Create VPN Connection in Windows 7

How to Create L2TP/IPSec VPN Connection in Windows 7

Before you could establish a L2TP/IPSec connection to VPN Server, it is important for you to check if the computer you are dialing does have all the necessary certificates. You may visit my blog Create L2TP/IPSec Certificate for TMG 2010 using Enterprise CA which I mentioned all the steps to import certificates from CA to your computer.

1. Right click on Network Connection at the task bar and select Open Network and Sharing Center

2. Select Connect to a Network. Click Next

3. Select Connect to a Workplace. Click Next

4. Select No, create a new connection. Click Next. (This only if you have other connection)

5. Select Use my Internet connection (VPN)

6. Type in the VPN server IP or FQDN
7. Give the connection a name
8. Check Don't connect now, just set it up so I can connect later. Click Next

9. Type in the credential. Click Finish

10. Right click the connection you have created. Select Properties

11. At the Options tab, uncheck include Windows logon domain

12. At the Security tab:-

• Type of VPN : Layer 2 Tunnelling Protocol with IPSec (L2TP/IPSec)
• Data encryption: Optional encryption (connect even if no encryption)
• only check Microsoft CHAP Version 2 (MS-CHAP v2) (you may have differences setting compare to mine. Refer to you VPN administrator for the correct authentication protocol)
• Click Advanced settings. Check Verify the Name and Usage attributes of the server's certificate

13. At the Networking tab, uncheck Internet Protocol Version 6 (TCP/IPv6)
14.Select Internet Protocol Version 4 (TCP/IPv4). Click Properties

15. Uncheck Use default gateway on remote network. (This will prevent you network traffic being route to the remote gateway)
16. Click OK

17. Click OK to close the connection Properties page
18. Double click the connection you have created. Click Connect

19.Upon connection established, verify the connection Details

20. Also verify the session in TMG 2010

Create L2TP/IPSec Certificate for TMG 2010 using Enterprise CA

It took me quite a while to get the right certificate and to remember the steps,therefore, I am blogging it here for my future reference and also for some of us out there who may need this.


This blog is useful for you if you are about to create a certificate for your VPN using Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec) that to be use with Microsoft Forefront Threat Management Gateway (TMG) 2010.


Ultimately, you have to create a certificate as shown below, with the highlighted attributes being the most critical:-

Use VPN server's FQDN as the certificate CN

Entensions that are important

Both Server 'Authentication' and 'IP Security IKE intermediate' are must included

Both Digital 'Signature' and 'Key Encipherment' must be available

Make sure the certificate path is not broken

How to create L2TP/IPsec Certificate for TMG 2010

This blog assume that a CA is deployed and is running. the first thing to do is to log on to the CA server and bring up the Server Manager (I am using Windows Server 2008 R2) and select Roles-> Certification Authority

1. On then CA Server, click Certificate Templates
2. Right click on the IPSec (Offline Request), select Duplicate Template
3. On the General page, type HV VPN L2TP IPSec 2 in the Template display name
4. You might change the Validity period to 5 years or longer.

5. Select Request Handling tab, set a checkmark in Allow private key to be exported

6. Click CSPs…, and select Requests can use any CSP available on the subject’s computer, click Ok

7. Select Extensions tab. Change the highlighted in accordance

8. Click Ok

9. Expand <Enterprise Root CA Name>

10. Right click Certificate Templates, select New, click Certificate Template to Issue

11. On the Enable Certificate Templates page select HV VPN L2TP IPSec 2 on the list and click Ok

How to request a L2TP/IPsec Certificate for TMG 2010

1. On the TMG 2010 Server (HV-PROXY1.hv.com)
2. Open Internet Explorer and browse to https://hv-dc.hv.com/Certsrv (my CA server)
3. Select Request a certificate
4. Select Advanced certificate request
5. Select Create and submit a request to this CA
6. In the Certificate Template, select HV VPN L2TP IPSec 2

7. Put a checkmark in Store certificate in the local computer certificate store
8. Click Submit
9. Click Yes to the Potential Scripting Violation box
10. Click Install this certificate
11. Click Yes to the Potential Scripting Violation box

12. Use MMC with Certificates plugin and locate the certificate at User Certificate Store->Personal

13. Right click on the certificate you just created, select All Tasks, select Export
14. On the Welcome to the Certificate Export Wizard page, click Next
15. On the Export Private Key page, select Yes, export the private key, click Next
16. On the Export file format page, leave the default and click Next
17. On the Password page, type a Password for the certificate, click Next
18. On the File to Export page, type a name for the certificate e.g. c:\Applications\Cert\HV VPN L2TP IPSec 2.pfx, click Next
19. On the Completing the Certificate Export Wizard page, click Finish
20. Click Ok

How to import the certificate to TMG 2010

The certificate now is saved on a file HV VPN L2TP IPSec 2.pfx. You have to import this certificate to the TMG 2010 Personal Store.

1. On the TMG 2010 Server, expand Certificates (Local Computer

2. Right click Personal, select All Tasks, select Import
3. On the Welcome to the Certificate Import Wizard page, click Next
4. On the File to Import page, type c:\ Applications\Cert\HV VPN L2TP IPSec 2.pfx , click Next
5. On the Password page, type the Password for the certificate, click Next
6. On the Certificate Store page, select Place all certificates in the following store, and 7. select Personal, click Next
8. On the Completing the Certificate Import Wizard page, click Finish
9. Click Ok

How to import the certificate to the VPN Client

We are now half the way of the field. So far we have create and issued a custom certificate from Enterprise CA to the TMG 2010 server. It is now we have to tackle the VPN Client which may be non domain computer. And this leave us the hard way, install the certificate manually.

1. Save the HV VPN L2TP IPSec.pbx file to the non domain computer 
2. On the non domain member computer copy the file HV VPN L2TP IPSec 2.pfx to a temporary directory.
3. Create a custom MMC for the Certificates
4. Click Start, click Run, type MMC, and then press Enter
5. Click File, and then click Add/Remove Snap in
6. Click Add, and then select Certificates from the list and click Add, select Computer
account, click Next, selectLocal computer, click Finish
7. Click Close, click Ok
8. Expand Certificates
9. Right click Personal, select All Tasks, select Import
10. On the Welcome to the Certificate Import Wizard page, click Next
11. On the File to Import page, type <dir> HV VPN L2TP IPSec 2.pfx , click Next
12. On the Password page, type the Password for the certificate, click Next
13. On the Certificate Store page, select Place all certificates in the following store, and select Personal, clickNext
14. On the Completing the Certificate Import Wizard page, click Finish
15. Click Ok

The creation and assignment of the certificate which is require for L2TP/IPSec implementation is now completed. You may now proceed with the rest configuration of the VPN server and client access.

SCSM 2012 RTM : Self-Service Portal Installation

In this blog, I will be sharing with you of the SCSM 2012 Self-Service Portal (SSP) installation and configuration. The point i am sharing this as through my test and deployment experience, the SSP for SCSM 2012 is not easy.

Software Prerequisites:

Firstly, we have to make sure all the software prerequisites below are met:-

• Windows Server 2008 R2 RTM or with SP1
• IIS 7.5 with IIS 6 metabase compatibility
• Self-signed SSL certificate (follow the FQDN of the SSP server)
• ASP.NET 2.0
• Microsoft .NET Framework 4.0
• Microsoft Analysis Management Objects
• Microsoft SharePoint Foundation 2010
• Excel Services in SharePoint 2010 is required for hosting dashboards for advanced analytical reports

Installation:

I will skip all the screen shot of the installation of SCSM 2012 RTM as i have recorded the process in the video below:-

You can go to this link http://youtu.be/N9TRzJIwbn8 for the video above.

Post-Installation and Configurations:

Soon after the completion of the installation. You may not get the Silverlight to load the page completely and it end up partially blank as below:-

The installation does not end here. you may now have to look a little bit more in depth of each component configurations.

IIS 7

From the IIS both SCSMWebContentServer and Service Manager Portal has to bind to the same certificate.

The FQDN that has to be changed manually.

Certificate for client browser:

You have to trust the certificate that binds to the SSP.

After all the above are verified, you should be getting a page look similar as below:-

SMPortal, it works !!

And here you can see my SSP showing the case i have logged through the Portal.

Other Useful Links:

http://social.technet.microsoft.com/wiki/contents/articles/8113.system-center-2012-service-manager-survival-guide-en-us.aspx

• Nothing more useful than the top-to-bottom details about SCSM 2012 which you can find from this link.

http://www.petri.co.il/system-center-service-manager-2012-installation-requirements.htm

• Useful sharing by Petri on SCSM 2012 Beta with screen cast step-by-step