Windows Server - Set Up SSTP or IKEv2 VPN on Server: Video Tutorial
This video follows on from our last video on how to set up a root CA with OCSP. In this video we show you how to use your self-signed root CA and then your VPN certificate to set up a maximum-encryption SSTP or IKEv2 Virtual Private Network (VPN) on Windows Server 2016. This should also work on earlier versions of Windows Server.
Transcript (machine generated so it contains errors)
In our last video we showed you how to set up our certificate authority with the OCSP service that basically checks to ensure that certificates issued by your CA (certificate authority) are still valid, et cetera, and that was a lengthy process that was there, so basically, if you're just run are some of your VPN with SSTP or IKE version 2 et cetera and you just this video, we suggest that you actually go to step one, which is the previous video, and in the description we should have the link for the previous video, okay. Please watch that, follow that first, set up your CA so that the OCSP and band. Now it's quite simple. Okay, so with all the previous having been done, what we would do is create a VPN.
Okay, so a virtual private network, okay, is where you are able to connect one PC or a lot of PCs to your server, okay, in a corporate environment under a secure encrypted system, so you could be working from home, for example, connecting into your work server, doing all the work that you need to do, and it's all done by an encrypted Internet connection using this VPN service. Now it's quite simple to set up once you've got your previous certificate thing, so what we need to do is, we'll have Server Manager here that basically get one you get to just click on the Server Manager. But we also need to now create that VPN certificate, so I'll show you how: MMC, enter in there, and then we add, okay, certificate templates. We need that one, okay. Certificates will be that one, and make sure it's computer account. Click Next, then Finish, and then certificate authority. We add that one in there; local computer is fine, click Finish. Click OK. Now we need to create that VPN certificate is cold that I can and we got certificate templates, double-click on that, and it literally is this certificate with a little bit extra, so rather than modifying this template, let's create a copy of it for a certificate template and we'll give it a name.
Let's has that go General, let's call it VPN cert. I don't make sense in the validity period. You can change that. That's fine if you want added into Active Directory box, but for what we're doing right now it's all good. Compatibility: if you want the certificates to be readable, usable by older machines, you can have that; you can have it all going for the latest version. Backwards compatibility gives you a greater number of machines that can connect, simple as that. Okay, General, then Request Handling. We want to allow private keys to be exported. We have Cryptography, that is fine; as you see, the CSP is basically all sorted. Um, Key Attestation, nothing to add in there. Issuance Requirements: okay, you could click over there, CA certificate manager needs to approve, et cetera, before it's issued, but we'll keep it as simple and straightforward as possible. So server looking to add their subject name.
This is actually because one of create search terms certificates with their all special names, we're actually gonna change the setting: rather than Active Directory generating all the data for us automatically, which may be only one, maybe not want, we're actually gonna supply the data ourselves, so supply in the request and cure… The then decided to place over their Extensions. This is the most important: we are gonna add in here server authentication, which is very important, server authentication. Okay, we're also gonna add client authentication, so add those two, and now we could make the extensions critical. We'll click OK, will clear a day on that, and now we have a VPN cert template created our way. Now we need to just go into assessment show everything running the way we want, okay, in our certificate templates in the certificate authority, but you can see it's not here, so we need to bring it in. Let's click New, Certificate Template to Issue, find our VPN cert. Click OK. So now that's part of our certificates that we can issue. We can minimise that for now, and in Personal, okay, go here, you'll see that from our previous video a few things are being created. Our root certificate was also created somewhere down nearly over there, um.
This one is actually an extra one that we don't really need with discover that, okay, and now back to Personal. Let's create our certificate, which is, sorry, go All Tasks, Request New Certificate. Click Next and you will see that we can now issue that one, but because we ticked that box where we need to add our own little bits of information, you're getting this thing, and you click on that, which gives us the chance to enter it. Now, get a common name, and this part is basically this server or whichever server is your VPN server. You can have the IP address of it, you can add the fully qualified domain name, it's entirely up to you. I'm gonna add in both, okay, in this case one and 2.1 68.0 x 5 zero, yours will obviously be different, click Add, and we're also, add a VPN server, windows 10, but conduct, click Add. Click OK, and now you'll see it's ready to be enrolled, and now this has been enrolled, nice and happy. We can finish that. Again, minimises windows closes. Windows is entirely up to you, and now we'll show you what we need to do on our, say, Windows 10 client, similar system for a Windows Server and NRA Windows eight online et cetera client also. So we are now in our Windows 10 client, and just to show that, you'll see everything is different.
Okay, you have Server Manager et cetera. All we need to do is go to Settings, getting Network. You can do it this way as well, but we won't, and this is the easier way possible find it. Click on VPN, given it to start up, there we go. Add a VPN connection, um, Windows (built-in), and give it a name. It can be anything, okay, and let's call it work, like a VPN work, can be anything. Server name or IP address: we could use both, okay, but if we're outside our workplace environment, we're at home, we would want to enter the fully qualified domain name, which is a publicly accessible name, so we're then add in VPN server are windows 10.Ninja, okay, and Secure Socket Tunnelling Protocol, which makes sure that the entire thing is encrypted. If you just left that Point-to-Point or automatic.
It will have basically your login encrypted, but then all the data is not, okay, so choosing the other ones ensures that the data is also. Then username and password, all good. Username: this I'll actually talk to you about, because the username that is set up in our Active Directory server needs a little tick for one setting to allow it to actually allow connections in, but we'll just for now put that there, add in the password, carry, click Save. It will not connect because one, we have not imported our certificates. Sorry, my mistake, as the opener HTTP car web programming and http:// and VPN server are windows 10.jar/certsrv, click Enter. It will ask for a login ID, hopefully that Kansas gone. The Bacchus it did. There we go, all right, we shall give our VPN user and password for that, click OK, to keep annual come up with this window. This window basically allows you to import the CA certificate. If we had some other things you could create certificates et cetera via the system, but all we need to do is bring in the CA. Click Install the CA certificate; it downloads. It doesn't really install it; a couple of clicks to get the install part sorted out. Click Open. Click Install Certificate, Local Machine.
Click Next. Click Yes and place it in our Trusted Root authorities, then click Next. Click Finish. Import successful, click Close, down again, minimise this. Once we have created our VPN system over here, we brought in our CA certificate. What we need to now do is basically a couple more steps on our other servers that add about those first part of the show you what still needs to be done. Back on our VPN server, okay, we need to install, next, next, next, the Remote Access role, which is very important, and this should have been done first. But that's fine. Okay, click Next. Click Next. We're using the DirectAccess and VPN and we're also clicking Routing. You could tick the last one as well, but for now, that's fine, click Install. Okay, once it has installed, we do need to set it up. Okay, so open the Getting Started Wizard, may be hiding the signal there is where are deploying VPN, and as you'll see, even though the law our next to it, it hasn't been configured, and that's why without this configuration and installing this role you will never be able to connect up to the VPN server. Again, this role was added on the VPN server itself.
So, Configure and Enable, click Next, Custom configuration. If you click the first one, you need to have two NIC cards set up; we got an account, but we haven't set the other one up, this is just for demo purposes. Okay, Custom configuration, Next. Now, you could just tick VPN access to viewing generously go the whole way down, okay. Click Next. Click Finish. That NAT ability gives you the chance to use IP addresses that are already being used elsewhere, because that will do an internal configuration. You should get a little pop-up in a minute that will basically ask to start all the services, girls, Start service. And because we have a quality of them, it can take a little bit longer than normal. Basically, let's now set up our IPv4. Actually, if you have a DHCP server set up to issue automatic addresses, then usually the first box set. If that is not the case, you need to create a few IP addresses to give out to those Windows 10 clients, et cetera, client computers, okay, so Add, and we'll just use 119 168.11 and we'll give 50 of them. So, 192.168.0.150, baht 50, and now we click over here. If you'll see, it's got Windows authentication, accounting; if you wanna set up a passphrase for L2TP, et cetera, that's fine. We need to select our certificate number use to connect, okay, ones. The root certificate in the work.
This one should work as well, because the one we created right now. Let's click Apply; it will now restart the service, and you'll see no errors happen. If you want to add IPv6 access as well, it's a fairly similar thing in acrylic prefix and then the routing and all that, but for now we've just given IPv4 access, which is the most popular one being used right now, and we'll click OK, bring that down. I did mention on our Active Directory server, for the user that we are giving permission to connect up into the VPN server, we need to tick a box, so let's quickly go over to our Active Directory server and show you that the law setting in the users set. Okay, so now we're on our Active Directory server. We'll open the Server Manager, Tools, Active Directory Users and Computers, is all basic are servers. I will set up for the purpose of the in our users we had created; you can create a separate organisational unit for a department et cetera and then put the user within that, all nice and neat, but for simplicity, we just added the user in the main Users block, and Properties, that we need again. We call them VPN user, that's his login ID as well. We need to tick this: Dial-in, Allow access, is the only thing you really need to do after you've created a user. If you don't adequately user, we'll just show you very quickly, and some new user: give a name, okay, for example, Bob, and then give a login username, click Next. Give a password. Okay, then User must change at next logon, or Password never expires.
Okay, if you ever need to stop a user accessing services, you just click on a user and click Account is disabled, the Properties, which was only those two steps, and then you come over here and then disable account. Now back to our Windows 10 client. Okay, and we're back here in our Settings, VPN, the VPN that we set up earlier, and all we really need to do is us can, as you can see the normal network that we had before has no Internet access and everything goes through our VPN. Settings, VPN connection, is a little test to make sure everything is working fine with us. Click here and go to Google, for example www.Google.co.uk.com, whatever, that's fine. And there we go. As you can see with our Internet access, everything is passing through our encrypted system and this entire traffic is encrypted. If you need to use any services, et cetera, on your work servers, you can access them via the way they're set up, et cetera, okay, so that's our VPN, okay. We just thought we'd show you how to modify the settings and also use IKE version 2.
Okay, so the first thing is, you know how we got there: right-click on your networking icon at the bottom, open Network and Sharing, click on your Ethernet, okay. We have not connected so you will not to the original system and, sorry, my mistake, Change adapter settings. This is your VPN adapter that we have set up. It's like a virtual adapter. Um, change settings on this connection, go to Security. Basic, when we set it up: it's like the secure SSTP tunnelling protocol, and it has no encryption. If the server doesn't have encryption, it will connect anyway. We suggest you click max strength, okay, click OK, and then click on VPN, click Connect. Give it a few seconds and it's connected. If you need to use IKE version 2, you just click the same thing, Security, but instead of SSTP change to IKEv2. Click OK. Click Connect, there we go. That's all done, so I hope this video helped, it's shown you how to set up the VPN certificate, out of the Derby remote access service, how to then configure all the settings, and it's also shown you how to ensure that you get maximum encryption and has shown you to use either SSTP or IKEv2. Hopefully this video helped. Have a great day and watching
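The client-side settings chosen in the video (SSTP or IKEv2 tunnel, maximum-strength encryption, all traffic through the VPN, root CA in the local machine's trusted root store) can be checked from PowerShell on the Windows 10 client. This is an added example, not part of the video or its transcript; `$RootCaSubject` is a placeholder value and the function name `Get-VpnProfileFinding` is made up for illustration.

```powershell
# Added example: audit a Windows client's VPN profiles against the video's settings.
# Placeholder subject (assumption); replace it with the subject of your own root CA.
$RootCaSubject = 'CN=EXAMPLE-ROOT-CA'

function Get-VpnProfileFinding {
    param([Parameter(Mandatory)] $Connection)

    # Any other tunnel type (Automatic, Pptp, L2tp) is not one the video configures.
    if ($Connection.TunnelType -notin @('Sstp', 'Ikev2')) {
        "TunnelType is '$($Connection.TunnelType)', expected Sstp or Ikev2"
    }
    # Below Maximum, the client may accept a weaker or unencrypted session.
    if ($Connection.EncryptionLevel -ne 'Maximum') {
        "EncryptionLevel is '$($Connection.EncryptionLevel)', expected Maximum"
    }
    # The video sends all client traffic through the tunnel.
    if ($Connection.SplitTunneling) {
        'SplitTunneling is enabled, so only some traffic uses the VPN'
    }
}

# Per-user profiles plus profiles shared by all users of the machine.
$connections = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
               @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)

$report = foreach ($c in $connections) {
    $findings = @(Get-VpnProfileFinding -Connection $c)
    [pscustomobject]@{
        Name       = $c.Name
        Server     = $c.ServerAddress
        Tunnel     = $c.TunnelType
        Encryption = $c.EncryptionLevel
        Result     = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
    }
}
$report | Format-Table -AutoSize -Wrap

# The root CA must be trusted machine-wide and still inside its validity period.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $RootCaSubject -and $_.NotAfter -gt (Get-Date) }
if (-not $root) {
    Write-Warning "No valid certificate '$RootCaSubject' in Cert:\LocalMachine\Root"
}
```

A profile that fails the encryption check can be corrected with `Set-VpnConnection -Name <profile> -EncryptionLevel Maximum`, which corresponds to the maximum-strength option selected in the adapter's Security tab.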