
Articles from Plain Tutorials

Install and configure Routing and Remote Access on Windows Server 2008 R2
2012-07-24 10:07:56 Hao Nguyen

Configure Network Policies


The last step of configuring a VPN server on Windows Server 2008 R2 is to define a dial-in group. This is a normal global security group in Windows, and its members are allowed to connect to the VPN server. This approach simplifies control of remote access users: you only need to add a user account to this group, and that user has remote access permission.

1. I will create a global security group on my domain and name it VPN Users. Some quick screenshots for this step: right-click the appropriate container and select New --> Group.

Type in the Group Name as VPN Users, group scope as Global and Group type as Security.

Click OK to finish this step. Add accounts to this group as members. I will add my account haomnguyen and Administrator to this group. Here is the screenshot of my VPN Users group.

2. The next step is to configure the Remote Access Policy for the RRAS server. In Windows 2008 R2, Remote Access is controlled by Network Policy Service (NPS). Right-click Remote Access Logging & Policies and select Launch NPS.

3. The Network Policy Server console appears. Select the Network Policies section on the left-hand side. You should see two default policies; leave them untouched. We need to create a new policy that allows our VPN Users group to dial in.

4. Right-click Network Policies and select New.

5. Type in the policy name; anything works. I typed in Allow VPN Users group. Leave the rest as default.

6. Click Next.

7. Click Add on the Specify Conditions dialog to add a new condition. NPS supports plenty of conditions, but in this case I just need the Windows Groups condition (which supports both user and computer accounts as members).

8. Select Windows Groups and click Add...

9. Click Add Groups and browse to select the VPN Users group that you just created.

10. Click OK to go back to the Specify Conditions main screen. One condition works fine for me in this case.

11. Click Next to define the action for those clients/users that match the previous conditions. Select Access granted, because I want the members of the VPN Users group to have VPN access.

12. Click Next to go to the Authentication Method step.

13. Leave everything as default.

14. Click Next to configure Constraints.

15. You might want to configure some options here, such as Idle Timeout and Session Timeout. I won't enable these settings on my server; I just leave them as default.

16. Click Next.

17. Leave the default settings for IP settings and encryption. Your VPN server works well with all of these default configurations.

18. Click Next.

19. Click Finish.

And now you're back at the NPS main screen. You should see a new network policy named Allow VPN Users group with a green check mark. At this point your VPN is working, and it will allow any member of the VPN Users group to dial in. Connected VPN clients will have an IP in the range 192.168.200.0/24.
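
Because the policy above grants access to every member of VPN Users, the group from step 1 can be scripted and its effective membership reviewed in PowerShell. This is an added example, not part of the original tutorial; it assumes the ActiveDirectory module is available and that the domain uses the default English group name Domain Admins.

```powershell
# Added example (not from the original tutorial). Run in a domain-joined session
# that has the ActiveDirectory module (domain controller or RSAT).
Import-Module ActiveDirectory

$GroupName = 'VPN Users'                      # group created in step 1
$Members   = 'haomnguyen', 'Administrator'    # accounts the tutorial adds

# Create the Global / Security group only if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -PassThru
}

# Add only the accounts that are not already direct members.
$current = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.SamAccountName })
$missing = @($Members | Where-Object { $current -notcontains $_ })
if ($missing.Count -gt 0) {
    Add-ADGroupMember -Identity $group -Members $missing
}

# Assumption: the built-in admin group has its default English name.
$admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    ForEach-Object { $_.SamAccountName })

# Report every user the NPS policy will grant access to, nested groups included.
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate
        New-Object PSObject -Property @{
            Account       = $u.SamAccountName
            Enabled       = $u.Enabled
            DomainAdmin   = ($admins -contains $u.SamAccountName)
            LastLogonDate = $u.LastLogonDate
        }
    } |
    Sort-Object Account |
    Format-Table Account, Enabled, DomainAdmin, LastLogonDate -AutoSize
```

The report lists disabled accounts and Domain Admins members that hold dial-in rights through the group, so membership can be checked against who is meant to have remote access.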
