MCSA Guide to Administering Microsoft Windows Server 2012/R2, Exam 70-411 Chapter 5 Remote Access Configuration

MCSA Ch05 Remote Access Configuration

Nov 09, 2015


megadrive007


Chapter 5

Chapter 5: Remote Access Configuration
Cengage Learning 2015

Objectives
- Describe remote access
- Install and configure the Remote Access server role
- Configure the DirectAccess role service

An Overview of Remote Access
- Remote Access: a server role that provides services to keep a mobile workforce and branch offices securely connected to resources at the main office
- Reasons for using a remote access solution:
  - Work-from-home employees
  - Frequent travelers
  - Business partners
  - Branch offices

An Overview of Remote Access
- Remote Access services and tools:
  - Virtual private network
  - Remote dial-in
  - Routing
  - Network Address Translation
  - Web Application Proxy
  - DirectAccess
- The Remote Access server role has additional features, but the list above covers the core services for most remote access needs

Installing and Configuring the Remote Access Role
- The Remote Access role is installed by using Server Manager or the Install-WindowsFeature PowerShell cmdlet
- Under the main Remote Access server role, there are three role services to choose from:
  - DirectAccess and VPN (RAS): has the features needed for dial-in, VPN, and DirectAccess remote access
  - Routing: provides routing and NAT and requires the DirectAccess and VPN (RAS) role service
  - Web Application Proxy: allows publishing Web-based applications for use by clients outside the network

Virtual Private Networks
- Virtual private network (VPN): a network connection that uses the Internet to give mobile users or branch offices secure access to a company's network resources
- VPNs use encryption and authentication to ensure communication is secure and legitimate
- Tunnel: a method of transferring data across an unsecured network in such a way that the actual data in the transmission is hidden from all but the sender and receiver
  - Created by encapsulation

Virtual Private Networks
Figure 5-1 A typical VPN connection

VPN Tunnel Types
- Three types of VPN tunnels:
  - Point-to-Point Tunneling Protocol (PPTP): encapsulates Point-to-Point Protocol (PPP), using a modified version of Generic Routing Encapsulation (GRE)
  - Layer 2 Tunneling Protocol with Internet Protocol Security (L2TP/IPsec): generally provides a higher level of security than PPTP
  - Secure Socket Tunneling Protocol (SSTP): works behind most firewalls without the administrator needing to configure the firewall to allow VPN

VPN Requirements
- Your server and network must meet requirements for the type of VPN you want to set up:
  - Two or more NICs installed on the server
  - Correctly configured firewall
  - Authentication
  - DHCP configuration

Network Firewall Configuration for a VPN
- Configuring the perimeter network is crucial for VPN operation
- Perimeter network: a boundary between the private network and the public Internet
  - Where most resources available to the Internet are located
- The firewall must be configured to allow certain types of traffic, according to the VPN tunnel type
- See page 174 of the textbook for a list of traffic per tunnel type

VPN Configuration
- If the VPN server is a domain member, its computer account must be added to the RAS and IAS Servers group in Active Directory
- Next, click the server icon and click Configure and Enable Routing and Remote Access
- The Configuration window gives you options for the type of remote access server you want to configure:
  - For a standard VPN server, select the Remote access (dial-up or VPN) option
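The same preparation done from PowerShell, as an added example that is not from the textbook: it assumes a domain-joined server whose computer account is VPN1 (a placeholder name), the RSAT ActiveDirectory module, and the RemoteAccess module that the role installs.

```powershell
# Added example, not from the textbook. Installs the role services named on
# the earlier slides and configures a standard VPN server without the wizard.
# 'VPN1' is a placeholder computer name.

# 1. Role services: DirectAccess and VPN (RAS), plus Routing, which depends on it.
#    Web-Application-Proxy is the third role service; a VPN server does not need it.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools

# 2. A domain-member VPN server must be in "RAS and IAS Servers" so it can read
#    the dial-in properties of user accounts. The membership only lands in the
#    server's token after its next restart (or Kerberos ticket renewal).
$vpnServer = Get-ADComputer -Identity 'VPN1'
$members   = Get-ADGroupMember -Identity 'RAS and IAS Servers' |
             Select-Object -ExpandProperty DistinguishedName
if ($vpnServer.DistinguishedName -notin $members) {
    Add-ADGroupMember -Identity 'RAS and IAS Servers' -Members $vpnServer
}

# 3. Equivalent of choosing "Remote access (dial-up or VPN)" in the
#    Configuration window, for VPN only (no modems involved).
Import-Module RemoteAccess
Install-RemoteAccess -VpnType Vpn

# 4. Confirm that RRAS now reports VPN as installed before telling clients about it.
Get-RemoteAccess | Select-Object VpnStatus, DAStatus, RoutingStatus
```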

VPN Configuration
Figure 5-2 The Configuration window

VPN Configuration
- In the VPN Connection window:
  - You can rename network connections
  - The Enable security on the selected interface by setting up static packet filters option is enabled by default
    - Prevents the interface connected to the Internet from accepting any traffic that isn't part of a VPN connection
- In the IP Address Assignment window, you decide how VPN client connections are assigned IP addresses (Automatically is the preferred option)

VPN Configuration
Figure 5-4 The IP Address Assignment window

VPN Configuration
- Next, you decide how clients are authenticated to the VPN server and whether you want to use RADIUS to handle authentication
  - See Figure 5-5 on the following slide
- After you click Finish in the summary window, you see a message stating that you must configure the DHCP relay agent
  - Do this if you configured automatic IP address assignment and the DHCP server is not on the same subnet

VPN Configuration
Figure 5-5 Configuring authentication

Finishing VPN Configuration
- After finishing the RRAS Setup Wizard, the VPN server is ready to start accepting VPN client connections
- You need to define who's allowed to connect
- Two ways to allow users to connect via remote access:
  - Configuring dial-in settings in user accounts
  - Configuring a network policy in the Network Policy Server (NPS) console

Configuring Dial-In Settings in User Accounts
- Configure each user's account properties in Active Directory or Local Users and Groups to allow remote access
- In the account's Properties dialog box, click the Dial-in tab
- By default, the Network Access Permission attribute is set to Control access through NPS Network Policy. Select the Allow access option to give the user permission to connect remotely via dial-in, VPN, and DirectAccess
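The Dial-in tab's three Network Access Permission options are stored in the user's msNPAllowDialin attribute (Allow access = TRUE, Deny access = FALSE, Control access through NPS Network Policy = attribute not set). This added example, not from the textbook, sets and reads that attribute in bulk with the ActiveDirectory module; the user names are constructed placeholders.

```powershell
# Added example, not from the textbook. Set or read the Dial-in tab's
# Network Access Permission for several Active Directory users at once.
Import-Module ActiveDirectory

function Set-DialInPermission {
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        [Parameter(Mandatory)] [ValidateSet('Allow', 'Deny', 'NpsControl')] [string] $Mode
    )
    foreach ($name in $SamAccountName) {
        switch ($Mode) {
            # "Allow access" on the Dial-in tab
            'Allow'      { Set-ADUser -Identity $name -Replace @{ msNPAllowDialin = $true } }
            # "Deny access"
            'Deny'       { Set-ADUser -Identity $name -Replace @{ msNPAllowDialin = $false } }
            # "Control access through NPS Network Policy" = attribute cleared (the default)
            'NpsControl' { Set-ADUser -Identity $name -Clear msNPAllowDialin }
        }
    }
}

function Get-DialInPermission {
    param([Parameter(Mandatory)] [string[]] $SamAccountName)
    foreach ($name in $SamAccountName) {
        $u = Get-ADUser -Identity $name -Properties msNPAllowDialin
        $state = if ($null -eq $u.msNPAllowDialin) { 'Control access through NPS Network Policy' }
                 elseif ($u.msNPAllowDialin)      { 'Allow access' }
                 else                             { 'Deny access' }
        [pscustomobject]@{ User = $name; NetworkAccessPermission = $state }
    }
}

# Grant two travelling users remote access explicitly (constructed names)...
Set-DialInPermission -SamAccountName 'jsmith', 'rlopez' -Mode Allow
# ...and return a former contractor's account to NPS policy control.
Set-DialInPermission -SamAccountName 'contractor1' -Mode NpsControl
# Audit what the Dial-in tab would now show for each account.
Get-DialInPermission -SamAccountName 'jsmith', 'rlopez', 'contractor1'
```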

Configuring Dial-In Settings in User Accounts
Figure 5-6 Configuring the Network Access Permission attribute for a user account

VPN Client Configuration
- The VPN client is configured by setting up a new connection in the Network and Sharing Center
- Choose Connect to a workplace and choose how you will connect
- Next, enter the address of the VPN server you'll connect to and enter a name for the connection
- When you create a VPN connection, the default tunnel type is Automatic
  - The VPN client attempts to make the connection by using each method until it's successful or the connection fails

Configuring Remote Dial-in
- A server supporting remote dial-in must have one modem connected to a phone line for each simultaneous remote access user
- Remote dial-in is configured almost the same way as a VPN
- In the Network Selection window, choose the private network from which dial-in clients are assigned an IP address
- Remote dial-in has been largely replaced by VPN and DirectAccess in Windows environments

Configuring Remote Access Options
- RRAS allows multiple tunneling types by default for VPN connections
  - You may want to consider restricting connections to a particular tunneling method
- You can configure remote access settings in the properties of a user account
  - This method can prove inefficient if many users need remote access permission
  - Instead, allow or disallow remote access to users based on connection-related group policies

Configuring Remote Access Security
- To configure security settings for remote access, right-click the server in the Routing and Remote Access console and click Properties
- In the Security tab you can configure:
  - Authentication provider
  - Authentication methods
  - Accounting provider
  - Allow custom IPsec policy for L2TP/IKEv2 connection
  - SSL Certificate Binding

Configuring Available Tunnel Types
- By default, each tunneling type is enabled in the RRAS service when you configure a VPN
  - Each type allows up to 128 connections or ports
- Configure the number of ports in the Routing and Remote Access console by right-clicking Ports and clicking Properties
  - Double-click a tunnel type to see the Configure Device dialog box
  - Changing the number of ports to 0 effectively disables the tunnel type
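An added example, not from the textbook, that applies this slide and the earlier VPN Client Configuration slide from PowerShell: the server side zeroes the PPTP and L2TP port counts so only SSTP and IKEv2 are accepted, and the client side creates the connection but pins it to SSTP instead of leaving it at Automatic. It assumes the RemoteAccess module's Set-VpnServerConfiguration accepts the per-tunnel port counts shown, and the server name is a placeholder.

```powershell
# Added example, not from the textbook.

# ---- On the RRAS server (RemoteAccess module) ----
Import-Module RemoteAccess

# Every tunnel type starts with 128 ports. A type with 0 ports cannot accept a
# connection, which is how you retire PPTP, the weakest of the three tunnel
# types listed earlier, and keep only the IPsec- and SSL-based tunnels.
# Assumed: the per-tunnel port parameters of Set-VpnServerConfiguration.
Set-VpnServerConfiguration -TunnelType Pptp  -PptpPorts  0
Set-VpnServerConfiguration -TunnelType L2tp  -L2tpPorts  0
Set-VpnServerConfiguration -TunnelType Sstp  -SstpPorts  128
Set-VpnServerConfiguration -TunnelType Ikev2 -Ikev2Ports 128
Get-VpnServerConfiguration

# ---- On a Windows 8/8.1 client (VpnClient module) ----
# The Network and Sharing Center wizard leaves the tunnel type at Automatic, so
# the client tries each method in turn. Pinning SSTP (TCP 443, passes most
# firewalls) avoids a silent fallback to a weaker type if one is ever re-enabled.
# MS-CHAPv2 is acceptable here because SSTP wraps it in the TLS channel.
Add-VpnConnection -Name 'Corp VPN' `
                  -ServerAddress 'vpn.example.com' `
                  -TunnelType Sstp `
                  -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Required `
                  -RememberCredential `
                  -PassThru

# Confirm what the client will actually negotiate.
Get-VpnConnection -Name 'Corp VPN' |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod
```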

Configuring Network Policies
- A user account's Network Access Permission attribute is set to Control access through NPS Network Policy in the Dial-in tab of the Properties dialog box
- By default, NPS Network Policy disallows all remote access
  - You must change the Network Access Permission attribute to Allow access on user accounts
  - You can also configure an NPS network policy in the Network Policy Server console
- Follow the steps starting on page 185

Configure Routing
- Using RRAS, a Windows server can be configured as a router to connect multiple subnets in a network or connect a network to the Internet
- Windows Server 2012/R2 supports static routing and dynamic routing with Routing Information Protocol Version 2 (RIPv2)
- To configure a server as a router, select the Custom configuration option in the Configuration window of the RRAS Setup Wizard
  - Then select the LAN routing option

Configure Routing
Figure 5-17 An RRAS server configured as a router

Routing Tables
- Routing table: a list of network destinations and information on which interface can be used to reach the destination
- A routing table has the following columns:
  - Destination
  - Network mask
  - Gateway
  - Interface
  - Metric
  - Protocol

Configuring Static Routes
- After routing is enabled, you can add routing protocols and configure static routes
- Static routes instruct the router where to send packets destined for particular networks
- An IPv4 static route has the following information:
  - Interface
  - Destination
  - Network mask
  - Gateway
  - Metric
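An added example, not from the textbook, that shows how the columns on the two slides above are used: a constructed IPv4 routing table with Destination, Network mask, Gateway, Interface, Metric and Protocol, and a lookup that applies the router's rule (the most specific matching destination wins, and among equals the lowest metric wins). The final command adds the equivalent static route to a Windows router's own routing table with the built-in NetTCPIP cmdlet New-NetRoute; addresses and interface names are placeholders.

```powershell
# Added example, not from the textbook. Constructed routing table and a
# best-match lookup, followed by adding a real static route with New-NetRoute.

function ConvertTo-AddressValue {
    # Dotted-quad string -> unsigned 32-bit integer, so masks can be applied with -band.
    param([string] $Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                     # network order -> host order
    return [BitConverter]::ToUInt32($bytes, 0)
}

# Constructed table using RFC 1918 and documentation (203.0.113.0/24) addresses.
$routingTable = @(
    [pscustomobject]@{ Destination='0.0.0.0';  NetworkMask='0.0.0.0';       Gateway='203.0.113.1'; Interface='Internet'; Metric=10; Protocol='Static' }
    [pscustomobject]@{ Destination='10.0.0.0'; NetworkMask='255.0.0.0';     Gateway='10.1.0.254';  Interface='LAN';      Metric=20; Protocol='RIP' }
    [pscustomobject]@{ Destination='10.1.0.0'; NetworkMask='255.255.0.0';   Gateway='0.0.0.0';     Interface='LAN';      Metric=1;  Protocol='Local' }
    [pscustomobject]@{ Destination='10.2.5.0'; NetworkMask='255.255.255.0'; Gateway='10.1.0.253';  Interface='LAN';      Metric=5;  Protocol='Static' }
    [pscustomobject]@{ Destination='10.2.5.0'; NetworkMask='255.255.255.0'; Gateway='10.1.0.252';  Interface='LAN';      Metric=15; Protocol='RIP' }
)

function Find-Route {
    param([Parameter(Mandatory)] [string] $PacketDestination, [object[]] $Table = $routingTable)
    $dst = ConvertTo-AddressValue $PacketDestination
    # Keep every entry whose Destination/Network mask covers the packet's address.
    $candidates = foreach ($r in $Table) {
        $mask = ConvertTo-AddressValue $r.NetworkMask
        if (($dst -band $mask) -eq ((ConvertTo-AddressValue $r.Destination) -band $mask)) { $r }
    }
    # Longest prefix first (a larger contiguous mask is a longer prefix), then lowest metric.
    $candidates |
        Sort-Object @{ Expression = { ConvertTo-AddressValue $_.NetworkMask }; Descending = $true },
                    @{ Expression = 'Metric'; Descending = $false } |
        Select-Object -First 1
}

Find-Route '10.2.5.77'   # 10.2.5.0/24 via 10.1.0.253: static metric 5 beats the RIP-learned metric 15
Find-Route '10.9.1.1'    # 10.0.0.0/8 via 10.1.0.254 (RIP): only the /8 and the default match
Find-Route '8.8.8.8'     # default route via 203.0.113.1 on the Internet interface

# The same static route on a Windows router, added to its IPv4 routing table.
New-NetRoute -DestinationPrefix '10.2.5.0/24' -InterfaceAlias 'LAN' -NextHop '10.1.0.253' -RouteMetric 5
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '10.2.5.0/24'
```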

Configuring Routing Information Protocol
- In the RRAS console, under the IPv4 node, right-click General and click New Routing Protocol
- Select RIP Version 2 for IP
- Next, configure RIP by enabling it on the interfaces that RIP uses to send and receive routing information
- RIPv2 uses the hop count metric for determining the best path
  - Hop count is the number of routers a packet must go through to reach the destination network

Configuring Network Address Translation
- Network Address Translation (NAT): a process in which a router or other gateway device replaces the source or destination IP addresses in a packet before forwarding it
  - Used to allow networks to use private IP addressing while connected to the Internet
- Port Address Translation (PAT): allows several hundred workstations to access the Internet with a single public Internet address
  - Uses source TCP or UDP port numbers in addition to IP addresses
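A small simulation of the PAT mechanism described above, added here and not part of the textbook: the translator rewrites the private source address and port of outbound packets to the one public address and a unique public port, records the mapping, and reverses it for replies. All addresses are constructed (RFC 1918 and documentation ranges), not a real network.

```powershell
# Added example, not from the textbook. Simulates a PAT translation table.
class PatTranslator {
    [string]    $PublicAddress
    [int]       $NextPort = 49152            # first port of the dynamic range
    [hashtable] $Outbound = @{}              # 'privateIP:port' -> public port
    [hashtable] $Inbound  = @{}              # public port -> 'privateIP:port'

    PatTranslator([string] $publicAddress) { $this.PublicAddress = $publicAddress }

    # Packet leaving the private network: (src IP, src port) becomes (public IP, public port).
    [hashtable] TranslateOutbound([hashtable] $pkt) {
        $key = '{0}:{1}' -f $pkt.SrcIP, $pkt.SrcPort
        if (-not $this.Outbound.ContainsKey($key)) {
            $this.Outbound[$key] = $this.NextPort
            $this.Inbound[$this.NextPort] = $key
            $this.NextPort++
        }
        return @{ SrcIP = $this.PublicAddress; SrcPort = $this.Outbound[$key]
                  DstIP = $pkt.DstIP;          DstPort = $pkt.DstPort }
    }

    # Reply from the Internet: the destination port alone identifies the private host.
    [hashtable] TranslateInbound([hashtable] $pkt) {
        if (-not $this.Inbound.ContainsKey($pkt.DstPort)) { return $null }   # no mapping: dropped
        $ip, $port = $this.Inbound[$pkt.DstPort] -split ':'
        return @{ SrcIP = $pkt.SrcIP; SrcPort = $pkt.SrcPort; DstIP = $ip; DstPort = [int]$port }
    }
}

$pat = [PatTranslator]::new('203.0.113.10')

# Two workstations happen to pick the same source port for the same web server;
# PAT keeps the flows apart by giving each its own public port.
$a = $pat.TranslateOutbound(@{ SrcIP = '192.168.1.20'; SrcPort = 5000; DstIP = '198.51.100.5'; DstPort = 443 })
$b = $pat.TranslateOutbound(@{ SrcIP = '192.168.1.21'; SrcPort = 5000; DstIP = '198.51.100.5'; DstPort = 443 })
'Host .20 leaves as {0}:{1}, host .21 as {2}:{3}' -f $a.SrcIP, $a.SrcPort, $b.SrcIP, $b.SrcPort

# The server only ever sees the public address and port; the table is what
# gets its reply back to the right private host.
$reply = $pat.TranslateInbound(@{ SrcIP = '198.51.100.5'; SrcPort = 443; DstIP = '203.0.113.10'; DstPort = $b.SrcPort })
'Reply to public port {0} delivered to {1}:{2}' -f $b.SrcPort, $reply.DstIP, $reply.DstPort

# Unsolicited inbound traffic has no table entry, so the translator drops it.
$null -eq $pat.TranslateInbound(@{ SrcIP = '198.51.100.9'; SrcPort = 1234; DstIP = '203.0.113.10'; DstPort = 60000 })
```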

Configuring Network Address Translation
- To configure NAT in the RRAS Setup Wizard, select the Network address translation (NAT) option in the Configuration window
- For LAN-based Internet access, choose the interface connected to the Internet in the NAT Internet Connection window
- If the Internet connection is dial-up, choose the option to create a new demand-dial interface to the Internet

Configuring Network Address Translation
Figure 5-21 The NAT Internet Connection window

Configuring Web Application Proxy
- Web Application Proxy: allows remote users to access network applications from any device that supports a Web browser
  - Applications made available to users with this method are said to be published applications
- Web Application Proxy works with Active Directory Federation Services (AD FS) to enable features such as single sign-on
  - AD FS is used to authenticate and authorize users who attempt to access published applications

Configuring Web Application Proxy
- Requirements for configuring Web Application Proxy include the following:
  - A functioning AD FS deployment on the network
  - Two NICs installed on the Web Application Proxy server
  - A certificate in the Personal certificate store issued by a CA that covers the federation service name, and one that covers the address of the Web application you publish
- Follow the steps on page 192 to configure

The DirectAccess Role Service
- DirectAccess provides many of the same features as a VPN but adds client management and always-connected capability
- DirectAccess uses IPv6 and IPsec to create secure connections to the network
- DirectAccess almost eliminates client connection problems caused by firewall settings

DirectAccess Requirements
- DirectAccess requirements in Windows Server 2012/R2:
  - Two NICs, as for a VPN server
  - The server must be a domain member
  - A public IP address
- There is an option for DirectAccess to use Kerberos proxy for authentication and encryption
  - Kerberos proxy allows a client computer to authenticate to a domain controller, using the DirectAccess server as a proxy

Optional Server Configurations
- Recommended enhancements for production environments:
  - An internal PKI
  - SSL certificate issued by a public CA for IP-HTTPS
  - SSL certificate issued by an internal PKI for the Network Location Server
  - Computer certificate issued by an internal PKI for IPsec authentication
  - Two consecutive public IP addresses

DirectAccess Client Requirements
- No special software needs to be installed on clients
- Requirements for DirectAccess clients:
  - Must be running at least Windows 7 Enterprise or Ultimate, Windows 8/8.1 Enterprise, Windows Server 2008 R2, or Windows Server 2012/R2
  - The client must be a domain member
  - IPv6 must be enabled on the client

How DirectAccess Connections Work
- The following basic steps explain the process:
  1. The client computer detects that it has a valid network connection
  2. Using an NLS server, the client determines whether it is connected to the Internet or the main network
     - If it isn't connected to the main network, the process continues to the next step
  3. The client attempts to connect to the DirectAccess server via IPv6 and IPsec
  4. The client and server authenticate with each other, using computer certificates

Installing and Configuring DirectAccess
- Follow the steps starting on page 196 to install a test network similar to Figure 5-24
Figure 5-24 A DirectAccess test network

Advanced DirectAccess Deployment Options
- After you have established a basic DirectAccess configuration, you might want to add some of the following features for security and convenience:
  - Setting up a PKI
  - Configuring NLS on a separate Web server
  - Configuring the name resolution policy table (NRPT)
  - Configuring forced tunneling
  - Configuring ISATAP

Setting Up a PKI
- Basic steps to follow:
  1. On a server separate from the DirectAccess server, install AD Certificate Services configured as an Enterprise Certificate Authority
  2. Issue an SSL certificate to the NLS server, set up on a server separate from the DirectAccess server
  3. Issue machine certificates to the DirectAccess server and each DirectAccess client computer
     - It is best to configure auto-enrollment so that each client computer can automatically request and be issued a machine certificate

Configuring NLS on a Separate Web Server

You need IIS installed on any server in the network
DirectAccess clients connect to it with HTTPS, so it requires an SSL certificate
Make sure a DNS record is created on internal DNS servers that points to the NLS server using a name
The name is published to DirectAccess clients with a group policy
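An added example (not the textbook's own procedure) that stands up the NLS on a separate IIS server, publishes its internal DNS name, and then runs the two checks that matter for an NLS. The names NLS1 and DC1, the zone corp.example.com, the address 10.0.0.20 and the certificate subject are assumptions; the certificate is assumed to have already been issued by the enterprise CA.

```powershell
# Added example (not from the textbook). Assumptions (hypothetical): IIS server NLS1,
# internal DNS server DC1, zone corp.example.com, NLS1 at 10.0.0.20, and an SSL certificate
# for nls.corp.example.com already present in NLS1's machine store.

# --- On NLS1: install IIS and bind the default site to HTTPS with the NLS certificate ---
Install-WindowsFeature Web-Server -IncludeManagementTools
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=nls.corp.example.com' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'NLS certificate not found; issue it from the enterprise CA first.' }

New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -HostHeader 'nls.corp.example.com'
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# --- On DC1 (internal DNS only): the A record DirectAccess clients look up to decide
#     whether they are inside the network ---
Add-DnsServerResourceRecordA -ZoneName 'corp.example.com' -Name 'nls' -IPv4Address '10.0.0.20'

# --- Check 1: from an internal client, the NLS URL must answer HTTPS 200. If it does not
#     (NLS down, certificate untrusted), clients on the LAN conclude they are on the Internet,
#     apply the NRPT, and lose internal name resolution. ---
$r = Invoke-WebRequest -Uri 'https://nls.corp.example.com/' -UseBasicParsing
if ($r.StatusCode -ne 200) { throw "NLS returned HTTP $($r.StatusCode)" }

# --- Check 2: the NLS name must NOT resolve from public DNS. If it did, a client on the
#     Internet would think it is inside and never bring up the tunnel. Any public resolver works. ---
Resolve-DnsName -Name 'nls.corp.example.com' -Server '8.8.8.8' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "NLS name is resolvable from the Internet: $($_.IPAddress)" }
```

Because inside/outside detection hinges on this one HTTPS probe, treat the NLS as a tier-1 service: give it the same availability as the domain controllers and alert on certificate expiry well ahead of time.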

Configuring the Name Resolution Policy Table

When DirectAccess clients are connected to the Internet, the name resolution policy table (NRPT) makes sure DNS requests for network resources are directed to internal DNS servers
You may need to create NRPT exemptions for certain cases (referred to as split-brain DNS)
Follow the steps outlined on page 205 to create exemptions
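The following added example (not the textbook's page 205 procedure) creates a split-brain exemption with the RemoteAccess module instead of the Group Policy editor, then shows on a client how the NRPT picks a rule for a name. The internal suffix corp.example.com, the DA server's DNS64 address 2001:db8:1::1 and the split-brain name www.corp.example.com (hosted both publicly and internally) are assumptions.

```powershell
# Added example (not from the textbook). Assumptions (hypothetical): internal namespace
# corp.example.com, DirectAccess DNS64 address 2001:db8:1::1, and a public web site
# www.corp.example.com that also exists on the internal DNS (split-brain DNS).

Import-Module RemoteAccess

# Rules the DirectAccess wizard already generated: the internal suffix pointing at the
# DA server's DNS64 address, plus an exemption for the NLS name.
Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress -AutoSize

# Exemption: a suffix added WITHOUT a DnsIPAddress tells clients to resolve that name with the
# DNS servers of whatever network they are on (the Internet), so the public copy of the site
# is reached directly instead of through the tunnel.
Add-DAClientDnsConfiguration -DnsSuffix 'www.corp.example.com'

# Counterpart, for reference: a suffix WITH an address is sent through the tunnel to the
# internal DNS server (this is the form the wizard used for '.corp.example.com').
# Add-DAClientDnsConfiguration -DnsSuffix '.branch.example.com' -DnsIPAddress '2001:db8:1::1'

# --- On a DirectAccess client after a policy refresh: inspect the resulting NRPT ---
gpupdate /target:computer /force
$nrpt = Get-DnsClientNrptPolicy
$nrpt | Format-Table Namespace, DirectAccessDnsServers, DirectAccessEnabled -AutoSize

function Get-NrptMatch {
    # Reproduces the NRPT selection rule: a namespace with a leading dot matches any name
    # under that suffix, one without matches exactly, and the longest match wins.
    param([string]$Name, $Rules)
    $Rules | Where-Object {
        if ($_.Namespace.StartsWith('.')) { $Name.EndsWith($_.Namespace, 'OrdinalIgnoreCase') }
        else { $Name -ieq $_.Namespace }
    } | Sort-Object { $_.Namespace.Length } -Descending | Select-Object -First 1
}

# The exempted name matches its own rule (no DirectAccess DNS servers), not the broader
# '.corp.example.com' rule; an ordinary internal host still matches the suffix rule.
Get-NrptMatch -Name 'www.corp.example.com'        -Rules $nrpt
Get-NrptMatch -Name 'fileserver.corp.example.com' -Rules $nrpt
```

The exemption is also a security decision: any name you exempt is resolved by an untrusted resolver and reached outside the IPsec tunnel, so exempt only names that really are meant to be public.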

Configuring Force Tunneling

The default DirectAccess client configuration is split tunneling
Split tunneling is a remote access method in which only requests for resources on the network are sent over the DirectAccess tunnel
If you configure force tunneling, all traffic from the client goes over the DirectAccess tunnel
You configure force tunneling by using group policies with the same procedure for configuring NRPT exemptions, but enable the Route all traffic through the internal network policy
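As an added example (not the textbook's Group Policy procedure), the same switch from split to force tunneling made with the RemoteAccess module, which writes the "Route all traffic through the internal network" setting into the DirectAccess client GPO, followed by a client-side check. The on-premises web proxy name proxy.corp.example.com:8080 is an assumption.

```powershell
# Added example (not from the textbook). Assumption (hypothetical): an internal web proxy
# at proxy.corp.example.com:8080 through which force-tunneled clients reach the Internet.

Import-Module RemoteAccess

# Before: ForceTunnel is Disabled, i.e. split tunneling. Only names under the internal
# suffixes in the NRPT go through the tunnel; everything else leaves via the local link.
Get-DAClient | Format-List ForceTunnel, OnlyRemoteComputers

# Enable force tunneling. From now on every packet from the client, Internet browsing
# included, traverses the DirectAccess tunnel and exits through the corporate edge, where
# the same proxy, filtering and logging apply as for desktops on the LAN.
Set-DAClient -ForceTunnel Enabled -PassThru

# DirectAccess carries IPv6 only, so IPv4 Internet sites are reachable solely through an
# internal proxy. Publish it on the catch-all NRPT rule '.' so the client uses it for
# every name that is not an internal suffix.
Set-DAClientDnsConfiguration -DnsSuffix '.' -ProxyServer 'proxy.corp.example.com:8080'

# --- On a client after a policy refresh: the '.' rule carrying the proxy is the visible
#     evidence that force tunneling is in effect ---
gpupdate /target:computer /force
Get-DnsClientNrptPolicy | Where-Object Namespace -eq '.' |
    Format-List Namespace, DirectAccessProxyType, DirectAccessProxyName

# Operational caveat: with force tunneling an outage of the DA server or of the proxy also
# removes the client's Internet access, so monitor both before rolling this out broadly.
```

Split tunneling trades inspection for resilience: the client keeps working when the tunnel is down, but its Internet traffic bypasses corporate controls. Force tunneling reverses that trade, which is why it is usually paired with the proxy and monitoring shown above.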

Configuring Force Tunneling

Figure 5-37 Configuring force tunneling

Configuring ISATAP

ISATAP allows computers on the network to access DirectAccess clients that are connected via the Internet
Two ways to enable it on the network:
Enable ISATAP for all computers on the network
Enable ISATAP for only certain computers
ISATAP is a good solution on networks that don't support IPv6 by default
If you need to initiate communication with DirectAccess clients
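Both ways of enabling ISATAP, as an added example rather than the textbook's procedure. The internal DNS server DC1, the zone corp.example.com, the DirectAccess server's internal IPv4 address 10.0.0.10 and the client name laptop01 are assumptions.

```powershell
# Added example (not from the textbook). Assumptions (hypothetical): internal DNS server DC1,
# zone corp.example.com, DirectAccess server internal IPv4 address 10.0.0.10 (it acts as the
# ISATAP router), and a connected DirectAccess client named laptop01.

# --- Option 1: enable ISATAP for all computers on the network --------------------------
# Windows DNS refuses to answer for the names "isatap" and "wpad" by default (the global query
# block list). Keep only wpad blocked, then publish the ISATAP router name; every IPv6-capable
# Windows host that resolves isatap.corp.example.com configures an ISATAP interface on its own.
Get-DnsServerGlobalQueryBlockList -ComputerName DC1
Set-DnsServerGlobalQueryBlockList -List 'wpad' -ComputerName DC1
Add-DnsServerResourceRecordA -ZoneName 'corp.example.com' -Name 'isatap' `
    -IPv4Address '10.0.0.10' -ComputerName DC1
# Caveat: this gives every host on the LAN an IPv6 path via the DA server and changes which
# address family they prefer; Microsoft's guidance is to limit ISATAP to the hosts that need it.

# --- Option 2: enable ISATAP only on the computers that must reach DA clients -------------
# Leave the block list alone and point just the management hosts (helpdesk, patching,
# monitoring) at the router explicitly; the rest of the LAN keeps its IPv4-only behaviour.
# The same setting can be pushed by GPO to a security group under Computer Configuration >
# Administrative Templates > Network > TCP/IP Settings > IPv6 Transition Technologies.
Set-NetIsatapConfiguration -State Enabled -Router '10.0.0.10'

# --- Check: the host now holds an ISATAP address (the ::5efe:w.x.y.z form embeds its IPv4) ---
Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -like '*ISATAP*' -or $_.IPAddress -like '*:5efe:*' } |
    Format-Table InterfaceAlias, IPAddress -AutoSize

# --- Check: manage-out works, i.e. this host can open a connection to a DA client ---
Test-NetConnection -ComputerName 'laptop01.corp.example.com' -Port 3389
```

Manage-out is the whole point of ISATAP here: without it, traffic can only originate from the DirectAccess client, and tools such as remote assistance or agent push from inside the network never reach the laptop.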

Summary

Remote Access is a server role that provides services to keep a mobile workforce and branch offices securely connected to the main office
When you install the Remote Access server role, you can install three role services: DirectAccess and VPN, Routing, and Web Application Proxy
A VPN is a network connection that uses the Internet to give users or branch offices secure access to a company's network resources on a private network
Windows Server 2012/R2 supports three tunnel types: PPTP, L2TP/IPsec, and SSTP

Summary

Remote dial-in uses the telephone system to connect a computer with a remote network
The default settings for VPN and dial-up may be sufficient, but you might need to support different OSs and different VPN clients over different tunneling methods, which require different security settings
Using RRAS, a Windows server can be configured as a router to connect multiple subnets in the network or connect the network to the Internet
Network Address Translation (NAT) is a process whereby a router replaces the source or destination IP addresses before forwarding a packet

Summary

Web Application Proxy is a new Routing and Remote Access role service that allows users to access applications from any device that supports a Web browser from outside the network
The DirectAccess role service provides many of the same features as a VPN but adds client management and always-connected capability
A basic DirectAccess deployment requires only a domain controller, a member server to install the DirectAccess role service, and a client computer