
Move the client to the Internet

In document 6419B ENU Trainer Handbook Part2 (Page 66-69)

Lab B: Implementing NAP into a VPN Remote Access Solution

Task 3: Move the client to the Internet

1. Configure NYC-CL1 for the Internet network segment:

a. Click Start, click Control Panel, and then click Network and Internet.

b. Click Network and Sharing Center.

c. Click Change adapter settings.

d. Right-click Local Area Connection 3, and then click Properties.

e. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

f. Ensure Use the following IP address is already selected. Next to IP address, type 131.107.0.20. Next to Subnet mask, type 255.255.255.0. Remove the Default gateway.

g. Next to Preferred DNS server, remove 10.10.0.10.

h. Click OK, and then click Close to close the Local Area Connection 3 Properties dialog box.

MCT USE ONLY. STUDENT USE PROHIBITED

Lab A: Implementing a Virtual Private Network L6-11

i. Close the Network Connections window.

2. Verify network connectivity for NYC-CL1:

a. Click Start, click All Programs, click Accessories, and then click Run.

b. Type cmd, and then press ENTER.

c. At the command prompt, type ping 131.107.0.2 and then press ENTER.

d. Verify that the response reads “Reply from 131.107.0.2”.

e. Close the command window.

Task 4: Create a VPN on NYC-CL1

1. Configure a VPN connection:

a. Click Start, click Control Panel, and then click Network and Internet.

b. Click Network and Sharing Center.

c. Click Set up a new connection or network.

d. On the Choose a connection option page, click Connect to a workplace, and then click Next.

e. On the How do you want to connect page, click Use my Internet connection (VPN).

f. Click I’ll set up an Internet connection later.

g. On the Type the Internet address to connect to page, next to Internet address, type 131.107.0.2. Next to Destination name, type Contoso VPN, select the Allow other people to use this connection check box, and then click Next.

h. On the Type your user name and password page, type administrator next to User name, and type Pa$$w0rd next to Password, select the Remember this password check box, type Contoso next to Domain (optional), and then click Create.

i. On The connection is ready to use page, click Close.

j. In the Network and Sharing Center window, click Change adapter settings.

k. Right-click the Contoso VPN connection, click Properties, and then click the Security tab.

l. Under Authentication, click Use Extensible Authentication Protocol (EAP).

m. In the Microsoft: Secured password (EAP-MSCHAP v2) (encryption enabled) list, click Microsoft: Protected EAP (PEAP) (encryption enabled), and then click Properties.

n. Ensure that the Validate server certificate check box is already selected. Clear the Connect to these servers check box, and then ensure that Secured password (EAP-MSCHAP v2) is already selected under Select Authentication Method, clear the Enable Fast Reconnect check box, and then select the Enforce Network Access Protection check box.

o. Click OK twice to accept these settings.

2. Test the VPN connection:

a. In the Network Connections window, right-click the Contoso VPN connection, and then click Connect.

b. In the Connect Contoso VPN window, click Connect.

c. You are presented with a Windows Security Alert window the first time this VPN connection is used. Click Details, and verify that Certificate Information states that the certificate was issued to NYC-EDGE1.Contoso.com by ContosoCA. Click Connect.


d. Wait for the VPN connection to be made. Because NYC-CL1 is compliant, it should have unlimited access to the intranet subnet.

e. Click Start, click All Programs, click Accessories, and then click Command Prompt.

f. Type ipconfig /all, and view the IP configuration. System Quarantine State should be Not Restricted.

g. In the command window, type ping 10.10.0.10 and then press Enter. This should be successful.

The client now meets the requirement for VPN full connectivity.

h. Disconnect from the Contoso VPN.

3. Configure Windows Security Health Validator to require an antivirus application:

a. On NYC-EDGE1, click Start, point to Administrative Tools, and then click Network Policy Server.

b. Expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.

c. In the right pane under Name, double-click Default Configuration.

d. On the Windows 7/Windows Vista selection, select the An antivirus application is on check box, and then click OK.

4. Verify the client is placed on the restricted network:

a. On NYC-CL1, in the Network Connections window, right-click the Contoso VPN, and then click Connect.

b. Click Connect.

c. Wait for the VPN connection to be made. Verify that a message appears in the Action Center that states that the computer doesn’t meet security standards.

d. Click Start, click All Programs, click Accessories, and then click Command Prompt.

e. Type ipconfig /all and then press ENTER. View the IP configuration. System Quarantine State should be Restricted.

The client does not meet the requirements for the network, and therefore is placed on the restricted network.

f. Disconnect the Contoso VPN.

Results: In this exercise, you enabled and configured a VPN NAP enforcement policy for Contoso Ltd.
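The two ipconfig /all checks in this task (Not Restricted while NYC-CL1 is compliant, Restricted once the antivirus requirement is enabled) can be scripted instead of read by eye. The following PowerShell is an added example, not part of the handbook: the function names are hypothetical, the sample output is constructed, and it assumes an English-language Windows client. It compares the whole field value, because a simple search for the word "Restricted" also matches "Not Restricted".

```powershell
# Added example: read the NAP "System Quarantine State" field from ipconfig /all.
function Get-SystemQuarantineState {
    param(
        # Lines of ipconfig /all output; defaults to running the command locally.
        [string[]]$IpconfigOutput = (ipconfig /all)
    )
    foreach ($line in $IpconfigOutput) {
        # The label is followed by dot leaders, then ": <value>".
        if ($line -match '^\s*System Quarantine State[\s.]*:\s*(.+?)\s*$') {
            return $Matches[1]
        }
    }
    # Field not present in the supplied output.
    return $null
}

function Test-NapLabStep {
    param(
        [Parameter(Mandatory = $true)][string]$Expected,
        [string[]]$IpconfigOutput = (ipconfig /all)
    )
    $state = Get-SystemQuarantineState -IpconfigOutput $IpconfigOutput
    if ($null -eq $state) { return 'UNKNOWN: no System Quarantine State field found' }
    # Compare the full value so "Not Restricted" never passes as "Restricted".
    if ($state -eq $Expected) { return "PASS: $state" }
    return "FAIL: expected '$Expected', got '$state'"
}

# Constructed sample output (not captured from the lab machines).
$compliant = @(
    'Windows IP Configuration',
    '',
    '   Host Name . . . . . . . . . . . . : NYC-CL1',
    '   System Quarantine State . . . . . : Not Restricted'
)
$restricted = $compliant -replace ': Not Restricted$', ': Restricted'

Test-NapLabStep -Expected 'Not Restricted' -IpconfigOutput $compliant   # check in step 2f
Test-NapLabStep -Expected 'Restricted' -IpconfigOutput $restricted      # check in step 4e
Test-NapLabStep -Expected 'Restricted' -IpconfigOutput $compliant       # wrong expectation on purpose
```

On NYC-CL1 itself, omit -IpconfigOutput so the function reads the live ipconfig /all output while the Contoso VPN is connected.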

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.


Lab A: Creating and Managing User and Computer Accounts L7-1
