1
00:00:02,540 --> 00:00:03,650
To continue our configuration,

2
00:00:03,650 --> 00:00:06,390
we'll open the Routing and Remote Access management console,

3
00:00:06,390 --> 00:00:10,080
and since I just installed the role here with the management console open,

4
00:00:10,080 --> 00:00:11,830
I'm just going to choose Refresh.

5
00:00:11,830 --> 00:00:17,450
And now you'll see that the little, it's a tiny,

6
00:00:17,450 --> 00:00:21,220
teeny tiny little arrow there, but it's an up arrow indicating the service is up,

7
00:00:21,220 --> 00:00:23,360
so services are running on this, but again,

8
00:00:23,360 --> 00:00:25,790
this is the default out‑of‑the‑box configuration.

9
00:00:25,790 --> 00:00:28,470
There's some additional work that we need to do.

10
00:00:28,470 --> 00:00:33,940
So, to begin, we're just going to right‑click here and choose Properties,

11
00:00:33,940 --> 00:00:37,330
and then we'll, first things first, go to the Security tab.

12
00:00:37,330 --> 00:00:41,500
And for our Authentication provider we want to choose RADIUS.

13
00:00:41,500 --> 00:00:47,370
And then we'll click Configure, and here we want to add our RADIUS server,

14
00:00:47,370 --> 00:00:49,940
or our NPS server that we provisioned previously.

15
00:00:49,940 --> 00:00:54,480
So I'm going to enter that server's FQDN here,

16
00:00:54,480 --> 00:01:00,340
and then I'm going to click Change here next to Shared secret,

17
00:01:00,340 --> 00:01:03,930
and I'm going to paste that super long complex password

18
00:01:03,930 --> 00:01:07,770
that we created earlier in this module, so I'm going to click OK.

19
00:01:07,770 --> 00:01:10,070
And the default settings here are just fine,

20
00:01:10,070 --> 00:01:12,870
so we'll click OK, and we are good to go.

21
00:01:12,870 --> 00:01:16,060
I'm going to repeat this process for the Accounting provider.
22
00:01:16,060 --> 00:01:19,380
So we'll choose RADIUS Accounting, choose Configure,

23
00:01:19,380 --> 00:01:32,940
and once again add the server, provide the shared secret,

24
00:01:32,940 --> 00:01:34,090
and we're good to go.

25
00:01:34,090 --> 00:01:37,260
And you'll notice that there's a slight delay when we do that.

26
00:01:37,260 --> 00:01:39,570
There's some validation that takes place in the background,

27
00:01:39,570 --> 00:01:41,540
so don't worry about that.

28
00:01:41,540 --> 00:01:44,940
Next thing we want to do is go to Authentication Methods,

29
00:01:44,940 --> 00:01:47,690
and we want to uncheck MS‑CHAP v2.

30
00:01:47,690 --> 00:01:49,930
We don't want to support usernames and passwords.

31
00:01:49,930 --> 00:01:50,170
Again,

32
00:01:50,170 --> 00:01:55,450
we want to use EAP authentication and we want to use certificates within EAP.

33
00:01:55,450 --> 00:01:58,880
Since we're also going to be supporting device‑based connections,

34
00:01:58,880 --> 00:01:59,970
so device tunnels,

35
00:01:59,970 --> 00:02:05,070
we want to select the option Allow machine certificate authentication for IKEv2,

36
00:02:05,070 --> 00:02:07,060
so we'll click OK.

37
00:02:07,060 --> 00:02:10,310
In the SSL Certificate Binding section,

38
00:02:10,310 --> 00:02:13,510
click on the drop‑down list next to Certificate and choose the

39
00:02:13,510 --> 00:02:16,910
correct certificate for the public SSL certificate,

40
00:02:16,910 --> 00:02:19,790
so the public SSL certificate is what gets assigned here.

41
00:02:19,790 --> 00:02:23,170
Now, here's the trick, both of these certificates have the same name,

42
00:02:23,170 --> 00:02:25,920
so there's no way to differentiate between them here,

43
00:02:25,920 --> 00:02:28,130
but we'll select one of them and click View,

44
00:02:28,130 --> 00:02:30,000
and we'll see if it's the right one.

45
00:02:30,000 --> 00:02:31,540
Is it?

46
00:02:31,540 --> 00:02:31,980
It is.
47
00:02:31,980 --> 00:02:33,810
In this case it is issued by GeoTrust.

48
00:02:33,810 --> 00:02:36,850
It's our public. If we were to select the wrong one,

49
00:02:36,850 --> 00:02:40,350
click View, this is our internal CA,

50
00:02:40,350 --> 00:02:43,420
so this is not the correct certificate to assign to

51
00:02:43,420 --> 00:02:46,740
the SSL or the SSTP certificate.

52
00:02:46,740 --> 00:02:49,040
We want to assign our public certificate,

53
00:02:49,040 --> 00:02:52,840
so we'll select that one, click View, just make sure it's our public,

54
00:02:52,840 --> 00:02:55,540
and then click OK and we're good to go.

55
00:02:55,540 --> 00:02:58,490
Now let's go over to our IPv4 tab,

56
00:02:58,490 --> 00:03:02,610
and here we want to assign a Static address pool.

57
00:03:02,610 --> 00:03:07,360
This is the recommended method of provisioning IP addresses to our clients.

58
00:03:07,360 --> 00:03:11,640
And here I'm just going to select a unique subnet environment.

59
00:03:11,640 --> 00:03:13,810
It's not in use anywhere else.

60
00:03:13,810 --> 00:03:16,650
And since I'm not supporting a ton of users,

61
00:03:16,650 --> 00:03:19,640
I'm just going to carve out a simple /24 here.

62
00:03:19,640 --> 00:03:24,340
So the general recommendation here is to carve these

63
00:03:24,340 --> 00:03:26,180
subnets along subnet boundaries,

64
00:03:26,180 --> 00:03:28,790
but there's no hard and fast requirement to do that.

65
00:03:28,790 --> 00:03:32,420
So if you just wanted to do a range, you certainly could do that,

66
00:03:32,420 --> 00:03:35,470
but here I try to keep things neat and tidy.

67
00:03:35,470 --> 00:03:40,220
I've reserved this /24 from my IP address management platform.

68
00:03:40,220 --> 00:03:44,320
I'm going to keep this whole /24 and all of its addresses assigned here.

69
00:03:44,320 --> 00:03:47,670
And, again, you'll use usable addresses,

70
00:03:47,670 --> 00:03:51,440
so don't include network addresses or broadcast addresses here.
71
00:03:51,440 --> 00:03:53,640
So click OK.

72
00:03:53,640 --> 00:03:56,830
And then, if this is a multi‑homed server,

73
00:03:56,830 --> 00:04:02,700
we want to ensure that our internal or LAN interface is selected,

74
00:04:02,700 --> 00:04:05,010
so we'll select LAN there.

75
00:04:05,010 --> 00:04:09,510
And then we'll go to IPv6, and if you're using IPv6,

76
00:04:09,510 --> 00:04:14,090
then we'll need to supply a prefix for address assignment here.

77
00:04:14,090 --> 00:04:17,040
So I'm going to do that now.

78
00:04:17,040 --> 00:04:19,170
And, once again, much like IPv4,

79
00:04:19,170 --> 00:04:23,770
this IPv6 prefix must be unique in your environment.

80
00:04:23,770 --> 00:04:26,400
And then same thing here,

81
00:04:26,400 --> 00:04:29,480
I'm going to select the internal interface network

82
00:04:29,480 --> 00:04:33,100
adapter in this selection box here.

83
00:04:33,100 --> 00:04:37,840
And at this point we're good to go, so we can click OK.

84
00:04:37,840 --> 00:04:41,220
And this is just basically a warning message saying,

85
00:04:41,220 --> 00:04:45,690
hey, you've configured some things that you might want to know more about.

86
00:04:45,690 --> 00:04:48,380
There's some authentication methods here that it's telling

87
00:04:48,380 --> 00:04:50,150
you you should look at the help for.

88
00:04:50,150 --> 00:04:52,470
If you wish to do that, great, click Yes.

89
00:04:52,470 --> 00:04:56,740
We don't need that, so I'm going to go ahead and click No.

90
00:04:56,740 --> 00:04:59,610
And then of course it will prompt you to restart the services.

91
00:04:59,610 --> 00:05:12,000
The changes that we made do require a service restart, so we'll click Yes. Once that's done, click OK to continue.