
Deploying VPN Services

Instructor: Trn Ng Nh Khnh

Students: Nguyn Vit Sn, Nguyn Vn Vinh

0612251 0610185

Lab 3 : Certification Authority


1. Part 1: Installing a Stand-alone CA

Instructions:

Note: Install a Stand-alone CA when the CA issues certificates to clients that belong to a Workgroup.

Installing the CA service:

Step 1: Log on to machine A with the Administrator account.

Step 2: Start -> Run -> Control Panel -> Add or Remove Programs.

Step 3: In the Add or Remove Programs window -> click Add/Remove Windows Components -> check both Application Server and Certificate Services -> Next.

Step 5: Select Stand-alone root CA -> Next.

Step 6: In the Common name for this CA box, enter the certificate name -> Next.

Step 8: Click Finish.

The Certification service is now installed.

From machine B, request a certificate from the CA:

Step 1: Open IE -> enter http://10.10.150.1/certsrv (10.10.150.1 is the IP of machine A) -> click Request a certificate.

Step 2: Click advanced certificate request -> Create and submit a request to this CA.

Step 3: Enter the registration name -> Submit.

The certificate request for machine B is now done. Go to machine A and check whether machine B's certificate is there. On machine A: Start -> Administrative Tools -> Certification Authority -> Issued Certificates.

We can see that the certificate for machine B is there.

2. Part 2: Configuring the Web Server to Use SSL

2.1 Deployment model:

Instructions: Perform these steps on machine A:

Step 1: Start -> Administrative Tools -> Internet Information Services (IIS) Manager.

Step 2: In the Internet Information Services (IIS) Manager window -> select Web Sites -> Default Web Site -> right-click -> Properties.

Step 3: In the Default Web Site Properties window -> select the Directory Security tab -> click Server Certificate -> click Next -> Create a new certificate -> click Next -> click Next.

Step 4: In the IIS Certificate Wizard dialog -> enter a name for the certificate -> click Next.

Step 5: Under Country/Region, select VN (Viet Nam) and fill in the remaining information.

Step 6: Click Browse -> choose where to save the request file -> click Next -> Next -> Finish.

Step 7: Open IE -> http://localhost/certsrv -> click Request a certificate -> click advanced certificate request -> click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit ..

Step 8: Open the file created earlier, copy its contents, then paste them into Saved Request -> click Submit.

Step 9: Open IE: http://localhost/certsrv -> click View the status of a pending certificate request -> click Saved-Request Certificate (Sunday April 18 2010 10:35:59 AM) -> click Download certificate.

Step 10: Start -> Administrative Tools -> Internet Information Services (IIS) Manager.

Step 12: In the Internet Information Services (IIS) Manager window -> select Web Sites -> Default Web Site -> right-click -> Properties.

Step 13: In the Default Web Site Properties window -> select the Directory Security tab -> click Server Certificate -> click Next -> click Next -> click Next -> click Browse -> locate the file downloaded above -> click Next -> Finish.

Step 14: Click Edit.. ->

Step 15: In Default Web Site Properties -> check Require secure channel (SSL) and Require 128-bit encryption -> OK.

Machine A is now configured for Web access over SSL. Now go to machine B, open IE, and browse to the Web site to see the result.

Enter http://10.10.150.1 (10.10.150.1 is the IP of machine A); the result is as shown in the figure below.

Now enter https://10.10.150.1; the result is as shown in the figure below:
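
A check to run from machine B once Step 15 is done, added here as an example and not part of the original lab: it opens a TLS connection to machine A and reports the server certificate, the validation result and the negotiated cipher strength. It assumes PowerShell 3.0 or later on machine B and the default SSL port 443; Test-LabTls is a name chosen for this example.

```powershell
# Added example, not from the original lab. Test-LabTls is a hypothetical helper name.
# Assumptions: PowerShell 3.0+ on machine B, IIS listening on the default SSL port 443.
function Test-LabTls {
    param(
        [string]$HostName = '10.10.150.1',  # machine A, as used in the lab
        [int]$Port = 443
    )

    $script:labPolicyErrors = $null
    # Record what certificate validation reported, then let the handshake finish
    # so the details can be inspected. This callback is for diagnosis only.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($source, $certificate, $chain, $sslPolicyErrors)
        $script:labPolicyErrors = $sslPolicyErrors
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            Protocol       = $ssl.SslProtocol
            CipherStrength = $ssl.CipherStrength
            Meets128Bit    = ($ssl.CipherStrength -ge 128)
            PolicyErrors   = $script:labPolicyErrors
            Trusted        = ($script:labPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        $tcp.Close()
    }
}

Test-LabTls | Format-List
```

A PolicyErrors value containing RemoteCertificateChainErrors means machine B does not trust the lab CA's root certificate; RemoteCertificateNameMismatch means the name in the certificate does not match the address used to connect.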

4. Part 3: IPSec Authentication Using a CA

4.1 Deployment model:

Instructions:

Note: The machine that issues certificates automatically must be set up as a Domain Controller.

Deploying automatic certificate issuance from the CA: The installation steps are the same as in Part 1, but we select Enterprise root CA.

Step 2: Start -> Run -> mmc -> Add/Remove Snap-in.

Step 3: In the Add Standalone Snap-in window -> add the three snap-ins Certificate Templates, Certificates, and Certification Authority -> OK.

Step 4: Click Certificate Templates -> Duplicate Template for the two certificate templates Computer and IPSec.

Step 5: Select Certification Authority -> Certificate Templates -> right-click -> New Certificate Template to Issue -> select IPSec and Computer -> OK.

Step 6: Start -> Administrative Tools -> Domain Security Policy.

Now we issue certificates automatically to Server 1 and WS01. Join Server 1 and WS01 to the Domain Controller, then restart Server 1 and WS01. We can see that Server 1 and WS01 have been issued certificates by the CA, as shown in the figure below.
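
To confirm the same result from the command line, the check below lists the certificates in the local computer store on Server 1 or WS01 with their issuer, enhanced key usages and chain status. It is an added example, not part of the original lab; it assumes PowerShell 3.0 or later, and Get-LabMachineCertificate is a name chosen here.

```powershell
# Added example, not from the original lab. Get-LabMachineCertificate is a hypothetical name.
# Run in an elevated PowerShell 3.0+ session on Server 1 or WS01 after the restart.
function Get-LabMachineCertificate {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # Collect the enhanced key usages, by friendly name where Windows knows one.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value } })

        [pscustomobject]@{
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer          # should name the Enterprise root CA
            NotAfter         = $cert.NotAfter
            HasPrivateKey    = $cert.HasPrivateKey   # needed for IPSec authentication
            # Verify() builds the chain with the default policy, which includes
            # an online revocation check against the CA's published CRL.
            ChainValid       = $cert.Verify()
            EnhancedKeyUsage = ($ekus -join ', ')
        }
    }
}

Get-LabMachineCertificate | Format-List
```

An empty result means autoenrollment has not run yet on that machine; a certificate with ChainValid set to False is present but would not be accepted by a peer that validates the chain.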

Lab 4: Remote Access VPN with RADIUS and DHCP Relay

Instructions:

Configuring the RADIUS Server:

Step 1: Log on to machine A with the Administrator account.

Step 2: Start -> Run -> Control Panel -> Add or Remove Programs.

Step 3: In the Add or Remove Programs window -> click Add/Remove Windows Components -> click Networking Services -> Details -> select Internet Authentication Service -> OK -> click Next -> Finish.

Step 4: Right-click My Computer -> Manage -> Local Users and Groups -> Users. Create a user (name: user1) and a group (name: VPNs), then add user1 to VPNs. user1 is the account a VPN client uses to log in when it connects.

Step 5: Start -> Administrative Tools -> Internet Authentication Service.

Installing the Web and FTP Server services:

Step 1: Create a simple web site saved in a folder named Web_Server, and create a folder named FTP_Server.

Step 2: Start -> Run -> Control Panel -> Add or Remove Programs.

Step 3: Start -> Administrative Tools -> Internet Information Services (IIS) Manager.

Step 4:

Step 5: Configure FTP the same way as Web.

The result is as shown in the figure below:

Configuring the VPN Server:

Step 1: Log on to the VPN Server machine with the Administrator account.

Step 2: Start -> Administrative Tools -> Routing and Remote Access.

Step 6: Configure RADIUS:

Creating the VPN Client connection: On the VPN Client machine, do the following:

2. Part 2: Remote Access VPN Combined with DHCP Relay

Instructions: In this exercise we configure everything as in Part 1 of Lab 4, and only add one machine running the DHCP Server service.

The configuration steps for the Web Server, RADIUS Server and VPN Client machines are the same as in Part 1. Only the VPN Server configuration is slightly different.

Configuring the DHCP Server:

Step 1: Log on to the DHCP Server machine with Administrator rights.

Step 2: Start -> Control Panel -> Add or Remove Programs.

Step 3: In the Add or Remove Programs window -> select Add/Remove Windows Components.

Step 4: In the Windows Components Wizard window -> select Networking Services -> Details -> Dynamic Host Configuration Protocol (DHCP) -> OK -> Next -> Finish.

Step 5: Create an IP range from which addresses are assigned automatically to the VPN Client. Start -> Administrative Tools -> Dynamic Host Configuration Protocol (DHCP).

Configuring the VPN Server:

Step 1: Log on to the VPN Server machine with Administrator rights.

Step 2: Start -> Administrative Tools -> Routing and Remote Access.

Step 6: Configure RADIUS:

Now, when the VPN Client connects, we see the result shown in the figure below.

Lab 5: Deploying Remote Access VPN Using L2TP/IPSec

Instructions: Lab 5 is carried out almost the same way as Part 3 of Lab 3, so I do not illustrate it here. If you want a reference, you can download the videos I made for Lab 1 through Lab 7 from these two links: http://www.mediafire.com/download.php?5w3nzjnjf1z and http://www.mediafire.com/?4lxnlm3rzmo .

Lab 6: Deploying Site-to-site VPN

Instructions:

Configuring the Internet router: We use one machine running Windows Server 2003 as the Internet router, with two network adapters: the DaLat adapter has IP 172.30.1.1/24; the SaiGon adapter has IP 172.31.1.1/24.

Step 1: Log on to the Internet router machine with the Administrator account.

Step 2: Start -> Administrative Tools -> Routing and Remote Access.

Note: On Router_DaLat, create an account named saigon with password 123. On Router_SaiGon, create an account named dalat with password 123. Both users are set to Allow access in the Dial-in section.

Configuring Router_DaLat:

Step 1: Log on to the Router_DaLat machine with Administrator rights.

Step 2: Start -> Administrative Tools -> Routing and Remote Access.

Step 3:

Step 4:

Configure Router_SaiGon the same way as Router_DaLat, but in some steps enter the IP range of the DaLat branch and the user created on Router_DaLat.

Now we connect from the Da Lat branch to the SaiGon branch.

Instructions:

Note: I already configured the Web Server in the previous lab, so I do not configure it again.

Configuring the ISA Server: Join the ISA Server to the Domain Controller, then log on to the ISA Server with the Domain Controller's Administrator rights, and only then install ISA 2006.

Step 1: Run the file Setup.exe.

ISA 2006 installation is complete.

Step 2: Reset the IP range as follows: open the ISA program -> click the server name -> Configuration -> Network -> right-click Internal -> Properties -> Address -> click the IP range -> select Edit -> re-enter the IP range as specified, 192.168.2.0 -> 192.168.2.255 -> OK.

Allowing the internal network to access the Internet:

Step 1: Right-click Firewall Policy -> select New -> Access Rule.

Configuration is complete; the machines inside the network can now access the Internet.

Allowing the VPN Client to connect to the internal network:

Step 1: Configure the Domain Controller machine: Windows Server 2003 SP2
+ Create the OU Remote Access. In the OU Remote Access, create the group VPN_Users.
+ We create the users that use VPN inside this OU to make management easier.
+ Add the users to the group VPN_Users.
+ Give the users Allow access in the Dial-in section.

Step 2: Configure VPN Client to Gateway on the ISA Server.
+ Right-click Virtual Private Network -> select Properties.

Step 3: In the Virtual Private Network dialog -> select the Address Assignment tab -> select Static address pool -> click Add -> enter the IP range to assign to clients. Starting address: 10.10.1.1; Ending address: 10.10.1.254 -> click OK -> Apply.

Step 4: In the ISA Server Management window, in the Tasks pane -> click Enable VPN Client Access -> click Apply -> OK.

Step 5: Click Configure VPN Client Access to specify the group that is allowed to connect over VPN.

- In the VPN Client Properties dialog -> select the Group tab -> add the group VPN_Users.

Step 6: Create an access rule that allows VPN connections to the ISA Server.

VPN to Gateway is now configured on the ISA Server machine. Now go to the VPN Client machine and create the connection; we get the result shown in the figure below.

Now we configure Publishing Server so that outside users (the VPN Client) can use the services (Web server, FTP, ..) provided in the internal network.

Note: On the Web Server machine I already configured the web server and the DNS service with a Forward Lookup Zone for the domain name www.vietson.com.vn in the previous lab, so now I just reuse it and do not configure it again ^_^.

Step 1: Configure Listening Web on the WAN port of the ISA Server.
- Open the ISA Management program.
- Under Network Objects -> right-click Web Listening -> select New Listener.

Step 2:

Step 3: Next, configure Publishing for the website www.vietson.com.vn.

Step 5: Configure the VPN Client machine.
- Open My Computer -> go to the folder C:\WINDOWS\system32\drivers\etc -> open the Hosts file with Notepad and add the following line.

Close and save the Hosts file. Now open Internet Explorer and enter http://www.vietson.com.vn; we successfully reach the Web Server in the internal network.

That completes the configuration of the VPN service combined with ISA 2006.