Configuring CLIENT1

Applies To: Windows 7, Windows Server 2008 R2

CLIENT1 is a computer running Windows 7 that functions as a remote access VPN client for the Contoso.com domain. CLIENT1 configuration consists of the following steps:

  • Install the operating system

  • Configure TCP/IP

  • Configure the VPN client with the root certificate

Note

When configuring the client, a trusted root certificate is not required when using EAP-based authentication. However, the trusted root certificate is required when computer-certificate-based authentication is used.

Install the operating system

CLIENT1 must run Windows 7.

To install Windows 7

  1. On CLIENT1, start your computer using the Windows 7 product disc. Follow the instructions that appear on your screen.

  2. When prompted for the installation type, choose Custom Installation.

  3. When prompted for the user name, type user1.

  4. When prompted for the computer name, type CLIENT1.

  5. When prompted for the computer location, choose Home.

Configure TCP/IP

Configure TCP/IP properties so that CLIENT1 has a static IP address of 131.107.0.3 for the public (Internet) connection.

To configure TCP/IP properties

  1. On CLIENT1, click Start, and then click Control Panel.

  2. Under Network and Internet, click View network status and tasks.

  3. In Network and Sharing Center, click Change adapter settings.

  4. In Network Connections, right-click Local Area Connection, and then click Properties.

  5. In the Local Area Connection Properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  6. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address. In IP address, type 131.107.0.3, and in Subnet mask, type 255.255.0.0.

  7. Click OK, and then click Close.

Configure the hosts file to have a record for VPN1. This simulates a real-world scenario in which the corporate VPN server would have a publicly resolvable host name.

To configure the hosts file

  1. On CLIENT1, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. In the User Account Control dialog box, click Continue.

  3. In the Administrator: Command Prompt window, type notepad %windir%\system32\drivers\etc\hosts, and then press ENTER.

  4. Add the following text in a new line at the end of the document:

    131.107.0.2 vpn1.contoso.com

  5. Save and close the hosts file.

Use Windows Firewall with Advanced Security to ensure that the appropriate firewall rules are enabled.

To ensure that appropriate firewall rules in Windows Firewall with Advanced Security are enabled and configured to allow connections

  1. On VPN1, click Start, type wf.msc, and then press ENTER.

  2. In the navigation tree, click Inbound Rules.

  3. In the details pane, double-click File and Printer Sharing (Echo Request - ICMPv4-In) for the Private and Public profiles.

  4. In the rule properties dialog box, under General select Enabled, under Action select Allow the connection, and then click OK.

  5. Close the Windows Firewall with Advanced Security window.

For the purposes of this test lab, a successful ping response from vpn1.contoso.com to CLIENT1 signifies that the remote user can connect to the office VPN server over the public Internet.

To use ping to verify connection to vpn1.contoso.com

  1. On CLIENT1, in the Administrator: Command Prompt window, type ping vpn1.contoso.com, and then press ENTER.

  2. Verify that you can successfully ping VPN1.

  3. Close the Command Prompt window.

Configure the VPN client with the root certificate

Install the root certificate for the CA that issued the server authentication certificate. This is required for the client computer to trust the server authentication certificate and complete the VPN connection.

To install the root certificate on the client

  1. On CLIENT1, click Start, type mmc, and then press ENTER.

  2. In the Console1 window, click File, and then click Add/Remove snap-in.

  3. Under Available snap-ins, select Certificates, and then click Add.

  4. In the Certificates snap-in dialog box, select Computer account, and then click Next.

  5. In the Select Computer dialog box, click Finish to accept the default selection of Local computer.

  6. Click OK to close the Add/Remove snap-ins dialog box.

  7. In the navigation pane, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, click All Tasks, and then click Import.

  8. On the Certificate Import Wizard welcome page, click Next.

  9. On the File to Import page, click Browse.

  10. In the File name text box, type \\vpn1.contoso.com\c$\users\administrator.contoso\desktop, and then press ENTER.

Note

This works in our lab scenario, because VPN1 has file share enabled, and the firewall is not blocking file sharing on the external network adapter. In a production environment, you would need to provide the root certificate to your client computers by using some other secure method.

  11. When asked for credentials, type contoso\administrator and Pass@word1.

Note

Because you logged in as the local administrator before you joined VPN1 to the domain, adding the domain administrator account created a separate profile that is named Administrator with the name of the domain appended.

  12. Select RootCACert from the file list, and then click Open.

  13. With the path to the certificate now complete, click Next.

  14. On the Certificate Store page, click Next to select the default value of placing the certificate in the Trusted Root Certification Authorities store.

  15. On the completion page, click Finish, and then on the successful import notice, click OK.
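
Anything placed in the Trusted Root Certification Authorities store is trusted by the whole computer, so the file should be checked before it is imported. The following PowerShell script is an added example, not part of the original guide: it compares the certificate's thumbprint with a value obtained out of band, confirms that the certificate is a self-issued CA certificate within its validity period, and only then adds it to the store. The parameter names, the local file path and the expected thumbprint are assumptions supplied by whoever runs it.

```powershell
# Added example (not from the original guide): verify a root CA certificate
# before adding it to the computer's Trusted Root Certification Authorities
# store. Run from an elevated PowerShell prompt.
param(
    # Assumption: the certificate file has already been copied to this path.
    [Parameter(Mandatory = $true)][string]$CertPath,
    # Assumption: SHA-1 thumbprint obtained from the CA administrator over a
    # separate, trusted channel (not from the same share as the file).
    [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
)
$ErrorActionPreference = 'Stop'

$file = (Resolve-Path $CertPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

# Strip spaces and invisible characters picked up when copying from a dialog.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($expected.Length -ne 40) { throw 'Expected thumbprint must be 40 hex digits.' }
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)."
}

# A root certificate is self-issued and must be marked as a CA.
# Policy choice of this example: a certificate without Basic Constraints is rejected.
if ($cert.Subject -ne $cert.Issuer) { throw 'Subject and issuer differ; not a root certificate.' }
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Basic Constraints does not mark this certificate as a CA.'
}

# Reject certificates outside their validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'Certificate is not within its validity period.'
}

# All checks passed: add to LocalMachine\Root, the store the wizard uses above.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $store.Add($cert)
} finally {
    $store.Close()
}
"Imported '$($cert.Subject)' into LocalMachine\Root."
```

Any failed check throws before the store is opened, so a mismatched or non-CA certificate is never added.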