At the end of this tutorial, the following network topology is created:
Steps:
1. A public and a private subnet need to already be defined on the Amazon Cloud.
Both are members of the following VPC: 10.0.0.0/16
Public subnet: 10.0.0.0/24
Private subnet: 10.0.1.0/24
Route tables contains the following rules:
Public subnet:
Destination - Target
10.0.0.0/16 - local
0.0.0.0/0 - igw-xxxxx (Internet Gateway)
172.19.3.0/24 eni-xxxxx / i-xxxxx (Eth1 Network Interface of the VPN NAT Server - 10.0.0.50)
Private subnet:
Destination - Target
10.0.0.0/16 - local
0.0.0.0/0 - eni-xxxxx / i-xxxxx (Eth2 Network Interface of the VPN NAT Server - 10.0.0.52)
172.19.3.0/24 - eni-xxxxx / i-xxxxx (Eth1 Network Interface of the VPN NAT Server - 10.0.0.50)
2. Launch a new Windows Server 2012 instance on the public subnet and assign 10.0.0.50 private IP.
An Elastic IP needs to also be assigned to the new instance. An additional network interface will be added to it in order to communicate with the private subnet. Private IP for this second network interface is 10.0.0.52.
Following security rules need to be enforced:
Type - Protocol - Port Range - Source
RDP - TCP - 3389 - x.x.x.x/32 (Public IP of the Server Administrator)
HTTP - TCP - 80 - 10.0.1.10/32 (Used by the NAT server to allow Internet access for the private instances)
HTTPS - TCP - 443 - 0.0.0.0/0 (Used to connect via SSTP VPN)
3. Additionally launch a new Windows instance on the private network for testing. Assign it a private IP (e.g. 10.0.1.10) and enforce following security rules:
Type - Protocol - Port Range - Source
RDP - TCP - 3389 - 0.0.0.0/0 (Enforce this even further if only certain IPs need to access via RDP)
All ICMP - All - N/A - 0.0.0.0/0 (Enable ping on this instance)
4. Connect to the public server (Windows 2012 SSTP VPN NAT Server) and check and Install updates.
5. Add new user and Allow Dial-in (Run->lusrmgr.msc)
6. Launch Server Manager and add Active Directory Domain Services Role. Add DNS Server as well(ignore warnings) and Promote server to a new domain forest.
A good step-by-step guide on this step is here:
http://social.technet.microsoft.com/wiki/contents/articles/12370.windows-server-2012-set-up-your-first-domain-controller-step-by-step.aspx
7. Configure Certificates and SSTP VPN and NAT server.
Add Active Director Certificate Services Role. Launch Run->mmc, add Certificate Authority to the console (Ctrl+M) and create a new Certificate Template (Copy after IPSec).
Change the Template Display Name to "SSTP-VPN" under the General Tab.
Under Request Handling select "Allow private key to be exported".
Under Extensions Tab, Edit Application Policies and Add Server Authentication.
Issue the new certificate from Certificate Templates->Right Click->New->Certificate Template to Issue. Before checking SSTP-VPN Template, click More Information is required to enroll for this certificate link. Select Type as Common Name and add the Elastic IP as the Value (e.g. 54.122.23.45). Click Add.
Add Certificates(Local Computer) to the mmc Console (Ctrl+M). Under Personal Request new certificate.
Useful video on adding certificates is here:
https://www.youtube.com/watch?v=inRfk0r7Pgo
8. Next step is to add Remote Access role from Server Manager.
Launch Routing and Remote Access Manager (Run->rrasmgmt.msc) and Configure the server. Choose custom customization and select VPN and NAT.
9. Configure SSTP and NAT Server
Under Properties-> Security Tab click Authentication Methods and make sure only Microsoft encrypted authentication version 2 (MS-CHAP v2) is selected.
Under SSL Certificate Binding section select the newly added certificate (Elastic IP name).
Under IPv4 tab select Static address poll and add as many addresses starting from 172.19.3.0
Select the Adapter that has the 10.0.0.50 static IP (the one used to connect to Internet).
Check the Static Routes(Right Click-> Show IP Routing Table..) and make sure the following two are added:
10.0.0.0 255.255.255.0 10.0.0.1
0.0.0.0 255.255.255.0 10.0.0.1
Configure the NAT Server by adding all network interfaces (Internal, Ethernet and Ethernet 2). Ethernet is the Public Interface connected to the internet and has Enable NAT on this interface checked.
A good documentation with steps on configuring NAT is here:
http://followkman.com/?p=1251
10. In order to test on a client Windows Computer there is the need to first download the certificate from https://ElasticIP/certsrv
Login using Server User Credentials and Download the certificate from the above url.
Install the certificate from Run->mmc->Import Certificate. It needs to be added under Trusted Root Certification Authorities.
Under registry (Run->regedit) following registry key need to be set up:
Registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters
Registry entry: NoCertRevocationCheck
Data type: REG_DWORD
Value: 1
After installing the certificate new VPN SSTP connection needs to be created.
It should successfully connect to the AWS VPN. Going further, it should work to connect to the private instance and Internet is enabled on this instance (NAT).
I am following your blog from the beginning, it was so distinct & I had a chance to collect conglomeration of information that helps me a lot to improvise myself. I hope this will help many readers who are in need of this vital piece of information. Thanks for sharing & keep your blog updated.Regards aws jobs in hyderabad.
ReplyDeleteI recently came across your blog and have been reading along. I thought I would leave my first comment. I don’t know what to say except that I have enjoyed reading. Nice blog, I will keep visiting this blog very often.
ReplyDeletedoes it really work
Thanks a lot, Robert.
DeleteIt was really a nice post and I was really impressed by reading this
ReplyDeleteAWS Online Training