Post on 16-Jan-2016

Module 11: Remote Access Fundamentals

• Remote Access Overview

• RADIUS Overview

• Network Policy Server

• Troubleshooting Remote Access

Lesson 1: Remote Access Overview

• What Is Remote Access?

• Discussion: Characteristics of VPN and Dial-up Connections

• VPN Protocols

• What Is Routing and Remote Access?

What Is Remote Access?

Remote access is access to corporate resources from outside the corporate network

[Diagram labels: Remote Access Server; Remote Computer at Internet Hot Spot; Wireless Access Point; Wireless Clients; Remote Computer at Home; Corporate resources]

Mahesh Narayanan
One could also place a firewall in front of the RAS server, and therefore one could emphasize the following aspects:
• To configure the firewall with rules to open TCP port 1723 for a PPTP-based VPN tunnel and to open IP protocol 47 (GRE).
• Or, for an L2TP-based VPN tunnel over IPsec, to open UDP port 500 and IP protocol 50.
• In the case of an SSTP-based VPN tunnel, one needn't have any explicit configuration, as typically TCP port 443 (used for HTTPS) would be opened by default on the firewall.

Discussion: Characteristics of VPN and Dial-up Connections

What are the characteristics of VPN and Dial-up connections?

VPN Protocols

VPN protocols and their descriptions:

Point-to-Point Tunneling Protocol (PPTP)

• Widely supported in clients

• Traverses NAT easily

• Easy to configure

Layer 2 Tunneling Protocol (L2TP)

• Uses IPsec to encrypt data

• Increased security over PPTP

• More difficult to configure

Secure Socket Tunneling Protocol (SSTP)

• Uses Secure Sockets Layer (SSL) to encrypt data

• Can pass through proxy servers on port 443

• Easy to configure

VPN connections can use various protocols to provide encryption

What Is Routing and Remote Access?

Router:

• Typically used on small networks

• Less expensive than hardware-based routers

• Network Address Translation (NAT) for Internet access

Remote Access server:

• VPN server

• Dial-up server

• Demand dial connection to help secure connectivity between two locations

Routing and Remote Access is a component that allows Windows Server® 2008 to act as a router and remote access server

Lesson 2: RADIUS Overview

• What Is RADIUS?

• How RADIUS Works for Remote Access

• How RADIUS Works for 802.1X Connections

• Discussion: Benefits of RADIUS

• What Is A RADIUS Proxy?

What Is RADIUS?

[Diagram labels: RADIUS Server; RADIUS Client; Remote Access Client; Directory Server; Remote Access Server]

Remote Authentication Dial In User Service (RADIUS) is a protocol for controlling authentication, authorization, and accounting

How RADIUS Works for Remote Access

For remote access, RADIUS:

• Enables an ISP to authenticate users against a corporate directory such as Active Directory® Domain Services

• Enables accounting for all remote access to be centralized in a single location

[Diagram labels: Corporate Office; ISP; RADIUS Client; Remote Access Client; RADIUS Server; Domain Controller]

How RADIUS Works for 802.1X Connections

[Diagram labels: RADIUS Client; Clients; RADIUS Server; Domain Controller]

For 802.1X, RADIUS:

• Authenticates network connections

• Can be used for wired or wireless connections

Discussion: Benefits of RADIUS

What are the benefits of using RADIUS?

What Is a RADIUS Proxy?

A RADIUS proxy distributes RADIUS requests to the appropriate RADIUS server

[Diagram labels: RADIUS Client; Remote Access Client; RADIUS Proxy; RADIUS Server; ISP; Company A; Company B]

Lesson 3: Network Policy Server

• What Is Network Policy Server?

• What Is Network Access Protection?

• What Are Connection Request Policies?

• What Are Network Policies?

• Demonstration: Configuring NPS Policies

What Is Network Policy Server?

Network Policy Server replaces Internet Authentication Service (IAS) from earlier versions of Microsoft® Windows®

Network Policy Server is a role service that can function as a:

• RADIUS server

• RADIUS proxy

• Network Access Protection server

What Is Network Access Protection?

Network Access Protection is a system that:

• Enforces client health before it allows access to the network

• Does not block intruders or malicious users

• Has various enforcement mechanisms

Enforcement mechanisms include:

• IPsec

• 802.1X

• VPN

• DHCP

• RADIUS

What Are Connection Request Policies?

Connection request policies are part of the RADIUS proxy functionality in NPS. They:

• Determine whether authentication of connection requests is performed locally or passed to another RADIUS server.

• Contain conditions and settings

• Must be configured for NAP with 802.1X or VPN even when requests are processed locally

Some potential conditions:

• User Name

• Client IPv4 address

• Service Type

• Client Vendor

• Tunnel Type

• Called Station ID

• Day and Time Restrictions

What Are Network Policies?

Network policy components and their descriptions:

• Conditions: Determine whether this policy is used to evaluate a connection request

• Access permission: Determine whether access is allowed, denied, or determined by user dial-in properties

• Authentication methods: Determine the authentication methods that can be negotiated

• Constraints: Limits on the connection such as idle time or maximum connection time

• Settings: Set characteristics of the connection such as encryption or IP filters

Network policies control remote access requests, replacing remote access policies in earlier versions of Windows
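NPS evaluates network policies in order and uses the first one whose conditions all match, so a broad policy placed early can make a later, more specific policy unreachable. The following is an added example, not NPS code and not part of the original slides: a simplified Python model of that evaluation plus a check for shadowed policies. The attribute names (`tunnel_type`, `windows_group`, `auth_method`, `dial_in`) and the sample policies are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NetworkPolicy:
    name: str
    conditions: dict          # attribute -> set of values that match
    access: str               # "grant", "deny" or "user-dial-in"
    auth_methods: set = field(default_factory=set)  # empty = any method

def matches(policy, request):
    # A policy is used only if every one of its conditions matches.
    return all(request.get(a) in ok for a, ok in policy.conditions.items())

def evaluate(policies, request):
    """First matching policy decides; returns (decision, policy name)."""
    for p in policies:
        if not matches(p, request):
            continue
        if p.auth_methods and request.get("auth_method") not in p.auth_methods:
            return ("reject", p.name)      # unmet constraint: no fall-through
        access = request.get("dial_in", "deny") if p.access == "user-dial-in" else p.access
        return ("accept" if access in ("grant", "allow") else "reject", p.name)
    return ("reject", None)                # no policy matched

def shadowed(policies):
    """Pairs (policy, earlier policy) where the earlier one matches
    every request the later one could match, so the later never runs."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if all(a in later.conditions and later.conditions[a] <= ok
                   for a, ok in earlier.conditions.items()):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample policies and request (names are illustrative).
BLOCK_VPN = NetworkPolicy("Block all VPN", {"tunnel_type": {"PPTP", "L2TP", "SSTP"}}, "deny")
ADMIN_VPN = NetworkPolicy("Admins over SSTP",
                          {"tunnel_type": {"SSTP"}, "windows_group": {"VPN-Admins"}},
                          "grant", auth_methods={"EAP"})
REQUEST = {"tunnel_type": "SSTP", "windows_group": "VPN-Admins", "auth_method": "EAP"}

if __name__ == "__main__":
    for order in ([BLOCK_VPN, ADMIN_VPN], [ADMIN_VPN, BLOCK_VPN]):
        print([p.name for p in order], evaluate(order, REQUEST), shadowed(order))
```

With the broad deny policy first, the administrator's request is rejected and the specific policy is reported as shadowed; moving the specific policy to the top reverses the result.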

Demonstration: Configuring NPS Policies

In this demonstration, you will see how to configure:

• A connection request policy

• A network policy

Lesson 4: Troubleshooting Remote Access

• What Is NPS Accounting?

• Common Remote Access Issues

• Process for Troubleshooting Remote Access Issues

What Is NPS Accounting?

NPS Accounting is an administration tool that:

• Is used for logging

• Applies only to locally authenticated connections

• Can be used for connection analysis and billing

• Can be used for security investigation

• Can store data in a file or a Microsoft SQL Server® Database

Common Remote Access Issues

Some common remote access issues are:

• Client configuration

• Firewall configuration

• Network Policy configuration

Discussion: Process for Troubleshooting Remote Access Issues

What are some methods used to troubleshoot remote access issues?

Lab: Implementing Remote Access

• Exercise 1: Implementing a VPN server

• Exercise 2: Implementing a RADIUS server

• Exercise 3: Implementing a RADIUS proxy

Logon information

Virtual machines: NYC-DC1, NYC-RAS, NYC-CL1

User name: Administrator

Password: Pa$$w0rd

Estimated time: 60 minutes

Lab Review

• Does the NPS service role of the Network Policy and Access Services role have to be installed to create network policies?

• Why were the policies created during this lab moved to be evaluated first?

• Why did a network policy have to be created on NYC-DC1 when one already existed on NYC-SRV1?

Module Review and Takeaways

• Review Questions

• Real-world Issues and Scenarios

• Tools