MCSA Guide to Administering Microsoft Windows Server 2012/R2, Exam 70-411
Chapter 5
Remote Access Configuration

Objectives
Describe remote access
Install and configure the Remote Access server role
Configure the DirectAccess role service

MCSA Guide to Administering Microsoft Windows Server 2012/R2, Exam 70-411
Cengage Learning 2015

An Overview of Remote Access
Remote Access - a server role that provides services to keep a mobile workforce and branch offices securely connected to resources at the main office
Reasons for using a remote access solution:
  Work-from-home employees
  Frequent travelers
  Business partners
  Branch offices


An Overview of Remote Access
Remote Access services and tools:
  Virtual private network
  Remote dial-in
  Routing
  Network Address Translation
  Web Application Proxy
  DirectAccess
The Remote Access server role has additional features, but the list above covers the core services for most remote access needs

Installing and Configuring the Remote Access Role
The Remote Access role is installed by using Server Manager or the Install-WindowsFeature PowerShell cmdlet
Under the main Remote Access server role, there are three role services to choose from:
  DirectAccess and VPN (RAS) - has the features needed for dial-in, VPN, and DirectAccess remote access
  Routing - provides routing and NAT and requires the DirectAccess and VPN (RAS) role service
  Web Application Proxy - allows publishing Web-based applications for use by clients outside the network
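The Install-WindowsFeature route, as an added example that is not from the textbook: it installs only the two role services a VPN/router server needs and then verifies the result. The feature names (RemoteAccess, DirectAccess-VPN, Routing, Web-Application-Proxy) are the real Server 2012/R2 names; run it in an elevated PowerShell session on the target server.

```powershell
# Added example, not the textbook's own code.
Import-Module ServerManager

# Routing requires the DirectAccess and VPN (RAS) role service, so request both.
# Web-Application-Proxy is deliberately left out: install only what the server will use.
$features = @('DirectAccess-VPN', 'Routing')

$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) {
    throw "Role installation failed (exit code $($result.ExitCode))."
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the role can be configured.'
}

# Verify: DirectAccess-VPN and Routing should now be Installed, the parent RemoteAccess
# role Installed, and Web-Application-Proxy still Available (not installed).
Get-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing, Web-Application-Proxy |
    Select-Object Name, InstallState |
    Format-Table -AutoSize
```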

Virtual Private Networks
Virtual private network (VPN) - a network connection that uses the Internet to give mobile users or branch offices secure access to a company's network resources
VPNs use encryption and authentication to ensure communication is secure and legitimate
Tunnel - a method of transferring data across an unsecured network in such a way that the actual data in the transmission is hidden from all but the sender and receiver
  Created by encapsulation

Virtual Private Networks

Figure 5-1 A typical VPN connection


VPN Tunnel Types
Three types of VPN tunnels:
  Point-to-Point Tunneling Protocol (PPTP) - encapsulates Point-to-Point Protocol (PPP), using a modified version of Generic Routing Encapsulation (GRE)
  Layer 2 Tunneling Protocol with Internet Protocol Security (L2TP/IPsec) - generally provides a higher level of security than PPTP
  Secure Socket Tunneling Protocol (SSTP) - works behind most firewalls without the administrator needing to configure the firewall to allow VPN traffic

VPN Requirements
Your server and network must meet requirements for the type of VPN you want to set up:
  Two or more NICs installed on the server
  Correctly configured firewall
  Authentication
  DHCP configuration


Network Firewall Configuration for a VPN
Configuring the perimeter network is crucial for VPN operation
Perimeter network - a boundary between the private network and the public Internet
  Where most resources available to the Internet are located
The firewall must be configured to allow certain types of traffic, according to the VPN tunnel type
See page 174 of the textbook for a list of traffic per tunnel type
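An added example (not from the textbook) of the per-tunnel-type firewall rules on the VPN server itself, using Windows Firewall. The protocol and port list is the standard one for each tunnel type (PPTP: TCP 1723 plus GRE, IP protocol 47; L2TP/IPsec: UDP 500, UDP 4500 plus ESP, IP protocol 50; SSTP: TCP 443); it assumes the Internet-facing interface is in the Public profile and that only SSTP and L2TP are enabled on this server.

```powershell
# Added example, not the textbook's own code.
# Open only the tunnel types that are actually enabled on the server (assumed: SSTP, L2TP).
$enabledTunnels = @('SSTP', 'L2TP')

# Traffic each tunnel type needs. Non-TCP/UDP protocols are given by IP protocol number,
# as a string, which is what New-NetFirewallRule -Protocol accepts.
$tunnelTraffic = @{
    'PPTP' = @(@{ Protocol = 'TCP'; LocalPort = 1723 }, @{ Protocol = '47' })
    'L2TP' = @(@{ Protocol = 'UDP'; LocalPort = 500 },
               @{ Protocol = 'UDP'; LocalPort = 4500 },
               @{ Protocol = '50' })
    'SSTP' = @(@{ Protocol = 'TCP'; LocalPort = 443 })
}

foreach ($tunnel in $enabledTunnels) {
    $i = 0
    foreach ($t in $tunnelTraffic[$tunnel]) {
        $i++
        $params = @{
            DisplayName = "VPN $tunnel inbound $i"
            Direction   = 'Inbound'
            Action      = 'Allow'
            Profile     = 'Public'      # profile of the Internet-facing interface (assumed)
            Protocol    = $t.Protocol
        }
        if ($t.ContainsKey('LocalPort')) { $params.LocalPort = $t.LocalPort }
        New-NetFirewallRule @params | Out-Null
    }
}

# Verify what is open. Just as important: a tunnel type you did NOT enable (PPTP here)
# must have no rule, otherwise the edge keeps an opening nothing legitimately uses.
Get-NetFirewallRule -DisplayName 'VPN *' | ForEach-Object {
    $f = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; Protocol = $f.Protocol; LocalPort = $f.LocalPort }
} | Format-Table -AutoSize
```

The same protocol/port list is what the perimeter firewall in front of the server must pass through to it.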

VPN Configuration
If the VPN server is a domain member, its computer account must be added to the RAS and IAS Servers group in Active Directory
Next, click the server icon and click Configure and Enable Routing and Remote Access
The Configuration window gives you options for the type of remote access server you want to configure:
  For a standard VPN server, select the Remote access (dial-up or VPN) option

VPN Configuration

Figure 5-2 The Configuration window



VPN Configuration
In the VPN Connection window:
  You can rename network connections
  The Enable security on the selected interface by setting up static packet filters option is enabled by default
    Prevents the interface connected to the Internet from accepting any traffic that isn't part of a VPN connection
In the IP Address Assignment window, you decide how VPN client connections are assigned IP addresses (Automatically is the preferred option)

VPN Configuration

Figure 5-4 The IP Address Assignment window



VPN Configuration
Next, you decide how clients are authenticated to the VPN server and whether you want to use RADIUS to handle authentication
  See Figure 5-5 on the following slide
After you click Finish in the summary window, you see a message stating that you must configure the DHCP relay agent
  Do this if you configured automatic IP address assignment and the DHCP server is not on the same subnet

VPN Configuration

Figure 5-5 Configuring authentication



Finishing VPN Configuration
After finishing the RRAS Setup Wizard, the VPN server is ready to start accepting VPN client connections
You need to define who's allowed to connect
Two ways to allow users to connect via remote access:
  Configuring dial-in settings in user accounts
  Configuring a network policy in the Network Policy Server (NPS) console


Configuring Dial-In Settings in User Accounts
Configure each user's account properties in Active Directory or Local Users and Groups to allow remote access
In the account's Properties dialog box, click the Dial-in tab
By default, the Network Access Permission attribute is set to Control access through NPS Network Policy. Select the Allow access option to give the user permission to connect remotely via dial-in, VPN, and DirectAccess
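The two Active Directory steps from these slides (adding the VPN server's computer account to RAS and IAS Servers, and setting a user's Network Access Permission) done with the ActiveDirectory module, as an added example that is not the textbook's. The Dial-in tab's Network Access Permission is stored in the msNPAllowDialin attribute; VPN1 and jsmith are placeholder names, and the RSAT ActiveDirectory module is assumed to be available.

```powershell
# Added example, not the textbook's own code. VPN1 and jsmith are placeholders.
Import-Module ActiveDirectory

# 1. Domain-member VPN server: its computer account joins RAS and IAS Servers so the
#    server may read the dial-in properties of user accounts.
$vpnServer = Get-ADComputer -Identity 'VPN1'
Add-ADGroupMember -Identity 'RAS and IAS Servers' -Members $vpnServer
Get-ADGroupMember -Identity 'RAS and IAS Servers' | Select-Object Name, objectClass

# 2. Network Access Permission is the msNPAllowDialin attribute:
#    not set = Control access through NPS Network Policy (default), TRUE = Allow access, FALSE = Deny access
function Get-NetworkAccessPermission {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties msNPAllowDialin
    if ($null -eq $u.msNPAllowDialin) { 'Control access through NPS Network Policy' }
    elseif ($u.msNPAllowDialin)       { 'Allow access' }
    else                              { 'Deny access' }
}

function Set-NetworkAccessPermission {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][ValidateSet('Allow', 'Deny', 'NPS')][string]$Permission
    )
    switch ($Permission) {
        'Allow' { Set-ADUser -Identity $SamAccountName -Replace @{ msNPAllowDialin = $true } }
        'Deny'  { Set-ADUser -Identity $SamAccountName -Replace @{ msNPAllowDialin = $false } }
        'NPS'   { Set-ADUser -Identity $SamAccountName -Clear msNPAllowDialin }
    }
}

Set-NetworkAccessPermission -SamAccountName 'jsmith' -Permission Allow
Get-NetworkAccessPermission -SamAccountName 'jsmith'

# Audit: per-user Allow access bypasses the central NPS decision, so list who has it.
Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' | Select-Object SamAccountName
```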

Configuring Dial-In Settings in User Accounts

Figure 5-6 Configuring the Network Access Permission attribute for a user account

VPN Client Configuration
The VPN client is configured by setting up a new connection in the Network and Sharing Center
Choose Connect to a workplace and choose how you will connect
Next, enter the address of the VPN server you'll connect to and enter a name for the connection
When you create a VPN connection, the default tunnel type is Automatic
  The VPN client attempts to make the connection by using each method until it's successful or the connection fails

Configuring Remote Dial-in
A server supporting remote dial-in must have one modem connected to a phone line for each simultaneous remote access user
Remote dial-in is configured almost the same way as VPN configuration
  In the Network Selection window, choose the private network from which dial-in clients are assigned an IP address
Remote dial-in has been largely replaced by VPN and DirectAccess in Windows environments

Configuring Remote Access Options
RRAS allows multiple tunneling types by default for VPN connections
  You may want to consider restricting connections to a particular tunneling method
You can configure remote access settings in the properties of a user account
  This method can prove inefficient if many users need remote access permission
Instead, allow or disallow remote access to users based on connection-related group policies

Configuring Remote Access Security
To configure security settings for remote access, right-click the server in the Routing and Remote Access console and click Properties
In the Security tab you can configure:
  Authentication provider
  Authentication methods
  Accounting provider
  Allow custom IPsec policy for L2TP/IKEv2 connection
  SSL Certificate Binding


Configuring Available Tunnel Types
By default, each tunneling type is enabled in the RRAS service when you configure a VPN
  Each type allows up to 128 connections or ports
Configure the number of ports in the Routing and Remote Access console by right-clicking Ports and clicking Properties
  Double-click a tunnel type to see the Configure Device dialog box
Changing the number of ports to 0 effectively disables the tunnel type
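The same port-count change from PowerShell, as an added example that is not the textbook's: PPTP (the tunnel type the VPN Tunnel Types slide ranks below L2TP/IPsec for security) is disabled by setting its port count to 0, and the remaining types are sized to the expected number of simultaneous users. It assumes the RemoteAccess module installed with the DirectAccess and VPN role service; the -TunnelType, -PptpPorts, -L2tpPorts and -SstpPorts parameter names are those I know from Set-VpnServerConfiguration and should be confirmed with Get-Help on the server.

```powershell
# Added example, not the textbook's own code.
Import-Module RemoteAccess

'Before:'
Get-VpnServerConfiguration | Format-List *

# 0 ports disables the tunnel type, the same effect as the Configure Device dialog box.
Set-VpnServerConfiguration -TunnelType Pptp -PptpPorts 0

# The default is 128 ports per type; size the enabled types to the users you expect
# (50 is an assumed figure for this example).
Set-VpnServerConfiguration -TunnelType Sstp -SstpPorts 50
Set-VpnServerConfiguration -TunnelType L2tp -L2tpPorts 50

'After:'
Get-VpnServerConfiguration | Format-List *
```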

Configuring Network Policies
A user account's Network Access Permission attribute is set to Control access through NPS Network Policy in the Dial-in tab of the Properties dialog box
  By default, NPS Network Policy disallows all remote access
You must change the Network Access Permission attribute to Allow access on user accounts
You can also configure an NPS network policy in the Network Policy Server console
  Follow the steps starting on page 185

Configure Routing
Using RRAS, a Windows server can be configured as a router to connect multiple subnets in a network or connect a network to the Internet
Windows Server 2012/R2 supports static routing and dynamic routing with Routing Information Protocol Version 2 (RIPv2)
To configure a server as a router, select the Custom configuration option in the Configuration window of the RRAS Setup Wizard
  Then select the LAN routing option

Configure Routing

Figure 5-17 An RRAS server configured as a router



Routing Tables
Routing table - a list of network destinations and information on which interface can be used to reach the destination
A routing table has the following columns:
  Destination
  Network mask
  Gateway
  Interface
  Metric
  Protocol


Configuring Static Routes
After routing is enabled, you can add routing protocols and configure static routes
Static routes instruct the router where to send packets destined for particular networks
An IPv4 static route has the following information:
  Interface
  Destination
  Network mask
  Gateway
  Metric
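An added example (not from the textbook) showing how the routing-table columns on the last two slides decide where a packet goes (longest matching prefix first, then lowest metric), followed by adding a static route with the same five fields using New-NetRoute. The routing table and addresses are constructed for the example, and the interface alias LAN is assumed.

```powershell
# Added example, not the textbook's own code. Table and addresses are constructed.
function ConvertTo-UInt32Address {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [uint32](($b[0] * 16777216) + ($b[1] * 65536) + ($b[2] * 256) + $b[3])
}

function Get-PrefixLength {
    param([string]$Mask)
    $bits = [Convert]::ToString([long](ConvertTo-UInt32Address $Mask), 2)
    ($bits.ToCharArray() | Where-Object { $_ -eq '1' }).Count
}

# Destination, Network mask, Gateway, Interface, Metric (Gateway 0.0.0.0 = directly attached)
$routes = @(
    [pscustomobject]@{ Destination='0.0.0.0';  Mask='0.0.0.0';     Gateway='203.0.113.1'; Interface='Internet'; Metric=10 },
    [pscustomobject]@{ Destination='10.0.0.0'; Mask='255.0.0.0';   Gateway='10.1.0.254';  Interface='LAN';      Metric=20 },
    [pscustomobject]@{ Destination='10.2.0.0'; Mask='255.255.0.0'; Gateway='10.1.0.2';    Interface='LAN';      Metric=10 },
    [pscustomobject]@{ Destination='10.2.0.0'; Mask='255.255.0.0'; Gateway='10.1.0.3';    Interface='LAN';      Metric=30 },
    [pscustomobject]@{ Destination='10.1.0.0'; Mask='255.255.0.0'; Gateway='0.0.0.0';     Interface='LAN';      Metric=5  }
)

# A route matches when (destination IP AND mask) equals the route's Destination.
# Among matches, the longest prefix wins; among equal prefixes, the lowest metric wins.
function Find-Route {
    param([string]$DestinationIP, [object[]]$Table)
    $ip = ConvertTo-UInt32Address $DestinationIP
    $Table |
        Where-Object { ($ip -band (ConvertTo-UInt32Address $_.Mask)) -eq (ConvertTo-UInt32Address $_.Destination) } |
        Sort-Object -Property @{ Expression = { Get-PrefixLength $_.Mask }; Descending = $true },
                              @{ Expression = 'Metric'; Ascending = $true } |
        Select-Object -First 1
}

Find-Route '10.2.5.9'     $routes   # both 10.2.0.0/16 routes match; metric 10 via 10.1.0.2 wins
Find-Route '10.9.1.1'     $routes   # only 10.0.0.0/8 and the default match; /8 via 10.1.0.254 wins
Find-Route '198.51.100.7' $routes   # nothing but the default route matches; via 203.0.113.1

# The same 10.2.0.0/16 route added to the server's own table (interface alias LAN assumed).
New-NetRoute -DestinationPrefix '10.2.0.0/16' -InterfaceAlias 'LAN' -NextHop '10.1.0.2' -RouteMetric 10
Get-NetRoute -DestinationPrefix '10.2.0.0/16' | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
```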


Configuring Routing Information Protocol
In the RRAS console, under the IPv4 node, right-click General and click New Routing Protocol
  Select RIP Version 2 for IP
Next, configure RIP by enabling it on the interfaces that RIP uses to send and receive routing information
RIPv2 uses the hop count metric for determining the best path
  Hop count is the number of routers a packet must go through to reach the destination network


Configuring Network Address Translation
Network Address Translation (NAT) - a process where a router or other gateway device replaces the source or destination IP addresses in a packet before forwarding the packet
  Used to allow networks to use private IP addressing while connected to the Internet
Port Address Translation (PAT) - allows several hundred workstations to access the Internet with a single public Internet address
  Uses source TCP or UDP port numbers in addition to IP addresses
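A small model of the translation table a PAT device keeps, as an added example that is not from the textbook: it shows why rewriting the source port lets many inside hosts share one public address, and why a reply (or an unsolicited packet) is matched back only through an existing entry. The addresses are documentation ranges and the packets are constructed.

```powershell
# Added example, not the textbook's own code. Addresses and packets are constructed.
$PublicIP        = '203.0.113.5'
$script:NextPort = 40000
$script:Table    = @{}      # key "proto:publicPort" -> the inside flow it was allocated for

function Convert-OutboundPacket {
    param([string]$Proto, [string]$SrcIP, [int]$SrcPort, [string]$DstIP, [int]$DstPort)
    # Reuse the mapping if this inside socket already has one, otherwise allocate a public port.
    $existing = $script:Table.GetEnumerator() |
        Where-Object { $_.Key -like "${Proto}:*" -and $_.Value.SrcIP -eq $SrcIP -and $_.Value.SrcPort -eq $SrcPort } |
        Select-Object -First 1
    if ($existing) {
        $publicPort = [int]($existing.Key -split ':')[1]
    } else {
        $publicPort = $script:NextPort++
        $script:Table["${Proto}:$publicPort"] = @{ SrcIP = $SrcIP; SrcPort = $SrcPort; DstIP = $DstIP; DstPort = $DstPort }
    }
    # Source address AND source port are rewritten; the destination is untouched.
    [pscustomobject]@{ Proto = $Proto; SrcIP = $PublicIP; SrcPort = $publicPort; DstIP = $DstIP; DstPort = $DstPort }
}

function Convert-InboundPacket {
    param([string]$Proto, [string]$SrcIP, [int]$SrcPort, [string]$DstIP, [int]$DstPort)
    $entry = $script:Table["${Proto}:$DstPort"]
    # Only a reply to a recorded outbound flow is forwarded inside; anything else is dropped.
    # This is the incidental filtering a private network gets from NAT; it is not a firewall.
    if (-not $entry -or $entry.DstIP -ne $SrcIP -or $entry.DstPort -ne $SrcPort) { return $null }
    [pscustomobject]@{ Proto = $Proto; SrcIP = $SrcIP; SrcPort = $SrcPort; DstIP = $entry.SrcIP; DstPort = $entry.SrcPort }
}

# Two workstations that happen to use the same source port reach the same server through one public IP.
Convert-OutboundPacket 'TCP' '192.168.1.10' 50000 '198.51.100.20' 443   # leaves as 203.0.113.5:40000
Convert-OutboundPacket 'TCP' '192.168.1.11' 50000 '198.51.100.20' 443   # leaves as 203.0.113.5:40001

# The server's reply to public port 40001 is mapped back to 192.168.1.11:50000 by the port alone.
Convert-InboundPacket 'TCP' '198.51.100.20' 443 $PublicIP 40001

# An unsolicited inbound packet to a port with no mapping returns $null (dropped).
Convert-InboundPacket 'TCP' '198.51.100.99' 12345 $PublicIP 40500
```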

Configuring Network Address Translation
To configure NAT in the RRAS Setup Wizard, select the Network address translation (NAT) option in the Configuration window
For LAN-based Internet access, choose the interface connected to the Internet in the NAT Internet Connection window
If the Internet connection is dial-up, choose the option to create a new demand-dial interface to the Internet


Configuring Network Address Translation

Figure 5-21 The NAT Internet Connection window



Configuring Web Application Proxy
Web Application Proxy - allows remote users to access network applications from any device that supports a Web browser
  Applications made available to users with this method are said to be published applications
Web Application Proxy works with Active Directory Federation Services (AD FS) to enable features such as single sign-on
  AD FS is used to authenticate and authorize users who attempt to access published applications

Configuring Web Application Proxy
Requirements for configuring Web Application Proxy include the following:
  A functioning AD FS deployment on the network
  Two NICs installed on the Web Application Proxy server
  A certificate in the Personal certificate store issued by a CA that covers the federation service name, and one that covers the address of the Web application you publish
Follow the steps on page 192 to configure



The DirectAccess Role Service
DirectAccess provides many of the same features as a VPN but adds client management and always-connected capability
DirectAccess uses IPv6 and IPsec to create secure connections to the network
DirectAccess almost eliminates client connection problems caused by firewall settings


DirectAccess Requirements
DirectAccess requirements in Windows Server 2012/R2:
  Two NICs, as for a VPN server
  The server must be a domain member
  A public IP address
There is an option for DirectAccess to use Kerberos proxy for authentication and encryption
  Kerberos proxy allows a client computer to authenticate to a domain controller, using the DirectAccess server as a proxy

Optional Server Configurations
List of recommended enhancements for production environments:
  An internal PKI
  SSL certificate issued by a public CA for IP-HTTPS
  SSL certificate issued by an internal PKI for the Network Location Server
  Computer certificate issued by an internal PKI for IPsec authentication
  Two consecutive public IP addresses


DirectAccess Client Requirements
No special software needs to be installed on clients
Requirements for DirectAccess clients:
  Must be running at least Windows 7 Enterprise or Ultimate, Windows 8/8.1 Enterprise, Windows Server 2008 R2, or Windows Server 2012/R2
  The client must be a domain member
  IPv6 must be enabled on the client


How DirectAccess Connections Work
The following basic steps explain the process:
1. The client computer detects that it has a valid network connection
2. Using an NLS server, the client determines if it is connected to the Internet or the main network
  If it isn't connected to the main network, the process continues to the next step
3. The client attempts to connect to the DirectAccess server via IPv6 and IPsec
4. The client and server authenticate with each other, using computer certificates
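A client-side check that walks steps 1 and 2 by hand and then asks the DirectAccess client how steps 3 and 4 went, as an added example that is not from the textbook. It is meant to be run on a domain-joined DirectAccess client; the NLS URL is a placeholder to be replaced with the name published to clients by group policy, and the DirectAccessClientComponents module (present on Windows 8/8.1 and Server 2012/R2 clients) is assumed.

```powershell
# Added example, not the textbook's own code. The NLS URL is a placeholder.
Import-Module DirectAccessClientComponents

$NlsUrl = 'https://nls.corp.example.com/'      # placeholder: use the name from the DirectAccess client GPO

# Step 1: is there a valid network connection at all?
$profiles = Get-NetConnectionProfile
if (-not $profiles) { 'No network connection detected'; return }
$profiles | Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity, IPv6Connectivity

# Step 2: try to reach the NLS over HTTPS. It is resolvable and reachable only from the
# main network, so a DNS or connection failure means "on the Internet" and the client goes on
# to build the IPv6/IPsec tunnel. Certificate trust is deliberately NOT bypassed here: a client
# that accepted any certificate could be told it is "inside" and skip the tunnel.
$nlsName = ([uri]$NlsUrl).Host
try {
    $answers = Resolve-DnsName -Name $nlsName -ErrorAction Stop | Where-Object IPAddress
    "NLS name resolves to $($answers.IPAddress -join ', ') (internal DNS answered)"
    $resp = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -ErrorAction Stop
    "NLS reachable (HTTP $($resp.StatusCode)): client should consider itself on the main network"
} catch {
    "NLS probe failed ($($_.Exception.Message)): client should consider itself on the Internet"
}

# Steps 3 and 4 are reported by the DirectAccess client itself.
Get-DAConnectionStatus | Select-Object Status, Substatus
```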

Installing and Configuring DirectAccess
Follow the steps starting on page 196 to install a test network similar to Figure 5-24

Figure 5-24 A DirectAccess test network


Advanced DirectAccess Deployment Options
After you have established a basic DirectAccess configuration, you might want to add some of the following features for security and convenience:
  Setting up a PKI
  Configuring NLS on a separate Web server
  Configuring the name resolution policy table (NRPT)
  Configuring forced tunneling
  Configuring ISATAP


Setting Up a PKI
Basic steps to follow:
1. On a server separate from the DirectAccess server, install AD Certificate Services configured as an Enterprise Certificate Authority
2. Issue an SSL certificate to the NLS server, set up on a server separate from the DirectAccess server
3. Issue machine certificates to the DirectAccess server and each DirectAccess client computer
  It is best to configure auto-enrollment so that each client computer can automatically request and be issued a machine certificate

Configuring NLS on a Separate Web Server
You need IIS installed on any server in the network
DirectAccess clients connect to it with HTTPS, so it requires an SSL certificate
Make sure a DNS record is created on internal DNS servers that points to the NLS server using a name
The name is published to DirectAccess clients with a group policy


Configuring the Name Resolution Policy Table
When DirectAccess clients are connected to the Internet, the name resolution policy table (NRPT) makes sure DNS requests for network resources are directed to an internal DNS server
You may need to create NRPT exemptions for certain cases (referred to as split-brain DNS)
  Follow the steps outlined on page 205 to create exemptions


Configuring Force Tunneling
The default DirectAccess client configuration is split tunneling
  Split tunneling is a remote access method in which only requests for resources on the network are sent over the DirectAccess tunnel
If you configure force tunneling, all traffic from the client goes over the DirectAccess tunnel
You configure force tunneling by using group policies with the same procedure as for configuring NRPT exemptions, but enable the Route all traffic through the internal network policy

Configuring Force Tunneling

Figure 5-37 Configuring force tunneling



Configuring ISATAP
ISATAP allows computers on the network to access DirectAccess clients that are connected via the Internet
Two ways to enable it on the network:
  Enable ISATAP for all computers on the network
  Enable ISATAP for only certain computers
ISATAP is a good solution on networks that don't support IPv6 by default
  Use it if you need to initiate communication with DirectAccess clients

Summary
Remote Access is a server role that provides services to keep a mobile workforce and branch offices securely connected to the main office
When you install the Remote Access server role, you can install three role services: DirectAccess and VPN, Routing, and Web Application Proxy
A VPN is a network connection that uses the Internet to give users or branch offices secure access to a company's network resources on a private network
Windows Server 2012/R2 supports three tunnel types: PPTP, L2TP/IPsec, and SSTP

Summary
Remote dial-in uses the telephone system to connect a computer with a remote network
The default settings for VPN and dial-up may be sufficient, but you might need to support different OSs and different VPN clients over different tunneling methods, which require different security settings
Using RRAS, a Windows server can be configured as a router to connect multiple subnets in the network or connect the network to the Internet
Network Address Translation (NAT) is a process whereby a router replaces the source or destination IP addresses before forwarding a packet

Summary
Web Application Proxy is a new Routing and Remote Access role service that allows users to access applications from outside the network from any device that supports a Web browser
The DirectAccess role service provides many of the same features as a VPN but adds client management and always-connected capability
A basic DirectAccess deployment requires only a domain controller, a member server to install the DirectAccess role service, and a client computer
