Server-to-Client Remote Access and DirectAccess

Contents: VPN in Windows Server 2008 R2; Authentication Options to RRAS System; VPN Protocols; DirectAccess in Windows Server 2008; Choosing Between Traditional VPN Technologies & DirectAccess; Traditional VPN Scenario; DirectAccess Scenario

Connect securely over Internet

VPN

RRAS Features & Services Windows NT 4.0

Windows 2000

Windows 2k3

Win2k8

Components Needed to Create a Traditional VPN Connection

A traditional VPN in Windows Server 2008 R2 consists of: VPN client, RRAS server, NPS server, Certificate server, Active Directory server.

RRAS server: the server that accepts VPN connections from VPN clients. It runs the Routing and Remote Access Service role service of the Network Policy and Access Services role.

NPS server: provides authentication, authorization, auditing and accounting for VPN clients. It is a server with the Network Policy and Access Services role and works with Network Access Protection, where System Health Agents (SHAs) inspect and assess the health of the client according to policy.

SHA

Certificate Server: a Certificate Authority (CA) that issues the certificates servers and clients use to authenticate and encrypt tunnels. It is a server with the Certification Authority and Certification Authority Web Enrollment role services.

Authentication Options to an RRAS System: a variety of PPP authentication protocols.

Authentication for PPTP Connections: 4 authentication protocols (MS-CHAP, MS-CHAP v2, EAP, PEAP) provide a mechanism to generate the same encryption key on both the VPN client and the VPN server.

EAP & PEAP Authentication Protocols: Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP) use user certificates or smart cards.

Authentication for L2TP/IPSec Connections: any authentication protocol can be used, because the connection itself is secured by IPSec.

Best Authentication Protocol: use the EAP or PEAP authentication protocol for PPTP, L2TP and SSTP connections; PEAP with EAP-MS-CHAP v2 is a method of easing the deployment burden. If you must use a password-based authentication protocol, use MS-CHAP v2 and enforce strong passwords using Group Policy.

VPN Protocols: Windows Server 2008 R2 includes the Layer 2 tunneling protocols PPTP, L2TP and SSTP. Both the tunnel client and the tunnel server must be using the same tunneling protocol. IPSec tunnel mode is a Layer 3 tunneling protocol.

Comparing VPN Protocols

Tunneling Within a 2008 R2 Networking env

Point-to-Point Tunneling Protocol: a Layer 2 protocol that encapsulates PPP frames in IP datagrams for transmission over the Internet. Used for remote access and router-to-router VPN connections; uses a TCP connection for tunnel maintenance.

Structure of PPTP packet

Layer 2 Tunneling Protocol: a combination of Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F). Encapsulates PPP frames that are sent over IP, X.25, frame relay or ATM networks.

Structure of L2TP packet

IP Security: ensures data security in IP-based communications through two important functions, data encryption and data integrity.

Structure & architecture of the IPSec packet.

Secure Socket Tunneling Protocol: uses the HTTP over SSL (HTTPS) protocol.

DirectAccess: a new remote access protocol. Provides network node connectivity to remote systems without any user login requirements, addressing the challenges of traditional VPN.

DirectAccess uses IPv6, IPSec and certificates to establish secure connections. To traverse public IPv4 networks, DirectAccess uses IPv6 transition technologies such as ISATAP, Teredo and 6to4.
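On the public IPv4 side, DirectAccess traffic shows up as ISATAP, Teredo or 6to4 addresses, so being able to decode them is useful when correlating DirectAccess server or firewall logs with IPv4 addresses. The parser below is an added example, not code from the original presentation; the sample addresses are constructed (the ISATAP one embeds the VPN1 internal address 172.16.1.152 used later in the scenario).

```python
import ipaddress

# Teredo cone flag (RFC 4380); other flag bits are implementation specific.
TEREDO_CONE_FLAG = 0x8000


def _ipv4_from_low32(value: int) -> str:
    """Render the low 32 bits of an integer as a dotted IPv4 address."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def classify_transition_address(text: str) -> dict:
    """Identify the IPv6 transition technology behind an address and
    extract the IPv4 endpoints embedded in it (6to4, Teredo, ISATAP),
    returning {'kind': 'native'} for anything else."""
    n = int(ipaddress.IPv6Address(text))
    # 6to4: 2002:WWXX:YYZZ::/48, the site's public IPv4 sits in bits 16-47.
    if (n >> 112) == 0x2002:
        return {"kind": "6to4", "ipv4": _ipv4_from_low32(n >> 80)}
    # Teredo: 2001:0000::/32 | server IPv4 | flags | ~port | ~client IPv4.
    if (n >> 96) == 0x20010000:
        flags = (n >> 48) & 0xFFFF
        return {
            "kind": "Teredo",
            "server": _ipv4_from_low32(n >> 64),
            "cone": bool(flags & TEREDO_CONE_FLAG),
            # Port and client address are stored bit-inverted (RFC 4380).
            "client_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
            "client": _ipv4_from_low32(n ^ 0xFFFFFFFF),
        }
    # ISATAP: any prefix, interface ID ::0:5efe:W.X.Y.Z (or 0200:5efe when
    # the embedded IPv4 is global, which sets the u/l bit).
    iid = n & ((1 << 64) - 1)
    if ((iid >> 32) & ~0x02000000) == 0x00005EFE:
        prefix = ipaddress.IPv6Address(n & ~((1 << 64) - 1))
        return {"kind": "ISATAP", "ipv4": _ipv4_from_low32(iid), "prefix": str(prefix)}
    return {"kind": "native"}


if __name__ == "__main__":
    # Constructed sample addresses, not captured traffic.
    for sample in ("2002:c000:204::1",
                   "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                   "fe80::5efe:ac10:198",
                   "2001:db8::1"):
        print(sample, classify_transition_address(sample))
```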

DirectAccess requirements

DirectAccess and IPv6

IPv6 tunneling protocols

Two Tunnels

End-to-Edge DirectAccess Model: the DirectAccess client establishes an IPSec tunnel to the DirectAccess server, which forwards unprotected traffic to intranet resources.

End-to-End DirectAccess Model: DirectAccess clients establish an IPSec tunnel with each application server that they connect to. This ensures that traffic is protected end-to-end by IPSec encryption, including while traversing the intranet, but requires that each application server run Windows Server 2008.

DirectAccess Components: DirectAccess server; DirectAccess client (a PC with Windows 7 that must be a domain member with a certificate); corporate IPv6 network; certificate server; Network Location Server (NLS); Active Directory and DNS server.

DirectAccess Connection Process

Choice between a traditional VPN technology and the new DirectAccess?

Traditional VPN Scenario

Steps to configure the VPN architecture

Setting Up Certificate Server: used to issue certificates for the VPN infrastructure. The NPS1 server was chosen to be the centralized policy server and is situated to provide certificate services.

Steps

Certificate Autoenrollment: configure the root CA so that computer certificates are issued automatically through a group policy, using a GPO named Cert Auto Enrollment Group Policy Object.

Steps

Setting Up Network Policy Server

Config Network Policy Server

health validators in the NPS

health policy

Network policies for systems that pass health validation

Network policies for systems that fail health validation

Configure connection request policy

Configure the RRAS server as a RADIUS client on the NPS system

Finish for NPS

Setting Up RRAS Server: the VPN1 server is configured with an internal NIC (172.16.1.152) and an external NIC (192.168.1.201), and is a member of the companyabc.com Active Directory domain.

Steps

Setting Up VPN Client

Security Center

Remote Access Quarantine Enforcement Client: enabled

Network Access Protection Agent service: set to Automatic

Export the certificate from the Certificate Authority

Import the certificate into the client PC's trusted CA store

Set up and configure the VPN connection on the VPN client

Testing VPN Connection

To test the connection, complete the following steps

Controlling Unhealthy VPN Clients: turn off the Windows Firewall and see what happens when the client connects to the VPN

SSTP Troubleshooting

DirectAccess Scenario: two major goals. Allow the workstation to move between internal, public and home networks while retaining access to application servers. Enable IPv6 in an IPv4 network using IPv6 transition technologies.

Scenario

System’s components

Three networks in the scenario

Configuring Infrastructure: configure the DNS service to remove ISATAP from the default global query block list, so that DNS will service ISATAP requests.

Create NLS record in DNS

Create a security group for DirectAccess client PCs

Using a GPO to Configure Firewall Rules: create and enable firewall rules for ICMPv4 and ICMPv6 traffic. The ICMP firewall rules will be deployed with the GPO "DirectAccess Group Policy Object."

Steps

Custom Certificate Template for IP-HTTPS

Certificate Autoenrollment

IP-HTTPS Certificate

Installing DirectAccess Feature on DA1

Configuring DirectAccess Feature

Testing DirectAccess

Testing client connection to networks

connection to internal network

connection to public network

connection to home network

Monitoring DirectAccess Server