20411B-ENU-TrainerHandbook
.pdf
•Solution: Check the properties on the Security tab of the VPN connection on the VPN client. MCT If Require data encryption (disconnect if none) is selected, clear the selection and retry the
connection. If you are using NPS, check the encryption level in the network policy in the NPS console,
or check the policies on other RADIUS servers. Ensure that the encryption level that the VPN client requested is selected on the VPN server. USE
•No certificate. By default, L2TP/IPsec connections require that, for IPsec peer authentication, an
exchange of computer certificates occur between the Remote Access server and Remote Access client.ONLY Check the Local Computer certificate stores of both the Remote Access client and the Remote Access
server that are using the Certificates snap-in to ensure that a suitable certificate exists.
•Incorrect certificate. The VPN client must have a valid computer certificate installed, that was issued by a CA that follows a valid certificate chain from the issuing CA to a root CA, and that the VPN server
trusts. Additionally, the VPN server must have a valid computer certificate installed that was issued by
a CA that follows a valid certificate chain from the issuing CA to a root CA, and that the VPN client . trusts.
•A NAT device exists between the remote access client and Remote Access server. If there is a NAT STUDENT between a Windows 2000 Server, Windows Server 2003, or Windows XP-based L2TP/IPsec client and
a Windows Server 2008 L2TP/IPsec server, you cannot establish an L2TP/IPsec connection unless the client and server support IPsec NAT traversal (NAT-T).
•A firewall exists between the Remote Access client and the Remote Access server. If there is a firewall between a Windows L2TP/IPsec client and a Windows Server 2012 L2TP/IPsec server, and if you cannot establish an L2TP/IPsec connection, verify that the firewall allows forwarding of L2TP/IPsec traffic.
server (the VPN server or the RADIUS server) submits a computer certificate. To enable the authenticating
•The current date must be within the certificate’s validity dates. When certificates are issued, they areUSE issued with a range of valid dates, before which they cannot be used, and after which they are
considered expired.
•The certificate has not been revoked. Issued certificates can be revoked at any time. Each issuing CAPROHIBITED maintains a list of certificates that are not considered valid, and publishes an up-to-date certificate revocation list CRL. By default, the authenticating server checks all certificates in the VPN clients’
certificate chain (the series of certificates from the VPN client certificate to the root CA) for revocation. If any of the chain’s certificates have been revoked, certificate validation fails.
•The certificate has a valid digital signature. CAs digitally sign certificates that they issue. The authenticating server verifies the digital signature of each certificate in the chain (with the exception of the root CA certificate), by obtaining the public key from the certificates’ issuing CA and mathematically validating the digital signature.
For the VPN client to validate the authenticating server’s certificate for either EAP-TLS authentication, the following must be true for each certificate in the certificate chain that the authenticating server sends:
o The current date must be within the certificate’s validity dates. o The certificate must have a valid digital signature.
Administering Windows Server® 2012 7-31
The main tasks for this exercise are as follows: |
MCT |
|||
1. |
|
Configure server and client certificates. |
||
2. |
Configure the Remote Access role. |
USE |
||
3. |
Create a network policy for virtual private network (VPN) clients. |
|||
|
||||
Task 1: Configure server and client certificates |
|
|||
1. |
|
Switch to LON-DC1. |
.ONLY |
|
2. |
Sign in as Adatum\Administrator with the password Pa$$w0rd. |
|||
|
||||
3. |
Open Certification Authority. |
|
||
4. |
From the Certificate Templates console, open the properties of the Computer certificate template. |
|
||
5. |
|
On the Security tab, grant the Authenticated Users group the Allow Enroll permission. |
|
|
6. |
|
Restart the Certification Authority. |
|
|
7. |
|
Close Certification Authority. |
STUDENT |
|
8. |
|
Open the Group Policy Management Console. |
||
|
|
|||
9. |
|
Navigate to Forest: Adatum.com\Domains\Adatum.com. |
|
|
10. |
Edit the Default Domain Policy. |
|
||
11. |
Navigate to Computer Configuration\Policies\Windows Settings\Security Settings |
|
||
|
|
\Public Key Policies. |
|
|
12. |
Create a new Automatic Certificate Request Settings for the Computer certificate template. |
|
||
13. |
Close the Group Policy Management Editor and the Group Policy Management Console. |
|
||
14. |
Switch to the LON-RTR computer. |
|
||
15. |
Create a management console by running mmc.exe. |
USE |
||
16. |
Add the Certificates snap-in with the focus on the local computer account. |
|||
|
||||
17. |
Navigate to the Personal certificate store, and Request New Certificate. |
|
||
18. |
On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy, and |
|
||
|
|
then click Next. |
|
|
19. |
Enroll the Computer certificate that is listed. |
PROHIBITED |
||
20. |
Close the console, and do not save the console settings. |
|||
|
||||
21. |
Switch to the LON-CL2 computer, and sign in as Adatum\Administrator with the password |
|
||
|
|
Pa$$w0rd. |
|
|
22. |
Open a command prompt, and run the gpupdate /force command to refresh the group policy |
|
||
|
|
settings. |
|
|
23. |
Create a management console by running mmc.exe. |
|
||
24. |
Add the Certificates snap-in with the focus on the local computer account. |
|
||
25. |
Navigate to the Personal certificate store. |
|
||
26. |
Verify that a certificate exists for LON-CL2 that has been issued by Adatum-LON-DC1-CA. |
|
||
27. |
Close the console, and do not save the console settings. |
|
||
|
|
|
|
|
Administering Windows Server® 2012 |
|
MCT |
|||
|
|
|
|
|
7-33 |
|
|
|
||
|
|
Task 1: Configure and distribute a Connection Manager Administration Kit profile |
|
|
|
|
|
|||
1. |
Switch to LON-CL2. |
|
|
|
|
|
||||
2. |
From Control Panel, install the RAS Connection Manager Administration Kit (CMAK) feature. |
|
USE |
|||||||
3. |
From |
Administrative Tools, open the Connection Manager Administration Kit. |
|
|||||||
|
|
|
|
|
||||||
4. |
Complete the Connection Manager Administration Kit Wizard using defaults except where stated |
|
|
|
|
|
||||
|
|
|
below: |
|
|
|
|
|
||
|
|
|
a. |
Select the Target Operating System page: Windows Vista or above |
|
.ONLY |
||||
|
|
|
b. |
Create or Modify a Connection Manager profile page: New profile |
|
|||||
|
|
|
|
|
|
|
|
|||
|
|
|
c. |
Specify the Service Name and the File Name page: |
|
|
|
|
|
|
|
|
|
|
Service name: Adatum Pilot VPN |
|
|
|
|
|
|
|
|
|
|
|
File name: Adatum |
|
|
|
|
|
|
|
|
d. |
Specify a Realm Name page: Do not add a realm name to the user name |
|
|
|
|
|
|
|
|
|
e. |
Add Support for VPN Connections page: |
|
STUDENT |
||||
|
|
|
|
Phone book from this profile: enabled |
|
|||||
|
|
|
|
|
|
|
|
|
||
|
|
|
|
VPN server name or IP address: 10.10.0.1 |
|
|
|
|
|
|
|
|
|
f. |
Create or Modify a VPN Entry page: Edit the listed VPN entry. On the Security tab: |
|
|
|
|
|
|
|
|
|
|
VPN strategy: Only use Layer Two Tunneling Protocol (L2TP). |
|
|
|
|
|
|
|
|
|
g. |
Add a Custom Phone Book page: Automatically download phone book updates deselected. |
|
|
|
|
||
5. |
Open Windows Explorer and navigate to C:\Program Files\CMAK\Profiles |
|
|
|
|
|
||||
|
|
|
\Windows Vista and above\Adatum. |
|
|
|
|
|
||
6. |
Double-click Adatum.exe, and complete the Adatum Pilot VPN Wizard: |
|
|
|
|
|
||||
|
|
|
o |
Make this connection available for: All users |
|
USE |
||||
7. |
In the connection window, click Cancel. |
|
||||||||
|
|
|
|
|
||||||
|
|
Task 2: Verify client access |
|
|
|
|
|
|||
1. |
Sign out of LON-CL2. |
|
|
|
|
|
||||
2. |
Sign in as Adatum\April with the password of Pa$$w0rd. |
|
PROHIBITED |
|||||||
3. |
Open Network Connections. |
|
||||||||
|
|
|
|
|
||||||
4. |
Test the Adatum Pilot VPN connection. Use the following credentials: |
|
|
|
|
|
||||
|
|
|
o |
User name: Adatum\April |
|
|
|
|
|
|
|
|
|
o |
Password: Pa$$w0rd |
|
|
|
|
|
|
|
|
To prepare for the next lab |
|
|
|
|
|
|||
|
|
• |
When you are finished the lab, revert all virtual machines back to their initial state. |
|
|
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
Results: After this exercise, you should have successfully distributed a CMAK profile, and tested VPN access.
Administering Windows Server® 2012 |
MCT |
|
7-35 |
|
|
• VPN connected computers are not easily managed. VPN–based remote client computers present a challenge to IT professionals, because these computers might not connect to the internal network for weeks at a time, preventing them from downloading Group Policy Objects (GPOs) and software updates.
Extending the Network to the Remotely-Connected Computers and Users
To overcome these limitations in traditional VPN connections, organizations can implement DirectAccess |
|||||
to provide a seamless connection between the internal network and the remote computer on the Internet. |
|||||
With DirectAccess, organizations can more easily manage remote computers, because they are always |
USE |
||||
|
|
|
|||
connected. |
|
|
|
||
What Is DirectAccess? |
|
|
|
||
The DirectAccess feature in Windows Server 2012 |
|
|
|
|
|
|
|
ONLY. |
|||
enables seamless remote access to intranet |
|
|
|||
resources without first establishing a user-initiated |
|
|
|||
|
|
|
|
||
VPN connection. The DirectAccess feature also |
|
|
|
|
|
ensures seamless connectivity to the application |
|
|
|
|
|
infrastructure for internal users and remote users. |
|
|
|
|
|
Unlike traditional VPNs that require user |
|
|
|
|
|
intervention to initiate a connection to an |
|
|
|
|
|
intranet, DirectAccess enables any IPv6-capable |
|
|
|
|
|
application on the client computer to have |
|
|
|
|
|
complete access to intranet resources. |
|
|
|
|
|
DirectAccess also enables you to specify resources |
|
STUDENT |
|||
and client-side applications that are restricted for remote access. |
|||||
Organizations can benefit from DirectAccess by providing a way in which IT staff can manage remote |
|||||
computers as they would manage local computers. Using the same management and update servers, |
|||||
|
|
|
|||
you can ensure that remote computers are always up-to-date and in compliance with your security and system health policies. You can also define more detailed access control policies for remote access when compared with defining access control policies in VPN solutions.
DirectAccess offers the following features: |
USE |
|
|
• Connects automatically to the corporate intranet when connected to the Internet. |
PROHIBITED |
• Uses various protocols, including HTTPS, to establish IPv6 connectivity—HTTPS is typically allowed |
|
through firewalls and proxy servers. |
|
• Supports selected server access and end-to-end IPsec authentication with intranet network servers. |
|
• Supports end-to-end authentication and encryption with intranet network servers. |
|
• Supports management of remote client computers. |
|
• Allows remote users to connect directly to intranet servers. |
|
DirectAccess also provides the following benefits: |
|
• Always-on connectivity. Whenever the user connects the client computer to the Internet, the client |
|
computer is also connected to the intranet. This connectivity enables remote client computers to |
|
access and update applications more easily. It also makes intranet resources always available, and |
|
enables users to connect to the corporate intranet from anywhere and anytime, thereby improving |
|
their productivity and performance. |
|
|
Administering Windows Server® 2012 |
MCT |
|
7-37 |
|
|
The DirectAccess server can be any Windows Server 2012 server that you join to a domain, and which accepts connections from DirectAccess clients and establishes communication with intranet resources. This
server provides authentication services for DirectAccess clients, and acts as an IPsec tunnel mode endpoint for external traffic. The new Remote Access server role allows centralized administration, configuration, and monitoring for both DirectAccess and VPN connectivity.
USE
Compared with previous implementation in Windows Server 2008 R2, the new DirectAccess Wizard-based setup simplifies DirectAccess management for small and medium organizations. The wizard does this by
removing the need for full PKI deployment and removing the requirement for two consecutive public IPv4 addresses for the physical adapter that is connected to the Internet. In Windows Server 2012, the DirectAccess setup wizard detects the actual implementation state of the DirectAccess server, and selects the best deployment automatically. This hides the complexity of manually configuring IPv6 transition technologies from the administrator.
DirectAccess Clients |
ONLY. |
DirectAccess clients can be any domain-joined computer that is running Windows 8 Enterprise, |
|
Windows 7 Enterprise, or Windows 7 Ultimate. |
|
Note: With off-premise provisioning, you can join a Windows 8 Enterprise client computer in a domain without connecting the client computer in your internal premises.
The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native
IPv6 network is not available, then the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or |
STUDENT |
Teredo. Note that the user does not have to be logged on to the computer for this step to complete. |
|
|
If a firewall or proxy server prevents the client computer that is using 6to4 or Teredo from connecting to the DirectAccess server, the client computer automatically attempts to connect by using the IP-HTTPS protocol, which uses a SSL connection to ensure connectivity. The client has access to the Name Resolution Policy Table (NRPT) rules and Connection Security tunnel rules.
You can configure any IPv6–capable application that is running on internal servers or client computers to be available for DirectAccess clients. For older applications and servers, including those that are not based on Windows operating systems and have no IPv6 support, Windows Server 2012 now includes native support for protocol translation (NAT64) and name resolution (DNS64) gateway to convert IPv6 communication from DirectAccess client to IPv4 for the internal servers.
PROHIBITED USE
7-38 Configuring and Troubleshooting Remote Access
Active Directory Domain
You must deploy at least one Active Directory domain, running at a minimum Windows Server 2003 |
MCT |
|
domain functional level. Windows Server 2012 DirectAccess provides integrated multiple domain support, |
||
|
||
which allows client computers from different domains to access resources that may be located in different |
||
trusted domains. |
USE |
|
Group Policy |
||
Group Policy is required for the centralized administration and deployment of DirectAccess settings. The |
||
DirectAccess Setup Wizard creates a set of GPOs, and settings for DirectAccess clients, the DirectAccess |
|
|
server, and selected servers. |
|
|
PKI
PKI deployment is optional for simplified configuration and management. DirectAccess in Windows Server
2012 enables client authentication requests to be sent over a HTTPS–based Kerberos proxy service that is |
ONLY. |
||
running on the DirectAccess server. This eliminates the need for establishing a second IPsec tunnel |
|||
between clients and domain controllers. The Kerberos proxy will send Kerberos requests to domain |
|||
controllers on behalf of the client. |
|||
STUDENT |
|||
However, for a full DirectAccess configuration that allows NAP integration, two-factor authentication, |
|||
and force tunneling, you still need to implement certificates for authentication for every client that will |
|||
participate in DirectAccess communication. |
|||
DNS Server |
|||
When using ISATAP, you must use at least Windows Server 2008 R2, Windows Server 2008 Service Pack 2 |
|||
(SP2) or newer, or a non-Microsoft DNS server that supports DNS message exchanges over ISATAP. |
|||
NAP Servers |
|||
NAP is an optional component of the DirectAccess solution that allows you to provide compliance |
|||
checking and enforce security policy for DirectAccess clients over the Internet. DirectAccess in Windows |
|||
Server 2012 provides the ability to configure NAP health check directly from the setup user interface, |
|||
instead of manually editing the GPO as is required with DirectAccess in Windows Server 2008 R2. |
|||
USE |
|||
What Is the Name Resolution Policy Table? |
|||
To separate Internet traffic from intranet traffic |
|
||
|
|||
|
|
||
in DirectAccess, both Windows Server 2012 and |
|
|
|
Windows 8 include the NRPT. NRPT is a feature |
|
|
|
that allows DNS servers to be defined per DNS |
|
|
|
namespace, rather than per interface. |
|
|
|
The NRPT stores a list of rules. Each rule defines a |
|
|
|
DNS namespace and configuration settings that |
|
|
|
describe the DNS client’s behavior for that |
|
|
|
namespace. |
|
|
|
When a DirectAccess client is on the Internet, |
|
|
|
each name query request is compared against the |
|
|
|
|
PROHIBITED |
||
namespace rules stored in the NRPT. |
|||
|
|
||
•If a match is found, the request is processed according to the settings in the NRPT rule.
•If a name query request does not match a namespace listed in the NRPT, the request is sent to the DNS servers that are configured in the TCP/IP settings for the specified network interface.