MOAC 70-687 L18 RDC

Transcript of MOAC 70-687 L18 RDC

  • 8/10/2019 MOAC 70-687 L18 RDC

    1/56

Using BranchCache

Lesson 18: Configuring Remote Connections

    2013 John Wiley & Sons, Inc. 2

BranchCache

BranchCache is a feature in Windows 8 and Windows Server 2012 that enables networks with computers at remote locations to conserve bandwidth by storing frequently accessed files on local drives.

Understanding Network Infrastructure Requirements

To use BranchCache, you must have:

o A server running Windows Server 2008 R2 or Windows Server 2012 at the main office
o Computers running Windows Server 2008 R2, Windows Server 2012, Windows 7, or Windows 8 at the branch office

Understanding BranchCache Communications

This is the BranchCache communications process:

1. Client request (BranchCache): the client requests a file from the content server and indicates that it supports BranchCache.
2. Server reply (metadata): the server returns content information (the hashes of the file's segments and blocks) instead of the file data.
3. Client cache check: the client uses the hashes to look for the data in its own cache, on peer computers in the branch (distributed cache mode), or on the hosted cache server (hosted cache mode).
4. Caching computer reply: if a caching computer holds the data, it returns it, and the transfer never crosses the WAN link.
5. Client request (non-BranchCache): if the data is not cached anywhere in the branch, the client requests it from the content server as an ordinary file transfer.
6. Server reply (data): the server sends the file data over the WAN link.
7. Client data cache: the client stores the data in its cache (and, in hosted cache mode, offers it to the hosted cache server) so that the next request for the same content can be served locally.

Because every block a client receives from a caching computer is checked against the hash it obtained from the content server, a peer or hosted cache server cannot substitute modified data; the server remains the authority for what the content is.

Understanding Content Information Versions

Any BranchCache implementation that includes one or more computers running Windows Server 2008 R2 or Windows 7 in any role is said to use content information version 1, or V1.

If all the computers involved in the BranchCache transactions are running Windows Server 2012 or Windows 8, the implementation can use content information version 2, or V2.

Understanding Content Information Versions

The Hash Version support for BranchCache policy setting

Configuring BranchCache Settings

To implement BranchCache on your network, install the appropriate modules on your server(s) and configure Group Policy settings on both servers and clients.

BranchCache requires a minimum of one content server and one or more branch office workstations.

You can install additional content servers at any location that serves files to branch offices.

Configuring a Content Server

Once you have installed the required BranchCache modules, configure a Group Policy setting called Hash Publication for BranchCache.

This setting is located in the Computer Configuration\Policies\Administrative Templates\Network\Lanman Server node of a Group Policy object (GPO) or in Local Computer Policy.

The Hash Publication for BranchCache setting enables the server to respond to file requests from BranchCache clients with metadata instead of the files themselves.

Configuring a Content Server

The Hash Publication for BranchCache setting in Group Policy

Configuring a Content Server

A share's Properties sheet in Windows Server 2012 Server Manager

Configuring BranchCache Clients

To configure BranchCache clients, configure the appropriate Group Policy settings.

These are found in the Computer Configuration\Policies\Administrative Templates\Network\BranchCache node of a GPO or in Local Computer Policy.

    Configuring BranchCache Clients

    The BranchCache settings in Group Policy

BranchCache Group Policy Settings

These are the BranchCache Group Policy settings:

o Turn on BranchCache
o Set BranchCache Distributed Cache mode
o Set BranchCache Hosted Cache mode
o Enable Automatic Hosted Cache Discovery by Service Connection Point
o Configure Hosted Cache Servers
o Configure BranchCache for network files
o Set percentage of disk space used for client computer cache
o Set age for segments in the data cache
o Configure Client BranchCache Version Support

Configuring a Hosted Cache Mode Server

To use hosted cache mode on your branch office network, you must have a server running Windows Server 2012 or Windows Server 2008 R2 with the BranchCache feature installed.

You must also configure the Turn on BranchCache and Set BranchCache Hosted Cache mode Group Policy settings.

The hosted cache mode server must also have a digital certificate issued by a certification authority (CA) that the BranchCache clients trust. Clients authenticate the hosted cache server with this certificate over HTTPS, so the issuing CA must already be in the clients' trusted root store before the computers leave the main office.
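The content server, hosted cache server and client settings described in the preceding slides, scripted with the ServerManager, SmbShare and BranchCache PowerShell modules of Windows Server 2012 and Windows 8. This is an added example, not code from the MOAC lesson: the share path and name, host names, the certificate thumbprint, the registry value behind the Hash Publication policy and the appid used for the HTTPS binding are assumptions to be verified against your own environment and documentation.

```powershell
# Added example, not code from the MOAC lesson: BranchCache lab setup with the
# ServerManager, SmbShare and BranchCache modules (Windows Server 2012 / Windows 8).
# Share path, share name, host names, certificate thumbprint, the registry value
# behind the Hash Publication policy and the appid are assumptions.
#Requires -RunAsAdministrator

# --- Content server at the main office (Windows Server 2012) ---------------------
function Enable-ContentServer {
    param(
        [string]$SharePath = 'D:\Shares\Docs',   # assumed
        [string]$ShareName = 'Docs'               # assumed
    )
    # Role service that generates the hashes (content information) for SMB shares
    Install-WindowsFeature -Name FS-BranchCache | Out-Null

    # Local equivalent of the GPO "Hash Publication for BranchCache"
    # (Computer Configuration\...\Network\Lanman Server). Assumed value meaning:
    # 2 = publish hashes only for shares on which BranchCache is enabled.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
    New-Item -Path $policy -Force | Out-Null
    Set-ItemProperty -Path $policy -Name HashPublicationForPeerCaching -Value 2 -Type DWord

    # The per-share setting that the share's Properties sheet in Server Manager exposes
    if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
        Set-SmbShare -Name $ShareName -CachingMode BranchCache -Force
    } else {
        New-SmbShare -Name $ShareName -Path $SharePath -CachingMode BranchCache | Out-Null
    }
    # Pre-compute the hashes instead of paying for them on the first client request
    Publish-BCFileContent -Path $SharePath -Recurse
}

# --- Hosted cache server at the branch office ------------------------------------
function Enable-HostedCacheServer {
    param([string]$CertThumbprint)   # certificate from a CA the clients trust (assumed)
    Install-WindowsFeature -Name BranchCache | Out-Null
    # -RegisterSCP publishes a Service Connection Point in AD DS so that clients with
    # "Enable Automatic Hosted Cache Discovery by Service Connection Point" find it
    Enable-BCHostedServer -RegisterSCP
    if ($CertThumbprint) {
        # Windows 7 (V1) clients talk to the hosted cache over HTTPS, so bind the
        # certificate to TCP 443. The appid is the one Microsoft documents for the
        # hosted cache service; confirm it against the documentation for your build.
        netsh http add sslcert ipport=0.0.0.0:443 certhash=$CertThumbprint `
            appid='{d673f5ee-a714-454d-8de2-492e4c1bd8f8}'
    }
}

# --- Branch office clients (Windows 8) --------------------------------------------
function Enable-BranchClient {
    param(
        [ValidateSet('Distributed', 'Hosted')] [string]$Mode = 'Distributed',
        [string[]]$HostedCacheServers = @('hc1.branch.example.com')   # assumed name
    )
    # Each Enable-BC* cmdlet also turns BranchCache on; a client is in exactly one mode
    switch ($Mode) {
        'Distributed' { Enable-BCDistributed }
        'Hosted'      { Enable-BCHostedClient -ServerNames $HostedCacheServers }
    }
    # "Set percentage of disk space used for client computer cache"
    Set-BCCache -Percentage 5
    # "Configure BranchCache for network files": only files whose round-trip latency
    # exceeds this threshold are served from the cache (80 ms is the default)
    Set-BCMinSMBLatency -LatencyMilliseconds 80
}

# --- Verification on any of the machines -----------------------------------------
function Get-BranchCacheSummary {
    $status = Get-BCStatus
    [pscustomobject]@{
        Enabled     = $status.BranchCacheIsEnabled
        Service     = $status.BranchCacheServiceStatus
        ClientMode  = $status.ClientConfiguration.CurrentClientMode
        HostedCache = ($status.ClientConfiguration.HostedCacheServerList -join ',')
        CacheBytes  = $status.DataCache.CurrentActiveCacheSize
    }
}

Get-BranchCacheSummary | Format-List
```

In a domain the Enable-BC* cmdlets are normally replaced by the GPO settings listed above (policy settings override the local ones), but the verification function is the same either way: run it on a client after the first large file transfer and confirm that the cache size grows and that the mode is the one you intended, since a client that silently fell back to local caching will look healthy while every request still crosses the WAN.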

Using Remote Network Connections

Lesson 18: Configuring Remote Connections

Understanding Virtual Private Networking

A dial-up connection is a dedicated link between the two modems that remains in place during the entire session.

The client and the server establish a Point-to-Point Protocol (PPP) connection, during which the server authenticates the client and the computers negotiate a set of communication parameters they have in common.

In a virtual private network (VPN) connection, the remote client and the remote access server are both connected to the Internet, using local service providers.

Understanding Virtual Private Networking

A dial-up remote access connection

Understanding Virtual Private Networking

A VPN remote access connection

Tunneling

In the tunneling process, the two computers establish a PPP connection, just as they would in a dial-up connection, but instead of transmitting the PPP packets over the Internet as they are, they encapsulate the packets again using one of the VPN protocols supported by the Windows operating systems.

The original PPP data packet generated by the computer consists of a network layer IP datagram, encapsulated within a data-link layer PPP frame.

The system then encapsulates the entire frame in another IP datagram, which the VPN protocol encrypts and encapsulates one more time, for transmission over the network. The outer datagram carries only the public addresses of the client and the VPN server; the inner datagram, with the private intranet addresses and the actual payload, is visible only after decryption at the tunnel endpoint.

    Tunneling

    VPN protocol encapsulation

VPN Protocols

These are the VPN protocols that Windows 8 supports:

o Point-to-Point Tunneling Protocol (PPTP)
o Layer 2 Tunneling Protocol (L2TP)
o Secure Socket Tunneling Protocol (SSTP)
o Internet Key Exchange, Version 2 (IKEv2)

Point-to-Point Tunneling Protocol (PPTP)

The oldest and least secure of the VPN protocols, PPTP takes advantage of the authentication, compression, and encryption mechanisms of PPP, tunneling the PPP frame within a Generic Routing Encapsulation (GRE) header and encrypting it with Microsoft Point-to-Point Encryption (MPPE), using encryption keys generated during the authentication process.

For authentication, PPTP supports only the Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), Extensible Authentication Protocol (EAP), or Protected Extensible Authentication Protocol (PEAP).

Because the MPPE keys are derived from the password-based MS-CHAP exchange, the tunnel is only as strong as the user's password, and both MS-CHAP v1 and MS-CHAP v2 are considered broken: a captured handshake can be recovered offline. Microsoft's own guidance is to use PEAP inside PPTP if PPTP cannot be retired, and otherwise to move to L2TP/IPsec, SSTP, or IKEv2.

Layer 2 Tunneling Protocol (L2TP)

L2TP relies on the IP security extensions (IPsec) for encryption and performs a double encapsulation.

The system adds an L2TP header to the PPP frame and packages it with the User Datagram Protocol (UDP).

Then it encapsulates the UDP datagram with the IPsec Encapsulating Security Payload (ESP) protocol, encrypting the contents using the Data Encryption Standard (DES) or Triple DES (3DES) algorithm, with encryption keys generated during IPsec's Internet Key Exchange (IKE) negotiation process. Single DES is no longer considered secure, so the server should be configured to negotiate 3DES or stronger.

L2TP/IPsec can use certificates or preshared keys for authentication, although administrators typically use the latter only for testing. A preshared key is the same secret on every client and on the server, so one compromised laptop exposes it for all of them; certificates give each computer its own credential that can be revoked individually. Note also that the IPsec layer authenticates the computer, while the PPP session inside the tunnel still authenticates the user (for example with MS-CHAP v2 or EAP).

Secure Socket Tunneling Protocol (SSTP)

Introduced in Windows Server 2008 and supported only by clients running Windows Vista SP1 or later, SSTP encapsulates PPP traffic using the Secure Sockets Layer (SSL) protocol supported by virtually all web servers. Because it runs over TCP port 443, like HTTPS, it passes through firewalls and NAT devices that block the GRE, UDP 500, or UDP 4500 traffic the other protocols need.

SSTP uses certificates for authentication, with the EAP-TLS authentication protocol, and in addition to data encryption, provides integrity checking and enhanced key negotiation services. The client validates the server's certificate against the host name it connected to, so the certificate must be issued by a CA that the clients trust and must match the name in the connection.

Internet Key Exchange, Version 2 (IKEv2)

Internet Key Exchange Version 2 (IKEv2):

o Was first introduced in Windows 7 and Windows Server 2008 R2.
o Uses UDP port 500 for the IKE negotiation and UDP port 4500 when NAT traversal (NAT-T) is needed (not TCP, so both UDP ports must be open on the path to the server).
o Provides support for IPv6 and the new VPN Reconnect feature, as well as authentication by EAP, using PEAP, EAP-MSCHAPv2, or smart cards; computer certificates can be used instead of EAP.
o Does not support the older authentication mechanisms, such as PAP and CHAP.

Authenticating Remote Users

In Windows 8, you configure the authentication method a VPN connection uses on the Security tab of the connection's Properties sheet. These are the options:

o Use Extensible Authentication Protocol (EAP)
o Allow these protocols

Authenticating Remote Users

The Security tab of a connection's Properties sheet

Creating a VPN Connection

To connect a computer running Windows 8 to a remote access server, you must create a new VPN or dial-up connection.

In Windows 8, the Network Connections window contains a connection for every network interface adapter installed in the computer.

The Windows installation program creates these connections automatically, but to connect to a dial-up or VPN server, you must create additional connections manually.
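The same connections the wizard and the Security tab produce, created from PowerShell with the VpnClient module of Windows 8, one per tunnel type discussed under VPN Protocols, followed by a check that flags the weak choices. This is an added example, not code from the MOAC lesson; the server names, connection names and the L2TP pre-shared key are assumptions.

```powershell
# Added example, not code from the MOAC lesson: per-user VPN connections created
# with the VpnClient module (Windows 8). Server names, connection names and the
# pre-shared key are assumptions.

# IKEv2 is the one to deploy: EAP or certificate authentication only, IPv6,
# and VPN Reconnect (MOBIKE). -EncryptionLevel Required refuses to fall back to
# an unencrypted PPP session. "Use EAP" on the Security tab == -AuthenticationMethod Eap.
Add-VpnConnection -Name 'Corp-IKEv2' -ServerAddress 'vpn.example.com' `
    -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required `
    -RememberCredential -Force

# SSTP: PPP over TLS on TCP 443, for networks that filter UDP 500/4500 or GRE.
# "Allow these protocols" + MS-CHAP v2 == -AuthenticationMethod MSChapv2.
Add-VpnConnection -Name 'Corp-SSTP' -ServerAddress 'vpn.example.com' `
    -TunnelType Sstp -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# L2TP/IPsec with a pre-shared key: the key is identical on every client, which is
# why the lesson reserves it for testing. For production drop -L2tpPsk and use
# -AuthenticationMethod MachineCertificate so each computer has its own credential.
Add-VpnConnection -Name 'Lab-L2TP' -ServerAddress 'lab-vpn.example.com' `
    -TunnelType L2tp -L2tpPsk 'lab-only-psk' -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -Force

# Audit: list every configured connection and flag PPTP, PAP/CHAP and weak encryption
function Get-VpnConnectionAudit {
    Get-VpnConnection | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Tunnel     = $_.TunnelType
            Auth       = ($_.AuthenticationMethod -join ',')
            Encryption = $_.EncryptionLevel
            Weak       = ($_.TunnelType -eq 'Pptp') -or
                         ($_.AuthenticationMethod -contains 'Pap') -or
                         ($_.AuthenticationMethod -contains 'Chap') -or
                         ($_.EncryptionLevel -in 'NoEncryption', 'Optional')
        }
    }
}

Get-VpnConnectionAudit | Format-Table -AutoSize
```

Add -AllUserConnection to make a connection available to every user of the computer; without it the connection, and any credential saved by -RememberCredential, belongs only to the user who created it.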

    Create a VPN Connection

    The Choose a connection option page

    Create a VPN Connection

    The How do you want to connect? page

    Create a VPN Connection

    The Type the Internet address to connect to page

    Create a VPN Connection

    The Networks pane

    Create a VPN Connection

    The Network Authentication pane

Using VPN Reconnect

Windows 8 includes a feature called VPN Reconnect, based on the IKEv2 Mobility and Multihoming (MOBIKE) protocol, which enables a computer to reconnect to a VPN server automatically, after an interruption as long as eight hours.

To configure VPN Reconnect, you open the Properties sheet for a VPN connection, click the Security tab, and click Advanced settings.

In the Advanced Properties dialog box that appears, click the IKEv2 tab and select the Mobility check box.

    Using VPN Reconnect

    Enabling VPN Reconnect

Network Access Protection (NAP)

NAP is a component of the Network Policy and Access Services role in Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008. It is designed to prevent potentially dangerous clients, local or remote, from connecting to the network: a client must present a statement of health (for example, firewall enabled, antivirus and updates current) that a Network Policy Server evaluates before the client is granted full access. Microsoft deprecated NAP in Windows Server 2012 R2, so new deployments should not depend on it.

Creating a Broadband Connection

While many Internet Service Providers (ISPs) offer broadband services that provide always-on connections to the Internet, some still offer metered connections that require users to log on and log off.

Windows 8 provides wizard options that enable you to create a broadband connection that you can activate and deactivate at will.

Create a Broadband Connection

The "Type the information from your Internet Service Provider (ISP)" page

    Create a Broadband Connection

The "The connection to the Internet is ready to use" page

    Create a Broadband Connection

    The Networks display

Using Remote Desktop

Windows Server 2012 includes a role called Remote Desktop Services, which provides clients with access to server resources in a variety of ways.

The Remote Desktop Session Host role service functions much like the Remote Desktop Services service in Windows 8, except that it can provide multiple (licensed) users with access to the server desktop.

DirectAccess

DirectAccess is a feature in Windows 8 and Windows Server 2012 that enables remote users to automatically connect to the company network whenever they have Internet access.

DirectAccess Benefits

Designed as a replacement for VPNs, DirectAccess eliminates the need for client users to manually establish wide area connections to their networks.

DirectAccess provides many other benefits to users and administrators, including:

o Bidirectional
o Encrypted
o Authenticated
o Authorized
o Verified

Understanding the DirectAccess Infrastructure

The DirectAccess implementation in Windows 8 and Windows Server 2012 includes a number of improvements over the Windows 7/Windows Server 2008 R2 version, including the ability for DirectAccess to coexist on the same server with the Routing and Remote Access Service (RRAS) that provides VPN server services.

Understanding the DirectAccess Infrastructure

DirectAccess is heavily reliant on IPv6. IPv6 is not yet deployed universally, however. Many networks still rely on IPv4, most notably the Internet. Therefore, DirectAccess also relies on a variety of transition technologies that enable IPv4 networks to carry IPv6 traffic:

o 6to4
o Teredo
o IP-HTTPS
o Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
o Network Address Translation/Protocol Translation (NAT-PT)

6to4, Teredo, and IP-HTTPS carry the client's IPv6 traffic across the IPv4 Internet to the DirectAccess server; a client tries them in that order (6to4 needs a public IPv4 address, Teredo works behind NAT) and falls back to IP-HTTPS, which passes almost any firewall because it is HTTPS on TCP 443. ISATAP carries IPv6 across an IPv4 intranet, and NAT-PT (implemented in Windows Server 2012 as NAT64/DNS64) lets DirectAccess clients reach intranet servers that speak only IPv4.

DirectAccess and IPsec

IPsec is a collection of IP extensions that provide additional security for network communications.

DirectAccess relies on IPsec for authentication of users and computers and for encryption of the data exchanged by clients and servers.

    DirectAccess and IPsec

    DirectAccess: The end-to-end access model

    DirectAccess and IPsec

    DirectAccess: The end-to-edge access model

    DirectAccess and IPsec

    DirectAccess: The modified end-to-edge access model

DirectAccess Server Requirements

The DirectAccess server must be running Windows Server 2012 and must also have:

o Membership in an AD DS domain
o At least one network interface adapter installed
o A direct connection to the Internet (that does not use NAT or a similar technology)
o A direct connection to the company intranet
o The Group Policy Management feature installed

Windows Server 2012 relaxes the NAT requirement of earlier versions: the server can be placed behind a NAT device, with one or two adapters, but clients then connect only over IP-HTTPS, because 6to4 and Teredo require a public IPv4 address on the server.

DirectAccess Client Requirements

DirectAccess clients must be running Windows 8 Enterprise, Windows 7 Enterprise or Ultimate, Windows Server 2012, or Windows Server 2008 R2, and they must be joined to the same domain as the DirectAccess server.

You must deploy the client computers on the company network first, so they can join the domain and receive certificates and Group Policy settings, before you send them out into the field.

Establishing a DirectAccess Connection

These are the individual steps of the connection process:

1. The client attempts to connect to a designated network location server on the intranet. If the connection succeeds, the client knows it is inside the network and DirectAccess stays idle; if it fails, the client assumes it is remote and continues.
2. The client connects to the DirectAccess server on the host network using IPv6 (directly, or through 6to4, Teredo, or IP-HTTPS).
3. The client and the DirectAccess server authenticate each other using their computer certificates (the infrastructure tunnel).
4. The client establishes a second connection through the DirectAccess server to the domain controller and performs a standard AD DS user authentication, using NTLMv2 credentials and the Kerberos V5 authentication protocol (the intranet tunnel).
5. The DirectAccess server uses AD DS group memberships to authorize the client computer and user to access the intranet.
6. If required, the client submits a health certificate to a Network Policy Server (NPS) on the host network, to verify its compliance with existing policies.
7. The client begins to access application servers and other resources in the intranet, using the DirectAccess server as a gateway.

Because steps 2 and 3 run with the computer's own certificate and no user interaction, a lost or stolen domain-joined laptop will still bring up the infrastructure tunnel; protect the disk with BitLocker and require a smart card or one-time password for the user authentication in step 4 where the data warrants it.

Configuring DirectAccess

The process of installing and configuring DirectAccess is much simpler in Windows Server 2012, requiring only that you install the Remote Access role and run a simple configuration wizard.

The wizard then configures the server and creates the Group Policy settings needed to configure the DirectAccess clients.
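The prerequisite check from the DirectAccess Server Requirements slide and the wizard run described above, scripted with the ServerManager, NetTCPIP and RemoteAccess modules of Windows Server 2012. This is an added example, not code from the MOAC lesson or the Remote Access wizard: the adapter aliases, the public host name and the client security group are assumptions, and the Install-RemoteAccess and Set-DAClient parameter names are taken from the Windows Server 2012 documentation and should be confirmed with Get-Help on the target build.

```powershell
# Added example, not code from the MOAC lesson: scripted prerequisite check and
# wizard-equivalent install for a Windows Server 2012 DirectAccess server.
# Adapter aliases, public host name and client security group are assumptions.
#Requires -RunAsAdministrator

function Test-DAPrerequisites {
    param(
        [string]$InternetInterface = 'External',   # assumed adapter alias
        [string]$InternalInterface = 'Internal'    # assumed adapter alias
    )
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $extAddr = Get-NetIPAddress -InterfaceAlias $InternetInterface -AddressFamily IPv4 `
                   -ErrorAction SilentlyContinue
    # RFC 1918 or link-local space on the Internet adapter means the server sits
    # behind NAT, so 6to4 and Teredo will not work and clients get IP-HTTPS only
    $privateRe = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.)'
    [pscustomobject]@{
        DomainMember    = [bool]$cs.PartOfDomain
        GPMCInstalled   = [bool](Get-WindowsFeature -Name GPMC).Installed
        InternetAdapter = [bool](Get-NetAdapter -Name $InternetInterface -ErrorAction SilentlyContinue)
        IntranetAdapter = [bool](Get-NetAdapter -Name $InternalInterface -ErrorAction SilentlyContinue)
        PublicIPv4      = [bool]($extAddr | Where-Object { $_.IPAddress -notmatch $privateRe })
    }
}

function Install-DirectAccessServer {
    param(
        [string]$PublicName        = 'da.example.com',       # assumed; must match the server certificate
        [string]$InternetInterface = 'External',
        [string]$InternalInterface = 'Internal',
        [string]$ClientGroup       = 'DirectAccess Clients'  # assumed AD DS security group
    )
    $pre    = Test-DAPrerequisites -InternetInterface $InternetInterface -InternalInterface $InternalInterface
    $failed = $pre.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object Name
    if ($failed) { throw "DirectAccess prerequisites not met: $($failed -join ', ')" }

    # The Remote Access role; -IncludeManagementTools adds the Remote Access Management Console
    Install-WindowsFeature -Name RemoteAccess -IncludeManagementTools | Out-Null

    # Same outcome as the Getting Started wizard: configures the server and creates
    # the client and server GPOs. Use -DeployNat instead when the server is behind NAT.
    Install-RemoteAccess -DAInstallType Full -ConnectToAddress $PublicName `
        -InternetInterface $InternetInterface -InternalInterface $InternalInterface

    # Scope the client GPO to one security group instead of every domain computer
    Set-DAClient -SecurityGroupNameList @($ClientGroup)
    Get-RemoteAccess
}

# On a Windows 8 client that has applied the GPO, the state the Networks pane shows
# can be read from the DirectAccessClientComponents module:
#   Get-DAConnectionStatus      # Status and Substatus of the DirectAccess connection
#   Get-DnsClientNrptPolicy     # NRPT rules that send intranet names through the tunnel
```

Run Test-DAPrerequisites on its own first; the wizard's own prerequisite check reports the same conditions, but a scripted check can be kept with the build documentation and rerun after adapter or firewall changes.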

    Configuring DirectAccess

    The DirectAccess prerequisite check

    Configuring DirectAccess

    The Remote Access Management Console