Ch10 by shuifanglj

Microsoft Windows Server 2008 Server Administration
Chapter 10: Configuring Remote Access

Learning Objectives

• Understand Windows Server 2008 remote access services
• Implement and manage a virtual private network
• Configure a VPN server
• Configure a dial-up remote access server
• Troubleshoot virtual private network and dial-up remote access installations

Introduction to Remote Access

• Routing and Remote Access Services (RRAS)
  – Enable routing and remote access through virtual private networking and dial-up networking
• Virtual private network (VPN)
  – A tunnel through a larger (usually public) network that is restricted to designated member clients only
• Dial-up networking
  – Using a telecommunications line and a modem to dial into a network or into specific computers on a network

Introduction to Remote Access (cont’d.)

• Modem
  – Modulator/demodulator
  – Converts a transmitted digital signal to an analog signal for a telephone line
  – Converts a received analog signal to a digital signal for use by a computer
• RRAS
  – Turns the server into a dial-up Remote Access Services (RAS) server capable of handling hundreds of simultaneous connections

Figure 10-1 A VPN network

Implementing a Virtual Private Network

• VPN
  – Uses LAN and tunneling protocols
  – Encapsulates data as it is sent across a public network
• Benefits of using a VPN
  – Users can connect through a local ISP to the organization’s network
  – Data sent across the public network travels inside an authenticated, encrypted tunnel, so an observer on the path sees only the tunnel, not the traffic inside it

Using Remote Access Protocols

• Function of the remote access protocol
  – Encapsulate a packet
  – TCP/IP is the most commonly used transport protocol
    · Encapsulated in a remote access protocol for transport over a WAN
• Other legacy transport protocols
  – IPX for legacy NetWare networks
  – NetBEUI for legacy Microsoft networks
  – Not supported by Windows Server 2008

Using Remote Access Protocols (cont’d.)

• Serial Line Internet Protocol (SLIP)
  – Originally designed for UNIX environments
  – Provides point-to-point communications using TCP/IP
• Compressed Serial Line Internet Protocol (CSLIP)
  – Newer version of SLIP
  – Compresses header information in each packet

Using Remote Access Protocols (cont’d.)

• SLIP and CSLIP do not support
  – Network connection authentication
  – Automatic negotiation of the network connection through multiple network connection layers at the same time
• Point-to-Point Protocol (PPP)
  – Has more capability than SLIP: it negotiates the link, authenticates the caller (PAP, CHAP, MS-CHAP, EAP), and can carry more than one network protocol

Using Remote Access Protocols (cont’d.)

• Remote access (tunneling) protocols
  – Point-to-Point Tunneling Protocol
  – Layer Two Tunneling Protocol
  – Secure Socket Tunneling Protocol
• Point-to-Point Tunneling Protocol (PPTP)
  – Offers PPP-based authentication techniques
  – Encrypts the data carried by PPTP using Microsoft Point-to-Point Encryption

Using Remote Access Protocols (cont’d.)

• Microsoft Point-to-Point Encryption (MPPE)
  – End-to-end (client to VPN server) encryption technique that uses RC4 keys of 40, 56, or 128 bits, derived from the PPP authentication exchange
  – Caveat: the PPTP/MS-CHAP v2/MPPE combination is considered weak today; a captured MS-CHAP v2 exchange can be attacked offline to recover the password hash, which also yields the MPPE keys. Prefer L2TP/IPsec or SSTP wherever clients support them
• Layer Two Tunneling Protocol (L2TP)
  – Works similarly to PPTP but has no encryption of its own; on Windows it is paired with IPsec (L2TP/IPsec), which supplies encryption and machine-level authentication

Using Remote Access Protocols (cont’d.)

• IP Security (IPsec)
  – IP-based secure communications and encryption standards created through the Internet Engineering Task Force (IETF)
• Secure Socket Tunneling Protocol (SSTP)
  – Employs PPP authentication techniques
  – Encapsulates PPP frames in HTTPS (HTTP over SSL/TLS on TCP port 443), so the tunnel passes through firewalls and NAT devices that already allow outbound web traffic

Using Remote Access Protocols (cont’d.)

• Secure Sockets Layer (SSL)
  – Data encryption technique employed between a server and a client; SSTP depends on it, so the VPN server needs a server certificate that the clients trust
• PPP, PPTP, and L2TP are available in:
  – Windows 2000, Windows XP, Windows Vista, Windows 7
  – Windows 2000 Server, Windows Server 2003, Windows Server 2008
• SSTP is available in:
  – Windows Server 2008, Windows Vista (SP1 and later), Windows 7

Using Remote Access Protocols (cont’d.)

Table 10-1 Communications technologies

Configuring a VPN Server

• Install the Network Policy and Access Services role
• Configure a Microsoft Windows Server 2008 server as the network’s VPN server
  – Configure the protocols that provide VPN access to clients
• Configure the VPN server as a DHCP Relay Agent for TCP/IP communications
• Configure the VPN server properties
• Configure a remote access (network) policy for security

Configuring a VPN Server (cont’d.)

• Windows Server 2008 requires at least two network interfaces in the computer:
  – One for the connection to the private LAN
  – One for the connection to the public network (typically the Internet) over which VPN clients reach the server

Configuring a VPN Server (cont’d.)

Table 10-2 Routing and remote access options

Configuring a VPN Server (cont’d.)

Table 10-3 Ports to open in the Windows Firewall for a VPN

Configuring a DHCP Relay Agent

• DHCP Relay Agent
  – Forwards DHCP messages between remote access clients and a DHCP server on another subnet; in RRAS it relays the clients’ DHCPINFORM requests so they receive options such as DNS and WINS server addresses
  – Use the Routing and Remote Access tool to configure the VPN server as a DHCP Relay Agent

Configuring VPN Properties

• Routing and Remote Access tool
  – Right-click the VPN server in the tree
  – Click Properties

Figure 10-9 Configuring the interface properties

Configuring VPN Properties (cont’d.)

Figure 10-10 VPN server properties

Configuring VPN Properties (cont’d.)

Table 10-4 VPN server properties tabs

Configuring Multilink and Bandwidth Allocation Protocol

• Multilink
  – Combines or aggregates two or more communications channels so they appear as one large channel
  – Aggregated links
    · Multilink must be implemented in the client as well as in the server
  – Older connection technology compared with DSL or wireless metropolitan area networks

Configuring Multilink and Bandwidth Allocation Protocol (cont’d.)

• Bandwidth Allocation Protocol (BAP)
  – Adds or drops links in a multilink bundle on demand, so a client’s connection has enough bandwidth for a particular application without holding idle lines open
• Windows Server 2008 version of Multilink PPP
  – Supports Bandwidth Allocation Control Protocol (BACP)
  – BACP elects a favored peer so that, when both ends ask to add a link at the same time, only one side’s request is honored

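The VPN-server set-up steps above (install the role, enable remote access, address assignment, DHCP Relay Agent, Multilink/BACP, and the Table 10-3 firewall ports) as one pass through the command-line tools a Windows Server 2008 box ships with. This is an added example, not code from the chapter; the DHCP server address, pool range, the RRAS interface name `Internal`, the feature ID `NPAS-RRAS-Services`, and the `netsh routing ip relay` parameter names are assumptions to verify on your own build (each `netsh` context answers `?` with its syntax).

```powershell
# Added example (not from the chapter). Run from an elevated PowerShell 2.0 prompt
# on the server that will become the VPN server. Placeholders (not from the slides):
$ErrorActionPreference = 'Stop'
$DhcpServer  = '10.0.0.10'     # DHCP server the relay agent forwards to (assumed)
$AddressMode = 'auto'          # 'auto' = take client leases from DHCP; 'pool' = static range
$PoolStart   = '10.0.50.1'     # only used when $AddressMode is 'pool' (assumed range)
$PoolEnd     = '10.0.50.100'

function Invoke-Netsh {
    # Arguments go to netsh as an array so a value with spaces ("group=Routing and
    # Remote Access") stays one token; stop on the first failure instead of leaving the
    # server half configured.
    param([string[]]$Arguments)
    Write-Host ('netsh ' + ($Arguments -join ' '))
    $out = & netsh.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "netsh failed: $out" }
    $out
}

# 1. Network Policy and Access Services role services for RRAS (Server Manager wizard
#    equivalent). Feature ID as listed by 'ServerManagerCmd.exe -query'; on Windows
#    Server 2008 R2 use Import-Module ServerManager; Add-WindowsFeature instead.
& ServerManagerCmd.exe -install NPAS-RRAS-Services
if ($LASTEXITCODE -ne 0) { Write-Warning "ServerManagerCmd returned $LASTEXITCODE; read its output before continuing" }

# 2. Provide remote access (VPN/dial-up) only, no LAN routing, then enable and start RRAS.
Invoke-Netsh 'ras','set','type','ipv4rtrtype=none','ipv4rastype=enabled','ipv6rtrtype=none','ipv6rastype=disabled'
Invoke-Netsh 'ras','set','conf','confstate=enabled'
Set-Service -Name RemoteAccess -StartupType Automatic
Start-Service -Name RemoteAccess

# 3. Client addresses: DHCP-assigned (matches the relay-agent slide) or a static pool.
#    access mode=all lets VPN clients reach the whole LAN, not just this server.
Invoke-Netsh 'ras','ip','set','addrassign',"method=$AddressMode"
if ($AddressMode -eq 'pool') { Invoke-Netsh 'ras','ip','add','range',"from=$PoolStart","to=$PoolEnd" }
Invoke-Netsh 'ras','ip','set','access','mode=all'

# 4. DHCP Relay Agent on the RRAS 'Internal' interface: forwards the remote clients'
#    DHCPINFORM requests to $DhcpServer so they receive DNS/WINS options.
#    (parameter names assumed; check 'netsh routing ip relay add interface ?')
Invoke-Netsh 'routing','ip','relay','install'
Invoke-Netsh 'routing','ip','relay','add','dhcpserver',"ipaddress=$DhcpServer"
Invoke-Netsh 'routing','ip','relay','add','interface','name=Internal','relaymode=enable','maxhop=4','minsecs=0'

# 5. Multilink PPP plus BACP for dial-up clients that bundle lines.
Invoke-Netsh 'ras','add','multilink','type=multi'
Invoke-Netsh 'ras','add','multilink','type=bacp'

# 6. Windows Firewall. The predefined group covers PPTP (TCP 1723 + GRE, IP protocol 47)
#    and L2TP (UDP 1701); IKE, NAT-T and SSTP are added as explicit inbound rules.
Invoke-Netsh 'advfirewall','firewall','set','rule','group=Routing and Remote Access','new','enable=yes'
$rules = @(
    @('RRAS IKE (UDP 500)',          'UDP', '500'),
    @('RRAS IPsec NAT-T (UDP 4500)', 'UDP', '4500'),
    @('RRAS SSTP (TCP 443)',         'TCP', '443')
)
foreach ($r in $rules) {
    Invoke-Netsh 'advfirewall','firewall','add','rule',"name=$($r[0])",'dir=in','action=allow',"protocol=$($r[1])","localport=$($r[2])"
}

# 7. SSTP works only if HTTP.sys has a server certificate bound to 0.0.0.0:443.
#    RRAS binds the computer certificate it finds; check rather than assume.
$ssl = & netsh.exe http show sslcert ipport=0.0.0.0:443
if ($ssl -match 'Certificate Hash') { 'SSTP certificate binding present' }
else { Write-Warning 'No certificate bound to 0.0.0.0:443; install a trusted server certificate before offering SSTP' }
```

Step 7 is the check that most often explains "SSTP clients fail but PPTP works": the server certificate's subject must match the name clients dial, and its CRL must be reachable from the client side of the tunnel before the tunnel exists.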
Configuring VPN Security

• When a user accesses a VPN server:
  – Access is still subject to the account security that already applies to that user (password policy, logon hours, account lockout)
    · Through a group policy or the default domain security policy
• Elements of a Remote Access Policy (an NPS network policy)
  – Access permission
  – Conditions
  – Constraints
  – Settings

Configuring VPN Security (cont’d.)

• Establishing a Remote Access Policy
  – Use the Routing and Remote Access tool; its Remote Access Logging and Policies node opens the Network Policy Server console, where the policies are stored and edited
    · Accessed via Administrative Tools or as an MMC snap-in

Configuring VPN Security (cont’d.)

Table 10-5 Authentication types

Figure 10-15 Encryption options

Configuring VPN Security (cont’d.)

Table 10-6 RAS encryption options

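Table 10-5 and Table 10-6 list the authentication types and encryption options a policy can allow. The script below is an added example, not the chapter's own material: it removes the weak PPP authentication methods from the RRAS server, keeps MS-CHAP v2 and EAP, and stops accepting PPTP so that only L2TP/IPsec and SSTP tunnels are offered. The `WAN Miniport` device names are the Windows Server 2008 defaults and the `set wanports` parameter names are assumed; confirm both with `netsh ras show wanports` and `netsh ras set wanports ?`. The encryption strength itself (Basic/Strong/Strongest in Table 10-6) is a constraint of the NPS network policy and is not set here.

```powershell
# Added example (not from the chapter). Run elevated on the VPN server; RRAS is
# restarted at the end so the new authentication set takes effect.
$ErrorActionPreference = 'Stop'

function Invoke-Netsh {
    param([string[]]$Arguments)
    $out = & netsh.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw ('netsh ' + ($Arguments -join ' ') + " failed: $out") }
    $out
}

# --- Weak methods that may be left enabled ---
# PAP sends the password in clear text inside the PPP negotiation; MD5-CHAP requires
# reversibly encrypted passwords in AD. Neither belongs on an Internet-facing server.
foreach ($weak in 'PAP', 'MD5CHAP') {
    try   { Invoke-Netsh 'ras','delete','authtype',"type=$weak" }
    catch { Write-Warning "$weak was already disabled" }
}

# --- Methods to keep ---
# MS-CHAP v2: password-based, also the source of MPPE keys for PPTP.
# EAP: certificate (EAP-TLS) or PEAP-MS-CHAP v2, selected in the NPS policy.
Invoke-Netsh 'ras','add','authtype','type=MSCHAPv2'
Invoke-Netsh 'ras','add','authtype','type=EAP'
# 'standard' authenticates every caller; never use 'bypass' on a production server.
Invoke-Netsh 'ras','set','authmode','mode=standard'

# --- Tunnel types ---
# PPTP: the MS-CHAP v2 handshake plus RC4 MPPE is attackable offline; turn its ports off.
# L2TP/IPsec and SSTP stay on. maxports is the number of simultaneous tunnels of that type.
Invoke-Netsh 'ras','set','wanports','device=WAN Miniport (PPTP)','rasinonly=disabled','ddinout=disabled','ddoutonly=disabled'
Invoke-Netsh 'ras','set','wanports','device=WAN Miniport (L2TP)','rasinonly=enabled','maxports=128'
Invoke-Netsh 'ras','set','wanports','device=WAN Miniport (SSTP)','rasinonly=enabled','maxports=128'

Restart-Service -Name RemoteAccess -Force

# Read back what the server will now negotiate.
Invoke-Netsh 'ras','show','authtype'
Invoke-Netsh 'ras','show','wanports'
```

Disabling the PPTP ports server-side is the reliable way to retire the protocol: a client whose connection is still set to "Automatic" will try PPTP first, fail, and fall through to L2TP or SSTP, and an attacker cannot downgrade a client to a tunnel type the server no longer answers.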
Configuring a Dial-Up Remote Access Server

• Dial-up remote access server compatible with:
  – Asynchronous modems
  – Synchronous modems
  – Null modem communications
  – Regular dial-up telephone lines
  – Leased telecommunication lines
  – ISDN lines (and digital “modems”)
  – X.25 lines
  – DSL lines

Configuring a Dial-Up Remote Access Server (cont’d.)

• Dial-up remote access server compatible with: (cont’d.)
  – Cable modem lines
  – Frame relay lines
• Install RAS using the Routing and Remote Access tool
  – Steps very similar to installing a VPN server

Configuring Dial-Up Security

• Callback security
  – The server hangs up and calls the remote computer back
  – Calling back a preset telephone number ties the session to a known location, so a stolen user name and password alone are not enough for an attacker to dial in
• Options available in Windows Server 2008:
  – No Callback
  – Set by Caller (Routing and Remote Access Service only)
  – Always Callback to (a number fixed by the administrator)

Configuring Dial-Up Security (cont’d.)

• Control network access permission (per user account, Dial-in tab)
  – Allow access
  – Deny access
  – Control access through NPS Network Policy
    · Default selection

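The per-account settings from the two slides above (network access permission and callback) can be set and read back from the command line. The function below is an added example, not from the chapter; the user names and the callback number are placeholders, and for a domain account the name takes the `DOMAIN\user` form. The same choices are what the Dial-in tab of the account writes.

```powershell
# Added example (not from the chapter). Run elevated on a server with RRAS installed.
$ErrorActionPreference = 'Stop'

function Invoke-Netsh {
    param([string[]]$Arguments)
    $out = & netsh.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw ('netsh ' + ($Arguments -join ' ') + " failed: $out") }
    $out
}

function Set-RasUserAccess {
    # DialIn:   permit | deny | policy   (policy = "Control access through NPS Network Policy")
    # Callback: none | caller | admin    (admin = "Always Callback to" a fixed number)
    param(
        [Parameter(Mandatory = $true)][string]$User,
        [ValidateSet('permit', 'deny', 'policy')][string]$DialIn = 'policy',
        [ValidateSet('none', 'caller', 'admin')][string]$Callback = 'none',
        [string]$CallbackNumber = ''
    )
    $arguments = @('ras', 'set', 'user', "name=$User", "dialin=$DialIn", "callback=$Callback")
    if ($Callback -eq 'admin') {
        if (-not $CallbackNumber) { throw 'callback=admin needs a CallbackNumber' }
        $arguments += "callbacknumber=$CallbackNumber"
    }
    Invoke-Netsh $arguments
    # Read the stored settings back so the change is verified, not assumed.
    Invoke-Netsh 'ras', 'show', 'user', "name=$User"
}

# Recommended shape for a dial-up user: let the NPS policy decide who may connect and
# always call back a number the administrator chose. "Set by Caller" only limits telco
# cost to the company; it adds no security because the attacker picks the number.
Set-RasUserAccess -User 'alice' -DialIn policy -Callback admin -CallbackNumber '5550100'   # placeholder number

# A service account that must never be able to dial in, whatever the policy says:
Set-RasUserAccess -User 'svc-backup' -DialIn deny
```

Explicit `deny` on accounts that will never dial in is worth doing even when the policy would reject them anyway: it survives a later policy edit that accidentally widens the allowed group.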
Configuring Clients to Connect to RAS Through Dial-Up Access

• Common dial-up RAS clients
  – Windows 98, 2000, XP, Vista, and 7
• To access a dial-up RAS server from other operating systems
  – Configure a dial-up connection on those clients

Configuring Clients to Connect to RAS Through Dial-Up Access (cont’d.)

Figure 10-17 Configuring a dial-up connection

Troubleshooting VPN and Dial-Up RAS Installations

• Troubleshooting a VPN or dial-up RAS server communications problem
  – Hardware and software troubleshooting tips

Hardware Solutions

• Use Device Manager to check network adapters, WAN adapters, and modems
• Make sure the telephone line is plugged in
• For external modems:
  – Make sure the modem cable is properly attached and that you are using the proper cable type
• For internal modems or adapter cards:
  – Check the connection inside the computer

Hardware Solutions (cont’d.)

• For a modem connection:
  – Test the telephone wall connection and cable
• For an external DSL adapter or a combined DSL adapter and router:
  – Ensure the device is properly configured and connected
• Call your ISP to determine whether problems are present on the ISP’s WAN

Software Solutions

• Use the Computer Management tool or Server Manager to verify the status of these services:
  – Routing and Remote Access
  – Remote Access Auto Connection Manager
  – Remote Access Connection Manager
• Ensure Windows Firewall is set up to allow remote access (the tunnel ports listed in Table 10-3)

Software Solutions (cont’d.)

• Make sure the VPN or dial-up RAS server is enabled
• Check the remote access policy to be sure that access permission is granted
• Verify that the VPN or dial-up RAS server is started
• Check the network interface

Software Solutions (cont’d.)

• Ensure IP parameters are correctly configured to provide an address pool (or DHCP-assigned addresses) for either a VPN or dial-up RAS server
• If using a RADIUS server:
  – Ensure it is connected and working properly and that Network Policy Server (NPS, the Windows Server 2008 replacement for Internet Authentication Service (IAS)) is installed, with the RAS server registered as a RADIUS client and the shared secrets matching on both sides
• Ensure the remote access policy is consistent with the users’ access needs

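The software checks above, as an added example (not from the chapter) that runs them on the RAS/VPN server and returns findings instead of changing anything. Service names are the Windows Server 2008 short names (the NPS service still carries the `IAS` name); the listening ports checked are the standard PPTP and SSTP ports. Run it from an elevated PowerShell 2.0 prompt.

```powershell
# Added example (not from the chapter): read-only health check for a RAS/VPN server.
function Test-RasServerHealth {
    $findings = @()

    # 1. The services the slides name, plus those a VPN server also depends on.
    $services = @{
        'RemoteAccess' = 'Routing and Remote Access'
        'RasMan'       = 'Remote Access Connection Manager'
        'RasAuto'      = 'Remote Access Auto Connection Manager'
        'SstpSvc'      = 'Secure Socket Tunneling Protocol Service'
        'PolicyAgent'  = 'IPsec Policy Agent (needed by L2TP/IPsec)'
        'IAS'          = 'Network Policy Server (local or RADIUS role)'
    }
    foreach ($name in $services.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { $findings += "service $name ($($services[$name])) is not installed" }
        elseif ($svc.Status -ne 'Running') { $findings += "service $name ($($services[$name])) is $($svc.Status)" }
    }

    # 2. RRAS must be enabled (configured), not merely installed.
    $conf = (& netsh.exe ras show conf) -join ' '
    if ($conf -notmatch 'enabled') { $findings += "RRAS is not enabled: $conf" }

    # 3. A running, enabled server listens on its tunnel ports; nothing listening means the
    #    port type is disabled or the service failed to start, before the firewall matters.
    $listening = & netstat.exe -ano -p tcp | Select-String 'LISTENING'
    foreach ($port in 1723, 443) {
        if (-not ($listening | Where-Object { $_.Line -match ":$port\s" })) {
            $findings += "nothing listens on TCP $port (1723 = PPTP, 443 = SSTP)"
        }
    }

    # 4. SSTP also needs a certificate bound in HTTP.sys.
    $ssl = (& netsh.exe http show sslcert ipport=0.0.0.0:443) -join ' '
    if ($ssl -notmatch 'Certificate Hash') { $findings += 'no SSL certificate bound to 0.0.0.0:443; SSTP clients will fail' }

    # 5. Address assignment (DHCP or static pool) as RRAS sees it; shown, not parsed,
    #    because the output format varies between builds.
    $findings += 'address assignment: ' + ((& netsh.exe ras ip show config) -join ' ')

    # 6. Recent errors from the RAS stack and NPS. A policy that rejects the user, a
    #    disallowed authentication type, or a RADIUS secret mismatch all surface here
    #    (NPS also writes accept/reject events to the Security log when auditing is on).
    $events = Get-EventLog -LogName System -EntryType Error, Warning -Newest 300 -ErrorAction SilentlyContinue |
              Where-Object { $_.Source -match 'RemoteAccess|RasMan|RasSstp|Rasl2tp|IAS|NPS' }
    foreach ($e in ($events | Select-Object -First 10)) {
        $findings += "$($e.TimeGenerated) $($e.Source) $($e.EventID): $($e.Message.Split("`n")[0])"
    }
    return $findings
}

$result = Test-RasServerHealth
$result
# Who is connected right now, with which tunnel and authentication type:
& netsh.exe ras show client
```

Work the findings top to bottom: a stopped service or a disabled server explains everything below it, and only once the server listens and the certificate is bound is it worth comparing the NPS network policy against the account that cannot connect.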
Connecting Through Terminal Services

• Terminal server
  – Enables clients to run services and software applications on Windows Server 2008 instead of at the client
  – Enables thin clients to have most CPU-intensive operations performed on the server
• Centralizes control of how programs are used
• Install different role services for specific purposes:
  – TS Web Access/TS Gateway

Connecting Through Terminal Services (cont’d.)

Table 10-7 Terminal Services components

Connecting Through Terminal Services (cont’d.)

Table 10-8 Role services available through Terminal Services

Connecting Through Terminal Services (cont’d.)

• RemoteApp
  – New feature
  – Enables a client to run an application without loading a full remote desktop on the client computer
• TS Gateway
  – Provides a secure way to use Terminal Services over the Internet: RDP is carried inside HTTPS (TCP 443) through the gateway, so the terminal servers themselves are not exposed to the Internet

Installing Terminal Services

• Install the TS Licensing role service
  – Manages terminal server client access licenses (TS CALs) obtained from Microsoft
  – Licenses can be purchased either per user account or per client device
• Network Level Authentication (NLA)
  – Requires the user to authenticate (through CredSSP) before a Terminal Services session is created on the server
  – Removes the unauthenticated logon screen from the attack surface and limits denial of service from half-open sessions; requires a client that supports NLA (Windows Vista and later, or Windows XP SP3 with CredSSP enabled)
• Create groups of user accounts to grant remote logon rights

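NLA is a setting of the RDP listener, so it can be audited and enforced from a script rather than only from the Terminal Services Configuration console. The block below is an added example, not from the chapter; it uses the `Win32_TSGeneralSetting` WMI class that Terminal Services installs on Windows Server 2008 and tightens three related settings together, because NLA over the legacy RDP security layer still leaves the session without TLS. Clients older than Remote Desktop Connection 6.0 will be refused afterwards, which is the intended effect.

```powershell
# Added example (not from the chapter). Run elevated on the terminal server (PowerShell 2.0).
# Win32_TSGeneralSetting values used:
#   UserAuthenticationRequired  1 = NLA required, 0 = not required
#   SecurityLayer               0 = legacy RDP, 1 = negotiate, 2 = TLS (SSL) only
#   MinEncryptionLevel          1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS
$ErrorActionPreference = 'Stop'

function Get-RdpListener {
    # PacketPrivacy is required when querying this namespace remotely; harmless locally.
    Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGeneralSetting `
                  -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
}

function Get-RdpSecurityState {
    param($Listener)
    New-Object PSObject -Property @{
        NlaRequired        = [bool]$Listener.UserAuthenticationRequired
        SecurityLayer      = $Listener.SecurityLayer
        MinEncryptionLevel = $Listener.MinEncryptionLevel
        CertificateSha1    = $Listener.SSLCertificateSHA1Hash
    }
}

$rdp = Get-RdpListener
'Before:'
Get-RdpSecurityState $rdp | Format-List

# Each Set* method returns a ReturnValue; 0 means the change was accepted.
if (-not $rdp.UserAuthenticationRequired) {
    if ($rdp.SetUserAuthenticationRequired(1).ReturnValue -ne 0) { throw 'could not enable NLA' }
}
if ($rdp.SecurityLayer -lt 2) {
    if ($rdp.SetSecurityLayer(2).ReturnValue -ne 0) { throw 'could not require TLS' }
}
if ($rdp.MinEncryptionLevel -lt 3) {
    if ($rdp.SetEncryptionLevel(3).ReturnValue -ne 0) { throw 'could not raise encryption level' }
}

# Re-read from WMI so the report reflects what the listener actually holds now.
'After:'
Get-RdpSecurityState (Get-RdpListener) | Format-List
```

The `CertificateSha1` value is worth recording: with `SecurityLayer` 2 the listener presents that certificate to every client, and a self-signed one trains users to click through warnings, which undoes part of what NLA buys you. Bind a certificate from your enterprise CA instead.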
Configuring Terminal Services (cont’d.)

Table 10-11 Terminal Services permissions

Managing Terminal Services

• Terminal Services Manager
  – Monitor the number of users connected to the terminal server
  – Add additional terminal servers to monitor
  – Determine whether a user session is active
  – Determine which programs are running in a user’s session
  – Disconnect a user’s session or log off a user
  – Reset a connection that is having trouble
  – Send a message to a user

Configuring Licensing

• Activate the Terminal Services licensing server
• Configure licensing using TS Licensing Manager

Accessing a Terminal Server from a Client

• Remote Desktop Connection (RDC)
  – Client already installed in Windows 7, Windows Vista, Windows Server 2008, and Windows XP

Installing Applications on a Terminal Server

• You might need to reinstall some applications that were installed before the Terminal Services role
• Use Control Panel to uninstall them
• Reinstall the applications
  – In the Control Panel Home view, click Programs
  – Click Install Application on Terminal Server

Summary

• Routing and Remote Access Services includes
  – Virtual private network (VPN) and dial-up services
• Remote access protocols include:
  – SLIP, CSLIP, PPP, PPTP, L2TP, and SSTP
• Use Server Manager to install the Network Policy and Access Services role

Summary (cont’d.)

• A VPN server has many properties that can be configured
  – Configure a remote access policy to govern how the VPN server is accessed
• When you configure dial-up remote access
  – Also configure a DHCP Relay Agent, Multilink (if used), and a remote access policy for security
• Use Server Manager to install the Terminal Services role
  – Configure Terminal Services licensing
