Setting up the IAS test lab infrastructure

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Setting up the infrastructure

The infrastructure for the IAS test lab network consists of five computers performing the following services:

  • A computer running Windows Server 2003, Standard Edition that is used as both a domain controller and a Domain Name System (DNS) server. This computer is named DC1.

  • A computer running Windows Server 2003, Standard Edition that is used as a Remote Authentication Dial-in User Service (RADIUS) server. This computer is named IAS1.

  • A computer running Windows Server 2003, Standard Edition that is used as a RADIUS proxy. This computer is named IAS2.

  • A computer running Windows Server 2003, Standard Edition that is used as a VPN server. This computer is named VPN1.

  • A computer running Windows XP Professional that is used as a VPN client. This computer is named CLIENT1.

The following illustration shows the configuration of the IAS test lab.

[Figure: Configuration of the IAS test lab]

There are separate network segments representing a corporate intranet and the Internet. All computers on the corporate intranet are connected to a common hub or Layer 2 switch. All computers on the Internet are connected to a separate common hub or Layer 2 switch. Private addresses are used throughout the test lab configuration. The private network ID 172.16.0.0/24 is used for the intranet, and the private network ID 10.0.0.0/24 is used for the simulated Internet.

Each computer is manually configured with the appropriate IP address, subnet mask, and DNS server. There are no Dynamic Host Configuration Protocol (DHCP) or Windows Internet Name Service (WINS) servers present.

The following sections describe how each of the computers in the test lab is configured. To reconstruct this test lab, configure the computers in the order presented.

Note

  • The following instructions are for configuring a test lab using a minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor is it designed to reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

DC1

DC1 is a computer running Windows Server 2003, Standard Edition. It is providing the following services:

  • A domain controller for the testlab.microsoft.com domain.

  • A DNS server for the testlab.microsoft.com DNS domain.

  • A certification authority for the testlab.microsoft.com domain.

Note

  • The domain name testlab.microsoft.com is used here for example purposes only. You can use any domain name in your test lab configuration.

To configure DC1 to perform these services, perform the following steps:

  1. Install Windows Server 2003, Standard Edition as a standalone server.

  2. After restarting, log on using the local Administrator account.

  3. Configure the TCP/IP protocol with the IP address of 172.16.0.1 and the subnet mask of 255.255.255.0. For more information, see Configure TCP/IP for static addressing.

  4. At the command prompt, run dcpromo for a new domain named testlab.microsoft.com in a new forest. Install the DNS service when prompted.

  5. After restarting, log on using the Administrator account to the testlab.microsoft.com domain.

  6. Install Certificate Services as an enterprise root certification authority. For more information, see Install an enterprise root certification authority.

  7. Configure the testlab.microsoft.com domain for automatic enrollment of computer certificates. For more information, see Configure automatic certificate allocation from an enterprise CA.

IAS1

IAS1 is a computer running Windows Server 2003, Standard Edition. It is providing RADIUS authentication, authorization, and accounting for VPN1, the VPN server computer.

To configure IAS1 as a RADIUS server, perform the following steps:

  1. On DC1, add a computer account for IAS1. For more information, see Create a new computer account.

  2. Install Windows Server 2003, Standard Edition as a standalone server.

  3. After restarting, log on using the local Administrator account.

  4. Configure the TCP/IP protocol with the IP address of 172.16.0.2, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1. For more information, see Configure TCP/IP for static addressing and Configure TCP/IP to use DNS.

  5. Join IAS1 to the testlab.microsoft.com domain. For more information, see Join a domain.

  6. After restarting, log on using the Administrator account to the testlab.microsoft.com domain.

  7. Install the Internet Authentication Service. For more information, see Install IAS.

  8. Configure the IAS server to access user account properties in the testlab.microsoft.com domain. For more information, see Enable the IAS server to read user accounts in Active Directory.

  9. Install Network Monitor. For more information, see Install Network Monitor.

IAS2

IAS2 is a computer running Windows Server 2003, Standard Edition. IAS2 is a RADIUS proxy for VPN1, the VPN server computer.

To configure IAS2 as a RADIUS proxy, perform the following steps:

  1. Install Windows Server 2003, Standard Edition as a standalone server.

  2. After restarting, log on using the local Administrator account.

  3. Configure the TCP/IP protocol with the IP address of 172.16.0.3, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1. For more information, see Configure TCP/IP for static addressing and Configure TCP/IP to use DNS.

  4. Install the Internet Authentication Service. For more information, see Install IAS.

VPN1

VPN1 is a computer running Windows Server 2003, Standard Edition. It is providing VPN server services for VPN clients. To configure VPN1 as a VPN server, perform the following steps:

  1. From DC1, add a computer account for the VPN1 computer. For more information, see Create a new computer account.

  2. Install Windows Server 2003, Standard Edition as a standalone server.

  3. After restarting, log on using the local Administrator account.

  4. For the intranet local area connection, configure the TCP/IP protocol with the IP address of 172.16.0.4, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1. For more information, see Configure TCP/IP for static addressing and Configure TCP/IP to use DNS.

  5. For the Internet local area connection, configure the TCP/IP protocol with the IP address of 10.0.0.2 and the subnet mask of 255.255.255.0. For more information, see Configure TCP/IP for static addressing.

  6. Join the VPN1 computer to the testlab.microsoft.com domain. For more information, see Join a domain.

  7. After restarting, log on using the Administrator account in the testlab.microsoft.com domain.

  8. Configure and enable the Routing and Remote Access service. For more information, see Enable the Routing and Remote Access service. In the Routing and Remote Access server Setup Wizard, select Virtual private network (VPN) server from the Common Configurations dialog box. When prompted for IP address assignment, select From a specified range of addresses, and then configure the range 172.16.0.248 through 172.16.0.255. Do not configure RADIUS authentication.

CLIENT1

CLIENT1 is a computer running Windows XP Professional. It is used as a VPN client to gain remote access to intranet resources across the simulated Internet. To configure CLIENT1 as a VPN client, perform the following steps:

  1. On DC1, add a computer account for CLIENT1. For more information, see Create a new computer account.

  2. Connect CLIENT1 to the intranet network segment.

  3. On CLIENT1, install Windows XP Professional as a workgroup computer.

  4. After restarting, log on using the local Administrator account.

  5. Type gpupdate /target:computer at a command prompt to ensure that a computer certificate is installed on CLIENT1.

  6. Configure the TCP/IP protocol with the IP address of 172.16.0.5, the subnet mask of 255.255.255.0, and the DNS server IP address of 172.16.0.1. For more information, see Configure TCP/IP for static addressing and Configure TCP/IP to use DNS.

  7. Join CLIENT1 to the testlab.microsoft.com domain. For more information, see Join a domain.

  8. After restarting, log on using the Administrator account in the testlab.microsoft.com domain.

  9. Configure the TCP/IP protocol with the IP address of 10.0.0.1 and the subnet mask of 255.255.255.0. Do not configure a DNS server IP address. For more information, see Configure TCP/IP for static addressing and Configure TCP/IP to use DNS.

  10. Shut down CLIENT1, disconnect it from the intranet network segment, and then connect it to the simulated Internet network segment.

  11. Restart CLIENT1.

  12. After restarting, log on using the local Administrator account.
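
Because every address in this lab is assigned by hand, a quick check of the address plan catches typing errors before the RADIUS and VPN configuration begins. The following Python script is an added example, not part of the original documentation; the addresses come from the steps above, while the tuple layout, the function name, and the rule that Internet-side interfaces carry no DNS server are this example's assumptions.

```python
import ipaddress

INTRANET = ipaddress.ip_network("172.16.0.0/24")
INTERNET = ipaddress.ip_network("10.0.0.0/24")

# (host, segment, static IP, DNS server or None), transcribed from the steps above.
LAB_INTERFACES = [
    ("DC1", INTRANET, "172.16.0.1", None),
    ("IAS1", INTRANET, "172.16.0.2", "172.16.0.1"),
    ("IAS2", INTRANET, "172.16.0.3", "172.16.0.1"),
    ("VPN1", INTRANET, "172.16.0.4", "172.16.0.1"),
    ("VPN1", INTERNET, "10.0.0.2", None),
    ("CLIENT1 (while joining the domain)", INTRANET, "172.16.0.5", "172.16.0.1"),
    ("CLIENT1 (final)", INTERNET, "10.0.0.1", None),
]
LAB_VPN_POOL = ("172.16.0.248", "172.16.0.255")  # static pool configured on VPN1

def check_plan(interfaces, vpn_pool, dns_server="172.16.0.1"):
    """Return (errors, warnings) for a lab address plan."""
    errors, warnings, seen = [], [], {}
    for host, net, ip_text, dns in interfaces:
        ip = ipaddress.ip_address(ip_text)
        if ip not in net:
            errors.append(f"{host}: {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            errors.append(f"{host}: {ip} is not a usable host address in {net}")
        if ip in seen:
            errors.append(f"{host}: {ip} is already assigned to {seen[ip]}")
        seen.setdefault(ip, host)
        # Assumption: the lab steps set no DNS server on Internet-side interfaces.
        if net == INTERNET and dns is not None:
            errors.append(f"{host}: Internet-side interface has DNS server {dns}")
        if net == INTRANET and dns not in (None, dns_server):
            errors.append(f"{host}: DNS server {dns} is not DC1 ({dns_server})")
    first, last = (ipaddress.ip_address(a) for a in vpn_pool)
    for n in range(int(first), int(last) + 1):
        ip = ipaddress.ip_address(n)
        if ip not in INTRANET:
            errors.append(f"VPN pool address {ip} is outside {INTRANET}")
        elif ip in seen:
            errors.append(f"VPN pool address {ip} collides with {seen[ip]}")
        elif ip in (INTRANET.network_address, INTRANET.broadcast_address):
            warnings.append(f"VPN pool includes {ip}, the network or broadcast address of {INTRANET}")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = check_plan(LAB_INTERFACES, LAB_VPN_POOL)
    for line in errs + warns:
        print(line)
```

For the lab's values the check returns no errors and one warning: the last address of the VPN pool, 172.16.0.255, is the broadcast address of 172.16.0.0/24.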