
DPW © 2005-2010 Donna Warren

MCITP Windows 2008 Server

Remote Access, VPNs and Terminal Services

UNIT 7


Topics for this Unit

• Remote Administration

• MMCs

• Delegation of authority

• RRAS (Routing and Remote Access)

• VPN (Virtual Private Network)

• Terminal Server

• DHCP relay agent

• Multilink and Bandwidth Allocation Protocol (BAP)


Remote Administration

• You cannot use Server Manager to manage another computer remotely

• You use Remote Desktop to connect to another computer and run Server Manager within the Remote Desktop session

• You can also create your own MMC console for each server you want to manage


MMC Snap-ins

• Standalone snap-ins

– A standalone snap-in is a single tool that you can install directly into an empty MMC console

– Standalone snap-ins appear in the first level directly beneath the console root in the console’s scope pane

• Extension snap-ins

– An extension snap-in provides additional functionality to specific standalone snap-ins

– You cannot add an extension snap-in to a console without adding an appropriate standalone snap-in first

– Extension snap-ins appear beneath the associated standalone snap-in in the console’s scope pane


Console Options

• By default, all new consoles you create are configured to use Author mode, which provides full access to all console functions

• The available modes you can choose from are as follows:

– Author Mode

– User Mode-Full Access

– User Mode-Limited Access, Multiple Windows

– User Mode-Limited Access, Single Window


Managing a Remote Computer

• Snap-ins supplied with Windows Server enable you to manage other Windows computers on the network as well

• There are two ways to access a remote computer using an MMC snap-in:

– Redirect an existing snap-in to another system

– Create a custom console with snap-ins directed to other systems

• In Windows, this capability is known as Remote Desktop


Remote Desktop

• Windows Server includes licenses for two Remote Desktop connections (three if you count the console)

• This means that there is no extra cost associated with Windows Server 2008’s remote administration capabilities

• To use Remote Desktop to administer a server on the network, you must complete the following tasks:

– Enable Remote Desktop on the server

– Configure Remote Desktop Connection (RDC) on the client

– Establish a connection between the client and the server


Remote Desktop Connections

• By default, the Administrators group has the permissions needed to establish a Remote Desktop connection

• If you want to grant other users the same permissions, you must add them to the Remote Desktop Users group on the server


Connection Dialog Box


Routing and Remote Access (RRAS)

• Routing and Remote Access Services (RRAS) - Enable routing and remote access through virtual private networking and dialup networking

• Virtual private network (VPN) - Tunnel through a larger network that is restricted to designated member clients only

• Dial-up networking - Using a telecommunications line and a modem to dial into a network or specific computers on a network


VPN (Virtual Private Network)

• VPN

– Uses LAN and tunneling protocols

– Encapsulates data as it is sent across a public network

• Benefits of using a VPN

– Users can connect through a local ISP to the local network

– Ensures that any data sent across a public network is secure

– Encrypted tunnel


VPN


Remote Access Protocols

• Function of the remote access protocol

– Encapsulate a packet

– TCP/IP is the most commonly used transport protocol

• Serial Line Internet Protocol (SLIP)

– Originally designed for UNIX environments

– Provides point-to-point communications using TCP/IP

• Compressed Serial Line Internet Protocol (CSLIP)

– Newer version of SLIP that compresses header information in each packet

• Point-to-Point Protocol (PPP) - Has more capability than SLIP


Remote Access Protocols

• Point-to-Point Tunneling Protocol (PPTP)

– Offers PPP-based authentication techniques

– Encrypts data carried by PPTP by using Microsoft Point-to-Point Encryption

• Microsoft Point-to-Point Encryption (MPPE) - Encrypts traffic between the two endpoints of the tunnel using encryption keys varying in length from 40 to 128 bits

• Layer Two Tunneling Protocol (L2TP) - Works similarly to PPTP


Remote Access Protocols

• IP Security (IPsec) - IP-based secure communications and encryption standards created through the Internet Engineering Task Force (IETF)

• Secure Socket Tunneling Protocol (SSTP)

– Employs PPP authentication techniques

– Encapsulates the data packet in Hypertext Transfer Protocol (HTTP) over Secure Sockets Layer (SSL)

– Data encryption technique employed between a server and a client

– Available in Windows Server 2008, Windows Vista, Windows 7


Configuring a VPN Server

• Install Network Policy and Access Services role

• Configure protocols to provide VPN access to clients

• Configure a VPN server as a DHCP Relay Agent for TCP/IP communications

• Configure the VPN server properties

• Configure a remote access policy for security by opening the following ports


Configuring a VPN Server

• Windows Server 2008 requires at least two network interfaces in the computer:

– One for the connection to the LAN

– One for a connection to the physical VPN network

• DHCP Relay Agent

– Broadcasts IP configuration information

– Use Routing and Remote Access tool to configure VPN server as a DHCP Relay Agent


Multilink & Bandwidth Allocation Protocol

• Multilink

– Combine or aggregate two or more communications channels so they appear as one large channel

– Aggregated links

• Multilink must be implemented in the client as well as in the server

• Bandwidth Allocation Protocol (BAP)

– Ensure that a client’s connection has enough speed or bandwidth for a particular application

• Windows Server version of Multilink PPP

– Supports Bandwidth Allocation Control Protocol (BACP)

– Selects a preferred client when two or more clients vie for the same bandwidth


Terminal Services

• Terminal server

– Enables clients to run services and software applications on the server

– Enables thin clients to perform most CPU-intensive operations on the server

• Centralize control of how programs are used

• Install different role services for specific purposes:

– TS Gateway - Provides a secure way to use Terminal Services over the Internet

• TS Web Access

• RemoteApp – a new feature that enables a client to run an application without loading a remote desktop on the client computer


Terminal Services

• Install TS Licensing role service

– Manage terminal server user licenses obtained from Microsoft

– Licenses can be purchased either per user account or by client device

• Network Level Authentication (NLA)

– Enables authentication to take place before the Terminal Services connection is established

– Thwarts would-be attackers

• Create groups of user accounts in advance

– Add these groups during installation
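The Remote Desktop set-up steps and the Remote Desktop Users group described earlier, together with the NLA point on this slide, can be checked from the server itself. This is an added example, not part of the lecture; the registry paths and value names are the standard Terminal Services settings on Windows Server 2008, and $AllowedRdpMembers is an assumed list you would replace with the groups you actually grant access to.

```powershell
# Added example (not part of the lecture): audits a Windows Server 2008 host's Remote
# Desktop configuration against the points made on the slides: RDP enabled, NLA required,
# TLS and strong encryption on the RDP-Tcp listener, and who is in Remote Desktop Users.
# Registry paths/value names are the standard Terminal Services settings; $AllowedRdpMembers
# is an assumed list; replace it with the groups you actually grant access to.
$AllowedRdpMembers = @('CONTOSO\Server Admins')   # assumed

function Get-RdpSecurityState {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    # fDenyTSConnections: 1 = Remote Desktop disabled, 0 = enabled
    # UserAuthentication: 1 = Network Level Authentication required before a session is built
    # SecurityLayer:      0 = RDP security layer, 1 = negotiate, 2 = TLS required
    # MinEncryptionLevel: 1 = Low, 2 = Client compatible, 3 = High (128-bit), 4 = FIPS
    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
        NlaRequired          = ($rdp.UserAuthentication -eq 1)
        SecurityLayer        = [int]$rdp.SecurityLayer
        MinEncryptionLevel   = [int]$rdp.MinEncryptionLevel
    }
}

function Get-RemoteDesktopUsersMembers {
    # 'net localgroup' works on 2008; Get-LocalGroupMember does not exist there.
    # Administrators are not listed: they have Remote Desktop rights by default regardless.
    $inMembers = $false
    foreach ($line in (net localgroup "Remote Desktop Users")) {
        if ($line -match '^-+$') { $inMembers = $true; continue }
        if ($inMembers -and $line -match '\S' -and $line -notmatch 'completed successfully') { $line.Trim() }
    }
}

function Test-RdpHardening {
    $s = Get-RdpSecurityState
    $findings = @()
    if (-not $s.RemoteDesktopEnabled) { return @('Remote Desktop is disabled; nothing further to check') }
    if (-not $s.NlaRequired)         { $findings += 'NLA is off: unauthenticated clients reach the logon screen' }
    if ($s.SecurityLayer -lt 2)      { $findings += 'SecurityLayer < 2: legacy RDP security accepted, require TLS' }
    if ($s.MinEncryptionLevel -lt 3) { $findings += 'MinEncryptionLevel < 3: weak (56-bit or client-negotiated) encryption accepted' }
    foreach ($m in Get-RemoteDesktopUsersMembers) {
        if ($AllowedRdpMembers -notcontains $m) { $findings += "Unexpected member of Remote Desktop Users: $m" }
    }
    if ($findings.Count -eq 0) { $findings += 'Remote Desktop configuration matches the expected baseline' }
    $findings
}

Test-RdpHardening
```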


Managing Terminal Services

• Terminal Services Manager

– Monitor the number of users connected to the terminal server

– Add additional terminal servers to monitor

– Determine if a user session is active

– Determine which programs are running in a user’s session

– Disconnect a user’s session or log off a user

– Reset a connection that is having trouble

– Send a message to a user
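The session checks this slide attributes to Terminal Services Manager can also be scripted with the built-in qwinsta, msg and logoff tools. This is an added example, not part of the lecture; $Server and $ExpectedUsers are assumed values.

```powershell
# Added example (not part of the lecture): the checks Terminal Services Manager lets you do
# by hand, scripted. Lists the sessions on a terminal server with the built-in qwinsta tool,
# flags sessions for accounts outside an expected set, and prints the equivalent
# msg / logoff commands an operator would run. $Server and $ExpectedUsers are assumed values.
$Server        = 'TS01'              # assumed terminal server name
$ExpectedUsers = @('alice', 'bob')   # assumed accounts allowed interactive sessions

function Get-TsSession {
    param([string]$ComputerName)
    $out = @(qwinsta /server:$ComputerName)
    if ($out.Count -lt 2) { return }
    # Column offsets are read from the header line rather than hard-coded.
    $hdr    = $out[0]
    $iUser  = $hdr.IndexOf('USERNAME')
    $iState = $hdr.IndexOf('STATE')
    $iType  = $hdr.IndexOf('TYPE')
    foreach ($raw in $out[1..($out.Count - 1)]) {
        if (-not $raw.Trim()) { continue }
        # '>' marks the caller's own session; replace it with a space so column widths are kept,
        # and pad short lines so the substring calls below never run past the end.
        $line = ($raw -replace '^>', ' ').PadRight($iType)
        # The USERNAME..STATE region holds "<user> <id>"; user is blank for listeners and services.
        $mid  = @(($line.Substring($iUser, $iState - $iUser).Trim()) -split '\s+')
        $user = if ($mid.Count -gt 1) { $mid[0] } else { '' }
        New-Object PSObject -Property @{
            SessionName = $line.Substring(0, $iUser).Trim()
            UserName    = $user
            Id          = if ($mid[-1] -match '^\d+$') { [int]$mid[-1] } else { -1 }
            State       = $line.Substring($iState, $iType - $iState).Trim()
        }
    }
}

function Find-UnexpectedTsSession {
    param([string]$ComputerName, [string[]]$Allowed)
    Get-TsSession -ComputerName $ComputerName |
        Where-Object { $_.UserName -and ($Allowed -notcontains $_.UserName) } |
        ForEach-Object {
            # Same actions as "Send a message" / "Log off" in Terminal Services Manager
            "{0} session {1} ({2}) for {3}: review with  msg {1} /server:{4} <text>  or  logoff {1} /server:{4}" -f `
                $_.State, $_.Id, $_.SessionName, $_.UserName, $ComputerName
        }
}

Find-UnexpectedTsSession -ComputerName $Server -Allowed $ExpectedUsers
```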


Summary

• MMC provides a standardized, common interface for application modules called snap-ins, which you can use to configure operating system settings, applications, and services

• There are two types of MMC snap-ins

– A standalone snap-in is a single tool that you can install directly into an empty MMC console

– An extension snap-in provides additional functionality to specific standalone snap-ins

• Remote Desktop allows administrators to manage remote computers

• Windows Server Update Services (WSUS) is a program that downloads updates from the Microsoft Update Website

• Routing and Remote Access Services includes

– Virtual private network (VPN) and dial-up services


Lab 7

• Activity 10-1: Installing Network Policy and Access Services

• Activity 10-2: Setting Up a VPN Server

• Activity 10-3: Configuring a DHCP Relay Agent

• Activity 10-4: Additional DHCP Relay Agent Configuration

• Activity 10-5: Using Multilink

• Activity 10-6: Configuring a Remote Access Policy

• Activity 10-8: Installing Terminal Services

• Activity 10-9: Configuring Terminal Services

• Activity 10-10: Using Terminal Services Manager

• Activity 10-11: Using the TS Licensing Manager