Troubleshooting and Supporting Windows® 7 in the Enterprise_06
Module 6
Troubleshooting Remote Connectivity Issues
Module Overview
• Troubleshooting VPN Connectivity Issues
• Using Remote Desktop
• Troubleshooting User Issues by Using Remote Assistance
• Troubleshooting NAP Issues
• Troubleshooting DirectAccess Issues
Lesson 1: Troubleshooting VPN Connectivity Issues
• What Is a Virtual Private Network?
• VPN Tunneling Protocols
• VPN Authentication Methods
• Demonstration: How to Create a VPN Connection
• What Are Network Policies?
• Troubleshooting VPNs
• What Is VPN Reconnect?
What Is a Virtual Private Network?
[Diagram labels: Large Branch Office, Medium Branch Office, Small Branch Office, Home Office with VPN Client, Remote User with VPN Client, Corporate Headquarters, VPN, VPN Server]
VPN Tunneling Protocols
Windows 7 supports four VPN tunneling protocols:
PPTP
L2TP/IPsec
SSTP
IKEv2
VPN Authentication Methods
PAP
• Description: Uses plaintext passwords. Used if remote access client and remote access server cannot negotiate a more secure form of validation.
• Security level: Least secure authentication protocol. Does not protect against: replay attacks, remote client impersonation, remote server impersonation.
CHAP
• Description: A challenge-response authentication protocol. Uses the industry-standard MD5 hashing scheme to encrypt the response.
• Security level: An improvement over PAP because password is not sent over the PPP link. Requires plaintext version of the password to validate the challenge response. Does not protect against remote server impersonation.
MS-CHAPv2
• Description: An upgrade of MS-CHAP. Two-way/mutual authentication provided. Remote access client receives verification that the remote access server has access to the user’s password.
• Security level: Provides stronger security than CHAP.
EAP
• Description: Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types.
• Security level: Offers the strongest security by providing the most flexibility in authentication variations.
Demonstration: How to Create a VPN Connection
In this demonstration, you will see how to:
• Configure user dial-in settings
• Configure Routing and Remote Access as a VPN server
• Configure a VPN client
What Are Network Policies?
[Flowchart: network policy processing, from START to "Accept connection attempt" or "Reject connection attempt". Decision points:
• Are there policies to process?
• Does connection attempt match policy conditions? (No: Go to next policy)
• Is the remote access permission for the user account set to Deny Access?
• Is the remote access permission for the user account set to Allow Access?
• Is the remote access permission on the policy set to Deny remote access permission?
• Does the connection attempt match the user object and profile settings?]
A network policy consists of the following elements:
Conditions
Constraints
Settings
Network policies enable you to designate who is authorized to connect to the network, and the circumstances under which they can or cannot connect.
Troubleshooting VPNs
[Diagram labels: Remote User with VPN Client, VPN, VPN Server, Corporate Headquarters]
What Is VPN Reconnect?
The VPN Reconnect feature maintains connectivity across network outages. It requires Windows Server 2008 R2 or Windows 7.
VPN Reconnect:
Provides seamless and consistent VPN connectivity
Uses the Internet Key Exchange version 2 (IKEv2) technology
Automatically reestablishes VPN connections when connectivity is available
Maintains the connection if users move between different networks
Makes the connection status transparent to users
Lesson 2: Using Remote Desktop
• Overview of Windows Remote Desktop
• Practice: Enabling Remote Desktop
• Configuring Remote Desktop by Using GPOs
• Troubleshooting Remote Desktop
Overview of Windows Remote Desktop
Remote Desktop
• A Windows 7 feature that enables users to connect to their desktop computer from another device
• Enables administrators to connect to multiple remote servers for administrative purposes
Practice: Enabling Remote Desktop
In this practice, you will:
• Configure the Windows Firewall
• Enable Remote Desktop
• Use Remote Desktop
15 min
Configuring Remote Desktop by Using GPOs
Troubleshooting Remote Desktop
Cannot Connect to Remote Computer
• Check the Windows 7 edition
• Check Windows Firewall status
• Check that remote desktop is enabled on the target
• Ensure the remote computer is not in sleep mode or hibernation
• Check remote desktop permissions
Remote Computer Cannot be Found
• Try using the IP address
• Check DNS records
Cannot Copy Text from Remote Computer
Ensure the clipboard is selected as a local resource
Lesson 3: Troubleshooting User Issues by Using Remote Assistance
• Using Remote Assistance to Assist Your Users
• Remote Assistance in Windows 7
• Demonstration: How to Use Remote Assistance (Optional)
• Configuring Remote Assistance by Using GPOs
Using Remote Assistance to Assist Your Users
• See remote desktop
• Chat session
• Take remote control
Remote Assistance in Windows 7
Remote Assistance
• A Windows 7 feature that enables support staff to connect to a remote desktop computer
• Optionally allows for remote control of that computer
• Assistance can be sought or offered
Demonstration: How to Use Remote Assistance (Optional)
In this demonstration, you will see how to:
• Create a Word document
• Request Remote Assistance
• Provide Remote Assistance
Configuring Remote Assistance by Using GPOs
Lesson 4: Troubleshooting NAP Issues
• What Is NAP?
• Components of NAP
• Discussion: How Would You Use NAP?
• Configuring Client-Side NAP Settings
• Best Practices for Troubleshooting NAP
What Is NAP?
Network Access Protection can:
• Enforce health-requirement policies on client computers
• Ensure client computers are compliant with policies
• Offer remediation support for computers that do not meet health requirements
Network Access Protection cannot:
• Enforce health requirement policies on client computers
• Ensure client computers are compliant with policies
Components of NAP
[Diagram labels: Internet, Perimeter Network, Intranet, Restricted Network, NAP Health Policy Server, Health Registration Authority, DHCP Server, VPN Server, IEEE 802.1X Devices, Active Directory, Remediation Servers, NAP Client with limited access]
Discussion: How Would You Use NAP?
• Can you envision using NAP?
• What NAP enforcement method would be suitable?
5 min
Configuring Client-Side NAP Settings
• Some NAP deployments that use Windows Security Health Validator require that you enable Security Center
• The Network Access Protection service is required when you deploy NAP to NAP-capable client computers
• You also must configure the NAP enforcement clients on the NAP-capable computers
Best Practices for Troubleshooting NAP
• You can use tracing logs to:
  • Evaluate the health and security of your network
  • Troubleshoot and perform maintenance on your network
• You can use the netsh NAP command to help troubleshoot NAP
• Use the Event Viewer to identify NAP-related problems
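The client-side checks from the two NAP slides above, as an added PowerShell example that is not part of the course material. It assumes an elevated prompt on the Windows 7 NAP client; the service names napagent (Network Access Protection Agent) and wscsvc (Security Center) are the built-in ones.

```powershell
# Added example, not course material. Run elevated on the Windows 7 NAP client.

# 1. Services the client-side settings slide calls for:
#    napagent = Network Access Protection Agent, wscsvc = Security Center.
foreach ($name in 'napagent', 'wscsvc') {
    $svc = Get-Service -Name $name
    if ($svc.Status -ne 'Running') {
        Write-Warning "$($svc.DisplayName) is $($svc.Status)"
    } else {
        "$($svc.DisplayName) is running"
    }
}

# 2. The netsh NAP context: overall client state, including which
#    enforcement clients are enabled and the current restriction state.
netsh nap client show state

# 3. Compare the settings delivered by Group Policy with the local ones;
#    when Group Policy settings exist they take precedence.
netsh nap client show grouppolicy
netsh nap client show configuration

# 4. Event Viewer from the command line: the 20 most recent events in the
#    NAP client operational log, newest first.
wevtutil qe Microsoft-Windows-NetworkAccessProtection/Operational /c:20 /rd:true /f:text
```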
Lesson 5: Troubleshooting DirectAccess Issues
• What Is DirectAccess?
• How Does DirectAccess Work?
• Configuring DirectAccess
• Troubleshooting DirectAccess Client Issues
What Is DirectAccess?
Features of DirectAccess:
• Connects automatically to corporate network over public network
• Uses various protocols, including HTTPS, to establish IPv6 connectivity
• Supports selected server access and IPsec authentication
• Supports end-to-end authentication and encryption
• Supports management of remote client computers
• Allows remote users to connect directly to intranet servers
Benefits of DirectAccess:
• Always-on connectivity
• Seamless connectivity
• Bidirectional access
• Improved security
• Integrated solution
[Diagram label: DirectAccess server]
How Does DirectAccess Work?
The DirectAccess client running Windows 7 detects whether it is connected to a network
The client attempts to connect to an intranet website that is specified during the DirectAccess configuration
The client connects to the DirectAccess server using IPv6 and IPsec
The DirectAccess client and server authenticate each other by using computer certificates to establish the IPsec session
The DirectAccess server verifies that the computer and user are authorized to connect by using DirectAccess
The client obtains a health certificate from an HRA located on the Internet prior to connecting to the DirectAccess server
The DirectAccess server begins forwarding traffic from the DirectAccess client to the intranet resources to which the user has been granted access
Configuring DirectAccess
Steps to Configure DirectAccess:
• Join the DirectAccess server to an Active Directory domain
• Configure the DirectAccess server on the perimeter network
• Enable ports and protocols needed for DirectAccess in the firewall exceptions
• Create a security group in Active Directory
• Install a web server on the DirectAccess server
• Designate one of the server network adapters as the Internet-facing interface
• Add and configure the Certificate Authority server role
Troubleshooting DirectAccess Client Issues
Steps to Troubleshoot DirectAccess Client Issues:
• Verify the version of Windows 7 on the client
• Verify that the client is joined to the domain and is a member of the security group
• Verify GPO application
• Verify IPv6 connectivity
• Verify correct identification of the internal and external network
• Verify the domain profile is not used on Internet
• Verify the DNS resolution for the internal network
• Verify IPsec connectivity
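The checklist above mapped to built-in commands, as an added PowerShell example that is not part of the course material. It assumes an elevated prompt on the Windows 7 client; $IntranetHost is a placeholder name, not a value from the course.

```powershell
# Added example, not course material. Run elevated on the DirectAccess client.
$IntranetHost = 'intranet.example.test'   # placeholder internal name (assumption)

# 1. Windows 7 edition: the DirectAccess client needs Enterprise or Ultimate.
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Caption -notmatch 'Enterprise|Ultimate') {
    Write-Warning "Edition '$($os.Caption)' does not include DirectAccess"
}

# 2-3. Domain membership, computer security groups and applied GPOs.
$cs = Get-WmiObject Win32_ComputerSystem
"Domain joined: $($cs.PartOfDomain) ($($cs.Domain))"
gpresult /r /scope computer

# 4. IPv6 addresses and the state of the transition technologies.
ipconfig /all
netsh interface teredo show state
netsh interface httpstunnel show interfaces

# 5. Inside/outside detection: read the machine location and the
#    DirectAccess (NRPT) settings the DNS client is using.
netsh dnsclient show state

# 6. Active firewall profile. On the Internet it should be Public or
#    Private; Domain here means the client believes it is on the intranet.
netsh advfirewall monitor show currentprofile

# 7. Name resolution for the internal network. nslookup queries the
#    configured DNS server directly and does not consult the NRPT, so
#    test with ping after listing the effective NRPT rules.
netsh namespace show effectivepolicy
ping -n 1 $IntranetHost

# 8. IPsec main-mode and quick-mode security associations; an empty list
#    means no tunnel to the DirectAccess server has been negotiated.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```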
Lab: Resolving Remote Connectivity Issues
• Exercise: Resolving a Remote Connectivity Problem
Estimated time: 30 minutes
Logon information
Virtual machines: 6293A-NYC-DC1, 6293A-NYC-SVR2, 6293A-NYC-CL1
User name: Contoso\Administrator, NYC-CL1\WSAdmin
Password: Pa$$w0rd
Lab Scenario
A user reported a recent problem connecting to the corporate intranet from his home. He cannot connect to the intranet, and receives the error documented in the help desk ticket. The help desk checked the basic network settings, but is unsure how to proceed.
Lab Review
• In the lab, your user complained of being unable to log on. What solutions did you attempt?
• What solution was successful?
Module Review and Takeaways
• Review Questions
• Tools