Microsoft® Official Course
Module 7
Configuring and Troubleshooting Remote Access
Module Overview
Configuring Network Access
Configuring VPN Access
Overview of Network Policies
Troubleshooting Routing and Remote Access
Configuring DirectAccess
Lesson 1: Configuring Network Access
Components of a Network Access Services Infrastructure
What Is the Network Policy and Access Services Role?
What Is the Remote Access Role?
Network Authentication and Authorization
Authentication Methods
What Is a PKI?
Integrating DHCP with Routing and Remote Access
Components of a Network Access Services Infrastructure
Diagram: a network access services infrastructure spanning the Internet, a perimeter network and the intranet. Labeled components: NAP health policy server, Network Policy Server, Health Registration Authority, DHCP server, AD DS, CA, VPN server, IEEE 802.1X devices, and remediation servers on a restricted network.
What Is the Network Policy and Access Services Role?
With the Network Policy and Access Services role, you can:
• Enforce health policies
• Help to secure wireless and wired access
• Centralize network policy management
What Is the Remote Access Role?
You can use the Remote Access role to:
• Provide remote users access to resources on a private network over a VPN or dial-up connection
• Provide NAT services
• Provide LAN and WAN routing services to connect network segments
• Enable and configure DirectAccess
Network Authentication and Authorization
• Authentication:
  • Verifies the credentials of a connection attempt
  • Uses an authentication protocol to send the credentials from the remote access client to the remote access server in either plaintext or encrypted form
• Authorization:
  • Verifies that the connection attempt is allowed
  • Occurs after successful authentication
Authentication Methods
PAP
  Description: Uses plaintext passwords. Typically used only if the remote access client and remote access server cannot negotiate a more secure form of validation.
  Security level: The least secure authentication protocol. Does not protect against replay attacks, remote client impersonation, or remote server impersonation.
CHAP
  Description: A challenge-response authentication protocol that uses the industry-standard MD5 hashing scheme. An improvement over PAP in that the password is not sent over the PPP link.
  Security level: Requires a plaintext version of the password on the server to validate the challenge response (in AD DS, the account must store the password using reversible encryption). Does not protect against remote server impersonation, and a captured challenge/response pair can be attacked offline with password guesses.
MS-CHAPv2
  Description: An upgrade of MS-CHAP. Provides two-way authentication, also known as mutual authentication: the remote access client receives verification that the remote access server to which it is connecting has access to the user's password.
  Security level: Provides stronger security than CHAP. Used without a protecting tunnel (for example, over PPTP) it is considered broken; Microsoft Security Advisory 2743314 recommends wrapping it in PEAP or using L2TP/IPsec, SSTP or IKEv2 instead.
EAP
  Description: Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types (for example, EAP-TLS with certificates, or PEAP).
  Security level: Offers the strongest security by providing the most flexibility in authentication variations.
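The CHAP row says the password never crosses the link but that the server must hold a plaintext copy. The following PowerShell is an added example, not part of the course, that works the RFC 1994 exchange out locally with a constructed identifier, password and challenge, and then shows the offline-guessing weakness that motivates moving to EAP:

```powershell
# Added example (not part of the course): a CHAP (RFC 1994) exchange worked
# out locally. The identifier, password and challenge are constructed values.

function Get-ChapResponse {
    param([byte]$Identifier, [string]$Secret, [byte[]]$Challenge)
    # RFC 1994, section 4.1: Response = MD5(Identifier || Secret || Challenge)
    $data = [byte[]]([byte[]]@($Identifier) +
                     [System.Text.Encoding]::UTF8.GetBytes($Secret) +
                     $Challenge)
    $hash = [System.Security.Cryptography.MD5]::Create().ComputeHash($data)
    return ([System.BitConverter]::ToString($hash) -replace '-', '').ToLower()
}

# Server side (authenticator): send a fresh, unpredictable challenge.
$rng       = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$challenge = New-Object byte[] 16
$rng.GetBytes($challenge)
$id = [byte]0x2A

# Client side (peer): prove knowledge of the password without sending it.
$userPassword = 'Pa$$w0rd'
$response = Get-ChapResponse -Identifier $id -Secret $userPassword -Challenge $challenge

# Server side: recompute from its own copy of the password and compare. This
# is why CHAP needs the plaintext (or reversibly encrypted) password on the
# server; a salted one-way hash would not let it recompute the response.
$storedPassword = 'Pa$$w0rd'
$expected = Get-ChapResponse -Identifier $id -Secret $storedPassword -Challenge $challenge
'Challenge: ' + ([System.BitConverter]::ToString($challenge) -replace '-', '').ToLower()
"Response : $response"
"Verified : $($response -eq $expected)"

# Weakness: anyone who captured (id, challenge, response) can test password
# guesses offline at MD5 speed. The link never carried the password, but a
# weak password is still recoverable.
$guesses = 'password', 'letmein', 'Pa$$w0rd'
foreach ($g in $guesses) {
    if ((Get-ChapResponse -Identifier $id -Secret $g -Challenge $challenge) -eq $response) {
        "Offline guess succeeded: $g"
    }
}
```

Run it twice and note that the challenge, and therefore the response, changes each time; that is what defeats simple replay. The offline loop is the part that does not change between runs: whoever records one exchange can keep guessing for as long as they like.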
What Is a PKI?
Components of a public key infrastructure:
• CA
• Digital certificates
• CRLs and online responders
• Certificate templates
• Certificates and CA management tools
• AIA and CDPs
• Public key-enabled applications and services
Integrating DHCP with Routing and Remote Access
• You can provide remote clients with IP configurations by using either:
  • A static pool created on the Remote Access server for use with remote clients
  • A DHCP server
• DHCP servers that run Windows Server 2012:
  • Provide a predefined user class called the Default Routing and Remote Access Class
  • Are useful for assigning options that are provided to Routing and Remote Access clients only
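An added example (not part of the course) of the second bullet: binding DHCP options to the Default Routing and Remote Access Class so that only VPN clients receive them. It runs on a Windows Server 2012 DHCP server with the DhcpServer module; the scope, addresses and DNS server values are constructed, and the scope is assumed to be the subnet the RRAS server's internal interface is on.

```powershell
# Added example (not part of the course). Scope and addresses are constructed.
Import-Module DhcpServer

# Scope the RRAS server will draw client addresses from. RRAS leases 10
# addresses at a time and hands them to remote clients one by one, which is
# why the pool must be large enough for ten plus the LAN hosts.
Add-DhcpServerv4Scope -Name 'Corpnet' -StartRange 10.0.0.50 -EndRange 10.0.0.250 `
    -SubnetMask 255.255.255.0 -State Active

# Scope-wide options that every client receives.
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -DnsServer 10.0.0.10 -DnsDomain 'corp.adatum.com'

# The predefined user class RRAS presents when it requests options on behalf
# of a remote client. Options bound to it are delivered to VPN/dial-up clients only.
$rrasClass = Get-DhcpServerv4Class -Type User |
    Where-Object Name -eq 'Default Routing and Remote Access Class'
$rrasClass | Select-Object Name, Type, Description

# Give remote clients a dedicated DNS server; LAN hosts keep 10.0.0.10.
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -UserClass $rrasClass.Name -DnsServer 10.0.0.11

# Compare what a LAN client and a remote client would receive.
Get-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -All
Get-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -UserClass $rrasClass.Name -All
```

The second Get-DhcpServerv4OptionValue call is the check: the class-scoped DNS entry should appear only there. If it appears in the first call as well, the value was set at scope level rather than on the user class.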
Lesson 2: Configuring VPN Access
What Is a VPN Connection?
Tunneling Protocols for VPN Connections
What Is VPN Reconnect?
Configuration Requirements
Demonstration: How to Configure VPN Access
Completing Additional Configuration Tasks
What Is the Connection Manager Administration Kit?
Demonstration: How to Create a Connection Profile
What Is a VPN Connection?
Diagram: a large, a medium and a small branch office, a home office with a VPN client, and a remote user with a VPN client, each connected over VPN to VPN servers at corporate headquarters.
Tunneling Protocols for VPN Connections
Windows Server 2012 supports the following VPN tunneling protocols:
• PPTP
• L2TP/IPsec
• SSTP
• IKEv2
What Is VPN Reconnect?
VPN Reconnect maintains connectivity across network outages. VPN Reconnect:
• Provides seamless and consistent VPN connectivity
• Uses IKEv2 and its mobility extension (MOBIKE)
• Automatically re-establishes VPN connections when connectivity is available
• Maintains the connection if users move between different networks
• Provides transparent connection status to users
Configuration Requirements
VPN server configuration requirements include:
• Two network interfaces (public and private)
• IP address allocation (static pool or DHCP)
• Authentication provider (NPS/RADIUS or the VPN server)
• DHCP relay agent considerations
• Membership in the local Administrators group or equivalent
Demonstration: How to Configure VPN Access
In this demonstration, you will see how to:
• Configure Remote Access as a VPN server
• Configure a VPN client
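The same two steps, scripted, as an added example that is not part of the course. The server part runs on the RRAS server (LON-RTR in Lab A) with a public and a private interface; the client part runs on a Windows 8 client. vpn.adatum.com, the address pool and the connection name are constructed, and the pool is assumed to lie on the server's internal subnet.

```powershell
# Added example (not part of the course). Host name, pool and names are constructed.

# ----- Server: install the Remote Access role and enable it as a VPN server -----
Install-WindowsFeature RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn

# Address allocation: a static pool instead of DHCP (see Lesson 1).
netsh ras ip set addrassign method=pool
netsh ras ip add range from=10.0.0.200 to=10.0.0.220

# Verify: the service is running and the server listens for SSTP on TCP 443.
Get-Service RemoteAccess | Select-Object Name, Status, StartType
Get-NetTCPConnection -LocalPort 443 -State Listen

# ----- Client: create the connection object, then dial it by hand -----
Add-VpnConnection -Name 'A. Datum VPN' -ServerAddress 'vpn.adatum.com' -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -RememberCredential -PassThru

Test-NetConnection 'vpn.adatum.com' -Port 443        # reachability before dialing
rasdial 'A. Datum VPN' 'Adatum\Administrator' *      # "*" prompts for the password
Get-VpnConnection -Name 'A. Datum VPN' | Select-Object ConnectionStatus, TunnelType
Get-NetIPAddress -InterfaceAlias 'A. Datum VPN' -AddressFamily IPv4 | Select-Object IPAddress
rasdial 'A. Datum VPN' /disconnect
```

SSTP carries PPP inside TLS, so the MS-CHAPv2 exchange is not visible on the wire; the authentication provider stays Windows Authentication on the server here, and can be switched to an NPS/RADIUS server later without touching the client.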
Completing Additional Configuration Tasks
You may need to perform additional steps to help to secure the installation of Remote Access:
• Configure static packet filters
• Configure services and ports
• Adjust logging levels for routing protocols
• Configure the number of available VPN ports
• Create a Connection Manager profile for users
• Add Certificate Services
• Increase remote access security
• Increase VPN security
• Consider implementing VPN Reconnect
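An added example (not part of the course) that carries out three of these tasks, restricting user authentication to EAP, adding static packet filters, and verifying the result, on a server that should expose only SSTP and IKEv2 to the Internet. The interface alias 'Public' and the root CA name 'Adatum' are assumptions; substitute the server's own.

```powershell
# Added example (not part of the course). 'Public' and 'Adatum' are assumed names.

# 1. User authentication: accept EAP only (EAP-TLS or PEAP), so PAP, CHAP and
#    unprotected MS-CHAP v2 can no longer be negotiated. The root CA is the
#    issuer the server trusts for IKEv2 machine certificates.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Subject -like '*Adatum*' | Select-Object -First 1
Set-VpnAuthProtocol -UserAuthProtocolAccepted EAP -RootCertificateNameToAccept $root -PassThru

# 2. Static packet filters on the public interface: permit the tunnel
#    protocols in use and explicitly block the ones that are not offered.
$pub = 'Public'
New-NetFirewallRule -DisplayName 'RAS SSTP in'    -Direction Inbound -InterfaceAlias $pub `
    -Protocol TCP -LocalPort 443 -Action Allow
New-NetFirewallRule -DisplayName 'RAS IKEv2 in'   -Direction Inbound -InterfaceAlias $pub `
    -Protocol UDP -LocalPort 500, 4500 -Action Allow
New-NetFirewallRule -DisplayName 'RAS block PPTP' -Direction Inbound -InterfaceAlias $pub `
    -Protocol TCP -LocalPort 1723 -Action Block
New-NetFirewallRule -DisplayName 'RAS block GRE'  -Direction Inbound -InterfaceAlias $pub `
    -Protocol 47 -Action Block
New-NetFirewallRule -DisplayName 'RAS block L2TP' -Direction Inbound -InterfaceAlias $pub `
    -Protocol UDP -LocalPort 1701 -Action Block

# 3. Verify what the server now accepts and which filters exist.
Get-VpnAuthProtocol | Format-List
Get-NetFirewallRule -DisplayName 'RAS *' | Format-Table DisplayName, Direction, Action -AutoSize
```

Block rules are listed explicitly rather than relying on the absence of an allow rule so that an administrator who later enables PPTP in the console still has to revisit the filters on purpose.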
What Is the Connection Manager Administration Kit?
The CMAK:
• Allows you to customize users' remote connection experience by creating predefined connections to remote servers and networks
• Creates an executable file that can be run on a client computer to establish a network connection that you have designed
• Reduces Help Desk requests related to the configuration of RAS connections by:
  • Assisting in problem resolution, because the configuration is known
  • Reducing the likelihood of user errors when they configure their own connection objects
Demonstration: How to Create a Connection Profile
In this demonstration, you will see how to:
• Install CMAK
• Create a connection profile
• Examine the profile
Lesson 3: Overview of Network Policies
What Is a Network Policy?
Network Policy Processing
Process for Creating and Configuring a Network Policy
Demonstration: How to Create a Network Policy
What Is a Network Policy?
A network policy consists of the following elements:
• Conditions
• Constraints
• Settings
Network Policy Processing
NPS evaluates network policies in processing order; the first policy whose conditions match decides the outcome:
1. Are there policies to process? If not, reject the connection attempt.
2. Does the connection attempt match the policy conditions? If not, go to the next policy (and reject if none is left).
3. Is the remote access permission for the user account set to Deny Access? If yes, reject the connection attempt.
4. Is the remote access permission for the user account set to Allow Access? If yes, skip the policy's own permission setting and continue with step 6.
5. Otherwise (Control access through NPS Network Policy): is the remote access permission on the policy set to Deny remote access permission? If yes, reject the connection attempt.
6. Does the connection attempt match the user object and profile settings (the policy's constraints and settings)? If yes, accept the connection attempt; if not, reject it. No later policy is evaluated.
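A PowerShell model of that processing order, as an added example that is not part of the course and does not call NPS. It reproduces the lab review question: a first policy for a group everyone belongs to, with a day-and-time constraint, and a second policy for Domain Admins with no constraints. Policies, groups and times are constructed.

```powershell
# Added example (not part of the course): a model of NPS policy processing.

function Test-NetworkPolicyAccess {
    param(
        [object[]]$Policies,   # evaluated in ProcessingOrder
        [hashtable]$Request    # Groups, TunnelType, Time, DialInPermission
    )
    if (-not $Policies) { return 'Reject: no policies to process' }
    foreach ($p in ($Policies | Sort-Object ProcessingOrder)) {
        # 1. Conditions: all must match, otherwise NPS moves to the next policy.
        $match = $true
        foreach ($c in $p.Conditions.GetEnumerator()) {
            switch ($c.Key) {
                'Group'      { if ($Request.Groups -notcontains $c.Value)   { $match = $false } }
                'TunnelType' { if ($c.Value -notcontains $Request.TunnelType) { $match = $false } }
            }
        }
        if (-not $match) { continue }

        # 2. First matching policy decides. The account's dial-in permission
        #    overrides the policy's Grant/Deny unless it is "control via policy".
        $permission = switch ($Request.DialInPermission) {
            'Deny'  { 'Deny' }
            'Allow' { 'Grant' }
            default { $p.AccessPermission }
        }
        if ($permission -eq 'Deny') { return "Reject: '$($p.Name)' denies access" }

        # 3. Constraints must also hold. NPS does NOT fall through to a later
        #    policy when they fail; the attempt is rejected here.
        if ($p.Constraints.ContainsKey('Hours')) {
            $h = $p.Constraints.Hours
            $inHours = ($Request.Time.DayOfWeek.ToString() -in $h.Days) -and
                       ($Request.Time.Hour -ge $h.Start) -and ($Request.Time.Hour -lt $h.End)
            if (-not $inHours) { return "Reject: '$($p.Name)' matched, day/time constraint failed" }
        }
        if ($p.Constraints.ContainsKey('TunnelType') -and
            $p.Constraints.TunnelType -notcontains $Request.TunnelType) {
            return "Reject: '$($p.Name)' matched, tunnel type constraint failed"
        }
        return "Accept: '$($p.Name)'"
    }
    return 'Reject: no policy matched'
}

$policies = @(
    [pscustomobject]@{ Name = 'All Contoso staff, office hours'; ProcessingOrder = 1
        AccessPermission = 'Grant'; Conditions = @{ Group = 'Contoso' }
        Constraints = @{ Hours = @{ Days = 'Monday','Tuesday','Wednesday','Thursday','Friday'
                                    Start = 8; End = 18 } } }
    [pscustomobject]@{ Name = 'Domain Admins, any time'; ProcessingOrder = 2
        AccessPermission = 'Grant'; Conditions = @{ Group = 'Domain Admins' }; Constraints = @{} }
)
# An administrator dialing in on a Saturday evening (constructed request).
$admin = @{ Groups = 'Contoso', 'Domain Admins'; TunnelType = 'SSTP'
            DialInPermission = 'NPS'; Time = Get-Date '2012-11-03 22:00' }

Test-NetworkPolicyAccess -Policies $policies -Request $admin
# Policy 1 matches (admins are also in Contoso) and its constraint fails, so
# policy 2 is never reached. The fix is ordering, not permissions:
$policies[1].ProcessingOrder = 0
Test-NetworkPolicyAccess -Policies $policies -Request $admin
```

The first call rejects and the second accepts. The lesson transfers directly to the real console: put the narrower policy (Domain Admins) above the broader one (everyone), or tighten the first policy's condition so it no longer matches administrators.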
Process for Creating and Configuring a Network Policy
To create a network policy:
• Determine authorization by user or group
• Determine appropriate settings for the user account's network access permissions
To configure the New Network Policy Wizard:
• Configure network policy conditions
• Configure network policy constraints
• Configure network policy settings
Demonstration: How to Create a Network Policy
In this demonstration, you will see how to:
• Create a VPN policy based on a Windows Groups condition
• Test the VPN
Lesson 4: Troubleshooting Routing and Remote Access
Configuring Remote Access Logging
Configuring Remote Access Tracing
Resolving General VPN Problems
Troubleshooting Other Issues
Configuring Remote Access Logging
You can configure remote access logging to:
• Log errors only
• Log errors and warnings
• Log all events
• Not log any events
• Log additional routing and remote access information
Configuring Remote Access Tracing
You can configure remote access tracing by using:
• The netsh command, which enables file tracing on all RAS components (replace * with a component name to trace only that one):
    netsh ras diagnostics set rastracing component=* state=enabled
  and disables it again with state=disabled
• The registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing, where each component's EnableFileTracing value controls whether it writes a log to %windir%\tracing
Tracing consumes resources; use it for troubleshooting only, and then disable it.
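An added example (not part of the course) of one bounded tracing session: enable tracing for a few components through the registry keys the netsh command writes, reproduce the problem, disable tracing again, and collect the logs. The component key names PPP, RASMAN and RASTAPI are the ones assumed here; the set present varies by build, so the script skips any that do not exist.

```powershell
# Added example (not part of the course). Component names are assumptions.
$tracingKey = 'HKLM:\SOFTWARE\Microsoft\Tracing'
$components = 'PPP', 'RASMAN', 'RASTAPI'

# 1. Turn on file tracing for the chosen components only.
#    (Everything at once: netsh ras diagnostics set rastracing component=* state=enabled)
foreach ($c in $components) {
    if (Test-Path "$tracingKey\$c") {
        Set-ItemProperty -Path "$tracingKey\$c" -Name EnableFileTracing -Value 1 -Type DWord
    }
}
Get-ItemProperty -Path ($components | ForEach-Object { "$tracingKey\$_" }) -Name EnableFileTracing |
    Select-Object PSChildName, EnableFileTracing

# 2. Reproduce the failing connection now (for example, rasdial on the client).
Read-Host 'Reproduce the problem, then press Enter to stop tracing'

# 3. Always switch tracing off again: it costs CPU and disk, and the logs hold
#    user names and connection details that should not keep accumulating.
foreach ($c in $components) {
    if (Test-Path "$tracingKey\$c") {
        Set-ItemProperty -Path "$tracingKey\$c" -Name EnableFileTracing -Value 0 -Type DWord
    }
}

# 4. Collect the logs from %windir%\tracing and pull out the interesting lines.
$logs = Get-ChildItem "$env:windir\tracing" -Filter '*.log' |
    Where-Object BaseName -in $components
$logs | Select-Object Name, Length, LastWriteTime
$logs | Select-String -Pattern 'error|fail|authenticat' | Select-Object -First 20
```

Keeping the disable step in the same script as the enable step is the practical answer to the caveat on this slide: tracing left on is easy to forget and fills the disk with sensitive detail.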
Resolving General VPN Problems
• Verify the host name
• Verify the credentials
• Verify the user account
• Reset the password
• Verify that the user account has not been locked out
• Check that Routing and Remote Access is running
• Verify that the VPN server is enabled for remote access
• Verify the WAN Miniport protocols
• Check for a common authentication method
• Check for at least one common encryption strength
• Verify the connection's parameters
Troubleshooting Other Issues
Common problems regarding remote access include:
• Error 800: VPN unreachable
• Error 721: Remote computer not responding
• Error 741/742: Encryption mismatch
• L2TP/IPsec issues
• EAP-TLS issues
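A first-pass check script for the items on the two slides above, as an added example that is not part of the course. Client-side lines run on the Windows 8 client, server-side lines on the RRAS/NPS server or a domain controller; vpn.adatum.com, the connection name and the account name are constructed.

```powershell
# Added example (not part of the course). Names and account are constructed.

# --- Error 800 (VPN unreachable): host name and reachability of the tunnel port (client) ---
Resolve-DnsName 'vpn.adatum.com' -Type A
Test-NetConnection 'vpn.adatum.com' -Port 443     # 443 = SSTP; PPTP uses TCP 1723, IKEv2 UDP 500/4500

# --- Error 721 (remote computer not responding): typical of PPTP when TCP 1723 is
#     open but GRE (IP protocol 47) is filtered somewhere on the path. Check the
#     server's built-in RRAS rules are enabled (server). ---
Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' |
    Format-Table DisplayName, Enabled, Direction, Action -AutoSize

# --- Service running and server enabled for remote access (server) ---
Get-Service RemoteAccess | Select-Object Name, Status, StartType
Get-RemoteAccess

# --- Account: disabled, locked out, dial-in permission (domain controller) ---
Get-ADUser -Identity 'Administrator' -Properties LockedOut, Enabled, msNPAllowDialin |
    Select-Object SamAccountName, Enabled, LockedOut, msNPAllowDialin
# msNPAllowDialin: True = Allow Access, False = Deny Access, unset = Control access through NPS

# --- Errors 741/742 and "no common authentication method": compare the server's
#     accepted protocols with what the client offers ---
Get-VpnAuthProtocol | Format-List                                   # server
Get-VpnConnection -Name 'A. Datum VPN' |                            # client
    Select-Object TunnelType, AuthenticationMethod, EncryptionLevel

# --- The decisive evidence: NPS audit events. 6272 = access granted,
#     6273 = access denied; the event text carries the Reason Code and the
#     policy that was matched. ---
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message | Format-List
```

Start from the 6273 events when the client gets as far as authenticating: the Reason Code tells you whether the rejection came from credentials, the account's dial-in setting, or a policy constraint, which is the same decision sequence shown in Lesson 3.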
Lab A: Configuring Remote Access
Exercise 1: Configuring a Virtual Private Network Server
Exercise 2: Configuring VPN Clients
Logon Information
Virtual machines: 20411B-LON-DC1, 20411B-LON-RTR, 20411B-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 30 minutes
Lab A Scenario
A. Datum Corporation wants to implement a Remote Access solution for its employees so they can connect to the corporate network while away from the office. You are required to enable and configure the necessary server services to facilitate this remote access. To support the VPN solution, you need to configure a Network Policy that reflects corporate remote connection policy. For the pilot, only the IT security group should be able to use VPN. Required conditions include the need for a client certificate, and connection hours are only allowed between Monday and Friday, at any time.
Review Questions
• If you use the alternative solution, how many addresses are allocated to the VPN server at one time?
• In the lab, you configured a policy condition of tunnel type and a constraint of a day and time restriction. If there were two policies, the one you created plus an additional one that had a condition of membership of the Domain Admins group and constraints of tunnel type (PPTP or L2TP), why might your administrators be unable to connect out of office hours?
Lesson 5: Configuring DirectAccess
Complexities of Managing VPNs
What Is DirectAccess?
Components of DirectAccess
What Is the Name Resolution Policy Table?
How DirectAccess Works for Internal Clients
How DirectAccess Works for External Clients
Prerequisites for Implementing DirectAccess
Configuring DirectAccess
Complexities of Managing VPNs
VPN connections can pose the following problems:
• Users must initiate the VPN connections
• The connections may require multiple steps to initiate
• Firewalls can pose additional considerations
• Troubleshooting failed VPN connections can be time-consuming
• VPN-connected computers are not easily managed
What Is DirectAccess?
Features of DirectAccess:
• Connects automatically to the corporate network over the public network
• Uses various protocols, including HTTPS, to establish IPv6 connectivity
• Supports selected server access and IPsec authentication
• Supports end-to-end authentication and encryption
• Supports management of remote client computers
• Allows remote users to connect directly to intranet servers
Components of DirectAccess
Diagram: components of a DirectAccess deployment. Labels: Internet websites, DirectAccess server, AD DS domain controller and DNS server, internal network resources, NLS, PKI deployment, IPv6/IPsec, external clients with NRPT and connection security rules, and internal clients.
What Is the Name Resolution Policy Table?
The NRPT is a table that defines DNS servers for different namespaces and their corresponding security settings; the DNS client consults the NRPT before the adapter's DNS settings.
Using the NRPT:
• DNS servers can be defined for each DNS namespace rather than for each interface
• DNS queries for specific namespaces can optionally be secured by using IPsec
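An added example (not part of the course) that makes the "namespace rather than interface" point visible on a Windows 8 client. In a real deployment the rules arrive through the DirectAccess client GPO; here two rules are added locally, inspected and removed. The namespaces and the IPv6 DNS server address are constructed; expressing the NLS exemption as a rule with no server list is an assumption modeled on what the DirectAccess GPO does.

```powershell
# Added example (not part of the course). Run as an administrator on a client.
Import-Module DnsClient

# Rule 1: every name under corp.adatum.com goes to the intranet DNS server over
# DirectAccess, no matter which adapter's DNS settings are active.
Add-DnsClientNrptRule -Namespace '.corp.adatum.com' -DAEnable `
    -DirectAccessDnsServers '2001:db8:1::10' -Comment 'DirectAccess intranet namespace'

# Rule 2: exemption for the network location server. A rule with no DNS server
# means "resolve normally", so the NLS probe never goes through the tunnel
# (assumed form of the exemption).
Add-DnsClientNrptRule -Namespace 'nls.corp.adatum.com' -Comment 'NLS exemption'

# The effective table: the longest matching suffix wins, and any matching rule
# is applied before the adapter's DNS settings are even considered.
Get-DnsClientNrptPolicy -Effective |
    Format-Table Namespace, DirectAccessEnabled, DirectAccessDnsServers -AutoSize

# Resolve one name from each rule and note which server answered.
Resolve-DnsName 'fileserver.corp.adatum.com' -DnsOnly
Resolve-DnsName 'nls.corp.adatum.com' -DnsOnly

# Clean up the locally added rules (GPO-delivered rules are left alone).
Get-DnsClientNrptRule |
    Where-Object { $_.Comment -in 'DirectAccess intranet namespace', 'NLS exemption' } |
    ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }
```

The exemption matters for the location check in the next two slides: if the NLS name were sent to the intranet DNS server through DirectAccess, a remote client could resolve and reach it and wrongly conclude it was inside the network.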
Diagram: the NRPT in the DirectAccess topology. Labels: Internet websites, DirectAccess server, AD DS domain controller and DNS server, internal client computers, internal network resources, CRL distribution point, and NLS.
How DirectAccess Works for Internal Client Computers
Diagram labels: internal client computers, NRPT, connection security rules, DirectAccess server, AD DS domain controller and DNS server, internal network resources, infrastructure.
An internal client can reach the network location server (NLS) over HTTPS, so it concludes that it is on the intranet: the NRPT rules and the DirectAccess connection security rules are not applied, and names are resolved through the adapter's DNS settings.
How DirectAccess Works for External Client Computers
Diagram labels: external client computers, NRPT, connection security rules, DirectAccess server, AD DS domain controller and DNS server, internal network resources, Internet websites, infrastructure, intranet.
An external client cannot reach the NLS, so it applies the NRPT and its connection security rules. It first establishes the infrastructure tunnel to the domain controller and DNS server, authenticated with the computer account, and then the intranet tunnel to the internal network resources, adding the user's credentials. Traffic to Internet websites is sent directly and never enters the tunnels.
Prerequisites for Implementing DirectAccess
• AD DS
• Group Policy
• IPv6 and transition technologies
• ICMPv6 Echo Request traffic
• IPsec policies
• PKI
• DirectAccess server
• DNS and domain controller
Configuring DirectAccess
To configure DirectAccess:
1. Configure the AD DS domain controller and DNS
2. Configure the PKI environment
3. Configure the DirectAccess server
4. Configure the DirectAccess clients and test intranet and Internet access
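Verification for step 4, as an added example that is not part of the course. The first part runs on the DirectAccess server (LON-SVR1 in Lab B) and reads back what the Remote Access wizard configured; the second runs on a Windows 8 client (LON-CL1) placed on the Internet side. The host names are constructed.

```powershell
# Added example (not part of the course). Host names are constructed.

# ----- Server: read back the configuration the wizard produced -----
Import-Module RemoteAccess
Get-RemoteAccess                  # overall DirectAccess / VPN status
Get-DAServer                      # public address, IP-HTTPS, authentication settings
Get-DANetworkLocationServer       # the NLS URL clients probe to decide where they are
Get-DAClient                      # security groups targeted by the client GPO
Get-DAClientDnsConfiguration      # NRPT entries pushed to clients by that GPO

# ----- Client: where does it think it is, and does it actually work? -----
Import-Module DirectAccessClientComponents
Get-DAConnectionStatus            # ConnectedLocally / ConnectedRemotely / Error + substatus

# The location decision itself: an HTTPS probe of the NLS. Inside, it succeeds;
# outside, it fails (and the NRPT exemption keeps it from going via the tunnel).
try {
    Invoke-WebRequest 'https://nls.corp.adatum.com' -UseBasicParsing | Out-Null
    'NLS reachable: client treats itself as on the intranet'
} catch {
    'NLS unreachable: client applies the NRPT and connection security rules'
}

Get-DnsClientNrptPolicy -Effective    # non-empty only when the client is remote
Get-NetIPHttpsState                   # IP-HTTPS is the fallback when Teredo/6to4 fail
Get-NetIPsecMainModeSA  | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize
Get-NetIPsecQuickModeSA | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize

# End-to-end: an intranet name must resolve to an IPv6 address through the
# NRPT server, and the resource must be reachable through the tunnel.
Resolve-DnsName 'dc1.corp.adatum.com'
Test-NetConnection 'dc1.corp.adatum.com' -Port 445
```

Two main mode SAs on a remote client (one to the infrastructure tunnel endpoint, one to the intranet tunnel endpoint) are the quickest confirmation that both tunnels described in the external-client slide came up.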
Lab B: Configuring DirectAccess
Exercise 1: Configuring the DirectAccess Infrastructure
Exercise 2: Configuring the DirectAccess Clients
Exercise 3: Verifying the DirectAccess Configuration
Logon Information
Virtual machines: 20411B-LON-DC1, 20411B-LON-SVR1, 20411B-LON-RTR, 20411B-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 90 minutes
Lab B Scenario
Because A. Datum Corporation has expanded, many of the employees are now frequently out of the office, either working from home or traveling. A. Datum wants to implement a remote access solution for its employees so they can connect to the corporate network while they are away from the office. Although the VPN solution that you implemented provides a high level of security, business management is concerned about the complexity of the environment for end users. In addition, IT management is concerned that they are not able to manage the remote clients effectively. To address these issues, A. Datum has decided to implement DirectAccess on client computers that are running Windows 8.
As a senior network administrator, you are required to deploy and validate the DirectAccess deployment. You will configure the DirectAccess environment, and validate that the client computers can connect to the internal network when operating remotely.
Review Questions
• Your organization wants to implement a cost-effective solution that interconnects two branch offices with your head office. In what way could VPNs play a role in this scenario?
• The IT manager at your organization is concerned about opening too many firewall ports to facilitate remote access from users that are working from home through a VPN. How could you meet the expectations of your remote users while allaying your manager’s concerns?
• You have a VPN server with two configured network policies. The first has a condition that grants access to members of the Contoso group, to which everyone in your organization belongs, but has a constraint of Day and Time restrictions for office hours only. The second policy had a condition of membership of the Domain Admins group and no constraints. Why are administrators being refused connections out of office hours, and what can you do about it?
• How does the DirectAccess client determine if it is connected to the intranet or the Internet?
• What is the use of an NRPT?
Module Review and Takeaways
Review Questions
Tools