So to create a test profile, the easiest way to do this is actually just to click on the Start menu here and then just type in VPN, and you'll find the VPN settings here. So go ahead and click on VPN settings, and here click Add a VPN connection. From the provider drop‑down list, choose Windows (built‑in). Provide a connection name. I prefer to call it something very, very simple. Just Test is fine. And the server name or address needs to be the VPN server's public hostname. You always want to use a hostname here, never an IP address, so we'll add that here. And then for the VPN type, for now we're going to select SSTP, or Secure Socket Tunneling Protocol, because that's the first protocol that we want to validate during our testing. For the type of sign‑in info, you can choose Certificate. You can leave the User name and Password fields blank because we're obviously going to use a certificate for authentication. And then uncheck Remember my sign‑in info. We don't need that information when we're using a certificate. So click Save. And unfortunately, it's not quite that easy. We've got a lot more work to do, and we need to dig down a little bit deeper.

We can't get to all the advanced settings that we need to in this UI. So over here on the right, or depending on how your screen is oriented, it may be below this, click on the link here that says Change adapter options. When you go here, minimize this, and you'll see our Test VPN connection. So we're just going to right‑click on that and choose Properties. And I'm going to jump over to the Security tab, and the first thing I want to do here is select Protected EAP from the EAP drop‑down list here. So we're going to select Protected EAP, and then we're going to click Properties.

There are a whole bunch of settings here, so I'm going to go through all of these in detail. The first one, probably the most crucial, is this check box next to Verify the server's identity by validating its certificate. If we were to uncheck this, this would be a very poor security configuration. We always want the client to validate the server that it's authenticating to, and if it's not valid, we don't want to authenticate. This is a security mechanism that's really crucial because it ensures that it is prohibitively difficult to intercept the authentication credential exchange between an endpoint or a VPN client and the VPN server. This is designed to kind of thwart or prevent man‑in‑the‑middle attacks, so we want to make sure that this setting is absolutely set.

To further improve security, we actually want to tell the client the name of the NPS server that we're actually authenticating to. In other words, not only verify that its certificate is valid and trusted, but that it is the actual correct NPS server. So, in this case, we're going to add the hostname of the NPS server that we configured previously. I suggest using the fully qualified domain name because this name needs to match the name that's on the certificate presented by the NPS server when we're establishing our secure authentication channel. We'll also need to tell the client which trusted CA is issuing this certificate. So here I'm going to go down and find my root CA, and I'm going to select that option here. By the way, you can't really see much here, and you may in your environment have more than one issuing CA. So if you double‑click on this, you'll get the actual certificate. I would encourage you to go to the Details, scroll down to the Thumbprint, and make absolutely certain that this is the correct certificate. Again, if you've renewed certificates in your environment or you've stood up additional CAs and happened to use the same name, there are a lot of ways that there could be multiple certificates here that have the same name but aren't actually the same certificate itself, so validate that this is the correct thumbprint for the certificate in your PKI or on your issuing CA, or root CA in this case.

So, there's a drop‑down list here for Notifications. This is rather important because the default settings are, again, less than ideal. What this tells us here is that the default setting is to tell the user if the certificate isn't specified or if there's a problem with it or something like that. The problem with this is that we're leaving the job of determining whether or not to connect up to the user. What's going to happen is, if this connection was intercepted, an attacker could, you know, again present its own credentials, and the client, of course, would not trust the certificate, but it would prompt the user: what do you want to do? Do you want to continue? Well, of course, they're just going to click right through that. So it doesn't really help us from a security perspective. The best option here is to select Don't ask users to authorize or trust new CAs, because if something comes up there, we know that, you know, that's probably bogus or that there's a problem with this connection. We would rather it fail closed or fail safe, right, and not connect, rather than have the user try to make a determination as to, you know, well, is this actually a trusted CA or not.

The next thing that we want to do here is select our authentication method. We're going to use Smart Card or certificate. And before we get on to the configuration, there are a couple of little things I want to touch base on here. We want to disable fast reconnect because, again, as I mentioned earlier, that is a Wi‑Fi technology. It's used to kind of streamline the reauthentication process for, you know, typically moving between access points. We don't want that feature enabled for VPN.

We also want to check the box for Disconnect if server does not present cryptobinding TLV. Cryptobinding, again, as I'd mentioned before, is a security mechanism that ensures that the peers actually communicated directly with each other. It's designed to detect man‑in‑the‑middle attacks. And so an attacker could intercept this connection and just simply not send the cryptobinding TLV to the client. The client would just say, okay, great, you didn't send me one, then fine, I'm just going to go ahead and connect. If that happens, that is unusual and out of the ordinary, and it is indicative of an attack, and so we want the client to say, hey, if you didn't send me a TLV, something's wrong here. You know, I'm calling bollocks on that, and I'm going to drop out. So in that case, we definitely want this setting here.