Server-to-Client Remote Access and DirectAccess
Contents: VPN in Windows Server 2008 R2; Authentication Options to an RRAS System; VPN Protocols; DirectAccess in Windows Server 2008; Choosing Between Traditional VPN Technologies and DirectAccess; Traditional VPN Scenario; DirectAccess Scenario
Connect securely over Internet
VPN
RRAS Features & Services across releases: Windows NT 4.0, Windows 2000, Windows Server 2003, Windows Server 2008
Components Needed to Create a Traditional VPN Connection
A traditional VPN in Windows Server 2008 R2 consists of a VPN client, an RRAS server, an NPS server, a Certificate server and an Active Directory server.
RRAS server: the server that accepts VPN connections from VPN clients. It runs the Routing and Remote Access Service role service, part of the Network Policy and Access Services role.
NPS server: provides authentication, authorization, auditing and accounting for VPN clients. A server with the Network Policy and Access Services role works with Network Access Protection; System Health Agents (SHAs) on the client inspect and assess the client's health according to policy.
Certificate Server: a Certificate Authority (CA) that issues certificates to servers and clients for authentication and for encryption of the tunnels. The server runs the Certification Authority and Certification Authority Web Enrollment role services.
Authentication Options to an RRAS System: a variety of PPP authentication protocols are available.
Authentication for PPTP Connections: four authentication protocols (MS-CHAP, MS-CHAP v2, EAP and PEAP) provide a mechanism to generate the same encryption key on both the VPN client and the VPN server.
EAP & PEAP Authentication Protocols: Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP) use user certificates or smart cards.
Authentication for L2TP/IPSec Connections: any authentication protocol can be used, because the connection is already secured by IPSec.
Best Authentication Protocol: use EAP or PEAP for PPTP, L2TP and SSTP connections; PEAP with EAP-MS-CHAP v2 eases the deployment burden. If you must use a password-based authentication protocol, use MS-CHAP v2 and enforce strong passwords using Group Policy.
VPN Protocols: Windows Server 2008 R2 includes the Layer 2 tunneling protocols PPTP, L2TP and SSTP. Both the tunnel client and the tunnel server must use the same tunneling protocol. IPSec tunnel mode is a Layer 3 tunneling protocol.
Comparing VPN Protocols
Tunneling Within a 2008 R2 Networking Environment
Point-to-Point Tunneling Protocol: a Layer 2 protocol that encapsulates PPP frames in IP datagrams for transmission over the Internet. It is used for remote access and router-to-router VPN connections and uses a TCP connection for tunnel maintenance.
Structure of PPTP packet
Layer 2 Tunneling Protocol: a combination of Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F). It encapsulates PPP frames that are sent over IP, X.25, frame relay or ATM networks.
Structure of L2TP packet
IP Security: ensures data security in IP-based communications through two important functions, data encryption and data integrity.
Structure & architecture of the IPSec packet.
Secure Socket Tunneling Protocol: uses the HTTP over SSL (HTTPS) protocol.
DirectAccess: a new remote access protocol that provides network node connectivity to remote systems without any user login requirement, addressing the challenges of traditional VPN.
DirectAccess uses IPv6, IPSec and certificates to establish secure connections. To traverse public IPv4 networks, DirectAccess uses IPv6 transition technologies such as ISATAP, Teredo and 6to4.
DirectAccess requirements
DirectAccess and IPv6
IPv6 tunneling protocols
Two Tunnels
End-to-Edge DirectAccess Model: the DirectAccess client establishes an IPSec tunnel to the DirectAccess server, which forwards unprotected traffic to intranet resources.
End-to-End DirectAccess Model: the DirectAccess client establishes an IPSec tunnel with each application server it connects to. This ensures traffic is protected end to end by IPSec encryption, including while traversing the intranet, but requires that each application server run Windows Server 2008.
DirectAccess Components: DirectAccess server; DirectAccess client (a PC with Windows 7 that must be a domain member with a certificate); corporate IPv6 network; Certificate server; Network Location Server (NLS); Active Directory and DNS server.
DirectAccess Connection Process
Which to choose: a traditional VPN technology or the new DirectAccess?
Traditional VPN Scenario
Steps to configure the VPN architecture
Setting Up Certificate Server: used to issue certificates for the VPN infrastructure. The NPS1 server was chosen as the centralized policy server and is also positioned to provide certificate services.
Steps
Certificate Autoenrollment: configure the root CA so that computer certificates are issued automatically through Group Policy, using a GPO named Cert Auto Enrollment Group Policy Object.
Steps
Setting Up Network Policy Server
Configure Network Policy Server:
Health validators in the NPS
Health policy
Network policies for systems that pass health validation
Network policies for systems that fail health validation
Configure the connection request policy
Configure the RRAS server as a RADIUS client on the NPS system
Finish NPS configuration
Setting Up RRAS Server: the VPN1 server is configured with an internal NIC at 172.16.1.152 and an external NIC at 192.168.1.201, and is a member of the companyabc.com Active Directory domain.
Steps
Setting Up VPN Client
Security Center
Remote Access Quarantine Enforcement Client: enabled
Network Access Protection Agent service: startup type Automatic
Export the certificate from the Certificate Authority
Import the certificate into the client PC's trusted CA store
Set up and configure the VPN connection on the VPN client
Testing VPN Connection
To test the connection, complete the following steps
Controlling Unhealthy VPN Clients: turn off the Windows Firewall on the client and see what happens when the client connects to the VPN.
SSTP Troubleshooting
DirectAccess Scenario: two major goals. Allow a workstation to move between internal, public and home networks while retaining access to application servers. Enable IPv6 in an IPv4 network using IPv6 transition technologies.
Scenario
System components
Three networks in the scenario
Configuring Infrastructure: configure the DNS service to remove ISATAP from the default global query block list so that DNS will service ISATAP requests.
Create the NLS record in DNS
Create a security group for DirectAccess client PCs
Using a GPO to Configure Firewall Rules: create and enable firewall rules for ICMPv4 and ICMPv6 traffic. The ICMP firewall rules are deployed with the GPO "DirectAccess Group Policy Object."
Steps
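The infrastructure steps above (DNS global query block list, NLS record, client security group, ICMP rules) as one added PowerShell example; this is not from the original slides. The DNS host name, the NLS address, the OU path and the client computer name are placeholders, and the ICMP rules are created in the local firewall for a test machine rather than in the GPO the slides use.

```powershell
# Added example, not from the original slides. Run from an elevated PowerShell
# prompt on a Windows Server 2008 R2 domain controller with the AD RSAT module.
Import-Module ActiveDirectory

$Domain  = 'companyabc.com'   # domain from the scenario
$DnsHost = 'DC1'              # placeholder: DC that runs the DNS service
$NlsIP   = '172.16.1.10'      # placeholder (constructed): internal NLS address

# 1. ISATAP is on the DNS global query block list by default, so the server
#    refuses to answer isatap.<domain>. Keep only wpad on the list.
dnscmd $DnsHost /config /globalqueryblocklist wpad
dnscmd $DnsHost /info /globalqueryblocklist          # check: only wpad listed

# 2. NLS record. A client that can resolve nls.<domain> and reach it over HTTPS
#    decides it is on the intranet and does not bring up the DirectAccess tunnels,
#    so this name must never resolve from outside.
dnscmd $DnsHost /recordadd $Domain nls A $NlsIP
nslookup "nls.$Domain" $DnsHost                      # check: A record returned

# 3. Security group that the DirectAccess client GPO is filtered to.
New-ADGroup -Name 'DirectAccess Clients' -GroupScope Global -GroupCategory Security `
            -Path 'CN=Users,DC=companyabc,DC=com'    # placeholder OU path
Add-ADGroupMember -Identity 'DirectAccess Clients' -Members 'CLIENT1$'   # placeholder computer

# 4. ICMPv4/ICMPv6 echo rules (Teredo needs inbound ICMPv6 echo requests).
#    The slides push the same rules through "DirectAccess Group Policy Object";
#    here they go into the local firewall to test on one machine first.
netsh advfirewall firewall add rule name="DA ICMPv4 Echo In"  dir=in  action=allow protocol=icmpv4:8,any
netsh advfirewall firewall add rule name="DA ICMPv6 Echo In"  dir=in  action=allow protocol=icmpv6:128,any
netsh advfirewall firewall add rule name="DA ICMPv4 Echo Out" dir=out action=allow protocol=icmpv4:8,any
netsh advfirewall firewall add rule name="DA ICMPv6 Echo Out" dir=out action=allow protocol=icmpv6:128,any
netsh advfirewall firewall show rule name="DA ICMPv6 Echo In" # check: Enabled: Yes
```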
Custom Certificate Template for IP-HTTPS
Certificate Autoenrollment
IP-HTTPS Certificate
Installing DirectAccess Feature on DA1
Configuring DirectAccess Feature
Testing DirectAccess
Testing client connection to networks
Connection from the internal network
Connection from a public network
Connection from a home network
Monitoring DirectAccess Server