How to Install and Configure OpenVPN Server on Linux CentOS

How to Install and Configure OpenVPN Server on Linux CentOS

In this article we will cover the installation and configuration of the OpenVPN server based on Linux CentOS, and show how to connect two remote computers (or offices) behind NAT into one network using OpenVPN server. We will also use certificates for encrypted connection. If you are a Windows user, check out the guide about configuring VPN in Windows server operating system.

Contents

  • What is OpenVPN
  • How to Install OpenVPN and Easy-RSA
  • How to Configure Easy-RSA and Issue a Certificate
  • How to Create Keys and Certificates for the OpenVPN Server
  • How to Configure OpenVPN Server
  • How to Configure Firewall with OpenVPN
  • How to Connect Computers and Networks using OpenVPN

What is Open VPN

Virtual Private Network (VPN) – a set of technologies that allow you to build a secure network over public networks or the Internet. With a VPN, you can consolidate Internet-divided segments of networks into a single local network.
OpenVPN – one of the implementations of open source VPN technology based on SSL/TLS. With the help of OpenVPN it is possible to connect in a single network both remote offices and separate local PCs, which are behind firewall with Network Address Translation (NAT).

How to Install OpenVPN and Easy-RSA

First thing you need to do is to connect the Extra Packages for Enterprise Linux (EPEL) repository and update the system:

sudo yum install epel-release -y
sudo yum update -y

When the system is updated, you need to use the yum package manager to install OpenVPN and Easy-RSA to implement a Public Key Infrastructure (PKI) infrastructure on the VPN server.

sudo yum install openvpn easy-rsa -y
Easy-RSA Installation

How to Configure Easy-RSA and Issue a Certificate

Copy all the Easy-RSA scripts into /etc/openvpn/:

sudo cp -r /usr/share/easy-rsa /etc/openvpn/

Let’s go to /etc/openvpn/easy-rsa/3/ and create a file named vars there:

cd /etc/openvpn/easy-rsa/3/
sudo nano vars

Let’s fill this file with the following parameters (you can edit the location and company parameters for yourself):

set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "CA"
set_var EASYRSA_REQ_CITY "LA"
set_var EASYRSA_REQ_ORG "MyCompany"
set_var EASYRSA_REQ_EMAIL "admin@domain.com".
set_var EASYRSA_REQ_OU "IT Department"
set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST "sha512"

Press Ctrl+x to exit the file then y to save it and then hit Enter. The file must be executable, so next step is to execute the following:

sudo chmod +x vars


How to Create Keys and Certificates for the OpenVPN Server

Before creating the key, we need to initialize the Public Key Infrastructure (PKI) directory and create the CA key:

cd /etc/openvpn/easy-rsa/3/
sudo ./easyrsa init-pki
Initializing PKI Directory

Now let’s create a CA key:

sudo ./easyrsa build-ca

After running the command, we will need to specify a password to generate the certificates and key. The password will be required in the future to sign the certificates.

Creating CA Key

After that the system will ask to enter Distinguished Name (DN) enter your server and domain name for example server.domain.com and create a server key with nopass option which disables the password for domain.com:

sudo ./easyrsa gen-req server.domain.com nopass
Creating Server Key

During the certificate issuance process, you will be asked to enter Common Name, just press Enter to continue.

Sign the domain.com key using our CA certificate:

sudo ./easyrsa sign-req server server.domain.com
Server Key Signing

First you need to confirm the request by typing “yes”. After that you will need to enter the password that we set when the CA certificate was issued:

To make sure that the certificates were generated without errors, run the command:

sudo openssl verify -CAfile pki/ca.crt pki/issued/server.domain.com.crt 

The output must be “pki/issued/server.domain.com.crt: OK
Now all OpenVPN server certificates are created.

  • The root certificate is located: ‘pki/ca.crt
  • The server private key is located: ‘pki/private/server.domain.com.key
  • The server certificate is located: ‘pki/issued/server.domain.com.crt

To generate a client key, you need to execute the following command and specify the client name (“admin” in our example):

sudo ./easyrsa gen-req admin nopass

As with the server key, you must sign it using a CA certificate:

sudo ./easyrsa sign-req client admin
Signing key via CA certificate

Similar to the server certificate we need to type “yes” and enter CA password. Now the certificate for the user is created.

Additionally, you must generate a Diffy-Hellman key to be used for key exchange:

sudo ./easyrsa gen-dh

Note that it’s been generated for a long time.

After that we need to generate a TLS certificate:

sudo openvpn --genkey --secret ta.key

If we plan to revoke client certificates in the future, we need to generate a CRL key:

sudo ./easyrsa gen-crl
Generating CRL key

To revoke a certificate, you must execute a command:

sudo ./easyrsa revoke admin

Where “admin” is the certificate name.

So all necessary certificates are created, let’s copy them into working directories:

Server certificates:

cp pki/ca.crt /etc/openvpn/server/
cp pki/issued/server.domain.com.crt /etc/openvpn/server/
cp pki/private/server.domain.com.key /etc/openvpn/server/
cp pki/private/dh.pem /etc/openvpn/server/
cp pki/private/ta.key /etc/openvpn/server/
cp pki/crl.pem /etc/openvpn/server/

Client certificates:

cp pki/issued/admin.crt /etc/openvpn/client/
cp pki/private/admin.key /etc/openvpn/client/


PureVPN : UNLOCK THE BEST VPN DEAL

How to Configure OpenVPN Server

Let’s move on to the settings of the OpenVPN configuration file. First let’s create the OpenVPN configuration file named server.conf:

sudo cd /etc/openvpn/ && nano server.conf

Change the contents of the file to the following:

# Specify port, protocol and device
port 1194
proto udp
dev tun
# Specify path to server certificates
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.domain.com.crt
key /etc/openvpn/server/server.domain.com.key
# Paths to CRL and DH keys
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem
# Specify the network IP and mask which the VPN clients will enter
server 10.0.2.0 255.255.255.0
push "redirect-gateway def1"
# Enter the target DNS servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Allow users to connect with the same key
duplicate-cn
# TLS security
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
# Other config
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody
# Log file path
log-append /var/log/openvpn.log
verb 3

Then we save the file. I specified the default UDP port 1194 for the VPN server, but for OpenVPN you can specify any free port on the server.

How to Configure Firewall with OpenVPN

What remains is to configure firewall rules to allow connection and routing between segments.

If you are using Firewalld, you must first activate the kernel module forwarding:

sudo echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sudo sysctl -p

Add the openvpn service to Firewalld, and the tun0 interface to the trusted zone.

sudo firewall-cmd --permanent --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0

Activate ‘MASQUERADE’ for the trusted Firewalld zone:

sudo firewall-cmd --permanent --zone=trusted --add-masquerade

Activate NAT:

sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.0.2.0/24 -o IP server -j MASQUERADE
sudo firewall-cmd -reload

If you are using iptables without Firewalld, you need to execute the following:

sudo iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE
sudo iptables -A INPUT -p tcp -dport 1194 -j ACCEPT
sudo service iptables save

Let’s run OpenVPN service and let it start when Linux boots up:

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Let’s check if port 1194 is available:

sudo lsof -i:1194

Let’s check the IP settings of the network interface:

sudo ip a

3: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100

link/none

inet 10.0.2.1 peer 10.0.2.2/32 scope global tun0

valid_lft forever preferred_lft forever

inet6 fe80::932a:e40b:ac2f:6b2/64 scope link flags 800

valid_lft forever preferred_lft forever

As you can see, the network specified in the configuration has been added to the tun0.

These are the minimum settings you need to make for OpenVPN to work.


How to Connect Computers and Networks using OpenVPN

How to connect to the OpenVPN server from two remote computers that are connected to the Internet via NAT, and organize a private network between them? To connect a Windows computer to the OpenVPN server you will need the official client from that can be downloaded from the official site. The installation is straightforward, so we will focus on the configuration.

After you have installed the client, you need to go to the configuration file, which you need to create along the way:

C:\Program Files\OpenVPN\config

Create a file with the name Client.ovpn and add the following content to it:

client
dev tun
proto udp
remote publicVPNserverIP 1194
resolv-retry infinite
nobind
block-outside-dns
perist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
tls-client
auth SHA512
tls-auth "C:\Program Files\OpenVPN\config.key" 1
remote-cert-eku "TLS Web Server Authentication"
ca "C:\Program Files\OpenVPN\config\ca.crt".
cert "C:\Program Files\OpenVPN\config\admin.crt".
key "C:\Program Files\OpenVPN\config\admin.key".
cipher AES-256-CBC
comp-lzo
verb 3

As you can see we need the client, security and server certificates and keys we created earlier to configure. They need to be downloaded from the OpenVPN server and placed in a C:\Program Files\OpenVPN\config\ directory.

After that we connect through the shortcut Open VPN client in the tray:

I connected and got the next IP for my PC:

IPv4 address . . . . . . . . . . . . . . . . . . . . . . . : 10.0.2.17

Subnet mask . . . . . . . . . . . . . . . : 255.255.255.252

On the second computer behind the NAT, we need to do the same thing by first creating a certificate for the second user. After connection the second computer has IP address in the same network:

IPv4 address . . . . . . . . . . . . . . . . . . . . . . . . . : 10.0.2.8
Subnet mask . . . . . . . . . . . . . . . . . : 255.255.255.252

Once connected, both computers are on the same network and ping each other. Both connected VPN clients can exchange packets and transfer files directly to each other. This way, we were able to combine two PCs located in different parts of the world into one local network.

On your OpenVPN server you can create an unlimited number of keys and certificates for users. If you need a new certificate, run the following commands in /etc/openvpn/easy-rsa/3:

sudo ./easyrsa gen-req client name nopass
sudo ./easyrsa sign-req client name

Remember to periodically revoke client certificates if they are not used to keep your network secure.


Group Policy Diagnostics with GPResult Command

Group Policy Diagnostics with GPResult Command

GPResult.exe – is a console application designed to analyze settings and diagnose group policies that apply to a computer and/or user in an Active Directory domain. Specifically, GPResult provides the resulting set of policies (RSOP), a list of applied domain policies (GPOs), their settings, and detailed information about processing errors. The utility has been part of the Windows operating system since Windows XP. The GPResult utility let you know whether a particular policy applies to a computer, which GPO has changed a particular Windows setting, and why it takes so long for GPP/GPO to apply, even if you’ve run gpupdate /force.

In this article, we will look at how you can use the GPResult command to troubleshoot and debug the application of Group Policy in an Active Directory domain.

Contents

  • Resultant Set of Policies (RSOP)
  • How to Use GPResult Utility
  • How to Get RSOP HTML Report via GPResult
  • How to Get GPResult Data From a Remote Computer
  • How to Get RSOP Data for a Certain User
  • Possible Reasons for GPOs to not Apply


Resultant Set of Policies (RSOP)

Initially, the RSOP.msc graphical console was used to diagnose the application of group policies in Windows, which allowed the resulting policy settings (domain + local) to be applied to the computer and the user in a graphical interface similar to the GPO editor console.

Resultant Set of Policies (RSOP)

However, the RSOP.msc console does not make sense in modern versions of Windows, as it does not reflect the settings applied by various client side extensions (CSEs), such as GPP (Group Policy Preferences). Also, it does not allow searching, and provides little diagnostic information. Therefore, the GPResult command that is the primary tool for troubleshooting GPOs in Windows. Moreover, in Windows 10, there is even a warning that RSOP does not provide a full report as opposed to GPResult.

How to Use GPResult Utility

In order to check for group policy enforcement the GPResult command have to be run on the computer where you want to check for it. The GPResult command has the following syntax:

GPRESULT [/S <system> [/U <user> [/P <password> ]]] [/SCOPE ] [/USER <enduser> ] [/R | /V | /Z] [(/X | /H) <filename> [/F]]

To learn more about Group Policies that apply to the following AD object (user and computer) and other settings related to the GPO infrastructure (i.e. the resulting GPO policy settings – RsoP), run the command:


Gpresult /r

The results of the command execution are divided into 2 sections:

  • COMPUTER SETTINGS – this section contains information about GPO operating on the computer
  • USER SETTINGS – user policies (policies that apply to the user account in AD)

Let’s briefly run through the main settings/partitions that may be useful in GPResult output:

  • Site Name – the name of the AD site where the computer is located;
  • CN – full canonical user/computer name for which RSoP data were generated;
  • Last time Group Policy was applied – the time when Group Policy was last applied;
  • Group Policy was applied from – the domain controller from which the latest version of the GPO was downloaded;
  • Domain Name and Domain Type – the name and version of the Active Directory domain schema;
  • Applied Group Policy Objects – lists of active Group Policy Objects;
  • The following GPOs were not applied because they were filtered out – not applied, filtered GPOs;
  • The user/computer is a part of the following security groups – domain groups that the user belongs to.
gpresult /r output

In our example, you can see that there are 3 Group Policies that apply to the user object.

  • Default Domain Policy;
  • Drive Mapping;
  • Outlook Coding;

If you do not want the console to display both user and computer policies at the same time, you can use the /scope option to display only the needed section. For example here is the command for user settings:

gpresult /r /scope:user

And here is for the computer policies:

gpresult /r /scope:computer

Since the Gpresult utility outputs its data directly to the command line console, which is not always convenient for further analysis, its output can be redirected to the clipboard:

Gpresult /r |clip

or a text file:

Gpresult /r > c:\gpresult.txt

To output RSOP super detailed information, you need to add the /z key:

Gpresult /r /z

How to Get RSOP HTML Report via GPResult

In addition, the GPResult utility can generate an HTML report on the applied resulting policies (available in Windows 7 and above). This report will contain detailed information about all system settings that are set by Group Policies. The resulting report is structured like the Settings tab in the Domain Group Policy Management Console (GPMC). You can generate a GPResult HTML report using the following command:

GPResult /h c:\temp\GPreport.html /f
GPResult HTML Report

To generate a report and then automatically open it in your browser, follow the command:

GPResult /h GPReport.html & GPReport.html

The gpresult HTML report contains quite a lot of useful information:

  • GPO’s application errors
  • Processing time in ms
  • Application of specific policies and CSE (that are located in Computer Details ⇒ Component Status)

As you can see, this HTML report is much more useful for analyzing the policies than the rsop.msc console.

How to Get GPResult Data from a Remote Computer

GPResult can also collect data from a remote computer, eliminating the need for the administrator to log on to the remote computer locally or via RDP. The syntax of the command to collect RSOP data from the remote computer is the following:

GPResult /s servername /r

Similarly, you can remotely collect data by both user and computer policies.

How to Get RSOP Data for a Certain User

When UAC is enabled, running GPResult without elevated privileges displays only the user’s group policy settings. If you want to display both settings at the same time (User and computer settings), you need to run the command with administrative privileges. If the cmd.exe with elevated privileges is run on an account that differs from the current system user, the utility will generate an INFO warning: The user “domain\user” does not have RSOP data. This happens because GPResult is trying to collect information for the user who started it, but because the user has not logged on, there is no RSOP information for him. To collect RSOP information for a user with an active session, you need to specify their account:

gpresult /r /user:domain\username

If you do not know the name of an account that is logged on to a remote computer, the account can be obtained this way:

qwinsta /SERVER:remotePCname

Also check the time (and time zone) on the client. The time must correspond to the time on the PDC (Primary Domain Controller).

Possible Reasons for GPOs to not Apply

While troubleshooting group policies, you should also take a look at the section: “The following GPOs were not applied because they were filtered out“. This section displays a list of GPOs do not apply to this object. Policy may not apply due to following options:

  • Filtering: Not Applied (Empty) – the policy is empty (there’s nothing to apply);
  • Filtering: Denied (Unknown Reason) – It is likely that the user or computer does not have permission to read/apply this policy. Permissions can be configured in the Security tab in the Group Policy Management Console (GPMC);
  • Filtering: Denied (Security) – the “Apply Group Policy” section has an explicit deny permission, or the AD object is not listed in the Security Filtering section of the GPO settings.

You can also understand whether the policy should apply or not to a specific AD object on the Advanced ⇒ Effective Access tab.

So, these are all options for the Group Policies diagnostic features using the GPResult utility.


PureVPN : UNLOCK THE BEST VPN DEAL

How to Update Windows Group Policy on Domain Computers

How to Update Windows Group Policy on Domain Computers

In this article, we will take a look at the features of updating Group Policy settings on Active Directory domain computers:

  • Automatic Group Policy update interval
  • The GPUpdate command
  • Remote update via the Group Policy Management Console (GPMC.msc)
  • PowerShell Invoke-GPUpdate command

Group Policy Update Interval

In order for the new settings that you have defined in a Local or Domain Group Policy (GPO) to apply to clients, the Group Policy Client service must reload the policies and make changes to the client settings. This process is called updating Group Policies. Group Policy settings are updated when the computer boots up and the user logs on, or automatically in the background every 90 minutes plus random offset between 0 and 30 minutes (i.e., the policies are guaranteed to apply to clients between 90 and 120 minutes after the GPO files are updated on the domain controller).

Domain controllers by default update the GPO settings much more frequently – once every 5 minutes.
You can change the refresh interval for GPO settings using the Set Group Policy refresh interval for computers option, which is located in the GPO Computer Configuration ⇒ Administrative Templates ⇒ System ⇒ Group Policy section. Enable the policy and set the time (in minutes) in the following settings:

  • This setting allows you to customize how often Group Policy is applied to computers (0 to 44640 minutes) – if you specify 0 here, the policies will start to update every 7 seconds – you should not do this
  • This is a random time added to the refresh interval to prevent all clients from requesting Group Policy at the same time (0 to 1440 minutes) – the maximum value of a random time interval that is added as an offset to the previous setting.
Set Group Policy Refresh Interval for Computers

Keep in mind that frequent GPO updates result in increased traffic to domain controllers and increased network load.

GPUpdate.exe – Group Policy Settings Update Command

All administrators are familiar with the gpupdate.exe command, which allows you to update group policy settings on your computer. Many of them do not hesitate to use the gpupdate /force command to update the GPO. This command forces the computer to reread all the policies from the domain controller and reapply all settings. The client accesses the domain controller, and receives ALL policies that are targeting it. This puts an increased load on the network and the domain controller.

A simple gpudate without /force key command applies only the new/changed GPO settings.

If all is OK when we update the GPO, the following lines should appear:

Updating policy…
Computer Policy Update has completed successfully.
User Policy Updating has completed successfully.

If any policies or settings have not applied, use the gpresult command to troubleshoot.


You can separately update GPO user settings by running the following command:

gpupdate /target:user

or just computer policies:

gpupdate /target:computer /force

If some policies cannot be updated in the background, gpudate can force the logoff of the current user:

gpupdate /target:user /logoff

Or reboot the computer (if the GPO changes can only be applied when Windows boots):

gpupdate /Boot

Force Update of Group Policy from the Group Policy Management Console

GPMC.msc (Group Policy Management Console), starting with Windows Server 2012, provides the ability to remotely update Group Policy settings on domain computers.

In Windows 10, you will need to install the RSAT component to use this console. In order to install it run the following command with administrator privileges:

Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0

Now, after changing the settings or creating and linking a new GPO, all you have to do is right click on the desired Organizational Unit (OU) in the GPMC and select Group Policy Update from the context menu. In the new window, you will see the number of computers that will update the GPO. Confirm the forced policy update by clicking Yes.

Group Policy Update via GPMC

Then, the GPO begin to update on each computer in the OU and you get a result with the status of the policy update on the computers (Succeeded/Failed).

This command remotely creates a scheduled task on the computers with the GPUpdate.exe /force command for each logged user. The task starts at a random time interval (up to 10 minutes) to reduce the network load.

The following conditions must be met for this GPMC functionality to work on the client:

  • TCP port 135 needs to be opened in Windows Firewall
  • Windows Management Instrumentation and Task Scheduler services must be enabled

If the computer is shut down or access to it is blocked by the firewall, the message “The remote procedure call was cancelled” will appear next to the computer name.

In a nutshell, this functionality would have the same effect if you had manually updated the policy settings on each computer with the GPUpdate /force command.

Group Policy Update with Invoke-GPUpdate Powershell Command

You can also trigger remote Group Policy updates on computers using the Invoke-GPUpdate PowerShell cmdlet (included in the RSAT). For example, you can use the command to remotely update user policies on a specific computer:

Invoke-GPUpdate -Computer "domain\computer035" -Target "User".

When running the Invoke-GPUpdate command without settings, it updates the GPO settings on the current computer (gpudate.exe analogue).

When combined with the Get-ADComputer cmdlet, you can update Group Policies on all computers in a specific OU:

Get-ADComputer -filter * -Searchbase "ou=Computers,dc=domain,dc=com" | foreach{ Invoke-GPUpdate -computer $_.name -force}

Or all computers that fall under certain criteria (for example, all Windows Server in the domain):

Get-ADComputer -Filter {enabled -eq "true" -and OperatingSystem -Like 'Windows Server' }| foreach{ Invoke-GPUpdate -computer $_.name -RandomDelayInMinutes 10 -force}

You can specify a random delay in updating a GPO using the RandomDelayInMinutes setting. In this case you can reduce the load on the network if you want to update policies on multiple computers at the same time. The RandomDelayInMinutes 0 setting is used to apply the policies immediately.

For inaccessible computers, the command will return the error:

Invoke-GPUpdate: Computer "spb-srv01" is not responding. The target computer is either turned off or Remote Scheduled Tasks Management Firewall rules are disabled.

When running the Invoke-GPUpdate command remotely or updating a GPO through the GPMC, a cmd window may briefly appear on the user’s monitor with the gpupdate command running.

How to Configure Direct Access in Windows Server

How to Configure Direct Access in Windows Server

In this article, we’ll step by step describe how to deploy the Direct Access (DA) remote connection service on Microsoft Windows Server. Before we get started, let’s take a quick look at what the Direct Access service is. The Direct Access component was first introduced by Microsoft in Windows Server 2008 R2 and was designed to provide transparent access for remote computers to internal company network resources. When connecting through a DA, the user can take full advantage of the enterprise and domain services, and the IT support staff can manage and keep the computers up to date in terms of security. At its core, Direct Access is a lot like a traditional VPN connection to the corporate network. You can also call it “always on VPN”.

Difference Between Direct Access and VPN

Let’s look at the basic difference between Direct Access and VPN:

  • In order to establish the Direct Access connection, the user does not need to start the VPN client – the connection is made automatically when there is Internet access.
  • To establish a connection between the DA client and the server, you need to open port 443.
  • The user’s computer must be in an Active Directory domain.
  • The communication channel between the remote PC and the corporate gateway is encrypted with robust algorithms using IPsec.
  • It is possible to organize two-factor authentication using a one-time password system.

Difference Between the First Version of Direct Access and Latest

What are the major differences between the new Windows Server versions of Direct Access and the first version on Windows 2008 R2? The main difference is the reduced requirements for the related infrastructure. For example, here are some differences:

  • The Direct Access server no longer needs to be an edge server, it can now be behind NAT.
  • If you’re using Windows 8 Enterprise and later as the remote client, you don’t need to deploy an internal PKI infrastructure (client authentication will be handled by the Kerberos proxy located on the DA server).
  • Having IPv6 on the internal network of the organization is not necessary.
  • New Direct Access supports OTP (One Time Password) and NAP (Network Access Protection) without requiring Unified Access Gateway (UAG) deployment.

Direct Access Installation Requirements

Here are infrastructure requirements to deploy Direct Access based on Windows Server:

  • Active Directory domain and domain administrator rights.
  • A dedicated (recommended) DA server running Windows Server 2012 R2 and later, included in a Windows domain. The server has 2 network cards: one is on the internal corporate network and the other is on the DMZ network.
  • Dedicated DMZ subnet.
  • The external DNS name or IP address available from the Internet that Direct Access clients will connect to.
  • Traffic redirection configuration from TCP port 443 to DA server address.
  • Deployed PKI infrastructure for certificate issuance. The certificate authority must publish the Web Server certificate template and allow it to be auto-enrolled (Not needed for Windows 8 and above).
  • Clients must run Windows Professional / Enterprise edition.
  • AD Group that will consist of computers that are allowed to connect to the network via Direct Access.

Installing Remote Access Server Role

First we need to start the Server Manager console and use the Add Roles and Features wizard to install the Remote Access role.

Remote Access Server Role

As part of the Remote Access role, you must install the Direct Access and VPN (RAS) service.

Direct Access Role Services

Leave all other settings by default and restart the server after installation.

Configuring the Direct Access Service in Windows Server

Once the Remote Access service has been installed, open the Tools ⇒ Remote Access Management snap-in.

Remote Access Management Snap-in

The remote access console will start. Click on DirectAccess and VPNRun the Remote Access Setup Wizard. Now we only need to install Deploy DirectAccess only role.

This should open a window in the right half of which you can see the four steps (Step 1 – 4) of the DA service configuration graphically.

Remote Access Setup

Step One: Remote Clients

Let’s say that we’re deploying full DirectAccess for client access and remote management.

Now you need to specify the AD security group that will contain the computer accounts that are allowed to connect to the corporate network via Direct Access (in this example, we will use alwayonvpn group).

Security Group of Direct Access

Enable DirectAccess for mobile only option – allows you to limit connection via DA only for mobile devices (laptops, tablets). This feature is implemented by polling clients via WMI.

The Force Tunneling option – means that remote clients when accessing any remote resources (including regular websites) always use DA servers (all external client traffic goes through the corporate gateway).


On the next step we need to specify a list of internal network names or URLs from which the client can check (Ping or HTTP request) that he is connected to the corporate network. You can also specify the help desk email address and the name of the DirectAccess connection (so that it will appear on the client’s network connections).

If necessary, you can enable the Allow DirectAccess clients to use local name resolution option, which allows the client to use the company’s internal DNS servers (DNS server addresses can be obtained by DHCP).

Direct Access Client Setup

Step Two: Remote Access Server

The next step is to configure the Remote Access server. In our example we will have an edge server (firewall) with two network cards, so we need to select – Behind an edge device (with two network adapters), one of which is on the corporate network and the other is connected directly to the Internet or DMZ subnet. You also need to provide the external DNS name or IP address on the Internet (which is where port 443 is pinged to the external interface of the DirectAccess server) that the DA clients should connect to.

Network Topology Options

Then you must specify which NIC will be considered Internal (LAN) and which External (DMZ).

Now we need to generate a DA server certificate. To do this, create a new mmc snap-in, and add the Certificates console that manages local computer certificates.

Computer Certificates Snap-in

In the Certificate Management Console, request a new personal certificate by clicking on Certificates (Local Computer) ⇒ Personal ⇒ Certificates and selecting All Tasks ⇒ Request New Certificate…

Request New Certificate

Request a certificate through the Active Directory Enrollment Policy. We are interested in a certificate based on the Web Servers template.

In the new certificate request settings on the Subject tab, let’s fill out the fields that identify our company and on the Private Key tab, let’s specify that the certificate private key can be exported (Make private key exportable).

Certificate Creation Options

Save the changes and request a new certificate from CA. Request and generate a new certificate.

Return to the DirectAccess server settings window and click the Browse button to select the generated certificate. Specify our certificate.

In the next step of the wizard, we’ll select a method for authenticating Direct Access clients. Specify that authentication with Active Directory credentials (username/password) is used. Select the checkbox of Use computer certificates and Use an intermediate certificate. Click the Browse button to specify the certificate authority that will be responsible for issuing client certificates.

DirectAccess Client Authentication Settings

Step Three – Infrastructure Servers

The third stage contains configuration of infrastructure servers. We need to specify the address of the Network Location Server, which is located inside the corporate network. Network Location Server (NLS) – is a server through which the client can determine that it is on the internal network of the organization, i.e. you do not need to use DA to connect. NLS server can be any internal web server (even with a default IIS page), the main requirement is that the NLS server must not be accessible from outside the corporate network.

Network Location Server

Now let’s specify a list of DNS servers for name resolution by clients. It is recommended to leave the option Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended).

Then specify the DNS suffixes of internal domains in order of priority of their use.

Management settings window we will keep default.

Step Four – Application Servers

In this step we will configure application servers. This phase allows you to configure additional authentication and traffic encryption between the back-end application servers and DA clients. In this example we do not need this, so let’s leave the option Do not extend authentication to application servers.

This completes the Remote Access role configuration wizard, so we just need to save the changes.

After you finish, the wizard will create two new group policies – DirectAccess Client Settings and DirectAccess Server Settings that are attached to the root of the domain. You can either leave them as they are, or link them to the desired OU.

Direct Access Group Policies

Test Direct Access on the Windows Client

To test how Direct Access works from the client side, let’s add a computer with Windows Enterprise OS to our direct access group (alwaysonvpn) and update Group Policy via gpupdate /force on it.

Disconnect the laptop from the corporate network and connect to the Internet via public Wi-Fi. The system automatically connects to the corporate network via DirectAccess. The connection name will be displayed in Network & Internet Settings.

You can verify if there is a DirectAccess established using the PowerShell command:

Get- DAConnectionStatus

If it returns ConnectedRemotely, then the DA is connected to the corporate network

How to View RDP Connection Logs in Windows

How to View RDP Connection Logs in Windows

In this article we will take a look at the features of Remote Desktop Protocol (RDP) connection auditing and log analysis in Windows. Typically, it is useful when investigating various incidents on Windows servers when a system administrator is required to provide information about what users logged on to the server, when he logged on and off, and from which device (name or IP address) the RDP user was connecting.

Remote Desktop Connection Events

Like other events, the Windows RDP connection logs are stored in the event logs. The Windows logs contain a lot of information, but it can be difficult to find the right event quickly. When a user remotely connects to a Windows server, many events are generated in the Windows logs. We will take a look at the following:

  • Network Connection
  • Authentication
  • Logon
  • Session Disconnect/Reconnect
  • Logoff

Network Connection Events

Network Connection connects user’s RDP client with the Windows server. That logs EventID – 1149 (Remote Desktop Services: User authentication succeeded). The presence of this event does not indicate successful user authentication. This log can be found at Applications and Services Logs ⇒ Microsoft ⇒ Windows ⇒ Terminal-Services-RemoteConnectionManager ⇒ Operational. You can filter this log by right clicking on Operational log ⇒ Selecting “Filter Current Log” and type in EventID 1149.

Event log filtering
Filtering the log for EventID 1149

The result is a list with the history of all network RDP connections to this server. As you can see, the log file contains the username, domain (When Network Level Authentication (NLA) authentication is used), and IP address of the computer from which the RDP connection is made.

EventID 1149
EventID 1149 output

Authentication Events

User authentication can be successful or unsuccessful on the server. Navigate to Windows logs ⇒ Security. We are interested in logs with EventID – 4624 (An account was successfully logged on) or 4625 (An account failed to log on). Pay attention to the LogonType value in the event. LogonType – 10 or 3 indicates a new logon to the system. If LogonType is 7, it indicates re-connection to an existing RDP session.

EventID 4624
EventID 4624

The username of the connecting account is written in the Account Name field, his computer name is written in Workstation Name, and the IP address in Source Network Address.

Take a look at TargetLogonID field, which is a unique user session identifier that can be used to track further activity of this user. However, if a user disconnects from the RDP session and reconnects to the session again, the user will be issued a new TargetLogonID (although the RDP session remains the same).

You can get a list of successful authentication events over RDP (EventID 4624) using the following PowerShell command:

Get-EventLog security -after (Get-date -hour 0 -minute 0 -second 0) | ?{$_.eventid -eq 4624 -and $_.Message -match 'logon type:\s+(10)\s'} | Out-GridView

Logon Events

RDP logon is the event that appears after successful user authentication. Log entry with EventID – 21 (Remote Desktop Services: Session logon succeeded). This log can be found in Applications and Services Logs ⇒ Microsoft ⇒ Windows ⇒ TerminalServices-LocalSessionManager ⇒ Operational. As you can see here you can see the RDP Session ID for the user.

RDS EventID 21
Remote Desktop Services EventID 21

Remote Desktop Services: Shell start received” details in EventID 21 means that the Explorer shell has been successfully launched in the RDP session.

Session Disconnect and Reconnect Events

Session Disconnect/Reconnect events have different codes depending on what caused the user to end the session, for example disable by inactivity, selecting “Disconnect” in Start menu, RDP session drop by another user or administrator, etc. These events can be found in Applications and Services Logs ⇒ Microsoft ⇒ Windows ⇒ TerminalServices-LocalSessionManager ⇒ Operational. Let’s take a look at the RDP events that may be of interest:

  • EventID – 24 (Remote Desktop Services: Session has been disconnected) – the user has disconnected from the RDP session.
  • EventID – 25 (Remote Desktop Services: Session reconnection succeeded) – The user has reconnected to his existing RDP session on the server.
  • EventID – 39 (Session A has been disconnected by session B) – user disconnected from his RDP session by selecting the appropriate menu item (not just closed the RDP client window by clicking on “x” in the top right corner). If the session IDs are different, then the user has been disconnected by another user or administrator.
  • EventID – 40 (Session A has been disconnected, reason code B). Here you should look at the reason code for the disconnection in the event. For example:
    • Reason code 0 (No additional information is available) – usually indicates that the user just closed the RDP client window.
    • Reason code 5 (The client’s connection was replaced by another connection) – the user re-connected to his old session.
    • Reason code 11 (User activity has the disconnect) – the user clicked the Disconnect button on the menu.
  • EventID – 4778 in Windows log ⇒ Security (A session was reconnected to a Window Station). The user re-connected to an RDP session (the user is given a new LogonID).
  • EventID 4799 in Windows Logon ⇒ Security (A session was reconnected to a Window Station). Disconnection from an RDP session.

Logoff Events

Logoff logs track the user disconnection from the system. In the Applications and Services Logs ⇒ Microsoft ⇒ Windows ⇒ TerminalServices-LocalSessionManager ⇒ Operational logs we can find EventID 23. In this case in Security log we need to search for EventID 4634 (An account was logged off).

logoff EventID 23
RDP session logoff EventID 23

Event 9009 (The Desktop Window Manager has exited with code (x)) in the System log shows that the user initiated the end of the RDP session and the user’s window and graphical shell were terminated. Below is a small PowerShell that uploads the history of all RDP connections for the current day from the Remote Desktop Service server. The table below shows the connection time, client IP address, and RDP username (you can include other logon types in the report if necessary).

Get-EventLog -LogName Security -after (Get-date -hour 0 -minute 0 -second 0)| ?{(4624,4778) -contains $_.EventID -and $_.Message -match 'logon type:\s+(10)\s'}| %{
(new-object -Type PSObject -Property @{
TimeGenerated = $_.TimeGenerated
ClientIP = $_.Message -replace '(?smi).*Source Network Address:\s+([^\s]+)\s+.*','$1'
UserName = $_.Message -replace '(?smi).*Account Name:\s+([^\s]+)\s+.*','$1'
UserDomain = $_.Message -replace '(?smi).*Account Domain:\s+([^\s]+)\s+.*','$1'
LogonType = $_.Message -replace '(?smi).*Logon Type:\s+([^\s]+)\s+.*','$1'
})
} | sort TimeGenerated -Descending | Select TimeGenerated, ClientIP `
, @{N='Username';E={'{0}\{1}' -f $_.UserDomain,$_.UserName}} `
, @{N='LogType';E={
switch ($_.LogonType) {
2 {'Interactive - local logon'}
3 {'Network conection to shared folder)'}
4 {'Batch'}
5 {'Service'}
7 {'Unlock (after screensaver)'}
8 {'NetworkCleartext'}
9 {'NewCredentials (local impersonation process under existing connection)'}
10 {'RDP'}
11 {'CachedInteractive'}
default {"LogType Not Recognised: $($_.LogonType)"}
}
}}

Exporting RDP logs

Sometimes it is needed to export RDP logs into Excel table, in this case you can upload any Windows log to a text file and afterwards import it into Excel. You can export the log from the Event Viewer console or from the command line:

WEVTUtil query-events Security > c:\ps\security_log.txt

Or:

get-winevent -logname "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | Export-Csv c:\ps\rdp-log.txt -Encoding UTF8 

A list of the current RDP sessions on the server can be displayed as a command “Qwinsta”

qwinsta command output
qwinsta output

The command returns as session identifier, username and status (Active/Disconnect). This command is useful when you need to determine the RDP session ID of a user during a shadow connection.

After defining a Session ID you can list running processes in a particular RDP session:

qprocess /id:1
qprocess command output
qprocess output

So here are the most common ways to view RDP connection logs in Windows.

How to Configure Zabbix Monitoring System

How to Configure Zabbix Monitoring System

Zabbix is an open-source enterprise level monitoring system. At the moment Zabbix is one of the most popular and functional free monitoring systems, with its easy installation and configuration. Zabbix server can be used for monitoring large infrastructures with hundreds of servers, as well as for small environment. In this article we will cover how to install and configure free monitoring system Zabbix with Linux Ubuntu based web interface. Install Zabbix agents on Windows and Linux server, and add new hosts to the system for monitoring.

Contents

  • Zabbix structure and functionality
  • Installing Zabbix server on Linux
  • Configuring Zabbix web interface
  • Installing Zabbix agent on Windows
  • Adding a device on a Zabbix server
  • Installing Zabbix agent on Linux

Zabbix Structure and Functionality

Zabbix is rather simple to install and configure. It is written in C++ (server, proxy and agent) and PHP (frontend). Zabbix server and Zabbix proxy can only run on Linux systems. The agent can be installed on many supported operating systems and platforms.

The Zabbix server installation package consists of:

  • Zabbix server binary
  • MySQL (MariaDB)/PostgreSQL databases
  • Apache2/Nginx web server with PHP frontend
  • Frontend files – .php, .js, .css, etc…

The scheme of work looks like this:

  1. The Zabbix agent sends data to the server
  2. The Zabbix server receives and processes the data
  3. If the received data is subject to the specified conditions, a trigger is triggered
  4. An active trigger signals a problem. A notification is displayed on the frontend, the notification emails is sent and needed actions are automatically performed. This depends on the configuration, for example Zabbix agent can restart the service that is being monitored.

Zabbix can work with all known protocols, thanks to a system of external scripts.

Installing Zabbix Server on Linux

In this article we will take a look at an example installation of Zabbix Server on Linux (using Ubuntu Server) through a batch manager.

Go to the download page https://www.zabbix.com/download and select the repository corresponding to your Linux distribution. Ready-made packages are available for all popular distributions.

For example, to install Zabbix 5 on Ubuntu 18.04 you have to select :

Zabbix Version 5 ⇒ OS Distribution (Ubuntu) ⇒ OS Version (18.04 Bionic) ⇒ Database (MySQL) ⇒ Web Server (Nginx or Apache).

Download and add a repository:

wget https://repo.zabbix.com/zabbix/5.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_5.0-1+bionic_all.deb
dpkg -i zabbix-release_5.0-1+bionic_all.deb
apt update

Now you can install the necessary packages:

apt install zabbix-server-mysql zabbix-frontend-php zabbix-nginx-conf zabbix-agent

Create a database and give the rights to the service account under whom Zabbix will access the database:

mysql -uroot
mysql> create database zabbix character set utf8 collate utf8_bin;
mysql> grant all privileges on zabbix.* to zabbix@localhost identified by 'Your Password';
mysql> quit;

Import the Zabbix database. You will need to enter the password that you specified for the zabbix@localhost user.

zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p Zabbix

Edit the configuration file /etc/zabbix/zabbix_server.conf, specify the password from the newly created user.

DBPassword=users password

Since in this example the web server is nginx, you need to change nginx.conf by removing “#” from the following lines:


listen 80;

server_name example.com;

Also change “example.com” to the domain name you want to log in to Zabbix web console, in this example it’s “test.zabbix.local“.

Now let’s set the time zone in PHP. In the /etc/zabbix/php-fpm.conf file lets remove “#” from the following line:

php_value[date.timezone] = Europe/Moscow

Additionally, you can set the following PHP settings in /etc/php.ini:

  • memory_limit 128M
  • upload_max_filesize 8M
  • post_max_size 16M
  • max_execution_time 300
  • max_input_time 300
  • max_input_vars 10000

Add the zabbix-server service to autostart and run it:

systemctl enable zabbix-server zabbix-agent nginx php7.2-fpm
systemctl restart zabbix-server zabbix-agent nginx php7.2-fpm

Configuring Zabbix Web Interface

Now you need to configure the frontend (web interface) of Zabbix. Open the previously specified URL of Zabbix server in your browser. In our example it is test.zabbix.local. Do not forget to register it on your DNS server.

Make sure that all installer requirements are OK.

Enter the data to connect to the database. Use the user and password you created earlier.

Enter the name of the Zabbix server. I recommend not to change the standard port – TCP 10051.

Note. The default Zabbix system uses two ports:

  • TCP 10050 is a passive agent port, on which the zabbix server polls clients;
  • TCP 10051 – the port on which zabbix server receives data from clients (active agent).

After that press Next Step and Finish. After successful installation, you will need to log in. Use “Admin” as login and “zabbix” as password, these are the default credentials.

This concludes the installation of the Zabbix Server.

Installing Zabbix Agent on Windows Server

Let’s try to install Zabbix agent on a Windows server and add it to our Zabbix monitoring. Download Zabbix agent for Windows here: https://www.zabbix.com/download_agents.

Select the desired version of the agent for Windows. For this example we will choose the “.msi x64” format (without OpenSSL). If you plan to install zabbix agent on servers/computers via Group Policy or SCCM, you can download the zip archive with binary and configuration files.

Start the installer, accept the license agreement, specify the requested data. Note that in the “Server or Proxy for active checks” field I entered the IP address in “IP:PORT” format. Since I left the port as standard, it will be serverip:10051.

Then click Next and Install.

Now we need to make sure that our agent is installed. The Zabbix agent service should appear in the services.msc list.

On the Windows client Firewall, you need to allow incoming connections from the Zabbix server:

New-NetFirewallRule -DisplayName "Zabbix" -RemoteAddress "ZabbixserverIP" -Direction Inbound -Protocol TCP -LocalPort 10050 -Action Allow

To make sure that the agent is working, you need to add our host to the Zabbix server and assign it checks.

Note. There are two types of checks in the Zabbix:
Passive – the Zabbix server asks for some data from the agent;
Active – the agent sends data to the server;

While installing the agent, we specified a server in IP:PORT format just for active checks.

Adding Device on a Zabbix Server

So We’ve installed the agent, now we need to add it on the monitoring platform via web-interface. Go to Configuration Hosts ⇒ Click Create host and fill in the data. Note that the host’s name must match the host name of the server with the agent or the value of the Hostname parameter in the agent config.

On the Templates tab, add some built-in Windows templates. Templates in Zabbix are sets of values, triggers, graphs and detection rules that can be assigned to one or more hosts.

These integrated templates have “active” in the end, which means that active checks will be used.

Click Add. To avoid waiting for the server and agent to connect with each other (usually takes a couple of minutes), restart the Zabbix Agent service on monitored host and check the agent’s log (C:\Program Files\Zabbix Agent\zabbix_agentd.txt).

The message “started [active checks #1]” indicates that active checks for this host have been found on the server. Now let’s look at the data that came to the Zabbix server from the agent. To do this in Zabbix, go to MonitoringLatest Data and select the desired host in the Hosts field.

This section shows the latest data that came to the server by selected hosts or groups of hosts. Note that there is a notification on the Zabbix dashboard that the BITS service is not running. This notification appears because we have assigned standard templates to our host. One of the templates was monitoring the BITS service and the corresponding trigger, which is triggered if the BITS service is not in status Running.

This concludes the configuration of the Windows Agent.

Installing the Zabbix Agent on Linux

Now let’s install the Zabbix agent on Linux. To install the Zabbix agent in Ubuntu Server using the package manager you need to download and install the Zabbix repository. Then we will install the zabbix agent from the repository:

wget https://repo.zabbix.com/zabbix/5.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_5.0-1+bionic_all.deb
dpkg -i zabbix-release_5.0-1+bionic_all.deb
apt update
apt install zabbix-agent

Before we run the zabbix agent, we need to edit the /etc/zabbix/zabbix_agentd.conf configuration file. In this file you need to specify the IP address of the Zabbix server for active checks:

Server=ServerIP
ServerActive=IP:10051
Hostname=testagent

After that we need to start the agent service:

service zabbix-agent start

Make sure the agent is successfully launched.

cat /var/log/zabbix/zabbix_agentd.log

Cannot parse list of active checks” string indicates that there are no active checks for this host on the server.

Similar to the Windows agent, you need to add your Linux host to the Zabbix server settings. Note the Hostname parameter in the host configuration in the server’s Zabbix interface must match the Hostname parameter that we specify in the Zabbix config.

Reboot the Zabbix agent and check the log.

Check that the agent data has appeared on the Zabbix server.

This completes the configuration of the Zabbix agent on your Linux system.

How to Set up VPN Connection in Windows

How to Set up VPN Connection in Windows

This is a little VPN configuration guide for Windows using the built-in wizard. The other side of the VPN connection can be a Windows Server with the Routing and Remote Access (RRAS) service enabled.

Let me remind you that VPN is a common protocol that allows you to organize a secure encrypted remote connection of a user to the corporate network via public networks (Internet). The technology is quite complex and requires proper configuration on both sides of the communication tunnel (the VPN client and the server).

Create a VPN Connection in Windows

  1. Go to Control Pannel -> Network and Sharing Center. You can do this also by typing the search phrase “Network” in the search panel (Win+S).
  1. Select the “Set up a new connection or network” option.
  1. Select “Connect to a workplace“, and click Next.
  1. Select the first option – Use my Internet connection (VPN).
  2. In the Internet address field, specify the IP address or DNS name of the host that should accept your incoming VPN connection. Also specify the name of this connection.
  1. Press Create and Done. Now you can close the network settings.

Connect via VPN in Windows

Press Win + I and click on the Network and Internet icon at the top of the panel, which will open the network connections.

Navigate to VPN tab. Here is the list of all VPN connections created on this computer. Select the connection you need and click Connect.

Specify the VPN username and password.

How to change Properties of VPN Connection

Left-click on the VPN connection that you need to edit and select the Additional Properties menu.

Alternatively, go to Control Panel -> Network and Internet-> Network Connections. Open the connection properties of needed VPN connection.

There are a lot of different settings that you need to change in the VPN Connection Properties window depending on the VPN server that you are using or the settings set by your ISP. For example the provider accepts PPTP VPN, in this case we go to the Point to Point Tunneling Protocol ( PPTP ) in Security tab (Dending on the parameters of the VPN server, you may have to set a number of other parameters as well).

How to Set up VPN Server on Windows Server

How to Set up VPN Server on Windows Server

In this article we will show you how to install and configure a simple Windows Server based VPN server that can be used in a small organization.

Note. This manual is not recommended as a guide for organizing a VPN server in a large corporate network. As an enterprise-class solution, it is preferable to deploy Direct Access and use it for remote access.

The first thing that you need to do is install the “Remote Access” role. You can do this through the Server Manager console or PowerShell.

With the Remote Access role, we are interested in the DirectAccess and VPN (RAS) service. Let’s install it! Open Server Manager go to Add Roles and Features -> Click Next two times-> We need to install the Remote Access and IIS web server roles.

Click Next three times and select DirectAccess and VPN (RAS), click next and Install.

When the wizard is finished, click the “Open the Getting Started Wizard” link and the RAS Server Configuration Wizard will start.

Install RAS Service Using PowerShell

You can install the RAS service using the following Powershell command:

Install-WindowsFeatures RemoteAccess -IncludeManagementTools

Configure Remote Access Service

Since we do not need to deploy the DirectAccess service, let us specify that we only need to install the VPN server.

The familiar Routing and Remote Access MMC console opens up. In the console, right click on the server name and click the Configure and Enable Routing and Remote Access option.

The RAS Server Setup Wizard is launched. In the wizard window, select “Custom configuration” and then select the “VPN Access” option.

When the wizard is finished, the system will offer to start the Routing and Remote Access service. Do it.

Configure Firewall to Allow VPN

If there is a firewall between your VPN server and the Internet from which clients will connect, you need to open the following ports and redirect traffic to these ports to your VPN server:

For PPTP: TCP - 1723 and Protocol 47 GRE (also called PPTP Pass-through)
For SSTP: TCP 443
For L2TP over IPSEC: TCP 1701 and UDP 500

After installing the server, you must allow VPN access in the user account properties (Dial-in tab) for those users which you want to connect via VPN. If the server is joined to an Active Directory domain, this should be done in the user properties of the ADUC console. If the server is local, you can find it in user properties of the Computer Management console (Network Access Permission – Allow access).

Configure DHCP for VPN

If you are not using a DHCP server that distributes IP addresses to vpn clients, you should enable “Static address pool” on the IPv4 tab of the VPN server properties and specify the range of addresses to be distributed.

Note. IP addresses distributed by the server for routing purposes must not overlap with IP addressing on the VPN client side.

So it is only remains is to configure the VPN client and test it.

How to Change User Password in AD via PowerShell

How to Change User Password in AD via PowerShell

In this article we will see how to change (reset) the password of one or more Active Directory users from the PowerShell command line using the Set-ADAccountPassword cmdlet.

Most system administrators reset user passwords in AD using the dsa.msc (Active Directory Users & Computers – ADUC) snap-in. They simply find the user account in AD, right-click on it and select Reset password.

But it is not possible to use the ADUC console when you need to reset the password to multiple users at once. In this case, you can change AD passwords from the PowerShell command line.

Import Active Directory Module

To reset a user password in AD, the Set-ADAccountPassword cmdlet is used, which is included in the Active Directory module for Windows PowerShell. In Windows desktop versions it is included in RSAT, and in server editions it is installed as a separate component of AD DS Snap-Ins and Command-Line Tools. Before using the module, you must import it into a PowerShell session:

Import-module ActiveDirectory

Check for Password Reset Rights

To reset your password, your account must have the appropriate rights. Naturally, normal AD users by default cannot reset other accounts’ passwords for this feature to be available, the user (user group) must be delegated the right to reset the password on the AD container, or add it to the domain Account Operators group.

To verify that your account has the right to reset a particular user’s password, open its properties, go to the Security -> Advanced -> Effective Access tab, specify your account name and make sure that you have Reset Password permission.

Reset Password for a Single User Account

To reset a password for a user with a testuser logon name and set a new password to it, follow the command:

Set-ADAccountPassword testuser -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "newP@$$w0rD" -Force -Verbose) -PassThru

By default, the cmdlet returns the object and displays nothing in the console. To display information about the user object in AD we are using the -PassThru option.

As username you can specify SamAccountName (our case), objectGUID, SID of the user, or his DN (Distinguished Name, e.g. CN=TestUser,OU=Users,DC=testdomain,DC=com).

If you do not specify the -Reset parameter when changing the user password, you must specify the old password first and only then a new one.

Note. If the following error occurs when resetting the password using the Set-ADAccountPassword command:

Set-ADAccountPassword : The password does not meet the length, complexity, or history requirement of the domain.

This means that complexity, length or history requirements are defined in the domain password policy or granular password policy but the enetered password doesnt meet them.

If you have PowerShell command history enabled and you do not want passwords to be visible in the PoSh console, the password must be converted to a secure string:

$NewPwd=Read-Host "Enter new user password" -AsSecureString

Now let’s reset the password:

Set-ADAccountPassword testuser -Reset -NewPassword $NewPwd -PassThru

Additional Commands after Resetting User Account Password

When resetting a password, you can force unlock the user account even if it is locked using the following command afterwards:

Unlock-ADAccount -Identity testuser

In order to change a user password to a new one the next time he logs in to the domain, follow the command:

Set-ADUser -Identity testuser -ChangePasswordAtLogon $true

You can combine the command to change the password and enable the password change requirement in a single string:

Set-ADAccountPassword testuser -NewPassword $NewPwd -Reset -PassThru | Set-ADuser -ChangePasswordAtLogon $True

Verify the Password Change

Using the Get-ADUser command, you can verify that the password has been reset successfully by displaying the last time the account was changed:

Get-ADUser testuser -Properties * | select name, pass *

When the password is reset, EventID 4724 is logged on the domain controller (DC) in security settings of the event log. This event helps to define who has reset the password on the domain controller.

Change the Password of Several Users in AD at Once

We’ve showed you how to reset a single user’s password in AD using PowerShell. Lets consider another scenario where you need to change passwords of multiple users at the same time.

The simplest scenario is when you need to reset passwords of all users with certain account properties. For example, you need to force all employees from marketing department to reset their passwords to default password and force them to change their passwords the next time they log on:

get-aduser -filter "department -eq 'Marketing' -AND enabled -eq 'True'" | Set-ADAccountPassword -NewPassword $NewPasswd -Reset -PassThru | Set-ADuser -ChangePasswordAtLogon $True

Now let’s consider another case. Let’s say you have a CSV / Excel file that contains a list of users who need to reset passwords with a unique password for each user. The format of the file testusers.csv:

SamAccountName;NewPwd
testuser1;u9anklenX7Uf57d
testuser2;ucBclay4wcZKqQ
testuser3;vbullDJNxaG%y

With the following PowerShell script, you can reset the password for each account from the file:

Import-Csv testusers.csv -Delimiter ";" | Foreach {
$NewPwd = ConvertTo-SecureString -AsPlainText $_.NewPassword -Force
Set-ADAccountPassword -Identity $_.sAMAccountName -NewPassword $NewPwd -Reset -PassThru | Set-ADUser -ChangePasswordAtLogon $false
}

After this code is executed, a new unique password will be set for each user from the file.