postkillo.blogg.se

Cyberoam ssl vpn client server 2012














CYBEROAM SSL VPN CLIENT SERVER 2012 INSTALL

Windows 2012 Server Install and Configure RRAS for SSTP

23. Make sure that any user who wants to access the SSTP VPN has had their Dial-in set to ‘allow access’. On this server I’m simply going to disable the firewall > Start > Run > firewall.cpl > Turn Windows Firewall on or off > Set as appropriate.

22. You may want to access certificate services via HTTPS instead in a corporate environment.

21. You will see later I’m also going to use TCP 80 (normal HTTP) to access my certificate services remotely, so I’ve got that open as well. If your server does not have its own public IP address, then you may need to set up port forwarding instead. My server will ultimately have a public IP address that resolves to its public name () so I just need to allow the ports in. If yours is internet facing then you may simply want to add an exception/rules for allowing https/TCP 443.


In this example my server is behind a corporate firewall. Locate the SSTP-VPN entry > OK > Close the MMC. From the Certificate templates Folder > New > Certificate Template to Issue.

20. Add > Locate the ‘Server Authentication’ policy > OK > OK > Apply > OK > Close the Certificate Template console.

19. Extensions Tab > Select the Application Policies entry > Edit.

18. Subject Name tab > Tick ‘Supply the request’ > Click OK when prompted.

17. Request Handling tab > Tick ‘Allow private key to be exported’.

16. From the list that appears locate IPsec > Right Click > Duplicate Template. Drill down to Certificate Templates > Manage.

13. File > Add Remove Snap-in > Certificate Authority > Add > Local computer > Finish > OK.

12. Next > Next > Next > Next > Next > Next > Next > Configure > Close > Close Server Manager.

11. Select both Certificate Authority and Certificate Authority Web Enrolment > Next.

9. Add Features > Next > Next > Next > Install > Close > From the warning (top right) > Configure Active Directory Certificate Services on this server.

8. Add Features > Next > Next > Next > Tick ‘Certificate Authority Web Enrolment’.

6. From Server Manager (ServerManager.exe) > Add Roles and Features > Next > Next > Next > Select > Active Directory Certificate Services.

5. I’m going to use a ‘self signed’ certificate, if you have purchased one, then skip this section.

4. Windows Server 2012 Add Certificate Services NIC2 as you can see, does not even need a default gateway. Make sure the Internet facing NIC has good comms, and works OK.

3. On the server I have two network cards installed, the first (NIC1) is the normal network connection for the server, the second (NIC2) will be the one that the remote clients get connected to (once they have authenticated to NIC1).

2. In addition my remote VPN clients will get an IP address from my normal corporate LAN.

1. You don’t have to have the same server running SSTP/RRAS but in this lab environment that’s what I’m doing. I’ve got a Windows 2012 Server already set up, it’s a domain controller, and is running DNS.
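A check for the certificate that the template steps above produce, as an added example that is not part of the original walkthrough: it lists the certificates in the server's machine store and reports whether each one carries the Server Authentication policy, matches the VPN's public name, has its private key, is in date, and chains to a locally trusted root. The name `vpn.example.com` and the function name `Test-SstpCertificate` are assumptions, since the page does not give the server's public name.

```powershell
# Added example (not from the original post). Run on the RRAS server.
# 'vpn.example.com' is a placeholder; use the public name your SSTP clients connect to.
param(
    [string]$VpnName  = 'vpn.example.com',
    [int]   $WarnDays = 30
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the 'Server Authentication' policy

function Test-SstpCertificate {
    param($Cert, [string]$Name, [int]$WarnDays)
    $findings = @()

    # Collect the EKU OIDs; the template steps add 'Server Authentication'.
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }
    if ($ekus -notcontains $ServerAuthOid) { $findings += 'no Server Authentication EKU' }

    # Compare the name clients connect to with the CN and the DNS name .NET reports.
    $names = @($Cert.GetNameInfo('SimpleName', $false), $Cert.GetNameInfo('DnsName', $false))
    if (-not ($names | Where-Object { $_ -and ($Name -like $_) })) {
        $findings += "name does not match $Name"
    }

    if (-not $Cert.HasPrivateKey) { $findings += 'no private key on this server' }

    $now = Get-Date
    if ($Cert.NotBefore -gt $now) { $findings += 'not yet valid' }
    if ($Cert.NotAfter -lt $now) { $findings += 'expired' }
    elseif ($Cert.NotAfter -lt $now.AddDays($WarnDays)) { $findings += "expires within $WarnDays days" }

    # Chain check against the local trust store only (no revocation lookup).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) { $findings += 'chain does not build to a trusted root' }

    if ($findings.Count) { $findings -join '; ' } else { 'OK' }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        Result     = Test-SstpCertificate -Cert $_ -Name $VpnName -WarnDays $WarnDays
    }
} | Format-List
```

A certificate that reports OK here still has to chain to a CA that the remote clients trust. The template above also marks the private key as exportable, so limit who can administer this server's certificate store.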


Anyway, it’s there, I’ve been asked to do a walkthrough, so read on.

Solution


(If you think ‘that would never happen!’, try running an Exchange Server through a Cisco firewall with SMTP inspection turned on.) I can’t help feeling that the more traffic we push over ports 80 and 443, sooner or later security/firewall vendors are going to statefully inspect/block traffic that isn’t supposed to be on that port. This is not a new approach (Microsoft did it before with RPC over HTTP). Thoughts: While I can see why this is a good idea, Microsoft has basically changed some existing protocols so they work on a port that won’t be blocked by most firewalls. Traditional VPN connections require ports and protocols to be open for them to work, which makes a solution that runs over TCP port 443 attractive. This port is usually open for normal secure web traffic. SSTP gives you the ability to connect to your corporate network from any location that has an internet connection, and is not filtering https.













