Module 5: Configuring and Troubleshooting Routing and Remote Access
To support your organization’s distributed workforce, you must become familiar with technologies that enable remote users to connect to your organization’s network infrastructure. These technologies include virtual private networks (VPNs) and DirectAccess. It is important that you understand how to configure and secure your remote access clients by using network policies. This module explores these remote access technologies.
Lessons
Configuring Network Access
Configuring VPN Access
Overview of Network Policies
Overview of the Connection Manager Administration Kit
Troubleshooting Routing and Remote Access
Configuring DirectAccess
Lab : Configuring and Managing Network Access
Configuring Routing and Remote Access as a VPN Remote Access Solution
Configuring a Custom Network Policy
Create and distribute a CMAK Profile
Lab : Configuring and Managing DirectAccess
Configure the AD DS Domain Controller and DNS
Configure the PKI Environment
Configure the DirectAccess Clients and Test Intranet Access
Configure the DirectAccess Server
Verify DirectAccess Functionality
After completing this module, students will be able to:
Configure network access.
Create and configure a VPN solution.
Describe the role of network policies.
Use the Connection Manager Administration Kit to create and configure client connection profiles.
Troubleshoot routing and remote access.
Implement DirectAccess.
2. Module Overview
• Configuring Network Access
• Configuring VPN Access
• Overview of Network Policies
• Overview of the Connection Manager Administration Kit
• Troubleshooting Routing and Remote Access
• Configuring DirectAccess
3. Lesson 1: Configuring Network Access
• Components of a Network Access Services Infrastructure
• What Is the Network Policy and Access Services Role?
• What Is Routing and Remote Access?
• Network Authentication and Authorization
• Types of Authentication Methods
• Integrating DHCP Servers with Routing and Remote Access
Service
4. Components of a Network Access Services
Infrastructure
Intranet
Remediation
Servers
Internet
NAP Health
Policy Server
DHCP Server
Health
Registration
Authority
IEEE 802.1X
Devices
Active
Directory
VPN Server
Restricted
Network
NAP Client with
limited access
Perimeter
Network
5. What Is the Network Policy and Access Services Role?
Component Description
Network Policy Server
The Microsoft implementation of
RADIUS Server and proxy
Routing and Remote
Access
Provides VPN and dial-up solutions for
users, deploys full-featured software
routers, and shares Internet
connections across the intranet
Health Registration
Authority
Issues health certificates to clients
when using IPsec NAP enforcement
Host Credential
Authorization Protocol
Integrates with Cisco network access
control server
6. What Is Routing and Remote Access?
• Used to provide remote users access to resources on a
private network over Dial-up or VPN services
• Can be used to provide NAT services
• Can provide LAN and WAN routing services to connect
network segments
7. Network Authentication and Authorization
Authentication:
• Verifies the credentials of a connection attempt
• Uses an authentication protocol to send the credentials from
the remote access client to the remote access server in
either plain text or encrypted form
Authorization:
• Verifies that the connection attempt is allowed
• Occurs after successful authentication
8. Types of Authentication Methods
Protocol Description Security Level
PAP
Uses plaintext passwords. Typically
used if the remote access client and
remote access server cannot
negotiate a more secure form of
validation.
The least secure authentication
protocol. Does not protect against
replay attacks, remote client
impersonation, or remote server
impersonation.
CHAP
A challenge-response authentication
protocol that uses the industry-
standard MD5 hashing scheme to
encrypt the response.
An improvement over PAP in that the
password is not sent over the PPP link.
Requires a plaintext version of the
password to validate the challenge
response. Does not protect against
remote server impersonation.
MS-CHAPv2
An upgrade of MS-CHAP. Two-way
authentication, also known as
mutual authentication, is provided.
The remote access client receives
verification that the remote access
server that it is dialing in to has
access to the user’s password.
Provides stronger security than CHAP.
EAP
Allows for arbitrary authentication of
a remote access connection through
the use of authentication schemes,
known as EAP types.
Offers the strongest security by
providing the most flexibility in
authentication variations.
9. Integrating DHCP Servers with Routing and
Remote Access Service
You can provide remote clients with IP
configurations by using either:
• A static pool created on the Routing and Remote
Access server for use with remote clients
• The corporate DHCP server that is located on the
corporate LAN
DHCP servers that run Windows Server 2008 R2:
• Provide a predefined user class called the
Default Routing and Remote Access Class
• Are useful for assigning options that are provided to
Routing and Remote Access clients only
10. Lesson 2: Configuring VPN Access
• What Is a VPN Connection?
• Components of a VPN Connection
• Tunneling Protocols for a VPN Connection
• Configuration Requirements
• Demonstration: How to Configure VPN Access
• What Is VPN Reconnect?
• Completing Additional Tasks
11. What Is a VPN Connection?
Large Branch Office
Medium Branch Office
Small Branch Office
Home Office with
VPN Client
Remote User with VPN Client
Corporate Headquarters
VPN
VPN Server
VPN Server
VPN Server
VPN Server
12. Components of a VPN Connection
VPN Tunnel
VPN ClientVPN Server
IP Configuration
DHCP Server
Domain Controller
Authentication
Virtual Network
Client Operating System
Routing and
Remote Access
13. Tunneling Protocols for a VPN Connection
Windows Server 2008 supports four VPN tunneling
protocols:
• PPTP
• L2TP/IPsec
• SSTP
• IKEv2
14. Configuration Requirements
VPN server configuration requirements include:
• Two network interfaces (public and private)
• IP Address allocation (static pool or DHCP)
• Authentication provider (NPS/Radius or the
VPN server)
• DHCP relay agent considerations
• Membership in the Local Administrators group
or equivalent
15. Demonstration: How to Configure VPN Access
This demonstration shows how to:
• Configure user dial-in settings
• Configure Routing and Remote Access as a VPN server
• Configure a VPN client
16. What Is VPN Reconnect?
The VPN Reconnect feature maintains connectivity across network
outages. It requires Windows Server 2008 R2 or Windows 7.
VPN Reconnect:
• Provides seamless and consistent VPN connectivity
• Uses the Internet Key Encryption version 2 (IKEv2) technology
• Automatically re-establishes VPN connections when
connectivity is available
• Maintains the connection if users move between different
networks
• Makes the connection status transparent to users
17. Completing Additional Tasks
Configure static packet filters
Configure services and ports
Adjust logging levels for routing protocols
Configure number of available VPN ports
Create a Connection Manager profile for users
Add Certificate Services
Increase remote access security
Increase VPN security
Consider implementing VPN Reconnect
18. Lesson 3: Overview of Network Policies
• What Is a Network Policy?
• Process for Creating and Configuring a Network Policy
• Demonstration: How to Create a Network Policy
• How are Network Policies Processed?
19. What Is a Network Policy?
A network policy consists of the
following elements:
• Conditions
• Constraints
• Settings
20. Process for Creating and Configuring a Network Policy
• Determine authorization by user or group
• Determine appropriate settings for the user account’s
network access permissions
• Configure the New Network Policy Wizard:
• Configure Network Policy conditions
• Configure Network Policy constraints
• Configure Network Policy settings
21. Demonstration: How to Create a Network Policy
This demonstration shows how to:
• Create a VPN policy based on Windows Groups condition
• Test the VPN
22. How are Network Policies Processed?
Are there policies
to process?
START
Does connection attempt
match policy conditions?
Yes
Reject
connection
attempt
Is the remote access permission for the
user account set to Deny Access?
Is the remote access
permission for the
user account set to
Allow Access?
Yes
Yes
No
Go to next policy
No
Yes
Is the remote access permission
on the policy set to Deny remote
access permission?
Does the connection
attempt match the user
object and profile settings?
No
Yes
Accept
connection
attempt
Reject
connection
attempt
No
Yes
No
No
23. Lesson 4: Overview of the Connection Manager
Administration Kit
• What Is the Connection Manager Administration Kit?
• Demonstration: How to Install CMAK
• Process for Configuring a Connection Profile
• Demonstration: How to Create a Connection Profile
• Distributing the Connection Profile to Users
24. What Is the Connection Manager Administration Kit?
The Connection Manager Administration Kit:
• Allows you to customize users’ remote connection
experience by creating predefined connections on
remote servers and networks
• Creates an executable file that can be run on a client
computer to establish a network connection that you
have designed
• Reduces Help Desk requests related to the configuration
of RAS connections
• Assists in problem resolution because the configuration
is known
• Reduces the likelihood of user errors when they
configure their own connection objects
25. Demonstration: How to Install CMAK
This demonstration shows how to:
• Install the CMAK feature
26. Process for Configuring a Connection Profile
Use the CMAK Connection Profile Wizard to configure:
• The target operating system
• Support for VPN
• Support for Dial-up, including the custom phone book
• Proxy
• Custom Help file
• Custom support information
The CMAK Connection Profile Wizard assists in the
process of creating custom connection profiles for users
27. Demonstration: How to Create a Connection Profile
This demonstration shows how to:
• Create a connection profile
• Examine the profile
28. Distributing the Connection Profile to Users
The connection profile can be distributed to users in the
following ways:
• As part of an image for new computers
• On removable media for the user to install manually
• With software distribution tools, such as
Systems Management Server or
System Center Configuration Manager 2007
29. Lesson 5: Troubleshooting Routing and
Remote Access
• Authentication and Accounting Logging
• Configuring Remote Access Logging
• Configuring Remote Access Tracing
• Resolving General VPN Problems
• Troubleshooting Other Issues
30. Authentication and Accounting Logging
There are three types of logging for Network Policy Server:
• Event logging for auditing and troubleshooting
connection attempts
• Logging authentication and accounting requests to a
local file
• Logging authentication and accounting requests to a
SQL server database
31. Configuring Remote Access Logging
You can configure remote access logging to:
• Log errors only
• Log errors and warnings
• Log all events
• Not log any events
• Log additional routing and remote access information
32. Configuring Remote Access Tracing
You can configure remote access tracing by using:
• The Netsh command:
• Netsh ras diagnostics set rastracing * enabled
(enables tracing on all components in RAS)
• The Registry:
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftTracing
Tracing consumes resources, so you should use it for
troubleshooting only and then disable it
35. Lab A: Configuring and Managing Network Access
• Exercise 1: Configuring Routing and Remote Access as a
VPN Remote Access Solution
• Exercise 2: Configuring a Custom Network Policy
• Exercise 3: Create and distribute a CMAK Profile
Estimated time: 60 minutes
Logon information
Virtual machines
6421B-NYC-DC1
6421B-NYC-EDGE1
6421B-NYC-CL1
User name ContosoAdministrator
Password Pa$$w0rd
36. Lab Scenario
Contoso, Ltd. wants to implement a remote access solution
for its employees so they can connect to the corporate
network while away from the office. Contoso requires a
network policy that mandates that VPN connections are
encrypted for security reasons.
You are required to enable and configure the necessary
server services to facilitate this remote access.
37. Lab Review
• In the lab, you configured the VPN server to allocate an IP
address configuration by using a static pool of addresses.
What alternative is there?
• If you use the alternative, how many addresses are
allocated to the VPN server at one time?
• In the lab, you configured a policy condition of tunnel type
and a constraint of a day and time restriction. If there
were two policies – the one you created plus an additional
one that had a condition of membership of the Domain
Admins group and a constraints of tunnel type (PPTP or
L2TP) – why might your administrators be unable to
connect out of office hours?
38. Lesson 6: Configuring DirectAccess
• Discussion: Complexities of Managing VPNs
• What Is DirectAccess?
• Components of DirectAccess
• What Is the Name Resolution Policy Table?
• How DirectAccess Works for Internal Clients
• How DirectAccess Works for External Clients
• Configure DirectAccess
40. What Is DirectAccess?
Features of DirectAccess:
• Connects automatically to corporate network over the public network
• Uses various protocols, including HTTPS, to establish IPv6 connectivity
• Supports selected server access and IPSec authentication
• Supports end-to-end authentication and encryption
• Supports management of remote client computers
• Allows remote users to connect directly to intranet servers
41. Components of DirectAccess
Internet websites
DirectAccess
Server
AD DS domain
controller
DNS server
Internal
network
resources Network
location server
PKI
deployment
IPv6
IPsec
External clients
NRPT/
Consec
Internal clients
42. What Is the Name Resolution Policy Table?
Using NRPT:
NRPT is a table that defines DNS servers for different
namespaces and corresponding security settings. It is used
before the adapter’s DNS settings
• DNS servers can be defined for each DNS namespace rather than
for each interface
• DNS queries for specific namespaces can be optionally
secured by using IPSec
43. How DirectAccess Works for Internal Clients
Internet Web sites
DirectAccess
Server
Internal client AD DS domain
controller
DNS server
CRL dist point
Network
location server
Consec
NRPT
Internet websites
DirectAccess
Server
AD DS domain
controller
DNS server
Internal clients
Internal
network
resources
44. How DirectAccess Works for External Clients
DirectAccess
Server
AD DS domain
controller
DNS server
Consec
NRPT
External clients
DNS server
Internal
network
resources
DirectAccess
Server
AD DS domain
controller
DNS server
Consec
NRPT
External clients
DNS server
Internal
network
resources
DirectAccess
Server
AD DS domain
controller
DNS server
Consec
NRPT
External clients
DNS server
Internal
network
resources
DirectAccess
Server
AD DS domain
controller
DNS server
Consec
NRPT
External clients
DNS server
Internal
network
resources
Internet websites
45. Configuring DirectAccess
1. Configure the AD DS domain controller and DNS
2. Configure the PKI environment
3. Configure the DirectAccess clients and test Intranet and Internet
Access
4. Configure the DirectAccess server
5. Verify DirectAccess functionality
46. Lab B: Configuring and Managing DirectAccess
Estimated time: 60-90 minutes
Logon information
Virtual machines
6421B-NYC-DC1, 6421B-NYC-SVR1
6421B-NYC-EDGE1, 6421B-NYC-CL1
6421B-INET1
User name ContosoAdministrator or Administrator
Password Pa$$w0rd
• Exercise 1: Configure the AD DS domain controller and DNS
• Exercise 2: Configure the PKI environment
• Exercise 3: Configure the DirectAccess clients and test
Intranet Access
• Exercise 4: Configure the DirectAccess server
• Exercise 5: Verify DirectAccess functionality
47. Lab Scenario
You are server administrator at Contoso, Ltd. Your
organization consists of a large mobile workforce that
carries laptops to stay connected. Your organization wants
to provide a secure solution to protect data transfer. To do
this, you will use DirectAccess to enable persistent
connectivity, central administration, and management of
remote computers.
48. Lab Review
• Why did you create the DA_Clients group?
• What is the purpose of the nls.contoso.com DNS host record that
you associated with an internal IP address?
• What is the purpose of the certificate revocation list?
• Why do you make the CRL available on the DirectAccess server in
the perimeter network?
• Why would you use GPO to configure certificate deployment?
• Why did you install a certificate on the client computer?
49. Module Review and Takeaways
• Review Questions
• Windows Server 2008 R2 Features introduced in this
module
• Tools