DHCPv6 Stateful Mode


IPv6 has two modes of address auto-configuration: stateless mode and stateful mode.

In stateless mode, clients obtain their IP address from router advertisement (RA) messages. While this works correctly, it doesn’t provide the client with a DNS server; that still has to come from a DHCP server. In stateless mode, all the DHCP server does is assign the client a DNS server and a domain search list.

Stateful mode is more like the old DHCPv4 way of doing things: it uses a DHCP server to hand out the IP address and some other options, like the DNS server and domain search list. The default gateway is still assigned using RA messages.

The documentation on setting up a DHCPv6 server using Windows Server 2008R2 is virtually non-existent, which is why I wanted to post about it.

Stateful mode is more appropriate for large network environments, where more control is needed to auto configure clients.

To install the DHCP(v6) server on Windows 2008R2, you just need to fire up Server Manager and add the DHCP role. Go to Roles, Add Roles, next, select DHCP Server,

dhpc1

next, next, select the network connections that the DHCP server is going to bind to, press next,

dhpc4


Now you should specify the IPv4-specific server settings, like the parent domain and preferred DNS servers; I am leaving the defaults here and press next. WINS is not required (and doesn’t even work with IPv6), next. I am not defining a DHCPv4 scope, press next, which will bring you to the DHCPv6 stateless mode screen. Here you need to disable stateless mode for this server, which allows clients to actually use the DHCP server to obtain an address,

dhcp5

in addition to the other options that are assigned in stateless mode. Press next and you will arrive at the Authorize DHCP Server screen; I accepted the defaults, press next, and finally press install and the DHCP role will be installed.

Now, before we can actually use the DHCP server, we should assign the server a fixed IPv6 address. Using Server Manager’s main page, select View Network Connections, right click the Local Area Connection, Properties, double click the IPv6 settings and set the IPv6 address to fc00:0:0:1::1 and the preferred DNS server to either ::1 (localhost) or fec0:0:0:1::1 (in my example the DNS server is also located on this server), and press OK.

We should now have a global IPv6 address. This is the IPv6 equivalent of the IPv4 global address and is directly reachable. Other types of addresses are the site-local address (FEC0), which was meant as the equivalent of the IPv4 private address used with NAT, but site-local addresses have since been deprecated (the fc00:: range used here falls under the unique local addresses that replaced them). We should already have a link-local address (starting with FE80); this address is assigned by the operating system, is equivalent to the IPv4 APIPA address and is not routable. You can see the adapter’s IP addresses in the ipconfig /all output below.

dhcp2

Now that we actually have a fixed IPv6 address, we can create a scope for the DHCP server: in Server Manager go to Roles, DHCP Server, the server, and IPv6, right click and choose New Scope. Press next, enter a name and a description for the scope, next,

dhcp6

and enter the prefix; I used fc00:0:0:1:: as the prefix, press next,

which will bring you to the Add Exclusions screen, where I added the server’s own address fc00:0:0:1::1 as both the start and end IPv6 address (enter :1 for both fields and press add), and then next,

dhcp7

I left the defaults for the scope lease and pressed next; finally press next on the Activate Scope screen and the scope should be active and ready to hand out IP addresses to clients.

We also need to set scope options; at least the DNS server and domain search list should be set. So on our new scope, go to Scope Options, right click and choose Configure Options. Tick option 00023 DNS Recursive Name Server IPv6 Address, set it to fc00:0:0:1::1 and press add. The program will validate that a DNS server exists on that address; if you get an error, you need to ensure that the DNS server is binding to the fc00:0:0:1::1 address.

dhc8

Finally tick option 00024 Domain Search List and enter the domain (on my test server the domain is adatum.com) and press add; finally press OK and the DHCP scope setup is completed.

dhcp8

As you can see in the screenshot below, the server successfully handed out IP addresses:

dhcp11

On the client VAN-EX1 we did get an IP address, the DNS server and the domain search list option:

dhcp10

The only problem is that we actually cannot ping the server from the client, or the client from the server:

dhcp12

The reason is that there is no route on the client, so it cannot reach the server. Normally we would have an IPv6-capable router that would publish these routes to the network, but in this test setup there are only two computers and no router.

To fix this, open a command prompt on the server, enter netsh interface ipv6 show route and press enter. This shows us the existing routes, whether they are published and the interface on which they are published. It also shows the interface index (Idx), which we need to actually add the route; in my case the Idx for Local Area Connection is 11.

Now that we know the Idx, we enter the following command (netsh also accepts the abbreviated forms man=en other=en):

netsh interface ipv6 set interface 11 advertise=enabled managedaddress=enabled otherstateful=enabled

and finally we need to advertise (publish) the route:

netsh interface ipv6 add route fc00:0:0:1::/64 11 publish=yes

Now if we issue another netsh interface ipv6 show route, we will see that the route is now published.

dhcp12a

A ping from the server to the client:

dhcp16

and a ping -6 fc00:0:0:1::1 on van-ex1 correctly reaches the server van-dc:

dhcp15

Now there is still one small problem with this approach; as you can see on VAN-EX1, it now has two global IPv6 addresses:

dhcp17

One obtained from the DHCP server and one obtained from… router advertisements 🙂 This is the default behavior on the client. We can switch off the client’s auto-configuration, so that it will not set an IP address obtained through router advertisements.

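The two addresses the client ends up with follow from the flags inside the router advertisements the server now sends: advertise/managedaddress/otherstateful set the M and O bits, and the published /64 is carried as a Prefix Information option whose A flag also invites stateless autoconfiguration. The decoder below is an added example, not code from the post: it reads a constructed RA (built in the block, not captured from the author’s setup) and reports what a client will do with it.

```python
import ipaddress
import struct

# Flag bits in the Router Advertisement header and in the Prefix Information
# option (RFC 4861). netsh's managedaddress= and otherstateful= set M and O.
ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_FLAG_MANAGED = 0x80      # M: get an address through stateful DHCPv6
RA_FLAG_OTHER = 0x40        # O: get other configuration (DNS, search list) through DHCPv6
OPT_PREFIX_INFORMATION = 3
PIO_FLAG_ONLINK = 0x80      # L: prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40  # A: prefix may be used for stateless autoconfiguration (SLAAC)


def parse_router_advertisement(data):
    """Decode an ICMPv6 Router Advertisement (ICMPv6 part only, no IPv6 header).

    Returns the M/O flags and every advertised prefix with its L/A flags.
    Raises ValueError on anything malformed instead of guessing.
    """
    if len(data) < 16:
        raise ValueError("RA too short")
    msg_type, code, _csum, _hop_limit, flags, router_lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", data[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & RA_FLAG_MANAGED),
          "other": bool(flags & RA_FLAG_OTHER),
          "router_lifetime": router_lifetime,
          "prefixes": []}
    off = 16
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = data[off], data[off + 1]
        if opt_len == 0:
            raise ValueError("option length 0 is forbidden by RFC 4861")
        size = opt_len * 8
        if off + size > len(data):
            raise ValueError("truncated option body")
        if opt_type == OPT_PREFIX_INFORMATION:
            if opt_len != 4:
                raise ValueError("Prefix Information option must be 32 bytes")
            plen, pflags, valid, preferred, _rsv = struct.unpack("!BBIII", data[off + 2:off + 16])
            prefix = ipaddress.IPv6Address(data[off + 16:off + 32])
            ra["prefixes"].append({"prefix": "%s/%d" % (prefix, plen),
                                   "on_link": bool(pflags & PIO_FLAG_ONLINK),
                                   "autonomous": bool(pflags & PIO_FLAG_AUTONOMOUS),
                                   "valid_lifetime": valid,
                                   "preferred_lifetime": preferred})
        # other option types (source link-layer address, MTU, ...) are skipped
        off += size
    return ra


def expected_client_behaviour(ra):
    """What a host following RFC 4861/4862 does with this RA: with M set it asks
    DHCPv6 for an address (O is then redundant), and it still forms a SLAAC
    address for every prefix whose A flag is set, regardless of M."""
    return {"dhcpv6_address": ra["managed"],
            "dhcpv6_other": ra["managed"] or ra["other"],
            "slaac_prefixes": [p["prefix"] for p in ra["prefixes"] if p["autonomous"]]}


def build_router_advertisement(managed, other, prefix, plen, autonomous, on_link=True):
    """Build a constructed RA with one Prefix Information option (for testing).
    The ICMPv6 checksum is left at zero: it covers an IPv6 pseudo-header that
    this block does not model."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, 1800, 0, 0)
    pflags = (PIO_FLAG_ONLINK if on_link else 0) | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, plen, pflags, 2592000, 604800, 0)
    return header + pio + ipaddress.IPv6Address(prefix).packed


if __name__ == "__main__":
    # Constructed RA resembling what the post's server sends: M and O set,
    # fc00:0:0:1::/64 advertised with the A flag set.
    ra = parse_router_advertisement(build_router_advertisement(True, True, "fc00:0:0:1::", 64, True))
    print(ra)
    print(expected_client_behaviour(ra))
```

With the A flag set the client gets both a DHCPv6 address and a SLAAC address, which is the second global address seen on VAN-EX1; with A clear only the DHCPv6 address remains.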
To make sure that the client only gets the IP address handed out by the DHCP server, enter the following netsh commands at a command prompt on the client:

First, to get the Idx:

netsh interface ipv6 show interfaces (or show route, as that will also get you the Idx);

dhcp18

Finally enter:

netsh interface ipv6 set interface 11 advertise=enabled managedaddress=enabled

This will allow the client to ONLY get an IP address from the DHCP server. ipconfig /all now displays one global IPv6 address on the client:

image

You might want to create an IPv6 reverse lookup zone on the DNS server so that dynamic updates initiated by the clients will work.

Now this approach will work correctly with the following clients:

Windows Server 2008
Windows Server 2008R2
Windows Vista
Windows 7

For other operating systems you might need to install some software if the OS doesn’t handle stateful DHCPv6 by default. I tested various Linux distributions (CentOS 5.5, Ubuntu 10.10 and openSUSE 11.3) and Windows XP SP3 with a program called Dibbler, which can be obtained from the following link:

http://klub.com.pl/dhcpv6/

Install Active Directory

Another day, another subject. After the installation of Server 2008 we are left with an empty server: no roles, no features, just the operating system.

So it’s time to add some roles to the server. One of the most important roles on the Windows server platform is Active Directory. It’s the base for your network; it provides user authentication and rights assignment, and many other applications use its database. Microsoft Exchange, for instance, requires Active Directory.

So we just start where I left off yesterday: I have set a workstation name and other settings in that Initial Configuration Tasks screen, rebooted the server, and after the reboot and logon I’m again presented with the Server Manager, from where I will add the Active Directory role to the server.

So go to Roles on the right side of Server Manager.

empty

then on the left side click Add Roles and you will be presented with a wizard. You can actually disable this wizard, as it will show each time you add a role; just tick the Skip this page by default box and press next.

Now you will see all the roles that are available on this version of Server 2008 (Enterprise); this list can be expanded when you add out-of-band roles (like, for instance, Windows Streaming Media Services).

server roles

From this page we select Active Directory Domain Services. When we press next, we are presented with an information screen, where we can get an overview of AD DS, get more information on installing AD DS and view common configurations of AD DS.

We just press next here and get it over with 🙂

Now we get a confirmation screen, where we just press install.

ad install

Installation is in progress.

It takes a while, but it’s actually pretty fast. Of course this procedure only copies the binaries to the system; it doesn’t actually configure Active Directory. For that we need good old Dcpromo.exe, which Windows tells us about in the next screen:

ad install finished

So we just press close (we don’t really have any choice in the matter anyway).

By doing the above, we end up in Server Manager again, from where we can actually start Dcpromo.exe.

Please note that on the left side of Server Manager we now have a new option (since we added the AD DS role), so let’s go there and we will see the following screen, where we can initiate dcpromo.exe:

dcpromo

When we click on the dcpromo.exe link, the wizard is started. At the first screen we choose advanced mode installation (we might want to customize some things) and press next. We are then presented with a screen that deals with the tighter security on Server 2008 and the impact it might have on “legacy” systems like Windows NT, and the higher SMB security that might influence such systems as well; we just press next. In the next screen we select create a new domain in a new forest and press next again (don’t we all just love those wizards). In the next screen we need to name the domain; I entered testcompany.nl (yeah I know, not very original, but hey, I’m a techie, not a writer with imagination) and pressed next.

The wizard now checks whether this domain name is already in use on the network. After this check we need to enter the NetBIOS name of the domain; the suggestion is testcompany (without the .nl!), which suits me fine and is the normal way of setting this value anyway.

The next screen deals with the forest functional level, which I set to Windows Server 2003; the screen explains the consequences of each choice. After this screen the domain functional level is set (again Windows Server 2003 in my case).

dns

Then we get a screen where we can select to install a DNS server. It’s already selected, and with good reason, as your domain will not function without a DNS server. Of course, if you happen to have one already, you might not want to install another one, but we are building a network from scratch, so we make the obvious choice to install the DNS server on this server (which is merely another role that will be added to the server).

After I press next, I get a warning message about dynamically assigned IP addresses. I did actually set the server’s IPv4 address to 192.168.0.200, but left the IPv6 address dynamically assigned. I could have set a fixed IPv6 address as well, but my test network doesn’t run IPv6, so I did not bother. Of course I could have unbound the IPv6 stack, but I left it.

After I confirmed the previous warning screen, the wizard complains that it cannot create a delegation for this DNS server, which is obvious as we don’t have any DNS servers yet, so there is no need to panic. I want to continue, and am presented with a screen where I can set the location of the database, log and SYSVOL folders; I just leave them at the default values and press next. Now we have to set the Directory Services Restore Mode administrator password, which needs to follow the same rules as the administrator password (provided you didn’t change the local security policy). Set the password and press next. Finally we are presented with a summary page, on which our selections and settings are summarized; press next and the wizard will actually install and configure Active Directory.

ad progress

After a while the installation finishes and we are presented with the final screen, where we can press finish. Of course the system suggests that we reboot (which is quite obvious), and I followed that suggestion.

After the reboot, we now have Active Directory and a DNS server added as roles to our server.

Our base infrastructure is complete, which enables us to add more roles. As I wrote in the Install Windows Server 2008 post, one of interest is SSTP, for which I have kind of laid the groundwork (even though it is not strictly necessary).

To be continued (to use yet another cliché).

The beginning: Install Windows Server 2008

I’m going to publish some articles describing the new functionality found in Microsoft’s newest OS, Windows Server 2008, a.k.a. Windows Longhorn.

Of course the first thing to do is to install this OS.

For this blog I used Microsoft Virtual Server 2005 R2. Yes, you read that right: no VMware Server, Workstation or Hyper-V. Why? Let’s just say that running Windows Server 2008 as the host system leaves you with some choices. VMware Workstation 6 actually works on Server 2008, and auto-starting VMs can be done, but it’s not nice (it boils down to starting them as a service in session 0 of Windows, or using the startup folder, which requires the user to actually log on to Windows; not nice). So no VMware Workstation for me. VMware Server looked promising, but the beta 2 version did not play nice with my Intel load balancing team (two Intel NICs that form one NIC, for load balancing and fault tolerance).

VMware Server was, in short, out of the door as well. That leaves the Microsoft solutions for virtualisation. Hyper-V of course would be the most logical choice, but at the time of writing there is still only an RC1, not a final release, and although I was very impressed with the beta, the RC0 left me with doubts. Also, I’m running Asterisk (PBX in a Flash) and sipX, both under CentOS, and Hyper-V seemed to have some issues with them.

Finally my choice (for now!) is Virtual Server 2005 R2: it does auto-start VMs, works nicely with my load balancing team, and it performs pretty well.

Let’s get started and install Server 2008. Now, I installed this baby using WDS (Windows Deployment Services), which simply boils down to booting from the network, pressing F12, and Windows Setup will load. Of course you could also use the actual DVD, or an image. One downside to using Virtual Server 2005 is that it doesn’t support 64-bit, which is why my choice of Virtual Server 2005 is a temporary one.

Anyway, when booted I’m presented with this screen:

Yep all the images on the DVD

Here you can select the version of your choice. I have selected Windows Server 2008 Enterprise (Full Installation); of course the architecture I’m presented with is x86 (32-bit). Press next.

Accept the license terms and press next, which will lead you to the installation type screen; since this is an empty system, the only choice is Custom.

Now it’s time to partition the hard drive in the following screen:

I’m accepting the defaults for now, but this screen will let you properly partition the hard drive by choosing Drive options. I merely pressed next.

That’s it; now the install program is copying files and basically installs the operating system without any user intervention.

This screen shows the progress during installation:

Longhorn installation progress

After the install program has done its work, the computer is rebooted and we are presented with the following screen:

Finally proper password enforcement

Yes! You MUST set a password here, and it needs to follow these rules, which are the defaults in the local security policy:

  • Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
  • Be at least six characters long
  • Contain characters from at least three of the following four categories:
      1. English uppercase letters
      2. English lowercase letters
      3. Base 10 digits
      4. Non-alphabetic characters (like ! # $ %)

Good move.

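As an added illustration (not from the post), here is the policy above expressed as a check one could run on candidate passwords, following Microsoft’s description of how the full name is tokenised (split on delimiters, tokens shorter than three characters ignored); the sample names and passwords are made up.

```python
import re

# Delimiters Windows uses when it splits the full (display) name into tokens;
# tokens shorter than three characters are ignored, as Microsoft documents the policy.
_FULL_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")
MIN_LENGTH = 6  # the default on this installation, as listed above


def _categories(password):
    """Count how many of the four character categories from the list above are present."""
    return sum([
        any("A" <= c <= "Z" for c in password),   # English uppercase
        any("a" <= c <= "z" for c in password),   # English lowercase
        any("0" <= c <= "9" for c in password),   # base 10 digits
        any(not c.isalnum() for c in password),   # non-alphanumeric, e.g. ! # $ %
    ])


def check_password_complexity(password, account_name, full_name=""):
    """Apply the default complexity policy; returns (ok, list_of_reasons).

    Matching against the account name and full name is case-insensitive, as in Windows.
    """
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    # Windows checks the whole account name, skipping the check when it is shorter than 3 characters
    if len(account_name) >= 3 and account_name.lower() in lowered:
        reasons.append("contains the account name %r" % account_name)
    for token in _FULL_NAME_DELIMITERS.split(full_name):
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append("contains part of the full name (%r)" % token)
    cats = _categories(password)
    if cats < 3:
        reasons.append("only %d of the 4 character categories used, need 3" % cats)
    return (not reasons, reasons)


if __name__ == "__main__":
    # made-up examples
    for pw, acct, name in [("P@ssw0rd", "administrator", ""),
                           ("Admin123!", "admin", ""),
                           ("xSmith99!", "jsmith", "John Smith"),
                           ("password123", "test", "")]:
        print(pw, check_password_complexity(pw, acct, name))
```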
Once booted and logged on, we are presented with the Initial Configuration Tasks screen, where we can set the time zone, configure networking, provide the computer name and domain, set auto-update options, and add roles and features. We can also enable Remote Desktop and configure the firewall. A nice screen to do those initial tasks.

Initial task screen

I have used this screen to quickly perform some of those initial tasks.

After these initial tasks I’m presented with a real gem, the Server Manager. It’s kind of a central program to manage your server: almost all relevant MMC snap-ins are gathered here (depending on the roles and role services you have installed), and it also gives you access to options formerly found under Computer Management.

Server Manager

This concludes the install procedure. In the near future I want to add some roles and take this first post further. The next instalment will cover SSTP, which is an exciting new feature in Server 2008.

Come back for more 🙂

SSTP Remote Access

As mentioned before, I want to write an article about SSTP VPN (Secure Socket Tunneling Protocol), which is one of the great new features of Windows Server 2008. Server 2003 has support for PPTP and L2TP/IPsec VPN connections. I myself used PPTP and was very satisfied with it; for added security I used EAP-TLS with user certificates. The only downside to this type of VPN is that you need to have some ports open (outbound) on the client side (and of course on the server side, but that’s something you can control). But some networks, for instance, block port 1723; if you happen to be connected to such a network and then want to make a PPTP connection back to your own network, you are out of luck.

And such networks do exist. The answer: create a PPP VPN tunnel over an SSL channel (port 443). Now, I don’t know many networks that block port 443 outbound (that would basically mean that you cannot even buy products over the Internet, as credit card transactions are processed using SSL, hopefully!). So this is a very practical way of providing users with VPN access, as the chance that it won’t work due to client ports being blocked is almost nil.

Now I know that Microsoft actually published a step-by-step guide that explains how to implement SSTP, but having followed (more or less) that guide, I felt that it needed to provide more details, hence this post.

In that step-by-step guide (I have provided a link to this and other step-by-step guides on the main page of this blog), Microsoft takes us to a lab where they have three computers: a domain controller with DNS server, a VPN computer with Certificate Services and Remote Access installed, and a client computer. They don’t really dig deep into things that can go wrong (and believe me, they probably will).

Let’s talk a little bit about things that can go wrong, or things you need to be aware of. First of all, the client needs to be able to perform a certificate revocation check on the server certificate. Unless you use a commercial certificate, this means that your CA (certificate authority) needs to provide access to the CRL (certificate revocation list) from the Internet. A CRL is basically a list of revoked certificates; the client needs to check that the certificate of the VPN server is not revoked. And since the client needs to check this BEFORE the VPN connection is established, we need to somehow provide access to the CRL from the Internet, as opposed to the intranet or local network only.

Another likely problem is the way the SSTP server uses certificates. If the VPN server is not going to be used as an SSL web server, there would not be a problem, but some people (myself included) want to utilize the server in more ways, and running an SSL web server on the same computer might run you into problems with SSTP, which we will simulate and also fix.

While we are doing all that, I will also introduce another new feature of Server 2008 (apart from a greatly improved IIS7) that publishes the server’s revocation information to the Internet: the Online Responder (OCSP).

Let’s get started. First, I’m not going to use two servers; I will just use one server (the same one I installed in the previous two articles, where I first installed the operating system and then added Active Directory as a role). After this article, I will use the system to introduce another cool new feature of Server 2008, Network Policy Server (the new IAS) and Network Access Protection (NAP).

Anyway, I find myself again in Server Manager (this program is started by default each time you start your server; you can disable it by ticking Do not show me this console at logon). As I pointed out earlier, the SSTP client needs to verify the server certificate. Of course you could buy a commercial certificate, and then the client can easily do the CRL check on the Internet, but Server 2008 does have a nice role to do all this without extra costs. So I’m going to add Active Directory Certificate Services as a role to my server. In Server Manager go to Roles, Add Roles and select Active Directory Certificate Services (AD CS). Then press next; you get an introduction screen to AD CS, and some more information is provided. I merely press next.

certificate services

And I get this screen, where there are more role services that I can add. For now I’m also going to select the Online Responder, as that one will serve to enable the client to do that revocation check.

The minute I click Online Responder, Server Manager deals with dependencies and tells me that I need additional role services for the Online Responder, and suggests adding them now (the Web Server (IIS) role). I of course do just that (not that I have a choice in the matter, by the way).

dependencies

When I click on Add Role Services, I’m back at the initial screen. When I press next here, the configuration screens for AD CS are displayed, offering me the choice of an enterprise CA or a stand-alone CA; since I have Active Directory anyway, and since it integrates nicely into AD CS, I choose Enterprise CA. The next screen is an obvious choice, as we don’t have a root CA yet: we create a new key, just accept the defaults, name the CA (again I accepted the defaults), set the validity of the root certificate (5 years is the default), the database location (default once again), and then we have to click through some screens related to the web server (IIS). Again I accepted the defaults for now, pressed next, and finally the install runs.

progress ca

Finally the install finished and we are back in Server Manager. Now, I basically forgot to install the Remote Access role, but no worries, we will do so now (some additional steps, but hey, it’s not a big deal).

So again we add a role, and this time we choose Network Policy and Access Services. Of course when using VPN you might also consider using a proper RADIUS server, but for now I’m skipping that part, so the only role service that I choose in the next screen is Remote Access Service:

remote access service

This time no pre-configuration; just next and next again will start the install.

After another install and a click on close, I once again find myself in Server Manager.

Now we basically have installed everything we need for SSTP to work on the server side: we have the Remote Access Service, we have the Online Responder (for certificate revocation) and we have the Certificate Authority, which will provide us with a server certificate and which will provide revocation information to the Online Responder, and through the latter to the client.

Now the first thing we need is a server authentication certificate for our VPN server. But before we submit a request for a new certificate, we open a command prompt (Run, cmd) and enter netsh http show sslcert. This command will be a nice tool later on, when we mess up the SSTP server by messing with SSL certificates in IIS7.

show ssl 1

When you click on the image, you will see that this command returns no bindings, which kind of makes sense, as we haven’t even requested an SSL certificate for our server yet.

Before we can request a new certificate for our VPN server, we need to set up our CA to issue them. Close the cmd window (exit, enter). Server Manager should still be open, but since we have added new roles and role services to the server, we need to close it and re-open it (sometimes F5 might do the trick, but in this case it didn’t; it did not add the CA MMC snap-ins to Server Manager). Of course you could also start that MMC by going to Start, Administrative Tools, but I kind of like Server Manager.

Once back in Server Manager, we can expand Roles, then Active Directory Certificate Services, and we should see a few MMC snap-ins there.

certificate service mmc

We now see four MMC snap-ins: the Online Responder, Enterprise PKI (a tool to see the revocation points), the Certificate Templates snap-in and the CA snap-in (which is indicated by its name). We first go to the Certificate Templates snap-in.

We need to be able to request a certificate for our VPN server; we basically need a server authentication certificate (so we can use any certificate template that supports this intended purpose). Further down this article we are also going to request a web server certificate, so we need to give our VPN computer the right to request the web server certificate.

(I know we could have installed the CA Web Enrollment role service and requested a certificate using our admin user ID (which by default has that right), but it’s not necessary. We will just give our computer the right to request these certificates. This will also enable us to set the common name for the certificate, which will be the name that HAS TO BE USED by the client: if the name on the certificate doesn’t match the name set in the client, the connection will fail!)

web server certificate rights

So double click the Web Server certificate template, go to Security, add our computer (test) to the ACL and assign Read and Enroll rights. Go to the CA snap-in. Here we go to Certificate Templates and we note that Web Server is already in this list, so there is no need to add this template.

Let’s request our certificate: Run, mmc, then File, Add/Remove Snap-in, select Certificates, Add, select Computer account, press next, Local computer, then Finish and OK. We are now in the Certificates snap-in; we go to Certificates (Local Computer), Personal, Certificates, and we see that two certificates are already present there.

certificates mmc

One is the domain controller certificate (for the local computer; this one also has the server authentication purpose) and the other is our CA root certificate. This root certificate is important for our client: for non-domain clients it needs to be imported into the local computer certificate store of the client, so that the client trusts the root. First we are going to request a certificate which we are going to use with the SSTP VPN server, so we right click, select All Tasks, and Request New Certificate. Another wizard (Server 2008 seems to be full of them). Next will lead us to this screen:

request certificates

We see that for the web server certificate to be issued, we need to set some values, so follow the suggestion and click here to configure settings. Now the most important setting is the common name; this is the name that will be on the certificate and that will need to match whatever you enter into the client. Also we need to consider that this name should be resolvable on the Internet, so it might not be a very good idea to use the host name as the common name; let’s just set the name to vpn.testcompany.nl.

common name

So select the Common name property under Subject name and set this value to vpn.testcompany.nl. We can set other values here, but that’s not necessary. There are other tabs here as well, but I’m leaving them alone. Just press add, and OK, and we are back at the enroll screen; now tick the Web Server certificate and press Enroll, and our certificate will be requested. Finally press Finish and we should have a third certificate in our store.

Now we need to configure the Remote Access role. Go to Server Manager, select Network Policy and Access Services, and select Routing and Remote Access. Right click and Configure and Enable Routing and Remote Access, which will lead us to yet another wizard: next, Custom configuration, next, tick VPN access, next and Finish. Then we get another dialog; choose Start service, which should start Routing and Remote Access. Press Finish to close the wizard.

Let’s just check the certificate binding using cmd and netsh http show sslcert:

netsh show ssl

Now we do have some information here. For clarification I have copied the content of this screen:

SSL Certificate bindings:
————————-

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : f8fd5164a2e0026abf97db0c72dd38904823c556
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          :
    Ctl Store Name          :
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

    IP:port                 : [::]:443
    Certificate Hash        : f8fd5164a2e0026abf97db0c72dd38904823c556
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          :
    Ctl Store Name          :
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled

We see two bindings: the first (0.0.0.0:443) is the IPv4 binding and the second ([::]:443) is the IPv6 binding. The application ID is the SSTP server, and the certificate hash we see here refers to the certificate that is used. It is important that both bindings have the same certificate, otherwise SSTP won’t work. Later on we use this command to troubleshoot SSTP (because the minute we bind a certificate to IIS, it will automatically also be bound to SSTP; this can lead to problems in certain scenarios, which we will cover later on).

Just to be sure that SSTP was bound to the right certificate, we can open mmc, add the local computer account Certificates snap-in, and verify the certificate hash (open the certificate, go to Details and look for the Thumbprint). There are two certificates that support server authentication, and by checking the thumbprint of each certificate (test.testcompany.nl and vpn.testcompany.nl) it becomes apparent that SSTP used the test.testcompany.nl certificate, which is not what we want, as we want to use vpn.testcompany.nl. No problem, we can use netsh to change the certificate and make sure our VPN server uses the certificate with common name vpn.testcompany.nl.

Open cmd and enter:

netsh http delete sslcert ipport=0.0.0.0:443 (removes the IPv4 binding)
netsh http delete sslcert ipport=[::]:443 (removes the IPv6 binding)
reg delete hklm\system\currentcontrolset\services\sstpsvc\parameters /v sha256certificatehash /f

This will remove the two bindings; when we issue netsh http show sslcert, we will get an empty screen.
Then copy the certificate hash (thumbprint) of the vpn.testcompany.nl certificate and use it in the following two commands. The hash is
c45d4573030951cd39ebb933daafa5bdf19b8582, which I merely copied from the certificate MMC and removed the blanks.

IPv4 binding to vpn.testcompany.nl:

netsh http add sslcert ipport=0.0.0.0:443 certhash=c45d4573030951cd39ebb933daafa5bdf19b8582 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

IPv6 binding to vpn.testcompany.nl:

netsh http add sslcert ipport=[::]:443 certhash=c45d4573030951cd39ebb933daafa5bdf19b8582 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

When we issue a netsh http show ssl, we will now have the correct certificate used by both IPv4 and IPv6.

Finally we stop and start the RRAS service:

net stop sstpsvc /y
net start remoteaccess (remoteaccess is the service name; its display name is "Routing and Remote Access")

We haven’t configured remote access completely, so let’s do that now: go to server manager, Network Policy and Access Services, then Routing and Remote Access, right-click it and choose Properties.

On the security tab, we select our authentication (in future articles we will use NPS for this, as it’s a full blown RADIUS server). For now we will use Windows authentication for both our authentication and accounting provider. Select authentication methods, and ensure that only MS-CHAP v2 is selected. Later on, when we include NPS, we can enhance our authentication. Press ok and go to the IPv4 tab; here we have to set the address assignment, which for now we will set as follows:

Select static address pool and add the range 192.168.0.210 to 192.168.0.220. Of course we could use a DHCP server, but we simply haven’t got one at the moment. Press ok to close.

Finally we need to set up a user, so go to server manager (again!) or launch the mmc from admin tools, go to Active Directory Domain Services, Active Directory Users and Computers, expand the domain and add a user and password which we will use on the client. I named mine test (how original).

user

Set the password to never expire and don’t require the user to change it with next login.

Set the dial-in property to allow.

We are ready to test all of this, on the local network at least. I’m using a non-domain client, so I need to do some more things. First of all, my test PC has no way to resolve vpn.testcompany.nl, since it doesn’t use our DNS server (we might want to at least add vpn.testcompany.nl to our local DNS server). Also we have the revocation problem, but we will get to that later. Of course our client needs to be running Vista SP1 at the least; no XP, I’m afraid.

So on my test client, I will add two entries in c:\windows\system32\drivers\etc\hosts: one for vpn.testcompany.nl (which is 192.168.0.200) and one for test.testcompany.nl (the VPN server hostname).

hosts

After this we are ready to set up the connection: (not really but I want to show the errors that will follow) 🙂

So we go to Network and Sharing Center, set up a connection or network, connect to a workplace, use my Internet connection. The Internet address would be vpn.testcompany.nl (but we will use test.testcompany.nl to get the first error message).
Name the connection and press next. Now you are presented with the user credentials screen: use the test user, the password you have set and domain testcompany (the NetBIOS name!) and press connect.

Windows will create the connection and then might come up with an error message (I don’t like the way they have done this). Anyway, select set up the connection anyway, and from the Network and Sharing Center go to manage network connections and edit the connection we just created. Right-click, Properties; on the security tab, make sure only Microsoft CHAP Version 2 (MS-CHAP v2) is selected and press ok. Finally we have to go to networking and set the type of VPN to SSTP. Of course, to verify that we have set everything up correctly we could try setting the type to PPTP and making a connection; in my case the connection succeeded. After this, set the VPN type to SSTP and try to connect again.

and then we get:

error 1

0x800B0109 It processed the certificate chain, but terminated in a root certificate which is not trusted by the trust provider.

That was expected: we need to import the root certificate (the CA certificate) into the client’s local computer store, under Trusted Root Certification Authorities.

So we need to export our CA certificate to a file and import it into the client (again web enrollment would be handy here, but hey nobody’s perfect)

Run mmc, add the certificates snap-in, computer account, local computer, add. Go to certificates, Trusted Root Certification Authorities, certificates, and export the testcompany-test-ca certificate to a file: right-click, all tasks, export, another wizard, next, next, enter a file name and set the save location (like a USB stick or a network share). Now on the client you have to import the certificate into the computer store, so you again do mmc, certificates, computer, local computer, go to Trusted Root Certification Authorities, right-click, import, and import the certificate you just exported. This should clear up our first error message 🙂

Now on to the second one. It’s obvious, but when we try to connect again we get:

error 2

0x800B010F The certificate’s CN name does not match the passed value. I did that on purpose, as we chose to set the hostname to test.testcompany.nl on the client, but the certificate’s CN is vpn.testcompany.nl, so just change it on the client and reconnect.

Yes! The next error:

error 3

0x80092013 There we have the revocation error. What a surprise. We will address this in the next post (very soon after this one). For now let’s just look at our VPN server certificate (the one we requested earlier, with the CN vpn.testcompany.nl). We can do that by again going to mmc on the server and opening the vpn.testcompany.nl certificate.

Let’s go to the details tab and look under CRL distribution points, you will see the following values:

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=testcompany-TEST-CA,CN=Test,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testcompany,DC=nl?certificateRevocationList?base?objectClass=cRLDistributionPoint
               URL=http://test.testcompany.nl/CertEnroll/testcompany-TEST-CA.crl

The client needs to contact one of those CRL distribution points to do the revocation check. I cheated a bit by not adding the client to the domain, and I also didn’t install the web enrollment role service. Otherwise the client would have been able to do the revocation check, as it can resolve test.testcompany.nl and would fetch http://test.testcompany.nl/CertEnroll/testcompany-TEST-CA.crl. As it is, that second URL doesn’t even exist on the server, because the web enrollment role service is what would have created the CertEnroll virtual directory in IIS.

But more about the whole revocation business in my next article.

Stay tuned 🙂

SSTP Remote Access Continued..

So let’s just start where we left off in the previous post. We succeeded in establishing a PPTP connection, but when using SSTP we had a few errors, and we left that post with error 0x80092013 The revocation function was unable to check revocation because the revocation server was offline.

error 3

Let’s just explain the revocation check: the client needs to check that the server certificate it receives when connecting to vpn.testcompany.nl has not been revoked. In order to do that, the client needs to obtain that information from the CRL (certificate revocation list) distribution points that are stored in the certificate. To see that information we open up mmc, add the certificates snap-in for the local computer, then go to the computer’s personal certificates, open the vpn.testcompany.nl certificate, select Details and go to CRL Distribution Points.

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=testcompany-TEST-CA,CN=Test,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testcompany,DC=nl?certificateRevocationList?base?objectClass=cRLDistributionPoint
               URL=http://test.testcompany.nl/CertEnroll/testcompany-TEST-CA.crl

I have included the two distribution points again. The first one is an LDAP distribution point, but since our client isn’t part of the testcompany.nl domain, this is not going to work. The second one is the other standard distribution point, which should be installed automatically when you select the web enrollment role service (which we didn’t!). The client would at least be able to resolve that address, as I have added it to the hosts file (normally DNS should handle this, but again the client doesn’t use our DNS server either).

Now, just to check whether we can resolve this by adding the certenroll virtual directory, we are going to add it using the IIS manager.

Use the server manager, or start the IIS manager from the administrative tools menu. We go to the default website, and add a new virtual directory.

iis

Right-click the default website and choose add virtual directory. The alias is certenroll, and the physical path is c:\windows\system32\certsrv\certenroll

Once we have done this, we can actually connect!

connection

Here we see the details of our connection: the device name is WAN Miniport (SSTP), type VPN, server type PPP; we see that the authentication is MS-CHAP v2, and our IP address (192.168.0.212) is assigned by the RRAS service (192.168.0.210).

Now this of course works because I have fiddled with the host file, and our client is actually inside the same network.

Now we need to consider that our clients will actually be outside of our network. So we need to do several things:

vpn.testcompany.nl needs to be resolvable using public DNS.
We need to open our firewall to allow traffic over port 443 to the local IP address 192.168.0.200.
We need to enable the client to do the revocation check.

Now the first two items on the list are easy, the third needs some additional effort.

We have several options. We could make sure that test.testcompany.nl is resolvable by clients on the Internet by adding the host to the public DNS, and in addition open up port 80 on our firewall to allow traffic into 192.168.0.200; then we would be ready for SSTP connections by clients outside of our network, because those clients would be able to reach that second CRL distribution point:

URL=http://test.testcompany.nl/CertEnroll/testcompany-TEST-CA.crl

But you might not want to expose local hostnames to the Internet by adding them to DNS, and you might want to use a different port, because you might already run a webserver somewhere (maybe even on the same host). And remember I talked about OCSP, or the online responder, another new feature in Server 2008. The advantage of OCSP over CRL checking is that the client doesn’t need to download the full CRL (which of course could generate traffic if the CRL is big). The online responder obtains the revocation information from the CRL distribution points on the client’s behalf, so only the online responder needs to be exposed to the Internet.

Let’s configure this service and expose it to the Internet. We have already installed the role service in the previous article. Now we need to configure it. The first thing to do is to assign an OCSP response signing template to the CA.

ocsp template

In server manager go to Active Directory Certificate Services, then go to the certificate templates mmc, select the OCSP Response Signing template, go to security and add our test computer to the ACL, granting Read and Enroll. Then go to the CA mmc (testcompany-test-ca), go to certificate templates, right-click, new, certificate template to issue, and select the OCSP Response Signing template.

Now we are ready to set up the OCSP service: go to the online responder mmc, which is also found under Active Directory Certificate Services, go to revocation configuration, right-click, and choose add revocation configuration.

A wizard pops up; press next. In the following screen name the configuration (testcompany.nl). In the next screen select the option select a certificate for an existing enterprise CA and press next, then select browse CA certificates published in Active Directory and press browse. The CA certificate should be listed; select it and press next once back in the previous screen. On the next screen you can manually select an OCSP signing certificate or use the default autoenrollment of the signing certificate, which we will choose in this case.

ocsp setup

Press next and we end up at the screen where we can set up the revocation provider. This is important, as this is where the OCSP responder will get its revocation information from. To get to the screen press provider:

revocation providers

Please note that our two existing CRL distribution points are listed here, we can add additional points here, but we will just press ok.

After this we press finish to end the wizard.

Finally we need to make the OCSP responder available, and we also need to provide the CA with its location, so that certificates will contain the URL of the OCSP responder. Therefore we will also need to request a new certificate for our VPN server, as the old one only contains the two CRL distribution points, not the new OCSP responder URL.

Go to the CA mmc (testcompany-test-ca) inside server manager, select properties and go to the extensions tab, select extension Authority information access (AIA) and press add.

Here we need to enter the URL that the OCSP responder will use, we also have to keep in mind that this URL should be reachable by external clients, and we also have to consider which port to use. I have chosen to use the same hostname as we are going to use for the VPN connection: vpn.testcompany.nl, I also chose to use port 8080 for this OCSP service, so the URL would be http://vpn.testcompany.nl:8080/ocsp.

aia location

Press ok to save this information. Back in the AIA extension screen, tick include in the online certificate status protocol (OCSP) extension and press ok.

You will receive the question that the CA service needs to be restarted, so just do that.

Finally we need to setup IIS to bind to port 8080 for the online responder, so go to IIS manager, right click the default website, bindings, and set the binding to port 8080.

We are almost done. We now need to request a new certificate for the VPN server (which includes the OCSP URL), but before we do that we will learn how to check revocation information using certutil. We will first export our existing VPN certificate to a file. So run mmc, add/remove snap-in, certificates, computer, local computer, go to the personal store and export the vpn.testcompany.nl certificate to c:\vpn.cer.

Then run cmd and change to the c:\ directory where you enter certutil -URL vpn.cer and press enter.

certutil

When we select CRLs from CDP and press retrieve, we will see that only the LDAP location is verified; the HTTP location will have status failed, which makes sense since we have changed the port of the default website to 8080 instead of 80. Of course we should at least fix this for the local network, so we have to add port 80 as an additional binding for IIS, so that we bind to both port 80 and port 8080.

When we click on OCSP from AIA, we get no URL status at all, since this certificate doesn’t know we now use OCSP; that’s why we need to request a new certificate for our VPN server.

So let’s do just that: run mmc, add/remove snap-in, certificates, computer, local computer, go to the personal store and request a new certificate (right-click, all tasks, request new certificate, next). Again press more information is required under the web server certificate, set the common name to vpn.testcompany.nl and press add, then ok, select web server and press enroll. Finally press finish.

Let’s check the Authority Information Access (that’s the one used by OCSP) on our new certificate, and also copy the certificate hash to a file, because we will need to adjust the certificate bindings for the SSTP service again. We are also going to export the certificate to a file (vpnnew.cer), which we will use with certutil to check revocation. The hash for my new certificate is d9de5adf34b2edb0eb7530c78a0e74c37989fc51. The AIA entries are:

[1]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=ldap:///CN=testcompany-TEST-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testcompany,DC=nl?cACertificate?base?objectClass=certificationAuthority
[2]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=http://test.testcompany.nl/CertEnroll/Test.testcompany.nl_testcompany-TEST-CA.crt
[3]Authority Info Access
     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
     Alternative Name:
          URL=http://vpn.testcompany.nl:8080/ocsp

The last one will be reachable from the Internet. We should add the hostname vpn.testcompany.nl to DNS (also for the SSTP connection), and we should open port 443 (for the SSTP connection) and port 8080 (for the OCSP online responder). Not only should we open both ports on our router, but of course also in the local Windows firewall: port 443 is already open, 8080 isn’t.

Now we need to change the certificate binding for SSTP. Be aware that if you bind a certificate to IIS, this will override the certificate that is bound to SSTP.

netsh http show ssl will show that SSTP is still using the old certificate, so we enter the commands to bind the correct certificate, with hash d9de5adf34b2edb0eb7530c78a0e74c37989fc51:

netsh http delete ssl 0.0.0.0:443 (removes the IPv4 binding)
netsh http delete ssl [::]:443 (removes the IPv6 binding)
reg delete hklm\system\currentcontrolset\services\sstpsvc\parameters /v sha256certificatehash /f (clears the certificate hash SSTP has cached)

Now we bind the new certificate:

netsh http add sslcert ipport=0.0.0.0:443 certhash=d9de5adf34b2edb0eb7530c78a0e74c37989fc51 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

and

netsh http add sslcert ipport=[::]:443 certhash=d9de5adf34b2edb0eb7530c78a0e74c37989fc51 appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY

and finally

net stop sstpsvc /y
net start "routing and remote access"
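Whether you rebind as in the first post or as here, the end state must be the same certificate on both 0.0.0.0:443 and [::]:443, registered under the SSTP application id, and the SHA-256 hash SSTP caches in the registry must belong to that same certificate. The following PowerShell script is an added example, not part of the original post: it parses the output of netsh http show sslcert, compares both bindings against the vpn.testcompany.nl certificate in the computer store, and checks the SstpSvc registry value the post deletes. It assumes PowerShell 2.0 or later in an elevated prompt on the RRAS server, and that Sha256CertificateHash is stored as REG_BINARY (an assumption; a string value is handled as well).

```powershell
# Added example, not the post's own code. Verifies the SSTP SSL bindings after a rebind.
$ExpectedSubject = 'CN=vpn.testcompany.nl'                    # certificate SSTP should present
$SstpAppId       = '{ba195980-cd49-458b-9e23-c84ee0adcd75}'   # SSTP application id quoted in the post
$SstpRegKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'

function Get-SslBindings {
    # Turn the text of 'netsh http show sslcert' into one object per IP:port binding.
    $bindings = @(); $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = New-Object PSObject -Property @{ IpPort = $Matches[1]; CertHash = ''; AppId = '' }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.CertHash = $Matches[1].ToLower()
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') {
            $current.AppId = $Matches[1].ToLower()
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

function Test-SstpBinding {
    param([string]$Subject = $ExpectedSubject)
    $problems = @()
    # Newest certificate in the computer's personal store with the subject we expect.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "$Subject*" } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return "No certificate with subject '$Subject' in LocalMachine\My" }
    $want = $cert.Thumbprint.ToLower()   # SHA-1 thumbprint, the certhash value netsh expects

    $bindings = Get-SslBindings
    foreach ($ipport in '0.0.0.0:443', '[::]:443') {
        $b = $bindings | Where-Object { $_.IpPort -eq $ipport }
        if (-not $b) { $problems += "No SSL binding on $ipport"; continue }
        if ($b.CertHash -ne $want) { $problems += "$ipport uses $($b.CertHash), expected $want" }
        if ($b.AppId -ne $SstpAppId.ToLower()) { $problems += "$ipport belongs to $($b.AppId), not SSTP" }
    }

    # SSTP also caches a SHA-256 hash of its certificate in the registry; a stale value here
    # is the reason the post deletes Sha256CertificateHash before rebinding.
    $regValue = (Get-ItemProperty $SstpRegKey -ErrorAction SilentlyContinue).Sha256CertificateHash
    if ($regValue) {
        $sha256  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
        $certHex = ($sha256 | ForEach-Object { $_.ToString('x2') }) -join ''
        $regHex  = "$regValue".ToLower()
        if ($regValue -is [byte[]]) { $regHex = ($regValue | ForEach-Object { $_.ToString('x2') }) -join '' }
        if ($regHex -ne $certHex) { $problems += "SstpSvc Sha256CertificateHash does not match $Subject" }
    }
    return $problems
}

$result = @(Test-SstpBinding)
if ($result.Count -eq 0) { 'SSTP bindings are consistent.' } else { $result }
```

Run it again after binding a certificate in IIS: a differing hash on either port is exactly the override the post warns about.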

Now let’s check the revocation from the client PC: copy the vpnnew.cer file to the client (c:\), run cmd, go to c:\ and enter certutil -url vpnnew.cer.

When we now select CRLs from CDP, we get failed for the LDAP location and verified for the certenroll location (we have added a binding for port 80 on IIS again; clients from the Internet will get failed here as well). But this doesn’t matter, as the client can use OCSP: try that now and we should get a verified result.

certutil 1
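The certutil -URL check above can also be reproduced from the client without the GUI. The following PowerShell script is an added example, not part of the original post: it reads the CRL distribution points and AIA entries from the exported vpnnew.cer, tries each HTTP location the way an Internet client would (the ldap:/// entries are skipped, since they need domain membership), and then builds the certificate chain with online revocation checking, which is the check the SSTP client performs. It assumes the export is at C:\vpnnew.cer and that the .NET X509 classes shipped with PowerShell 2.0 or later are available.

```powershell
# Added example, not the post's own code. Replays the client's revocation lookups for a certificate file.
function Get-CertUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 is the CRL Distribution Points extension, 1.3.6.1.5.5.7.1.1 is Authority Information Access.
    $urls = @()
    foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        $kind = if ($oid -eq '2.5.29.31') { 'CDP' } else { 'AIA' }
        foreach ($ext in ($Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid })) {
            # Format($true) returns the same multi-line text the certificate MMC shows ("URL=...").
            foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
                $urls += New-Object PSObject -Property @{ Kind = $kind; Url = $m.Groups[1].Value }
            }
        }
    }
    return $urls
}

function Test-RevocationLocations {
    param([string]$Path = 'C:\vpnnew.cer')   # assumed location of the exported certificate
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $report = @()
    foreach ($u in Get-CertUrls $cert) {
        if ($u.Url -notmatch '^https?://') {
            # ldap:/// locations need domain membership, so an Internet client cannot use them.
            $report += "$($u.Kind) $($u.Url) : skipped (not HTTP)"; continue
        }
        try {
            $req = [System.Net.WebRequest]::Create($u.Url)
            $req.Timeout = 5000
            $resp = $req.GetResponse()
            $report += "$($u.Kind) $($u.Url) : reachable (HTTP $([int]$resp.StatusCode))"
            $resp.Close()
        } catch {
            # PowerShell wraps .NET exceptions; unwrap to get at the WebException.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            # An HTTP error still proves the host and port answer; no response at all means offline.
            if ($ex -is [System.Net.WebException] -and $ex.Response) {
                $report += "$($u.Kind) $($u.Url) : reachable (HTTP $([int]$ex.Response.StatusCode))"
            } else {
                $report += "$($u.Kind) $($u.Url) : failed ($($ex.Message))"
            }
        }
    }
    # The client's real check: build the chain with online revocation. UntrustedRoot here is
    # error 0x800B0109 from the first post; RevocationStatusUnknown/OfflineRevocation is 0x80092013.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $report += "Chain builds without errors: $($chain.Build($cert))"
    foreach ($s in $chain.ChainStatus) { $report += "  $($s.Status): $($s.StatusInformation.Trim())" }
    return $report
}

Test-RevocationLocations
```

On the non-domain client in this post, the expected picture is LDAP skipped, the CertEnroll CRL reachable only from the local network, the OCSP URL reachable, and a chain that builds once the root CA has been imported.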

We should now be able to make a connection, both from the local network and also from the Internet, since we can run the revocation check using OCSP at address http://vpn.testcompany.nl:8080/ocsp.

This concludes this post. In my next post we are going to introduce yet another new feature in Windows Server 2008, the new RADIUS server (Network Policy Server or NPS), which enables us to use certificate authentication instead of password authentication; we are also going to introduce NAP (Network Access Protection).

See you later.