Module 6 Troubleshooting Remote Connectivity Issues
Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Dec 26, 2015

Page 1: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Module 6

Troubleshooting Remote Connectivity Issues

Page 2: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Module Overview

• Troubleshooting VPN Connectivity Issues

• Using Remote Desktop

• Troubleshooting User Issues by Using Remote Assistance

• Troubleshooting NAP Issues

• Troubleshooting DirectAccess Issues

Page 3: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Lesson 1: Troubleshooting VPN Connectivity Issues

• What Is a Virtual Private Network?

• VPN Tunneling Protocols

• VPN Authentication Methods

• Demonstration: How to Create a VPN Connection

• What Are Network Policies?

• Troubleshooting VPNs

• What Is VPN Reconnect?

Page 4: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

What Is a Virtual Private Network?

[Diagram: Corporate Headquarters connected over a VPN to a Large Branch Office, Medium Branch Office, Small Branch Office, Home Office with VPN Client, and Remote User with VPN Client; four VPN Server labels appear on the diagram.]

Page 5: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

VPN Tunneling Protocols

Windows 7 supports four VPN tunneling protocols:

• PPTP

• L2TP/IPsec

• SSTP

• IKEv2

Page 6: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

VPN Authentication Methods

Each protocol is listed with its description and security level.

PAP

• Description: Uses plaintext passwords. Used if the remote access client and remote access server cannot negotiate a more secure form of validation.

• Security level: Least secure authentication protocol. Does not protect against replay attacks, remote client impersonation, or remote server impersonation.

CHAP

• Description: A challenge-response authentication protocol. Uses the industry-standard MD5 hashing scheme to encrypt the response.

• Security level: An improvement over PAP because the password is not sent over the PPP link. Requires a plaintext version of the password to validate the challenge response. Does not protect against remote server impersonation.

MS-CHAPv2

• Description: An upgrade of MS-CHAP. Two-way (mutual) authentication is provided. The remote access client receives verification that the remote access server has access to the user’s password.

• Security level: Provides stronger security than CHAP.

EAP

• Description: Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types.

• Security level: Offers the strongest security by providing the most flexibility in authentication variations.
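The CHAP properties listed above can be seen in a short simulation. This is an added example, not part of the course material: it follows the RFC 1994 response calculation (MD5 over identifier, secret, challenge), and the class name, user name and secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over the identifier octet, the shared secret, the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of CHAP; it has to hold each secret in recoverable form."""

    def __init__(self, secrets: dict):
        self._secrets = secrets
        self._pending = {}   # user -> (identifier, challenge), single use
        self._next_id = 0

    def issue_challenge(self, user: str):
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)          # fresh and unpredictable each time
        self._pending[user] = (self._next_id, challenge)
        return self._next_id, challenge

    def verify(self, user: str, response: bytes) -> bool:
        pending = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if pending is None or secret is None:
            return False
        expected = chap_response(pending[0], secret, pending[1])
        return hmac.compare_digest(expected, response)


def demo():
    password = b"constructed-sample-secret"   # constructed sample value
    server = ChapAuthenticator({"alice": password})

    # Normal exchange: only the digest crosses the link, never the password.
    ident, challenge = server.issue_challenge("alice")
    captured = chap_response(ident, password, challenge)
    first_login = server.verify("alice", captured)

    # The same captured response is useless against a new challenge.
    server.issue_challenge("alice")
    replayed = server.verify("alice", captured)

    # A server that stores only a password hash cannot validate CHAP.
    hashed_store = ChapAuthenticator({"alice": hashlib.sha256(password).digest()})
    ident2, challenge2 = hashed_store.issue_challenge("alice")
    hashed_ok = hashed_store.verify("alice", chap_response(ident2, password, challenge2))

    return first_login, replayed, hashed_ok
```

The third result is the operational cost named in the table: supporting CHAP forces the server to keep passwords in a reversible form, which is one reason to prefer MS-CHAPv2 or an EAP type where available.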

Page 7: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Demonstration: How to Create a VPN Connection

In this demonstration, you will see how to:

• Configure user dial-in settings

• Configure Routing and Remote Access as a VPN server

• Configure a VPN client

Page 8: Troubleshooting and Supporting Windows® 7 in the Enterprise_06


What Are Network Policies?

[Flowchart: network policy processing, from START to either "Accept connection attempt" or "Reject connection attempt". Each decision point has a Yes and a No branch, and one No branch is labeled "Go to next policy". The decision points are:

• Are there policies to process?

• Does connection attempt match policy conditions?

• Is the remote access permission for the user account set to Deny Access?

• Is the remote access permission for the user account set to Allow Access?

• Is the remote access permission on the policy set to Deny remote access permission?

• Does the connection attempt match the user object and profile settings?]

A network policy consists of the following elements:

• Conditions

• Constraints

• Settings

Network policies enable you to designate who is authorized to connect to the network, and the circumstances under which they can or cannot connect.
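The decision questions on this slide can be expressed as a small evaluator, which helps when working out why a connection attempt was rejected. This is an added example, not part of the course material: the branch order is an assumption based on the standard network policy processing sequence (the slide's arrows did not survive), and the policy names, groups and attributes are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Attempt:
    group: str            # hypothetical attribute used by policy conditions
    auth_method: str      # e.g. "PAP", "MS-CHAPv2", "EAP"
    user_permission: str  # account dial-in setting: "allow", "deny" or "policy"


@dataclass
class Policy:
    name: str
    matches: Callable[[Attempt], bool]     # conditions
    grants_access: bool                    # policy-level access permission
    profile_ok: Callable[[Attempt], bool]  # user object and profile settings


def evaluate(policies: list, attempt: Attempt) -> tuple:
    """Return (decision, name of the policy that decided, or None)."""
    for policy in policies:                       # are there policies to process?
        if not policy.matches(attempt):
            continue                              # no match: go to next policy
        if attempt.user_permission == "deny":
            return ("reject", policy.name)
        if attempt.user_permission != "allow" and not policy.grants_access:
            return ("reject", policy.name)
        # The first matching policy is final; later policies are never consulted.
        verdict = "accept" if policy.profile_ok(attempt) else "reject"
        return (verdict, policy.name)
    return ("reject", None)                       # no policy matched


# Constructed policy set, in processing order.
POLICIES = [
    Policy("Block-Contractors", lambda a: a.group == "contractors",
           False, lambda a: True),
    Policy("Staff-VPN", lambda a: a.group in ("staff", "contractors"),
           True, lambda a: a.auth_method in ("MS-CHAPv2", "EAP")),
]


def run_cases() -> dict:
    cases = {
        "staff, EAP": Attempt("staff", "EAP", "policy"),
        "staff, PAP": Attempt("staff", "PAP", "policy"),
        "contractor": Attempt("contractors", "EAP", "policy"),
        "contractor, account Allow": Attempt("contractors", "EAP", "allow"),
        "staff, account Deny": Attempt("staff", "EAP", "deny"),
        "unknown group": Attempt("guests", "EAP", "policy"),
    }
    return {label: evaluate(POLICIES, a) for label, a in cases.items()}
```

Two results are worth checking during a review: an account set to Allow Access is accepted even though the matching policy denies access, and an attempt that matches no policy is rejected.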

Page 9: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Troubleshooting VPNs

[Diagram: Remote User with VPN Client connected over a VPN to the VPN Server at Corporate Headquarters.]

Page 10: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

What Is VPN Reconnect?

The VPN Reconnect feature maintains connectivity across network outages. It requires Windows Server 2008 R2 or Windows 7.

VPN Reconnect:

• Provides seamless and consistent VPN connectivity

• Uses the Internet Key Exchange version 2 (IKEv2) technology

• Automatically reestablishes VPN connections when connectivity is available

• Maintains the connection if users move between different networks

• Makes the connection status transparent to users

Page 11: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Lesson 2: Using Remote Desktop

• Overview of Windows Remote Desktop

• Practice: Enabling Remote Desktop

• Configuring Remote Desktop by Using GPOs

• Troubleshooting Remote Desktop

Page 12: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Overview of Windows Remote Desktop

Remote Desktop

• A Windows 7 feature that enables users to connect to their desktop computer from another device

• Enables administrators to connect to multiple remote servers for administrative purposes

Page 13: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Practice: Enabling Remote Desktop

In this practice, you will:

• Configure the Windows Firewall

• Enable Remote Desktop

• Use Remote Desktop

15 min

Page 14: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Configuring Remote Desktop by Using GPOs

Page 15: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Troubleshooting Remote Desktop

Cannot Connect to Remote Computer

• Check the Windows 7 edition

• Check Windows Firewall status

• Check that remote desktop is enabled on the target

• Ensure the remote computer is not in sleep mode or hibernation

• Check remote desktop permissions

Remote Computer Cannot be Found

• Try using the IP address

• Check DNS records

Cannot Copy Text from Remote Computer

• Ensure the clipboard is selected as a local resource

Page 16: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Lesson 3: Troubleshooting User Issues by Using Remote Assistance

• Using Remote Assistance to Assist Your Users

• Remote Assistance in Windows 7

• Demonstration: How to Use Remote Assistance (Optional)

• Configuring Remote Assistance by Using GPOs

Page 17: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Using Remote Assistance to Assist Your Users

• See remote desktop

• Chat session

• Take remote control

Page 18: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Remote Assistance in Windows 7

Remote Assistance

• A Windows 7 feature that enables support staff to connect to a remote desktop computer

• Optionally allows for remote control of that computer

• Assistance can be sought or offered

Page 19: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Demonstration: How to Use Remote Assistance (Optional)

In this demonstration, you will see how to:

• Create a Word document

• Request Remote Assistance

• Provide Remote Assistance

Page 20: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Configuring Remote Assistance by Using GPOs

Page 21: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Lesson 4: Troubleshooting NAP Issues

• What Is NAP?

• Components of NAP

• Discussion: How Would You Use NAP?

• Configuring Client-Side NAP Settings

• Best Practices for Troubleshooting NAP

Page 22: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

What Is NAP?

Network Access Protection can:

• Enforce health-requirement policies on client computers

• Ensure client computers are compliant with policies

• Offer remediation support for computers that do not meet health requirements

Network Access Protection cannot:

• Enforce health requirement policies on client computers

• Ensure client computers are compliant with policies

Page 23: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Components of NAP

[Diagram: NAP components. Labels: Internet, Perimeter Network, Intranet, Restricted Network, VPN Server, IEEE 802.1X Devices, DHCP Server, Health Registration Authority, NAP Health Policy Server, Active Directory, Remediation Servers, NAP Client with limited access.]

Page 24: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Can you envision using NAP?

What NAP enforcement method would be suitable?

Discussion: How Would You Use NAP?

5 min

Page 25: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Configuring Client-Side NAP Settings

• Some NAP deployments that use Windows Security Health Validator require that you enable Security Center

• The Network Access Protection service is required when you deploy NAP to NAP-capable client computers

• You also must configure the NAP enforcement clients on the NAP-capable computers

Page 26: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Best Practices for Troubleshooting NAP

• You can use tracing logs to:

  • Evaluate the health and security of your network

  • Troubleshoot and perform maintenance on your network

• You can use the netsh NAP command to help troubleshoot NAP

• Use the Event Viewer to identify NAP-related problems

Page 27: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Lesson 5: Troubleshooting DirectAccess Issues

• What Is DirectAccess?

• How Does DirectAccess Work?

• Configuring DirectAccess

• Troubleshooting DirectAccess Client Issues

Page 28: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

What Is DirectAccess?

Features of DirectAccess:

• Connects automatically to corporate network over public network

• Uses various protocols, including HTTPS, to establish IPv6 connectivity

• Supports selected server access and IPsec authentication

• Supports end-to-end authentication and encryption

• Supports management of remote client computers

• Allows remote users to connect directly to intranet servers

Benefits of DirectAccess:

• Always-on connectivity

• Seamless connectivity

• Bidirectional access

• Improved security

• Integrated solution

[Diagram label: DirectAccess server]

Page 29: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

How Does DirectAccess Work?

The DirectAccess client running Windows 7 detects whether it is connected to a network

The client attempts to connect to an intranet website that is specified during the DirectAccess configuration

The client connects to the DirectAccess server using IPv6 and IPsec

The DirectAccess client and server authenticate each other by using computer certificates to establish the IPsec session

The DirectAccess server verifies that the computer and user are authorized to connect by using DirectAccess

The client obtains a health certificate from an HRA located on the Internet prior to connecting to the DirectAccess server

The DirectAccess server begins forwarding traffic from the DirectAccess client to the intranet resources to which the user has been granted access

Page 30: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Configuring DirectAccess

Steps to Configure DirectAccess:

• Join the DirectAccess server to an Active Directory domain

• Configure the DirectAccess server on the perimeter network

• Enable ports and protocols needed for DirectAccess in the firewall exceptions

• Create a security group in Active Directory

• Install a web server on the DirectAccess server

• Designate one of the server network adapters as the Internet-facing interface

• Add and configure the Certificate Authority server role

Page 31: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Troubleshooting DirectAccess Client Issues

Steps to Troubleshoot DirectAccess Client Issues:

• Verify the version of Windows 7 on the client

• Verify that the client is joined to the domain and is a member of the security group

• Verify GPO application

• Verify IPv6 connectivity

• Verify correct identification of the internal and external network

• Verify the domain profile is not used on Internet

• Verify the DNS resolution for the internal network

• Verify IPsec connectivity

Page 32: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Lab: Resolving Remote Connectivity Issues

• Exercise: Resolving a Remote Connectivity Problem

Estimated time: 30 minutes

Logon information

• Virtual machines: 6293A-NYC-DC1, 6293A-NYC-SVR2, 6293A-NYC-CL1

• User name: Contoso\Administrator, NYC-CL1\WSAdmin

• Password: Pa$$w0rd

Page 33: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Lab Scenario

A user reported a recent problem connecting to the corporate intranet from his home. He cannot connect to the intranet, and receives the error documented in the help desk ticket. The help desk checked the basic network settings, but is unsure how to proceed.

Page 34: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Lab Review

• In the lab, your user complained of being unable to log on. What solutions did you attempt?

• What solution was successful?

Page 35: Troubleshooting and Supporting Windows® 7 in the Enterprise_06

Module Review and Takeaways

• Review Questions

• Tools