1
00:00:01,540 --> 00:00:05,270
To begin, we're going to create some security groups, and for Always On VPN,

2
00:00:05,270 --> 00:00:10,190
we need a number of different groups created in Active Directory. To start,

3
00:00:10,190 --> 00:00:12,530
we need a group for our VPN servers. Now,

4
00:00:12,530 --> 00:00:12,940
of course,

5
00:00:12,940 --> 00:00:16,250
this assumes that your VPN servers are joined to the domain. As

6
00:00:16,250 --> 00:00:19,520
we discussed in the previous modules, domain join is optional for

7
00:00:19,520 --> 00:00:21,530
our VPN servers, so quite clearly,

8
00:00:21,530 --> 00:00:24,210
if you're not joining your VPN servers to the domain,

9
00:00:24,210 --> 00:00:25,910
there's no need for these security groups.

10
00:00:25,910 --> 00:00:28,470
But if you are, and that's a pretty standard deployment,

11
00:00:28,470 --> 00:00:31,080
then we'll need to create a security group in Active Directory for

12
00:00:31,080 --> 00:00:35,480
our VPN servers. We'll also create a group for our NPS servers, our

13
00:00:35,480 --> 00:00:40,340
VPN users, as well as our VPN devices.

14
00:00:40,340 --> 00:00:43,060
We're going to use these security groups for a variety of things.

15
00:00:43,060 --> 00:00:44,930
The first is Certificate Enrollment.

16
00:00:44,930 --> 00:00:50,630
We're going to use the security groups as ACLs or access control lists on

17
00:00:50,630 --> 00:00:54,010
our security templates to restrict enrollment for those certificates to

18
00:00:54,010 --> 00:00:57,740
only those devices and users that require them.

19
00:00:57,740 --> 00:01:01,860
In addition, we'll use these security groups to control access to the VPN.

20
00:01:01,860 --> 00:01:06,200
We don't want everyone or everything in the domain to be able to access our

21
00:01:06,200 --> 00:01:09,780
network remotely, so we're going to restrict that to a very specific subset of

22
00:01:09,780 --> 00:01:15,740
users and define access controls in NPS on those users.

23
00:01:15,740 --> 00:01:16,920
So in this demonstration,

24
00:01:16,920 --> 00:01:19,190
I'm going to create some security groups in Active Directory.

25
00:01:19,190 --> 00:01:22,500
I'm going to do so using the standard method of the UI

26
00:01:22,500 --> 00:01:24,180
Active Directory Users and Computers,

27
00:01:24,180 --> 00:01:26,120
but I am also going to demonstrate how to do this with

28
00:01:26,120 --> 00:01:33,000
PowerShell if you're working in Server Core or you just want to simply automate the process.