Ch10 by shuifanglj


Microsoft Windows Server 2008 Server
Chapter 10 Configuring Remote Access
Learning Objectives

 Understand Windows Server 2008 remote access services
 Implement and manage a virtual private
 Configure a VPN server
 Configure a dial-up remote access server
 Troubleshoot virtual private network and dial-up remote access installations
Introduction to Remote Access
 Routing and Remote Access Services
   Enable routing and remote access through virtual private networking and dial-up
 Virtual private network (VPN)
   Tunnel through a larger network that is restricted to designated member clients only
 Dial-up networking
   Using a telecommunications line and a modem to dial into a network or specific computers on a network
Introduction to Remote Access (cont’d.)
 Modem
   Modulator/demodulator
   Converts a transmitted digital signal to an analog signal for a telephone line
   Converts a received analog signal to a digital signal for use by a computer
 RRAS
   Turns a server into a dial-up Remote Access Services (RAS) server capable of handling hundreds of simultaneous connections
Figure 10-1 A VPN network

Implementing a Virtual Private Network
 VPN
   Uses LAN and tunneling protocols
   Encapsulates data as it is sent across a public
 Benefits of using a VPN
   Users can connect through a local ISP to the local network
   Ensures that any data sent across a public network is secure
   Encrypted tunnel
Using Remote Access Protocols
 Function of the remote access protocol
   Encapsulate a packet
   TCP/IP is the most commonly used transport
     Encapsulated in a remote access protocol for transport over a WAN
 Other legacy transport protocols
   IPX for legacy NetWare networks
   NetBEUI for legacy Microsoft networks
   Not supported by Windows Server 2008
Using Remote Access Protocols
 Serial Line Internet Protocol (SLIP)
   Originally designed for UNIX environments
   Provides point-to-point communications using
 Compressed Serial Line Internet Protocol (CSLIP)
   Newer version of SLIP
   Compresses header information in each
Using Remote Access Protocols
 SLIP and CSLIP do not support
   Network connection authentication
   Automatic negotiation of the network connection through multiple network connection layers at the same time
 Point-to-Point Protocol (PPP)
   Has more capability than SLIP

Using Remote Access Protocols
 Remote access protocols
   Point-to-Point Tunneling Protocol
   Layer Two Tunneling Protocol
   Secure Socket Tunneling Protocol

 Point-to-Point Tunneling Protocol
   Offers PPP-based authentication techniques
   Encrypts data carried by PPTP through using Microsoft Point-to-Point Encryption
Using Remote Access Protocols
 Microsoft Point-to-Point Encryption
   Starting-to-ending-point encryption technique that uses special encryption keys varying in length from 40 to 128 bits
 Layer Two Tunneling Protocol (L2TP)
   Works similarly to PPTP

Using Remote Access Protocols
 IP Security (IPsec)
   IP-based secure communications and encryption standards created through the Internet Engineering Task Force (IETF)
 Secure Socket Tunneling Protocol
   Employs PPP authentication techniques
   Encapsulates data packet in the Hypertext Transfer Protocol (HTTP)
Using Remote Access Protocols
 Secure Sockets Layer (SSL)
   Data encryption technique employed between a server and a client
 PPP, PPTP, and L2TP are available in:
   Windows 2000, Windows XP, Windows Vista, Windows 7
   Windows 2000 Server, Windows Server 2003, Windows Server 2008
 SSTP is available in:
   Windows Server 2008, Windows Vista, Windows 7
Using Remote Access Protocols

Table 10-1 Communications technologies
Configuring a VPN Server
 Install Network Policy and Access Services role
 Configure a Microsoft Windows Server 2008 server as a network’s VPN server
   Configure protocols to provide VPN access to
 Configure a VPN server as a DHCP Relay Agent for TCP/IP communications
 Configure the VPN server properties
 Configure a remote access policy for security
Configuring a VPN Server (cont’d.)

 Windows Server 2008 requires at least two network interfaces in the computer:
   One for the connection to the LAN
   One for a connection to the physical VPN

Configuring a VPN Server (cont’d.)

       Table 10-2 Routing and remote access options

Configuring a VPN Server (cont’d.)

    Table 10-3 Ports to open in the Windows Firewall for a VPN
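Table 10-3 itself did not survive extraction, so the following is an added example (not from the chapter or from Microsoft) that opens the inbound Windows Firewall ports the chapter's three VPN protocols need, using netsh because Windows Server 2008 has no firewall cmdlets. The port and IP protocol numbers are the standard ones for PPTP, L2TP/IPsec and SSTP; the rule names and the Add-VpnFirewallRules function are this example's own.

```powershell
# Added example, not from the chapter: inbound Windows Firewall rules for the VPN protocols
# Windows Server 2008 RRAS can offer. Windows PowerShell 2.0; run in an elevated prompt on the server.
$vpnRules = @(
    @{ Family = 'PPTP'; Name = 'RRAS PPTP control';     Args = @('protocol=TCP', 'localport=1723') },
    @{ Family = 'PPTP'; Name = 'RRAS PPTP GRE';         Args = @('protocol=47') },          # GRE carries the PPP frames
    @{ Family = 'L2TP'; Name = 'RRAS L2TP IKE';         Args = @('protocol=UDP', 'localport=500') },
    @{ Family = 'L2TP'; Name = 'RRAS L2TP IPsec NAT-T'; Args = @('protocol=UDP', 'localport=4500') },
    @{ Family = 'L2TP'; Name = 'RRAS L2TP ESP';         Args = @('protocol=50') },          # ESP; L2TP (UDP 1701) rides inside it
    @{ Family = 'SSTP'; Name = 'RRAS SSTP HTTPS';       Args = @('protocol=TCP', 'localport=443') }
)

# Open only what RRAS will actually offer: pass the protocol families you enabled on the server.
function Add-VpnFirewallRules {
    param([string[]]$Protocols = @('PPTP', 'L2TP', 'SSTP'), [switch]$DryRun)
    foreach ($r in $vpnRules) {
        if ($Protocols -notcontains $r.Family) { continue }
        # PowerShell passes each array element to netsh as a separate argument.
        $args = @("name=$($r.Name)", 'dir=in', 'action=allow', 'profile=any') + $r.Args
        if ($DryRun) { Write-Host "netsh advfirewall firewall add rule $args" }
        else { & netsh advfirewall firewall add rule $args }
    }
}

# Dry run that exposes only the two newer protocols the chapter describes (L2TP/IPsec and SSTP),
# leaving PPTP closed unless it is deliberately enabled in RRAS.
Add-VpnFirewallRules -Protocols 'L2TP', 'SSTP' -DryRun
```

Remove -DryRun to apply the rules; re-running adds duplicate rules, so delete with netsh advfirewall firewall delete rule name="..." before repeating.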

Configuring a DHCP Relay Agent

 DHCP Relay Agent
   Broadcasts IP configuration information
   Use Routing and Remote Access tool to configure VPN server as a DHCP Relay Agent

Configuring VPN Properties
 Routing and Remote Access tool
   Right-click the VPN server in the tree
   Click Properties

Figure 10-9 Configuring the interface

Configuring VPN Properties (cont’d.)

 Figure 10-10 VPN server

Configuring VPN Properties (cont’d.)

        Table 10-4 VPN server properties tabs

Configuring Multilink and Bandwidth Allocation Protocol
 Multilink
   Combine or aggregate two or more communications channels so they appear as one large channel
   Aggregated links
     Multilink must be implemented in the client as well as in the server
   Older connection technology compared with DSL or wireless metropolitan area networks
Configuring Multilink and Bandwidth Allocation Protocol (cont’d.)
 Bandwidth Allocation Protocol (BAP)
   Ensure that a client’s connection has enough speed or bandwidth for a particular application
 Windows Server 2008 version of Multilink
   Supports Bandwidth Allocation Control Protocol (BACP)
   Selects a preferred client when two or more clients vie for the same bandwidth
Configuring VPN Security
 When a user accesses a VPN server:
   Access is protected by the account access security that already applies
     Through a group policy or the default domain security policy
 Elements of a Remote Access Policy
   Access permission
   Conditions
   Constraints
   Settings
Configuring VPN Security (cont’d.)

 Establishing a Remote Access Policy
   Use Routing and Remote Access tool
     Accessed via Administrative Tools or as an MMC

Configuring VPN Security (cont’d.)

          Table 10-5 Authentication types

Figure 10-15 Encryption options

Configuring VPN Security (cont’d.)

         Table 10-6 RAS encryption options

Configuring a Dial-Up Remote Access Server
 Dial-up remote access server compatible with:
   Asynchronous modems
   Synchronous modems
   Null modem communications
   Regular dial-up telephone lines
   Leased telecommunication lines
   ISDN lines (and digital “modems”)
   X.25 lines
   DSL lines
Configuring a Dial-Up Remote Access Server (cont’d.)
 Dial-up remote access server compatible with: (cont’d)
   Cable modem lines
   Frame relay line

 Install RAS using Routing and Remote Access tool
   Steps very similar to installing a VPN server

Configuring Dial-Up Security
 Callback security
   Server calls back the remote computer
   Verify telephone number in order to discourage a hacker
 Options available in Windows Server
   No Callback
   Set by Caller (Routing and Remote Access Service only)
   Always Callback to
Configuring Dial-Up Security (cont’d.)

 Control network access permission
   Allow access
   Deny access
   Control access through NPS Network Policy
     Default selection

Configuring Clients to Connect to RAS Through Dial-Up Access
 Common dial-up RAS clients
   Windows 98, 2000, XP, Vista, and 7
 Access a dial-up RAS server from other operating systems
   Configure a dial-up connection on those

Configuring Clients to Connect to RAS Through Dial-Up Access (cont’d.)

Figure 10-17 Configuring a dial-up connection
Troubleshooting VPN and Dial-Up RAS
 Troubleshooting VPN or dial-up RAS server communications problem
   Hardware and software troubleshooting tips

Hardware Solutions

 Use Device Manager to check network adapters, WAN adapters, and modems
 Make sure telephone line plugged in
 For external modems:
   Make sure the modem cable is properly attached, that you are using proper cable type
 For internal modems or adapter cards:
   Check connection inside computer
Hardware Solutions (cont’d.)

 For a modem connection:
   Test the telephone wall connection and cable
 For an external DSL adapter or a combined DSL adapter and router:
   Ensure device is properly configured and
 Call your ISP to determine if problems are present on the ISP’s WAN
Software Solutions
 Use the Computer Management tool or Server Manager to verify status of:
   Routing and Remote Access
   Remote Access Auto Connection Manager
   Remote Access Connection Manager
 Ensure Windows Firewall is set up to allow remote access

Software Solutions (cont’d.)
 Make sure VPN or dial-up RAS server is
 Check the remote access policy to be sure that access permission is granted
 Verify VPN or dial-up RAS server is
 Check the network interface

Software Solutions (cont’d.)

 Ensure IP parameters are correctly configured to provide an address pool for either a VPN or dial-up RAS server
 If using a RADIUS server:
   Ensure it is connected and working properly and that Internet Authentication Service (IAS) is installed
 Ensure the remote access policy is consistent with the users’ access needs
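The Software Solutions checks above can be scripted. This is an added example, not from the chapter or from Microsoft: it verifies the three services, the VPN listening ports and the matching Windows Firewall rules on the RRAS server itself. It assumes Windows PowerShell 2.0 and English-language netsh/netstat output; the service short names (RemoteAccess, RasMan, RasAuto) are the real Windows service names for the display names the chapter lists.

```powershell
# Added example, not from the chapter: health check for a Windows Server 2008 VPN/dial-up RAS server.
# Run in an elevated prompt on the server.

# 1. Service status (display names as the chapter lists them, keyed by real service name).
$services = @{
    'RemoteAccess' = 'Routing and Remote Access'
    'RasMan'       = 'Remote Access Connection Manager'
    'RasAuto'      = 'Remote Access Auto Connection Manager'
}
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { Write-Warning "$($services[$name]) ($name) is not installed"; continue }
    if ($svc.Status -ne 'Running') { Write-Warning "$($services[$name]) ($name) is $($svc.Status)" }
    else { Write-Host "OK  $($services[$name]) is running" }
}

# 2. VPN listeners: PPTP TCP 1723, SSTP TCP 443, IKE/NAT-T UDP 500 and 4500 for L2TP/IPsec.
$expected = @(
    @{ Proto = 'TCP'; Port = 1723; Use = 'PPTP control channel' },
    @{ Proto = 'TCP'; Port = 443;  Use = 'SSTP (HTTPS)' },
    @{ Proto = 'UDP'; Port = 500;  Use = 'IKE for L2TP/IPsec' },
    @{ Proto = 'UDP'; Port = 4500; Use = 'IPsec NAT-T for L2TP/IPsec' }
)
$netstat = netstat -an | ForEach-Object { $_.Trim() }
foreach ($e in $expected) {
    $pattern = "^$($e.Proto)\s+\S+:$($e.Port)\s"
    if ($e.Proto -eq 'TCP') { $pattern += '.*LISTENING' }   # UDP lines carry no state column
    if ($netstat -match $pattern) { Write-Host "OK  $($e.Proto)/$($e.Port) open ($($e.Use))" }
    else { Write-Warning "$($e.Proto)/$($e.Port) not listening ($($e.Use)); check the RRAS Ports node" }
}

# 3. Windows Firewall: an inbound rule should exist for each port; netsh prints "LocalPort:  1723".
$rules = netsh advfirewall firewall show rule name=all dir=in | Out-String
foreach ($e in $expected) {
    if ($rules -notmatch "LocalPort:\s+$($e.Port)\b") {
        Write-Warning "No inbound Windows Firewall rule found for $($e.Proto) port $($e.Port)"
    }
}
```

A port that the firewall allows but nothing listens on points at the RRAS Ports configuration; a listener with no rule points at the firewall.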
Connecting Through Terminal Services
 Terminal server
   Enables clients to run services and software applications on Windows Server 2008 instead of at the client
   Enables thin clients to perform most CPU-intensive operations on the server
 Centralize control of how programs are
 Install different role services for specific
   TS Web Access/TS Gateway
Connecting Through Terminal Services

       Table 10-7 Terminal Services components

Connecting Through Terminal Services

    Table 10-8 Role services available through Terminal Services

Connecting Through Terminal Services
 RemoteApp
   New feature
   Enables a client to run an application without loading a remote desktop on the client
 TS Gateway
   Provides a secure way to use Terminal Services over the Internet

Installing Terminal Services
 Install TS Licensing role service
   Manage terminal server user licenses obtained from Microsoft
   Licenses can be purchased either per user account or by client device
 Network Level Authentication (NLA)
   Enables authentication to take place before the Terminal Services connection is
   Thwarts would-be attackers

   Create groups of user accounts
Configuring Terminal Services (cont’d.)

        Table 10-11 Terminal Services permissions

Managing Terminal Services
 Terminal Services Manager
   Monitor the number of users connected to the terminal server
   Add additional terminal servers to monitor
   Determine if a user session is active
   Determine which programs are running in a user’s session
   Disconnect a user’s session or log off a user
   Reset a connection that is having trouble
   Send a message to a user
Configuring Licensing

 Activate Terminal Services licensing
 Configure licensing using TS Licensing

Accessing a Terminal Server from a
 Remote Desktop Connection (RDC)
   Client already installed in Windows 7, Windows Vista, Windows Server 2008, and Windows XP

Installing Applications on a Terminal Server
 Might need to reinstall some applications that were installed before Terminal Services role
 Use Control Panel to uninstall them
 Reinstall applications
   In Control Panel Home view, click Programs
   Click Install Application on Terminal Server


Summary
 Routing and Remote Access Services
   Virtual private network (VPN) and dial-up
 Remote access protocols include:
   SLIP, CSLIP, PPP, PPTP, L2TP, and SSTP
 Use Server Manager to install the Network Policy and Access Services role

Summary (cont’d.)
 VPN has many properties that can be
   Configure a remote access policy to govern how a VPN server is accessed
 When you configure dial-up remote access
   Also configure a DHCP Relay Agent, Multilink (if used), and a remote access policy for
 Use Server Manager to install the Terminal Services role
   Configure Terminal Services licensing
