1
00:00:02,340 --> 00:00:05,580
So for validation testing, we're going to perform a couple of different tasks.

2
00:00:05,580 --> 00:00:07,930
We're going to start by creating a test VPN connection.

3
00:00:07,930 --> 00:00:10,320
We're going to do this manually on an endpoint.

4
00:00:10,320 --> 00:00:14,820
We will validate that the endpoint has its prerequisites met.

5
00:00:14,820 --> 00:00:18,470
We need to make sure that it has a client authentication certificate,

6
00:00:18,470 --> 00:00:22,240
a device authentication certificate as well.

7
00:00:22,240 --> 00:00:27,150
And then we're going to update our IPsec policy and our routing configuration.

8
00:00:27,150 --> 00:00:28,890
If you recall,

9
00:00:28,890 --> 00:00:31,800
we made some changes to the default settings on the

10
00:00:31,800 --> 00:00:37,150
VPN server for IPsec because, again, the default settings are less than ideal.

11
00:00:37,150 --> 00:00:39,300
So we made that change on the server side,

12
00:00:39,300 --> 00:00:43,200
but we need to make a corresponding change on the client side.

13
00:00:43,200 --> 00:00:45,260
And again, for testing purposes,

14
00:00:45,260 --> 00:00:48,200
we're going to make this change locally just using PowerShell.

15
00:00:48,200 --> 00:00:49,310
Later,

16
00:00:49,310 --> 00:00:52,590
we'll actually input that information into our configuration files

17
00:00:52,590 --> 00:00:55,490
or an Intune UI, but for now, we're going to use PowerShell to

18
00:00:55,490 --> 00:00:59,740
update the IPsec policy locally so that it aligns with the settings

19
00:00:59,740 --> 00:01:01,940
that are in place on the server.

20
00:01:01,940 --> 00:01:05,630
We also need to update our routing configuration, and again, that's done

21
00:01:05,630 --> 00:01:10,360
using PowerShell. And in a split tunneling scenario, of course, we need to

22
00:01:10,360 --> 00:01:15,520
tell the VPN client what traffic is allowed over the VPN server, so we're

23
00:01:15,520 --> 00:01:20,820
going to use PowerShell to add a couple of subnets to the VPN's

24
00:01:20,820 --> 00:01:26,540
routing table so that that traffic will know to traverse the VPN, go to the

25
00:01:26,540 --> 00:01:31,410
on‑premises resources using that path. We'll perform some connectivity

26
00:01:31,410 --> 00:01:35,760
tests. We're going to obviously ensure that we can connect to the VPN

27
00:01:35,760 --> 00:01:39,400
server from the internet. We want to make sure that once we connect that we

28
00:01:39,400 --> 00:01:44,030
can authenticate successfully and that we can reach internal resources, so

29
00:01:44,030 --> 00:01:49,350
we want to make sure that our network routing is functioning and so we can

30
00:01:49,350 --> 00:01:51,840
reach internal services and so forth.

31
00:01:51,840 --> 00:01:56,060
We also want to validate that SSO, or single sign‑on, is working, so we're going

32
00:01:56,060 --> 00:01:59,780
to access some authenticated resources and make sure that we're not receiving

33
00:01:59,780 --> 00:02:02,140
any authentication prompts or anything like that.

34
00:02:02,140 --> 00:02:05,900
And then finally, we're going to export our EAP configuration.

35
00:02:05,900 --> 00:02:10,680
The EAP configuration is not exactly trivial to configure. Thankfully,

36
00:02:10,680 --> 00:02:13,410
we only have to do it once. And once that's done,

37
00:02:13,410 --> 00:02:17,970
we'll export it to an XML file, and we'll use that XML file, or the

38
00:02:17,970 --> 00:02:26,000
data in that XML file, when we provision our Always On VPN client settings using Intune or PowerShell.