08 February 2012

Complete TMG VPN deployment guide Part III

Client Side Deployment steps: Windows
Continuing the series on building a TMG-based VPN that supports multiple platforms, I am going to cover the steps required to configure an SSTP VPN on Windows, first manually and then via a CMAK installer.

Since Windows supports the more secure SSTP protocol, which also has a higher chance of connecting through most firewalls, I will configure the connection to use SSTP but fall back to PPTP should SSTP fail.

Manual configuration
Create the VPN connection

  • Open Network and Sharing Centre
  • Setup a new Network connection or network
  • Connect to workplace
  • No, create a new connection
  • Use my Internet connection (VPN)
  • Internet address (for SSTP the host name must match the certificate name)
  • Destination Name is the friendly name
  • Check Don't Connect now....
  • Don't Specify a username and password
  • Finish off the wizard.

Configure Security 
From the network and Sharing centre

  • Click Change adapter Settings (top left)
  • Open the VPN properties
  • Select the Security tab
  • Type of VPN : Automatic
  • Data Encryption:  Maximum strength encryption
  • Authentication Allow these protocols - only allow MS-CHAP v2

Configure Name resolution

  • Select the Networking tab
  • Select Internet Protocol Version4 (TCP/IPv4)
  • Properties
  • Advanced
  • Select DNS tab
  • Specify your domain in the DNS suffix for this connection

Enable Proxy server

  • Open Internet Explorer
  • Tools - Internet Options
  • Select the Connections tab
  • Select the VPN connection from the "Dial up and VPN setting" section
  • Settings
  • Check Automatically detect settings
  • Check use automatic configuration script specify http://proxy.domain.com/wpad.dat

Things to be aware of:
By specifying the VPN type as Automatic we allow the connection to attempt one VPN type after the other until one works or all fail.  It starts off with IKE, followed by SSTP and then PPTP.  If you know which type works and would like to speed up the connection you can select the type explicitly.

Specifying the DNS suffix will ensure correct name resolution even if only the host name is used.  This is normally not a problem for domain joined machines, but for external parties this will make a difference.

The proxy settings specified this way are limited to that specific VPN connection.  "Automatically detect settings" will trump "Use automatic configuration script", but I include the latter as a fail-over.
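The manual steps above can also be scripted. The following is an added example, not part of the original post, and it assumes Windows 8.1 or later (where the VpnClient module and its -DnsSuffix parameter are built in; the Windows 7 UI described above has no equivalent cmdlets). The connection name, server name and DNS suffix are placeholders.

```powershell
# Added example (not part of the original post): the manual steps above, scripted.
# Assumes Windows 8.1 or later, where the VpnClient module is built in; the Windows 7
# UI the post describes has no equivalent cmdlets. Names below are placeholders.
param(
    [string]$ConnectionName = 'Corporate VPN',   # the "Destination Name" of the wizard
    [string]$ServerName     = 'vpn.domain.com',  # must match the SSTP certificate name exactly
    [string]$DnsSuffix      = 'domain.com'       # DNS suffix for this connection only
)

# Automatic tries the tunnel types in turn (IKE, then SSTP, then PPTP); use -TunnelType Sstp
# if SSTP is known to work and you want a faster connect. MS-CHAP v2 is the only method
# allowed, matching the "only allow MS-CHAP v2" setting, and no credential is stored
# because -RememberCredential is not given.
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $ServerName `
                  -TunnelType Automatic `
                  -EncryptionLevel Maximum `
                  -AuthenticationMethod MSChapv2 `
                  -DnsSuffix $DnsSuffix `
                  -Force

# Read the stored settings back before handing the machine over, so a wrong encryption
# level or authentication method is caught here rather than at the first failed logon.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod, DnsSuffix

# SSTP rides over TCP 443; a quick reachability test separates firewall problems from
# certificate or authentication problems later on.
Test-NetConnection -ComputerName $ServerName -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

The per-connection proxy settings from the Internet Explorer step have no cmdlet equivalent, so they still need the UI or the CMAK proxy file described further down.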

Connection Manager Administration Kit
All of these settings can be preset in a CMAK package and distributed as a normal .exe installation package.  This makes deployment simple and uniform.  It also allows for more advanced configuration options that may be beneficial.

Install CMAK
One thing to be aware of is that you need to use the right version of CMAK for the platform you want to deploy on: the x86 version, available on Windows 7, or the x64 version, available on Windows Server 2008 R2.

Installing on Windows 7 x86
Go to Control Panel - Programs - Turn Windows features on or off
Select RAS Connection Manager Administration Kit feature (CMAK)

Installing on Windows Server 2008 R2
Go to Server Manager - Features - Add feature
Select Connection Manager Administration Kit

Configuring a CMAK Package
Launch the CMAK from Administrative Tools
Follow the wizard and specify the same options as specified for your manual configuration.

  • Selecting the Windows 7 or Vista option enables the SSTP feature, whereas the XP option is limited to PPTP
  • Create a new profile
  • Specify a name that will be seen as the connection name
  • Specify a filename
  • Do not add a realm name
  • There should be no profiles to merge yet
  • Choose Phonebook from this profile
  • Choose Always use the same VPN server - Specify the name that matches the SSTP listener certificate.
  • Edit the VPN entry

  • From the General tab enable only IPv4 addresses
  • From the IPv4 Select Server assigns addresses
  • Check Make this connection the client's default gateway
  • Check Use IP header compression
  • From the Security tab
  • Select Try Secure Sockets Tunneling Protocol first
  • Select Maximum strength encryption
  • Check only MS-CHAP v2 as Authentication Method
  • From the Advanced tab Specify your domain as the DNS suffix for this connection
  • Continue with the wizard
  • Uncheck Automatically download phone book entries

  • Edit the Dial-up network entry 

  • (This section is not used if you change the connection type in advanced customization )
  • From the General tab select only IPv4 addresses
  • From the IPv4 Select Server assigns addresses
  • Check Make this connection the client's default gateway
  • Check Use IP header compression
  • From the Security tab
  • Select Maximum strength encryption
  • Check only MS-CHAP v2 as Authentication Method
  • From the Advanced tab Specify your domain as the DNS suffix for this connection
  • Continue the Wizard
  • Do not change the routing tables

  • Select Automatic configure proxy settings
  • Add the proxy settings file
  • Check Restore the users' previous proxy settings...

  • You will need to create this text file yourself, but it is very simple.
  • Create a text file and paste in the text below

[Automatic Proxy]
AutoConfigScript= http://proxy.domain.com/wpad.dat

(This would match the config you specified in the manual VPN connection)
  • You should not have to make any changes to the Custom Actions

It is always good to brand your CMAK connection with official corporate images so it looks more official.
Apart from the phone book bitmap, users will see and interact with all of the other graphics and icons.
(You will need a 330x140 .bmp, a 16x16 .ico and a 32x32 .ico)

  • Use the default Help File
  • Specify any additional text to be displayed on the logon screen
  • Specify a license agreement file (if you need one) or leave it blank

You can include additional files in the package if you want; these could be custom executables you might want to use with connection scripts.
  • Select Advanced Customizations
  • Select the .cms filename
  • Select the section name - Connection manager
  • Select the Key - Connection Type
  • Specify a value of 1

(This instructs the package to use a direct internet connection as opposed to using a dialup connection first before starting the VPN - think old school dial up modem)

  • Finish off the wizard.

The CMAK files are now saved in C:\Program Files\CMAK\Profiles\Windows 7 and Windows Vista\
You will only need to distribute the .exe file.  Once the exe is installed the connection should be available from the Dial-up and VPN connections

Troubleshooting SSTP Certificate Issues
Your production SSTP VPN should always use a certificate issued by a public CA.  During testing or a lab implementation one would typically use a certificate issued by the internal PKI or a self-signed certificate.

Revocation Check
The SSTP client will, by default, do a certificate revocation check during the initial negotiation phase.  If the CRL check cannot be completed successfully the connection is refused with the following error:

Error 0x80092013:  The revocation function was unable to check revocation because the revocation server was offline.

This is probably because your CRL is on an internal server that you do not have access to yet.

For lab testing you can disable this check by changing the following registry entry:

Registry subkey:

Registry entry: NoCertRevocationCheck
Data type: REG_DWORD

Change the value from 0 to 1 to disable the revocation checking.

Certificate Chain
If you are testing your SSTP client from a non-domain-joined machine and you are using an internal PKI certificate you might also run into the following problem.

Error 0x800B0109:  A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

To resolve the issue the PKI certificate(s) need to be exported and installed on the client machine, and they have to be installed in the computer certificate store.
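Before disabling the revocation check or importing CA certificates, it helps to see exactly what the SSTP listener presents on port 443 and to run the same three checks the Windows client runs: host name match, chain to a trusted root, and CRL reachability. The script below is an added example, not part of the original post; it uses only the .NET SslStream and X509Chain classes, is meant to be run from the (non-domain-joined) client, and the server name is a placeholder.

```powershell
# Added example (not part of the original post): inspect the SSTP listener's certificate
# from the client and reproduce the checks behind errors 0x800B0109 and 0x80092013.
# Assumes Windows PowerShell 3 or later; $ServerName is a placeholder.
param([string]$ServerName = 'vpn.domain.com', [int]$Port = 443)

$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($ServerName, $Port)

# Accept whatever the server sends in the callback; the inspection happens below instead.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($ServerName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $client.Close()
}

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"

# 1. Name match: the host name typed into the VPN connection must appear in the
#    certificate (a SAN DNS entry or the CN), otherwise SSTP refuses the tunnel.
$names = @()
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) {
    # Windows formats the SAN as "DNS Name=host1, DNS Name=host2"; keep the part after '='
    $names += $san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() }
}
$names += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$nameOk = $names -contains $ServerName
"Name match for '$ServerName': $nameOk   (names in certificate: $($names -join ', '))"

# 2. Chain and revocation, with the online CRL check switched on as the SSTP client has it
#    by default. UntrustedRoot here is the 0x800B0109 case (install the PKI certificates in
#    the computer store); RevocationStatusUnknown / OfflineRevocation is the 0x80092013 case
#    (the CRL distribution point is not reachable from this client).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($cert)
"Chain builds cleanly: $chainOk"
foreach ($status in $chain.ChainStatus) {
    "  $($status.Status): $($status.StatusInformation.Trim())"
}
```

If the name check fails, fix the host name in the connection (or the certificate) first; neither the registry change nor importing the root certificate will help with that error. Once a public CA certificate is in place the chain should build with no status entries at all, which is the state to confirm before turning the revocation check back on and going to production.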

Complete TMG VPN deployment guide Part I - Planning
Complete TMG VPN deployment guide Part II - Server side deployment steps
Complete TMG VPN deployment guide Part III - Configuring VPN on Windows
Complete TMG VPN deployment guide Part IV - Configuring VPN on Mac OSX
Complete TMG VPN deployment guide Part V - Configuring VPN on iOS and Android
