Friday, 8 June 2012

Setting up Remote Access

Now I don't want to be doing this whole build via the v-Sphere client, remote desktop direct to the target machine will provide a much better experience.  That calls for a VPN. The pfSense firewall I deployed actually has FOUR different VPN servers that can be configured and deployed, unfortunately none appear to be compatible with the native Windows client (at least for now).  Although it does support site-to-site VPN which would open up some interesting possibilities if anyone wanted to replicate a similar config as this lab but for production use by duplicating the setup at two locations making it HA.
Anyway, I've decided to try out the VPN server capabilities which come as part of the Routing and Remote Access role in Windows 2008.  I therefore deployed another machine from the template naming it RSMSGRAS1.  I'll avoid going over the deployment from template and initial configuration tasks - they are no different from the DC's.  So with a prepared system I fired up the add roles wizard and selected Network Policy and Access Services.
For now I'll just be looking at installing the remote access service.  I may look at some of the more advanced functionality, such as Network Policies and Health Registration at a later point, but for now just the Remote Access Service will suffice.
From there a simple next and finish and the installer completes.
Once installed, you need to fire up the setup wizard from within Server Manager.
Although I'll just be using the VPN features, the wizard insists on two NIC's if you just select VPN, so I'll be choosing custom.
The following screen lets you select just the VPN components.
From there it's a next and finish and the wizard completes. After that, I right clicked the routing and remote access node in server manager, choosing properties then going to the IPv4 tab.  From there, as I'm not running DHCP, I configured IPv4 addresses to be assigned to clients from a static pool at the end of the 10.0.0.x range.
Now, because I don't want to be connecting over the VPN using the default Administrator account I logged onto one of the DC's, opened up dsa.msc and created a new user account.
Once the user was created I went into properties and changed the Network Access Permission to Allow access.
Next, I needed to run tthe command "netsh ras add registeredserver" from the command prompt on RSMSGRAS1.
This makes the computer account a member of the RAS and IAS Servers group in Active Directory.
Finally I needed to configure the firewall.  I configured two NAT rules against a single public IP. One for TCP port 1723, the second for GRE protocol traffic.
Then, I set up the VPN connection on my home machine.  Although the VPN connection would work fine with the option to use default gateway on remote network enabled, I wanted to ensure I could continue to access the ESXi host from my home machine with the VPN up, so disabled it. aside from that all default client settings were kept.
With the VPN connected, I tested connectivity by pinging the internal IP of the firewall ( and establishing a remote desktop connection directly to RSMSGDC01. Both tests came back fine.

No comments:

Post a Comment