.
    New Object - User
  9. Click Next.
  10. In the New Object - User dialog box, type a password of your choice in Password and Confirm password. Clear the User must change password at next logon check box and select the Password never expires check box. This is shown in the following figure.
    New Object - User password
  11. In the New Object - User dialog box, click Finish.
  12. In the console tree, right-click Users, point to New, and then click Group.
  13. In the New Object - Group dialog box, type VPNUsers in Group name, and then click OK. This is shown in the following figure.
    New Object - Group name
  14. In the details pane, double-click VPNUsers.
  15. Click the Members tab, and then click Add.
  16. In the Select Users, Contacts, Users, or Groups dialog box, type vpnuser in Enter the object names to select. This is shown in the following figure.
    Select Users, Contacts, Computers, or Groups
  17. Click OK. In the Multiple Names Found dialog box, click OK. The VPNUser user account is added to the VPNUsers group. This is shown in the following figure.
    VPN Users Properties
  18. Click OK to save changes to the VPNUsers group.

IAS1

IAS1 is a computer running Windows Server 2003 with SP1, Standard Edition, that is providing RADIUS authentication, authorization, and accounting for VPN1.
Configure IAS1 as a RADIUS server
  1. Install Windows Server 2003 with SP1, Standard Edition, as a member server named IAS1 in the example.com domain.
  2. For the intranet local area connection, configure the TCP/IP protocol with the IP address of 172.16.0.2, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
  3. In Control Panel, double-click Add or Remove Programs, and then install Internet Authentication Service as a Networking Services component.
  4. Open the Internet Authentication Service snap-in from the Administrative Tools folder.
  5. Right-click Internet Authentication Service, and then click Register Server in Active Directory. When the Register Internet Authentication Server in Active Directory dialog box appears, click OK. This is shown in the following figure.
    Register IA Service in Active Directory
  6. In the console tree, right-click RADIUS Clients, and then click New RADIUS Client.
  7. On the Name and Address page of the New RADIUS Client wizard, for Friendly name, type VPN1. In Client address (IP or DNS), type 172.16.0.4. This is shown in the following figure.
    New RADIUS Client
  8. Click Next. On the Additional Information page of the New RADIUS Client wizard, for Shared secret, type a shared secret for VPN1, and then type it again in Confirm shared secret. This is shown in the following figure.
    New RADIUS Client - Additional Information
  9. Click Finish.
  10. In the console tree, right-click Remote Access Policies, and then click New Remote Access Policy.
  11. On the Welcome to the New Remote Access Policy Wizard page, click Next.
  12. On the Policy Configuration Method page, type VPN remote access to intranet in Policy name. This is shown in the following figure.
    Policy Configuration Method
  13. Click Next. On the Access Method page, select VPN. This is shown in the following figure.
    Access Method
  14. Click Next. On the User or Group Access page, click Group. This is shown in the following figure.
    User or Group Access
  15. Click Add. In the Select Groups dialog box, click Locations, select example.com as the location, and then click OK.
  16. Type vpnusers in Enter the object names to select. This is shown in the following figure.
    Select Groups - Object Names
  17. Click OK. The VPNUsers group in the example.com domain is added to the list of groups on the User or Group Access page. This is shown in the following figure.
    User or Group Access - Group
  18. Click Next. On the Authentication Methods page, the Microsoft Encrypted Authentication version 2 (MS-CHAPv2) authentication protocol is selected by default. This is shown in the following figure.
    Authentication Methods
  19. Click Next. On the Policy Encryption Level page, clear the Basic encryption and Strong encryption check boxes, leaving only Strongest encryption selected. This is shown in the following figure.
    Policy Encryption Level
  20. Click Next. On the Completing the New Remote Access Policy page, click Finish.
Configure Windows Firewall on IAS1
  1. In Control Panel, double-click Windows Firewall.
  2. In the Windows Firewall dialog box, click the Exceptions tab.
  3. Click Add Port, and in the Add a Port dialog box add the following port exceptions:
    Note
    You must click Add Port on the Exceptions tab for each port exception.

    Name                    Port Number   Protocol
    Legacy RADIUS           1645          UDP
    Legacy RADIUS           1646          UDP
    RADIUS Accounting       1812          UDP
    RADIUS Authentication   1813          UDP
  4. Verify that the four port exceptions that you added are selected on the Exceptions tab, as shown in the following example.
    IAS Firewall exceptions
  5. Click the Advanced tab, and then click Settings for Security Logging.
  6. In the Log Setting dialog box, select Log dropped packets and Log successful connections. Note the path and file name in Name.
    The log file allows you to see where connection errors occur, as well as which source and destination ports the errors occurred on. This log file should provide you with the information needed in case you need to add more ports to the exception list.
  7. Click OK twice to close Windows Firewall.
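The security log enabled in step 6 is the practical check for the port exceptions above. The following is an added example in Python, not part of the original guide: it parses the W3C-style pfirewall.log that Windows Firewall writes, using the column order from its #Fields header, and lists dropped inbound traffic by protocol and destination port, separating ports that already have an exception on IAS1 from ports that have none. The log lines are constructed for this example.

```python
"""Audit dropped inbound packets in a Windows Firewall log (pfirewall.log)
against the RADIUS port exceptions configured on IAS1.

Added example, not from the original guide. The log format follows the
"#Fields:" header that Windows Firewall writes (version 1.5); the sample
lines below are constructed for this example.
"""
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample of a pfirewall.log, as produced when "Log dropped packets"
# and "Log successful connections" are both selected in Log Settings.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2013-11-07 09:12:01 DROP UDP 172.16.0.4 172.16.0.2 1032 1812 88 - - - - - - - RECEIVE
2013-11-07 09:12:01 DROP UDP 172.16.0.4 172.16.0.2 1032 1812 88 - - - - - - - RECEIVE
2013-11-07 09:12:05 OPEN UDP 172.16.0.2 172.16.0.1 1051 53 0 - - - - - - - -
2013-11-07 09:12:08 DROP TCP 172.16.0.4 172.16.0.2 1040 135 48 S 912345 0 16384 - - - RECEIVE
2013-11-07 09:12:09 DROP ICMP 172.16.0.4 172.16.0.2 - - 60 - - - - 8 0 - RECEIVE
2013-11-07 09:12:11 DROP UDP 172.16.0.4 172.16.0.2 1033 1813 64 - - - - - - - RECEIVE
"""

# The four exceptions added on IAS1's Exceptions tab, as (protocol, port).
IAS1_EXCEPTIONS = {("UDP", 1645), ("UDP", 1646), ("UDP", 1812), ("UDP", 1813)}

PortKey = Tuple[str, int]


@dataclass(frozen=True)
class FirewallEvent:
    date: str
    time: str
    action: str             # DROP, OPEN, CLOSE, ...
    protocol: str           # UDP, TCP, ICMP
    src_ip: str
    dst_ip: str
    src_port: Optional[int]  # None when the column is "-" (for example ICMP)
    dst_port: Optional[int]
    path: str               # RECEIVE or SEND for dropped packets, "-" otherwise


def _port(value: str) -> Optional[int]:
    """Convert a port column to int; "-" (no port) becomes None."""
    return int(value) if value.isdigit() else None


def parse_log(lines: Iterable[str]) -> List[FirewallEvent]:
    """Parse pfirewall.log lines using the column order from the #Fields header."""
    fields: Optional[List[str]] = None
    events: List[FirewallEvent] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        events.append(FirewallEvent(
            date=rec["date"], time=rec["time"], action=rec["action"],
            protocol=rec["protocol"], src_ip=rec["src-ip"], dst_ip=rec["dst-ip"],
            src_port=_port(rec["src-port"]), dst_port=_port(rec["dst-port"]),
            path=rec["path"],
        ))
    return events


def audit_drops(events: Iterable[FirewallEvent],
                exceptions: set) -> Tuple[Dict[PortKey, int], Dict[PortKey, int]]:
    """Count dropped inbound packets per (protocol, destination port).

    Returns (covered, missing): ports that already have an exception but still
    show drops (check that the exception is selected on the Exceptions tab), and
    ports with no exception at all (candidates for the list if the traffic is expected).
    """
    counts: Counter = Counter(
        (e.protocol, e.dst_port) for e in events
        if e.action == "DROP" and e.path == "RECEIVE" and e.dst_port is not None
    )
    covered = {k: n for k, n in counts.items() if k in exceptions}
    missing = {k: n for k, n in counts.items() if k not in exceptions}
    return covered, missing


if __name__ == "__main__":
    # Pass the path noted in Log Settings (for example %windir%\pfirewall.log);
    # with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            events = parse_log(fh)
    else:
        events = parse_log(SAMPLE_LOG.splitlines())
    covered, missing = audit_drops(events, IAS1_EXCEPTIONS)
    for label, table in (("exception exists, still dropped", covered),
                         ("no exception configured", missing)):
        for (proto, port), n in sorted(table.items()):
            print(f"{label}: {proto}/{port} dropped {n} time(s)")
```

Dropped ICMP entries carry no port and are left out of the per-port counts; only the Exceptions tab's port and program entries are being checked here.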

IIS1

IIS1 is a computer running Windows Server 2003 with SP1, Standard Edition, and Internet Information Services (IIS). It is providing Web and file server services for intranet clients. To configure IIS1 as a Web and file server and to configure Windows Firewall on IIS1, perform the following steps.
Configure IIS1 as a Web and file server
  1. Install Windows Server 2003 with SP1, Standard Edition, as a member server named IIS1 in the example.com domain.
  2. In Control Panel, double-click Add or Remove Programs, and then install Internet Information Services (IIS) as a subcomponent of the Application Server component in the Windows Components Wizard.
  3. On IIS1, use Windows Explorer to create a new share for the root folder of drive C using the share name ROOT with the default permissions.
  4. To determine whether the Web server is working correctly, run Internet Explorer on IAS1. If the Internet Connection Wizard prompts you, configure Internet connectivity for a LAN connection. In Internet Explorer, in Address, type http://IIS1.example.com/iisstart.htm. You should see a message saying the Web site is under construction.
  5. To determine whether file sharing is working correctly, on IAS1, click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the root folder of drive C on IIS1.
Configure Windows Firewall on IIS1
  1. In Control Panel, double-click Windows Firewall.
  2. In the Windows Firewall dialog box, click the Exceptions tab.
  3. Select File and Print Sharing, and then click Add Program.
  4. In the Add a Program dialog box, select Internet Explorer, and then click OK.
  5. Click Add a Port.
  6. In the Add a Port dialog box, type World Wide Web Publishing Service for the Name, type 80 for the Port number, select TCP as the type of traffic processed by the port, and then click OK.
  7. Verify that File and Print Sharing, Internet Explorer, and World Wide Web Publishing Service are all selected in the Exceptions dialog box, and then click the Advanced tab.
  8. Click Settings for Security Logging.
  9. In the Log Setting dialog box, select Log dropped packets and Log successful connections. Note the path and file name in Name.
  10. Click OK twice to close Windows Firewall.

VPN1

VPN1 is a computer running Windows Server 2003 with SP1, Standard Edition, that is providing VPN server services for Internet-based VPN clients.
Configure the VPN server
  1. Install Windows Server 2003 with SP1, Standard Edition, as a member server named VPN1 in the example.com domain.
  2. Open the Network Connections folder.
  3. For the intranet local area connection, rename the connection to CorpNet. For the Internet local area connection, rename the connection to Internet. This is shown in the following figure.
    Network Connections
  4. Configure the TCP/IP protocol for the CorpNet connection with the IP address of 172.16.0.4, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1.
  5. Configure the TCP/IP protocol for the Internet connection with the IP address of 10.0.0.2 and the subnet mask of 255.255.255.0.
Windows Firewall and Routing and Remote Access cannot run simultaneously on VPN1. If Windows Firewall is turned on, you will need to turn it off; if the Windows Firewall/Internet Connection Sharing (ICS) service has started or is set to automatic before you configure Routing and Remote Access, you must disable it.
Disable the Windows Firewall/Internet Connection Sharing (ICS) service
  1. Click Administrative Tools, and then click Services.
  2. In the Services details pane, right-click Windows Firewall/Internet Connection Sharing (ICS) service, and then click Properties.
  3. If the service Startup Type is either Automatic or Manual, change it to Disabled.
  4. Click OK to close the Windows Firewall/Internet Connection Sharing (ICS) dialog box, and then close the Services page.
Configure Routing and Remote Access
  1. Run the Routing and Remote Access snap-in from the Administrative Tools folder.
  2. In the console tree, right-click VPN1, and then click Configure and Enable Routing and Remote Access.
  3. On the Welcome to the Routing and Remote Access Server Setup Wizard page, click Next.
  4. On the Configuration page, Remote access (dial-up or VPN) is selected by default. This is shown in the following figure.
    Configuration
  5. Click Next. On the Remote Access page, select VPN. This is shown in the following figure.
  6. Click Next. On the VPN Connection page, click the Internet interface in Network interfaces. This is shown in the following figure.
    VPN Connection
  7. Click Next. On the IP Address Assignment page, Automatically is selected by default. This is shown in the following figure.
    IP Address Assignment
  8. Click Next. On the Managing Multiple Remote Access Servers page, click Yes, set up this server to work with a RADIUS server. This is shown in the following figure.
    Managing Multiple Remote Access Servers
  9. Click Next. On the RADIUS Server Selection page, type 172.16.0.2 in Primary RADIUS server and the shared secret in Shared secret. This is shown in the following figure.
    RADIUS Server Selection
  10. Click Next. On the Completing the Routing and Remote Access Server Setup Wizard page, click Finish.
  11. You are prompted with a message describing the need to configure the DHCP Relay Agent. This is shown in the following figure.
    Routing and Remote Access dialog box
  12. Click OK.
  13. In the console tree, open VPN1 (local), then IP Routing, and then DHCP Relay Agent. Right-click DHCP Relay Agent, and then click Properties.
  14. In the DHCP Relay Agent Properties dialog box, type 172.16.0.1 in Server address. This is shown in the following figure.
    DHCP Relay Agent Properties
  15. Click Add, and then click OK.

CLIENT1

CLIENT1 is a computer running Windows XP Professional with SP2 that is acting as a VPN client and gaining remote access to intranet resources across the simulated Internet.
Configure Client1 as a VPN client for a PPTP connection
  1. Connect CLIENT1 to the intranet network segment.
  2. On CLIENT1, install Windows XP Professional with SP2 as a member computer named CLIENT1 of the example.com domain.
    Note
    Installing Windows XP Professional with SP2 also installs and automatically turns on Windows Firewall. Leave Windows Firewall turned on for this scenario. You will not need to configure any port or program exceptions.

  3. Add the VPNUser account in the example.com domain to the local Administrators group.
  4. Log off and then log on using the VPNUser account in the example.com domain.
  5. In Control Panel, open the Network Connections folder, open the properties of the Local Area Network connection, and then open the properties of Internet Protocol (TCP/IP).
  6. Click the Alternate Configuration tab, and then click User configured.
  7. In IP address, type 10.0.0.1. In Subnet mask, type 255.255.255.0. This is shown in the following figure.
    Internet Protocol (TCP/IP) Properties
  8. Click OK to save changes to the TCP/IP properties. Click OK to save changes to the Local Area Network connection.
  9. Shut down the CLIENT1 computer.
  10. Disconnect CLIENT1 from the intranet network segment, and connect it to the simulated Internet network segment.
  11. Restart CLIENT1 and log on using the VPNUser account.
  12. On CLIENT1, in Control Panel, open the Network Connections folder.
  13. In Network Tasks, click Create a new connection.
  14. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
  15. On the Network Connection Type page, click Connect to the network at my workplace. This is shown in the following figure.
    Network Connection Type
  16. Click Next. On the Network Connection page, click Virtual Private Network connection. This is shown in the following figure.
    Network Connection
  17. Click Next. On the Connection Name page, type PPTPtoCorpnet in Company Name. This is shown in the following figure.
    Connection Name
  18. Click Next. On the VPN Server Selection page, type 10.0.0.2 in Host name or IP address. This is shown in the following figure.
    VPN Server Selection
  19. Click Next. On the Connection Availability page, click Next.
  20. On the Completing the New Connection Wizard page, click Finish. The Connect PPTPtoCorpnet dialog box appears. This is shown in the following figure.
    Connect PPTPtoCorpnet
  21. Click Properties, and then click the Networking tab.
  22. On the Networking tab, in Type of VPN, click PPTP VPN. This is shown in the following figure.
    PPTPtoCorpnet Properties
  23. Click OK to save changes to the PPTPtoCorpnet connection. The Connect PPTPtoCorpnet dialog box appears.
  24. In User name, type example\VPNUser. In Password, type the password you chose for the VPNUser account.
  25. Click Connect.
  26. When the connection is complete, run Internet Explorer.
  27. If prompted by the Internet Connection Wizard, configure it for a LAN connection. In Address, type http://IIS1.example.com/iisstart.htm. You should see a message saying the Web page is under construction.
  28. Click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the local drive (drive C) on IIS1.
  29. Right-click the PPTPtoCorpnet connection, and then click Disconnect.

L2TP/IPsec-based Remote Access VPN Connections

L2TP/IPsec-based remote access VPN connections require computer certificates on the VPN client and the VPN server. L2TP/IPsec is typically used when there are stronger requirements for security and a public key infrastructure (PKI) is in place to issue computer certificates to VPN clients and servers.

DC1

Configure DC1 for autoenrollment of computer certificates
  1. Open the Active Directory Users and Computers snap-in.
  2. In the console tree, double-click Active Directory Users and Computers, right-click the example.com domain, and then click Properties.
  3. On the Group Policy tab, click Default Domain Policy, and then click Edit.
  4. In the console tree, open Computer Configuration, open Windows Settings, open Security Settings, open Public Key Policies, and then open Automatic Certificate Request Settings. This is shown in the following figure.
    Group Policy Object Editor
  5. Right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
  6. On the Welcome to the Automatic Certificate Request Setup Wizard page, click Next.
  7. On the Certificate Template page, click Computer. This is shown in the following figure.
    Certificate Template
  8. Click Next. On the Completing the Automatic Certificate Request Setup Wizard page, click Finish. The Computer certificate type now appears in the details pane of the Group Policy Object Editor snap-in. This is shown in the following figure.
    Group Policy Editor
  9. Type gpupdate at a command prompt to update Group Policy on DC1.

VPN1

Update Group Policy on VPN1
  • To immediately update Group Policy and request a computer certificate, type gpupdate at a command prompt.
After updating VPN1 with the new certificates, you need to stop and restart the IPsec Policy Agent and Routing and Remote Access services.
Restart IPsec Policy Agent and Routing and Remote Access
  1. Click Start, point to Administrative Tools, and then click Services.
  2. In the details pane, point to IPSEC Services, point to Action, and then click Restart.
  3. In the details pane, point to Routing and Remote Access, point to Action, and then click Restart.

CLIENT1

To obtain a computer certificate on CLIENT1 and then configure an L2TP/IPsec-based remote access VPN connection, perform the following steps.
Obtain a computer certificate and configure an L2TP/IPsec-based remote access VPN connection
  1. Shut down the CLIENT1 computer.
  2. Disconnect CLIENT1 from the simulated Internet network segment, and connect it to the intranet network segment.
  3. Restart CLIENT1 and log on using the VPNUser account. The computer and user Group Policy is automatically updated.
  4. Shut down CLIENT1.
  5. Disconnect CLIENT1 from the intranet network segment, and connect it to the simulated Internet network segment.
  6. Restart CLIENT1 and log on using the VPNUser account.
  7. On CLIENT1, in Control Panel, open the Network Connections folder.
  8. In Network Tasks, click Create a new connection.
  9. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
  10. On the Network Connection Type page, click Connect to the network at my workplace. This is shown in the following figure.
    Group Policy Object Editor
  11. Click Next. On the Network Connection page, click Virtual Private Network connection. This is shown in the following figure.
    Network Connection
  12. Click Next. On the Connection Name page, type L2TPtoCorpnet in Company Name. This is shown in the following figure.
    Connection Name
  13. Click Next. On the Public Network page, click Do not dial the initial connection. This is shown in the following figure.
    Public Network
  14. Click Next. On the VPN Server Selection page, type 10.0.0.2 in Host name or IP address. This is shown in the following figure.
    VPN Server Selection
  15. Click Next. On the Connection Availability page, click Next.
  16. On the Completing the New Connection Wizard page, click Finish. The Connect L2TPtoCorpnet dialog box appears. This is shown in the following figure.
    Connect L2TPtoCorpnet
  17. Click Properties, and then click the Networking tab.
  18. On the Networking tab, in Type of VPN, click L2TP IPSec VPN. This is shown in the following figure.
    L2TPtoCorpnet Properties
  19. Click OK to save changes to the L2TPtoCorpnet connection. The Connect L2TPtoCorpnet dialog box appears.
  20. In User name, type example\VPNUser. In Password, type the password you chose for the VPNUser account.
  21. Click Connect.
  22. When the connection is established, run the Web browser.
  23. In Address, type http://IIS1.example.com/iisstart.htm. You should see a message saying the Web site is under construction.
  24. Click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the local drive (drive C) on IIS1.
  25. Right-click the L2TPtoCorpnet connection, and then click Disconnect.

EAP-TLS-based Remote Access VPN Connections

EAP-TLS-based remote access VPN connections require a user certificate on the VPN client and a computer certificate on the IAS server. EAP-TLS is the most secure user-level authentication protocol available for VPN connections. Locally installed user certificates, enabled in the following steps, make it easier to set up a test lab. In a production environment, it is recommended that you use smart cards, rather than locally installed user certificates, for EAP-TLS authentication.

DC1

Configure DC1 for autoenrollment of user certificates
  1. Click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in, and then click Add.
  3. Under Snap-in, double-click Certificate Templates, click Close, and then click OK.
  4. In the console tree, click Certificate Templates. All of the certificate templates will be displayed in the details pane. This is shown in the following figure.
    Console1 Certificate Templates
  5. In the details pane, click the User template.
  6. On the Action menu, click Duplicate Template.
  7. In the Template display name box, type VPNUser.
  8. Verify that the Publish Certificate in Active Directory check box is selected. This is shown in the following figure.
    Properties of New Template - General
  9. Click the Security tab.
  10. In the Group or user names list, click Domain Users.
  11. In the Permissions for Domain Users list, select the Read, Enroll, and Autoenroll check boxes so that these permissions are allowed. This is shown in the following figure.
    Properties of New Template - Security
  12. Click the Subject Name tab.
  13. Clear the Include E-mail name in subject name and E-mail name check boxes. Because you did not configure an e-mail name for the VPNUser user account, you must clear these check boxes to allow a user certificate to be issued. This is shown in the following figure.
  14. Click OK.
  15. Open the Certification Authority snap-in from the Administrative Tools folder.
  16. In the console tree, open Certification Authority, open Example CA, and then open Certificate Templates. This is shown in the following figure.
    Certificate Templates
  17. On the Action menu, point to New, and then click Certificate Template to Issue.
  18. Click VPNUser. This is shown in the following figure.
    Enable Certificate Templates VPNUser
  19. Click OK.
  20. Open the Active Directory Users and Computers snap-in.
  21. In the console tree, double-click Active Directory Users and Computers, right-click the example.com domain, and then click Properties.
  22. On the Group Policy tab, click Default Domain Policy, and then click Edit.
  23. In the console tree, open User Configuration, open Windows Settings, open Security Settings, and then open Public Key Policies. This is shown in the following figure.
    Public Key Policies
  24. In the details pane, double-click Autoenrollment Settings.
  25. Click Enroll certificates automatically. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box. Select the Update certificates that use certificate templates check box. This is shown in the following figure.
    Autoenrollment Settings Properties
  26. Click OK.

IAS1

Configure IAS1 with a computer certificate for EAP-TLS authentication
  1. Restart IAS1 to ensure that IAS1 has autoenrolled a computer certificate.
  2. Open the Internet Authentication Service snap-in.
  3. In the console tree, click Remote Access Policies.
  4. In the details pane, double-click VPN remote access to intranet. The VPN remote access to intranet Properties dialog box appears. This is shown in the following figure.
    VPN remote access to intranet Properties
  5. Click Edit Profile, and then click the Authentication tab. This is shown in the following figure.
    Edit Dial-in Profile
  6. On the Authentication tab, click EAP Methods. The Select EAP Providers dialog box appears. This is shown in the following figure.
    Select EAP Providers
  7. Click Add. The Add EAP dialog box appears. This is shown in the following figure.
    Add EAP
  8. Click Smart Card or other certificate, and then click OK.
  9. Click Edit. The Smart Card or other Certificate Properties dialog box appears. This is shown in the following figure.
    Smart Card or other Certificate Properties
  10. The properties of the computer certificate issued to the IAS1 computer are displayed. This step verifies that IAS1 has an acceptable computer certificate installed to perform EAP-TLS authentication. Click OK.
  11. Click OK to save changes to EAP providers. Click OK to save changes to the profile settings.
  12. When prompted to view help topics, click No. Click OK to save changes to the remote access policy.
These configuration changes will allow the VPN remote access to intranet remote access policy to authorize VPN connections using the EAP-TLS authentication method.

CLIENT1

Obtain a user certificate on CLIENT1, and then configure an EAP-TLS-based remote access VPN connection
  1. Shut down the CLIENT1 computer.
  2. Disconnect CLIENT1 from the simulated Internet network segment, and connect it to the intranet network segment.
  3. Restart CLIENT1 and log on using the VPNUser account. The computer and user Group Policy is automatically updated.
  4. Shut down CLIENT1.
  5. Disconnect CLIENT1 from the intranet network segment, and connect it to the simulated Internet network segment.
  6. Restart CLIENT1 and log on using the VPNUser account.
  7. On CLIENT1, in Control Panel, open the Network Connections folder.
  8. In Network Tasks, click Create a new connection.
  9. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
  10. On the Network Connection Type page, click Connect to the network at my workplace.
  11. Click Next. On the Network Connection page, click Virtual Private Network connection.
  12. Click Next. On the Connection Name page, type EAPTLStoCorpnet in Company Name.
  13. Click Next. On the Public Network page, click Do not dial the initial connection.
  14. Click Next. On the VPN Server Selection page, type 10.0.0.2 in Host name or IP address.
  15. Click Next. On the Connection Availability page, click Next.
  16. On the Completing the New Connection Wizard page, click Finish. The Connect EAPTLStoCorpnet dialog box appears. This is shown in the following figure.
    Connect EAPTLStoCorpnet
  17. Click Properties, and then click the Security tab.
  18. On the Security tab, click Advanced, and then click Settings. The Advanced Security Settings dialog box appears.
  19. In the Advanced Security Settings dialog box, click Use Extensible Authentication Protocol (EAP). This is shown in the following figure.
    Advanced Security Settings
  20. Click Properties. In the Smart Card or other Certificate Properties dialog box, click Use a certificate on this computer. This is shown in the following figure.
    Use a certificate on this computer
  21. Click OK to save changes to the Smart Card or Other Certificate dialog box. Click OK to save changes to the Advanced Security Settings. Click OK to save changes to the Security tab. The connection is immediately initiated using the installed user certificate. The first time you try to connect, it may take several attempts to successfully make a connection.
  22. When the connection is successful, run the Web browser.
  23. In Address, type http://IIS1.example.com/iisstart.htm. You should see a message saying the Web site is under construction.
  24. Click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the local drive (drive C) on IIS1.
  25. Right-click the EAPTLStoCorpnet connection, and then click Disconnect.
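Step 10 relies on IAS1 holding an acceptable computer certificate, and step 20 relies on CLIENT1 holding a user certificate that EAP-TLS will accept. The following PowerShell function is an added example, not part of the original walkthrough, and it assumes a current Windows client with PowerShell rather than the Windows XP/Server 2003-era machines the steps describe. It lists every certificate in a store and reports whether it meets the usual EAP-TLS requirements: inside its validity period, has a private key, carries the required Enhanced Key Usage, and chains to a trusted root with revocation checking. The store paths and EKU OIDs in the usage lines are assumptions that map onto the walkthrough's roles.

```powershell
# Added example: report which certificates in a store are usable for EAP-TLS.
# Store paths and OIDs are assumptions: 1.3.6.1.5.5.7.3.2 = Client Authentication (user cert on CLIENT1),
# 1.3.6.1.5.5.7.3.1 = Server Authentication (computer cert on IAS1).
function Test-EapTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$StorePath,   # e.g. 'Cert:\CurrentUser\My'
        [Parameter(Mandatory)][string]$RequiredEku  # EKU OID the authenticating side must present
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $problems = @()

        # 1. Validity period: EAP-TLS rejects expired or not-yet-valid certificates.
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside validity period' }

        # 2. Private key: a certificate without its key cannot sign the TLS handshake.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

        # 3. Enhanced Key Usage: read the EKU extension and look for the required OID.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        if ($ekus -notcontains $RequiredEku) { $problems += "missing EKU $RequiredEku" }

        # 4. Chain: must build to a trusted root; revocation is checked online as the peer would.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        if (-not $chain.Build($cert)) {
            $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            Suitable   = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# On CLIENT1: the user certificate selected by "Use a certificate on this computer" (step 20).
Test-EapTlsCertificate -StorePath 'Cert:\CurrentUser\My' -RequiredEku '1.3.6.1.5.5.7.3.2' | Format-Table -AutoSize

# On IAS1: the computer certificate displayed in step 10.
Test-EapTlsCertificate -StorePath 'Cert:\LocalMachine\My' -RequiredEku '1.3.6.1.5.5.7.3.1' | Format-Table -AutoSize
```

A row with Suitable = False and a chain status such as RevocationStatusUnknown or UntrustedRoot points at the CA or CRL side rather than the VPN settings, which is worth ruling out before repeating the connection attempts in step 21.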
Thursday, November 7, 2013


Copyright © 2013 Selva Sharing - Powered by Blogger - Designed by @ Access