Module 6: Configuring and Troubleshooting Routing and Remote Access

Presentation transcript:

Module 6: Configuring and Troubleshooting Routing and Remote Access
Course 6421A
Presentation: 90 minutes
Lab: 60 minutes

This module helps students to configure and troubleshoot Routing and Remote Access in Windows Server® 2008. After completing this module, students will be able to:
Configure network access.
Configure virtual private network (VPN) access.
Configure dial-up access.
Describe network policies.
Use the Connection Manager Administration Kit (CMAK).
Troubleshoot Routing and Remote Access.

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 6421A_06.ppt.

Important
It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations and the lab exercises.
Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
Make sure that students are aware that there are additional information and resources for the module on the Course Companion CD.

Module Overview
Configuring Network Access
Configuring VPN Access
Overview of Network Policies
Overview of the Connection Manager Administration Kit
Troubleshooting Routing and Remote Access

Lesson 1: Configuring Network Access
Components of a Network Access Services Infrastructure
What Is the Network Policy and Access Services Role?
What Is Routing and Remote Access?
Considerations for Configuring and Enabling Routing and Remote Access
Demonstration: How to Install Routing and Remote Access Services
Network Authentication and Authorization
Types of Authentication Methods
Integrating DHCP Servers with the Routing and Remote Access Service

Components of a Network Access Services Infrastructure

Diagram labels: Intranet; Perimeter Network; Internet; Remediation Servers; NAP Health Policy Server; DHCP Server; Health Registration Authority; IEEE 802.1X Devices; Active Directory; VPN Server; Restricted Network; NAP Client with limited access.

Discuss with students the underlying infrastructure in a complete Network Access Service (NAS). Review the graphic on the slide and explain the different connection options that you can use in a Microsoft environment using the Network Policy Server (NPS)/Routing and Remote Access service.

What Is the Network Policy and Access Services Role?

Component and description:
Network Policy Server: The Microsoft implementation of a RADIUS server and proxy.
Routing and Remote Access: Provides VPN and dial-up solutions for users, deploys full-featured software routers, and shares Internet connections across the intranet.
Health Registration Authority: Issues health certificates to clients when using IPsec NAP enforcement.
Host Credential Authorization Protocol: Integrates with the Cisco network access control server.

Describe the slide's components for students. Explain that each component is a separate option in NPS/Routing and Remote Access services. You choose to install the components that you will use in your Routing and Remote Access service deployment.

References
Windows Server 2008 Technical Library http://go.microsoft.com/fwlink/?LinkId=99823&clcid=0x409

What Is Routing and Remote Access?

Used to provide remote users access to resources on a private network over dial-up or VPN services
Can be used to provide NAT services
Can provide LAN and WAN routing services to connect network segments

Elaborate on the Routing and Remote Access service role to the students. Explain that the Routing and Remote Access service role by itself offers the capability to serve as a VPN, dial-up, a network address translation (NAT) routing service, or multiprotocol local area network (LAN)-to-LAN, LAN-to-wide area network (WAN) routing service.

References
Help Topic: Routing and Remote Access Service
Windows Server 2008 Technical Library http://go.microsoft.com/fwlink/?LinkId=99823&clcid=0x409

Demonstration: How to Install Routing and Remote Access Services

In this demonstration, you will see how to install the Routing and Remote Access server role in Windows Server 2008.

You can install the Routing and Remote Access service role by using Initial Configuration Tasks or the Server Manager Roles tool.

Using Initial Configuration Tasks:
1. On the Initial Configuration Tasks page, under Initial Configuration Tasks, click Add Roles.
2. On the Add Roles Wizard Before You Begin page, click Next.
3. On the Select Server Roles page, click Network Policy and Access Services, and then click Next.
4. Complete the wizard by selecting the appropriate settings to finish installing the role.

The process is the same when using Server Manager:
1. Open Administrative Tools from the Start menu, point to Server Manager, point to Roles, and then click Add Roles.
2. Select Network Policy and Access Services from the available roles listed.
3. Complete the wizard to install the role.

After you complete these steps, the Routing and Remote Access service is installed but is not enabled. You must be a member of the Administrators group to complete the installation and enable the appropriate access services in the Routing and Remote Access service console under the Administrative Tools menu.

References
Help Topic: Install and Enable the Routing and Remote Access Service

Network Authentication and Authorization

Authentication:
Verifies the credentials of a connection attempt
Uses an authentication protocol to send the credentials from the remote access client to the remote access server in either plain text or encrypted form

Authorization:
Verifies that the connection attempt is allowed
Occurs after successful authentication

Make certain that the students understand the difference between these terms. Emphasize that authorization takes place AFTER successful authentication.

References
Authentication vs. authorization http://go.microsoft.com/fwlink/?LinkId=99902&clcid=0x409

Types of Authentication Methods

Protocol, description, and security level:

PAP
Description: Uses plaintext passwords. Typically used if the remote access client and remote access server cannot negotiate a more secure form of validation.
Security level: The least secure authentication protocol. Does not protect against replay attacks, remote client impersonation, or remote server impersonation.

CHAP
Description: A challenge-response authentication protocol that uses the industry-standard MD5 hashing scheme to encrypt the response.
Security level: An improvement over PAP in that the password is not sent over the PPP link. Requires a plaintext version of the password to validate the challenge response. Does not protect against remote server impersonation.

MS-CHAPv2
Description: An upgrade of MS-CHAP. Two-way authentication, also known as mutual authentication, is provided. The remote access client receives verification that the remote access server that it is dialing in to has access to the user's password.
Security level: Provides stronger security than CHAP.

EAP
Description: Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types.
Security level: Offers the strongest security by providing the most flexibility in authentication variations.

Discuss each of the different authentication protocols and explain why you would not want to allow the use of Password Authentication Protocol (PAP), Shiva Password Authentication Protocol (SPAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP v2) as options for a Routing and Remote Access service solution because of nonexistent or weak encryption. MS-CHAP v2 may be useful to support legacy clients that are incapable of using newer, stronger authentication methods. CHAP may be useful to support some non-Microsoft-based client authentication.

Explain EAP/PEAP authentication and the requirement for X.509 certificates. Discuss some of the issues with deployment of certificate-based authentication, and the potential overhead of having to run a certificate authority (CA) internally for certificate distribution. Also, mention that certificate-based authentication is strongly recommended for wireless authentication.

This slide describes 4 types of authentication methods, while the student manual mentions 5. PEAP is missing from the PPT. Refer to the student CD for information on how PEAP works.

References
Help Topic: EAP and NPS
Help Topic: EAP
Help Topic: PEAP and NPS
Help Topic: Certificates and NPS
Help Topic: Certificate Requirements for PEAP and EAP
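The CHAP row above makes three claims: the password itself never crosses the PPP link, the server must hold a plaintext copy of it, and nothing in the exchange proves to the client that the server knows the secret. The following Python model of the RFC 1994 exchange (an added example written for this page, not course or Microsoft code; the secrets and challenge length are constructed values) makes each claim visible: the client sends only an MD5 digest, the server recomputes that digest from the stored plaintext, a captured response fails against a fresh challenge, and a rogue server that simply answers "Success" is indistinguishable from a genuine one.

```python
"""CHAP (RFC 1994) challenge-response walk-through.

Added example, not part of the course material. Response value is
MD5(identifier || secret || challenge), as the RFC specifies; all other
names and sample secrets are constructed for illustration.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: the 16-byte CHAP Response value (RFC 1994 section 4.1)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_validate(identifier: int, stored_secret: bytes,
                    challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the digest and compare in constant time.
    This is why CHAP needs the plaintext secret on the server; a one-way
    password hash could not reproduce the digest."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def new_challenge(length: int = 16) -> bytes:
    """A fresh random challenge for every exchange; reusing one invites replay."""
    return os.urandom(length)


def run_exchange(stored_secret: bytes, client_secret: bytes = None) -> bool:
    """One full exchange. Only the digest crosses the link, never the password.
    Returns True when the server accepts the client's response."""
    if client_secret is None:
        client_secret = stored_secret
    identifier = 1
    challenge = new_challenge()                                      # server -> client
    response = chap_response(identifier, client_secret, challenge)   # client -> server
    return server_validate(identifier, stored_secret, challenge, response)


def replay_is_rejected(stored_secret: bytes) -> bool:
    """A response captured from an earlier exchange fails against a new challenge."""
    identifier = 7
    captured = chap_response(identifier, stored_secret, new_challenge())
    return not server_validate(identifier, stored_secret, new_challenge(), captured)


def client_sees_difference_with_rogue_server() -> bool:
    """Plain CHAP sends the client nothing that proves the server knows the
    secret. A rogue server can issue a challenge and answer 'Success' without
    checking anything, so from the client's side both outcomes look the same.
    Returns True only if the client could tell them apart (it cannot)."""
    def genuine_server(identifier, challenge, response):
        return server_validate(identifier, b"real-secret", challenge, response)

    def rogue_server(identifier, challenge, response):
        return True  # never had the secret; accepts anything

    identifier, challenge = 2, new_challenge()
    response = chap_response(identifier, b"real-secret", challenge)
    return genuine_server(identifier, challenge, response) != rogue_server(identifier, challenge, response)


if __name__ == "__main__":
    print("correct secret accepted:", run_exchange(b"correct-horse"))
    print("wrong secret rejected:", not run_exchange(b"correct-horse", b"wrong-guess"))
    print("replayed response rejected:", replay_is_rejected(b"correct-horse"))
    print("client can detect rogue server:", client_sees_difference_with_rogue_server())
```

The last function is the property MS-CHAPv2 adds: its authenticator response is a second digest, computed by the server from the user's password, that the client checks before trusting the link. EAP types that use X.509 certificates make that server proof stronger still, which is why the notes recommend them for wireless.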

Integrating DHCP Servers with the Routing and Remote Access Service

You can provide remote clients with IP configurations by using either:
A static pool created on the Routing and Remote Access server for use with remote clients
The corporate DHCP server located on the corporate LAN

DHCP servers running Windows Server 2008:
Provide a predefined user class called the Default Routing and Remote Access Class
Are useful for assigning options that are provided to Routing and Remote Access clients only

Explain to students that the Routing and Remote Access service administrator can provide a pool of addresses on the Routing and Remote Access server to support remote clients with an IP configuration, or they can use the existing Dynamic Host Configuration Protocol (DHCP) infrastructure on the corporate LAN. If the administrator chooses to use the existing DHCP server, the Routing and Remote Access server acquires a pool of 10 IP addresses. The Routing and Remote Access server applies the first IP address to its own interface, and the remaining nine IP addresses are used for remote client connections. After the first 10 IP addresses are assigned, the Routing and Remote Access server refers back to DHCP to acquire 10 more IP addresses.

Note: DHCP servers running Windows Server 2008 provide a predefined user class (called the Default Routing and Remote Access class) for assigning options that are provided only to Routing and Remote Access clients.

References
Help Topic: Using Routing and Remote Access Servers with DHCP

Lesson 2: Configuring VPN Access
What Is a VPN Connection?
Components of a VPN Connection
Tunneling Protocols for a VPN Connection
Configuration Requirements
Demonstration: Configuring VPN Access
Completing Additional Tasks
Components of a Dial-up Connection

What Is a VPN Connection?

Diagram labels: Corporate Headquarters; Large Branch Office; Medium Branch Office; Small Branch Office; Home Office with VPN Client; Remote User with VPN Client; VPN Server (at each site); VPN.

Describe how a VPN connection is used to connect remote network clients. Present the slide while explaining the benefits of using a public network (the Internet) to tunnel securely into the corporate LAN and gain access to resources. The main benefits of using a VPN connection, rather than a dial-up connection, are cost savings and increased bandwidth.

Explain a VPN connection's properties for each of the following:
Encapsulation
Authentication
Data Encryption

The differences between remote access VPNs and site-to-site VPNs are described on the student CD. Use the student CD information (also listed here) to present this topic.

Remote access VPN
Remote access VPN connections enable users working at home or on the road to access a server on a private network using the infrastructure that a public network provides, such as the Internet. From the user's perspective, the VPN is a point-to-point connection between the computer (the VPN client) and an organization's server. The exact infrastructure of the shared or public network is irrelevant because it appears logically as if the data is sent over a dedicated private link.

Site-to-site VPN
Site-to-site VPN connections (also known as router-to-router VPN connections) enable organizations to have routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications. A routed VPN connection across the Internet logically operates as a dedicated WAN link. When networks connect over the Internet, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link. A site-to-site VPN connection connects two portions of a private network. The VPN server provides a routed connection to the network to which the VPN server is attached. The calling router (the VPN client) authenticates itself to the answering router (the VPN server), and, for mutual authentication, the answering router authenticates itself to the calling router. In a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.

References
MOC 2277C: Module 10
Help Topic: Routing and Remote Access: Virtual Private Networking

Components of a VPN Connection

Diagram labels: VPN Client (Client Operating System); VPN Tunnel (Virtual Network); VPN Server (Routing and Remote Access); Domain Controller (Authentication); DHCP Server (IP Configuration).

Describe the components of a VPN solution:
VPN client. Runs Windows or another vendor's client operating system.
VPN server. Runs Microsoft Routing and Remote Access.
Domain Controller. Provides authentication.
DHCP server. Provides IP configuration.
VPN tunnel. Provides the virtual network between the remote host and the VPN server.

Briefly discuss the security that NAP provides the VPN solution by having the VPN client placed on a remediation network if the client does not meet the network's health requirements.

Briefly describe the difference between Network Access Quarantine Control (NAQC) and NAP:
NAQC uses scripts to verify the connecting client's health, only at connection, and offers no remediation.
NAP provides ongoing monitoring of the NAP client to ensure that it remains compliant with the policy.

References
Help Topic: Network Access Quarantine Control and NAP

Tunneling Protocols for a VPN Connection

PPTP (diagram labels): IP header | GRE header | encrypted PPP frame: PPP payload (IPv4 packet), PPP trailer.
L2TP (diagram labels): IP header | UDP header | L2TP header | PPP header | PPP payload (IP datagram, IPX datagram, NetBEUI frame); nested as UDP message, L2TP frame, PPP frame.
SSTP: Encapsulates PPP frames in IP datagrams, and uses port 443 (TCP) for tunnel management and PPP data frames. Encryption is performed by the SSL channel of the HTTPS protocol.

Talk to the students about the different client support for each of the protocols:
Point-to-Point Tunneling Protocol (PPTP): Widely usable on a variety of Microsoft clients
Layer Two Tunneling Protocol (L2TP): Windows 2000, Windows XP, or Windows Vista™
Secure Socket Tunneling Protocol (SSTP): Windows Vista SP1 or Windows Server 2008

The student CD contains the following information on the benefits and disadvantages of each tunneling protocol. Use the student CD information when presenting this topic.

Choosing between tunneling protocols
When choosing between PPTP, L2TP/IPsec, and SSTP remote access VPN solutions, consider the following:
• You can use PPTP with a variety of Microsoft clients, including Microsoft Windows 2000, Windows XP, Windows Vista, and Windows Server 2008. Unlike L2TP/IPsec, PPTP does not require the use of a public key infrastructure (PKI). By using encryption, PPTP-based VPN connections provide data confidentiality, as captured packets cannot be interpreted without the encryption key. PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data-origin authentication (proof that the data was sent by the authorized user).
• You can use L2TP only with client computers running Windows 2000, Windows XP, or Windows Vista. L2TP supports either computer certificates or a preshared key as the IPsec authentication method. Computer certificate authentication, the recommended authentication method, requires a PKI to issue computer certificates to the VPN server computer and all VPN client computers. By using IPsec, L2TP/IPsec VPN connections provide data confidentiality, integrity, and authentication.
• Unlike PPTP and SSTP, L2TP/IPsec enables computer authentication at the IPsec layer and user-level authentication at the PPP layer.
• You can use SSTP only with client computers running Windows Vista Service Pack 1 (SP1) or Windows Server 2008. By using SSL, SSTP VPN connections provide data confidentiality, integrity, and authentication.
• All three tunnel types carry PPP frames on top of the network protocol stack. Therefore, the common features of PPP, such as authentication schemes, NAP, and Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) negotiation, are the same for the three tunnel types.

References
Help Topic: VPN Tunneling Protocols

Configuration Requirements

VPN server configuration requirements include:
Two network interfaces (public and private)
IP address allocation (static pool or DHCP)
Authentication provider (NPS/Radius or the VPN server)
DHCP relay agent considerations
Membership in the Local Administrators group or equivalent

Comment on slide: Is "Radius" supposed to be "RADIUS"?

Discuss the importance of, and best practices for, renaming LAN connections to reflect their scope (public or private). Discuss the use of internal DHCP versus a static pool.

Facilitate a discussion with students about the remaining configuration requirements by asking the following questions:
Why would you use a Remote Authentication Dial-In User Service (RADIUS) server instead of the VPN server for authentication? (multiple VPN servers, accounting, logging)
Do you require a relay agent? Is your DHCP server on a different LAN segment?
Do you have the rights to configure the service?

References
Help Topic: Configure a Remote Access VPN Server

Demonstration: Configuring VPN Access

In this demonstration, you will see how to:
Configure user dial-in settings
Configure Routing and Remote Access as a VPN server
Configure a VPN client

To verify user Dial-In settings, open the Properties sheet for the user object in Active Directory® directory service and verify that the settings on the Dial-In tab are the desired settings.

For a Windows Vista client, you can locate the VPN/Dial-up settings by clicking Start, pointing to Connect to, and then clicking Set up a connection or network.

To configure Routing and Remote Access as a VPN server, install the role on a computer running Windows Server 2008. After the installation is complete, click Start, point to Administrative Tools, and then click Routing and Remote Access. If the Routing and Remote Access service is not configured, right-click servername, and then click Configure and Enable Routing and Remote Access. Follow the wizard interface to complete the configuration. If Routing and Remote Access is configured and enabled, right-click servername, and then click Properties. On the Properties sheet, select either the IPv4 or IPv6 remote access server check box.

References
Help Topic: Configure a Remote Access VPN Server

Completing Additional Tasks

Configure static packet filters
Configure services and ports
Adjust logging levels for routing protocols
Configure number of available VPN ports
Create a Connection Manager profile for users
Add Certificate Services
Increase remote access security
Increase VPN security

Explain to the students that even after enabling the service, there are more tasks to complete to secure the Routing and Remote Access solution so that it meets the necessary requirements:
Static filters (inbound/outbound) to create traffic restrictions and allowances.
Adjust logging options to monitor utilization and to troubleshoot connectivity issues.
Configure available VPN ports. For example, you may want to increase the number of L2TP ports and remove all PPTP and SSTP connections. Configure the ports to support the number of users and the type of connections allowed.
CMAK profiles to automate the configuration of Routing and Remote Access connections on the client computers.
Certificate Services if you will be using authentication methods that require user/computer certificates.
Increase security by deselecting authentication protocols that you do not want to allow.
Use the reference information to elaborate on each of these points.

References
Help Topic: Configure a Remote Access VPN Server
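Two of the tasks above belong together: when you remove PPTP and SSTP ports and keep only L2TP, the static inbound filters on the public interface should shrink to match, otherwise the server still answers on listeners nobody is supposed to use. The Python model below is an added example for this page, not RRAS code or a Microsoft tool; it models the public-interface filter as a default-deny list built from the tunnel types you leave enabled. The port and protocol numbers are the well-known ones for each tunnel (PPTP: TCP 1723 plus GRE, IP protocol 47; L2TP/IPsec: UDP 500, UDP 4500 and ESP, IP protocol 50; SSTP: TCP 443, which the tunneling slide also states); the packet and rule types are constructed for the example.

```python
"""Default-deny static packet filter for a VPN server's public interface.

Added example, not part of the course material. It shows how the set of
permitted inbound traffic follows from the tunnel types that stay enabled,
so that dropping PPTP/SSTP ports and tightening the filters are one change.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# IP protocol numbers (IANA assignments).
TCP, UDP, GRE, ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class FilterRule:
    protocol: int
    dst_port: Optional[int] = None   # None: any port (GRE and ESP carry no ports)


@dataclass(frozen=True)
class Packet:
    protocol: int
    dst_port: Optional[int] = None


# Inbound traffic each tunnel type needs on the Internet-facing interface.
TUNNEL_RULES = {
    "PPTP": frozenset({FilterRule(TCP, 1723), FilterRule(GRE)}),
    "L2TP": frozenset({FilterRule(UDP, 500), FilterRule(UDP, 4500), FilterRule(ESP)}),
    "SSTP": frozenset({FilterRule(TCP, 443)}),
}


def inbound_filter(enabled_tunnels: Iterable[str]) -> FrozenSet[FilterRule]:
    """Build the 'drop all except' rule set from the enabled tunnel types.
    An unknown tunnel name raises KeyError rather than silently allowing nothing."""
    rules = set()
    for tunnel in enabled_tunnels:
        rules |= TUNNEL_RULES[tunnel]
    return frozenset(rules)


def matches(rule: FilterRule, pkt: Packet) -> bool:
    return rule.protocol == pkt.protocol and (
        rule.dst_port is None or rule.dst_port == pkt.dst_port)


def permitted(pkt: Packet, rules: FrozenSet[FilterRule]) -> bool:
    """Default deny: a packet passes only if some rule explicitly matches it."""
    return any(matches(rule, pkt) for rule in rules)


def exposed_listeners(before: Iterable[str], after: Iterable[str]) -> FrozenSet[FilterRule]:
    """Rules that were needed before a change but not after: these are the
    filter entries to remove along with the ports, or they stay reachable."""
    return inbound_filter(before) - inbound_filter(after)


if __name__ == "__main__":
    # Constructed scenario: the server started with all three tunnel types,
    # then the administrator keeps only L2TP/IPsec.
    rules = inbound_filter(["L2TP"])
    for pkt in (Packet(TCP, 1723), Packet(GRE), Packet(UDP, 4500), Packet(ESP),
                Packet(TCP, 443), Packet(TCP, 3389)):
        print(pkt, "permitted" if permitted(pkt, rules) else "dropped")
    print("stale entries to remove:", sorted(
        (r.protocol, r.dst_port or 0) for r in exposed_listeners(["PPTP", "L2TP", "SSTP"], ["L2TP"])))
```

The `exposed_listeners` check is the review step worth keeping: run it against the before and after tunnel lists, and the result is exactly the filter entries (TCP 1723, GRE, TCP 443 here) that must go, which is easy to forget when the port change and the filter change are made in different parts of the console.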

Components of a Dial-Up Connection

Diagram labels: Dial-Up Client; WAN options: telephone, ISDN, X.25, or ATM; Remote Access Server (LAN and remote access protocols); Domain Controller (Authentication); DHCP Server (Address and Name Server Allocation).

Describe the multiple components of a dial-up connection. A dial-up connection comprises several components. These components include remote access servers, dial-up clients, remote access protocols, and authentication methods.

References
Help Topic: Configure a Remote Access VPN Server

Lesson 3: Overview of Network Policies
What Is a Network Policy?
Process for Creating and Configuring a Network Policy
How Are Network Policies Processed?

What Is a Network Policy?

A network policy consists of the following elements:
Conditions
Constraints
Settings

Define a network policy as a set of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can connect. Ensure that the students understand the definition of a network policy, and the conditions, constraints, and settings of network policies. Discuss the two default policies in Windows Server 2008 Routing and Remote Access, which DENY access to both Microsoft Remote Access Service (RAS) and any other RAS server by default.

References
Help Topic: Network Policies

Process for Creating and Configuring a Network Policy

1. Determine authorization by user or group
2. Determine appropriate settings for the user account's network access permissions
3. Configure the New Network Policy Wizard:
   Configure network policy conditions
   Configure network policy constraints
   Configure network policy settings

Explain that to configure a new policy in Windows Routing and Remote Access, open Routing and Remote Access, right-click Remote Access Logging and Policies, and click Launch NPS. Alternatively, you can open Network Policy Server from the Administrative Tools menu. In NPS, right-click Network Policies, and then click New to start the NPS New Policy Wizard. Conduct a demonstration by going through the wizard, and view all of the options that are available during network-policy creation.

References
Help Topic: Add a Network Policy
Help Topic: Network Policies

How Are Network Policies Processed?

Flowchart (decision steps, in order):
START: Are there policies to process? No: no policy matches; the attempt is rejected unless the user account's dial-in property is set to Allow Access. Yes: continue.
Does the connection attempt match the policy conditions? No: go to the next policy. Yes: continue.
Is the remote access permission for the user account set to Deny Access? Yes: reject the connection attempt. No: continue.
Is the remote access permission for the user account set to Allow Access? Yes: skip the policy permission check. No (access is controlled through network policy): continue.
Is the remote access permission on the policy set to Deny remote access permission? Yes: reject the connection attempt. No: continue.
Does the connection attempt match the user object and profile settings? No: reject the connection attempt. Yes: accept the connection attempt.

Speaker notes: When NPS performs the authorization of a connection request, it compares the request with each network policy in the ordered list of policies, starting with the first policy and moving down the list. If NPS finds a policy whose conditions match the connection request, NPS uses the matching policy and the user account's dial-in properties to perform authorization. If the dial-in properties of the user account are configured to grant access or to control access through network policy, and the connection request is authorized, NPS applies the settings that are configured in the network policy. If NPS does not find a network policy that matches the connection request, the request is rejected unless the dial-in properties on the user account are set to grant access. If the dial-in properties of the user account are set to deny access, NPS rejects the connection request.

References: Help Topic: Add a Network Policy
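The evaluation order described above, as an added example written for this page (it is not code from course 6421A or from NPS itself). The policies, user accounts and connection requests are constructed inside the script, and the `dial_in` values ("allow", "deny", "policy") and the helper names are assumptions made for the simulation. It goes slightly beyond the single path the flowchart draws by running several requests through the same ordered policy list, so the different reject reasons can be compared side by side.

```python
"""Simulation of the network policy evaluation order shown on the slide.

Added example, not part of course 6421A or of NPS itself: the policy,
account and request objects are constructed here to illustrate the
decision flow (ordered policies, conditions, the account's dial-in
property, the policy's own permission, then constraints and settings).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Request = Dict[str, object]   # constructed request: user, groups, tunnel type, hour of day


@dataclass
class NetworkPolicy:
    name: str
    conditions: List[Callable[[Request], bool]]   # all must match for the policy to be selected
    constraints: List[Callable[[Request], bool]]  # all must hold once the policy is selected
    grant_access: bool                            # the policy's own remote access permission


@dataclass
class UserAccount:
    name: str
    dial_in: str  # assumed values: "allow", "deny" or "policy" (control through network policy)
    settings: List[Callable[[Request], bool]] = field(default_factory=list)  # user object settings


def authorize(request: Request, account: UserAccount,
              policies: List[NetworkPolicy]) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason) following the slide's evaluation order."""
    for policy in policies:                               # ordered list, first to last
        if not all(cond(request) for cond in policy.conditions):
            continue                                      # "Go to next policy"
        # First policy whose conditions match: combine with the account's dial-in property.
        if account.dial_in == "deny":
            return "reject", f"dial-in property of {account.name} is Deny Access"
        if account.dial_in == "policy" and not policy.grant_access:
            return "reject", f"policy '{policy.name}' denies remote access permission"
        # Allow Access on the account bypasses the policy permission, but the
        # constraints and the account's own settings must still be satisfied.
        if not all(check(request) for check in policy.constraints):
            return "reject", f"request violates a constraint of '{policy.name}'"
        if not all(check(request) for check in account.settings):
            return "reject", f"request does not match the settings of {account.name}"
        return "accept", f"authorized by policy '{policy.name}'"
    # No policy matched: rejected unless the account's dial-in property grants access.
    if account.dial_in == "allow":
        return "accept", "no matching policy, but dial-in property is Allow Access"
    return "reject", "no network policy matches the connection request"


# Constructed sample policies. The second is modelled on the default deny
# policy for connections through other access servers.
SALES_VPN = NetworkPolicy(
    name="Sales VPN users",
    conditions=[lambda r: r["tunnel"] == "L2TP", lambda r: "Sales" in r["groups"]],
    constraints=[lambda r: 8 <= r["hour"] < 18],     # day-and-time restriction
    grant_access=True,
)
CATCH_ALL = NetworkPolicy(
    name="Connections to other access servers",
    conditions=[lambda r: True],
    constraints=[],
    grant_access=False,
)
POLICIES = [SALES_VPN, CATCH_ALL]


def sample_request(user: str, groups, tunnel: str = "L2TP", hour: int = 10) -> Request:
    """Build a constructed connection request for the simulation."""
    return {"user": user, "groups": set(groups), "tunnel": tunnel, "hour": hour}


if __name__ == "__main__":
    cases = [
        (sample_request("alice", ["Sales"]), UserAccount("alice", "policy")),
        (sample_request("alice", ["Sales"], hour=22), UserAccount("alice", "policy")),
        (sample_request("bob", []), UserAccount("bob", "policy")),
        (sample_request("carol", []), UserAccount("carol", "allow")),
        (sample_request("dave", ["Sales"]), UserAccount("dave", "deny")),
    ]
    for req, acct in cases:
        print(acct.name, acct.dial_in, *authorize(req, acct, POLICIES))
```

The order of the checks is the point: a Deny Access dial-in property wins before any policy permission is consulted, Allow Access skips the policy permission but not the constraints, and a request that reaches the catch-all deny policy is rejected only when the account defers to policy.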

Lesson 4: Overview of the Connection Manager Administration Kit

What Is the Connection Manager Administration Kit?
Demonstration: Installing CMAK
Process for Configuring a Connection Profile
Demonstration: Creating a Connection Profile
Distributing the Connection Profile to Users

What Is the Connection Manager Administration Kit?

The Connection Manager Administration Kit:
Allows you to customize users' remote connection experience by creating predefined connections to remote servers and networks
Creates an executable file that can be run on a client computer to establish a network connection that you have designed
Reduces Help Desk requests related to the configuration of RAS connections
Assists in problem resolution because the configuration is known
Reduces the likelihood of user errors when they configure their own connection objects

Speaker notes: Explain to the students the benefit of storing RAS configurations as an executable file that you can e-mail, place on optical media, or access from a file share, as compared to manually configuring connection objects. Also, discuss the benefits for the troubleshooting process.

References: Help Topic: Welcome to the Connection Manager Administration Kit

Demonstration: Installing CMAK

In this demonstration, you will see how to use the Server Manager tool to install the Connection Manager Administration Kit.

Speaker notes: The Connection Manager Administration Kit (CMAK) is an optional feature that is not installed by default. You must install CMAK to create connection profiles that your users can install to access remote networks. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To install CMAK:
1. Click Start, point to Administrative Tools, and then click Server Manager.
2. In Server Manager, in the left pane, click Features.
3. Click Add Features.
4. On the Select Features page, select Connection Manager Administration Kit, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. When the installation is complete, confirm that the installation was successful, and then click Close.

References: Help Topic: Install the Connection Manager Administration Kit

Process for Configuring a Connection Profile

The CMAK Connection Profile Wizard assists in the process of creating custom connection profiles for users.

Use the CMAK Connection Profile Wizard to configure:
The target operating system
Support for VPN
Support for dial-up, including the custom phone book
Proxy
Custom Help file
Custom support information

Speaker notes: Ensure that the students understand how thorough the CMAK wizard is for creating an enterprise's custom connection solutions, and use the slide to introduce some high-level tasks of the creation process. You will demonstrate how to use the CMAK in the next topic.

References: Help Topic: Run the CMAK to Create a Connection Profile

Demonstration: Creating a Connection Profile

In this demonstration, you will see how to use the Connection Manager Administration Kit to create a connection profile.

Speaker notes: To start the CMAK wizard:
1. Click Start, point to Administrative Tools, and then click Connection Manager Administration Kit. If Connection Manager Administration Kit does not appear on the menu, it is not installed.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. On the Welcome page, click Next.
Use the reference "Run the CMAK Wizard to Create a Connection Profile" in Connection Manager Administration Kit Help as a guide for completing the pages in the Connection Profile Wizard.
Note: For complete information about creating a connection profile, see the CMAK Operations Guide (http://go.microsoft.com/fwlink/?linkid=57535).

References: Help Topic: Run the CMAK Wizard to Create a Connection Profile

Distributing the Connection Profile to Users

The connection profile can be distributed to users in the following ways:
As part of an image for new computers
On removable media for the user to install manually
With software distribution tools, such as Systems Management Server or System Center Configuration Manager 2007

Speaker notes: Ensure that students understand that because the Connection Profile Wizard creates an executable as the finished product, there are different methods available for distributing a connection profile to users.

References: Help Topic: Distribute Your Connection Profile to Your Users

Lesson 5: Troubleshooting Routing and Remote Access

TCP/IP Troubleshooting Tools
Authentication and Accounting Logging
Configuring Remote Access Logging
Configuring Remote Access Tracing
Common Troubleshooting Solutions

TCP/IP Troubleshooting Tools

Command: Description
Ipconfig: Displays current TCP/IP network configuration values; updates or releases DHCP-allocated leases; and displays, registers, or flushes DNS names
Ping: Sends ICMP Echo Request messages to verify that TCP/IP is configured correctly and that a TCP/IP host is available
Pathping: Displays the path to a TCP/IP host and the packet loss at each router along the way
Tracert: Displays the path to a TCP/IP host

Speaker notes: Use the information in the slide to describe the commands that you can use to troubleshoot TCP/IP.

References: How to troubleshoot TCP/IP connectivity with Windows XP, http://go.microsoft.com/fwlink/?LinkId=99912&clcid=0x409

Authentication and Accounting Logging

There are three types of logging for Network Policy Server:
Event logging for auditing and troubleshooting connection attempts
Logging authentication and accounting requests to a local file
Logging authentication and accounting requests to a SQL Server database

Speaker notes: Event logging is useful for troubleshooting connection attempts. When NPS rejects a connection attempt, the event in the system log contains information such as the user name, access server identifiers, authentication type, the name of the first matching network policy, and the reason for rejection. To configure logging, open Network Policy Server from the Administrative Tools menu, and in the console tree, click Accounting. Select the appropriate log type (local file or Microsoft SQL Server), specify settings, and then click OK.

References: Help Topic: Configure Log File Properties
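The local-file log mentioned above, read back for troubleshooting, as an added example written for this page (not code from course 6421A or from NPS). It assumes NPS is writing the DTS-compliant XML log format, one `<Event>` element per line, and reads the elements that carry the details the slide lists: `User-Name`, `NAS-IP-Address` (the access server), `Authentication-Type`, `NP-Policy-Name` (the first matching network policy) and `Reason-Code`. `Packet-Type` values are the RFC 2865 codes (1 Access-Request, 2 Access-Accept, 3 Access-Reject, 4 Accounting-Request); only three reason codes are translated to text here. The log lines are constructed in the script, not real server output, and the helper names are assumptions. The final check also covers the symptom in the module review question, every connection attempt failing at once.

```python
"""Summarize NPS authentication outcomes from a local log file.

Added example, not from course 6421A. It assumes the DTS-compliant XML log
format (one <Event> element per line). Packet-Type uses the RFC 2865 codes:
1 Access-Request, 2 Access-Accept, 3 Access-Reject, 4 Accounting-Request.
The log lines below are constructed, not real server output.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, Iterable, List

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

# Small subset of the NPS reason codes; other values are reported numerically.
REASON_TEXT = {
    0: "success",
    16: "authentication failure (credentials rejected)",
    48: "no network policy matched",
}


def _ev(ts, user, ptype, reason, policy=None, nas="10.10.0.24", auth="4"):
    """Assemble one constructed DTS-style log line (sample data only)."""
    fields = [
        f'<Timestamp data_type="4">{ts}</Timestamp>',
        '<Computer-Name data_type="1">NYC-SVR1</Computer-Name>',
        '<Event-Source data_type="1">IAS</Event-Source>',
        f'<User-Name data_type="1">{user}</User-Name>',
        f'<NAS-IP-Address data_type="3">{nas}</NAS-IP-Address>',
        f'<Authentication-Type data_type="0">{auth}</Authentication-Type>',
        f'<Packet-Type data_type="0">{ptype}</Packet-Type>',
        f'<Reason-Code data_type="0">{reason}</Reason-Code>',
    ]
    if policy is not None:
        fields.append(f'<NP-Policy-Name data_type="1">{policy}</NP-Policy-Name>')
    return "<Event>" + "".join(fields) + "</Event>"


SAMPLE_LOG_LINES = [   # constructed sample log
    _ev("03/14/2008 09:01:10.000", "CONTOSO\\alice", 2, 0, "Sales VPN users"),
    _ev("03/14/2008 09:02:31.000", "CONTOSO\\bob", 3, 48),
    _ev("03/14/2008 09:03:05.000", "CONTOSO\\carol", 1, 0),   # request only, no outcome
    _ev("03/14/2008 09:03:06.000", "CONTOSO\\alice", 4, 0),   # accounting, not an outcome
    _ev("03/14/2008 09:04:12.000", "CONTOSO\\dave", 3, 16, "Sales VPN users"),
    _ev("03/14/2008 09:04:40.000", "CONTOSO\\erin", 3, 16, "Sales VPN users"),
    _ev("03/14/2008 09:05:02.000", "CONTOSO\\frank", 3, 48),
]


def parse_events(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse DTS-format log lines into dictionaries; blank lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = ET.fromstring(line)
        events.append({
            "time": ev.findtext("Timestamp"),
            "user": ev.findtext("User-Name", "n/a"),
            "nas": ev.findtext("NAS-IP-Address", "n/a"),
            "auth_type": ev.findtext("Authentication-Type", "n/a"),
            "policy": ev.findtext("NP-Policy-Name", "n/a"),   # absent when no policy matched
            "packet_type": int(ev.findtext("Packet-Type", "0")),
            "reason": int(ev.findtext("Reason-Code", "0")),
        })
    return events


def outcomes(events):
    """Keep only Access-Accept / Access-Reject records (the authentication outcomes)."""
    return [e for e in events if e["packet_type"] in (ACCESS_ACCEPT, ACCESS_REJECT)]


def summarize(events) -> Dict[str, object]:
    """Count accepts and rejects, and break rejects down by user, reason and policy."""
    results = outcomes(events)
    rejects = [e for e in results if e["packet_type"] == ACCESS_REJECT]
    return {
        "accepts": len(results) - len(rejects),
        "rejects": len(rejects),
        "rejects_by_user": Counter(e["user"] for e in rejects),
        "rejects_by_reason": Counter(REASON_TEXT.get(e["reason"], f"code {e['reason']}")
                                     for e in rejects),
        "rejects_by_policy": Counter(e["policy"] for e in rejects),
    }


def all_recent_failed(events, n: int = 3) -> bool:
    """True when the last n outcomes were all rejects: check this first when
    every user starts reporting failed connections at the same time."""
    recent = outcomes(events)[-n:]
    return len(recent) == n and all(e["packet_type"] == ACCESS_REJECT for e in recent)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG_LINES)
    for key, value in summarize(evs).items():
        print(f"{key}: {value}")
    print("all recent attempts failed:", all_recent_failed(evs))
```

Grouping rejects by reason code separates credential problems (which point at the user) from policy problems (which point at the NPS configuration), and a run of rejects across unrelated users is the signature to look for before examining individual accounts.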

Configuring Remote Access Logging

You can configure remote access logging to:
Log errors only
Log errors and warnings
Log all events
Not log any events
Log additional routing and remote access information

Speaker notes: Open the Routing and Remote Access console, right-click the server name, and then click Properties. Click the Logging tab to view the available options for, and the location of, the tracing log. Initially, it is better to enable too many logging options than too few, until you determine the logging level that is most useful for troubleshooting your infrastructure. You can change the logging level at any time.

References: Help Topic: Routing and Remote Access Help: Server Properties – Logging Tab

Configuring Remote Access Tracing

You can configure remote access tracing by using:
The Netsh command: Netsh ras diagnostics set rastracing * enabled (enables tracing on all components in RAS)
The Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing

Tracing consumes resources, so you should use it for troubleshooting only, and then disable it.

Speaker notes: Explain to the students that tracing provides significant information to help resolve complex network problems for the Routing and Remote Access service. Use the reference to view all possible subkeys in the Registry and the Netsh options.

References: Help Topic: VPN Troubleshooting Tools

Common Troubleshooting Solutions

Common problems regarding remote access include:
Error 800: VPN unreachable
Error 721: Remote computer not responding
Error 741/742: Encryption mismatch
Unable to establish VPN connection
L2TP/IPsec issues
EAP-TLS issues

Speaker notes: Use the reference to explain some typical solutions to the issues that the slide presents. Ensure that the students understand that there are many more issues than those presented, and that it is unlikely that they are the first to receive a particular error. Searching Web resources will usually help you locate a solution to most problems. Inform the students that they can search the Knowledge Base, TechNet, and the Help file for the particular platform they are using to find solutions for the most common issues regarding Routing and Remote Access.

References: Help Topic: Troubleshoot Remote Access

Lab: Configuring and Managing Network Access

Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution
Exercise 2: Configuring a Custom Network Policy
Exercise 3: Configuring Logging
Exercise 4: Configuring a Connection Profile

Logon information
Virtual machines: 6421A-NYC-DC1, 6421A-NYC-SVR1, and 6421A-NYC-CL1
User name: Administrator
Password: Pa$$w0rd
Estimated time: 60 minutes

Speaker notes:
Lab objectives:
Configure Routing and Remote Access as a VPN remote access solution
Configure a custom network policy
Configure logging
Configure a connection profile

Scenario: The Windows Infrastructure Services Technology Specialist has been tasked with installing and configuring a VPN solution in the existing environment.

Note: In this lab, the students will create a VPN connection from NYC-CL1 to NYC-SVR1 using the internal IP address of NYC-SVR1 (10.10.0.24). Normally, the VPN connection would be made to the VPN server's external IP address. This lab uses the VPN connection to examine the log files that VPN connections create, so the address used for the connection does not affect the validity of the lab. In this lab, the students will create a VPN server and network policy that use L2TP and PPTP. Windows Server 2008 provides a new technology with similar functionality, SSTP. SSTP can also be used to create VPNs; however, SSTP can only be used with Windows Vista SP1 and Windows Server 2008 client computers.

Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution. Students will install and configure Routing and Remote Access as a VPN solution. Configuration tasks include configuring IP address allocation and the number of ports.
Exercise 2: Configuring a Custom Network Policy. Given a scenario, the students will configure a custom network policy to secure the VPN connection.
Exercise 3: Configuring Logging. Students will enable logging for the VPN solution, and perform testing to verify the connection.
Exercise 4: Configuring a Connection Profile. Students will create a custom connection profile using CMAK, and perform testing to verify that the profile works as expected.

Inputs: Provided scenarios; virtual machines (the Routing and Remote Access computer will need to have two network adapters)
Outputs: Routing and Remote Access service role installed and configured; network policy configured; logging configured; CMAK profile created

Lab Review

1. What feature in Windows Server 2008 can help to keep support calls for connection object creation to a minimum?
2. When using DHCP to allocate addresses to remote clients, how many IP addresses does the server running the Routing and Remote Access service acquire from the corporate DHCP server at a time?
3. You must create a remote access solution for a company that requires multiple VPN servers in different offices throughout the country. What service in Windows Server 2008 can help to simplify administration when configuring multiple servers running the Routing and Remote Access service?

Module Review and Takeaways

Review Questions
Best Practices
Tools

Review Questions

Question: You are adding Remote Access services to an existing infrastructure that uses routers that are not RFC 1542-compliant. The DHCP server is not on the same subnet as the Remote Access server. What is one issue that might arise due to this configuration? How would you mitigate the issue?
Answer: DHCP broadcasts will not pass the router if it is not RFC 1542-compliant, and the clients will not receive IP configuration from the corporate DHCP server. There are two possible solutions for mitigating this issue:
Install and configure DHCP Relay on the server running Routing and Remote Access Service to assist the remote clients in getting proper IP configurations.
Use a static scope on the server running Routing and Remote Access Service to create a pool of addresses that will be assigned to clients when they connect.

Question: You want to implement a VPN solution for users in your company, but the group responsible for security does not want to open the firewall to PPTP and L2TP traffic. Is it possible to create such a solution in Windows Server 2008? If so, what would you use?
Answer: SSTP is a new VPN protocol that you can use to create secure tunnels in such circumstances. Another issue might be that only Windows Vista can make use of such technologies at this time.

Question: Based on the scenario in the previous question, what encryption should you use to secure the traffic?
Answer: HTTPS is the security offered over the VPN connection using SSTP.

Question: Is it possible to ignore the dial-in properties assigned to accounts in Active Directory with network policies? In what property category would this be set?
Answer: Yes, on the Overview properties, you can specify to ignore the dial-in settings assigned to the account in Active Directory.

Question: You have enabled full RADIUS logging on the Remote Access servers in your organization and verified that the logs are gathering the requested information. After a few weeks of logging, users begin to call the Help Desk because all of their connection attempts are failing. What is the most likely problem?
Answer: If RADIUS accounting fails due to a full hard-disk drive or other reasons, NPS stops processing connection requests, which prevents users from accessing network resources.