Module 4Configuring and Troubleshooting
Routing and Remote Access
Module Overview• Configuring Network Access • Configuring VPN Access• Overview of Network Policies• Overview of the Connection Manager Administration Kit• Troubleshooting Routing and Remote Access• Configuring DirectAccess
Lesson 1: Configuring Network Access• Components of a Network Access Services Infrastructure• What Is the Network Policy and Access Services Role?• What Is Routing and Remote Access?• Network Authentication and Authorization• Types of Authentication Methods• Integrating DHCP Servers with Routing and Remote Access
Service
Components of a Network Access Services Infrastructure
Intranet
Remediation Servers
InternetNAP Health Policy Server DHCP Server
Health Registration Authority
IEEE 802.1X
DevicesActive Directory
VPN Server
Restricted Network
NAP Client with limited access
Perimeter Network
What Is the Network Policy and Access Services Role?
Component Description
Network Policy Server The Microsoft implementation of RADIUS Server and proxy
Routing and Remote Access
Provides VPN and dial-up solutions for users, deploys full-featured software routers, and shares Internet connections across the intranet
Health Registration Authority
Issues health certificates to clients when using IPsec NAP enforcement
Host Credential Authorization Protocol
Integrates with Cisco network access control server
What Is Routing and Remote Access?
• Used to provide remote users access to resources on a private network over Dial-up or VPN services
• Can be used to provide NAT services
• Can provide LAN and WAN routing services to connect network segments
Network Authentication and Authorization
Authentication:• Verifies the credentials of a connection attempt
• Uses an authentication protocol to send the credentials from the remote access client to the remote access server in either plain text or encrypted form
Authorization:• Verifies that the connection attempt is allowed
• Occurs after successful authentication
Types of Authentication MethodsProtocol Description Security Level
PAPUses plaintext passwords. Typically used if the remote access client and remote access server cannot negotiate a more secure form of validation.
The least secure authentication protocol. Does not protect against replay attacks, remote client impersonation, or remote server impersonation.
CHAPA challenge-response authentication protocol that uses the industry-standard MD5 hashing scheme to encrypt the response.
An improvement over PAP in that the password is not sent over the PPP link.Requires a plaintext version of the password to validate the challenge response. Does not protect against remote server impersonation.
MS-CHAPv2
An upgrade of MS-CHAP. Two-way authentication, also known as mutual authentication, is provided. The remote access client receives verification that the remote access server that it is dialing in to has access to the user’s password.
Provides stronger security than CHAP.
EAPAllows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types.
Offers the strongest security by providing the most flexibility in authentication variations.
Integrating DHCP Servers with Routing and Remote Access Service
You can provide remote clients with IP configurations by using either:
• A static pool created on the Routing and Remote Access server for use with remote clients
• The corporate DHCP server that is located on the corporate LAN
DHCP servers that run Windows Server 2008 R2:• Provide a predefined user class called the
Default Routing and Remote Access Class
• Are useful for assigning options that are provided to Routing and Remote Access clients only
Lesson 2: Configuring VPN Access• What Is a VPN Connection?• Components of a VPN Connection• Tunneling Protocols for a VPN Connection• Configuration Requirements• Demonstration: How to Configure VPN Access• What Is VPN Reconnect?• Completing Additional Tasks
What Is a VPN Connection?
Large Branch Office
Medium Branch Office
Small Branch Office
Home Office with VPN Client
Remote User with VPN Client
Corporate Headquarters
VPN
VPN Server
VPN Server
VPN Server
VPN Server
Components of a VPN Connection
VPN Tunnel
VPN ClientVPN Server
IP Configuration
DHCP Server
Domain Controller
Authentication Virtual Network
Client Operating SystemRouting andRemote Access
Tunneling Protocols for a VPN Connection
Windows Server 2008 supports four VPN tunneling protocols:
• PPTP
• L2TP/IPsec
• SSTP
• IKEv2
Configuration Requirements
VPN server configuration requirements include:
• Two network interfaces (public and private)
• IP Address allocation (static pool or DHCP)
• Authentication provider (NPS/Radius or the VPN server)
• DHCP relay agent considerations
• Membership in the Local Administrators group or equivalent
Demonstration: How to Configure VPN AccessThis demonstration shows how to: • Configure user dial-in settings• Configure Routing and Remote Access as a VPN server• Configure a VPN client
What Is VPN Reconnect?
The VPN Reconnect feature maintains connectivity across network outages. It requires Windows Server 2008 R2 or Windows 7.
VPN Reconnect:• Provides seamless and consistent VPN connectivity • Uses the Internet Key Encryption version 2 (IKEv2) technology • Automatically re-establishes VPN connections when
connectivity is available• Maintains the connection if users move between different
networks• Makes the connection status transparent to users
Completing Additional Tasks
Configure static packet filters ü
Configure services and ports ü
Adjust logging levels for routing protocols ü
Configure number of available VPN portsü
Create a Connection Manager profile for users ü
Add Certificate Services ü
Increase remote access security üIncrease VPN security ü
Consider implementing VPN Reconnect ü
Lesson 3: Overview of Network Policies• What Is a Network Policy?• Process for Creating and Configuring a Network Policy• Demonstration: How to Create a Network Policy• How are Network Policies Processed?
What Is a Network Policy?
A network policy consists of the following elements:
• Conditions• Constraints• Settings
Process for Creating and Configuring a Network Policy
• Determine authorization by user or group ü• Determine appropriate settings for the user account’s
network access permissionsü
• Configure the New Network Policy Wizard:• Configure Network Policy conditions• Configure Network Policy constraints• Configure Network Policy settings
ü
Demonstration: How to Create a Network PolicyThis demonstration shows how to: • Create a VPN policy based on Windows Groups condition• Test the VPN
How are Network Policies Processed?
Are there policies to process?
START
Does connection attempt match policy conditions?
Yes
Reject connection attempt
Is the remote access permission for the user account set to Deny Access?
Is the remote access permission for the user account set to Allow Access?
Yes
Yes
No Go to next policy
No
Yes
Is the remote access permission on the policy set to Deny remote access permission?
Does the connection attempt match the user object and profile settings?
No
Yes
Accept connection attempt
Reject connection attempt
No
Yes
No
No
Lesson 4: Overview of the Connection Manager Administration Kit• What Is the Connection Manager Administration Kit?• Demonstration: How to Install CMAK• Process for Configuring a Connection Profile• Demonstration: How to Create a Connection Profile• Distributing the Connection Profile to Users
What Is the Connection Manager Administration Kit?
The Connection Manager Administration Kit:
• Allows you to customize users’ remote connection experience by creating predefined connections on remote servers and networks
• Creates an executable file that can be run on a client computer to establish a network connection that you have designed
• Reduces Help Desk requests related to the configuration of RAS connections
• Assists in problem resolution because the configuration is known
• Reduces the likelihood of user errors when they configure their own connection objects
Demonstration: How to Install CMAKThis demonstration shows how to: • Install the CMAK feature
Process for Configuring a Connection Profile
Use the CMAK Connection Profile Wizard to configure:
• The target operating system• Support for VPN• Support for Dial-up, including the custom phone book• Proxy • Custom Help file• Custom support information
The CMAK Connection Profile Wizard assists in the process of creating custom connection profiles for users
Demonstration: How to Create a Connection ProfileThis demonstration shows how to: • Create a connection profile• Examine the profile
Distributing the Connection Profile to Users
The connection profile can be distributed to users in the following ways:
• As part of an image for new computers• On removable media for the user to install manually• With software distribution tools, such as
Systems Management Server or System Center Configuration Manager 2007
Lesson 5: Troubleshooting Routing and Remote Access• Authentication and Accounting Logging• Configuring Remote Access Logging• Configuring Remote Access Tracing• Resolving General VPN Problems• Troubleshooting Other Issues
Authentication and Accounting Logging
There are three types of logging for Network Policy Server:
• Event logging for auditing and troubleshooting connection attempts
• Logging authentication and accounting requests to a local file
• Logging authentication and accounting requests to a SQL server database
Configuring Remote Access Logging
You can configure remote access logging to:
• Log errors only• Log errors and warnings• Log all events• Not log any events• Log additional routing and remote access information
Configuring Remote Access Tracing
You can configure remote access tracing by using:
• The Netsh command:• Netsh ras diagnostics set rastracing * enabled
(enables tracing on all components in RAS)• The Registry:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
Tracing consumes resources, so you should use it for troubleshooting only and then disable it
Resolving General VPN Problems
Troubleshooting Other Issues
Common problems regarding remote access include:
• Error 800: VPN unreachable• Error 721: Remote computer not responding• Error 741/742: Encryption mismatch• L2TP/IPsec issues• EAP-TLS issues
Lab A: Configuring and Managing Network Access• Exercise 1: Configuring Routing and Remote Access as a
VPN Remote Access Solution• Exercise 2: Configuring a Custom Network Policy• Exercise 3: Create and distribute a CMAK Profile
Estimated time: 60 minutes
Logon information
Virtual machines6421B-NYC-DC16421B-NYC-EDGE16421B-NYC-CL1
User name Contoso\AdministratorPassword Pa$$w0rd
Lab Scenario
Contoso, Ltd. wants to implement a remote access solution for its employees so they can connect to the corporate network while away from the office. Contoso requires a network policy that mandates that VPN connections are encrypted for security reasons.You are required to enable and configure the necessary server services to facilitate this remote access.
Lab Review• In the lab, you configured the VPN server to allocate an IP
address configuration by using a static pool of addresses. What alternative is there?
• If you use the alternative, how many addresses are allocated to the VPN server at one time?
• In the lab, you configured a policy condition of tunnel type and a constraint of a day and time restriction. If there were two policies – the one you created plus an additional one that had a condition of membership of the Domain Admins group and a constraints of tunnel type (PPTP or L2TP) – why might your administrators be unable to connect out of office hours?
Lesson 6: Configuring DirectAccess• Discussion: Complexities of Managing VPNs• What Is DirectAccess?• Components of DirectAccess• What Is the Name Resolution Policy Table? • How DirectAccess Works for Internal Clients• How DirectAccess Works for External Clients• Configure DirectAccess
Discussion: Complexities of Managing VPNs
What are the challenges you face when implementing VPNs?
What Is DirectAccess?
Features of DirectAccess:
• Connects automatically to corporate network over the public network• Uses various protocols, including HTTPS, to establish IPv6 connectivity• Supports selected server access and IPSec authentication• Supports end-to-end authentication and encryption• Supports management of remote client computers• Allows remote users to connect directly to intranet servers
Components of DirectAccessInternet websites
DirectAccess Server
AD DS domain controllerDNS server
Internal network resources Network
location server
PKI deployment
IPv6\IPsec
External clients
NRPT/ Consec
Internal clients
What Is the Name Resolution Policy Table?
Using NRPT:
NRPT is a table that defines DNS servers for different namespaces and corresponding security settings. It is used
before the adapter’s DNS settings
• DNS servers can be defined for each DNS namespace rather than for each interface
• DNS queries for specific namespaces can be optionally secured by using IPSec
How DirectAccess Works for Internal ClientsInternet Web sites
DirectAccess Server
Internal client AD DS domain controllerDNS server
CRL dist point
Network location server
Consec
NRPT
Internet websites
DirectAccess Server
AD DS domain controllerDNS server
Internal clients
Internal network resources
How DirectAccess Works for External Clients
DirectAccess Server
AD DS domain controllerDNS server
Consec
NRPT
External clients
DNS server
Internal network resources
DirectAccess Server
AD DS domain controllerDNS server
Consec
NRPT
External clients
DNS server
Internal network resources
Infrastr
ucture
DirectAccess Server
AD DS domain controllerDNS server
Consec
NRPT
External clients
DNS server
Internal network resources
Infrastr
ucture
Intranet
DirectAccess Server
AD DS domain controllerDNS server
Consec
NRPT
External clients
DNS server
Internal network resources
Internet websites
Infrastructure
Intranet
Configuring DirectAccess
1. Configure the AD DS domain controller and DNS2. Configure the PKI environment3. Configure the DirectAccess clients and test Intranet and Internet
Access4. Configure the DirectAccess server5. Verify DirectAccess functionality
Lab B: Configuring and Managing DirectAccess
Estimated time: 60-90 minutes
Logon information
Virtual machines6421B-NYC-DC1, 6421B-NYC-SVR16421B-NYC-EDGE1, 6421B-NYC-CL16421B-INET1
User name Contoso\Administrator or AdministratorPassword Pa$$w0rd
• Exercise 1: Configure the AD DS domain controller and DNS• Exercise 2: Configure the PKI environment• Exercise 3: Configure the DirectAccess clients and test
Intranet Access• Exercise 4: Configure the DirectAccess server• Exercise 5: Verify DirectAccess functionality
Lab Scenario
You are server administrator at Contoso, Ltd. Your organization consists of a large mobile workforce that carries laptops to stay connected. Your organization wants to provide a secure solution to protect data transfer. To do this, you will use DirectAccess to enable persistent connectivity, central administration, and management of remote computers.
Lab Review• Why did you create the DA_Clients group?
• What is the purpose of the nls.contoso.com DNS host record that you associated with an internal IP address?
• What is the purpose of the certificate revocation list?
• Why do you make the CRL available on the DirectAccess server in the perimeter network?
• Why would you use GPO to configure certificate deployment?
• Why did you install a certificate on the client computer?
Module Review and Takeaways• Review Questions• Windows Server 2008 R2 Features introduced in this
module• Tools