Microsoft ® Official Course Module 7 Configuring and Troubleshooting Remote Access.



Module Overview

• Configuring Network Access
• Configuring VPN Access
• Overview of Network Policies
• Troubleshooting Routing and Remote Access
• Configuring DirectAccess


Lesson 1: Configuring Network Access

• Components of a Network Access Services Infrastructure
• What Is the Network Policy and Access Services Role?
• What Is the Remote Access Role?
• Network Authentication and Authorization
• Authentication Methods
• What Is a PKI?
• Integrating DHCP with Routing and Remote Access


Components of a Network Access Services Infrastructure

[Diagram. Network zones shown: Internet, Perimeter Network, Intranet, Restricted Network. Components shown: NAP Health Policy Server, DHCP Server, Health Registration Authority, IEEE 802.1X Devices, AD DS, VPN Server, Remediation Servers, Network Policy Server, CA.]


What Is the Network Policy and Access Services Role?

With the Network Policy and Access Services role, you can:
• Enforce health policies
• Help to secure wireless and wired access
• Centralize network policy management


What Is the Remote Access Role?

You can use the Remote Access role to:
• Provide remote users access to resources on a private network over a VPN or dial-up connection
• Provide NAT services
• Provide LAN and WAN routing services to connect network segments
• Enable and configure DirectAccess


Network Authentication and Authorization

• Authentication:
  • Verifies the credentials of a connection attempt
  • Uses an authentication protocol to send the credentials from the remote access client to the remote access server in either plain text or encrypted form

• Authorization:
  • Verifies that the connection attempt is allowed
  • Occurs after successful authentication


Authentication Methods

Protocol: PAP
Description: Uses plaintext passwords. Typically used if the remote access client and remote access server cannot negotiate a more secure form of validation.
Security level: The least secure authentication protocol. Does not protect against replay attacks, remote client impersonation, or remote server impersonation.

Protocol: CHAP
Description: A challenge-response authentication protocol that uses the industry-standard MD5 hashing scheme.
Security level: An improvement over PAP in that the password is not sent over the PPP link. Requires a plaintext version of the password to validate the challenge response. Does not protect against remote server impersonation.

Protocol: MS-CHAPv2
Description: An upgrade of MS-CHAP. Provides two-way authentication, also known as mutual authentication. The remote access client receives verification that the remote access server to which it is dialing in has access to the user’s password.
Security level: Provides stronger security than CHAP.

Protocol: EAP
Description: Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types.
Security level: Offers the strongest security by providing the most flexibility in authentication variations.
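The difference between the PAP and CHAP rows of this table is easiest to see in code. The following is an added example written for this page, not code from the course or from Windows: a Python model of a PPP authenticator (server) and peer (client) that frames a PAP request as RFC 1334 describes and computes a CHAP response as RFC 1994 describes (MD5 over identifier, secret and challenge). MD5 appears because the protocol specifies it, not as a recommendation; usernames, secrets and challenges are constructed.

```python
"""PAP vs CHAP on a PPP link: an added model for this page (not course code).

Framing follows RFC 1334 (PAP) and RFC 1994 (CHAP); usernames, secrets and
challenges below are constructed for the example.
"""
import hashlib
import os
import secrets


def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """PAP Authenticate-Request payload: the password itself goes on the wire."""
    user = peer_id.encode()
    pw = password.encode()
    return bytes([len(user)]) + user + bytes([len(pw)]) + pw


def chap_challenge() -> tuple[int, bytes]:
    """Authenticator (server) side: a new Identifier and a random Challenge per attempt."""
    return secrets.randbelow(256), os.urandom(16)


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Peer (client) side, RFC 1994 section 4.1: MD5(Identifier || secret || Challenge).

    MD5 is what the protocol specifies; it is used here to model CHAP, not as advice.
    """
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(identifier: int, stored_secret: str, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the digest and compare in constant time.

    The secret must be available in plaintext here; a one-way password hash
    would not let the authenticator reproduce the expected Response.
    """
    expected = chap_response(identifier, stored_secret, challenge)
    return secrets.compare_digest(expected, response)


def run_chap_exchange(secret_on_client: str, secret_on_server: str) -> bool:
    """One full CHAP round: Challenge -> Response -> Success/Failure."""
    identifier, challenge = chap_challenge()                            # server -> client
    response = chap_response(identifier, secret_on_client, challenge)   # client -> server
    return chap_verify(identifier, secret_on_server, challenge, response)  # server decides


def password_visible_on_link(payload: bytes, password: str) -> bool:
    """Comparison helper: does the on-link payload contain the password itself?"""
    return password.encode() in payload


if __name__ == "__main__":
    print("PAP reveals password:", password_visible_on_link(
        pap_authenticate_request("alice", "constructed-pw"), "constructed-pw"))
    print("CHAP round succeeds:", run_chap_exchange("constructed-pw", "constructed-pw"))
```

Two statements from the table fall out directly: `chap_verify` needs the plaintext secret to recompute the digest, so the authenticator cannot hold only a one-way hash of the password; and nothing in the exchange proves to the peer that the authenticator knows the secret, which is the server-impersonation gap that MS-CHAPv2's mutual authentication closes. A response is also bound to the challenge it answered, so a reused response fails against a fresh challenge.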


What Is a PKI?

[Diagram of PKI components: CA; Digital Certificates; CRLs and Online Responders; Certificate Templates; Certificates and CA Management Tools; AIA and CDPs; Public Key–Enabled Applications and Services.]


Integrating DHCP with Routing and Remote Access

• You can provide remote clients with IP configurations by using either:
  • A static pool created on the Remote Access server for use with remote clients
  • A DHCP server

• DHCP servers that run Windows Server 2012:
  • Provide a predefined user class called the Default Routing and Remote Access Class
  • Are useful for assigning options that are provided to Routing and Remote Access clients only


Lesson 2: Configuring VPN Access

• What Is a VPN Connection?
• Tunneling Protocols for VPN Connections
• What Is VPN Reconnect?
• Configuration Requirements
• Demonstration: How to Configure VPN Access
• Completing Additional Configuration Tasks
• What Is the Connection Manager Administration Kit?
• Demonstration: How to Create a Connection Profile


What Is a VPN Connection?

[Diagram. Labels shown: Corporate Headquarters, Large Branch Office, Medium Branch Office, Small Branch Office, Home Office with VPN Client, Remote User with VPN Client, VPN, and four VPN Servers.]


Tunneling Protocols for VPN Connections

• Windows Server 2012 supports the following VPN tunneling protocols:
  • PPTP
  • L2TP/IPsec
  • SSTP
  • IKEv2


What Is VPN Reconnect?

VPN Reconnect maintains connectivity across network outages.

• VPN Reconnect:
  • Provides seamless and consistent VPN connectivity
  • Uses the IKEv2 technology
  • Automatically re-establishes VPN connections when connectivity is available
  • Maintains the connection if users move between different networks
  • Provides transparent connection status to users


Configuration Requirements

VPN server configuration requirements include:
• Two network interfaces (public and private)
• IP address allocation (static pool or DHCP)
• Authentication provider (NPS/RADIUS or the VPN server)
• DHCP relay agent considerations
• Membership in the Local Administrators group or equivalent


Demonstration: How to Configure VPN Access

In this demonstration, you will see how to:
• Configure Remote Access as a VPN server
• Configure a VPN client


Completing Additional Configuration Tasks

You may need to perform additional steps to help to secure the installation of Remote Access:
• Configure static packet filters
• Configure services and ports
• Adjust logging levels for routing protocols
• Configure the number of available VPN ports
• Create a Connection Manager profile for users
• Add Certificate Services
• Increase remote access security
• Increase VPN security
• Consider implementing VPN Reconnect


What Is the Connection Manager Administration Kit?

The CMAK:
• Allows you to customize users’ remote connection experience by creating predefined connections on remote servers and networks
• Creates an executable file that can be run on a client computer to establish a network connection that you have designed
• Reduces Help Desk requests related to the configuration of RAS connections by:
  • Assisting in problem resolution because the configuration is known
  • Reducing the likelihood of user errors when they configure their own connection objects


Demonstration: How to Create a Connection Profile

In this demonstration, you will see how to:
• Install CMAK
• Create a connection profile
• Examine the profile


Lesson 3: Overview of Network Policies

• What Is a Network Policy?
• Network Policy Processing
• Process for Creating and Configuring a Network Policy
• Demonstration: How to Create a Network Policy


What Is a Network Policy?

A network policy consists of the following elements:
• Conditions
• Constraints
• Settings


Network Policy Processing

[Flowchart, reconstructed as steps. Policies are processed in order; the first policy whose conditions match decides the outcome.]
1. START: Are there policies to process? If no, reject the connection attempt.
2. Does the connection attempt match the policy conditions? If no, go to the next policy (back to step 1).
3. Is the remote access permission for the user account set to Deny Access? If yes, reject the connection attempt.
4. Is the remote access permission for the user account set to Allow Access? If yes, go to step 6.
5. Is the remote access permission on the policy set to Deny remote access permission? If yes, reject the connection attempt.
6. Does the connection attempt match the user object and profile settings? If yes, accept the connection attempt; if no, reject the connection attempt.
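The decision order in this flowchart is what makes the ordering of policies matter. The following is an added illustration written for this page, not NPS code or code from the course: a Python model of the flow, with constructed policy names, groups, times and helper functions (`member_of`, `tunnel_in`, `day_and_time`, `evaluate`). It goes slightly beyond the chart by replaying the two-policy scenario posed in this module's review questions: an all-staff policy with a day-and-time constraint listed above an administrators-only policy with no constraints.

```python
"""Network policy processing order: an added model for this page (not NPS code).

NPS walks its policies from top to bottom and stops at the first one whose
conditions match. Only then do the account's dial-in permission and that
policy's constraints come into play; if the constraints fail, the attempt is
rejected and no later policy is tried. Policy names, groups and times below
are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

Check = Callable[["ConnectionAttempt"], bool]


@dataclass(frozen=True)
class ConnectionAttempt:
    user: str
    groups: frozenset
    tunnel_type: str              # e.g. "PPTP", "L2TP", "SSTP", "IKEv2"
    when: datetime


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    conditions: tuple             # all must match for the policy to apply
    constraints: tuple            # evaluated only after the policy applies
    grant: bool = True            # the policy's own grant/deny access setting


# Builders for conditions and constraints (constructed helpers, not NPS names).
def member_of(group: str) -> Check:
    return lambda a: group in a.groups


def tunnel_in(*types: str) -> Check:
    return lambda a: a.tunnel_type in types


def day_and_time(first_hour: int, last_hour: int, weekdays=range(0, 5)) -> Check:
    """Allowed window: given weekdays (0 = Monday) and first_hour <= hour < last_hour."""
    return lambda a: a.when.weekday() in weekdays and first_hour <= a.when.hour < last_hour


def evaluate(attempt: ConnectionAttempt, policies: list,
             account_permission: str = "policy") -> tuple:
    """Return (decision, deciding_policy_name), following the flowchart.

    account_permission is the user object's dial-in setting: "allow", "deny",
    or "policy" (control access through NPS network policy).
    """
    for policy in policies:                                       # policies to process?
        if not all(cond(attempt) for cond in policy.conditions):
            continue                                              # no match: next policy
        if account_permission == "deny":                          # account: Deny Access
            return ("reject", policy.name)
        if account_permission != "allow" and not policy.grant:    # policy: deny permission
            return ("reject", policy.name)
        if all(c(attempt) for c in policy.constraints):           # profile settings match?
            return ("accept", policy.name)
        return ("reject", policy.name)                            # matched, but constrained out
    return ("reject", None)                                       # no policy matched


# Constructed policies mirroring the review-question scenario.
ALL_STAFF_OFFICE_HOURS = NetworkPolicy(
    name="All staff, office hours",
    conditions=(member_of("Contoso"),),
    constraints=(day_and_time(9, 17), tunnel_in("PPTP", "L2TP", "SSTP", "IKEv2")),
)
ADMINS_ANY_TIME = NetworkPolicy(
    name="Domain Admins, any time",
    conditions=(member_of("Domain Admins"),),
    constraints=(),
)

# A domain admin (who, like everyone, is also in Contoso) connecting Tuesday 22:00.
ADMIN_AT_NIGHT = ConnectionAttempt(
    user="admin1", groups=frozenset({"Contoso", "Domain Admins"}),
    tunnel_type="SSTP", when=datetime(2024, 3, 12, 22, 0))

if __name__ == "__main__":
    print(evaluate(ADMIN_AT_NIGHT, [ALL_STAFF_OFFICE_HOURS, ADMINS_ANY_TIME]))  # rejected
    print(evaluate(ADMIN_AT_NIGHT, [ADMINS_ANY_TIME, ALL_STAFF_OFFICE_HOURS]))  # accepted
```

Because the all-staff policy's conditions match an administrator too, processing stops there and its day-and-time constraint rejects the attempt; the unconstrained administrators policy is never reached. Listing the more specific policy first, as the second `evaluate` call does, is the fix. The model also shows that an account set to Allow Access still has to pass the matched policy's constraints, and that an account set to Deny Access is rejected by whichever policy matches first.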


Process for Creating and Configuring a Network Policy

To create a network policy:
• Determine authorization by user or group
• Determine appropriate settings for the user account’s network access permissions

To configure the New Network Policy Wizard:
• Configure network policy conditions
• Configure network policy constraints
• Configure network policy settings


Demonstration: How to Create a Network Policy

In this demonstration, you will see how to:
• Create a VPN policy based on the Windows Groups condition
• Test the VPN


Lesson 4: Troubleshooting Routing and Remote Access

• Configuring Remote Access Logging
• Configuring Remote Access Tracing
• Resolving General VPN Problems
• Troubleshooting Other Issues


Configuring Remote Access Logging

You can configure remote access logging to:
• Log errors only
• Log errors and warnings
• Log all events
• Not log any events
• Log additional routing and remote access information


Configuring Remote Access Tracing

• You can configure remote access tracing by using:
  • The Netsh command:

    Netsh ras diagnostics set rastracing * enabled (enables tracing on all components in RAS)

  • The Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing

Tracing consumes resources; use it for troubleshooting only, and then disable it.


Resolving General VPN Problems

• Verify the host name
• Verify the credentials
• Verify the user account
• Reset the password
• Verify that the user account has not been locked
• Check that Routing and Remote Access is running
• Verify that the VPN server is enabled for remote access
• Verify the WAN Miniport protocols
• Check for a common authentication method
• Check for at least one common encryption strength
• Verify the connection’s parameters


Troubleshooting Other Issues

Common problems regarding remote access include:
• Error 800: VPN unreachable
• Error 721: Remote computer not responding
• Error 741/742: Encryption mismatch
• L2TP/IPsec issues
• EAP-TLS issues


Lab A: Configuring Remote Access

• Exercise 1: Configuring a Virtual Private Network Server
• Exercise 2: Configuring VPN Clients

Logon Information
Virtual machines: 20411B-LON-DC1, 20411B-LON-RTR, 20411B-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 30 minutes


Lab A Scenario

A. Datum Corporation wants to implement a Remote Access solution for its employees so they can connect to the corporate network while away from the office. You are required to enable and configure the necessary server services to facilitate this remote access. To support the VPN solution, you need to configure a Network Policy that reflects corporate remote connection policy. For the pilot, only the IT security group should be able to use VPN. Required conditions include the need for a client certificate, and connection hours are only allowed between Monday and Friday, at any time.


Review Questions

• If you use the alternative solution, how many addresses are allocated to the VPN server at one time?

• In the lab, you configured a policy condition of tunnel type and a constraint of a day and time restriction. If there were two policies—the one you created plus an additional one that had a condition of membership of the Domain Admins group and constraints of tunnel type (PPTP or L2TP)—why might your administrators be unable to connect out of office hours?


Lesson 5: Configuring DirectAccess

• Complexities of Managing VPNs
• What Is DirectAccess?
• Components of DirectAccess
• What Is the Name Resolution Policy Table?
• How DirectAccess Works for Internal Clients
• How DirectAccess Works for External Clients
• Prerequisites for Implementing DirectAccess
• Configuring DirectAccess


Complexities of Managing VPNs

VPN connections can pose the following problems:
• Users must initiate the VPN connections
• The connections may require multiple steps to initiate
• Firewalls can pose additional considerations
• Troubleshooting failed VPN connections can be time-consuming
• VPN-connected computers are not easily managed


What Is DirectAccess?

Features of DirectAccess:
• Connects automatically to the corporate network over the public network
• Uses various protocols, including HTTPS, to establish IPv6 connectivity
• Supports selected server access and IPsec authentication
• Supports end-to-end authentication and encryption
• Supports management of remote client computers
• Allows remote users to connect directly to intranet servers


Components of DirectAccess

[Diagram. Components shown: Internet websites; DirectAccess server; AD DS domain controller; DNS server; internal network resources; NLS (network location server); PKI deployment; IPv6/IPsec; external clients; NRPT and connection security rules (labelled "Consec"); internal clients.]


Name Resolution Policy Table

NRPT is a table that defines DNS servers for different namespaces and corresponding security settings; NRPT is used before the adapter’s DNS settings.

Using NRPT:
• DNS servers can be defined for each DNS namespace rather than for each interface
• DNS queries for specific namespaces can be optionally secured by using IPsec


How DirectAccess Works for Internal Client Computers

[Diagram sequence. Components shown: internal client computers; DirectAccess server; AD DS domain controller; DNS server; CRL distribution point; NLS; internal network resources; Internet websites. Labels: connection security rules, NRPT.]


How DirectAccess Works for External Client Computers

[Diagram sequence. Components shown: external client computers; DirectAccess server; AD DS domain controller; DNS server; internal network resources; Internet websites. Labels: connection security rules, NRPT, and the Infrastructure and Intranet tunnels.]


Prerequisites for Implementing DirectAccess

[Diagram of a sample deployment. Prerequisites shown:]
• AD DS
• Group Policy
• IPv6 and transition technologies
• ICMPv6 Echo Request traffic
• IPsec policies
• PKI
• DirectAccess server
• DNS and domain controller


Configuring DirectAccess

To configure DirectAccess:
1. Configure the AD DS domain controller and DNS
2. Configure the PKI environment
3. Configure the DirectAccess server
4. Configure the DirectAccess clients and test intranet and Internet access


Lab B: Configuring DirectAccess

• Exercise 1: Configuring the DirectAccess Infrastructure
• Exercise 2: Configuring the DirectAccess Clients
• Exercise 3: Verifying the DirectAccess Configuration

Logon Information
Virtual machines: 20411B-LON-DC1, 20411B-LON-SVR1, 20411B-LON-RTR, 20411B-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 90 minutes


Lab B Scenario

Because A. Datum Corporation has expanded, many of the employees are now frequently out of the office, either working from home or traveling. A. Datum wants to implement a remote access solution for its employees so they can connect to the corporate network while they are away from the office. Although the VPN solution that you implemented provides a high level of security, business management is concerned about the complexity of the environment for end users. In addition, IT management is concerned that they are not able to manage the remote clients effectively. To address these issues, A. Datum has decided to implement DirectAccess on client computers that are running Windows 8.

As a senior network administrator, you are required to deploy and validate the DirectAccess deployment. You will configure the DirectAccess environment, and validate that the client computers can connect to the internal network when operating remotely.


Review Questions

• Your organization wants to implement a cost-effective solution that interconnects two branch offices with your head office. In what way could VPNs play a role in this scenario?

• The IT manager at your organization is concerned about opening too many firewall ports to facilitate remote access from users that are working from home through a VPN. How could you meet the expectations of your remote users while allaying your manager’s concerns?

• You have a VPN server with two configured network policies. The first has a condition that grants access to members of the Contoso group, to which everyone in your organization belongs, but has a constraint of Day and Time restrictions for office hours only. The second policy has a condition of membership of the Domain Admins group and no constraints. Why are administrators being refused connections out of office hours, and what can you do about it?

• How does the DirectAccess client determine if it is connected to the intranet or the Internet?

• What is the use of an NRPT?


Module Review and Takeaways

• Review Questions
• Tools