
Module 9

Implementing remote access


Module Overview

• Remote access overview
• Implementing DirectAccess
• Implementing VPN
Lesson 1: Remote access overview

• Overview of remote access technologies
• Remote access features in Windows Server 2016
• Overview of remote applications access
• When to deploy a PKI for remote access
Overview of remote access technologies

• Remote infrastructure solutions provide access to an internal LAN infrastructure
• Remote application access solutions provide access to applications or services remotely
• You must provide integrity and confidentiality of data and means of communication
• You can deploy a combination of different technologies to accomplish secure and robust solutions
Remote access features in Windows Server 2016

• DirectAccess advantages include:
  • Always-on connectivity
  • Seamless connectivity
  • Bidirectional access
  • Remote management
  • Improved security
  • Integrated solution
• VPN:
  • Can use with older operating systems
  • Often requires users to establish connections
  • Encrypts and protects data and communications
Overview of remote applications access

• Enterprise and organizational solutions:
  • RDS
  • Web Application Proxy
  • RemoteApp by using RDS
• Cloud-based subscription solutions:
  • Azure
  • Azure RemoteApp
When to deploy a PKI for remote access

• Will you use PKI for the encryption of data between the client computer and the server?
• Will you use PKI both for encryption and for authenticating users and their computers?
• Will you use self-signed certificates, certificates provided by internal private CAs, or external public CAs?
Lesson 2: Implementing DirectAccess

• Components of DirectAccess
• How DirectAccess works for internal clients
• How DirectAccess works for external clients
• Requirements and prerequisites
• Using the Getting Started Wizard
• Demonstration: Configuring DirectAccess with the Getting Started Wizard
• Limitations of the Getting Started Wizard
• Addressing the limitations of the Getting Started Wizard
Components of DirectAccess

[Diagram: DirectAccess components. Labels: AD DS domain controller, internal clients, Internet websites, DNS server, DirectAccess server, NRPT, IPv6/IPsec, external clients, internal network resources, Network Location Server, PKI deployment]
Components of DirectAccess

DirectAccess tunnelling protocols include:
• ISATAP
• 6to4
• Teredo
• IP-HTTPS
How DirectAccess works for internal clients

[Diagram: an internal client on the intranet. Labels: internal client computers, AD DS domain controller, Internet websites, DNS server, connection security rules, DirectAccess server, NRPT, network location server (NLS), internal network resources, CRL distribution point]
How DirectAccess works for external clients

[Diagram: an external client on the Internet. Labels: AD DS domain controller, DNS server, DirectAccess server, Infrastructure and Intranet (the two IPsec tunnels), NLS, connection security rules, NRPT, internal network resources, external client computers]
Requirements and prerequisites

• The DirectAccess server:
  • Must be a domain member
  • Must have at least one network adapter connected to the domain network
  • Must have Windows Firewall enabled on all profiles
  • Cannot be a domain controller
• You must deploy the DirectAccess server in one of the following network topologies:
  • Edge
  • Behind the firewall with two network adapters
  • Behind the firewall with one network adapter
Using the Getting Started Wizard

The Getting Started Wizard makes the following configuration changes:
• GPO settings
  • DirectAccess Server Settings GPO
  • DirectAccess Client Settings GPO
• DNS server settings
  • Remote clients
  • Remote access server
  • Infrastructure servers
Demonstration: Configuring DirectAccess with the Getting Started Wizard

In this demonstration, you will see how to:
• Configure DirectAccess using the Getting Started Wizard
• Verify that the DirectAccess client is configured
Limitations of the Getting Started Wizard

The following limitations of using the Getting Started Wizard are identified:
• Uses self-signed certificates
• Based on network location server design
• No support for Windows 7 and earlier clients
Addressing the limitations of the Getting Started Wizard

The following are the advanced options that you can use to configure DirectAccess:
• Scalable and customized PKI infrastructure
• Customized network configuration options
• Scalable and highly available server deployment
• Customized monitoring and troubleshooting
Monitoring DirectAccess

• The Remote Access Management Console monitoring components include:
  • Dashboard
  • Operation status
  • Remote Access client status
  • Remote Access reporting
• You can troubleshoot DirectAccess connectivity by using:
  • A troubleshooting methodology
  • Command-line tools
  • GUI tools
Troubleshooting DirectAccess

To troubleshoot DirectAccess, verify the following:
1. The client is running a supported operating system
2. The client computer is part of an AD DS domain
3. The client computer belongs to a suitable AD DS security group
4. Client GPOs are applying
5. The server configuration GPOs are applying
6. IPv6 connectivity is working
7. The DirectAccess client has IPv6 connectivity to the intranet DNS servers
8. The DirectAccess client has correctly determined its location
Troubleshooting DirectAccess

You can use the following netsh commands to help troubleshoot DirectAccess:
• netsh interface teredo show state
• netsh interface httpstunnel show interface
• netsh namespace show policy
• netsh namespace show effectivepolicy
• netsh advfirewall show currentprofile
Troubleshooting DirectAccess

You can use the following Windows PowerShell cmdlets to help investigate DirectAccess client problems:
• Get-DAClientExperienceConfiguration
• Get-DAConnectionStatus
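The following script is an added example, not part of the course material: it runs the client-side checks from the troubleshooting list above (domain membership, client GPO via the NRPT, IPv6 transition state, intranet DNS reachability, location detection and firewall profiles) and returns them as one object. It assumes an elevated session on a Windows 8.1/10 DirectAccess client; every cmdlet used is from the built-in DirectAccessClientComponents, DnsClient, NetworkTransition, NetTCPIP and NetSecurity modules.

```powershell
# Added example (not from the course material). Assumes an elevated session on
# a Windows 8.1/10 DirectAccess client with the built-in networking modules.
function Test-DAClientReadiness {
    $r = [ordered]@{}

    # Step 2: the client must be a member of an AD DS domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $r.DomainJoined = [bool]$cs.PartOfDomain

    # Step 4: the DirectAccess Client Settings GPO populates the NRPT, so an
    # empty effective NRPT usually means the client GPO did not apply (or the
    # computer is not in the DirectAccess security group, step 3).
    $nrpt = @(Get-DnsClientNrptPolicy -Effective)
    $r.NrptRuleCount  = $nrpt.Count
    $r.NrptNamespaces = $nrpt.Namespace

    # Step 6: IPv6 transition technologies. Teredo reports 'qualified' when it
    # is usable; IP-HTTPS reports LastErrorCode 0 when the tunnel is up.
    $r.TeredoState  = (Get-NetTeredoState).State
    $r.IPHttpsError = (Get-NetIPHttpsState).LastErrorCode

    # Step 7: IPv6 path to the intranet DNS server that the NRPT points at.
    $dns = $nrpt | ForEach-Object { $_.DirectAccessDnsServers } | Select-Object -First 1
    $r.IntranetDnsServer    = $dns
    $r.IntranetDnsReachable = if ($dns) {
        Test-NetConnection -ComputerName $dns -InformationLevel Quiet
    } else { $false }

    # Step 8: the client's own view of its location. 'ConnectedLocally' means
    # the network location server was reached, 'ConnectedRemotely' means the
    # DirectAccess tunnels are up; anything else carries a Substatus to read.
    $status = Get-DAConnectionStatus
    $r.DAStatus    = $status.Status
    $r.DASubstatus = $status.Substatus

    # IPsec connection security rules need Windows Firewall on every profile.
    $r.FirewallProfilesOff = @(Get-NetFirewallProfile |
        Where-Object { -not $_.Enabled }).Name

    [pscustomobject]$r
}

Test-DAClientReadiness | Format-List
```

Run it on a client that should be connected remotely: any check that comes back false, empty or non-zero points at the numbered step above to investigate next.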
Lesson 3: Implementing VPN

• VPN Scenarios
• VPN tunneling protocols
• Authentication options
• Configuring a VPN infrastructure
• Configuring a Network Policy Server
• The process of configuring a VPN client
• Advanced VPN features
• Demonstration: Configuring VPNs
VPN Scenarios

A VPN provides a point-to-point connection between components of a private network, through a public network such as the Internet

[Diagram: VPN servers at the corporate headquarters, a large branch office, a medium branch office and a small branch office, with a home office and a remote user connecting through VPN clients]
VPN tunneling protocols

Windows Server 2016 supports the following four VPN tunneling protocols:

PPTP
  Firewall access: TCP port 1723
  • Provides data confidentiality but not data integrity or data authentication

L2TP/IPsec
  Firewall access: UDP port 500, UDP port 1701, UDP port 4500, and IP protocol ID 50
  • Uses either certificates or preshared keys for authentication
  • Certificate authentication is recommended

SSTP
  Firewall access: TCP port 443
  • Uses SSL to provide data confidentiality, data integrity, and data authentication

IKEv2
  Firewall access: UDP port 500
  • Supports the latest IPsec encryption algorithms to provide data confidentiality, data integrity, and data authentication
Authentication options

PAP
  Description: Uses plaintext passwords; typically used if the remote access client and remote access server cannot negotiate a more secure form of validation
  Security level: The least secure authentication protocol

CHAP
  Description: Uses the industry-standard MD5 hashing scheme; this is a challenge-response authentication protocol
  Security level: An improvement over PAP; that is, the password is not sent over the PPP link

MS-CHAPv2
  Description: Provides two-way authentication, also known as mutual authentication; this is an upgrade of MS-CHAP
  Security level: The protocol provides stronger security than CHAP

EAP
  Description: Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types
  Security level: The strongest security protocol by providing the most flexibility in authentication variations
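The two tables above rank tunnel types and authentication protocols; the following script is an added example, not part of the course material, that applies those rankings to the VPN connections defined on a Windows client and shows a hardened IKEv2 profile beside them. It assumes the built-in VpnClient module, a machine certificate already enrolled for IKEv2, and uses vpn.example.com as a placeholder server name; the weak/strong thresholds are this example's own choice based on the tables.

```powershell
# Added example (not from the course material). Assumes the built-in VpnClient
# module; 'vpn.example.com' is a placeholder, not a real server.
function Get-VpnConnectionAudit {
    param([switch]$AllUserConnection)

    # From the tunneling table: PPTP gives confidentiality only, so flag it.
    # 'Automatic' negotiation can still fall back to PPTP, so flag that too.
    $weakTunnels = @('Pptp', 'Automatic')
    # From the authentication table: PAP sends plaintext passwords and CHAP
    # still depends on MD5; MS-CHAPv2, EAP and machine certificates pass.
    $weakAuth = @('Pap', 'Chap')

    $conns = if ($AllUserConnection) { Get-VpnConnection -AllUserConnection }
             else { Get-VpnConnection }
    foreach ($c in $conns) {
        $findings = @()
        if ($c.TunnelType -in $weakTunnels) {
            $findings += "tunnel type '$($c.TunnelType)' permits PPTP"
        }
        foreach ($m in @($c.AuthenticationMethod)) {
            if ($m -in $weakAuth) { $findings += "authentication method '$m' is weak" }
        }
        # Anything below 'Required' lets the peer negotiate an unencrypted link.
        if ($c.EncryptionLevel -notin @('Required', 'Maximum')) {
            $findings += "encryption level '$($c.EncryptionLevel)' is not mandatory"
        }
        [pscustomobject]@{
            Name     = $c.Name
            Tunnel   = $c.TunnelType
            Auth     = (@($c.AuthenticationMethod) -join ',')
            Rating   = if ($findings) { 'Weak' } else { 'OK' }
            Findings = $findings -join '; '
        }
    }
}

# Hardened profile: IKEv2 with machine-certificate authentication and explicit
# IPsec parameters, matching the table's recommendation of certificates.
function New-HardenedVpnConnection {
    param([string]$Name = 'Corp-IKEv2', [string]$Server = 'vpn.example.com')
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate -EncryptionLevel Required -Force
    Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
        -DHGroup Group14 -PfsGroup PFS2048 `
        -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 -Force
}

Get-VpnConnectionAudit | Format-Table -AutoSize
```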
Configuring a VPN infrastructure

VPN server configuration requirements include:
• Two network interfaces (public and private)
• IP address allocation (static pool or DHCP)
• Authentication provider (NPS/RADIUS or the VPN server)
• DHCP relay agent considerations
• Membership in the Local Administrators group or equivalent
Configuring a Network Policy Server

A Windows Server 2016 Network Policy Server provides the following functions:
• RADIUS server
  • NPS performs centralized connection authentication, authorization, and accounting for wireless, authenticating switch, dial-up and VPN connections
• RADIUS proxy
  • You configure connection request policies that indicate which connection requests the NPS server will forward to other RADIUS servers and to which RADIUS servers you want to forward connection requests
Configuring a Network Policy Server

[Flowchart: how NPS processes a connection attempt]
START
1. Are there policies to process? No: reject the connection attempt. Yes: continue.
2. Does the connection attempt match the policy conditions? No: go to the next policy (return to step 1). Yes: continue.
3. Is the remote access permission for the user account set to Deny Access? Yes: reject the connection attempt. No: continue.
4. Is the remote access permission for the user account set to Allow Access? Yes: go to step 6. No: continue.
5. Is the remote access permission on the policy set to Deny remote access permission? Yes: reject the connection attempt. No: continue.
6. Does the connection attempt match the user object and profile settings? Yes: accept the connection attempt. No: reject the connection attempt.
The process of configuring a VPN client

The CMAK:
• Allows you to customize users' remote connection experiences by creating predefined connections on remote servers and networks
• Creates an executable file that can be run on a client computer to establish a network connection that you have designed
• Reduces help desk requests related to the configuration of RAS connections by:
  • Assisting in problem resolution because the configuration is known
  • Reducing the likelihood of user errors when users configure their own connection objects
Advanced VPN features

• When you create and configure VPN connections, you can implement a number of advanced features
• The advanced features include:
  • Always on
  • App-triggered VPN
  • Traffic filters
  • LockDown VPN
Demonstration: Configuring VPNs

In this demonstration, you will see how to:
• Configure a VPN server
• Configure a VPN client
• Test a VPN connection
Lab: Implementing DirectAccess

• Exercise 1: Configure DirectAccess using the Getting Started Wizard
• Exercise 2: Testing DirectAccess

Logon Information
Virtual machines: 20743B-LON-DC1, 20743B-LON-SVR1, 20743B-INET1, 20743B-LON-CL1, 20743B-LON-RTR
User name: Adatum\Administrator
Password: Pa55w.rd
Estimated Time: 45 minutes
Lab Scenario

A. Datum wants to implement a remote access solution for its employees so they can connect to the corporate network while away from the office. While a VPN solution provides a high level of security, business management is concerned about the complexity of the environment for end users, and IT management is concerned that they are not able to manage the remote clients effectively. To address these issues, A. Datum has decided to implement DirectAccess.

You will configure the DirectAccess environment and validate that client computers can connect to the internal network when operating remotely.
Lab Review

• Your organization requires only selected computers to be able to connect from the Internet to the corporate network resources using DirectAccess. How will you configure the DirectAccess settings to meet the organization's requirements?
• In the lab, you used the Getting Started Wizard to configure DirectAccess. In what situations is using the wizard inappropriate?
Module Review and Takeaways

• Review Questions