Configuring and Troubleshooting Remote Access

Presentation on theme: "Configuring and Troubleshooting Remote Access"— Presentation transcript:

1 Configuring and Troubleshooting Remote Access
Presentation: 120 minutes
Lab: 120 minutes

After completing this module, students will be able to:
- Configure network access.
- Configure virtual private networks (VPN) access.
- Describe the role of network policies.
- Troubleshoot routing and remote access.
- Configure DirectAccess, a feature of the Windows® 7 operating system and Windows 8 operating system.

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 20411B_07.pptx.
Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of Office PowerPoint, all the features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations.
- Practice performing the labs.
- Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

As you prepare for this class, it is imperative that you complete the labs yourself so that you understand how they work and the concepts that are covered in each. This will allow you to provide meaningful hints to students who may get stuck in a lab, and it also will help guide your lecture to ensure that you cover the concepts that the labs cover.
Module 7 Configuring and Troubleshooting Remote Access

2 Configuring DirectAccess
20411B Module Overview 7: Configuring and Troubleshooting Remote Access Configuring DirectAccess Briefly describe the module content.

3 Lesson 1: Configuring Network Access
20411B Lesson 1: Configuring Network Access 7: Configuring and Troubleshooting Remote Access Integrating DHCP with Routing and Remote Access Briefly describe the lesson content.

4 Components of a Network Access Services Infrastructure
20411B Components of a Network Access Services Infrastructure 7: Configuring and Troubleshooting Remote Access
Slide graphic (components shown): Intranet, Internet, Perimeter Network, Restricted Network, NAP Health Policy Server, DHCP Server, Health Registration Authority, IEEE 802.1X Devices, AD DS, CA, VPN Server, Remediation Servers, Network Policy Server

Discuss the underlying infrastructure in a complete Network Access Service (NAS). Review the graphic on the slide and explain the different connection options that you can use in a Windows operating system environment using the Network Policy Server (NPS)/Routing and Remote Access service.
Note: Do not spend too long discussing Network Access Protection (NAP) components, as these will be discussed later in the course.

5 What Is the Network Policy and Access Services Role?
20411B What Is the Network Policy and Access Services Role? 7: Configuring and Troubleshooting Remote Access
With the Network Policy and Access Services role, you can:
- Enforce health policies
- Help to secure wireless and wired access
- Centralize network policy management

Describe each of the functions on the slide. Remind students that the Remote Access component is separate from the Network Policy and Access Services role in Windows Server® 2012, and must be installed as a separate role.

6 What Is the Remote Access Role?
20411B What Is the Remote Access Role? 7: Configuring and Troubleshooting Remote Access
You can use the Remote Access role to:
- Provide remote users access to resources on a private network over a VPN or dial-up connection
- Provide NAT services
- Provide LAN and WAN routing services to connect network segments
- Enable and configure DirectAccess

Describe each of the services mentioned on the slide. Use this as a way of introducing each of the subsequent lessons, which will focus on the functions supported by the Remote Access role.

7 Network Authentication and Authorization
20411B Network Authentication and Authorization 7: Configuring and Troubleshooting Remote Access
Authentication:
- Verifies the credentials of a connection attempt
- Uses an authentication protocol to send the credentials from the remote access client to the remote access server in either plain text or encrypted form
Authorization:
- Verifies that the connection attempt is allowed
- Occurs after successful authentication

Make certain that the students understand the difference between authentication and authorization. Emphasize that authorization takes place after successful authentication.

8 Authentication Methods
20411B Authentication Methods 7: Configuring and Troubleshooting Remote Access
Protocol / Description / Security Level

PAP
  Description: Uses plaintext passwords. Typically used if the remote access client and remote access server cannot negotiate a more secure form of validation.
  Security level: The least secure authentication protocol. Does not protect against replay attacks, remote client impersonation, or remote server impersonation.

CHAP
  Description: A challenge-response authentication protocol that uses the industry-standard MD5 hashing scheme.
  Security level: An improvement over PAP in that the password is not sent over the PPP link. Requires a plaintext version of the password to validate the challenge response. Does not protect against remote server impersonation.

MS-CHAPv2
  Description: An upgrade of MS-CHAP. Provides two-way authentication, also known as mutual authentication. The remote access client receives verification that the remote access server to which it is dialing in has access to the user’s password.
  Security level: Provides stronger security than CHAP.

EAP
  Description: Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types.
  Security level: Offers the strongest security by providing the most flexibility in authentication variations.

Discuss each of the different authentication protocols, and explain why you would not want to allow the use of Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP v2) as options for a Routing and Remote Access service solution. This is because of nonexistent or weak encryption. MS-CHAP v2 may be useful to support legacy clients that are incapable of using newer, stronger authentication methods. CHAP may be useful to support some non-Microsoft-based client authentication protocols. Explain Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP) authentication and the requirement of X.509 certificates.

9 What Is a PKI?
20411B What Is a PKI? 7: Configuring and Troubleshooting Remote Access
PKI components shown on the slide:
- Digital Certificates
- Certificate Templates
- CRLs and Online Responders
- CA
- Public Key–Enabled Applications and Services
- Certificates and CA Management Tools
- AIA and CDPs

Briefly describe each component of the PKI solution.

10 Integrating DHCP with Routing and Remote Access
20411B Integrating DHCP with Routing and Remote Access 7: Configuring and Troubleshooting Remote Access
You can provide remote clients with IP configurations by using either:
- A static pool created on the Remote Access server for use with remote clients
- A DHCP server
DHCP servers that run Windows Server 2012:
- Provide a predefined user class called the Default Routing and Remote Access Class
- Are useful for assigning options that are provided to Routing and Remote Access clients only

Explain that the Remote Access service administrator can provide a pool of addresses on the Routing and Remote Access server to support remote clients with an IP configuration, or they can use the existing Dynamic Host Configuration Protocol (DHCP) infrastructure on the corporate local area network (LAN). If the administrator chooses to use the existing DHCP server, the Routing and Remote Access server acquires a pool of at least 10 IP addresses. The Routing and Remote Access server applies the first IP address to its own interface, and the remaining nine IP addresses are used for remote client connections. After the first 10 IP addresses are assigned, the Routing and Remote Access server refers to DHCP to acquire 10 more IP addresses.

11 Lesson 2: Configuring VPN Access
20411B Lesson 2: Configuring VPN Access 7: Configuring and Troubleshooting Remote Access Demonstration: How to Create a Connection Profile Briefly describe the lesson content.

12 What Is a VPN Connection?
20411B What Is a VPN Connection? 7: Configuring and Troubleshooting Remote Access
Slide graphic: Corporate Headquarters (VPN Server) connected over the Internet to a Large Branch Office, a Medium Branch Office and a Small Branch Office (each with a VPN Server), a Home Office with VPN Client, and a Remote User with VPN Client.

Describe how a VPN connection is used to connect remote network clients. Present the slide while explaining the benefits of using a public network (the Internet) to tunnel securely into the corporate LAN and gain access to resources. The main benefits of using a VPN connection, rather than a dial-up connection, are cost savings and increased bandwidth. Explain a VPN connection’s properties for each of the following:
- Encapsulation
- Authentication
- Data Encryption

13 Tunneling Protocols for VPN Connections
20411B Tunneling Protocols for VPN Connections 7: Configuring and Troubleshooting Remote Access
Windows Server 2012 supports the following VPN tunneling protocols:
- PPTP
- L2TP/IPsec
- SSTP
- IKEv2

Talk about the different support for each of the client protocols. You might want to discuss the port requirements for each VPN protocol:
- To implement Point-to-Point Tunneling Protocol (PPTP), you must configure your firewall to pass Transmission Control Protocol (TCP) Port 1723 and IP Protocol ID 47.
- To implement Layer 2 Tunneling Protocol (L2TP), you must configure your firewall to pass User Datagram Protocol (UDP) Port 500, UDP Port 1701, UDP Port 4500, and IP Protocol ID 50.
- To implement Secure Socket Tunneling Protocol (SSTP), you must configure your firewall to pass TCP port 443.
- To implement Internet Key Exchange version 2 (IKEv2), you must configure your firewall to pass UDP port 500.

14 What Is VPN Reconnect?
20411B What Is VPN Reconnect? 7: Configuring and Troubleshooting Remote Access
VPN Reconnect maintains connectivity across network outages. VPN Reconnect:
- Provides seamless and consistent VPN connectivity
- Uses the IKEv2 technology
- Automatically re-establishes VPN connections when connectivity is available
- Maintains the connection if users move between different networks
- Provides transparent connection status to users

Give an overview of VPN Reconnect. You can provide students with the following example for VPN Reconnect: Consider a user with a laptop that is running Windows XP. When the user travels to work in a train, he or she connects to the Internet by using a 3G data card and then establishes a VPN connection to the company’s network. When the train passes through a tunnel, the Internet connection is lost. After the train comes out of the tunnel, the user must redial the VPN connection, and every time thereafter that the user loses Internet connectivity. If the user has Windows 7 or Windows 8, the computer’s operating system will appear to maintain Internet connectivity with VPN Reconnect. The client will be reconnected automatically to the VPN once the underlying network connectivity is re-established.

15 Configuration Requirements
20411B Configuration Requirements 7: Configuring and Troubleshooting Remote Access
VPN server configuration requirements include:
- Two network interfaces (public and private)
- IP Address allocation (static pool or DHCP)
- Authentication provider (NPS/RADIUS or the VPN server)
- DHCP relay agent considerations
- Membership in the Local Administrators group or equivalent

Discuss the importance of, and best practices for, renaming LAN connections to reflect their scope (public or private). Discuss the use of internal DHCP versus a static pool. Facilitate a discussion with students about remaining configuration requirements. Ask them to consider the following:
- Why would you use a Remote Authentication Dial-in User Service (RADIUS) server instead of the VPN server for authentication? (Typically because you have multiple VPN servers, or to centralize accounting and logging)
- Do you require a relay agent? (Is your DHCP server on a different LAN segment?)

16 Demonstration: How to Configure VPN Access
20411B Demonstration: How to Configure VPN Access 7: Configuring and Troubleshooting Remote Access
In this demonstration, you will see how to:
- Configure Remote Access as a VPN server
- Configure a VPN client

Leave the virtual machine running for the subsequent demonstrations.

Preparation Steps
You require the 20411B-LON-DC1, 20411B-LON-RTR, and 20411B-LON-CL2 virtual machines for this demonstration.

Demonstration Steps
Configure Remote Access as a VPN server
1. Sign in to LON-RTR as Adatum\Administrator with the password Pa$$w0rd.
2. If necessary, on the taskbar, click the Server Manager icon.
3. In the Details pane, click Add roles and features.
4. In the Add Roles and Features Wizard, click Next.
5. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
6. On the Select destination server page, click Next.
7. On the Select server roles page, select the Network Policy and Access Services check box. Click Add Features, and then click Next twice.
8. On the Network Policy and Access Services page, click Next.
9. On the Select role services page, verify that the Network Policy Server check box is selected, and then click Next.
10. On the Confirm installation selections page, click Install.
11. Verify that the installation was successful, and then click Close.
12. Close the Server Manager window.
13. Pause your mouse pointer in the lower left of the taskbar, and then click Start.
14. On the Start menu, click Network Policy Server.
(More notes on the next slide)

17 7: Configuring and Troubleshooting Remote Access
15. In Network Policy Manager, in the navigation pane, right-click NPS (Local), and then click Register server in Active Directory.
16. In the Network Policy Server message box, click OK.
17. In the subsequent Network Policy Server dialog box, click OK.
18. Leave the Network Policy Server console window open.
19. Pause your mouse pointer in the lower left of the taskbar, and then click Start.
20. In Start, click Administrative Tools, and then double-click Routing and Remote Access.
21. If the Enable DirectAccess Wizard starts, click Cancel and then click OK.
22. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Disable Routing and Remote Access.
23. In the dialog box, click Yes.
24. In the Routing and Remote Access console, right-click LON-RTR (local), and then click Configure and Enable Routing and Remote Access.
25. Click Next, click Remote access (dial-up or VPN), and then click Next.
26. Select the VPN check box, and then click Next.
27. Click the Local Area Connection 2 network interface, clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next.
28. On the IP Address Assignment page, click From a specified range of addresses, and then click Next.
29. On the Address Range Assignment page, click New. In the Start IP address field, type , in the End IP address field, type , and then click OK.
30. Verify that 11 IP addresses were assigned for remote clients, and then click Next.
31. On the Managing Multiple Remote Access Servers page, click Next.
(More notes on the next slide)

18 7: Configuring and Troubleshooting Remote Access
32. Click Finish.
33. In the Routing and Remote Access dialog box, click OK. If prompted, click OK again.

Configure a VPN Client
1. Switch to LON-CL2.
2. Sign in as Adatum\Administrator with the password of Pa$$w0rd.
3. Click Start, type Control, and then in the Apps list, click Control Panel.
4. In Control Panel, click Network and Internet, click Network and Sharing Center, and then click Set up a new connection or network.
5. On the Choose a connection option page, click Connect to a workplace, and then click Next.
6. On the How do you want to connect page, click Use my Internet connection (VPN).
7. Click I’ll set up an Internet connection later.
8. On the Type the Internet address to connect to page, in the Internet address box, type . In the Destination name box, type Adatum VPN.
9. Select the Allow other people to use this connection check box, and then click Create.
10. In the Network And Sharing Center window, click Change adapter settings.
11. Right-click the Adatum VPN connection, click Properties, and then click the Security tab.
12. On the Security tab, in the Type of VPN list, click Point to Point Tunneling Protocol (PPTP).
13. Under Authentication, click Allow these protocols, and then click OK.
14. In the Network Connections window, right-click the Adatum VPN connection, and then click Connect/Disconnect.
15. In the Networks list on the right, click Adatum VPN, and then click Connect.
(More notes on the next slide)

19 7: Configuring and Troubleshooting Remote Access
16. In Network Authentication, in the User name text box, type Adatum\Administrator. In the Password text box, type Pa$$w0rd, and then click OK.
17. Wait for the VPN connection to be made. Your connection is unsuccessful. You receive an error relating to authentication issues. This will be addressed in a later demonstration.
18. Close all open windows.

20 Completing Additional Configuration Tasks
20411B Completing Additional Configuration Tasks 7: Configuring and Troubleshooting Remote Access
You may need to perform additional steps to help to secure the installation of Remote Access:
- Configure static packet filters
- Configure services and ports
- Adjust logging levels for routing protocols
- Configure number of available VPN ports
- Create a Connection Manager profile for users
- Add Certificate Services
- Increase remote access security
- Increase VPN security
- Consider implementing VPN Reconnect

Explain that even after enabling the Remote Access service, there are more tasks that students should complete for securing the Routing and Remote Access solution, and to meet the necessary requirements:
- Static filters (inbound/outbound) to create network traffic restrictions and allowances.
- Adjust logging options to monitor utilization and to troubleshoot connectivity issues.
- Configure available VPN ports. For example, you may want to increase L2TP, and remove all PPTP and SSTP connections. Configure the ports to support the number of users and the types of connection allowed.
- Connection Manager profiles to automate the configuration of Routing and Remote Access connections on the client computers.
- Certificate Services if you will be using Authentication methods that require user/computer certificates.
- Increase security by clearing authentication protocols that you do not want to allow.
Use the reference information to elaborate on each of these points.
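The following PowerShell is an added example, not part of the 20411B course materials: it audits which user authentication protocols a Windows Server 2012 Remote Access (VPN) server currently accepts, flags the weak ones that slide 8 says not to allow (PAP, CHAP), and restricts the server to EAP with MS-CHAPv2 optionally kept for legacy clients, which is the "clear authentication protocols you do not want to allow" task on this slide. It assumes the RemoteAccess module's Get-VpnAuthProtocol, Set-VpnAuthProtocol and Get-VpnServerConfiguration cmdlets, that the accepted protocols are exposed as UserAuthProtocolAccepted using the names PAP, Chap, MSChapv2 and EAP, and that a RemoteAccess service restart applies the change; the function names are mine.

```powershell
# Added example (not from the course materials): audit and harden the user
# authentication protocols a Windows Server 2012 VPN server accepts.
# Assumptions: RemoteAccess module cmdlets Get-/Set-VpnAuthProtocol and
# Get-VpnServerConfiguration; property UserAuthProtocolAccepted; protocol
# names 'PAP', 'Chap', 'MSChapv2', 'EAP'. Run on the VPN server as an admin.
Import-Module RemoteAccess

function Get-WeakVpnAuthProtocol {
    # Reports the accepted user authentication protocols, splitting out the
    # ones slide 8 says to disable (PAP, CHAP) and the one it tolerates only
    # for legacy clients (MS-CHAPv2).
    param(
        [string[]]$Weak   = @('PAP', 'Chap'),
        [string[]]$Legacy = @('MSChapv2')
    )
    $current = @((Get-VpnAuthProtocol).UserAuthProtocolAccepted)
    [pscustomobject]@{
        Accepted = $current
        Weak     = @($current | Where-Object { $Weak   -contains $_ })
        Legacy   = @($current | Where-Object { $Legacy -contains $_ })
    }
}

function Set-HardenedVpnAuthProtocol {
    # Restricts accepted user authentication to EAP, optionally keeping
    # MS-CHAPv2 for clients that cannot use EAP. Returns the new setting.
    param([switch]$AllowMsChapV2)
    $accepted = @('EAP')
    if ($AllowMsChapV2) { $accepted += 'MSChapv2' }
    $result = Set-VpnAuthProtocol -UserAuthProtocolAccepted $accepted -PassThru
    # Assumption: the new protocol list is applied when the service restarts.
    Restart-Service -Name RemoteAccess
    $result
}

# Audit first; only change the configuration if a weak protocol is enabled.
$before = Get-WeakVpnAuthProtocol
"Accepted before: $($before.Accepted -join ', ')"
if ($before.Weak.Count -gt 0) {
    "Weak protocols enabled: $($before.Weak -join ', ')"
    $after = Set-HardenedVpnAuthProtocol -AllowMsChapV2
    "Accepted after:  $($after.UserAuthProtocolAccepted -join ', ')"
}

# Companion check for the 'Configure number of available VPN ports' item:
# list every per-tunnel port count the server exposes (property names are
# matched by wildcard so the report does not depend on their exact spelling).
Get-VpnServerConfiguration | Select-Object -Property *Ports | Format-List
```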

21 What Is the Connection Manager Administration Kit?
20411B What Is the Connection Manager Administration Kit? 7: Configuring and Troubleshooting Remote Access
The CMAK:
- Allows you to customize users’ remote connection experience by creating predefined connections on remote servers and networks
- Creates an executable file that can be run on a client computer to establish a network connection that you have designed
- Reduces Help Desk requests related to the configuration of RAS connections by:
  - Assisting in problem resolution because the configuration is known
  - Reducing the likelihood of user errors when they configure their own connection objects

Explain the benefit of storing Remote Access Service (RAS) configurations as an executable file that you can send through , place on removable media, or access from file shares, as compared to manually configuring connection objects. Also, discuss the benefits of the troubleshooting process. Ensure that students understand that because the Connection Manager Administration Kit (CMAK) wizard creates an executable as the finished product, there are different methods available for distributing a connection profile to users.

22 Demonstration: How to Create a Connection Profile
20411B Demonstration: How to Create a Connection Profile 7: Configuring and Troubleshooting Remote Access
In this demonstration, you will see how to:
- Install CMAK
- Create a connection profile
- Examine the profile

Leave the virtual machine running for the subsequent demonstrations.

Preparation Steps
The required virtual machines 20411B-LON-DC1, 20411B-LON-RTR, and 20411B-LON-CL2 should already be running after the preceding demonstration.

Demonstration Steps
Install CMAK
1. If necessary, on LON-CL2, sign in as Adatum\administrator with the password Pa$$w0rd.
2. Pause your mouse pointer in the lower left of the taskbar, and then click Start.
3. In Start, type Control, and then in the Apps list, click Control Panel.
4. In Control Panel, click Programs.
5. In Programs, click Turn Windows features on or off.
6. In Windows® Features, select the RAS Connection Manager Administration Kit (CMAK) check box, and then click OK.
7. Click Close.

Create a connection profile
1. In Control Panel, click Control Panel Home.
2. In the View by list, click Large icons.
3. Click Administrative Tools, and then double-click Connection Manager Administration Kit.
4. In the Connection Manager Administration Kit Wizard, click Next.
5. On the Select the Target Operating System page, click Windows Vista or above, and then click Next.
6. On the Create or Modify a Connection Manager profile page, click New profile, and then click Next.
(More notes on the next slide)

23 7: Configuring and Troubleshooting Remote Access
7. On the Specify the Service Name and the File Name page, in the Service name text box, type Adatum HQ, in the File name text box, type Adatum, and then click Next.
8. On the Specify a Realm Name page, click Do not add a realm name to the user name, and then click Next.
9. On the Merge Information from Other Profiles page, click Next.
10. On the Add Support for VPN Connections page, select the Phone book from this profile check box. In the VPN server name or IP address text box, type , and then click Next.
11. On the Create or Modify a VPN Entry page, click Next.
12. On the Add a Custom Phone Book page, clear the Automatically download phone book updates check box, and then click Next.
13. On the Configure Dial-up Networking Entries page, click Next.
14. On the Specify Routing Table Updates page, click Next.
15. On the Configure Proxy Settings for Internet Explorer page, click Next.
16. On the Add Custom Actions page, click Next.
17. On the Display a Custom Logon Bitmap page, click Next.
18. On the Display a Custom Phone Book Bitmap page, click Next.
19. On the Display Custom Icons page, click Next.
20. On the Include a Custom Help File page, click Next.
21. On the Display Custom Support Information page, click Next.
22. On the Display a Custom License Agreement page, click Next.
23. On the Install Additional Files with the Connection Manager profile page, click Next.
24. On the Build the Connection Manager Profile and Its Installation Program page, click Next.
25. On the Your Connection Manager Profile is Complete and Ready to Distribute page, click Finish.
(More notes on the next slide)

24 7: Configuring and Troubleshooting Remote Access
Examine the created profile
1. Open Windows Explorer.
2. In Windows Explorer, expand drive C, expand Program Files, expand CMAK, expand Profiles, expand Windows Vista and above, and then expand Adatum. These are the files that you must distribute.
3. Close all open windows.

25 Lesson 3: Overview of Network Policies
20411B Lesson 3: Overview of Network Policies 7: Configuring and Troubleshooting Remote Access Demonstration: How to Create a Network Policy Briefly describe the lesson content.

26 What Is a Network Policy?
20411B What Is a Network Policy? 7: Configuring and Troubleshooting Remote Access
A network policy consists of the following elements:
- Conditions
- Constraints
- Settings

Define network policy as a set of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network, and the circumstances under which they can connect. Ensure that the students understand the definition of a network policy, and the conditions, constraints, and settings of network policies. Discuss the two default policies in NPS in Windows Server 2012, which deny access to both Microsoft RAS and any other RAS server by default.

27 Network Policy Processing
20411B Network Policy Processing 7: Configuring and Troubleshooting Remote Access
Step through the diagram with your students. The flowchart on the slide:
1. START: Are there policies to process? No: reject the connection attempt. Yes: go to step 2.
2. Does the connection attempt match the policy conditions? No: go to the next policy (return to step 1). Yes: go to step 3.
3. Is the remote access permission for the user account set to Deny Access? Yes: reject the connection attempt. No: go to step 4.
4. Is the remote access permission for the user account set to Allow Access? Yes: go to step 6. No: go to step 5.
5. Is the remote access permission on the policy set to Deny remote access permission? Yes: reject the connection attempt. No: go to step 6.
6. Does the connection attempt match the user object and profile settings? Yes: accept the connection attempt. No: reject the connection attempt.

28 Process for Creating and Configuring a Network Policy
20411B Process for Creating and Configuring a Network Policy 7: Configuring and Troubleshooting Remote Access
To create a network policy:
- Determine authorization by user or group
- Determine appropriate settings for the user account’s network access permissions
To configure the New Network Policy Wizard:
- Configure network policy conditions
- Configure network policy constraints
- Configure network policy settings

Explain that to configure a new policy, students should open Network Policy Server from the Administrative Tools menu.
Note: Remind students that network policies are part of the Network Policy and Access Services server role.
In NPS, right-click Network Policies and then click New to start the New Policy Wizard. Conduct a demonstration by going through the New Policy Wizard, and view all of the options that are available during network-policy creation. You can use the following demonstration as guidance to discuss the configurable options in a network policy. Also, consider combining this content with the following demonstration to discuss the configurable options.

29 Demonstration: How to Create a Network Policy
20411B Demonstration: How to Create a Network Policy 7: Configuring and Troubleshooting Remote Access
In this demonstration, you will see how to:
- Create a VPN policy based on Windows Groups condition
- Test the VPN

Following the demonstration, revert all the virtual machines.

Preparation Steps
The required virtual machines 20411B-LON-DC1, 20411B-LON-RTR, and 20411B-LON-CL2 should already be running after the preceding demonstration.

Demonstration Steps
Create a VPN policy based on Windows Groups condition
1. Switch to LON-RTR.
2. Switch to Network Policy Server.
3. In Network Policy Server, expand Policies, and then click Network Policies.
4. In the details pane, right-click the policy at the top of the list, and then click Disable.
5. In the details pane, right-click the policy at the bottom of the list, and then click Disable.
6. In the navigation pane, right-click Network Policies, and then click New.
7. In the New Network Policy Wizard, in the Policy name text box, type Adatum VPN Policy.
8. In the Type of network access server list, click Remote Access Server(VPN-Dial up), and then click Next.
9. On the Specify Conditions page, click Add.
10. In the Select condition dialog box, click Windows Groups, and then click Add.
11. In the Windows Groups dialog box, click Add Groups.
12. In the Select Group dialog box, in the Enter the object name to select (examples) text box, type Domain Admins, and then click OK.
13. Click OK again, and then click Next.
14. On the Specify Access Permission page, click Access granted, and then click Next.
(More notes on the next slide)

30 7: Configuring and Troubleshooting Remote Access
15. On the Configure Authentication Methods page, click Next.
16. On the Configure Constraints page, click Next.
17. On the Configure Settings page, click Next.
18. On the Completing New Network Policy page, click Finish.

Test the VPN
1. Switch to LON-CL2.
2. Pause your mouse pointer in the lower left of the taskbar, and then click Start.
3. In Start, type Control, and then in the Apps list, click Control Panel.
4. In Control Panel, click Network and Sharing Center.
5. In Network and Sharing Center, click Change adapter settings.
6. In the Network Connections window, right-click the Adatum VPN connection, and then click Connect/Disconnect.
7. In the Networks list on the right, click Adatum VPN, and then click Connect.
8. In Network Authentication, in the User name text box, type Adatum\Administrator. In the Password text box, type Pa$$w0rd, and then click OK.
9. Wait for the VPN connection to be made.

31 Lesson 4: Troubleshooting Routing and Remote Access
7: Configuring and Troubleshooting Remote Access Troubleshooting Other Issues Briefly describe the lesson content.

32 Configuring Remote Access Logging
20411B Configuring Remote Access Logging 7: Configuring and Troubleshooting Remote Access
You can configure remote access logging to:
- Log errors only
- Log errors and warnings
- Log all events
- Not log any events
- Log additional routing and remote access information

Demonstrate the process of configuring logging options.

33 Configuring Remote Access Tracing
20411B Configuring Remote Access Tracing 7: Configuring and Troubleshooting Remote Access
You can configure remote access tracing by using:
- The Netsh command: Netsh ras diagnostics set rastracing * enabled (enables tracing on all components in RAS)
- The Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
Tracing consumes resources; you should use it for troubleshooting only, and then disable it.

Explain that tracing provides significant information to help resolve complex network problems for the Remote Access service.
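As an added example (not from the course materials), the following PowerShell wraps the netsh command from this slide so that tracing is enabled only around a single reproduction step and is disabled again even if that step fails, then collects the trace logs and shows, from the Tracing registry key the slide names, whether any RAS component was left with tracing on. It assumes the trace files are written under %windir%\tracing and that each component subkey holds an EnableFileTracing value; the function names and the rasdial usage are mine.

```powershell
# Added example (not from the course materials): enable RAS tracing for one
# reproduction step only, disable it afterwards, collect the logs, and audit
# the Tracing registry key for components left enabled.
# Assumptions: trace files land in %windir%\tracing; each subkey of
# HKLM\SOFTWARE\Microsoft\Tracing has an EnableFileTracing DWORD (1 = on).
$TracingKey = 'HKLM:\SOFTWARE\Microsoft\Tracing'

function Invoke-WithRasTracing {
    param(
        [Parameter(Mandatory)][scriptblock]$Reproduce,
        [string]$CollectTo = (Join-Path $env:TEMP ('ras-trace-{0:yyyyMMdd-HHmmss}' -f (Get-Date)))
    )
    # Slide command: enable tracing on all RAS components.
    netsh ras diagnostics set rastracing * enabled | Out-Null
    try {
        & $Reproduce
    }
    finally {
        # Always disable tracing (the slide's caveat), even if the step threw.
        netsh ras diagnostics set rastracing * disabled | Out-Null
        New-Item -ItemType Directory -Path $CollectTo -Force | Out-Null
        Copy-Item -Path (Join-Path $env:windir 'tracing\*.log') `
                  -Destination $CollectTo -ErrorAction SilentlyContinue
    }
    Get-ChildItem -Path $CollectTo
}

function Get-RasTracingStillEnabled {
    # Lists components whose EnableFileTracing is still 1, so an operator
    # can confirm nothing was left consuming resources after troubleshooting.
    Get-ChildItem -Path $TracingKey -ErrorAction SilentlyContinue |
        Where-Object {
            (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).EnableFileTracing -eq 1
        } |
        Select-Object -ExpandProperty PSChildName
}

# Example: trace one connection attempt of the 'Adatum VPN' connection created
# in the earlier demonstration (rasdial is the built-in command-line dialer).
Invoke-WithRasTracing -Reproduce { rasdial 'Adatum VPN' }
$left = @(Get-RasTracingStillEnabled)
if ($left.Count -eq 0) { 'Tracing disabled on all components.' }
else { "Tracing still enabled for: $($left -join ', ')" }
```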

34 Resolving General VPN Problems
7: Configuring and Troubleshooting Remote Access
- Verify the host name
- Verify the credentials
- Verify the user account
- Reset the password
- Verify user account has not been locked
- Check that Routing and Remote Access is running
- Verify that the VPN server is enabled for remote access
- Verify the WAN Miniport protocols
- Check for a common authentication method
- Check for at least one common encryption strength
- Verify the connection’s parameters

Go through the general VPN resolution steps with the students.

35 Troubleshooting Other Issues
7: Configuring and Troubleshooting Remote Access
Common problems regarding remote access include:
- Error 800: VPN unreachable
- Error 721: Remote computer not responding
- Error 741/742: Encryption mismatch
- L2TP/IPsec issues
- EAP-TLS issues

Use the reference to explain some typical solutions to the issues that the slide presents. Ensure that students understand that there are many more issues than those presented, and that it would be unlikely that they are the first to receive a particular error. Searching the web usually will help locate a solution to most problems. Inform the students that they can search the Microsoft Knowledge Base, Microsoft TechNet, and the Help file of the particular platform that they are using, to find solutions for the most common issues regarding Remote Access.
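The following PowerShell is an added example, not part of the course materials, that turns the first items of the general VPN resolution steps (slide 34) and the "Error 800: VPN unreachable" case on this slide into a repeatable check: it resolves the VPN server's host name, TCP-tests the ports each tunneling protocol needs (the list repeats slide 13), and on the server confirms that Routing and Remote Access is running and that WAN Miniport adapters exist. It assumes Test-NetConnection (Windows 8 / Windows Server 2012) and Get-NetAdapter -IncludeHidden are available and that the tunnel adapters are named WAN Miniport; UDP ports and IP protocol IDs cannot be probed with a TCP connect, so they are reported for firewall verification rather than tested. The server name is a placeholder.

```powershell
# Added example (not from the course materials): connectivity and server-state
# checks for 'Error 800: VPN unreachable' and the slide 34 resolution steps.
# Assumptions: Test-NetConnection and Get-NetAdapter -IncludeHidden exist;
# tunnel adapters are described as 'WAN Miniport (...)'.

# Firewall requirements per tunneling protocol, as listed on slide 13.
$VpnPortRequirements = @{
    PPTP  = @{ Tcp = @(1723); Udp = @();               IpProtocol = @(47) }
    L2TP  = @{ Tcp = @();     Udp = @(500, 1701, 4500); IpProtocol = @(50) }
    SSTP  = @{ Tcp = @(443);  Udp = @();               IpProtocol = @()   }
    IKEv2 = @{ Tcp = @();     Udp = @(500);            IpProtocol = @()   }
}

function Test-VpnServerReachability {
    # Client-side: 'Verify the host name' plus a TCP probe of the ports the
    # chosen protocol needs. UDP/IP-protocol requirements are returned as
    # items to verify on the firewall, since a TCP connect cannot test them.
    param(
        [Parameter(Mandatory)][string]$VpnServer,
        [Parameter(Mandatory)][ValidateSet('PPTP', 'L2TP', 'SSTP', 'IKEv2')][string]$Protocol
    )
    $req = $VpnPortRequirements[$Protocol]
    $address = $null
    try {
        $address = [System.Net.Dns]::GetHostAddresses($VpnServer) | Select-Object -First 1
    } catch { }   # name does not resolve: reported below as Resolves = $false

    $tcpResults = foreach ($port in $req.Tcp) {
        $probe = Test-NetConnection -ComputerName $VpnServer -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $port; Open = [bool]$probe.TcpTestSucceeded }
    }
    [pscustomobject]@{
        Server           = $VpnServer
        Protocol         = $Protocol
        Resolves         = [bool]$address
        Address          = "$address"
        TcpPorts         = @($tcpResults)
        VerifyOnFirewall = @(
            @($req.Udp        | ForEach-Object { "UDP $_" }) +
            @($req.IpProtocol | ForEach-Object { "IP protocol $_" })
        )
    }
}

function Test-VpnServerLocalState {
    # Server-side: 'Check that Routing and Remote Access is running' and
    # 'Verify the WAN Miniport protocols' from slide 34.
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $miniports = Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceDescription -like 'WAN Miniport*' } |
        Select-Object -ExpandProperty InterfaceDescription
    [pscustomobject]@{
        RemoteAccessService = $(if ($svc) { "$($svc.Status)" } else { 'not installed' })
        WanMiniports        = @($miniports)
    }
}

# Usage: 'vpn.adatum.example' is a placeholder for the lab's VPN server.
Test-VpnServerReachability -VpnServer 'vpn.adatum.example' -Protocol SSTP | Format-List
Test-VpnServerLocalState | Format-List
```

Run Test-VpnServerReachability from the client that reports Error 800 and Test-VpnServerLocalState on the VPN server itself; a closed TCP port with a resolving name points at the firewall rules from slide 13 rather than at the client configuration.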

36 Lab A: Configuring Remote Access
7: Configuring and Troubleshooting Remote Access
Exercise 1: Configuring a Virtual Private Network Server
Exercise 2: Configuring VPN Clients

Logon Information
Virtual machines: B-LON-DC1, 20411B-LON-RTR, 20411B-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 30 minutes

Exercise 1: Configuring a Virtual Private Network Server
A. Datum Corporation wants to implement a Remote Access solution for its employees so they can connect to the corporate network while away from the office. You are required to enable and configure the necessary server services to facilitate this remote access. To support the VPN solution, you need to configure a Network Policy that reflects corporate remote connection policy. For the pilot, only the IT security group should be able to use VPN. Required conditions include the need for a client certificate, and connection hours are only allowed between Monday and Friday, at any time.

Exercise 2: Configuring VPN Clients
You must now provide a simple client solution so that users can install a preconfigured L2TP-based VPN connection, which enables them to connect to the corporate network.

Question: In the lab, you configured the VPN server to allocate an IP address configuration by using a static pool of addresses. Is there an alternative, and if so, what is it?
Answer: Yes, you could use a DHCP server on the internal network to allocate addresses.

37 20411B Lab A Scenario 7: Configuring and Troubleshooting Remote Access A. Datum Corporation wants to implement a Remote Access solution for its employees so they can connect to the corporate network while away from the office. You are required to enable and configure the necessary server services to facilitate this remote access. To support the VPN solution, you need to configure a Network Policy that reflects corporate remote connection policy. For the pilot, only the IT security group should be able to use VPN. Required conditions include the need for a client certificate, and connection hours are only allowed between Monday and Friday, at any time.

38 20411B Review Questions
7: Configuring and Troubleshooting Remote Access

Question: If you use the alternative solution, how many addresses are allocated to the VPN server at one time?
Answer: The DHCP server allocates the VPN server blocks of 10 addresses at a time to allocate to remote clients. The first block is obtained when the Routing and Remote Access service starts, so those leases are consumed before any client connects.

Question: In the lab, you configured a policy condition of tunnel type and a constraint of a day and time restriction. If there were two policies, the one you created plus an additional one that had a condition of membership of the Domain Admins group and constraints of tunnel type (PPTP or L2TP), why might your administrators be unable to connect out of office hours?
Answer: The administrators are evaluated against the first policy, because its tunnel type condition matches their PPTP or L2TP connection. NPS stops at the first policy whose conditions match and then applies only that policy's constraints; the day and time constraint fails, the request is rejected, and the Domain Admins policy is never evaluated. Change the policy order so that the Domain Admins policy is processed first.

39 Lesson 5: Configuring DirectAccess
20411B Lesson 5: Configuring DirectAccess 7: Configuring and Troubleshooting Remote Access Configuring DirectAccess Briefly describe the lesson content.

40 Complexities of Managing VPNs
20411B Complexities of Managing VPNs
7: Configuring and Troubleshooting Remote Access

VPN connections can pose the following problems:
Users must initiate the VPN connections
The connections may require multiple steps to initiate
Firewalls can pose additional considerations
Troubleshooting failed VPN connections can be time-consuming
VPN-connected computers are not easily managed

Discuss with students the methods for remote connections, and the problems with remote connections, including closed ports and the inability to manage remote clients. Encourage students to share their experience in configuring remote connections. Explain that VPNs are traditionally used for remote connections. Discuss the limitations of a VPN. Point out how DirectAccess overcomes those limitations, and why DirectAccess is a better solution. Discuss the challenges of implementing VPN solutions to enable remote access on corporate networks. The problems of using VPNs might include:
Management of client software.
VPN connections disconnecting.
Users must initiate a connection.
Might require additional firewall configuration.
Unidirectional configuration: the connection exists only while the user keeps it up and is always initiated from the client, so administrators cannot reach a remote computer to apply Group Policy, push updates, or troubleshoot it (no manage-out).

41 What Is DirectAccess?
20411B What Is DirectAccess?
7: Configuring and Troubleshooting Remote Access

Features of DirectAccess:
Connects automatically to the corporate network over the public network, as soon as the computer has Internet connectivity and before the user signs in
Uses IPv6 transition technologies (6to4, Teredo, and IP-HTTPS, which tunnels over HTTPS) to establish IPv6 connectivity across the IPv4 Internet
Supports selected server access and IPsec authentication
Supports end-to-end authentication and encryption
Supports management of remote client computers
Allows remote users to connect directly to intranet servers

Provide a high-level overview of DirectAccess. Concentrate on the benefits of DirectAccess, and why a company would implement it. Do not talk about requirements. Mention that DirectAccess ensures seamless connectivity to the application infrastructure for internal users and remote users. Both Windows Server 2012 and Windows 8 (Enterprise edition) support DirectAccess; Windows Server 2008 R2 and Windows 7 (Enterprise and Ultimate editions) also support DirectAccess. DirectAccess enables uninterrupted remote access to intranet resources. Explain that VPNs are traditionally used for remote connections. Point out how DirectAccess overcomes those limitations, and why DirectAccess is a better solution.

42 Components of DirectAccess
20411B Components of DirectAccess
7: Configuring and Troubleshooting Remote Access

Components shown on the slide: AD DS domain controller, DNS server, PKI deployment, DirectAccess server, network location server (NLS), internal network resources, internal clients, external clients (NRPT and connection security rules, IPv6 and IPsec), and Internet websites.

Describe the architecture and components of DirectAccess in Windows Server 2012. This is an animated slide. Explain each component that is included in the DirectAccess scenario as follows:
PKI is needed to issue computer certificates to the DirectAccess server, DirectAccess clients, and intranet servers.
The DirectAccess server is connected to both the intranet and the Internet, and acts as the gateway for DirectAccess clients that are located on the Internet.
The network location server is a web server that is only reachable when the DirectAccess client is connected directly to the intranet.
External DirectAccess clients have active Name Resolution Policy Table (NRPT) rules and connection security (tunnel) rules. When accessing intranet resources, the connection security rules use IPv6, and use either IPsec tunneling or end-to-end IPsec traffic protection.
DirectAccess clients that are connected to the intranet can access intranet resources like any other intranet computer.

43 Name Resolution Policy Table
7: Configuring and Troubleshooting Remote Access

NRPT is a table that defines DNS servers for different namespaces and the corresponding security settings; the resolver consults the NRPT before the adapter's DNS settings.
Using NRPT:
DNS servers can be defined for each DNS namespace rather than for each interface
DNS queries for specific namespaces can optionally be secured by using IPsec

Students should be familiar with the Domain Name System (DNS) name resolution process. You can ask students how the name resolution process works, to see if they are familiar with this concept. After you get the answer, extend the explanation of DNS name resolution with the introduction of NRPT, and how it is used during name resolution. Mention that NRPT, available since Windows 7 and Windows Server 2008 R2 and used by Windows 8 and Windows Server 2012, is controlled through Group Policy, but can also be deployed through scripts that modify registry settings. Provide an example of how NRPT can be beneficial if you are using DirectAccess or VPN to connect to the corporate intranet: a rule for the intranet suffix sends those queries to the intranet DNS server through the tunnel, while every other name is still resolved by the local ISP's DNS server, so internal names are not sent to an external resolver and the client does not depend on the tunnel for general Internet browsing.
Note: Windows 7 clients also use NRPT to define DNS servers per namespace in the same way as Windows 8 and Windows Server 2012.
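The notes ask for an example of NRPT in use. The block below is an added example, not course material: it creates a per-namespace rule with the DnsClient cmdlets of Windows 8 and Windows Server 2012, lists the effective table, and shows how to spot the exemption that the DirectAccess wizard deploys for the NLS name. The suffix corp.adatum.com and the server address 2001:db8:1::1 are placeholders.

```powershell
# Added example, not from the course. Assumptions: the intranet suffix is
# corp.adatum.com and its DNS server (for DirectAccess, the DNS64 address on
# the DirectAccess server) is 2001:db8:1::1. Requires the DnsClient module.

# Everything under the intranet suffix is resolved by the named server,
# whatever DNS servers the active adapter received from DHCP. The leading
# dot makes the rule a suffix match. The DirectAccess wizard deploys the
# same kind of rule through Group Policy with -DAEnable and -DANameServers,
# so that it only takes effect when the client is off the intranet.
Add-DnsClientNrptRule -Namespace '.corp.adatum.com' -NameServers '2001:db8:1::1' `
    -Comment 'Intranet namespace: resolve through the tunnel (example rule)'

# Effective table as the resolver sees it. Group Policy rules appear beside
# local ones; the most specific namespace wins for a given query.
Get-DnsClientNrptPolicy | Format-Table Namespace, NameServers, DirectAccessEnabled, DirectAccessDnsServers -AutoSize

# The NLS must be an exemption: a DirectAccess rule with an empty server
# list, so the name is resolved by the interface DNS servers. If the NLS name
# resolved through the tunnel, an external client could reach the NLS and
# wrongly conclude that it is on the intranet.
Get-DnsClientNrptPolicy |
    Where-Object { $_.DirectAccessEnabled -and -not $_.DirectAccessDnsServers } |
    Select-Object Namespace

# The resolver consults the NRPT before the adapter settings, so this query
# goes to 2001:db8:1::1 even though the adapter lists a different server.
Resolve-DnsName -Name 'app1.corp.adatum.com' -ErrorAction SilentlyContinue

# Clean up the example rule.
Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq '.corp.adatum.com' } | Remove-DnsClientNrptRule -Force
```

In a DirectAccess deployment you do not normally add local rules by hand; the Group Policy rules are the source of truth, and the local additions here are only to make the lookup order visible.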

44 How DirectAccess Works for Internal Client Computers
20411B How DirectAccess Works for Internal Client Computers
7: Configuring and Troubleshooting Remote Access

Components shown on the slide: internal client computers, DirectAccess server, AD DS domain controller, DNS server, NLS, CRL distribution point, internal network resources, Internet websites, connection security rules, NRPT.

Using the animated slide, explain how DirectAccess clients connect to intranet resources.
First click: the DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the network location server (NLS) URL. This name is an exemption in the NRPT, so it is resolved by the intranet DNS server rather than through a tunnel.
Second click: the DirectAccess client establishes an HTTPS connection with the NLS.
Third click: the client checks the revocation status of the NLS certificate against the CRL distribution point. If the CRL is unreachable, the NLS check fails and the client behaves as if it were on the Internet.
Fourth click: because the NLS connection succeeded, the DirectAccess client ignores the DirectAccess rules in the NRPT.
Fifth click: the DirectAccess client locates and signs in to Active Directory® Domain Services (AD DS) by using its computer account.
Sixth click: the DirectAccess client assigns the domain firewall profile, which ignores the connection security tunnel rules, and starts accessing intranet resources normally.

45 How DirectAccess Works for External Client Computers
20411B How DirectAccess Works for External Client Computers
7: Configuring and Troubleshooting Remote Access

Components shown on the slide: external client computers (connection security rules, NRPT), Internet websites, DirectAccess server, and the intranet infrastructure (AD DS domain controller, DNS server, internal network resources).

Use the build slide to explain the following processes:
First click: the DirectAccess client attempts to access the NLS. From the Internet the NLS is unreachable, so the client applies the DirectAccess rules in the NRPT and the connection security rules.
Second click: the DirectAccess client attempts to locate a domain controller. The infrastructure tunnel to the DirectAccess server is established with the computer certificate and computer account, so this works before any user signs in and lets Group Policy apply to the computer.
Third click: the DirectAccess client attempts to access intranet resources. The intranet tunnel is established after the user signs in, with user credentials added, and intranet names are resolved through the tunnel by the DNS server that the NRPT rule names.
Fourth click: the DirectAccess client attempts to access Internet resources. Names that match no NRPT rule are resolved by the adapter's own DNS server and the traffic goes directly to the Internet, not through the tunnel, unless force tunneling has been configured.

46 Prerequisites for Implementing DirectAccess
20411B Prerequisites for Implementing DirectAccess
7: Configuring and Troubleshooting Remote Access

Prerequisites shown on the slide: AD DS, Group Policy, PKI, DNS and a domain controller, IPsec policies, IPv6 and transition technologies, ICMPv6 Echo Request traffic, and a sample DirectAccess server.

Explain the following infrastructure requirements for DirectAccess to students:
AD DS must be in place.
Group Policy is required to configure DirectAccess.
DNS must be on Windows Server 2012, Windows Server 2008 Service Pack 2 (SP2), or Windows Server 2008 R2, and the Public Key Infrastructure (PKI) policy must be in place.
IPv6 transition technologies are probably used, and ICMPv4 and ICMPv6 Echo Request must be allowed through the firewall (Teredo in particular relies on ICMPv6 Echo Request to test connectivity).
As already discussed, mention that DirectAccess has high infrastructure requirements; therefore, it is not suitable for every environment.

47 Configuring DirectAccess
20411B Configuring DirectAccess
7: Configuring and Troubleshooting Remote Access

To configure DirectAccess:
Configure the AD DS domain controller and DNS
Configure the PKI environment
Configure the DirectAccess server
Configure the DirectAccess clients and test intranet and Internet access

Give an overview of DirectAccess configuration on the server and on the client. Remind students that they must install the Remote Access role on the DirectAccess server. For a simple deployment, this server can have a single network interface with a single IP address that is connected to the private network, and then can be published over Microsoft Forefront® Unified Access Gateway (UAG) or Forefront Threat Management Gateway (TMG) for external computers. For an advanced deployment that includes support for two-factor authentication using smart cards and one-time password (OTP) devices, you still need to configure the DirectAccess server to establish two IPsec tunnels. This means that the DirectAccess server needs at least two network adapters, with two consecutive public IPv4 addresses on the Internet interface (Teredo requires them). IPv6 must be enabled on the DirectAccess server and client computers, and the firewall must allow Internet Control Message Protocol (ICMP) Echo traffic. For ease of deployment in a lab, mention that students can use a self-signed certificate on the DirectAccess server, and that the server can be configured so that CRL checking is not mandatory for establishing DirectAccess connectivity. Point out that these are lab shortcuts only: without a CA-issued certificate and a reachable CRL, a revoked or compromised certificate can no longer be rejected. Explain to students that they also need to create a security group and add all client computer accounts as members. In addition, the PKI infrastructure and certificate revocation list (CRL) distribution point must be accessible, from the Internet as well as from the intranet.
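The four configuration steps above are carried out in the lab through the Remote Access Management Console. As an added example (not the lab's own steps), the following script does the server and client-group parts of that procedure with the RemoteAccess and ActiveDirectory cmdlets of Windows Server 2012. The adapter names Internet and Corpnet, the public name da1.adatum.com, the OU path, the group DA-Clients, and the GPO names are assumptions; the domain Adatum.com and the client LON-CL1 come from the lab.

```powershell
# Added example, not from Lab B. Run as a domain administrator on the
# DirectAccess server (Windows Server 2012). Assumptions: two adapters named
# 'Internet' and 'Corpnet', public DNS name da1.adatum.com, an OU for
# clients at OU=Clients,DC=Adatum,DC=com, and unused GPO names.

# 1. Role, including DirectAccess and the Remote Access Management Console.
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools

# 2. Security group that will receive the client GPO. Lab B, Exercise 2,
#    scopes the client settings to this group rather than to every domain computer.
Import-Module ActiveDirectory
New-ADGroup -Name 'DA-Clients' -GroupScope Global -Path 'OU=Clients,DC=Adatum,DC=com'
Add-ADGroupMember -Identity 'DA-Clients' -Members 'LON-CL1$'

# 3. Deploy. -DAInstallType Full makes this server the DirectAccess endpoint
#    (two IPsec tunnels: infrastructure and intranet). The cmdlet creates the
#    client and server GPOs and the NRPT rules inside the client GPO.
Install-RemoteAccess -DAInstallType Full `
    -ConnectToAddress 'da1.adatum.com' `
    -InternetInterface 'Internet' -InternalInterface 'Corpnet' `
    -ClientGpoName 'adatum.com\DirectAccess Client Settings' `
    -ServerGpoName 'adatum.com\DirectAccess Server Settings' `
    -Force

# 4. Scope the client GPO to the group. Check Get-DAClient afterwards and use
#    Remove-DAClient -SecurityGroupNameList for any group you did not intend.
Add-DAClient -SecurityGroupNameList 'adatum.com\DA-Clients'

# 5. Read back the configuration the console would display.
Get-RemoteAccess
Get-DAServer | Select-Object ConnectToAddress, InternetInterface, InternalInterface, UserAuthentication
Get-DAClient
```

By default the DirectAccess server itself acts as the NLS with a self-signed certificate, which is the lab shortcut the notes describe; for production, move the NLS to a separate highly available web server with a CA-issued certificate (Set-DANetworkLocationServer in the same module) so that an outage of the DirectAccess server does not make every intranet client believe it is on the Internet.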

48 Lab B: Configuring DirectAccess
7: Configuring and Troubleshooting Remote Access

Exercise 1: Configuring the DirectAccess Infrastructure
You decided to implement DirectAccess as a solution for remote client computers that are not able to connect through VPN. In addition, you want to address management problems, such as GPO application for remote client computers. For this purpose, you will configure the prerequisite components of DirectAccess, and configure the DirectAccess server.

Exercise 2: Configuring the DirectAccess Clients
After you have configured the DirectAccess server and the required infrastructure, you must configure the DirectAccess clients. You decide to use Group Policy to apply DirectAccess settings to the clients and for certificate distribution.

Exercise 3: Verifying the DirectAccess Configuration
When client configuration is completed, it is important to verify that DirectAccess works. You do this by moving the DirectAccess client to the Internet, and trying to access internal resources.

Question: Why would you use a GPO to configure certificate deployment?
Answer: You would use a GPO to quickly deploy the required certificates to the DirectAccess clients with the least amount of effort.

Question: How do you install the DirectAccess feature?
Answer: You use Server Manager to install the Remote Access role, which provides the configuration option for DirectAccess. Alternatively, you could also install this role by using the Windows PowerShell command-line interface.

Logon Information
Virtual machines: 20411B-LON-DC1, 20411B-LON-SVR1, 20411B-LON-RTR, 20411B-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 90 minutes
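Exercise 3 verifies the deployment by moving the client to the Internet and trying to reach internal resources. The checks below are an added example, not part of the lab, to run on the Windows 8 client (LON-CL1) after it has been moved: each one tells you which stage of the external-client flow described earlier succeeded, rather than leaving you with a bare "cannot connect". The share path on LON-DC1 is an assumption.

```powershell
# Added example, not part of Lab B. Run on the DirectAccess client (Windows 8)
# after it has been connected to the simulated Internet. Read-only: nothing
# here changes configuration. Assumption: \\lon-dc1.adatum.com\NETLOGON is
# readable by the signed-in domain user.

# 1. Did the client decide it is outside? Status ConnectedLocally means the
#    NLS was reached (so the client is still treating itself as intranet);
#    ConnectedRemotely means the tunnels are up; Error comes with a Substatus
#    that names the failing stage.
Get-DAConnectionStatus

# 2. Which NRPT rules are in force? DirectAccessEnabled rules apply only while
#    the client is outside; the NLS name must appear as an exemption (no servers).
Get-DnsClientNrptPolicy | Format-Table Namespace, DirectAccessEnabled, DirectAccessDnsServers -AutoSize

# 3. Which transition technology carried the tunnel? IP-HTTPS is the one that
#    works through most firewalls because it only needs outbound TCP 443.
Get-NetIPHttpsState
Get-NetIPHttpsConfiguration | Select-Object ServerURL, State

# 4. IPsec: the infrastructure tunnel comes up with the computer certificate
#    before sign-in; the intranet tunnel appears after the user signs in.
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint

# 5. An intranet name should resolve through the tunnel to an IPv6 address
#    (DNS64 on the DirectAccess server synthesizes one for IPv4-only hosts),
#    and a domain share should open.
Resolve-DnsName -Name 'lon-dc1.adatum.com' -Type AAAA
Test-Path '\\lon-dc1.adatum.com\NETLOGON'
```

If step 1 reports ConnectedLocally while the client is on the Internet, the NLS name is being resolved outside the tunnel and the NLS is reachable from the Internet, which is a misconfiguration to fix before anything else: the client will never bring up its tunnels.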

49 20411B Lab B Scenario 7: Configuring and Troubleshooting Remote Access Because A. Datum Corporation has expanded, many of the employees are now frequently out of the office, either working from home or traveling. A. Datum wants to implement a remote access solution for its employees so they can connect to the corporate network while they are away from the office. Although the VPN solution that you implemented provides a high level of security, business management is concerned about the complexity of the environment for end users. In addition, IT management is concerned that they are not able to manage the remote clients effectively. To address these issues, A. Datum has decided to implement DirectAccess on client computers that are running Windows 8. As a senior network administrator, you are required to deploy and validate the DirectAccess deployment. You will configure the DirectAccess environment, and validate that the client computers can connect to the internal network when operating remotely.

50 20411B Review Questions
7: Configuring and Troubleshooting Remote Access

Your organization wants to implement a cost effective solution that interconnects two branch offices with your head office. In what way could VPNs play a role in this scenario?
The IT manager at your organization is concerned about opening too many firewall ports to facilitate remote access from users that are working from home through a VPN. How could you meet the expectations of your remote users while allaying your manager's concerns?
You have a VPN server with two configured network policies. The first has a condition that grants access to members of the Contoso group, to which everyone in your organization belongs, but has a constraint of Day and Time restrictions for office hours only. The second policy has a condition of membership of the Domain Admins group and no constraints. Why are administrators being refused connections out of office hours, and what can you do about it?
How does the DirectAccess client determine if it is connected to the intranet or the Internet?
What is the use of an NRPT?

51 Module Review and Takeaways
20411B Module Review and Takeaways
7: Configuring and Troubleshooting Remote Access

Tools
Review Questions

Question: Your organization wants to implement a cost effective solution that interconnects two branch offices with your head office. In what way could VPNs play a role in this scenario?
Answer: You could implement VPNs in a site-to-site configuration over the Internet to provide the necessary routing capabilities.

Question: The IT manager at your organization is concerned about opening too many firewall ports to facilitate remote access from users that are working from home through a VPN. How could you meet the expectations of your remote users while allaying your manager's concerns?
Answer: Implement SSTP as the tunneling protocol. This implements a connection by using HTTPS. This protocol relies on TCP port 443, a port that is typically already open on corporate firewalls to facilitate connections to other applications and services, for example Microsoft Outlook® Web App and web services.

Question: You have a VPN server with two configured network policies. The first has a condition that grants access to members of the Contoso group, to which everyone in your organization belongs, but has a constraint of Day and Time restrictions for office hours only. The second policy has a condition of membership of the Domain Admins group and no constraints. Why are administrators being refused connections out of office hours, and what can you do about it?
Answer: Administrators are also members of the Contoso group, and therefore the first policy's condition is met. NPS selects the first policy whose conditions match and applies its constraints; the Day and Time constraint rejects the request, and the second policy is not processed. The solution is either to remove the administrators from the Contoso group, or to change the policy order so that the administrator policy is first in the list.
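Both the Lab A review question and the review question above turn on the same rule: NPS evaluates network policies in processing order, picks the first one whose conditions all match, and then applies only that policy's constraints, so a failed constraint is a rejection rather than a fall-through. The following block is an added example, not course code and not NPS itself: a small model of that evaluation, with constructed policies and a constructed request, that reproduces the administrator's out-of-hours rejection and shows that reordering the policies fixes it. Dial-in properties and policy settings are left out of the model.

```powershell
# Added example, not from the course: a model of NPS network policy
# processing. Policies and the request below are constructed for the
# demonstration. Each condition and constraint is a script block that
# receives the request and returns $true or $false.
function Test-NpsDecision {
    param([object[]]$Policies, [hashtable]$Request)
    foreach ($policy in $Policies) {
        # Conditions: does this policy apply to the request at all?
        $applies = @($policy.Conditions | ForEach-Object { & $_ $Request }) -notcontains $false
        if (-not $applies) { continue }            # no match, try the next policy

        # First matching policy wins. Its constraints can now only reject.
        $constraintsMet = @($policy.Constraints | ForEach-Object { & $_ $Request }) -notcontains $false
        if ($constraintsMet) { return "Granted by '$($policy.Name)'" }
        return "Denied by '$($policy.Name)': constraint failed; remaining policies are never evaluated"
    }
    return 'Denied: no policy matched'
}

# Constraint: Monday to Friday, 09:00 to 17:59.
$OfficeHours = { param($r) ($r.Day -in @('Monday','Tuesday','Wednesday','Thursday','Friday')) -and $r.Hour -ge 9 -and $r.Hour -lt 18 }

$AllStaff = @{
    Name        = 'All staff, office hours only'
    Conditions  = @({ param($r) 'Contoso' -in $r.Groups })
    Constraints = @($OfficeHours)
}
$Admins = @{
    Name        = 'Domain Admins, any time'
    Conditions  = @({ param($r) 'Domain Admins' -in $r.Groups })
    Constraints = @()
}

# An administrator dialling in on a Saturday night. Administrators are also
# members of Contoso, so the first policy's condition matches them.
$Request = @{ User = 'Contoso\admin1'; Groups = @('Contoso', 'Domain Admins'); TunnelType = 'L2TP'; Day = 'Saturday'; Hour = 22 }

# Order as in the question: the all-staff policy is reached first and rejects.
Test-NpsDecision -Policies @($AllStaff, $Admins) -Request $Request

# Administrator policy moved to the top: the same request is granted.
Test-NpsDecision -Policies @($Admins, $AllStaff) -Request $Request
```

The same first-match rule cuts the other way as well: a broad policy with no constraints placed above a restrictive one silently grants what the restrictive one was meant to block, so policy order deserves the same review as the conditions themselves.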

52 7: Configuring and Troubleshooting Remote Access
Question: How does the DirectAccess client determine if it is connected to the intranet or the Internet?
Answer: When you configure the DirectAccess server, you need to determine the computer that will be the NLS. The NLS should be a highly available web server. Based on whether it can reach this web server over HTTPS, the DirectAccess client determines if it is connected to the intranet or the Internet. If the NLS is unavailable, intranet clients conclude that they are on the Internet, apply the DirectAccess NRPT rules, and lose access to intranet resources; this is why the NLS must be highly available and why its name must be excluded from the NRPT.

Question: What is the use of an NRPT?
Answer: The NRPT stores a list of DNS namespaces and their corresponding configuration settings. These settings define the DNS server to contact, and the DNS client behavior for that namespace.

Tools

Tool          Use for                                                  Where to find it
Services.msc  Managing Windows services                                Administrative Tools, or launch from Run
Gpedit.msc    Editing the local Group Policy                           Launch from Run
Mmc.exe       Creating and managing the Microsoft Management Console   Launch from Run
Gpupdate.exe  Managing Group Policy application                        Run from a command line

