Date post: 14-Mar-2018

CompTIA Network+® Lab Series

Network Concepts

Lab 7: Remote Access - RDP

Objective 1.2: Classify how applications, devices and protocols relate to the OSI model
Objective 1.5: Identify common TCP and UDP default ports
Objective 5.2: Explain the methods of network access security
Objective 5.5: Given a scenario, install and configure a basic firewall
Objective 6.3: Explain the methods of network access security

Document Version: 2015-09-18

This work by the National Information Security and Geospatial Technologies Consortium (NISGTC), and except where otherwise noted, is licensed under the Creative Commons Attribution 3.0 Unported License.

Development was funded by the Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48; The National Information Security, Geospatial Technologies Consortium (NISGTC) is an entity of Collin College of Texas, Bellevue College of Washington, Bunker Hill Community College of Massachusetts, Del Mar College of Texas, Moraine Valley Community College of Illinois, Rio Salado College of Arizona, and Salt Lake Community College of Utah.

This workforce solution was funded by a grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties or assurances of any kind, express or implied, with respect to such information, including any information on linked sites, and including, but not limited to accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership.


Contents

1 Connect to Another Machine Using RDP
1.1 RDP and the OSI Model
1.2 Conclusion
1.3 Review Questions
2 Configuring the Routing and Remote Access (RRAS) Server Role
2.1 Enable RRAS and Configure It as a VPN Server for Secure Connection Between Two Private Networks (Site-to-Site VPN)
2.2 Conclusion
2.3 Review Questions
3 Use the Built-in VPN Client to Create a VPN Connection
3.1 Explore the Configuration Options of a VPN Client Connection to the Remote VPN Server
3.2 Conclusion
3.3 Review Questions


Introduction

This lab is part of a series of lab exercises designed to supplement coursework and provide students with a hands-on training experience based on real world applications. This series of lab exercises is intended to support courseware for CompTIA Network+® certification. This lab will explore Remote Desktop Protocol (RDP) as a remote access method. RDP can be used to remotely connect to a Windows-based PC and navigate the GUI using your local keyboard and mouse. By the end of this lab, students will be able to use the Remote Desktop Connection client on Windows to access a remote machine. Students will also learn how to allow or block RDP using the Windows Firewall, as well as allow specific users to connect remotely using RDP. This lab includes the following tasks:

1. Connect to Another Machine using RDP
2. Configuring the Routing and Remote Access (RRAS) server role
3. Use the Built-in VPN Client to Create a VPN Connection

Objective: Enable and Utilize RDP for Remote Access

Remote Desktop Protocol (RDP) provides users and network administrators a method of connecting to and remotely controlling a Windows-based machine through the network or over the internet. RDP is disabled by default, so this lab will cover enabling RDP, how to allow specific users the right to connect using RDP, and finally, how to allow or block the Remote Desktop Protocol through the Windows Firewall.

Key terms for this lab:

Firewall Exception – an exemption from a specific firewall rule. Exceptions can be made based on IP address or hostname, etc. Exceptions are configured from within the firewall.

Firewall Rule – In the firewall, a rule is what is created when we explicitly allow or block a connection. A firewall works based on the rules provided. A single firewall may have dozens, hundreds or even thousands of rules, depending on how much is allowed or blocked.

OSI – Open System Interconnect; developed by the International Standards Organization (ISO).

Remote Desktop Protocol (RDP) – protocol developed by Microsoft to provide remote control of Windows-based PCs using a graphical interface.


Terminal Server – In the context of this lab, the terminal server is the remote machine that will be controlled over RDP.

Terminal Server Client – software installed on the local machine that provides the function of connecting to the remote machine. Remote Desktop Connection is the default Terminal Server Client for the Remote Desktop Protocol.

Terminal Services – used to define the software and features that provide remote access to a computer from the client to the server. Remote Desktop is part of Microsoft’s Terminal Services.


Lab Topology


Lab Settings

The information in the table below will be needed in order to complete the lab. The task sections below provide details on the use of this information.

Required Virtual Machines and Applications

Log in to the following virtual machines before starting the tasks in this lab:

Windows 2k8 R2 Internal 1             192.168.12.10
Windows 2k8 R2 Internal 1 password    P@ssw0rd
Windows 2k8 R2 Internal 2             192.168.12.11
Windows 2k8 R2 Internal 2 password    P@ssw0rd

Windows 2k8 R2 Login (applies to all Windows machines)

1. Click on the Windows 2k8 R2 icon on the topology that corresponds to the machine you wish to log into.

2. Use the PC menu in the NETLAB+ Remote PC Viewer to send a Ctrl-Alt-Del (version 2 viewer), or click the Send Ctrl-Alt-Del link in the bottom right corner of the viewer window (version 1 viewer).

3. In the password text box, type P@ssw0rd and press Enter to log in.


1 Connect to Another Machine Using RDP

Remote Desktop Protocol (RDP) allows a user to connect to and assume control of the GUI on a remote Windows-based PC. By default, Remote Desktop uses TCP port 3389. In the following steps, we will use the default RD client on Windows 2k8 R2 Internal 1 to connect to and remotely control the Windows 2k8 R2 Internal 2 machine in the lab topology diagram.

Remote Desktop Services was previously known as Terminal Services and is a Windows component that allows a server to host multiple, simultaneous client sessions. RD uses this technology to allow sessions to run remotely.

Did you know? The default port that Remote Desktop listens on (3389) can be changed through the Windows Registry. Using non-standard ports for common protocols could be helpful in mitigating security threats!

1. Click on the Windows 2k8 R2 Internal 1 icon in the topology diagram. Use the instructions in the Lab Settings section to log into the Windows 2k8 R2 Internal 1.

2. If the Initial Configuration Tasks and/or Server Manager windows appear, close them by clicking on the “X” in the top-right corner of the window.

3. Click the Start button in the bottom-left corner and type Remote in the Search Bar. Click Remote Desktop Connection to open the RD client.


4. Type the IP address of the Windows 2k8 R2 Internal 2 remote machine, 192.168.12.11, into the textbox. Click Connect.

You should see a screen, like the one below, indicating that Remote Desktop Connection is attempting to establish a remote connection:

After a brief wait, the connection will fail and the following screen will be displayed:

Listed on the page are three reasons why the RD Connection may fail:

1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network

5. Click OK to close the warning message.


We will determine why this system is not able to connect to the remote machine and remedy the problem. When troubleshooting connectivity issues, it is always good to begin with a ping command issued at the command prompt.

6. Open a Command Prompt window (Start -> Command Prompt) and ping the remote computer by issuing the following command:

ping 192.168.12.11

A successful ping of 192.168.12.11 eliminates reason 2, “The remote computer is turned off”, and reason 3, “The remote computer is not available on the network”. Through the process of elimination, the problem has narrowed to reason 1, “Remote access to the server is not enabled”. Check to see if Remote Access is enabled on the Windows 2k8 R2 Internal 2 machine.

7. Using the login credentials and process provided earlier in the Lab Settings section, log in to the Windows 2k8 R2 Internal 2 machine.

8. If the Initial Configuration Tasks and/or Server Manager windows appear, close them by clicking on the “X” in the top-right corner of the window.

9. To determine if Remote Access is enabled, click Start, then right-click on Computer and select Properties.


10. In the System window, click Remote settings.

11. The System Properties window should appear. Select the Remote tab at the top of the dialog window to access the settings for Remote Desktop.

You should see that the “Don’t allow connections to this computer” option is selected in the Remote Desktop section of the Remote tab. For security purposes, this is the default option. In order to enable remote connectivity to this computer, you need to change the option. There are two other options for enabling Remote Desktop. Select the middle option, “Allow connections from computers running any version of Remote Desktop (less secure)”. The last option, which incorporates Network Level Authentication, is beyond the scope of this lab; however, you can read more on this setting at the following URL: http://technet.microsoft.com/en-us/library/cc732713.aspx


12. Select Allow connections from computers running any version of Remote Desktop (less secure). The following window will appear to notify you of the exception being created in the firewall. Click OK. Click OK again to close the System Properties dialog window.

There are other reasons that a Remote Desktop connection may fail, but they are beyond the scope of this lab.

13. There will be a popup warning if the Windows Firewall service is not running on the system. Windows Firewall helps control which programs or ports can be used to communicate between the Windows Server 2008 R2 server and other computers on the network. To allow a program or port to communicate through Windows Firewall, an exception needs to be enabled and this can only be done if the service is enabled. Carefully read the warning, and then click OK again to close the warning window.

14. To enable the Windows Firewall, click on the Control Panel Home link in the upper-left side of the page, click on the System and Security link, and then click Windows Firewall.


15. In the left panel, click Turn Windows Firewall on or off. Click on Use recommended settings.

16. Under the Home or work (private) network location settings heading click the radio button next to Turn on Windows Firewall then click OK.

17. Repeat Steps 9-12 to enable Remote Desktop connections.

18. Now that Remote Desktop connections have been enabled on the remote machine, we should be able to initiate an RDP session. Return to the Windows 2k8 R2 Internal 1 machine by clicking on its icon in the lab topology diagram. If necessary, re-open the Remote Desktop Connection program, as outlined in Step 3 above.

19. In the Computer textbox, enter the IP address of 192.168.12.11 once again and click the Connect button.


20. You should be prompted to enter your credentials (username and password) to connect to the remote machine. If necessary, type Administrator for the user name and P@ssw0rd for the password. Click OK.

The following window will appear as the computer attempts a connection:

21. After a brief period, the following certificate warning will appear and you will be prompted to proceed with the connection. Click Yes.


The connection to the remote computer should be successful. You should notice the following tab at the top of the screen, called the Connection Bar that indicates the IP address of the remote host, 192.168.12.11:

22. To verify that we are on the remote machine Windows 2k8 R2 Internal 2, click the Start button, right-click on Computer and select Properties.

The System dialog window will appear. Notice in the Computer name, domain, and workgroup settings area that the computer name is listed as W2K8R2Internal2.


Look at the W2K8R2_Internal_2 window to see that the screen is locked. No one sitting at the remote PC can see what is being done.

23. Click Start -> the right arrow to the right of Log off -> Disconnect.
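
The settings changed through the GUI in steps 9 to 16, and the listening port mentioned in the "Did you know?" note, can be read back from the command line to confirm what the server now exposes. The PowerShell script below is an added example and not part of the original lab; it assumes an elevated prompt on the terminal server, an English-language install (for the "Remote Desktop Users" group name), and uses only PowerShell 2.0 features so that it runs on Windows Server 2008 R2. The function names Test-LocalPort and Get-RdpAudit are hypothetical.

```powershell
# Added example (not from the original lab): read back the RDP-related
# settings that the lab changes through the GUI, and flag weak ones.
# Assumptions: elevated prompt, run locally on the terminal server,
# English group name "Remote Desktop Users". PowerShell 2.0 compatible.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"
$FwKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Test-LocalPort([int]$Port, [int]$TimeoutMs = 1000) {
    # True if a listener accepts TCP connections on 127.0.0.1:$Port.
    # Loopback traffic is not filtered by Windows Firewall, so this shows
    # whether the RDP listener is up, not whether remote hosts can reach it.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect('127.0.0.1', $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-RdpAudit {
    $ts   = Get-ItemProperty -Path $TsKey
    $rdp  = Get-ItemProperty -Path $RdpKey
    $port = [int]$rdp.PortNumber          # 3389 unless changed in the registry

    # Local firewall state per profile (1 = on). Settings pushed by Group
    # Policy are stored elsewhere and are not read here.
    $profiles = @{}
    foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $profiles[$p] = ((Get-ItemProperty -Path "$FwKey\$p").EnableFirewall -eq 1)
    }

    # Accounts allowed to log on over RDP in addition to local Administrators.
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    New-Object PSObject -Property @{
        RdpEnabled       = ($ts.fDenyTSConnections -eq 0)   # 1 = "Don't allow connections"
        NlaRequired      = ($rdp.UserAuthentication -eq 1)  # 0 = "any version (less secure)"
        Port             = $port
        Listening        = (Test-LocalPort $port)
        FirewallService  = (Get-Service -Name MpsSvc).Status
        FirewallProfiles = $profiles
        RdpUsers         = $members
    }
}

$audit = Get-RdpAudit
$audit | Format-List RdpEnabled, NlaRequired, Port, Listening, FirewallService, RdpUsers
$audit.FirewallProfiles.GetEnumerator() |
    ForEach-Object { '{0,-16} firewall on: {1}' -f $_.Key, $_.Value }

if ($audit.RdpEnabled -and -not $audit.NlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication (the "less secure" option from step 12).'
}
if ($audit.RdpEnabled -and $audit.FirewallService -ne 'Running') {
    Write-Warning 'RDP is enabled but the Windows Firewall service is not running (the condition step 13 warns about).'
}
if ($audit.RdpEnabled -and -not $audit.Listening) {
    Write-Warning "RDP is enabled in the registry but nothing is listening on TCP $($audit.Port)."
}
if ($audit.Port -ne 3389) {
    Write-Output "RDP listens on non-default TCP port $($audit.Port); firewall exceptions must reference this port."
}
```

On the lab's Internal 2 machine after step 17, the script should report RdpEnabled as True and NlaRequired as False, so the Network Level Authentication warning is expected.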

1.1 RDP and the OSI Model

Most of the functionality of the Remote Desktop Protocol (RDP) occurs at the Presentation (6) Layer. Layer 6 of the OSI Model, the Presentation Layer, deals mostly with how data is “presented” to the applications running at layer 7, the Application Layer. The Presentation Layer handles the delivery and formatting of data that is passed to the Application Layer for display. Generally speaking, RDP, running at layer 6, is responsible for the delivery and formatting of the data that will be presented to the Remote Desktop Connection program running at the Application Layer.

1.2 Conclusion

Remote Desktop Protocol (RDP) is used to establish a connection to a host by which the remote user may “remotely control” the destination machine. RDP is a Microsoft proprietary protocol used on Windows-based PCs only and is part of Microsoft’s Terminal Services.


1.3 Review Questions

1. What protocol handles a terminal services connection to a Windows-based PC?

2. When you establish a connection to a remote host using Remote Desktop Connection, what appears at the top of the screen that lets the user know they are connected to a remote machine?

3. At what layer of the OSI model does RDP primarily function?


2 Configuring the Routing and Remote Access (RRAS) Server Role

Configuring a Windows 2008 R2 server for RRAS provides software routing and a remote access feature for VPN services. Acting as a router, the server can manage data between network segments, or subnets. It cannot handle the heavy demands placed on a hardware-based router, but it is less expensive and can be used to handle the lighter routing loads in some areas of the network.

2.1 Enable RRAS and Configure It as a VPN Server for Secure Connection Between Two Private Networks (Site-to-Site VPN)

1. Click on the Windows 2k8 R2 Internal 1 icon in the topology diagram. Use the instructions in the Lab Settings section to log into the Windows 2k8 R2 Internal 1. This server will simulate a server that is connected to both a private and public network using two NICs. This exercise will enable you to proceed through the process of configuring RRAS for VPN, but will not allow connectivity testing.

2. The Initial Configuration Tasks and/or Server Manager windows appear when logging into Windows 2k8 R2 Internal 1. If they do not appear, click on the Server Manager icon in the Task Bar.

3. In the Server Manager Window click the + next to Roles in the left pane, and then click on the + next to Network Policy and Access Services. You will see Routing and Remote Access role has been installed, but is not enabled, which is indicated by the downward pointing red arrow. The installation has already been completed for you so RRAS appears in the list of server roles under Network Policy and Access Services. You must now enable the service to configure your server for routing and remote access.

4. Right-click Routing and Remote Access, and then click Configure and Enable Routing and Remote Access.


5. On the Welcome page, click Next.

6. On the Configuration page, click Remote Access (dial-up or VPN), and then click Next.

7. On the Remote Access page, put a check in the box next to VPN, then click Next.

8. On the VPN Connection page, select the network interface that is connected to the public Internet from which remote VPN clients will connect to this server. In this exercise, you will be choosing the IP address to the external network to simulate an Internet connection. Leave the Enable security on the selected interface by setting up static packet filters box checked. This will allow only VPN traffic on this link. Click Next to continue.


9. On the IP Address Assignment page, you will specify the way in which the RRAS server will acquire IP addresses for the remote VPN clients. Click Automatically. This is used because the Windows 2k8 R2 Internal 1 machine is configured with the DHCP role. Click Next to continue.

10. On the Managing Multiple Remote Access Servers page, select No; RRAS then uses its local account database of users. Click Next. Selecting to use a centralized RADIUS server for authentication of your network clients would require an additional server to be configured for user account authentication.

11. On the Completing page, click Finish. Click OK on all remaining popups. No additional action is required as indicated in the popups. You have now explored the configuration options for the Windows 2k8 R2 Internal 1 machine with the role of Routing and Remote Access service.


2.2 Conclusion

Routing and Remote Access service (RRAS) is named for the two primary networking services that it provides. Routing is used to direct incoming and outgoing traffic. Remote access service allows remote users to access an organization's private network and gives them access to resources on the LAN. Virtual private networks (VPN) and dial-up networking are two types of remote connectivity. A VPN is a secured, point-to-point connection through a public network to a private network. Dial-up networking is a direct physical connection between the dial-up networking client and the dial-up networking server using a telephone connection to a physical port on the remote access server.

2.3 Review Questions

1. Routing and Remote Access services allow users to connect to private networks using _______ or ___________.

2. True/False Using a RADIUS server with RRAS means that the local server database will be used to authenticate users for accessing the local network.

3. On the VPN Connection page, the IP address selected is the address that belongs to the network connected to the ________________.


3 Use the Built-in VPN Client to Create a VPN Connection

VPN service permits remote users to access corporate networks securely over a public network as if they were directly connected to the corporate network. It also allows users to use dial-up communication links to access the corporate network. A virtual private network (VPN) is a point-to-point connection across a private or public network, such as the Internet. A VPN client uses special TCP/IP-based protocols called tunneling protocols that establish a secure channel between two computers through which they can send data. From the perspective of the two participating computers, there is a dedicated point-to-point link between them, though in reality the data is routed through the Internet as would be any other packet.

Site-to-site VPNs connect entire networks to each other, such as connecting a branch office network to a company headquarters network. In a site-to-site VPN, hosts do not have VPN client software.

Remote access VPNs connect individual hosts to private networks, such as teleworkers who need to access their company's network securely over the Internet. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. In a remote access VPN, every host must have VPN client software.

Now that the RRAS with VPN connections configuration has been explored, you will explore the configuration options of a VPN client connection to the remote VPN server.

3.1 Explore the Configuration Options of a VPN Client Connection to the Remote VPN Server

1. Click on the Windows 2k8 R2 External icon in the topology diagram. Use the instructions in the Lab Settings section to log into the Windows 2k8 R2 External machine. This machine will be used to represent a client machine on the public network accessing the VPN server on the private corporate network.

2. If the Initial Configuration Tasks and/or Server Manager windows appear, close them by clicking on the “X” in the top-right corner of the window.

3. Locate the network connection icon in the right corner of the taskbar and click it. This will bring up the link to Open Network and Sharing Center. Click on the link to open Network and Sharing Center.


4. Click on Set up a new connection or network.

5. Click Connect to a workplace, then click Next.

6. Click on Use my Internet connection (VPN). Because there is no Internet connection in this configuration you will proceed by choosing I’ll set up an Internet connection later. Once you click on it, you will be asked to provide the IP address of the Internet connection.


7. Type in the IP address of the NIC on the Windows 2k8 R2 External machine (131.107.0.100). Change the Destination name to Internal 1. Click Next.

8. On the Connect to a Workplace page, type in the username Administrator and the password P@ssw0rd. You will receive the message that your connection is ready to use. Click Close and then Next to continue.

9. Although you will not be able to connect to the remote server, you can explore the process of using the VPN client connection. Click on the network connection icon in the right corner of the taskbar. You will now see the Dial-up and VPN connection dropdown menu with the new VPN connection that you configured. Click on the Internal 1 link.


10. Click on Connect and you will be asked to type in a username and password for an account on the remote server to be authenticated to the VPN connection and access the remote network resources. Use the username Administrator and password P@ssw0rd. An attempt will be made to connect to the server, but you will receive an error. This is due to not having completed configurations that are outside the scope of the lab.

11. However, if you click on the Diagnose button it will indicate that the client is configured correctly, but the server is not responding.

12. Close all open windows for the VPN client connection.


3.2 Conclusion

VPN service permits remote users to access corporate networks securely over a public network as if they are directly connected on the corporate network. It also allows users to use dial-up communication links to access the corporate network. A VPN client uses special TCP/IP-based protocols called tunneling protocols that establish a secure channel between two computers through which they can send data. From the perspective of the two participating computers, there is a dedicated point-to-point link between them, though in reality the data is routed through the Internet as would be any other packet.

3.3 Review Questions

1. _________ VPNs connect entire networks to each other.

2. In a ___________, every host must have VPN client software.

3. TCP/IP-based protocols called _________ establish a _______ between two computers through which they can send data.

