Now that the Network Policy Server role is in place, we move on to configuring some general settings in our NPS environment. So let's get our Network Policy Server console open: Tools, Network Policy Server. It takes a moment, and then we have our management console up and running. We're going to configure a few general settings here for our environment.
The first setting we're going to work with is the Standard Configuration drop-down list. Look at the drop-down list here: we actually have a choice of Network Access Protection (NAP), RADIUS server for Dial-Up or VPN Connections, and RADIUS server for 802.1X Wireless or Wired Connections. So we have three that we could choose from. What we're actually going to do for our environment, since we're configuring it for VPN, is choose RADIUS server for Dial-Up or VPN Connections. Go ahead and click on that.
So we have that setting. Next we go to the next step, which is Configure VPN or Dial-Up, the wizard link that pops up when we change to that Standard Configuration option. We click on that, and we start our wizard for Dial-Up or Virtual Private Network Connections.
What type of connections? We could do Dial-up Connections, where a user dials in from someplace in the world, or Virtual Private Network Connections. For our purposes in this lesson we're going to do a VPN connection, so we select the VPN box. The default name it puts in is "Virtual private network (VPN) connections". We could put a different name in there if we wanted to; it could be anything you want. But "Virtual private network (VPN) connections" is sufficient in a lot of cases, so we go ahead and click Next.
Now we have the RADIUS Clients part of the screen. Obviously there's nothing in the RADIUS clients list yet. Since we're trying to do a VPN server connection with authentication, we need to actually put in a RADIUS client. RADIUS is Remote Access Dial-In User Service; that's the way the acronym translates out. So remember, even though it's called a dial-in user service, RADIUS also covers VPN environments. It's not just dial-in; it's essentially any remote connection, across broadband as well. So we're going to have to click on Add here.
That brings up our next screen. Obviously we have to put in some data here, starting with our friendly name. What are we going to call this? Okay, well, let's just say we're going to be bringing it in through a router somewhere, so let's put in LN. That gives us the first half of the puzzle, and now we can go on. So basically the friendly name is LN-RTR.

Then here for the address (IP or DNS), we click Verify. For the friendly name, it's going to say "give me an address to resolve". I could actually put in the information for that, or I could go back to my DNS name here, put in LN-RTR, and click Verify. That resolves the IP address associated with that name. Then click OK.
And now we actually have to choose the shared secret. We have to decide what we're going to do: it's going to be a shared secret from a template, or none. So, use an existing shared secrets template? We don't have one yet, so we can't use one. We can generate one, or we can put in a manual shared secret. Now, if you do generate, you will get a secret more complex than you might want, and notice how you get a flashing little yellow triangle here: not all RADIUS clients support long secrets, so you might need to edit the generated secret. So we have to choose what we'll do in that particular case. We could actually go with this, but what we really want to do is make it simple for the purposes of our demonstration, so we're just going to do Manual here. We then need to get rid of that long secret that we had in there and put in a simplistic secret, which is obviously not best practice in a production environment, but we're just going to do it for the demonstration. Type a password for your shared secret, whatever it's going to be, and obviously if you're going to do this for real you'd want a more complex password. Once you have those two pieces of information, you click OK.
That gives us a RADIUS client. So basically we've said that we have a VPN environment: our Network Policy Server is on one particular server box, and we have another server that's running Routing and Remote Access Services, which is also part of the Network Policy and Access Services role, so that router needs to be a client of the Network Policy Server. That's why we added it in there. So we have it added in here, and we go ahead and click on Next,
and we now have Authentication Methods. We need to choose an authentication method. Notice the default here is Microsoft Encrypted Authentication version 2 (MS-CHAP v2). We could go back to MS-CHAP if we need backwards compatibility. And you also have the option to use Extensible Authentication Protocol (EAP), which covers things such as Microsoft: Smart Card or other certificate, Microsoft: Protected EAP (PEAP), or Microsoft: Secured password (EAP-MSCHAP v2). You could use any of those if you wanted to. Obviously you can configure it if you want; let's take a look at that real quick: click Configure, and now you actually have to give the information for it, so cancel out of that. We're not going to use Extensible Authentication Protocol in this particular environment; we're just going to stick with MS-CHAP v2. Once we've done that, we click on Next.
Then we need to specify some type of user groups. This is actually important: normally, if we're going to do this, we would want to put in some user groups. But we don't actually have to for the purpose of what we're doing, because we're just reading it from the Active Directory remote access user groups. So go ahead and click on Next.
Next: add IP filters? Do we worry about IP filters? We might; it depends. For example, if we have an environment where we have a very specific set of IP addresses that we're going to work with, we could put in a filter. For example, for the IPv4 input filter we could say "Do not permit packets listed below", click Add, and then put in information for the destination network if we wanted to. So we could block entire ranges of IP addresses. We could also select from an existing IP filter template. We don't have one, so we can't do it yet, but in the future, when you set one up, you could. You could do the same for IPv6. Then we go ahead and click on Next.
Next: what about encryption? Obviously we want to make sure we encrypt data; it's a VPN, and a virtual private network requires encryption. We have to decide what level we're going to allow. Are we going to force the strongest encryption, 128-bit? Are we going to allow less secure encryption? Basic encryption is still encryption, but obviously 40-bit is nowhere near as strong as 128-bit. You have to decide what works for you. And remember, if you're going across country borders, you may run into a situation where the level of encryption is not permitted to be above a certain amount, in terms of the policies you're dealing with. So we're going to click on Next here,
which says Specify a Realm Name. This is for communicating back to a UNIX environment: UNIX uses the term realm, whereas we use domain\ in Active Directory. So the realm basically goes back to the UNIX variant of directory services. Your ISP supplies a portion of this information in terms of the realm name; you would have to put it in if your ISP requires that the realm name be included. And then we also have "Before authentication, remove the realm name from the user name". So if you go across your ISP and you need some type of realm authentication in the process, you want to make sure that before you try authenticating against Active Directory, you also remove it. We don't have that situation, but if we did, we would put in the realm name. Go ahead and click on Next,
and we get our final screen. It tells us what we've configured, the options we've chosen. Click here on the link for Configuration Details: an XML-based web page gives our information, and we could actually save this off too, because it's in a form that can be saved. So there we go, there's our list of what we've done. Go ahead and close out of that, and we're going to click on Finish here, and very quickly it finishes.
Now what we want to do is take that configuration we were just looking at and make sure we have it saved separately. Let's go ahead and open up our shell here: open up our PowerShell environment. Once that's ready, we get the configuration exported out. In PowerShell it's a pretty simple command: Export-NpsConfiguration. So we're going to export that NPS configuration, but we have to tell it where to export it to, so we have to give it the -Path parameter; we have to tell it where to put it. So in this particular case we're going to say export the configuration to a path, which in this case is going to be on our server. That will export it for us.
The next step is to look at it, and we can actually do that right from here. If we type in the application we want, notepad, and then the file we want to open, the one ending in -DC1.xml, we actually launch Notepad with that XML information in there. So there we go; we actually have everything we just configured.
So we have a whole variety of information here. We have things like Microsoft Routing and Remote Access Service: use Windows authentication for all users. We're going to scroll down here, and we could expand it out and scroll across: all kinds of information in terms of our schema. There's the authentication type we have, and Microsoft Routing and Remote Access Server connections too. If you go down this list you'll find this is actually everything we just configured, in an XML format. So going down here, scrolling way down to the bottom, we get into things like NAS Vendor ID, if we put one in; it's RADIUS Standard that we have, right? Yes. These are things we could custom configure. LN-RTR, from a Routing and Remote Access view, is our environment. We have component information, things like that. It's a very long list; you notice as we're going down here, scrolling out, there's a significant amount of data in here. So there's your Microsoft RADIUS Proxy SDO, Microsoft Policy Evaluator, your Remediation Servers Group SDO, the authentication port information like 10 28 and 31 36, and on down. You could keep going through this list, and you notice what you actually have here: you can use that as a template for other NPS servers if you need to configure other NPS servers.
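As an added example that is not part of the lesson, here is the export step from above done with a locked-down output file, followed by a check of the RADIUS clients now in the configuration. It assumes an elevated PowerShell session on the NPS server, a placeholder path C:\NpsBackup\nps-DC1.xml, the property names of Get-NpsRadiusClient (Name, Address, Enabled, SharedSecret), and a 22-character minimum for shared secrets; none of these come from the lesson.

```powershell
# Added example, not from the lesson: export the NPS configuration, protect the
# file, and review the RADIUS clients it now contains.
# Assumed placeholder path; the lesson's own path is not shown.
$exportPath = 'C:\NpsBackup\nps-DC1.xml'
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null

# Export-NpsConfiguration writes the whole server configuration, including each
# RADIUS client's shared secret in clear text, so treat the file as a secret.
Export-NpsConfiguration -Path $exportPath

# Replace the inherited ACL with one that only Administrators and SYSTEM can read.
$acl = Get-Acl -Path $exportPath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited rules
foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $exportPath -AclObject $acl

# List the RADIUS clients (Get-NpsRadiusClient is in the NPS module; the property
# names used here are assumed) and flag any with a short demo-style secret.
$minSecretLength = 22   # assumed threshold, not from the lesson
Get-NpsRadiusClient | ForEach-Object {
    $secret = [string]$_.SharedSecret
    [pscustomobject]@{
        Name         = $_.Name
        Address      = $_.Address
        Enabled      = $_.Enabled
        SecretLength = $secret.Length
        WeakSecret   = ($secret.Length -lt $minSecretLength)
    }
} | Format-Table -AutoSize

# Confirm the export parses as XML before relying on it as a template.
[xml]$doc = Get-Content -Path $exportPath -Raw
"Export root element: $($doc.DocumentElement.Name)"

# On a second NPS server the same file is loaded as a template with:
#   Import-NpsConfiguration -Path $exportPath
```

Because the export carries the shared secrets in clear text, keep it under the same access controls you would give the NPS server itself, and re-check the ACL after copying it to another server for import.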
Go ahead and close out of that. We don't need our PowerShell anymore, so we can go ahead and close out of PowerShell, and we're back to our NPS management console, where we could go ahead and do additional configuration. But that's what we need to do in terms of getting our basic configuration set up. We now have a functioning Network Policy Server that is set up for