Presentation is loading. Please wait.

Presentation is loading. Please wait.

4.1 Configuring Network Access Components of a Network Access Services Infrastructure What is the Network Policy and Access Services Role? What is Routing.

Published byGeraldine Young Modified over 9 years ago

Similar presentations

Presentation on theme: "4.1 Configuring Network Access Components of a Network Access Services Infrastructure What is the Network Policy and Access Services Role? What is Routing."— Presentation transcript:

1

2 4.1 Configuring Network Access Components of a Network Access Services Infrastructure What is the Network Policy and Access Services Role? What is Routing and Remote Access? Considerations for Configuring and Enabling Routing and Remote Access Network Authentication and Authorization Types of Authentication Methods Integrating DHCP servers with the Routing and Remote Access service

3 Components of a Network Access Services Infrastructure Intranet Remediation Servers Internet NAP Health Policy Server DHCP Server Health Registration Authority IEEE 802.1X Devices Active Directory VPN Server Restricted Network NAP Client with limited access Perimeter Network

4 What is the Network Policy and Access Services Role? ComponentDescription Network Policy serverThe Microsoft implementation of RADIUS server and proxy Routing and Remote AccessProvides VPN and dial-up solutions for users, deploys full-featured software routers and shares Internet connections across the intranet Health Registration AuthorityIssues health certificates to clients when using IPSec NAP enforcement Host Credential Authorization protocolIntegrates with Cisco network access control server

5 What is Routing and Remote Access? Used to provide remote users access to resources on a private network over Dial-up or VPN services Can be used to provide NAT services Can provide LAN and WAN routing services to connect network segments

6 Network Authentication and Authorization Authentication: - Verifies the credentials of a connection attempt - Uses an authentication protocol to send the credentials from remote access client to the remote access server in either plain text or encrypted form Authorization: - Verifies that the connection attempt is allowed - Occurs after successful authentication

7 Types of Authentication Methods ProtocolDescriptionSecurity Level PAP Uses plaintext passwords. Typically used if the remote access client and remote access server cannot negotiate a more secure form of validation. The least secure authentication protocol. Does not protect against replay attacks, remote client impersonation, or remote server impersonation. CHAP A challenge-response authentication protocol that uses the industry- standard MD5 hashing scheme to encrypt the response. An improvement over PAP in that the password is not sent over the PPP link. Requires a plaintext version of the password to validate the challenge response. Does not protect against remote server impersonation. MS-CHAPv2 An upgrade of MS-CHAP. Two-way authentication, also known as mutual authentication, is provided. The remote access client receives verification that the remote access server that it is dialing in to has access to the user’s password. Provides stronger security than CHAP. EAP Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types. Offers the strongest security by providing the most flexibility in authentication variations.

8 Integrating DHCP servers with the Routing and Remote Access service You can provide remote clients with IP configurations by using: - A static pool created on the Routing and Remote Access server for use with remote clients - The corporate DHCP server located on the corporate LAN DHCP servers running Windows Server 2008: - Provide a predefined user class called the Default Routing and Remote Access class - Useful for assigning options that are provided to Routing and Remote Access clients only

9 4.2 Configuring VPN Access What is VPN Connection? Components of VPN Connection Tunneling Protocols for a VPN Connection Configuration Requirements Components of Dial-up Connection

10 To emulate a point-to-point link, data is encapsulated with a header. The header provides routing information that enables data to traverse the shared or public network to the destination To emulate a private link, data is encrypted for confidentiality The link in which the private data is encapsulated and encrypted – VPN connection 2 types of VPN connections: - Remote access VPN - Site-to-site VPN What is a VPN Connection?

11 Large Branch Office Medium Branch Office Small Branch Office Home Office with VPN Client Remote User with VPN Client Corporate Headquarters VPN VPN Server

12 Components of a VPN Connection VPN Tunnel VPN Client VPN Server IP Configuration DHCP Server Domain Controller Authentication Virtual Network Client Operating System Routing and Remote Access

13 Tunneling Protocols for a VPN Connection PPTP: GRE header IP header PPP trailer PPP payload (IPv4 packet) Encrypted PPP frame IP header PPP header L2TP header PPP payload (IP diagram, IPX datagram, NetBEUI frame) UDP header L2TP: PPP frame L2TP frame UDP message SSTP: Encapsulates PPP frames in IP datagrams, and uses port 443 (TCP) for tunnel management and PPP data frames Encryption is performed by the SSL channel of the HTTPS protocol

14 Configuration Requirements VPN server configuration requirements include: - 2 network interfaces (public & private) - IP address allocation (static pool or DHCP) - Authentication provider (NPS/RADIUS or the VPN server) - DHCP relay agent considerations - Membership in the Local Administrators group or equivalent

15 Components of Dial-up Connection Dial-Up Client Address and Name Server Allocation DHCP Server Domain Controller Authentication Remote Access Server Remote Access Server WAN Options: Telephone, ISDN, X.25, or ATM WAN Options: Telephone, ISDN, X.25, or ATM LAN and Remote Access Protocols LAN and Remote Access Protocols

16 4.3 Overview of Network Policies What is Network Policy? Process for Creating and Configuring a Network Policy How are Network Policies processed?

17 What is a Network Policy? Network policy consists of: - Conditions - Constraints - Settings Each policy has 4 categories of properties: - Overview - Conditions - Constraints - Settings

18 Process for Creating and Configuring a Network Policy Determine authorization by user or group Determine appropriate settings for the user account’s network access permissions Configure the New Network Policy Wizard: - Configure Network Policy conditions - Configure Network Policy constraints - Configure Network Policy settings

19 You can configure a new network policy in either the NPS MMC snap-in or the Routing and Remote Access Service MMC snap-in Add a network policy using the Windows interface: 1. Open NPS console, double-click Policies 2. In the console tree, right-click Network Policies, then click New 3. Use the New Network Policy Wizard to create a policy 4. Configure the Network Policy properties Process for Creating and Configuring a Network Policy (cont..)

20 How are Network Policies processed? Are there policies to process? START Does connection attempt match policy conditions? Yes Reject connection attempt Is the remote access permission for the user account set to Deny Access? Is the remote access permission for the user account set to Allow Access? Yes No Go to next policy No Yes Is the remote access permission on the policy set to Deny remote access permission? Does the connection attempt match the user object and profile settings? No Yes Accept connection attempt Reject connection attempt No Yes No

21 4.4 Overview of the Connection Manager Administration Kit What is the Connection Manager Administration Kit? Process for Configuring a Connection Profile Distributing the Connection Profile to Users

22 What is the Connection Manager Administration Kit (CMAK)? Allows you to customize users’ remote connection experience by creating predefined connections on remote servers and networks Creates an executable file that can be run on a client computer to establish a network connection that you have designed Reduces Help Desk requests related to the configuration of RAS connections Assists in problem resolution because the configuration is known Reduces the likelihood of user errors when they configure their own connection objects

23 Process for Configuring a Connection Profile The CMAK Connection Profile Wizard assists in the process of creating custom connection profiles for users Use the CMAK Connection Profile Wizard to configure: - The target operating system - Support for VPN - Support for Dial-up - Proxy - Custom Help file - Custom support information

24 Distributing the Connection Profile to Users Some methods to consider: - As part of an image for new computers - On removable media for the user to install manually - With software distribution tools, such as Systems Management Server or System Center Configuration Manager 2007

25 4.5 Troubleshooting Routing and Remote Access TCP/IP Troubleshooting Tools Authentication and Accounting Logging Configuring Remote Access Logging Configuring Remote Access Tracing Common Troubleshooting Solutions

26 TCP/IP Troubleshooting Tools CommandDescription IpconfigDisplay current TCP/IP network configuration values, updates, or releases; DHCP allocated leases; and used to display, register, or flush DNS names PingSend ICMP Echo Request messages to verify that TCP/IP is configured correctly and that a TCP/IP host is available PathpingDisplays a path of a TCP/IP host and packet losses at each router along the way TracertDisplays the path of a TCP/IP host

27 Basic TCP/IP diagnostic tools: - Network Diagnostics in Help and Support - Network Connections folder - Ipconfig command - Ping command Advanced TCP/IP diagnostic tools: - Hostname command - Nbstat command - Pathping command - Route command - Tracert command TCP/IP Troubleshooting Tools (cont..)

28 Authentication and Accounting Logging 3 types of logging for NPS: - Event logging for auditing and troubleshooting connection attempts - Logging authentication and accounting requests to a local file - Logging authentication and accounting requests to a SQL server database

29 Configuring Remote Access Logging Configure remote access logging to: - Log errors only - Log errors and warnings - Log all events - Not log any events - Log additional routing and remote access information

30 Configuring Remote Access Tracing Configure remote access tracing by using: - The Netsh command: Netsh ras diagnostics set rastracing * enabled (enable tracing on all components in RAS) - The Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing Tracing consumes resources, should use it for troubleshooting only, then disable it

31 Common Troubleshooting Solutions Error 800: VPN unreacheable Error 721: Remote computer not responding Error 741/742: Encryption mismatch Unable to establish VPN connection l2TP/IPSec issues EAP-TLS issues Connection attempt is accepted when it should be rejected VPN clients are unable to access resources beyond the VPN server Unable to establish tunnel

32 End of Chapter 4

Download ppt "4.1 Configuring Network Access Components of a Network Access Services Infrastructure What is the Network Policy and Access Services Role? What is Routing."

Similar presentations

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
1 Routing and Remote Access Service (Week 15, Friday 4/21/2006) © Abdou Illia, Spring 2006.

1 Routing and Remote Access Service (Week 15, Friday 4/21/2006) © Abdou Illia, Spring 2006.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Planning Network Access.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 11: Planning Network Access.
Module 10: Configuring Virtual Private Network Access for Remote Clients and Networks.

Module 10: Configuring Virtual Private Network Access for Remote Clients and Networks.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+

CN1260 Client Operating System Kemtis Kunanuraksapong MSIS with Distinction MCT, MCITP, MCTS, MCDST, MCP, A+
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Twelve Implementing Terminal.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Twelve Implementing Terminal.
Chapter 8: Configuring Network Connectivity. Installing Network Adapters Network adapter cards connect a computer to a network. Installation –Plug and.

Chapter 8: Configuring Network Connectivity. Installing Network Adapters Network adapter cards connect a computer to a network. Installation –Plug and.
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 10 Configuring Remote Access.

MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 10 Configuring Remote Access.
Remote Networking Architectures

Remote Networking Architectures
Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Virtual Private Network (VPN) © N. Ganesan, Ph.D..
Overview of Routing and Remote Access Service (RRAS) When RRAS was implemented in Microsoft Windows NT 4.0, it added support for a number of features.

Overview of Routing and Remote Access Service (RRAS) When RRAS was implemented in Microsoft Windows NT 4.0, it added support for a number of features.
1 Chapter Overview Using Remote Access Using Virtual Private Networks Using NAT and ICS Using Terminal Services.

1 Chapter Overview Using Remote Access Using Virtual Private Networks Using NAT and ICS Using Terminal Services.
Module 11: Supporting Remote Users. Overview Establishing Remote Access Connections Connecting to Virtual Private Networks Configuring Authentication.

Module 11: Supporting Remote Users. Overview Establishing Remote Access Connections Connecting to Virtual Private Networks Configuring Authentication.

Similar presentations

Ads by Google