DPW © 2005-2010
DPW © Donna Warren
MCITP WINDOWS 2008 SERVER
Remote Access, VPNs and Terminal Services
UNIT 7
Topics for this Unit
• Remote Administration
• MMCs
• Delegation of authority
• RRAS (Routing and Remote Access)
• VPN (Virtual Private Network)
• Terminal Server
• DHCP relay agent
• Multilink and Bandwidth Allocation Protocol (BAP)
Remote Administration
• You cannot use Server Manager to manage another computer remotely
• You use Remote Desktop to connect to another computer and run Server Manager within the Remote Desktop session
• You can also create your own MMC console for each server you want to manage
MMC Snap-ins
• Standalone snap-ins
– A standalone snap-in is a single tool that you can install directly into an empty MMC console
– Standalone snap-ins appear in the first level directly beneath the console root in the console’s scope pane
• Extension snap-ins
– An extension snap-in provides additional functionality to specific standalone snap-ins
– You cannot add an extension snap-in to a console without adding an appropriate standalone snap-in first
– Extension snap-ins appear beneath the associated standalone snap-in in the console’s scope pane
Console Options
• By default, all new consoles you create are configured to use Author mode, which provides full access to all console functions
• The available modes you can choose from are as follows:
– Author Mode
– User Mode-Full Access
– User Mode-Limited Access, Multiple Windows
– User Mode-Limited Access, Single Window
Managing a Remote Computer
• Snap-ins supplied with Windows Server enable you to manage other Windows computers on the network as well
• There are two ways to access a remote computer using an MMC snap-in:
– Redirect an existing snap-in to another system
– Create a custom console with snap-ins directed to other systems
• In Windows, this capability is known as Remote Desktop
Remote Desktop
• Windows Server includes licenses for two Remote Desktop connections (three if you count the console)
• This means that there is no extra cost associated with Windows Server 2008’s remote administration capabilities
• To use Remote Desktop to administer a server on the network, you must complete the following tasks:
– Enable Remote Desktop on the server
– Configure Remote Desktop Connection (RDC) on the client
– Establish a connection between the client and the server
Remote Desktop Connections
• By default, the Administrators group has the permissions needed to establish a Remote Desktop connection
• If you want to grant other users the same permissions, you must add them to the Remote Desktop Users group on the server
Connection Dialog Box
Routing and Remote Access (RRAS)
• Routing and Remote Access Services (RRAS) - Enable routing and remote access through virtual private networking and dial-up networking
• Virtual private network (VPN) - Tunnel through a larger network that is restricted to designated member clients only
• Dial-up networking - Using a telecommunications line and a modem to dial into a network or specific computers on a network
VPN (Virtual Private Network)
• VPN
– Uses LAN and tunneling protocols
– Encapsulates data as it is sent across a public network
• Benefits of using a VPN
– Users can connect through a local ISP to the local network
– Ensures that any data sent across a public network is secure
– Encrypted tunnel
Remote Access Protocols
• Function of the remote access protocol
– Encapsulate a packet
– TCP/IP is the most commonly used transport protocol
• Serial Line Internet Protocol (SLIP)
– Originally designed for UNIX environments
– Provides point-to-point communications using TCP/IP
• Compressed Serial Line Internet Protocol (CSLIP)
– Newer version of SLIP that compresses header information in each packet
• Point-to-Point Protocol (PPP) - Has more capability than SLIP
Remote Access Protocols
• Point-to-Point Tunneling Protocol (PPTP)
– Offers PPP-based authentication techniques
– Encrypts data carried by PPTP using Microsoft Point-to-Point Encryption
• Microsoft Point-to-Point Encryption (MPPE) - Starting-to-ending-point encryption technique that uses special encryption keys varying in length from 40 to 128 bits
• Layer Two Tunneling Protocol (L2TP) - Works similarly to PPTP
Remote Access Protocols
• IP Security (IPsec) - IP-based secure communications and encryption standards created through the Internet Engineering Task Force (IETF)
• Secure Socket Tunneling Protocol (SSTP)
– Employs PPP authentication techniques
– Encapsulates data packet in the Hypertext Transfer Protocol (HTTP) Secure Sockets Layer (SSL)
– Data encryption technique employed between a server and a client
– Available in Windows Server 2008, Windows Vista, Windows 7
Configuring a VPN Server
• Install Network Policy and Access Services role
• Configure protocols to provide VPN access to clients
• Configure a VPN server as a DHCP Relay Agent for TCP/IP communications
• Configure the VPN server properties
• Configure a remote access policy for security by opening the following ports
Configuring a VPN Server
• Windows Server 2008 requires at least two network interfaces in the computer:
– One for the connection to the LAN
– One for a connection to the physical VPN network
• DHCP Relay Agent
– Broadcasts IP configuration information
– Use Routing and Remote Access tool to configure VPN server as a DHCP Relay Agent
Multilink & Bandwidth Allocation Protocol
• Multilink
– Combine or aggregate two or more communications channels so they appear as one large channel
– Aggregated links
• Multilink must be implemented in the client as well as in the server
• Bandwidth Allocation Protocol (BAP)
– Ensure that a client’s connection has enough speed or bandwidth for a particular application
• Windows Server version of Multilink PPP
– Supports Bandwidth Allocation Control Protocol (BACP)
– Selects a preferred client when two or more clients vie for the same bandwidth
Terminal Services
• Terminal server
– Enables clients to run services and software applications on the server
– Enables thin clients to perform most CPU-intensive operations on the server
• Centralize control of how programs are used
• Install different role services for specific purposes:
– TS Gateway - Provides a secure way to use Terminal Services over the Internet
• TS Web Access
• RemoteApp – a new feature that enables a client to run an application without loading a remote desktop on the client computer
Terminal Services
• Install TS Licensing role service
– Manage terminal server user licenses obtained from Microsoft
– Licenses can be purchased either per user account or by client device
• Network Level Authentication (NLA)
– Enables authentication to take place before the Terminal Services connection is established
– Thwarts would-be attackers
• Create groups of user accounts in advance
– Add these groups during installation
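Added example (not part of the original course material): a local audit that ties together the Remote Desktop Connections slide (Administrators and Remote Desktop Users can connect) and the NLA bullet above. It reports whether Remote Desktop is enabled, whether NLA is required, and who belongs to the two groups. The function names Get-RdpLogonMembers and Get-RdpAuditResult are hypothetical; the script assumes English built-in group names and an elevated prompt.

```powershell
# Added example (not from the course material): audit local Remote Desktop settings.
# Assumes English built-in group names and an elevated PowerShell 2.0+ prompt.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpLogonMembers {
    # List members of the groups that can open a Remote Desktop session by default
    foreach ($name in 'Administrators', 'Remote Desktop Users') {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
        $group.psbase.Invoke('Members') | ForEach-Object {
            New-Object PSObject -Property @{
                Group  = $name
                Member = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            }
        }
    }
}

function Get-RdpAuditResult {
    # fDenyTSConnections = 0 means Remote Desktop is enabled on this server
    $deny = (Get-ItemProperty -Path $tsKey).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required before a session is created
    $nla  = (Get-ItemProperty -Path $rdpKey).UserAuthentication

    $enabled = ($deny -eq 0)
    $finding = if (-not $enabled) {
        'Remote Desktop is disabled'
    } elseif ($nla -eq 1) {
        'Remote Desktop enabled, NLA required'
    } else {
        'Remote Desktop enabled WITHOUT NLA: require NLA'
    }
    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        RdpEnabled  = $enabled
        NlaRequired = ($nla -eq 1)
        Finding     = $finding
    }
}

Get-RdpAuditResult | Format-List
Get-RdpLogonMembers | Sort-Object Group, Member | Format-Table Group, Member -AutoSize
```

Review the member list against the accounts that actually need remote administration; anything unexpected in Remote Desktop Users is a candidate for removal.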
Managing Terminal Services
• Terminal Services Manager
– Monitor the number of users connected to the terminal server
– Add additional terminal servers to monitor
– Determine if a user session is active
– Determine which programs are running in a user’s session
– Disconnect a user’s session or log off a user
– Reset a connection that is having trouble
– Send a message to a user
Summary
• MMC provides a standardized, common interface for application modules called snap-ins, which you can use to configure operating system settings, applications, and services
• There are two types of MMC snap-ins
– A standalone snap-in is a single tool that you can install directly into an empty MMC console
– An extension snap-in provides additional functionality to specific standalone snap-ins
• Remote Desktop allows administrators to manage remote computers
• Windows Server Update Services (WSUS) is a program that downloads updates from the Microsoft Update Website
• Routing and Remote Access Services includes
– Virtual private network (VPN) and dial-up services
Lab 7
• Activity 10-1: Installing Network Policy and Access Services
• Activity 10-2: Setting Up a VPN Server
• Activity 10-3: Configuring a DHCP Relay Agent
• Activity 10-4: Additional DHCP Relay Agent Configuration
• Activity 10-5: Using Multilink
• Activity 10-6: Configuring a Remote Access Policy
• Activity 10-8: Installing Terminal Services
• Activity 10-9: Configuring Terminal Services
• Activity 10-10: Using Terminal Services Manager
• Activity 10-11: Using the TS Licensing Manager