MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 10 Configuring Remote Access

Upload: zan

Post on 20-Jan-2016


Learning Objectives

• Understand Windows Server 2008 remote access services

• Implement and manage a virtual private network

• Configure a VPN server

• Configure a dial-up remote access server

• Troubleshoot virtual private network and dial-up remote access installations


Learning Objectives (cont’d.)

• Install and configure Terminal Services


Introduction to Remote Access

• Routing and Remote Access Services (RRAS)
  – Enable routing and remote access through virtual private networking and dial-up networking
• Virtual private network (VPN)
  – Tunnel through a larger network that is restricted to designated member clients only
• Dial-up networking
  – Using a telecommunications line and a modem to dial into a network or specific computers on a network


Introduction to Remote Access (cont’d.)

• Modem
  – Modulator/demodulator
  – Converts a transmitted digital signal to an analog signal for a telephone line
  – Converts a received analog signal to a digital signal for use by a computer
• RRAS
  – Turns server into a dial-up Remote Access Services (RAS) server capable of handling hundreds of simultaneous connections


Figure 10-1 A VPN network (Courtesy Course Technology/Cengage Learning)


Implementing a Virtual Private Network

• VPN
  – Uses LAN and tunneling protocols
  – Encapsulates data as it is sent across a public network
• Benefits of using a VPN
  – Users can connect through a local ISP to the local network
  – Ensures that any data sent across a public network is secure
  – Encrypted tunnel


Using Remote Access Protocols

• Function of the remote access protocol
  – Encapsulate a packet
  – TCP/IP is the most commonly used transport protocol
    • Encapsulated in a remote access protocol for transport over a WAN
• Other legacy transport protocols
  – IPX for legacy NetWare networks
  – NetBEUI for legacy Microsoft networks
  – Not supported by Windows Server 2008


Using Remote Access Protocols (cont’d.)

• Serial Line Internet Protocol (SLIP)
  – Originally designed for UNIX environments
  – Provides point-to-point communications using TCP/IP
• Compressed Serial Line Internet Protocol (CSLIP)
  – Newer version of SLIP
  – Compresses header information in each packet
• SLIP and CSLIP do not support
  – Network connection authentication


Using Remote Access Protocols (cont’d.)

  – SLIP and CSLIP do not support (cont’d.)
    • Automatic negotiation of the network connection through multiple network connection layers at the same time
• Point-to-Point Protocol (PPP)
  – Has more capability than SLIP
• Remote access protocols
  – Point-to-Point Tunneling Protocol
  – Layer Two Tunneling Protocol
  – Secure Socket Tunneling Protocol


Using Remote Access Protocols (cont’d.)

• Point-to-Point Tunneling Protocol (PPTP)
  – Offers PPP-based authentication techniques
  – Encrypts data carried by PPTP using Microsoft Point-to-Point Encryption
• Microsoft Point-to-Point Encryption (MPPE)
  – Starting-to-ending-point encryption technique that uses special encryption keys varying in length from 40 to 128 bits


Using Remote Access Protocols (cont’d.)

• Layer Two Tunneling Protocol (L2TP)
  – Works similarly to PPTP
• IP Security (IPsec)
  – IP-based secure communications and encryption standards created through the Internet Engineering Task Force (IETF)
• Secure Socket Tunneling Protocol (SSTP)
  – Employs PPP authentication techniques
  – Encapsulates data packet in the Hypertext Transfer Protocol (HTTP)


Using Remote Access Protocols (cont’d.)

• Secure Sockets Layer (SSL)
  – Data encryption technique employed between a server and a client
• PPP, PPTP, and L2TP are available in:
  – Windows 2000, Windows XP, Windows Vista, Windows 7
  – Windows 2000 Server, Windows Server 2003, Windows Server 2008
• SSTP is available in:
  – Windows Server 2008, Windows Vista, Windows 7


Using Remote Access Protocols (cont’d.)


Table 10-1 Communications technologies


Configuring a VPN Server

• Install Network Policy and Access Services role

• Configure a Microsoft Windows Server 2008 server as a network’s VPN server
  – Configure protocols to provide VPN access to clients

• Configure a VPN server as a DHCP Relay Agent for TCP/IP communications

• Configure the VPN server properties

• Configure a remote access policy for security


Configuring a VPN Server (cont’d.)

• Windows Server 2008 requires at least two network interfaces in the computer:
  – One for the connection to the LAN
  – One for a connection to the physical VPN network
• Activity 10-1: Installing Network Policy and Access Services
  – Objective: Learn how to install Routing and Remote Access Services
• Activity 10-2: Setting Up a VPN Server
  – Objective: Set up a VPN server


Configuring a VPN Server (cont’d.)


Table 10-2 Routing and remote access options


Configuring a VPN Server (cont’d.)


Table 10-3 Ports to open in the Windows Firewall for a VPN


Configuring a DHCP Relay Agent

• DHCP Relay Agent
  – Broadcasts IP configuration information
  – Use Routing and Remote Access tool to configure VPN server as a DHCP Relay Agent
• Activity 10-3: Configuring a DHCP Relay Agent
  – Objective: Set up a DHCP Relay Agent
• Activity 10-4: Additional DHCP Relay Agent Configuration
  – Objective: Configure the DHCP Relay Agent hop count


Configuring VPN Properties

• Routing and Remote Access tool
  – Right-click the VPN server in the tree
  – Click Properties


Figure 10-9 Configuring the interface properties (Courtesy Course Technology/Cengage Learning)


Configuring VPN Properties (cont’d.)


Figure 10-10 VPN server properties (Courtesy Course Technology/Cengage Learning)


Configuring VPN Properties (cont’d.)


Table 10-4 VPN server properties tabs


Configuring Multilink and Bandwidth Allocation Protocol

• Multilink
  – Combine or aggregate two or more communications channels so they appear as one large channel
  – Aggregated links
• Multilink must be implemented in the client as well as in the server
  – Older connection technology compared with DSL or wireless metropolitan area networks
• Bandwidth Allocation Protocol (BAP)
  – Ensure that a client’s connection has enough speed or bandwidth for a particular application


Configuring Multilink and Bandwidth Allocation Protocol (cont’d.)

• Windows Server 2008 version of Multilink PPP
  – Supports Bandwidth Allocation Control Protocol (BACP)
  – Selects a preferred client when two or more clients vie for the same bandwidth
• Activity 10-5: Using Multilink
  – Objective: Configure a VPN (or RAS) server to use Multilink


Configuring VPN Security

• When a user accesses a VPN server:
  – Access is protected by the account access security that already applies
    • Through a group policy or the default domain security policy
• Elements of a Remote Access Policy
  – Access permission
  – Conditions
  – Constraints
  – Settings


Configuring VPN Security (cont’d.)

• Establishing a Remote Access Policy
  – Use Routing and Remote Access tool
    • Accessed via Administrative Tools or as an MMC snap-in
• Activity 10-6: Configuring a Remote Access Policy
  – Objective: Configure a remote access policy


Configuring VPN Security (cont’d.)


Table 10-5 Authentication types


Figure 10-15 Encryption options (Courtesy Course Technology/Cengage Learning)


Configuring VPN Security (cont’d.)


Table 10-6 RAS encryption options


Configuring a Dial-Up Remote Access Server

• Dial-up remote access server compatible with:
  – Asynchronous modems
  – Synchronous modems
  – Null modem communications
  – Regular dial-up telephone lines
  – Leased telecommunication lines
  – ISDN lines (and digital “modems”)
  – X.25 lines
  – DSL lines
  – Cable modem lines
  – Frame relay lines


Configuring a Dial-Up Remote Access Server (cont’d.)

• Install RAS using Routing and Remote Access tool
  – Steps very similar to installing a VPN server


Configuring Dial-Up Security

• Callback security
  – Server calls back the remote computer
  – Verify telephone number in order to discourage a hacker
• Options available in Windows Server 2008:
  – No Callback
  – Set by Caller (Routing and Remote Access Service only)
  – Always Callback to


Configuring Dial-Up Security (cont’d.)

• Control network access permission
  – Allow access
  – Deny access
  – Control access through NPS Network Policy
    • Default selection


Configuring a Dial-Up Connection for a RAS Server

• Create other connections through the Network and Sharing Center

• Activity 10-7: Configuring a Dial-Up Network Connection
  – Objective: Configure a dial-up connection for a dial-up RAS server


Configuring Clients to Connect to RAS Through Dial-Up Access

• Common dial-up RAS clients
  – Windows 98, 2000, XP, Vista, and 7
• Access a dial-up RAS server from other operating systems
  – Configure a dial-up connection on those clients


Configuring Clients to Connect to RAS Through Dial-Up Access (cont’d.)


Figure 10-17 Configuring a dial-up connection (Courtesy Course Technology/Cengage Learning)


Troubleshooting VPN and Dial-Up RAS Installations

• Troubleshooting VPN or dial-up RAS server communications problem
  – Hardware and software troubleshooting tips


Hardware Solutions

• Use Device Manager to check network adapters, WAN adapters, and modems

• Make sure the telephone line is plugged in
• For external modems:
  – Make sure the modem cable is properly attached and that you are using the proper cable type
• For internal modems or adapter cards:
  – Check connection inside computer


Hardware Solutions (cont’d.)

• For a modem connection:
  – Test the telephone wall connection and cable
• For an external DSL adapter or a combined DSL adapter and router:
  – Ensure device is properly configured and connected

• Call your ISP to determine if problems are present on the ISP’s WAN


Software Solutions

• Use the Computer Management tool or Server Manager to verify status of:
  – Routing and Remote Access
  – Remote Access Auto Connection Manager
  – Remote Access Connection Manager services

• Ensure Windows Firewall is set up to allow remote access

• Make sure VPN or dial-up RAS server is enabled

• Check the remote access policy to be sure that access permission is granted


Software Solutions (cont’d.)

• Verify VPN or dial-up RAS server is started

• Check the network interface

• Ensure IP parameters are correctly configured to provide an address pool for either a VPN or dial-up RAS server

• If using a RADIUS server:
  – Ensure it is connected and working properly and that Internet Authentication Service (IAS) is installed

• Ensure the remote access policy is consistent with the users’ access needs
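The service-status step of the software checklist can be scripted rather than checked by hand. The following is an added example, not part of the original slides; it assumes Windows PowerShell 2.0 or later run locally on the server, uses the standard short names of the three services, and treats "RemoteAccess and RasMan running, RasAuto merely not disabled" as the healthy state.

```powershell
# Added example (not from the slides). The short service names below are the
# standard Windows names for the three services listed in the checklist.
# Assumption: on a working VPN or dial-up RAS server, RemoteAccess and RasMan
# are running; RasAuto is only flagged when it is disabled.
$ExpectedServices = @(
    @{ Name = 'RemoteAccess'; Label = 'Routing and Remote Access';             MustRun = $true  },
    @{ Name = 'RasMan';       Label = 'Remote Access Connection Manager';      MustRun = $true  },
    @{ Name = 'RasAuto';      Label = 'Remote Access Auto Connection Manager'; MustRun = $false }
)

function Get-RemoteAccessServiceReport {
    foreach ($expected in $ExpectedServices) {
        # Win32_Service exposes both the current state and the startup type.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($expected.Name)'"

        if (-not $svc) {
            $state     = 'Missing'
            $startMode = 'n/a'
            $finding   = 'Not installed: check the Network Policy and Access Services role'
        }
        else {
            $state     = $svc.State
            $startMode = $svc.StartMode
            if ($svc.StartMode -eq 'Disabled') {
                $finding = 'Disabled: the service cannot start until its startup type is changed'
            }
            elseif ($expected.MustRun -and $svc.State -ne 'Running') {
                $finding = 'Not running: start the service and review the System event log'
            }
            else {
                $finding = 'OK'
            }
        }

        # One result object per service so the report can be filtered or exported.
        New-Object PSObject -Property @{
            Service   = $expected.Label
            State     = $state
            StartMode = $startMode
            Finding   = $finding
        }
    }
}

Get-RemoteAccessServiceReport |
    Select-Object Service, State, StartMode, Finding |
    Format-Table -AutoSize
```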


Connecting Through Terminal Services

• Terminal server
  – Enables clients to run services and software applications on Windows Server 2008 instead of at the client
  – Enables thin clients to perform most CPU-intensive operations on the server
• Centralize control of how programs are used
• Install different role services for specific purposes:
  – TS Web Access
  – TS Gateway


Connecting Through Terminal Services (cont’d.)


Table 10-7 Terminal Services components


Connecting Through Terminal Services (cont’d.)


Table 10-8 Role services available through Terminal Services


Connecting Through Terminal Services (cont’d.)

• RemoteApp
  – New feature
  – Enables a client to run an application without loading a remote desktop on the client computer
• TS Gateway
  – Provides a secure way to use Terminal Services over the Internet


Installing Terminal Services

• Install TS Licensing role service
  – Manage terminal server user licenses obtained from Microsoft
  – Licenses can be purchased either per user account or by client device
• Network Level Authentication (NLA)
  – Enables authentication to take place before the Terminal Services connection is established
  – Thwarts would-be attackers
• Create groups of user accounts in advance
  – Add these groups during installation
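Whether NLA is actually enforced after installation can be read from the registry. The following is an added example, not part of the original slides; it assumes Windows PowerShell 2.0 or later run locally on the terminal server, and the function names are illustrative. It reads the `UserAuthentication` and `SecurityLayer` values of the RDP-Tcp listener, preferring a Group Policy value when one is set.

```powershell
# Added example (not from the slides): reports whether Network Level
# Authentication is required on this terminal server.
# A value set by Group Policy takes precedence over the local listener value.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-EffectiveSetting {
    param([string]$Name)
    $value = Get-RegistryValue -Path $PolicyKey -Name $Name
    if ($null -ne $value) {
        return @{ Value = $value; Source = 'Group Policy' }
    }
    $value = Get-RegistryValue -Path $ListenerKey -Name $Name
    return @{ Value = $value; Source = 'Local listener setting' }
}

function Get-NlaStatus {
    $auth  = Get-EffectiveSetting -Name 'UserAuthentication'  # 1 = NLA required
    $layer = Get-EffectiveSetting -Name 'SecurityLayer'       # 0 = RDP, 1 = Negotiate, 2 = SSL (TLS)

    $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
    if ($null -eq $layer.Value) {
        $layerText = 'Not set'
    }
    else {
        $layerText = $layerNames[[int]$layer.Value]
    }

    # A missing UserAuthentication value is reported as "not required".
    $nlaRequired = ($null -ne $auth.Value) -and ([int]$auth.Value -eq 1)
    if ($nlaRequired) {
        $finding = 'NLA enforced: clients authenticate before a session is created'
    }
    else {
        $finding = 'NLA not enforced: the logon screen is reachable before authentication'
    }

    New-Object PSObject -Property @{
        NlaRequired   = $nlaRequired
        SettingSource = $auth.Source
        SecurityLayer = $layerText
        Finding       = $finding
    }
}

Get-NlaStatus | Format-List NlaRequired, SettingSource, SecurityLayer, Finding
```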


Installing Terminal Services (cont’d.)

• Activity 10-8: Installing Terminal Services
  – Objective: Learn how to install the Terminal Services role


Configuring Terminal Services

• Activity 10-9: Configuring Terminal Services
  – Objective: Configure a terminal server


Configuring Terminal Services (cont’d.)


Table 10-11 Terminal Services permissions


Managing Terminal Services

• Terminal Services Manager
  – Monitor the number of users connected to the terminal server
  – Add additional terminal servers to monitor
  – Determine if a user session is active
  – Determine which programs are running in a user’s session
  – Disconnect a user’s session or log off a user
  – Reset a connection that is having trouble
  – Send a message to a user


Managing Terminal Services (cont’d.)

• Activity 10-10: Using Terminal Services Manager
  – Objective: Use Terminal Services Manager


Configuring Licensing

• Activate Terminal Services licensing server

• Configure licensing using TS Licensing Manager

• Activity 10-11: Using the TS Licensing Manager
  – Objective: Use TS Licensing Manager


Accessing a Terminal Server from a Client

• Remote Desktop Connection (RDC)
  – Client already installed in Windows 7, Windows Vista, Windows Server 2008, and Windows XP
• Activity 10-12 (optional): Configuring Authentication in Windows Vista or Windows 7
  – Objective: Configure NLA authentication in Windows Vista or Windows 7


Installing Applications on a Terminal Server

• Might need to reinstall some applications that were installed before Terminal Services role

• Use Control Panel to uninstall them

• Reinstall applications
  – In Control Panel Home view, click Programs
  – Click Install Application on Terminal Server


Summary

• Routing and Remote Access Services includes
  – Virtual private network (VPN) and dial-up services
• Remote access protocols include:
  – SLIP, CSLIP, PPP, PPTP, L2TP, and SSTP
• Use Server Manager to install the Network Policy and Access Services role
• VPN has many properties that can be configured
  – Configure a remote access policy to govern how a VPN server is accessed


Summary (cont’d.)

• When you configure dial-up remote access
  – Also configure a DHCP Relay Agent, Multi-link (if used), and a remote access policy for security
• Use Server Manager to install the Terminal Services role
  – Configure Terminal Services client access licenses
