Remote Strategy

Date post: 30-Mar-2016
Upload: eric-macewen
Description:
Windows Server 2008 Remote Strategy
Transcript
Page 1: Remote Strategy

Designing Remote Access and Terminal Services Strategies

MCITP Guide to Microsoft Windows Server 2008 Enterprise Administration (Exam #70-647)

1

Page 2: Remote Strategy

Learning Objectives

• Design a network access solution
• Identify the best tunneling protocol to use with a VPN
• Identify the components of Network Access Protection
• Design a NAP solution to meet specific goals

Page 3: Remote Strategy

Learning Objectives (cont’d.)

• Choose the appropriate NAP enforcement method
• Plan for the deployment of Terminal Services
• Identify the purpose and use of different Terminal Services components
• Plan for Terminal Services licensing

Page 4: Remote Strategy

Designing Remote Access

• Remote access technologies
  – Allow network access from a remote location
• Access to remote networks
  – Dial-up or virtual private network (VPN)
• Remote access server
  – May be placed in a demilitarized zone (DMZ)
    • Perimeter network between two firewalls
    • May use a single firewall
  – Remote access server
    • Hosted on the Internet or internal network

Page 5: Remote Strategy

Figure 5-1 A remote access server configured for dial-up and VPN access (Courtesy Course Technology/Cengage Learning)

Page 6: Remote Strategy

Tunneling Protocols

• Use with VPN connection
  – Provides secure traffic transport through public networks
• Tunneling protocol
  – Encapsulates and encrypts traffic
    • Between client and back-end network
• Types
  – Point-to-Point Tunneling Protocol (PPTP)
  – Layer 2 Tunneling Protocol (L2TP)
  – Secure Socket Tunneling Protocol (SSTP)

Page 7: Remote Strategy

Choosing a Tunneling Protocol

Table 5-1 Choosing a tunneling protocol (table contents not included in this transcript)

Page 8: Remote Strategy

Adding the Remote Access Service on Windows Server 2008

• Windows Server 2008 Network Policy and Access Services role
  – Creates a network access solution
  – Includes multiple services
    • Remote access
    • Routing
    • RADIUS
    • Network Access Protection

Page 9: Remote Strategy

Figure 5-2 Adding the Remote Access Service (Courtesy Course Technology/Cengage Learning)

Page 10: Remote Strategy

Adding the Remote Access Service on Windows Server 2008 (cont’d.)

• Activity 5-1: Installing the Remote Access Service

Figure 5-3 Configuring the remote access server for both VPN access and dial-up access (Courtesy Course Technology/Cengage Learning)

Page 11: Remote Strategy

Network Access Policies

• Determines users’ access to a remote server
• Previous versions of Windows Server
  – Policies configurable from Routing and Remote Access console
• Windows Server 2008
  – Policies accessible using Network Policy Server console
• Four primary policy components
  – Conditions, permissions, constraints, settings

Page 12: Remote Strategy

Figure 5-4 Network access policy permissions (Courtesy Course Technology/Cengage Learning)

Page 13: Remote Strategy

Network Access Policies (cont’d.)

• Remote Access Service adds two default policies

Figure 5-5 NPS console showing default policies (Courtesy Course Technology/Cengage Learning)

Page 14: Remote Strategy

Network Access Policies (cont’d.)

• Activity 5-2: Adding a Network Access Policy

Figure 5-6 Configuring a day and time restriction for a network policy (Courtesy Course Technology/Cengage Learning)
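The four policy components named on page 11 (conditions, permissions, constraints, settings) and the day-and-time constraint of Figure 5-6 can be seen working together in a small model of how NPS processes an ordered list of network policies. This is an added example, not code from the MCITP guide or from Microsoft; the policy names, group names, tunnel types and sample requests are constructed for illustration.

```python
"""Simplified model of how Network Policy Server evaluates a network
access policy: conditions select the policy, permission grants or denies,
constraints (here a day-and-time restriction, as in Figure 5-6) must hold,
and settings are applied on a grant.

Added example, not code from the MCITP guide or from Microsoft. Policy
names, groups, tunnel types and the sample requests are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class AccessRequest:
    """What the remote access server reports to NPS about one connection."""
    user: str
    groups: set
    tunnel_type: str      # "PPTP", "L2TP" or "SSTP"
    when: datetime


@dataclass
class NetworkPolicy:
    name: str
    conditions: dict                     # every listed condition must match
    grant: bool                          # permission: grant or deny access
    allowed_days: set = field(default_factory=lambda: set(range(7)))  # 0 = Monday
    allowed_hours: range = range(0, 24)  # constraint: day-and-time restriction
    settings: dict = field(default_factory=dict)  # applied only on grant


def conditions_match(policy, req):
    """All conditions present on the policy must be satisfied by the request."""
    group = policy.conditions.get("group")
    if group is not None and group not in req.groups:
        return False
    tunnels = policy.conditions.get("tunnel_type")
    if tunnels is not None and req.tunnel_type not in tunnels:
        return False
    return True


def constraints_pass(policy, req):
    return req.when.weekday() in policy.allowed_days and req.when.hour in policy.allowed_hours


def evaluate(policies, req):
    """NPS processes policies in order and uses the first one whose
    conditions match. If that policy denies, or one of its constraints
    fails, the request is rejected; later policies are not consulted."""
    for policy in policies:
        if not conditions_match(policy, req):
            continue
        if not policy.grant or not constraints_pass(policy, req):
            return ("deny", policy.name, {})
        return ("grant", policy.name, dict(policy.settings))
    return ("deny", "<no matching policy>", {})


def request_at(user, groups, tunnel_type, iso_time):
    """Convenience constructor: iso_time like '2016-03-30T10:00'."""
    return AccessRequest(user, set(groups), tunnel_type, datetime.fromisoformat(iso_time))


# Constructed sample: members of VPN-Users may connect over SSTP or L2TP on
# weekdays between 07:00 and 18:59; a final catch-all denies everyone else,
# standing in for the default policies the Remote Access Service adds.
POLICIES = [
    NetworkPolicy("VPN Users", {"group": "VPN-Users", "tunnel_type": {"SSTP", "L2TP"}},
                  grant=True, allowed_days=set(range(0, 5)), allowed_hours=range(7, 19),
                  settings={"idle_timeout_minutes": 30}),
    NetworkPolicy("Deny all other connections", {}, grant=False),
]

if __name__ == "__main__":
    for when in ("2016-03-30T10:00", "2016-03-30T22:00", "2016-04-02T10:00"):
        print(when, evaluate(POLICIES, request_at("alice", ["VPN-Users"], "SSTP", when)))
    print("pptp", evaluate(POLICIES, request_at("alice", ["VPN-Users"], "PPTP", "2016-03-30T10:00")))
```

The point worth noticing is the ordering: a request that matches the conditions of the first policy but fails its time constraint is denied outright rather than falling through to a later policy, which is why the order of policies in the NPS console matters as much as their contents.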

Page 15: Remote Strategy

Using a RADIUS Server

• Remote Authentication Dial-in User Service (RADIUS) server
  – Used for central authentication and logging
• Windows Server 2008 server
  – Used as a RADIUS server by adding the NPS service
    • Part of Network Policy and Access Services
• RADIUS server not required
  – If using only one remote access server

Page 16: Remote Strategy

Figure 5-7 Using a RADIUS server (Courtesy Course Technology/Cengage Learning)

Page 17: Remote Strategy

Using a RADIUS Server (cont’d.)

• When using multiple remote access servers
  – Can use a single RADIUS server
• Other RADIUS server uses
  – Centralized logging
  – Centralized policies
• Add the Network Policy and Access Services role with the NPS service
  – NPS service allows server to act as a RADIUS server

Page 18: Remote Strategy

Figure 5-8 Configuring a remote access server for RADIUS authentication (Courtesy Course Technology/Cengage Learning)

Page 19: Remote Strategy

Using a RADIUS Proxy

• Used with several RADIUS servers
• Implemented as a central switching or routing point
  – RADIUS client requests go through RADIUS proxy
    • Determines RADIUS server to handle request
• RADIUS proxy
  – Receives requests from remote access servers
    • Forwards them to a RADIUS server
  – Can support multiple forests
  – Can load-balance RADIUS requests
  – Can interact with non-Microsoft environments

Page 20: Remote Strategy

Figure 5-9 Using a RADIUS proxy (Courtesy Course Technology/Cengage Learning)
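The switching role of the RADIUS proxy on page 19 (requests from remote access servers come in, the proxy decides which RADIUS server handles each one, balances the load and logs centrally) is easier to see in a runnable model than in a diagram. The following is an added example, not code from the MCITP guide or from NPS; realm names, server names and users are constructed, and routing by the user's realm is the chosen illustration of how several forests or a non-Microsoft RADIUS server can sit behind one proxy.

```python
"""Model of a RADIUS proxy deciding which RADIUS server handles a request.

Added example, not code from the MCITP guide or from NPS itself. The proxy
receives requests from remote access servers (its RADIUS clients), routes
each one to a server group chosen by the user's realm (one group per
forest), balances across the servers in that group, skips servers marked
unreachable, and keeps a central log of what it forwarded.
Realm names, server names and users are constructed.
"""
from itertools import cycle


class RadiusProxy:
    def __init__(self, groups, default_realm=None):
        # groups: realm -> ordered list of RADIUS servers for that realm
        self.groups = {realm: list(servers) for realm, servers in groups.items()}
        self.default_realm = default_realm
        self.unreachable = set()
        self.log = []
        self._next = {realm: cycle(range(len(s))) for realm, s in self.groups.items()}

    def mark_unreachable(self, server):
        self.unreachable.add(server)

    def mark_reachable(self, server):
        self.unreachable.discard(server)

    @staticmethod
    def realm_of(username, default):
        """'alice@corp.example' -> 'corp.example'; bare names use the default."""
        return username.rsplit("@", 1)[1].lower() if "@" in username else default

    def select(self, username):
        """Round-robin within the realm's group, skipping unreachable servers.
        Returns None when no reachable server exists for the realm."""
        realm = self.realm_of(username, self.default_realm)
        servers = self.groups.get(realm)
        if not servers:
            return None
        for _ in range(len(servers)):
            candidate = servers[next(self._next[realm])]
            if candidate not in self.unreachable:
                return candidate
        return None

    def forward(self, radius_client, username):
        """Forward on behalf of a remote access server and log centrally."""
        server = self.select(username)
        self.log.append({"client": radius_client, "user": username, "server": server})
        return server


if __name__ == "__main__":
    proxy = RadiusProxy({"corp.example": ["NPS1", "NPS2"], "partner.example": ["RADIUS-P1"]},
                        default_realm="corp.example")
    for user in ("alice@corp.example", "bob@corp.example", "carol@partner.example", "dave"):
        print(user, "->", proxy.forward("vpn1", user))
    proxy.mark_unreachable("NPS2")
    print("erin@corp.example ->", proxy.forward("vpn2", "erin@corp.example"))
```

A request for a realm with no configured (or no reachable) server yields None, which a real proxy turns into an Access-Reject; the central log is what makes the proxy useful for the "centralized logging" use named on page 17 even when authentication itself happens on different servers.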

Page 21: Remote Strategy

Network Access Protection

• New in Windows Server 2008
  – Provides added layers of network protection
  – Ensures healthy clients connect to a network
• Remote access clients hardest to secure
• Administrators can:
  – Secure computers with Group Policy
  – Ensure computers regularly receive updates
  – Ensure computers have anti-malware software installed

Page 22: Remote Strategy

Network Access Protection (cont’d.)

• Administrators can: (cont’d.)
  – Ensure computers have virus signatures updated regularly
  – Perform other checks and controls
• Clients connecting via remote access
  – Not necessarily controlled by administrators
• Must use NAP to design a policy specifying healthy client requirements
  – Computer inspection
    • Determines if it meets requirements
    • Client issued a health certificate (if requirements met)

Page 23: Remote Strategy

Network Access Protection (cont’d.)

• NAP goals
  – Health state validation
  – Network access limitation
  – Automatic remediation
  – Ongoing compliance

Page 24: Remote Strategy

Components of NAP

• Components
  – NAP clients
  – VPN server and NAP servers
  – NPS
  – HRA
  – Health Requirement Servers
  – DHCP
  – 802.1x
  – Domain controllers
  – Restricted network and remediation servers

Page 25: Remote Strategy

Figure 5-10 Components of a NAP solution (Courtesy Course Technology/Cengage Learning)

Page 26: Remote Strategy

Adding the NPS Service

• NPS service
  – Separate from the remote access service
    • Both services part of same Network Policy and Access Services role
• After adding the NPS service
  – NPS console expands to include additional capabilities
    • Configure the server System Health Validators
    • Configure the Remediation Server Groups
    • Create Health Policies

Page 27: Remote Strategy

Figure 5-11 Accessing the NPS console (Courtesy Course Technology/Cengage Learning)

Adding the NPS Service (cont’d.)

• Activity 5-3: Adding the Network Policy Server Service

Page 28: Remote Strategy

System Health Agents, Validators, and NAP Agents

• Important elements of the health policy
  – Work together to provide client statement of health
• System Health Agents (SHAs)
  – Perform system health updates on the client
  – Based on checks identified in SHVs
• Statement of Health (SoH)
  – Published to the NAP agent
• NAP agent collects an SoH from different SHAs
  – Creates a System Statement of Health (SSoH)
    • Passed to the NAP enforcement client when requested

Page 29: Remote Strategy

System Health Agents, Validators, and NAP Agents (cont’d.)

• NAP agent service
  – Gathers information and builds the SSoH
  – Service set to manual by default
• Majority of process automated on the client
• Server includes at least one SHV
  – Can be configured and manipulated
  – Can configure NPS to enforce or not enforce individual settings for any SHV

Page 30: Remote Strategy

System Health Agents, Validators, and NAP Agents (cont’d.)

• Windows Security Health Validator properties settings
  – Firewall, virus protection, spyware protection, automatic updating, security update protection
• NAP autoremediation enabled
  – SHV directs noncompliant client to enable specific security solution
• Autoremediation applies to:
  – Spyware protection, automatic updating, security update protection

Page 31: Remote Strategy

Figure 5-12 Configuring an SHV policy (Courtesy Course Technology/Cengage Learning)

Page 32: Remote Strategy

System Health Agents, Validators, and NAP Agents (cont’d.)

• Activity 5-4: Configuring the Windows Security Health Validator

Figure 5-14 Windows Security Health Validator error code resolution (Courtesy Course Technology/Cengage Learning)

Page 33: Remote Strategy

Creating a Health Policy

• Choose how SHV checks interpreted
  – Client passes all SHV checks
  – Client fails all SHV checks
  – Client passes one or more SHV checks
  – Client fails one or more SHV checks
  – Client reported as transitioned by one or more SHV checks
  – Client reported as infected by one or more SHV checks
  – Client reported as unknown by one or more SHVs

Page 34: Remote Strategy

Figure 5-15 Creating a new health policy named Pass All SHV (Courtesy Course Technology/Cengage Learning)

Creating a Health Policy (cont’d.)

• Activity 5-5: Creating a Health Policy

Page 35: Remote Strategy

Creating a Remediation Server Group

• Includes server names and IP addresses
  – Hold applications and/or updates bringing client into compliance
• Servers included in Remediation Server Group list
  – Examples:
    • Antivirus servers
    • WSUS servers
    • Network Infrastructure servers

Page 36: Remote Strategy

Creating a Remediation Server Group (cont’d.)

• Activity 5-6: Creating a Remediation Server Group

Figure 5-16 Creating a new Remediation Server Group (Courtesy Course Technology/Cengage Learning)

Page 37: Remote Strategy

Configuring Network Policy Settings

• Configure network access policies
  – After Network Policy Server and health policies configured
• Health and NAP policy settings configuration
  – Based on policy conditions and policy settings
• Policy conditions
  – Determine if policy used

Page 38: Remote Strategy

Figure 5-17 Identifying network policy conditions (Courtesy Course Technology/Cengage Learning)

Page 39: Remote Strategy

Configuring Network Policy Settings (cont’d.)

• Conditions relevant to network access
  – Identity Type
  – MS-Service Class
  – Health Policies
  – NAP-Capable Computers
  – Operating System
  – Policy Expiration

Page 40: Remote Strategy

Configuring Network Policy Settings (cont’d.)

• Possible to use NAP
  – Without specifying NAP as a condition in a network access policy
• Two settings related to NAP policy settings
  – NAP Enforcement
  – Extended State
• Activity 5-7: Configuring a Network Access Policy with NAP

Page 41: Remote Strategy

Figure 5-19 Selecting the Remediation Server Group for limited network access (Courtesy Course Technology/Cengage Learning)
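Pages 28 through 41 describe one pipeline: SHAs publish statements of health, the NAP agent bundles them into an SSoH, the server's SHV checks the settings the administrator chose to enforce, a health policy interprets the SHV result, and the matching network policy's NAP Enforcement setting decides between full access and limited access to a Remediation Server Group (with autoremediation available only for the three settings named on page 30). The following end-to-end model is an added example, not code from the MCITP guide or from Microsoft's NAP implementation; the setting names follow the Windows Security Health Validator slide, while the remediation server names, addresses and sample clients are constructed.

```python
"""End-to-end model of NAP health evaluation and the resulting network
policy outcome: SHA -> SoH -> NAP agent -> SSoH -> SHV -> health policy ->
network policy -> NAP Enforcement (full or limited access).

Added example, not code from the MCITP guide or Microsoft's NAP. Setting
names follow the Windows Security Health Validator slide; remediation
server names, addresses and the sample clients are constructed.
"""

# Settings the Windows Security Health Validator can check (from the slide).
WSHV_SETTINGS = ("firewall", "virus_protection", "spyware_protection",
                 "automatic_updating", "security_update_protection")
# Autoremediation applies only to these three (from the slide); the others
# need the user or a management tool to fix them.
AUTOREMEDIABLE = {"spyware_protection", "automatic_updating", "security_update_protection"}


def windows_soh(**state):
    """SHA side: a SoH for the Windows SHA; unspecified settings count as off."""
    return {"sha": "WindowsSHA", "state": {s: bool(state.get(s, False)) for s in WSHV_SETTINGS}}


def build_ssoh(soh_list):
    """NAP agent: collect one SoH per SHA into a System Statement of Health."""
    return {"sohs": {soh["sha"]: soh for soh in soh_list}}


def evaluate_shv(ssoh, enforced_settings):
    """Server-side Windows SHV. Returns (result, failed_settings) where
    result is 'pass', 'fail' (an enforced setting is off) or 'unknown'
    (no SoH from the Windows SHA at all). Settings not enforced are ignored."""
    soh = ssoh["sohs"].get("WindowsSHA")
    if soh is None:
        return "unknown", []
    failed = [s for s in enforced_settings if not soh["state"].get(s, False)]
    return ("fail" if failed else "pass"), failed


def health_policy_matches(mode, shv_results):
    """Interpret a list of SHV results the way the health policy wizard lets
    the administrator choose (page 33)."""
    results = list(shv_results)
    checks = {
        "pass_all": bool(results) and all(r == "pass" for r in results),
        "fail_all": bool(results) and all(r == "fail" for r in results),
        "pass_one_or_more": any(r == "pass" for r in results),
        "fail_one_or_more": any(r == "fail" for r in results),
        "unknown_one_or_more": any(r == "unknown" for r in results),
    }
    return checks[mode]


def decide_access(ssoh, enforced_settings, policies, remediation_group, autoremediate=True):
    """Walk the ordered network policies; the first whose health policy
    condition matches decides the NAP Enforcement outcome."""
    result, failed = evaluate_shv(ssoh, enforced_settings)
    for policy in policies:
        if not health_policy_matches(policy["health_policy"], [result]):
            continue
        outcome = {"policy": policy["name"], "access": policy["nap_enforcement"]}
        if policy["nap_enforcement"] == "limited":
            outcome["reachable"] = list(remediation_group)
            outcome["autoremediate"] = [s for s in failed if s in AUTOREMEDIABLE] if autoremediate else []
            outcome["manual_fix"] = [s for s in failed if s not in AUTOREMEDIABLE]
        return outcome
    return {"policy": None, "access": "deny"}


# Constructed configuration: enforce three of the five WSHV settings.
ENFORCED = ("firewall", "virus_protection", "automatic_updating")
REMEDIATION_GROUP = ["wsus01.corp.example (10.0.5.10)", "av01.corp.example (10.0.5.11)"]
POLICIES = [
    {"name": "NAP compliant", "health_policy": "pass_all", "nap_enforcement": "full"},
    {"name": "NAP noncompliant", "health_policy": "fail_one_or_more", "nap_enforcement": "limited"},
    {"name": "NAP unknown", "health_policy": "unknown_one_or_more", "nap_enforcement": "limited"},
]

if __name__ == "__main__":
    healthy = build_ssoh([windows_soh(firewall=True, virus_protection=True, automatic_updating=True)])
    stale = build_ssoh([windows_soh(virus_protection=True)])   # firewall and updates off
    print(decide_access(healthy, ENFORCED, POLICIES, REMEDIATION_GROUP))
    print(decide_access(stale, ENFORCED, POLICIES, REMEDIATION_GROUP))
    print(decide_access(build_ssoh([]), ENFORCED, POLICIES, REMEDIATION_GROUP))
```

Two details to check against your own design: a client that sends no SoH at all (an unmanaged or non-NAP-capable machine) matches none of the pass or fail policies and only gets access through the "unknown" policy, so that policy needs to exist if such clients are to reach the remediation servers; and a firewall that is off is reported for manual fixing because the slide lists only spyware protection, automatic updating and security update protection as autoremediable.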

Page 42: Remote Strategy

Other NAP Enforcement Methods

• DHCP enforcement
• 802.1x enforcement
• IPSec enforcement

Page 43: Remote Strategy

DHCP Enforcement

• Ensures client compliant
  – Prior to issuing TCP/IP configuration information
• Noncompliant computers
  – Could be issued a DHCP lease providing access to a restricted network
• Health policy requirements enforced when client:
  – Requests a DHCP lease
  – Renews a lease
  – While it has a lease (periodically)
• Considered a weak NAP enforcement method

Page 44: Remote Strategy

802.1x Enforcement

• Used with managed switches and wireless access points
  – Controls access
  – Ensures traffic stays within limited network
• Ensures clients compliant with policy
  – Prior to providing restricted network access
• Fully compliant computer
  – Could be granted unlimited access
• Noncompliant computers
  – Could be denied access or provided limited access

Page 45: Remote Strategy

802.1x Enforcement (cont’d.)

• Restricted networks identified by:
  – Limited access profile using access control lists (ACLs)
  – Virtual LAN identifiers (VLAN IDs)
• 802.1x
  – Not used on unmanaged network devices
    • No configuration or options

Page 46: Remote Strategy

IPSec Enforcement

• Ensures computer communications protected with IPSec
• IPSec used to:
  – Encrypt data using Encapsulating Security Payload
  – Digitally sign data using an Authentication Header
• Benefits of IPSec protected data transfers
  – Confidentiality, integrity, authentication
  – Can be used instead of 802.1x in a network using managed network devices
  – Most secure form of NAP enforcement
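What makes IPSec enforcement the strongest of the three methods is the health certificate mentioned on page 22: the Health Registration Authority (HRA) issues one only to a client whose inspection passed, and a protected server will not negotiate IPSec with a peer that cannot present a valid one, so a noncompliant machine is not merely routed to a restricted network but cannot talk to protected hosts at all. The following model is an added example, not code from the MCITP guide or from Microsoft's HRA; an HMAC stands in for the X.509 signature so the example runs offline, and the key, host names, certificate lifetime and timestamps are constructed.

```python
"""Model of NAP IPsec enforcement with health certificates.

Added example, not code from the MCITP guide or from Microsoft's HRA. The
Health Registration Authority (HRA) issues a short-lived health certificate
only when the client's statement of health is compliant; a server in the
protected network negotiates IPsec only with a peer that presents an
unexpired certificate that verifies under the HRA's key. An HMAC stands in
for the X.509 signature so the example runs offline; the key, host names,
lifetime and timestamps are constructed.
"""
import hashlib
import hmac
import json

CERT_LIFETIME_SEC = 4 * 3600   # constructed; a short lifetime forces re-validation


class HealthRegistrationAuthority:
    def __init__(self, key):
        self._key = key

    def issue(self, host, compliant, now):
        """Issue a health certificate to a compliant client, None otherwise."""
        if not compliant:
            return None
        body = {"host": host, "not_after": now + CERT_LIFETIME_SEC}
        return {"body": body, "tag": self._sign(body)}

    def verify(self, cert, now):
        """True only for an untampered, unexpired certificate issued by this HRA."""
        if cert is None:
            return False
        return (hmac.compare_digest(self._sign(cert["body"]), cert["tag"])
                and cert["body"]["not_after"] > now)

    def _sign(self, body):
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()


def ipsec_peer_allowed(hra, peer_cert, now):
    """Protected server side: accept the IPsec negotiation (and therefore any
    traffic, since the server requires IPsec) only from a peer with a valid
    health certificate."""
    return hra.verify(peer_cert, now)


if __name__ == "__main__":
    hra = HealthRegistrationAuthority(b"constructed-hra-key")
    cert = hra.issue("pc1.corp.example", compliant=True, now=1_000)
    print("compliant peer now:", ipsec_peer_allowed(hra, cert, 2_000))
    print("same cert after expiry:", ipsec_peer_allowed(hra, cert, 1_000 + CERT_LIFETIME_SEC + 1))
    print("noncompliant peer:", ipsec_peer_allowed(hra, hra.issue("pc2", False, 1_000), 1_000))
```

The expiry check is what delivers the "ongoing compliance" goal from page 23: a client that drifts out of compliance keeps its certificate only until it expires, after which the HRA refuses to renew it and protected servers stop answering.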

Page 47: Remote Strategy

Planning for Terminal Services

• Terminal Services (TS)
  – Provides end users with access to individual applications or full desktop operating systems
    • From almost any mobile device
• User connects to the terminal server
  – Can run applications and use resources on it
• TS RemoteApp programs
  – Once configured on a TS server:
    • Users can run application remotely instead of starting a complete desktop session

Page 48: Remote Strategy

Planning for Terminal Services (cont’d.)

• User executing TS application
  – Application runs on TS server
  – Keyboard, mouse, display data
    • Transferred back and forth between user and TS server
• Possible to support full desktop sessions on a TS server
  – Supports older computers or thin clients
• Thin client
  – Minimal hardware resources
  – Has enough resources to connect to a TS server

Page 49: Remote Strategy

Planning for Terminal Services (cont’d.)

• TS server supports multiple clients
  – Client has access to their session only
  – Server requires resources to support clients
• Users connect to terminal server
  – Using Remote Desktop Connection (RDC)
• RDC version 6.0 or newer
  – Required to connect to a Windows Server 2008 terminal server
    • Increased security with Terminal Services
  – Windows Vista comes with RDC 6.0
  – Windows XP SP3 can use RDC 6.1

Page 50: Remote Strategy

Adding the Terminal Services Role

• Limited version of Terminal Services
  – Installed on Windows Server 2008 servers by default
  – Terminal Services menu
    • Available via the Administrative Tools menu
    • For administrative purposes: not for end users
• Terminal Services for end users
  – Requires addition of Terminal Services role
    • May add multiple supporting services

Page 51: Remote Strategy

Figure 5-20 Adding Terminal Services role services (Courtesy Course Technology/Cengage Learning)

Page 52: Remote Strategy

Adding the Terminal Services Role (cont’d.)

• Terminal Services role services
  – Terminal Server service
  – TS Licensing service
  – TS Session Broker service
  – TS Gateway service
  – TS Web Access service
• Activity 5-8: Adding the Terminal Services Role

Page 53: Remote Strategy

Figure 5-21 Adding supporting roles and features for TS Gateway (Courtesy Course Technology/Cengage Learning)

Page 54: Remote Strategy

Configuring the Terminal Services Server

• Performed after adding Terminal Services role and supporting services
• Steps:
  – Configure Remote Desktop connections to allow connections
  – Add users or groups to the local Remote Desktop Users group
• Activity 5-9: Configuring the Terminal Services Server

Page 55: Remote Strategy

Figure 5-22 Configuring the TS server to accept connections (Courtesy Course Technology/Cengage Learning)

Page 56: Remote Strategy

Figure 5-23 Viewing active connections on the terminal server (Courtesy Course Technology/Cengage Learning)

Page 57: Remote Strategy

Terminal Services Licensing

• Terminal Services client access license (TS CAL)
  – Required for every user or computing device:
    • Connecting to a terminal server
  – Managed and maintained:
    • On a Terminal Services licensing server
• TS licensing service
  – Can add to the TS server or another server
• Support for Windows Server 2008 Terminal Services servers:
  – TS licensing server running on a Windows Server 2008 server

Page 58: Remote Strategy

Terminal Services Licensing (cont’d.)

• Upon TS server accepting first client connection
  – Licensing grace period of 120 days begins
• Terminal Services clients
  – Either users or devices
• Client connecting to a TS server
  – TS server requests TS CAL from the TS licensing server
• Types of CALs
  – TS per-device CALs
  – TS per-user CALs

Page 59: Remote Strategy

Terminal Services Licensing (cont’d.)

• Choice between per-device and per-user CALs
  – Organization dependent
  – Generally: more flexibility when per-user selected
    • Especially for mobile users
• Windows Server 2008 Terminal Services
  – Uses discovery process to locate TS licensing servers

Page 60: Remote Strategy

Figure 5-24 Choosing the discovery scope for TS licensing (Courtesy Course Technology/Cengage Learning)

Page 61: Remote Strategy

Terminal Services Licensing (cont’d.)

• Three discovery scopes
  – Workgroup discovery scope
  – Domain discovery scope
  – Forest discovery scope (for easiest administration)
• Activity 5-10: Adding Terminal Services Licensing

Page 62: Remote Strategy

Figure 5-25 Choosing the Licensing mode (Courtesy Course Technology/Cengage Learning)

Page 63: Remote Strategy

TS RemoteApp

• Configured on a TS server
  – Clients run application on the server
    • Instead of a full desktop session
• Benefits
  – Users can run incompatible programs from a single computer
  – Supports remote users
    • Through a VPN or together with TS Gateway
  – Can support line-of-business (LOB) applications
  – Can support roaming users

Page 64: Remote Strategy

TS RemoteApp (cont’d.)

• Methods to start TS RemoteApp applications
  – Use a Remote Desktop Protocol (.rdp) file
  – Use Microsoft Windows installer (.msi) files
  – Use document activation
  – Use a Web browser

Page 65: Remote Strategy

TS Web Access

• Allows users to:
  – Access TS RemoteApp programs via a Web browser
  – Access complete desktops using Remote Desktop Web Connection
• Web browser
  – Uses Microsoft’s Internet Information Services (IIS) 7.0
• Configure TS server hosting RemoteApp applications
  – To host TS Web Access

Page 66: Remote Strategy

TS Web Access (cont’d.)

• Can configure separate server
  – To run TS Web Access and IIS
• TS RemoteApp program
  – Runs as a session on the TS server
    • Only keyboard, mouse, display data transferred back and forth to the client
• Benefits
  – Accessible via Internet or intranet
  – Requires minimal configuration

Page 67: Remote Strategy

TS Gateway

• Allows clients to remotely connect to TS servers
  – Uses the Remote Desktop Protocol (RDP)
  – RDP connection encapsulated within an HTTPS connection
    • Using port 443 (firewalls often have port 443 open)
  – Once user connected:
    • TS Gateway server forwards connection to a TS server
• Remotely administer server using Terminal Services (without TS Gateway)
  – Requires port 3389 opened: standard port for Terminal Services

Page 68: Remote Strategy

TS Gateway (cont’d.)

• TS Gateway using port 443
  – No additional open ports needed (assumes port 443 already open)
• TS Gateway further enhances network security
  – If integrated with Network Access Protection (NAP)
    • NAP ensures clients meet specific health policies
      – Before granted network access

Page 69: Remote Strategy

Figure 5-26 Designing Terminal Services with TS Gateway (Courtesy Course Technology/Cengage Learning)

Page 70: Remote Strategy

Terminal Services Authorization Policies for TS Gateway

• TS Gateway
  – Requires two authorization policies when implemented
• Adding authorization policies
  – Add when TS Gateway role service added
  – Add later
• Authorization policies
  – Terminal Services connection authorization policy (TS CAP)
  – Terminal Services resource authorization policy (TS RAP)

Page 71: Remote Strategy

Terminal Services Authorization Policies for TS Gateway (cont’d.)

• Activity 5-11: Configuring Connection Authorization Policies

Figure 5-27 Creating a TS CAP for TS Gateway (Courtesy Course Technology/Cengage Learning)

Page 72: Remote Strategy

Figure 5-28 Creating a TS RAP for TS Gateway (Courtesy Course Technology/Cengage Learning)
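The reason TS Gateway requires both policies from page 70 is that they answer different questions: a TS CAP decides who may connect through the gateway and how they must authenticate, and a TS RAP decides which internal computers those users may reach. A connection must satisfy one of each. The following model is an added example, not code from the MCITP guide or from the TS Gateway service; the user groups, authentication method names and computer names are constructed, and the group-intersection matching is the chosen illustration of how the policies are evaluated.

```python
"""Model of TS Gateway authorization with TS CAPs and TS RAPs.

Added example, not code from the MCITP guide or the TS Gateway service. A
connection through the gateway must satisfy a connection authorization
policy (TS CAP: who may connect, and with which authentication method)
and a resource authorization policy (TS RAP: which internal computers and
ports those users may reach). Groups, auth methods and names are constructed.
"""


def cap_allows(caps, user_groups, auth_method):
    """First TS CAP whose user groups intersect the user's groups and whose
    allowed authentication methods include the one the client used."""
    for cap in caps:
        if cap["groups"] & user_groups and auth_method in cap["auth_methods"]:
            return cap["name"]
    return None


def rap_allows(raps, user_groups, target, port=3389):
    """First TS RAP whose user groups match and whose computer group contains
    the target (or allows any computer), on an allowed port."""
    for rap in raps:
        if not (rap["groups"] & user_groups):
            continue
        computers = rap["computers"]
        if (computers == "any" or target.lower() in computers) and port in rap["ports"]:
            return rap["name"]
    return None


def authorize(caps, raps, user_groups, auth_method, target, port=3389):
    """Both policy types must authorize the request; returns (allowed, reason)."""
    cap = cap_allows(caps, user_groups, auth_method)
    if cap is None:
        return False, "no TS CAP matched"
    rap = rap_allows(raps, user_groups, target, port)
    if rap is None:
        return False, "no TS RAP matched"
    return True, f"{cap} / {rap}"


# Constructed policies: staff reach only the two farm servers; admins may
# reach any computer but only when authenticating with a smart card.
CAPS = [
    {"name": "Remote staff CAP", "groups": {"TS-Remote-Users"},
     "auth_methods": {"password", "smartcard"}},
    {"name": "Admins CAP", "groups": {"Domain Admins"}, "auth_methods": {"smartcard"}},
]
RAPS = [
    {"name": "Office TS farm RAP", "groups": {"TS-Remote-Users"},
     "computers": {"ts1.corp.example", "ts2.corp.example"}, "ports": {3389}},
    {"name": "Admins RAP", "groups": {"Domain Admins"}, "computers": "any", "ports": {3389}},
]

if __name__ == "__main__":
    print(authorize(CAPS, RAPS, {"TS-Remote-Users"}, "password", "TS1.corp.example"))
    print(authorize(CAPS, RAPS, {"TS-Remote-Users"}, "password", "dc1.corp.example"))
    print(authorize(CAPS, RAPS, {"Domain Admins"}, "password", "dc1.corp.example"))
    print(authorize(CAPS, RAPS, {"Domain Admins"}, "smartcard", "dc1.corp.example"))
```

The second and third calls show why the split matters: a staff member who passes the CAP is still stopped at the RAP when the target is a domain controller, and an administrator who is allowed to reach anything is still stopped at the CAP when the authentication method is weaker than the policy demands.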

Page 73: Remote Strategy

TS Session Broker

• Ensures single server not overloaded with requests
  – While another server remains idle
• Most efficient method
• Common implementation
  – Use basic load balancing method with TS Session Broker
    • Example: DNS round robin
• After basic load-balancing mechanism used:
  – TS Session Broker implemented
    • Provides more advanced load balancing

Page 74: Remote Strategy

Figure 5-29 Using TS Session Broker for a TS farm (Courtesy Course Technology/Cengage Learning)

Page 75: Remote Strategy

TS Session Broker (cont’d.)

• Figure 5-29
  – How TS Session Broker used for load balancing in a Terminal Services farm
    • Client queries DNS for TS server IP address in the TS server farm
    • Client’s first connection
      – Communication with TS server based on the DNS IP address
    • TS server (TS2) communicates with TS Session Broker
    • TS2 informs client to connect to TS1: client connects

Page 76: Remote Strategy

TS Session Broker (cont’d.)

• Additional benefits beyond load balancing
  – Reconnecting disconnected sessions
  – Servers can be weighted
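The two-step flow of Figure 5-29 (DNS round robin hands the client some farm member, that member asks the Session Broker, and the broker answers with the server the client should actually use) together with the two extra benefits above (reconnecting a user to a disconnected session, weighting servers) can be captured in a short model. This is an added example, not code from the MCITP guide or from the TS Session Broker service; the server names, weights and users are constructed, and "sessions divided by weight" is the chosen illustration of weighted placement, not a description of the real broker's algorithm.

```python
"""Model of TS Session Broker placement in a terminal server farm.

Added example, not code from the MCITP guide or the TS Session Broker
service. DNS round robin hands the client any farm member, that server asks
the broker, and the broker answers with the server the client should use:
the user's own disconnected session if one exists, otherwise the least
loaded server by weighted load (sessions divided by weight, a constructed
illustration). Server names, weights and users are constructed.
"""
from itertools import cycle


class SessionBroker:
    def __init__(self, weights):
        self.weights = dict(weights)                # server -> relative weight
        self.sessions = {s: {} for s in weights}    # server -> {user: state}

    def place(self, user):
        """Return the server the client should connect to."""
        # Reconnect benefit: an existing disconnected session wins.
        for server, sess in self.sessions.items():
            if sess.get(user) == "disconnected":
                sess[user] = "active"
                return server
        # Weighted load balancing; ties broken by name for determinism.
        server = min(self.weights,
                     key=lambda s: (len(self.sessions[s]) / self.weights[s], s))
        self.sessions[server][user] = "active"
        return server

    def disconnect(self, user):
        for sess in self.sessions.values():
            if user in sess:
                sess[user] = "disconnected"


class Farm:
    """DNS round robin plus broker redirect, as seen by the client."""
    def __init__(self, broker):
        self.broker = broker
        self._dns = cycle(sorted(broker.weights))

    def connect(self, user):
        """Returns (server DNS answered with, server the client ends up on)."""
        first_hop = next(self._dns)            # DNS round robin answer
        target = self.broker.place(user)       # first hop consults the broker
        return first_hop, target


if __name__ == "__main__":
    farm = Farm(SessionBroker({"TS1": 2, "TS2": 1}))   # TS1 takes twice the load
    for user in ("alice", "bob", "carol", "dave"):
        print(user, farm.connect(user))
    farm.broker.disconnect("bob")
    print("bob again", farm.connect("bob"))
```

With these weights the fourth connection lands on TS2 from DNS but is redirected to TS1, which is exactly the exchange the figure shows; and when bob reconnects after a disconnect he is sent back to TS2 regardless of load, because the broker's first job is to find his existing session.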

Page 77: Remote Strategy

Summary

• Network Policy and Access Services role includes:
  – Remote Access Service
    • Hosts dial-up and VPN remote access server
• VPN server tunneling protocols support
  – PPTP, L2TP/IPSec, SSTP
• Network access policies
  – Grant access on remote access servers
• RADIUS
  – Provides centralized authentication
    • For multiple remote access servers

Page 78: Remote Strategy

Summary (cont’d.)

• Network Access Protection (NAP)
  – Provide an added layer of protection
    • Ensures clients meet certain health requirements
  – Clients must be running:
    • Windows XP SP3, Windows Vista SP1, or newer
• DHCP enforcement
  – Ensures clients meet specific requirements
    • Prior to granting a lease
• 802.1x enforcement and IPSec enforcement also used

Page 79: Remote Strategy

Summary (cont’d.)

• Terminal Services (TS)
  – Allows clients to run applications or full operating system desktops on a remote server
  – TS licensing must be configured
    • Configured with a discovery scope
• TS Gateway
  – Allows client access to internal TS servers from the Internet
• TS RemoteApp applications
  – Configured on the TS server

