NETWORK ACCESS SOLUTIONS
Troubleshooting Remote Access
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | [email protected] | www.sevecek.com
Network Access Technologies

| Technology | Characteristics |
|---|---|
| VPN | SMB/SQL/LDAP/DCOM sensitive to RTT |
| Remote Desktop | no clipboard, no file proliferation, limited malware surface |
| 802.1x | WiFi or Ethernet; no encryption, authorization only |
| DirectAccess | GPO-managed IPSec tunnel over IPv6 |
| Web Application Proxy | HTTPS reverse proxy for web applications |
Scenario diagrams (labels recovered from the slides):
- VPN Scenario: VPN Client -> VPN Gateway -> internal network (DC, FS, SQL, RADIUS, SharePoint, RDP)
- DA Scenario: DA Client -> DA Server -> internal network (DC, FS, SQL, RADIUS, SharePoint, RDP, Wks)
- RDP Scenario: RDP Client -> RDP Gateway -> internal network (DC, FS, SQL, RADIUS, SharePoint, RDP, Wks)
- 802.1x WiFi Scenario: WiFi Client -> WiFi AP -> internal network (DC, FS, SQL, RADIUS, SharePoint, RDP)
- 802.1x Ethernet Scenario: Wks, Printer -> Switch -> internal network (DC, FS, SQL, RADIUS, SharePoint, Wks, RDP)
- WAP Scenario: Web Browser or GUI client -> Web Application Proxy -> DC, Web, Exchange, Lync, AD FS, SharePoint
VPN Compared

| Protocol | Transport | Client | RRAS Server | Server Requirements |
|---|---|---|---|---|
| PPTP | TCP 1723, IP GRE | MS-DOS and newer | NT 4.0 and newer | - |
| L2TP | UDP 500, 4500, IP ESP | NT 4.0, 98 and newer | 2000 and newer | IPSec certificate, public name, public IP; IPSec machine certificate |
| SSTP | TCP 443, TLS | Vista/2008 and newer | 2008 and newer | TLS certificate, public name |
| IKEv2 | UDP 500, 4500, IP ESP | 7/2008 R2 and newer | 2008 R2 and newer | IPSec certificate, public name, public IP; IPSec machine certificate |
| RD Gateway | TCP 443, TLS | RDP Client 6.0 and newer | 2008 and newer | TLS certificate, public name |
| DirectAccess | IPSec inside IPv6 inside TCP 443 TLS or Teredo/6-to-4 | 7/2008 R2 Enterprise, IPv6 enabled, GPO | 2012 and newer | IPSec certificate, TLS certificate, public name; IPSec machine certificate |
| Web Application Proxy | HTTPS | web browser, GUI web client (Office) | 2012 R2 and newer, WAP and AD FS server | TLS certificate, public name, TLS certificate for AD FS |
Network Access Protection (NAP)
- Client health validation before connecting
  - Firewall on?
  - Windows up-to-date?
  - Antimalware up-to-date?
  - SCCM compliance items in order?
- Client validates itself
  - no security, only an added layer of obstruction
Microsoft RADIUS Server
- Standard authentication server
  - IAS - Internet Authentication Service (2003-)
  - NPS - Network Policy Service (2008+)
- Authentication options
  - login/password
  - certificate
- Active Directory authentication only
- Clear-text transport with signatures
  - message authenticator (MD5)
RADIUS General / RADIUS Terminology (diagram): Access Client (VPN, WiFi, Ethernet, RDP GW) -> Access Server, in RADIUS terms the RADIUS Client (RRAS VPN, WiFi AP, Ethernet Switch, RDP GW) -> RADIUS -> Active Directory (AD passthrough authentication); also shown: DHCP -> DHCP Server
Authentication Methods

| Method | Notes |
|---|---|
| PAP, SPAP | clear text, hashed respectively |
| CHAP | MD5 challenge response, requires "Store passwords using reversible encryption" |
| MS-CHAP | NTLM equivalent, DES(MD4) |
| MS-CHAPv2 | NTLMv2 equivalent plus improvements (time constraints), HMAC-MD5 (MD4) |
| EAP+MS-CHAPv2 | MS-CHAPv2 equivalent, different packeting |
| EAP+PEAP+MS-CHAPv2 | MS-CHAPv2 wrapped in TLS |
| EAP+PEAP+TLS | client authentication certificate, in user profile or in smart card |
| No authentication | sometimes the authentication occurs on the Access Server itself (RD Gateway) |
REMOTE ACCESS AUTHENTICATION
Troubleshooting Remote Access

PPTP issues
- MPPE encryption
  - proprietary, RC4
- Encrypted by authentication products
  - "by" password or "by" certificate
- PAP/SPAP/EAP travels in clear
EAP-TLS vs. PEAP
- EAP-TLS is designed for protected transport
  - does not protect itself
- Protected EAP
  - EAP wrapped in standard TLS
EAP/PEAP Generic (diagram): Access Client holds the EAP/PEAP client certificate and the VPN tunnel client certificate; Access Server holds the VPN tunnel server certificate; RADIUS holds the EAP/PEAP server certificate and authenticates against Active Directory
Certificate placement per method with SSTP (diagrams; Access Client -> Access Server -> RADIUS -> Active Directory in each case):
- MS-CHAPv2 with SSTP: Access Server holds the VPN tunnel server certificate; no other certificates
- EAP + MS-CHAPv2 with SSTP: Access Server holds the VPN tunnel server certificate; no other certificates
- EAP + TLS with SSTP: Access Client holds the EAP-TLS client certificate; RADIUS holds the EAP-TLS server certificate; Access Server holds the VPN tunnel server certificate
- EAP + PEAP + MS-CHAPv2 with SSTP: RADIUS holds the PEAP TLS server certificate; Access Server holds the VPN tunnel server certificate
- EAP + PEAP + TLS with SSTP: Access Client holds the EAP-TLS client certificate; RADIUS holds the PEAP TLS server certificate and the EAP-TLS server certificate; Access Server holds the VPN tunnel server certificate
RADIUS Clients configuration
- IP address of the device
  - can translate from DNS, but must match the IP address of the device (no reverse DNS)
- Shared secrets
  - MD5(random message authenticator + shared secret)
  - NETSH NPS DUMP ExportPSK=YES
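The deck's point that RADIUS is a clear-text transport whose only protection is MD5 keyed by the shared secret, as an added Python example that is not from the slides: it builds an Access-Request carrying the Message-Authenticator signature (RFC 3579), verifies it the way a server would, and shows the RFC 2865 User-Password hiding that the PAP row above relies on. The secret, Request Authenticator, user name and password are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the slides): the shared secret configured on
# both the RADIUS client and NPS, and the 16-byte random Request Authenticator.
SECRET = b"example-shared-secret"
REQ_AUTH = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579)

def build_packet(code, pkt_id, authenticator, attrs):
    """Serialize a RADIUS packet: Code, Identifier, Length, Authenticator, then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, pkt_id, 20 + len(body)) + authenticator + body

def sign_request(code, pkt_id, req_auth, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with attribute 80 zeroed)."""
    pkt = build_packet(code, pkt_id, req_auth, list(attrs) + [(MSG_AUTH, bytes(16))])
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_request(pkt, secret):
    """Recompute the HMAC with attribute 80 zeroed; unsigned or altered packets fail."""
    length = struct.unpack("!H", pkt[2:4])[0]
    off = 20
    while off + 2 <= length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2:
            return False
        if t == MSG_AUTH and l == 18:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += l
    return False

def hide_pap_password(password, req_auth, secret):
    """RFC 2865 User-Password hiding: each 16-byte block XOR MD5(secret + previous block)."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def demo():
    """Sign a PAP Access-Request, then show that tampering or a wrong secret is detected."""
    attrs = [(1, b"kamil"), (2, hide_pap_password(b"constructed-pw", REQ_AUTH, SECRET))]
    pkt = sign_request(1, 7, REQ_AUTH, attrs, SECRET)
    tampered = pkt[:22] + b"X" + pkt[23:]  # alter the first byte of User-Name
    return verify_request(pkt, SECRET), verify_request(tampered, SECRET), verify_request(pkt, b"wrong")
```

Everything here hangs on the shared secret: a weak or reused secret lets anyone who captured the clear-text packet recompute the MD5 values, which is why the secret export (ExportPSK=YES) deserves the same handling as a password.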
Implementing NPS Policy

NPS Auditing: Audit Network Policy Server
802.1x Auditing on Clients: Audit Other Logon/Logoff Events

PEAP on NPS
VPN Client Notes
- Validates CRL
- SSTP does not use CRL cache
  - HKLM\System\CCS\Services\SSTPSvc\Parameters
  - NoCertRevocationCheck = DWORD = 1
- IPSec
  - set global ipsec strongcrlcheck 0
  - HKLM\System\CCS\Services\PolicyAgent
    - StrongCrlCheck = 0 = disabled
    - StrongCrlCheck = 1 = fail only if revoked
    - StrongCrlCheck = 2 = fail even if CRL not available
  - HKLM\System\CCS\Services\IPSec
    - AssumeUDPEncapsulationContextOnSendRule = 2

PEAP Client Settings
VPN Client Configuration
- Group Policy Preferences
  - limited options
- Connection Manager Administration Kit (CMAK)
  - create VPN installation packages
- SSTP VPN troubleshooting
  - https://vpn.gopas.cz/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
802.1x Notes
- Required services
  - WLAN Autoconfig (WlanSvc)
  - Wired Autoconfig (dot3svc)
- Group Policy Settings
  - Windows XP SP3 and newer
  - full configuration options

802.1x Authentication
- User authentication
  - login/password
  - client certificate in user profile or in smart card
- Computer authentication
  - MACHINE$ login/password
  - client certificate in the local computer store
- Computer authentication with user re-authentication
  - since Windows 7 works like a charm
Certificate placement per method with 802.1x (diagrams; Access Client -> AP or switch over a single Ethernet cable or WiFi -> RADIUS -> Active Directory in each case):
- MS-CHAPv2 with 802.1x: no certificates
- EAP/PEAP/TLS with 802.1x: Access Client holds the EAP/PEAP client certificate (user or machine EAP-TLS); RADIUS holds the EAP/PEAP server certificate (EAP-TLS server certificate)
RD Proxy Troubleshooting
RPCPING parameters:
- -t ncacn_http
- -e 3388 -s localhost (local TSGateway COM service)
- -v 3 (verbose output 1/2/3)
- -a connect (connect/call/pkt/integrity/privacy)
- -u ntlm (nego/ntlm/schannel/kerberos/kernel)
- -I "kamil,gps,*"
- -o RpcProxy=gps-wfe.gopas.virtual:443
- -F ssl
- -B msstd:gps-wfe.gopas.virtual
- -H ntlm (RPC over HTTP proxy authentication ntlm/basic)
- -P "proxykamil,gps,*"
- -U NTLM (HTTP proxy authentication ntlm/basic)

Example:
rpcping -t ncacn_http -e 3388 -s localhost -v 3 -a connect -u ntlm -I "kamil,gps,Pa$$w0rd" -o RpcProxy=rdp.gopas.cz:443 -F ssl -B msstd:rdp.gopas.cz -H ntlm -P "kamil,gps,Pa$$w0rd"

RPC Proxy Troubleshooting
- https://rpcserver/Rpc/RpcProxy.dll
- https://rpcserver/RpcWithCert/RpcProxy.dll