1
00:00:02,340 --> 00:00:06,090
So let's move onto the next demonstration, configuring our first VPN server.

2
00:00:06,090 --> 00:00:09,390
And so here we are on our VPN server.

3
00:00:09,390 --> 00:00:12,580
The virtual machine has already been provisioned, joined to the domain.

4
00:00:12,580 --> 00:00:16,330
But before we move along too far, I want to talk a little bit about networking.

5
00:00:16,330 --> 00:00:18,500
If you will recall from some of our previous modules,

6
00:00:18,500 --> 00:00:22,700
we talked about the networking model supported for the RRAS server.

7
00:00:22,700 --> 00:00:27,840
You could have a single network interface or you could have multi‑homed server,

8
00:00:27,840 --> 00:00:31,760
which is pretty common where you have an interface in a perimeter

9
00:00:31,760 --> 00:00:35,690
DMZ network and the other internal interfaces either on the LAN or

10
00:00:35,690 --> 00:00:39,810
on an inside perimeter facing the LAN.

11
00:00:39,810 --> 00:00:42,190
And so in that scenario,

12
00:00:42,190 --> 00:00:46,040
there's some special attention you have to take to make sure the

13
00:00:46,040 --> 00:00:49,170
configuration of the network interfaces is functional.

14
00:00:49,170 --> 00:00:52,500
So on this server and in this lab I'm using a

15
00:00:52,500 --> 00:00:54,100
multi‑homed server for demonstration.

16
00:00:54,100 --> 00:00:56,160
Just to reiterate,

17
00:00:56,160 --> 00:00:59,360
a single network interface is perfectly acceptable

18
00:00:59,360 --> 00:01:02,620
in a lot of different scenarios, so don't feel bad if you just have one.

19
00:01:02,620 --> 00:01:03,560
That's okay.

20
00:01:03,560 --> 00:01:04,500
That's acceptable.

21
00:01:04,500 --> 00:01:06,850
And in that scenario, it's very easy.

22
00:01:06,850 --> 00:01:10,200
You just configure it as you would any other server,

23
00:01:10,200 --> 00:01:13,940
but you have to pay careful attention when you have multiple network interfaces.

24
00:01:13,940 --> 00:01:17,300
So I'm going to open the network control panel,

25
00:01:17,300 --> 00:01:20,070
and I like to use the classic one and get right where I'm going.

26
00:01:20,070 --> 00:01:22,920
So I'm just going to type in the search field ncpa.cpl,

27
00:01:22,920 --> 00:01:30,960
and that takes me right to this classic network control panel.

28
00:01:30,960 --> 00:01:32,410
You'll see I have two interfaces,

29
00:01:32,410 --> 00:01:36,500
and the first thing that I want you to notice is that I've renamed them.

30
00:01:36,500 --> 00:01:40,360
They are not Ethernet0 and Ethernet1 and so forth

31
00:01:40,360 --> 00:01:42,210
because those aren't very descriptive,

32
00:01:42,210 --> 00:01:45,520
and you'll find that having clearly labeled network

33
00:01:45,520 --> 00:01:48,040
interfaces is going to be really helpful later on.

34
00:01:48,040 --> 00:01:48,910
So in this case,

35
00:01:48,910 --> 00:01:54,140
I have renamed them LAN and DMZ to kind of illuminate what it

36
00:01:54,140 --> 00:01:57,830
is exactly that their assignments are for.

37
00:01:57,830 --> 00:02:00,460
This is the LAN interface, it's on my domain network,

38
00:02:00,460 --> 00:02:04,940
and the DMZ interface is in a DMZ or perimeter network.

39
00:02:04,940 --> 00:02:08,570
Now, I would encourage you to use whatever naming convention you like.

40
00:02:08,570 --> 00:02:10,920
If you want this one to be VLAN, you know,

41
00:02:10,920 --> 00:02:16,000
2012 and VLAN 52, really doesn't matter as long as they make sense to you.

42
00:02:16,000 --> 00:02:20,450
What I would avoid is using the name Internal for any internal

43
00:02:20,450 --> 00:02:26,800
interfaces because RRAS actually uses Internal for the name of the

44
00:02:26,800 --> 00:02:29,830
virtual interface that it uses for VPN clients,

45
00:02:29,830 --> 00:02:34,000
so we want to avoid using the name internal to avoid

46
00:02:34,000 --> 00:02:39,240
any confusion there in the future, so I've renamed mine LAN and DMZ.

47
00:02:39,240 --> 00:02:42,380
So let's take a look at the DMZ interface properties.

48
00:02:42,380 --> 00:02:44,530
I'm going to right‑click, choose Properties here,

49
00:02:44,530 --> 00:02:48,850
and you'll see that I have an IPv4 and IPv6 enabled,

50
00:02:48,850 --> 00:02:49,690
and that's it.

51
00:02:49,690 --> 00:02:55,390
Since this is a DMZ interface, I have no reason to provide any services in

52
00:02:55,390 --> 00:02:59,240
that network other than IP, so I've disabled everything else.

53
00:02:59,240 --> 00:03:05,130
So this reduces my attack surface in that public‑facing or perimeter‑facing DMZ.

54
00:03:05,130 --> 00:03:10,560
I've just configured IPv4 and in this case IPv6. Also, when you're configuring

55
00:03:10,560 --> 00:03:16,740
IPv4, ensure that you configure an IP address, subnet mask, and default gateway,

56
00:03:16,740 --> 00:03:19,520
but do not configure DNS servers here.

57
00:03:19,520 --> 00:03:22,440
Those are configured on the internal interface.

58
00:03:22,440 --> 00:03:27,800
So let's go take a look at my internal interface. Choose Properties. And here,

59
00:03:27,800 --> 00:03:30,630
since this is on my domain network, or on my LAN,

60
00:03:30,630 --> 00:03:33,560
I've left a couple of the other services open because I

61
00:03:33,560 --> 00:03:36,440
need Client for Microsoft Networks and those types of

62
00:03:36,440 --> 00:03:38,940
things, for management and whatnot.

63
00:03:38,940 --> 00:03:41,950
But here, when I look at my IPv4 properties,

64
00:03:41,950 --> 00:03:44,840
you'll see that I have an IP address and subnet mask,

65
00:03:44,840 --> 00:03:46,440
but no default gateway.

66
00:03:46,440 --> 00:03:50,750
Again, a server with two network interfaces or more than one network interface,

67
00:03:50,750 --> 00:03:54,770
multi‑homed, can have only a single default gateway. It

68
00:03:54,770 --> 00:03:57,590
should be on the external‑facing network.

69
00:03:57,590 --> 00:04:01,550
The internal network, of course, needs some additional work.

70
00:04:01,550 --> 00:04:05,000
So, and by the way, I have a DNS server defined here as well.

71
00:04:05,000 --> 00:04:08,710
So you would define your DNS servers only on the internal interface.

72
00:04:08,710 --> 00:04:13,350
Now, in the absence of a default gateway, the only network that would be

73
00:04:13,350 --> 00:04:18,660
reachable here would be this 172.16.1.0/24 network.

74
00:04:18,660 --> 00:04:26,090
If I need to reach any remote internal subnets, and in this example here, my

75
00:04:26,090 --> 00:04:31,030
domain services are on 172.16.0, so how does that work?

76
00:04:31,030 --> 00:04:31,970
How am I able to get to that?

77
00:04:31,970 --> 00:04:33,960
Well, I have to create a static route.

78
00:04:33,960 --> 00:04:36,650
And so the best way to do this is by creating a static route

79
00:04:36,650 --> 00:04:39,160
using PowerShell. So let's open up a PowerShell window.

80
00:04:39,160 --> 00:04:43,240
Needs to be elevated, of course.

81
00:04:43,240 --> 00:04:47,610
And in this case, I've already created this route because I

82
00:04:47,610 --> 00:04:49,430
had to join this server to the domain.

83
00:04:49,430 --> 00:04:55,590
So in this case, you'll see that my IP address is on the 172.16 network, but

84
00:04:55,590 --> 00:05:03,580
I can still ping my domain controller at 172.16.0.200.

85
00:05:03,580 --> 00:05:05,530
And the reason for that is because, again,

86
00:05:05,530 --> 00:05:09,500
I've created the static route previously. And we can take a look at the

87
00:05:09,500 --> 00:05:12,040
routing table. You can use the classic route print,

88
00:05:12,040 --> 00:05:19,540
but again, I prefer to use PowerShell Get-NetRoute.

89
00:05:19,540 --> 00:05:23,370
So we're going to look at the IPv4 routing table specifically, and here is the

90
00:05:23,370 --> 00:05:28,150
route that you see that I created previously. I define a route, a static route

91
00:05:28,150 --> 00:05:35,870
as 172.16.0.0/16, so I basically summarize the entire 172.16 /16 network, at

92
00:05:35,870 --> 00:05:41,110
least those first two octets, and my next hop is my gateway on this particular

93
00:05:41,110 --> 00:05:44,290
subnet, which is 172.16.1.254.

94
00:05:44,290 --> 00:05:47,070
So to demonstrate what this might look like if we needed to add an

95
00:05:47,070 --> 00:05:49,950
additional route, so let's say I wanted to add,

96
00:05:49,950 --> 00:05:54,990
for example, 172.17.0.0/16, well,

97
00:05:54,990 --> 00:06:04,380
we will use the New-NetRoute command. The address family is IPv4. The

98
00:06:04,380 --> 00:06:18,640
DestinationPrefix in this case is 172.17.0.0/16.

99
00:06:18,640 --> 00:06:22,830
The NextHop is again the gateway on this network.

100
00:06:22,830 --> 00:06:25,790
Where is the egress point on this network?

101
00:06:25,790 --> 00:06:33,760
And in this case, it is 172.16.1.254. And then we need to provide the interface.

102
00:06:33,760 --> 00:06:34,470
So in other words,

103
00:06:34,470 --> 00:06:38,030
which interface does this traffic egress on? And in this case, it

104
00:06:38,030 --> 00:06:41,620
will accept two values, or one of two values, and that is the

105
00:06:41,620 --> 00:06:45,120
InterfaceAlias or the InterfaceIndex.

106
00:06:45,120 --> 00:06:48,390
I will use the InterfaceAlias because I know what it is because

107
00:06:48,390 --> 00:07:02,110
I renamed it earlier, and that is the LAN interface. And now

108
00:07:02,110 --> 00:07:07,860
you'll see I have my second route, 172.17.0.0. 172.16.0.0 was

109
00:07:07,860 --> 00:07:09,110
the one I added previously.

110
00:07:09,110 --> 00:07:14,030
So I would be able to reach either of these remote internal subnets through the

111
00:07:14,030 --> 00:07:16,990
internal interface without having a default gateway there.

112
00:07:16,990 --> 00:07:21,040
Now, if I needed to reach additional remote internal networks,

113
00:07:21,040 --> 00:07:22,810
let's say I had something in, you know,

114
00:07:22,810 --> 00:07:28,140
10.21.12.0 or something else, maybe I wanted to route the entire 10 network,

115
00:07:28,140 --> 00:07:30,740
I would add additional routes accordingly, and you would

116
00:07:30,740 --> 00:07:33,120
do it here at the command line. I would encourage you to

117
00:07:33,120 --> 00:07:34,830
summarize as much as possible.

118
00:07:34,830 --> 00:07:38,560
So if you have a dozen 10.0.something routes,

119
00:07:38,560 --> 00:07:40,290
you may just want to bring the old, you know,

120
00:07:40,290 --> 00:07:45,100
whole 10.0.0.0/8 network or maybe even just do a /16.

121
00:07:45,100 --> 00:07:48,250
You want to keep it as simple as possible just to,

122
00:07:48,250 --> 00:07:51,740
you know, keep your sanity, but at the end of the day,

123
00:07:51,740 --> 00:07:55,670
as long as the server can reach any of these internal subnets,

124
00:07:55,670 --> 00:07:58,070
then its clients will be able to reach them as well.

125
00:07:58,070 --> 00:07:59,010
And again,

126
00:07:59,010 --> 00:08:07,000
this is only really required when you have two network interfaces, so just keep that in mind.