1
00:00:04,940 --> 00:00:09,840
Now let's configure high availability for our NPS infrastructure.

2
00:00:09,840 --> 00:00:14,560
So to begin, we're going to export the NPS policy from our existing NPS server.

3
00:00:14,560 --> 00:00:17,310
This is the NPS server that we created earlier in this course.

4
00:00:17,310 --> 00:00:18,520
To export the configuration,

5
00:00:18,520 --> 00:00:21,750
just open the Network Policy Server management console,

6
00:00:21,750 --> 00:00:23,930
right‑click where it says server name Local,

7
00:00:23,930 --> 00:00:27,740
and then choose Export Configuration.

8
00:00:27,740 --> 00:00:30,670
Check the box that says, I'm aware I'm exporting shared secrets,

9
00:00:30,670 --> 00:00:34,240
and the reason they're warning you here is that this XML

10
00:00:34,240 --> 00:00:36,960
configuration file includes all of the settings,

11
00:00:36,960 --> 00:00:39,500
but it also includes potentially sensitive information,

12
00:00:39,500 --> 00:00:44,480
specifically, the shared secrets between the VPN servers and the NPS servers.

13
00:00:44,480 --> 00:00:45,960
Those are stored in plain text,

14
00:00:45,960 --> 00:00:48,200
and so you'll want to take good care of this file.

15
00:00:48,200 --> 00:00:50,140
Don't leave it around needlessly.

16
00:00:50,140 --> 00:00:55,270
So, let's go ahead and click OK, and then we'll just place this on the Desktop,

17
00:00:55,270 --> 00:00:58,340
and then click Save.

18
00:00:58,340 --> 00:01:01,370
You also have the option of exporting the policy using PowerShell.

19
00:01:01,370 --> 00:01:05,540
To do that, we'll just open an elevated PowerShell command window,

20
00:01:05,540 --> 00:01:08,230
and the command to do this is actually very simple.

21
00:01:08,230 --> 00:01:10,510
It's Export-NpsConfiguration.

22
00:01:10,510 --> 00:01:16,110
Specify the path and make sure it's in XML file format.

23
00:01:16,110 --> 00:01:20,140
Hit Enter and you're good to go.
24
00:01:20,140 --> 00:01:22,090
So here we are on our new NPS server,

25
00:01:22,090 --> 00:01:25,470
and I've copied the NPS export file over to the desktop,

26
00:01:25,470 --> 00:01:26,600
here as you can see.

27
00:01:26,600 --> 00:01:29,960
And the first thing I want to do is I want to make sure that this

28
00:01:29,960 --> 00:01:32,300
server has been enrolled for the certificate.

29
00:01:32,300 --> 00:01:34,970
So I've built the server, I've joined it to the domain,

30
00:01:34,970 --> 00:01:38,200
I want to make sure that it's enrolled for its certificate correctly.

31
00:01:38,200 --> 00:01:41,430
So I'm going to open up the local computer certificate store,

32
00:01:41,430 --> 00:01:44,970
and here we want to expand Personal and Certificates,

33
00:01:44,970 --> 00:01:49,450
and here I should see a certificate enrolled

34
00:01:49,450 --> 00:01:51,150
with the template for NPS Servers.

35
00:01:51,150 --> 00:01:54,100
So this certificate is installed correctly.

36
00:01:54,100 --> 00:01:57,560
We could proceed with installing the role and configuring it.

37
00:01:57,560 --> 00:02:00,880
So to do that, I'm going to open an elevated PowerShell command window.

38
00:02:00,880 --> 00:02:03,450
And again, this server is already joined to the domain.

39
00:02:03,450 --> 00:02:05,440
We validated that it has its certificate,

40
00:02:05,440 --> 00:02:08,230
so now we're going to install the NPAS,

41
00:02:08,230 --> 00:02:16,940
or Network Policy and Access Services role.

42
00:02:16,940 --> 00:02:20,370
And once complete, let's open up the Network Policy Server management console,

43
00:02:20,370 --> 00:02:22,890
and once again, I'm going to right‑click,

44
00:02:22,890 --> 00:02:25,190
choose Import Configuration,

45
00:02:25,190 --> 00:02:30,310
and then find that XML file that we created previously,

46
00:02:30,310 --> 00:02:33,530
and you can click OK on this warning message; we

47
00:02:33,530 --> 00:02:36,640
are not using SQL Server logging.
48
00:02:36,640 --> 00:02:39,650
The bottom line is here we should now see our RADIUS clients

49
00:02:39,650 --> 00:02:43,130
are there, and we look at our policies, and all of our policies

50
00:02:43,130 --> 00:02:47,430
are in place, and this server is now ready to begin accepting

51
00:02:47,430 --> 00:02:48,730
authentication requests.

52
00:02:48,730 --> 00:02:51,170
Finally, once the NPS server is configured,

53
00:02:51,170 --> 00:02:55,040
we need to update the configuration on the VPN server to support this.

54
00:02:55,040 --> 00:02:58,780
So here we are on our VPN server, and we'll right‑click on the server

55
00:02:58,780 --> 00:03:03,920
and choose Properties. We'll select Security, and then next to RADIUS

56
00:03:03,920 --> 00:03:08,280
Authentication, we'll click Configure. And here we have our first

57
00:03:08,280 --> 00:03:10,930
server configured, so I'm going to click Add, and we're going to add

58
00:03:10,930 --> 00:03:15,180
our second server. And since we exported our configuration and

59
00:03:15,180 --> 00:03:17,770
imported it, the shared secret remains the same.

60
00:03:17,770 --> 00:03:23,440
So I'm going to grab that and we'll just paste that in here, and then click OK.

61
00:03:23,440 --> 00:03:27,280
And we'll click OK once more, and now you'll see we have two servers, and

62
00:03:27,280 --> 00:03:31,550
they both have an initial score of 30, and that's fantastic if you want to

63
00:03:31,550 --> 00:03:34,950
do round‑robin load balancing between these two.

64
00:03:34,950 --> 00:03:36,760
So in this scenario,

65
00:03:36,760 --> 00:03:40,430
the VPN server prefers the NPS server with the highest

66
00:03:40,430 --> 00:03:42,770
initial score, and if they have the same score,

67
00:03:42,770 --> 00:03:45,040
it'll just round‑robin between the two.
68
00:03:45,040 --> 00:03:49,530
Now, this may work great, but if, for example, nps2 was in a remote

69
00:03:49,530 --> 00:03:54,500
location, then I would certainly want to prefer nps1 over nps2.

70
00:03:54,500 --> 00:03:59,070
So in other words, use nps1 unless it didn't respond, and then use nps2.

71
00:03:59,070 --> 00:04:00,100
In that scenario,

72
00:04:00,100 --> 00:04:03,940
I would just simply lower the initial score for the second server,

73
00:04:03,940 --> 00:04:06,290
and we'll set it to something lower like 20.

74
00:04:06,290 --> 00:04:08,300
So here in this scenario,

75
00:04:08,300 --> 00:04:13,050
nps1 would always be preferred, and it would always respond, but if it

76
00:04:13,050 --> 00:04:17,080
does not respond, then it will send the request to nps2.

77
00:04:17,080 --> 00:04:22,010
So in that scenario you could prefer a more local NPS server, unless it

78
00:04:22,010 --> 00:04:25,750
wasn't available, and then use a remote server as fallback.

79
00:04:25,750 --> 00:04:28,030
So we'll click OK, and then we're going to repeat this

80
00:04:28,030 --> 00:04:38,540
process for the accounting provider.

81
00:04:38,540 --> 00:04:41,240
The last bit of configuration that has to be done is on the

82
00:04:41,240 --> 00:04:44,600
endpoint itself. Recall that when we set up our client

83
00:04:44,600 --> 00:04:48,160
configuration, we defined which NPS servers it was allowed to

84
00:04:48,160 --> 00:04:50,610
talk to, so we need to update that setting.

85
00:04:50,610 --> 00:04:54,930
So let's go into our VPN settings, and here, I'm going to

86
00:04:54,930 --> 00:04:57,770
click on Change adapter options because I need to get to

87
00:04:57,770 --> 00:04:58,880
the more advanced settings.
88
00:04:58,880 --> 00:05:01,250
So we're going to right‑click our VPN connection,

89
00:05:01,250 --> 00:05:02,570
choose Properties,

90
00:05:02,570 --> 00:05:06,640
go to the Security tab, and under Protected EAP here, I want to select

91
00:05:06,640 --> 00:05:09,820
Properties, and here's where you'll see that we supplied that

92
00:05:09,820 --> 00:05:14,080
information previously. So you can add multiple names here; they just

93
00:05:14,080 --> 00:05:16,010
have to be separated by a semicolon.

94
00:05:16,010 --> 00:05:20,270
So I'm going to add my second NPS server here. Then I'm

95
00:05:20,270 --> 00:05:22,000
going to copy this whole string here.

96
00:05:22,000 --> 00:05:26,290
We'll go down here to click Configure, and then I'm going to paste this string

97
00:05:26,290 --> 00:05:28,800
in here as well, because they need to be in both places.

98
00:05:28,800 --> 00:05:33,650
So once that's done, we'll click OK, click OK once more, and OK.

99
00:05:33,650 --> 00:05:36,760
And at this point, the client configuration is complete.

100
00:05:36,760 --> 00:05:40,690
Now, of course, if you're deploying this with PowerShell or with Intune,

101
00:05:40,690 --> 00:05:42,740
you need to update the settings there.

102
00:05:42,740 --> 00:05:43,540
So again,

103
00:05:43,540 --> 00:05:46,600
following those steps as we outlined previously in this course, you'll

104
00:05:46,600 --> 00:05:51,470
export the XML configuration, and then upload that to Intune into the

105
00:05:51,470 --> 00:05:54,620
device configuration profile, and then once your clients synchronize,

106
00:05:54,620 --> 00:05:56,820
then they'll be able to support that.
107
00:05:56,820 --> 00:05:57,430
Now,

108
00:05:57,430 --> 00:06:01,910
the challenge here is when you're migrating these settings, I would encourage

109
00:06:01,910 --> 00:06:06,700
you to deploy the new NPS server configuration settings to your endpoints

110
00:06:06,700 --> 00:06:09,860
prior to adding the new server on the back end.

111
00:06:09,860 --> 00:06:10,610
That way,

112
00:06:10,610 --> 00:06:13,540
you don't get an issue where once you add the NPS

113
00:06:13,540 --> 00:06:15,670
server to the VPN server configuration,

114
00:06:15,670 --> 00:06:17,090
your clients are going to start complaining.

115
00:06:17,090 --> 00:06:18,790
So you want to front-load those clients with that

116
00:06:18,790 --> 00:06:23,290
information first, deploy those settings using Intune or

117
00:06:23,290 --> 00:06:25,770
XML, and then once everybody has them,

118
00:06:25,770 --> 00:06:33,000
then you can update the VPN server configuration and there shouldn't be any complaints from your endpoints.