Objectives

Transcript of Objectives

  • Objectives
      • Configure Network Access Services in Windows Server 2008
      • RADIUS

  • Configuring Remote Access Services in Windows Server 2008
      • Dial-up networking
          • Connects remote users using a phone line
      • Virtual Private Networks
          • Allow client connections to your network from remote locations
          • Works by creating a secure tunnel for transmitting data packets between two points
          • VPN tunneling protocols: Point-to-Point Tunneling Protocol, Layer 2 Tunneling Protocol, Secure Socket Tunneling Protocol

  • A VPN Tunnel
      • Point-to-Point Tunneling Protocol (PPTP)
      • Layer Two Tunneling Protocol (L2TP)
      • IP Security (IPSec) tunnel mode
      • IP-in-IP

    *MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration

  • VPN Remote Access
      • Uses Internet to transmit private information
      • Encryption is used
      • High speed and reduced maintenance
      • Security risk presented by allowing access to network resources from the Internet
      • Windows Server 2008 uses RRAS as a VPN server
      • Remote computers are configured as VPN clients

  • Corporate Internetwork

  • Implement a VPN through a NAT Server

  • Enable and Configure a VPN Server
      • Enabling packet filters should only be chosen if the server has multiple network cards with the filtered card connected to the Internet and the unfiltered cards connected to VPN traffic

  • VPN Protocols
      • PPTP and L2TP are supported by Windows Server 2008
      • By default, 128 PPTP ports and 128 L2TP ports are available
      • Can increase the number of ports, or disable a protocol by setting the number of ports to zero
      • PPTP is the most popular and can function through NAT
      • L2TP requires IPSec to function

  • VPN Protocols (continued)

  • Configuring Remote Access Servers
      • Control authentication and logging
      • Server and client must support a common protocol to authenticate and connect:
          • No Authentication
          • Password Authentication Protocol
          • Shiva Password Authentication Protocol
          • Challenge Handshake Authentication Protocol
          • Microsoft Challenge Handshake Authentication Protocol
          • Microsoft Challenge Handshake Authentication Protocol version 2
          • Extensible Authentication Protocol
      • Specify whether or not the server is a router for IP, and if it allows IP-based remote access connections
      • Enable broadcast name resolution

  • Allowing Client Access
      • By default, none of the users are granted remote access permission
      • Remote access permission is controlled by their user object
      • If RRAS does not participate in Active Directory, the user object is stored in the local user account database
      • If RRAS belongs to an Active Directory domain, the user object is stored in the Active Directory database located on the domain controller

  • Network Access Policies
      • Control who is allowed to access remotely
      • Depends on the domain's functional level (mixed, 2000 native, 2003 native or 2008)
      • Depends on the machine the user is connecting to
      • To use remote access, you must understand:
          • Network access policy components
          • Network access policy evaluation
          • Default network access policies: Deny access

  • Network Access Policy Components
      • Composed of Conditions, Constraints, and Settings
      • Conditions are criteria that must be met in order for a remote access policy to apply to a connection
      • Allow if constraints are met and deny if not
      • After conditions and constraints are met, settings are applied to the connection

  • Network Access Policy Evaluation
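
An added example, not part of the original slides: a small Python model of the conditions, constraints and settings listed under Network Access Policy Components. Checking policies in order and stopping at the first one whose conditions match is an assumption based on how NPS processes policies; the group name, tunnel types, authentication methods and settings values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NetworkPolicy:
    name: str
    conditions: list            # every predicate must match for the policy to apply
    constraints: list           # every predicate must hold or the connection is denied
    settings: dict = field(default_factory=dict)  # applied only when access is allowed
    grant: bool = True          # False models a "Deny access" policy

def evaluate(policies, request):
    """Return (decision, policy_name, settings) for one connection request."""
    for policy in policies:     # assumption: policies are checked in processing order
        if not all(cond(request) for cond in policy.conditions):
            continue            # conditions not met: this policy does not apply
        if not policy.grant or not all(c(request) for c in policy.constraints):
            return ("deny", policy.name, {})   # no fall-through to later policies
        return ("allow", policy.name, dict(policy.settings))
    return ("deny", None, {})   # nothing matched: access is denied

# Constructed sample policies (names and values are illustrative only).
POLICIES = [
    NetworkPolicy(
        name="VPN users",
        conditions=[lambda r: "VPN-Users" in r["groups"],
                    lambda r: r["tunnel"] in {"PPTP", "L2TP"}],
        constraints=[lambda r: r["auth"] in {"MS-CHAPv2", "EAP"}],
        settings={"idle_timeout_min": 15},
    ),
    NetworkPolicy(name="Deny all other connections", conditions=[],
                  constraints=[], grant=False),
]

if __name__ == "__main__":
    samples = [  # constructed connection requests
        {"groups": ["VPN-Users"], "tunnel": "L2TP", "auth": "MS-CHAPv2"},
        {"groups": ["VPN-Users"], "tunnel": "PPTP", "auth": "PAP"},
        {"groups": ["Staff"], "tunnel": "PPTP", "auth": "MS-CHAPv2"},
    ]
    for req in samples:
        print(req, "->", evaluate(POLICIES, req))
```

The second sample shows the case that is easy to miss: a request that meets the conditions but fails a constraint is denied by that policy and is not passed on to later ones.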

  • Creating a VPN Client Connection
      • Configure VPN clients on client machines, e.g. Windows XP
      • Windows Server 2008 can be configured as a VPN client
      • Create VPN connections using the New Connection Wizard in XP or earlier and the Set up a connection or network wizard in Vista and 2008
      • Specify IP address (or FQDN) of VPN server
      • Configure whether or not an initial connection is created
      • Configure dialing and redialing options
      • Specify if password and data encryption are required
      • Configure the network configuration for the VPN connection
      • Configure an Internet connection firewall and Internet connection sharing

  • Routing and Remote Access and DHCP
      • Provide remote access clients with IP addresses during a dial-up connection.
      • Dynamic configuration is different than LAN-based clients.
      • Server Assigned IP Address option.
      • Routing and Remote Access uses DHCP to lease addresses.
      • DHCP leases are released when Routing and Remote Access is shut down.
      • Number of leased addresses can be configured.

  • Troubleshooting Remote Access
      • Software configuration errors by users or administrators
      • Incorrect phone numbers and IP addresses
      • Incorrect authentication settings
      • Incorrectly configured network access policies
      • Name resolution is not configured
      • Clients receive incorrect IP options
      • Best troubleshooting tools include:
          • Log files
          • Error messages
          • Network Monitor
          • Ipconfig and Ping command line tools
      • Hardware errors can also cause problems

  • Hardware Errors
      • Common hardware troubleshooting tips:
          • Ensure hardware is on the Microsoft hardware compatibility list
          • Use ping to determine if the address is reachable
          • See if you can dial in to a different remote access server
          • Ensure there is a link light on the network card

  • Resource Kit Utilities
      • RASLIST.EXE
      • RASSRVMON.EXE
      • RASUSERS.EXE
      • TRACEENABLE.EXE

  • RASSRVMON.EXE
      • Monitors remote access server activities in great detail
      • Provides:
          • Server information
          • Port information
          • Summary information
          • Individual connection information
      • Alerting set up to run program of choice

  • Introduction to Network Policy Server
      • Network Policy Server (NPS): role service that provides a framework for creating and enforcing network access policies for client health
      • Can be used to:
          • Configure a RADIUS server
          • Configure a RADIUS proxy
          • Configure and implement Network Access Protection (NAP)

  • Introduction to RADIUS
      • RADIUS: industry-standard protocol that provides centralized authentication, authorization, and accounting for network access devices
      • Components of RADIUS
          • RADIUS clients: VPN server, network access servers
          • RADIUS proxy
          • RADIUS server: performs authentication & authorization
          • User account database

  • Server 2008 NPS Console
      • NPS Console: central utility for managing:
          • RADIUS clients and remote RADIUS servers
          • Network health and access policies
          • NAP settings for NAP scenarios
          • Logging settings
