
This section contains instructions for setting up access to VPN networks upon presentation of a token.

To configure, you need a computer running the Windows Server 2019 operating system (Russian-language edition) with the Rutoken drivers installed, as well as the installation media for this OS.

The operating system must be configured as a domain controller. Certification Services and the Routing and Remote Access service (with a Windows Firewall rule that allows this service) must be installed in the system, and certificates of the User with a smart card or Login with a smart card type must have been issued to the users.

All the actions described below are performed with system administrator rights.

The Admin account is used as an example.

Stages of setting up access to VPN networks upon presentation of a token:

Stage 1: Configuring routing and remote access.

Stage 2: Setting up user accounts.

Configuring routing and remote access

Before configuring routing and remote access, you need to make sure that the roles Network and Access Policy Services and Remote Access are installed on the server.

To configure routing and remote access:

  1. Open the Control Panel.
  2. Enter the word "administration" in the search box.
  3. Double-click the Administrative Tools item.
  4. Double-click the Routing and Remote Access snap-in.
  5. Right-click the server name and select Configure and Enable Routing and Remote Access.
  6. In the Routing and Remote Access Server Setup Wizard window, click Next.
  7. Select Custom configuration and click Next.
  8. Check the VPN access box and click Next.
  9. Make sure that all the required routing and remote access server functions are listed in the Summary of selected services field. Click Finish.
  10. Click Start service and wait for the service to start.
  11. Right-click the server name and select Properties.
  12. In the server properties window, go to the Security tab and click Authentication Methods...
  13. In the Authentication Methods window, check the EAP box and click OK.
  14. In this example, the DHCP service is not configured on the computer, so remote clients must be assigned IP addresses from a specified range. Go to the IPv4 tab and select Static address pool.
  15. Click Add.
  16. Enter the first and last IP addresses of the range and click OK.
  17. Click OK.
  18. Right-click the Remote Access Logging & Policies category and select Refresh.
  19. Right-click the Remote Access Logging & Policies category and select Launch NPS.
  20. In the Network Policy Server window, click the Network Policies category.
  21. Right-click the Connections to Microsoft Routing and Remote Access server line and select Properties.
  22. On the Overview tab, select Grant access and click OK.
  23. Right-click the Connections to Microsoft Routing and Remote Access server line again and select Properties.
  24. On the Constraints tab, in the left part of the window, click the Authentication Methods constraint.
  25. The line Microsoft: Smart Card or other certificate should be displayed in the EAP Types list in the right part of the window.
  26. If this line is not displayed, click Add...
  27. In the Authentication methods list, select Microsoft: Smart Card or other certificate and click OK.
  28. Next, specify the server that performs authentication. To do this, click the Microsoft: Smart Card or other certificate line and click Edit...
  29. Make sure that the remote access server name shown is correct.
  30. Click OK.
  31. Close the Network Policy Server snap-in.

Setting up user accounts

After setting up remote access, users need to be given the rights to connect to the VPN.

To set up user accounts:

  1. Open the Control Panel.
  2. Enter the word "administration" in the search box.
  3. Double-click the Administrative Tools item.
  4. Double-click the Active Directory Users and Computers snap-in.
  5. In the Active Directory Users and Computers window, click the Users folder.
  6. In the right part of the window, right-click the line with the user name and select Properties. In this example, the user user1 is selected.
  7. In the [User Name] Properties window, go to the Dial-in tab.
  8. Select Allow access and click OK.
  9. Close the Active Directory Users and Computers snap-in.
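The same two stages can be scripted instead of clicked through. The following PowerShell session is an added example, not part of the original page or of the Rutoken documentation; it assumes Windows Server 2019 with the RemoteAccess, NetSecurity and ActiveDirectory modules available, and the address range 10.0.0.100 to 10.0.0.200 and the user name user1 are placeholder values (user1 is the page's example user). The NPS network policy edits of steps 18 to 31 are still done in the console as described above; the script only displays the current policies so they can be checked. Note that `Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP` makes EAP the only accepted user authentication method, so password-based methods are not offered to clients; the smart card certificate is then checked by the Microsoft: Smart Card or other certificate EAP type configured in the NPS policy.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Rutoken page). Scripts stage 1 (RRAS) and
# stage 2 (user dial-in permission) on Windows Server 2019.
# All placeholder values below are assumptions, not values from the page.

$PoolStart = '10.0.0.100'   # assumed: first address of the static pool (step 16)
$PoolEnd   = '10.0.0.200'   # assumed: last address of the static pool (step 16)
$VpnUser   = 'user1'        # example user named on the page (stage 2, step 6)

# Prerequisite: the Remote Access and Network Policy and Access Services roles
# the page says must be present on the server.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, NPAS, RSAT-RemoteAccess `
    -IncludeManagementTools -ErrorAction Stop

Import-Module RemoteAccess -ErrorAction Stop
Import-Module NetSecurity  -ErrorAction Stop

# Steps 5-10: enable RRAS as a VPN server (the wizard's "VPN access" choice).
if ((Get-RemoteAccess).VpnStatus -ne 'Installed') {
    Install-RemoteAccess -VpnType Vpn -ErrorAction Stop
}

# Windows Firewall rule for the service (required by the page's prerequisites):
# enable the predefined "Routing and Remote Access" rule group.
Enable-NetFirewallRule -DisplayGroup 'Routing and Remote Access'

# Steps 12-13: accept only EAP for user authentication. Password methods such
# as MS-CHAPv2 are not listed here and so are not accepted.
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP -PassThru

# Steps 14-17: no DHCP on this server, so assign client addresses from a
# static pool (netsh ras ip is used because the RemoteAccess module has no
# cmdlet for the IPv4 pool on a plain RRAS server).
netsh ras ip set addrassign method=pool
netsh ras ip add range from=$PoolStart to=$PoolEnd

# netsh changes take effect after the service restarts.
Restart-Service RemoteAccess

# Stage 2, steps 6-8: "Allow access" on the user's Dial-in tab is stored in
# the msNPAllowDialin attribute of the account.
Import-Module ActiveDirectory -ErrorAction Stop
Set-ADUser -Identity $VpnUser -Replace @{ msNPAllowDialin = $true }

# Checks: VPN role state, accepted user auth methods, address pool, NPS
# network policies (steps 18-31 are verified here, not changed) and the
# user's dial-in permission.
Get-RemoteAccess | Select-Object VpnStatus
Get-VpnAuthProtocol | Select-Object UserAuthProtocolAccepted
netsh ras ip show config
netsh nps show np
Get-ADUser -Identity $VpnUser -Properties msNPAllowDialin |
    Select-Object Name, msNPAllowDialin
```

Run the script in an elevated PowerShell window on the domain controller. After it finishes, `Get-VpnAuthProtocol` should list only EAP, `netsh ras ip show config` should show the pool method with the configured range, and `msNPAllowDialin` for the user should be True; if the NPS policy listed by `netsh nps show np` still denies access or lacks the smart card EAP type, complete steps 18 to 31 in the console.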

Server setup is complete. Now you need to set up a remote connection to the virtual private network (VPN) on the client computer.
