Step by Step Guide: Configuring VPN under Windows Server 2012 with NPS

This tutorial guides you through setting up a VPN under Windows Server 2012 R2. First we set it up with outdated protocols to get a basic feeling for it. Then we set up a Certification Authority to create a self-signed certificate for securing the VPN connection (SSTP).

The tutorial is for learning purposes in your lab. In a production environment you would have to change some things; for example, you would normally have to buy an official certificate.

For setting it up, it would be good to have a server behind a firewall with a fixed IP and a DNS name that you can connect to from outside. For testing purposes you could give your server two NICs, declare one of them as the external one, and connect from a client in the external IP range to your VPN server via the external IP. If you work with certificates, you should assign a host name to the external IP.

Basic VPN Installation and Configuration

I’m assuming that you are quite familiar with adding roles and features via Server Manager in Windows Server 2012, so I won’t describe these steps in every detail.

  • Add the role “Remote Access”
  • Add the Role Services “Direct Access and VPN (RAS)”

After everything is installed, click on

  • “Remote Access”
  • “More…”
  • “Open the Getting Started Wizard”

The wizard usually starts in the background, so minimize all other programs.

  • Click on “Deploy VPN only”
  • “Routing and Remote Access” is starting
  • Right-click on the server name
  • Choose “Configure and Enable Routing and Remote Access”
  • Click “Next”
  • “Routing and Remote Access” is starting
  • Click “Custom configuration”
  • Click “Next”
  • Click “VPN access”
  • Click “Next”
  • Click “Finish”
  • After the basic configuration has finished, a new window appears.
  • Click “Start service”
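The same role installation and VPN-only deployment from PowerShell, as an added example that is not part of the original article. It assumes an elevated PowerShell on a domain-joined Windows Server 2012 R2 and uses the RemoteAccess module's Install-RemoteAccess cmdlet as the equivalent of the “Deploy VPN only” wizard; the last command only lists which VPN ports RRAS is listening on.

```powershell
# Added example (not from the original article): install the Remote Access role
# and enable the VPN-only deployment from PowerShell instead of Server Manager.
# Assumption: elevated PowerShell on a domain-joined Windows Server 2012 R2.

# 1. Role and role service used by the article
#    ("Remote Access" -> "DirectAccess and VPN (RAS)", plus Routing)
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# 2. Equivalent of "Deploy VPN only" in the Getting Started Wizard
Import-Module RemoteAccess
Install-RemoteAccess -VpnType Vpn

# 3. Confirm that the service behind "Start service" is running
Get-Service RemoteAccess | Select-Object Name, Status, StartType

# 4. Show what RRAS is listening for. TCP 1723 (plus GRE) is PPTP, which the
#    first part of the article uses and which is lab-only; TCP 443 only shows
#    up once an SSTP certificate has been bound later in the article.
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 1723, 443 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```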

Basic NPS Installation and Configuration under Windows Server 2012

  • Add the role “Network Policy and Access Services”
  • Add the Role Services “Network Policy Server”
  • Start Network Policy Server, e.g. via “Server Manager” – “Tools” – “Network Policy Server”
  • Go to “Policies” – “Network Policies”
  • Right-click on “Network Policies”
  • Click on “New”
  • Give the policy a name and choose “Remote Access Server (VPN-Dial up)” as “Type of network access server”
  • Click on “Next”
  • Click on “Add”
  • Click on “User Groups”
  • Add the Active Directory user group which you want to grant access to your VPN. This requires that you have already defined a group for this.

There are several other things you can define here. It is a good idea to click through them to get a better idea of what is available.

  • Groups: Windows Groups, Machine Groups and User Groups
  • Host Credential Authorization Protocol (HCAP) Groups – HCAP is used for communication between NPS and third-party network access servers.
  • Day and time restrictions
  • Network Access Protection (NAP) – Here you can define several conditions regarding NAP, e.g. whether the computer has passed the health check.
  • Connection Properties – Here you can define things like IP address, service type and tunnel type.
  • RADIUS Client Properties – Here you can define things concerning RADIUS clients.
  • Gateway – Here you can define things concerning your network access server.

To continue with the configuration for this tutorial, do the following:

  • Click “Next”
  • Choose “Access granted”
  • Click “Next”
  • You can leave the default configuration here for the moment.
  • Click “Next”
  • It is a good idea to define an idle timeout for your users, so that connections don’t stay open when they are not in use.
  • Click “Next”
  • You can leave the default configuration here for the moment.
  • Click “Finish”
  • Your NPS policy is created.
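Once the policy exists, the useful check is whether NPS actually grants the members of your group and denies everyone else. The following added example (not from the original article) installs the NPS role service from PowerShell, enables the NPS audit subcategory, and reads the resulting Security events: 6272 is “access granted”, 6273 is “access denied” with a reason code. It assumes an elevated PowerShell on the NPS/VPN server; the network policy name is whatever you entered above.

```powershell
# Added example (not from the original article): install NPS, enable auditing of
# its decisions and review the VPN logon decisions from the Security log.
# Assumption: elevated PowerShell on the server that runs NPS and RRAS.

Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools

# NPS writes one Security event per decision once this subcategory is audited:
#   6272 = Network Policy Server granted access to a user
#   6273 = Network Policy Server denied access to a user (with a reason code)
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# List the network policies NPS holds, to verify the one created in the wizard
netsh nps show np

# Keep a copy of the configuration before further changes
Export-NpsConfiguration -Path "$env:TEMP\nps-lab-config.xml"

# Pull one "Label: value" line out of an NPS event message
function Get-NpsField([string]$Message, [string]$Field) {
    $m = [regex]::Match($Message, "(?m)^\s*$([regex]::Escape($Field)):\s*(.*?)\s*$")
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

# Summarise the access decisions of the last N hours
function Get-NpsVpnDecision {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6272, 6273
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Decision   = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
            # The first "Account Name" in the message is the user section
            User       = Get-NpsField $_.Message 'Account Name'
            Policy     = Get-NpsField $_.Message 'Network Policy Name'
            ReasonCode = Get-NpsField $_.Message 'Reason Code'
        }
    }
}

# A denied entry for a user who is in the group points at the policy
# conditions (group, day/time, tunnel type); a granted entry for a user who
# is not in the group means the policy is broader than intended.
Get-NpsVpnDecision -Hours 24 | Format-Table Time, Decision, User, Policy, ReasonCode -AutoSize
```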

Setting up a VPN connection on the Client

  • Open “Network and Sharing Center”
  • Choose “Set up a new connection or network”
  • Select “Connect to a workplace”
  • Click “Next”
  • Choose “Use my Internet connection (VPN)”
  • Enter under “Internet address” the address under which your VPN server is accessible. Normally you would place it behind a firewall and define a NAT rule to an external address.
  • Enter under “Destination name” a name for the VPN connection. This is very useful if you connect to more than one VPN server.
  • Click on “Create”.

At this point we are still at a very basic stage. We have only configured VPN for PPTP so far, which is old-fashioned, insecure and should only be used in a lab environment. You need to “tell” your client that it has to use this protocol.

  • Go to “Network and Internet”.
  • Go to “Network Connections”. You find it under “Change adapter settings”.
  • Right-click on your VPN connection.
  • Click “Properties”.
  • Go to the “Security” tab.
  • Enable the “Microsoft CHAP” protocol.
  • To connect to your VPN site, go to the network settings and click on “Connect”.

Add a Certification Authority and a template for issuing certificates under Windows Server 2012 R2

Adding a certification authority is the first step towards making the connection more secure.

  • Add the role “Active Directory Certificate Services”
  • Add the Role Services “Certification Authority” and “Certification Authority Web Enrollment”
  • Go to “AD CS”
  • Click on “More…” at the yellow bar “Configuration required for Active Directory Certificate Services”
  • Click on the link “Configure Active Directory Certificates”
  • Click on “Next”.
  • Select “Certification Authority” and “Certification Authority Web Enrollment” under “Select Role Services to configure”.
  • Click on “Next”.
  • Make sure “Enterprise CA” is selected.
  • Click on “Next”.
  • Make sure “Root CA” is selected.
  • Click on “Next”.
  • We need a new private key, so select the corresponding option.
  • Click on “Next”.
  • Leave the settings in the next dialog at their defaults.
  • Click on “Next”.
  • The predefined values for “CA Name” should normally work fine.
  • Click on “Next”.
  • In the next window you can change the validity period of the certificates. The default of 5 years may be a bit long.
  • Click on “Next”.
  • The predefined values for the database locations should normally work fine. If you want to, you can change them.
  • Click on “Next”.
  • Read through the “Confirmation” page and, if everything is OK, click on “Configure”.
  • You should get a result like this one.
  • Go to Server Manager
  • Tools
  • Certification Authority
  • Expand your CA
  • Click “Certificate Templates”
  • Right-click in the right-hand pane and click “Manage”
  • Search for “IPSec”
  • Right-click on it
  • Select “Duplicate Template”
  • Go to the “General” tab
  • Change the name, e.g. to “SSTP”
  • Click on “Apply”
  • Go to the “Request Handling” tab
  • Click “Allow private key to be exported”
  • Click on “Apply”
  • Go to the “Subject Name” tab
  • Click “Supply in the request”
  • Click on “OK” in the warning “Current settings for this…”
  • Click on “Apply”
  • Go to the “Extensions” tab
  • Click on “Edit”
  • Click on “Add”
  • Search for “Server Authentication”
  • Click on “OK” three times to close the dialogs.
  • In the Certification Authority go to
  • Certificate Templates
  • New
  • Certificate Template to Issue
  • Select the created template
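The CA part of this section can also be done with the ADCSDeployment module, shown here as an added example that is not from the original article. It assumes an elevated PowerShell run by an Enterprise Admin on a domain-joined Windows Server 2012 R2; “LAB-ROOT-CA” is a placeholder CA name. It deliberately chooses a 2048-bit RSA key and SHA-256 where the wizard defaults would otherwise apply, and keeps the 5-year validity the article mentions. Duplicating the IPSec template into “SSTP” remains a GUI step, so the block ends by listing which templates the CA publishes.

```powershell
# Added example (not from the original article): install and configure the
# Enterprise Root CA that the article sets up through the AD CS wizard.
# Assumptions: elevated PowerShell as Enterprise Admin on a domain-joined
# Windows Server 2012 R2; "LAB-ROOT-CA" is a placeholder CA name.

Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

Import-Module ADCSDeployment

# Wizard equivalents: "Enterprise CA", "Root CA", "Create a new private key",
# then key size, hash algorithm and the validity period (5 years is the
# default the article mentions; shorten it if you prefer).
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'LAB-ROOT-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# The /certsrv pages used later to download the CA certificate chain
Install-AdcsWebEnrollment -Force

# Sanity checks: the CA service is running and the CA certificate sits in the
# machine's trusted root store (AD publishes it to domain members as well)
Get-Service CertSvc | Select-Object Name, Status
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=LAB-ROOT-CA*' } |
    Select-Object Subject, NotAfter, Thumbprint

# After the "SSTP" template has been duplicated and published in the GUI,
# it must appear in the CA's list of templates it is willing to issue
certutil -CATemplates
```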

Issuing a certificate for SSTP VPN

  • Open an MMC (by just typing “mmc” at the Start screen, or press Windows key + R)
  • Go to “File”
  • “Add/Remove Snap-in”
  • Search for “Certificates”
  • Click on “Add”
  • Leave the option “Computer account”
  • Click on “Finish”
  • Click on “OK”
  • Expand “Personal”
  • Right-click on “Certificates”
  • Click on “All Tasks” – “Request New Certificate”
  • Click on “Next”
  • Click on “Next”
  • Click on “More information is required to enroll for this certificate” under the name of the template you created.
  • Change “Type” to “Common Name” and enter under “Value” the name under which your server is accessible from outside.
  • Click on “Add”
  • Click on “OK”
  • Activate the check box at your certificate
  • Click on “Enroll”
  • In the Server Manager go to “Tools”
  • Routing and Remote Access
  • Right-click on the server name
  • Select “Properties”
  • Go to the “Security” tab
  • Select your certificate under “SSL Certificate Binding”
  • Click “OK”
  • A message appears that the router needs to be restarted.
  • Click “Yes”
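The enrollment and the check that the certificate is really usable for SSTP, as an added example that is not from the original article. It assumes an elevated PowerShell on the VPN server, the template name “SSTP” from the previous section, and “vpn.example.com” as a placeholder for the external host name. The Get-Certificate call is the PowerShell equivalent of “Request New Certificate” with the common name supplied in the request; Test-SstpCertificate is a helper written for this example and checks the points that most often break SSTP (no private key, missing Server Authentication EKU, name or chain mismatch).

```powershell
# Added example (not from the original article): request the SSTP server
# certificate from the "SSTP" template and verify it before binding it in RRAS.
# Assumptions: elevated PowerShell on the VPN server; "vpn.example.com" is a
# placeholder for the server's external host name; template name "SSTP".

Import-Module PKI
$Fqdn = 'vpn.example.com'

# Equivalent of "Request New Certificate" with Common Name supplied in the request
$Result = Get-Certificate -Template 'SSTP' `
    -SubjectName "CN=$Fqdn" -DnsName $Fqdn `
    -CertStoreLocation Cert:\LocalMachine\My
$Cert = $Result.Certificate
$Cert | Select-Object Subject, NotBefore, NotAfter, Thumbprint

# Helper written for this example: the checks that usually explain a failing SSTP binding
function Test-SstpCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$HostName
    )
    $problems = @()
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key in the machine store' }
    if ($Certificate.NotAfter -lt (Get-Date)) { $problems += 'certificate has expired' }

    # Enhanced Key Usage extension (OID 2.5.29.37) must contain Server Authentication,
    # which is what the "Extensions" tab of the template adds
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or $eku.Format($false) -notmatch 'Server Authentication') {
        $problems += 'missing Server Authentication EKU'
    }

    # Chain building plus host-name match against the SSL policy
    if (-not (Test-Certificate -Cert $Certificate -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue)) {
        $problems += "chain or name check failed for $HostName"
    }
    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

Test-SstpCertificate -Certificate $Cert -HostName $Fqdn

# After "SSL Certificate Binding" and the RRAS restart, SSTP registers the
# certificate with HTTP.sys on TCP 443; the hash listed for 0.0.0.0:443 must
# match $Cert.Thumbprint
netsh http show sslcert
```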

Setting up a VPN connection on the Client via SSTP

For testing purposes you have to import the SSL certificate and the certificate chain on every client into the computer store. You can download them from http://myvpnserver/certsrv. Change “myvpnserver” to the name of your VPN server. Enrolling the certificate via Active Directory would go beyond the scope of this tutorial.

You have to set NoCertRevocationCheck to 1 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sstpsvc\Parameters. This is because your private certificate revocation list is not accessible from outside without further configuration. This key should only be set in lab environments.

Now you should be able to connect to your VPN Server with SSTP.
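The client side of the last two paragraphs in PowerShell, as an added example that is not from the original article: it imports the downloaded CA certificate, creates the SSTP connection, sets the lab-only registry value, and ends with a small audit function that reports whether that value is still present so it can be removed before a client is used outside the lab. It assumes an elevated PowerShell on a Windows 8.1 client, “vpn.example.com” as the placeholder host name, and that the CA chain was saved as LabCA.cer from the /certsrv page. The earlier PPTP/MS-CHAP lab connection is the same Add-VpnConnection call with -TunnelType Pptp.

```powershell
# Added example (not from the original article): SSTP client setup from
# PowerShell plus an audit helper for the lab-only revocation shortcut.
# Assumptions: elevated PowerShell on a Windows 8.1 client; "vpn.example.com"
# is a placeholder host name; LabCA.cer was downloaded from http://vpn.example.com/certsrv.

$Server = 'vpn.example.com'

# 1. Trust the lab CA in the machine store (the manual import step of the article)
Import-Certificate -FilePath "$env:USERPROFILE\Downloads\LabCA.cer" `
    -CertStoreLocation Cert:\LocalMachine\Root | Select-Object Subject, Thumbprint

# 2. The SSTP connection (MS-CHAP v2 inside the TLS tunnel, encryption required)
Add-VpnConnection -Name 'Lab VPN (SSTP)' -ServerAddress $Server `
    -TunnelType Sstp -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -RememberCredential -Force

# 3. Lab-only: skip the CRL check because the private CA's CRL is not reachable
#    from outside. A production client must be able to fetch the CRL instead.
$SstpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
New-ItemProperty -Path $SstpKey -Name NoCertRevocationCheck -PropertyType DWord -Value 1 -Force | Out-Null

# 4. Audit helper written for this example: is the shortcut still in place?
function Test-SstpRevocationCheckDisabled {
    $value = (Get-ItemProperty -Path $SstpKey -Name NoCertRevocationCheck -ErrorAction SilentlyContinue).NoCertRevocationCheck
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        CrlCheckOff = ($value -eq 1)
        Remediation = if ($value -eq 1) {
            "Remove-ItemProperty -Path '$SstpKey' -Name NoCertRevocationCheck"
        } else { 'none needed' }
    }
}
Test-SstpRevocationCheckDisabled

# 5. Connect (rasdial prompts for the password because of the trailing *) and show the status
$UserName = Read-Host 'VPN user name'
rasdial 'Lab VPN (SSTP)' $UserName *
Get-VpnConnection -Name 'Lab VPN (SSTP)' |
    Select-Object Name, ServerAddress, TunnelType, ConnectionStatus
```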

Did you like the article? Then I'm happy if you like and share it.
Thank you!
