Configuration: VPN Clients with X.509 Certs plus Static IP Assignment
Tested for this documentation with the following versions on Windows 8:
NextGen Firewall
VPN Client
Configuration on the NextGen Firewall
Authentication Service > MSAD Authentication > Basic
A minimal MSAD configuration is sufficient.
VPN Settings > Client Networks
VPN Settings > Root Certificates
Must be imported and configured for client usage, optionally with CRLs.
VPN Settings > Server Certificates
Must be imported as well.
Client to Site > External CA > Click here for options (the blue text)
If the CN is to be used, make sure it contains only a single value, such as “User16” or “10034”.
Client to Site > External CA > Preauthentication Scheme > Details
The same attribute is used here as well.
Client to Site > External CA > Group Policy
Nothing special to configure here.
Client to Site > External CA > Group Policy Condition
Nothing special to configure here.
Active Directory Configuration > User16 Properties > General
Nothing special to configure here.
Active Directory Configuration > User16 Properties > Account
Nothing special to configure here.
Active Directory Configuration > User16 Properties > Dial-In
An IP address is configured here, and it is assigned to the client's virtual adapter.
VPN Client Test
Active Directory Configuration > User16 Properties > Dial-In
A different IP address is configured; after a disconnect and reconnect it is assigned to the client's virtual adapter.
VPN Client Test
VPN Client Configuration on Windows
Certificate on the Desktop
VPN Client Profile
VPN Client Profile Properties
General Rollout Procedure
On one system a profile is created; the certificate file name must be the same on every machine. This profile is exported as a registry key and imported on all machines. The certificates are created and likewise distributed into the file system of all systems. Furthermore, a new shell script must be created and distributed as well, which calls rvpn.exe with the new parameters for certificate usage.
Certificate Rollout
The certificates must be deployed on all systems into a folder (the same folder on every unit) where the VPN Client has permission to access the file.
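An added pre-flight check for the rollout described above (PowerShell, not part of the vendor documentation) that verifies on a target machine that the certificate sits at the agreed path, parses as a valid X.509 certificate, carries exactly one CN in its subject, and is readable by the VPN client's account. The path C:\VPN\User16.pfx and the account NT AUTHORITY\SYSTEM are placeholder assumptions.

```powershell
# Pre-flight check for the certificate rollout (added example, not vendor code).
# Assumptions (placeholders): certificate rolled out as C:\VPN\User16.pfx on every
# machine, VPN client running as NT AUTHORITY\SYSTEM.
param(
    [string]$CertPath      = 'C:\VPN\User16.pfx',
    [string]$ClientAccount = 'NT AUTHORITY\SYSTEM',
    [string]$PfxPassword   = ''   # empty if the .pfx carries no password
)

$ok = $true

# 1. Same path and file name on every unit
if (-not (Test-Path -LiteralPath $CertPath)) {
    Write-Warning "Certificate file not found: $CertPath"
    exit 1
}

# 2. The file parses as an X.509 certificate and is inside its validity period
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $CertPath, $PfxPassword
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    Write-Warning "Certificate not valid now ($($cert.NotBefore) - $($cert.NotAfter))"
    $ok = $false
}

# 3. Exactly one CN in the subject (the firewall maps it to the AD user)
$cnValues = @($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' })
if ($cnValues.Count -ne 1) {
    Write-Warning "Expected one CN, found $($cnValues.Count): $($cert.Subject)"
    $ok = $false
}

# 4. The VPN client's account holds an explicit Allow entry with a read bit set
$readMask = [int][System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl -LiteralPath $CertPath
$canRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ClientAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $readMask) -ne 0)
}
if (-not $canRead) {
    Write-Warning "$ClientAccount has no explicit Allow/Read entry on $CertPath"
    $ok = $false
}

if ($ok) { Write-Output "Pre-flight OK: $CertPath (CN=$($cnValues[0]))" } else { exit 1 }
```

Only explicit ACEs for the named account are checked; if the client's account receives read access through group membership, step 4 reports a warning even though access works.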