1
00:00:00,040 --> 00:00:03,940
Once that's done, let's go ahead and install the role,

2
00:00:03,940 --> 00:00:08,040
and to do that, once again, I'm going to use PowerShell.

3
00:00:08,040 --> 00:00:09,980
And again, just as a reminder,

4
00:00:09,980 --> 00:00:12,450
we're going to install the Windows feature and the feature is

5
00:00:12,450 --> 00:00:29,940
directaccess-vpn and will include the Management Tools.

6
00:00:29,940 --> 00:00:30,530
(Typing) And next,

7
00:00:30,530 --> 00:00:39,970
we will configure the remote access service. (Typing) Once that's complete,

8
00:00:39,970 --> 00:00:41,470
we can import the configuration.

9
00:00:41,470 --> 00:00:46,240
So I'm going to navigate to the desktop where that configuration file is,

10
00:00:46,240 --> 00:00:49,000
and the command to import the configuration is just simply

11
00:00:49,000 --> 00:00:59,840
netsh.exe exec and the name of the file.

12
00:00:59,840 --> 00:01:03,200
So once that's finished, we need to restart the remote access service,

13
00:01:03,200 --> 00:01:06,970
and in this case, we actually need to start the RasMan service as well,

14
00:01:06,970 --> 00:01:11,210
and if we restart the RasMan service and use the -force parameter,

15
00:01:11,210 --> 00:01:15,260
we'll also restart the remote access service and that will completely install

16
00:01:15,260 --> 00:01:24,350
that imported configuration. (Typing) So at this point,

17
00:01:24,350 --> 00:01:27,390
the bulk of the configuration has been imported,

18
00:01:27,390 --> 00:01:30,990
but again, as I've stated previously, it doesn't bring over everything.

19
00:01:30,990 --> 00:01:36,640
So let's go to the Routing and Remote Access Management console.

20
00:01:36,640 --> 00:01:39,250
So at this point, I'm going to right-click on the server and choose Properties.

21
00:01:39,250 --> 00:01:41,800
I'm going to go to the Security settings,

22
00:01:41,800 --> 00:01:45,660
and now I'm going to select, in the SSL Certificate Binding section,

23
00:01:45,660 --> 00:01:50,070
I'm going to choose my public SSL certificate. So I'll click View,

24
00:01:50,070 --> 00:01:52,940
make sure that's my public SSL certificate,

25
00:01:52,940 --> 00:01:58,260
and then I also need to define my RADIUS server settings.

26
00:01:58,260 --> 00:02:00,270
So if I click Configure here,

27
00:02:00,270 --> 00:02:03,580
what you'll notice is that we have our server settings

28
00:02:03,580 --> 00:02:05,820
that were imported from our first server,

29
00:02:05,820 --> 00:02:06,690
however,

30
00:02:06,690 --> 00:02:09,020
it doesn't bring over the shared secret so I would

31
00:02:09,020 --> 00:02:11,310
have to input those there as well.

32
00:02:11,310 --> 00:02:14,050
So I'm going to click Edit, click Change,

33
00:02:14,050 --> 00:02:16,420
and even though it looks like, let me back up for a second,

34
00:02:16,420 --> 00:02:19,240
it looks like I've actually got a shared secret there,

35
00:02:19,240 --> 00:02:20,960
I don't, so I'm going to click Change,

36
00:02:20,960 --> 00:02:25,720
and then I'm going to paste the shared secret there accordingly.

37
00:02:25,720 --> 00:02:31,340
So I'm going to click OK, I'm going to repeat that step here,

38
00:02:31,340 --> 00:02:42,540
and then I will repeat those steps for the accounting providers as well.

39
00:02:42,540 --> 00:02:44,010
So once that's done, I'm going to click OK,

40
00:02:44,010 --> 00:02:52,540
and I'll be prompted to restart the service.

41
00:02:52,540 --> 00:02:53,090
Finally,

42
00:02:53,090 --> 00:02:55,700
I want to just make sure that my configuration came

43
00:02:55,700 --> 00:02:59,750
over as expected because occasionally, sometimes things don't work out.

44
00:02:59,750 --> 00:03:03,040
So I'm going to actually right-click on Ports and choose Properties,

45
00:03:03,040 --> 00:03:05,740
and I want to make sure that all of these are set correctly,

46
00:03:05,740 --> 00:03:08,510
and what you'll see here, of course, is that one is not.

47
00:03:08,510 --> 00:03:13,140
So I actually have, or I'm expecting 500 ports each.

48
00:03:13,140 --> 00:03:17,500
In this scenario, sometimes, and I can't really explain this,

49
00:03:17,500 --> 00:03:18,530
but for some reason,

50
00:03:18,530 --> 00:03:20,540
some of these settings don't come over, like if I were to

51
00:03:20,540 --> 00:03:22,530
look at this in the configuration file,

52
00:03:22,530 --> 00:03:25,240
it would say 500 for the number of IKEv2 ports.

53
00:03:25,240 --> 00:03:27,400
So here I'm just going to click Configure,

54
00:03:27,400 --> 00:03:30,410
and I'm going to set this to what I expect.

55
00:03:30,410 --> 00:03:31,540
We'll click OK.

56
00:03:31,540 --> 00:03:33,580
It's going to ask me if I want to restart,

57
00:03:33,580 --> 00:03:36,740
and again, this reboots the server so I'm going to choose No,

58
00:03:36,740 --> 00:03:39,100
and I'm going to reboot that a little bit later.

59
00:03:39,100 --> 00:03:40,510
So once that's done,

60
00:03:40,510 --> 00:03:42,760
I'm going to reboot the server and we'll pick up the

61
00:03:42,760 --> 00:03:45,440
configuration on the other side.

62
00:03:45,440 --> 00:03:48,400
Now that the VPN server configuration has been imported,

63
00:03:48,400 --> 00:03:52,230
there are a few outstanding configuration tasks that must still be completed.

64
00:03:52,230 --> 00:03:53,840
Recall that earlier in this course,

65
00:03:53,840 --> 00:03:56,930
we set up the first VPN server. We made some adjustments to

66
00:03:56,930 --> 00:03:59,080
the security configuration. Specifically,

67
00:03:59,080 --> 00:04:02,420
we defined the root of trust for IPsec authentication,

68
00:04:02,420 --> 00:04:06,140
and we configured a custom IPsec policy.

69
00:04:06,140 --> 00:04:06,930
Unfortunately,

70
00:04:06,930 --> 00:04:10,300
neither of these settings come over during the configuration import

71
00:04:10,300 --> 00:04:13,070
so we'll have to make those changes here manually.

72
00:04:13,070 --> 00:04:14,540
Now, as a reminder,

73
00:04:14,540 --> 00:04:19,150
we made both of those changes using my AO VPN Tools PowerShell module,

74
00:04:19,150 --> 00:04:21,420
which I've already installed on this server.

75
00:04:21,420 --> 00:04:24,460
So to define the root of trust for IPsec,

76
00:04:24,460 --> 00:04:30,070
we need to run the command Set-IKEV2VpnRootCertificate and supply the

77
00:04:30,070 --> 00:04:37,140
thumbprint of our trusted root certification authority.

78
00:04:37,140 --> 00:04:41,830
Next, we'll run the Set-IKEv2VpnSecurityBaseline command with the

79
00:04:41,830 --> 00:04:47,450
-EnforceIKEv2CrlCheck and the -EnhancedSecurity parameters.

80
00:04:47,450 --> 00:04:53,780
This will define our custom IPsec policy like we configured on the first server.

81
00:04:53,780 --> 00:05:05,000
And once that's done, we'll restart the remote access service, and we'll be done with the configuration.