MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
Chapter 10
Configuring Remote Access
Learning Objectives
• Understand Windows Server 2008 remote access services
• Implement and manage a virtual private network
• Configure a VPN server
• Configure a dial-up remote access server
• Troubleshoot virtual private network and dial-up remote access installations
Learning Objectives (cont’d.)
• Install and configure Terminal Services
Introduction to Remote Access
• Routing and Remote Access Services (RRAS)
  – Enable routing and remote access through virtual private networking and dial-up networking
• Virtual private network (VPN)
  – Tunnel through a larger network that is restricted to designated member clients only
• Dial-up networking
  – Using a telecommunications line and a modem to dial into a network or specific computers on a network
Introduction to Remote Access (cont’d.)
• Modem
  – Modulator/demodulator
  – Converts a transmitted digital signal to an analog signal for a telephone line
  – Converts a received analog signal to a digital signal for use by a computer
• RRAS
  – Turns server into a dial-up Remote Access Services (RAS) server capable of handling hundreds of simultaneous connections
Figure 10-1 A VPN network (Courtesy Course Technology/Cengage Learning)
Implementing a Virtual Private Network
• VPN
  – Uses LAN and tunneling protocols
  – Encapsulates data as it is sent across a public network
• Benefits of using a VPN
  – Users can connect through a local ISP to the local network
  – Ensures that any data sent across a public network is secure
  – Encrypted tunnel
Using Remote Access Protocols
• Function of the remote access protocol
  – Encapsulate a packet
  – TCP/IP is the most commonly used transport protocol
    • Encapsulated in a remote access protocol for transport over a WAN
• Other legacy transport protocols
  – IPX for legacy NetWare networks
  – NetBEUI for legacy Microsoft networks
  – Not supported by Windows Server 2008
Using Remote Access Protocols (cont’d.)
• Serial Line Internet Protocol (SLIP)
  – Originally designed for UNIX environments
  – Provides point-to-point communications using TCP/IP
• Compressed Serial Line Internet Protocol (CSLIP)
  – Newer version of SLIP
  – Compresses header information in each packet
• SLIP and CSLIP do not support
  – Network connection authentication
Using Remote Access Protocols (cont’d.)
• SLIP and CSLIP do not support (cont’d.)
  – Automatic negotiation of the network connection through multiple network connection layers at the same time
• Point-to-Point Protocol (PPP)
  – Has more capability than SLIP
• Remote access protocols
  – Point-to-Point Tunneling Protocol
  – Layer Two Tunneling Protocol
  – Secure Socket Tunneling Protocol
Using Remote Access Protocols (cont’d.)
• Point-to-Point Tunneling Protocol (PPTP)
  – Offers PPP-based authentication techniques
  – Encrypts data carried by PPTP by using Microsoft Point-to-Point Encryption
• Microsoft Point-to-Point Encryption (MPPE)
  – Starting-to-ending-point encryption technique that uses special encryption keys varying in length from 40 to 128 bits
Using Remote Access Protocols (cont’d.)
• Layer Two Tunneling Protocol (L2TP)
  – Works similarly to PPTP
• IP Security (IPsec)
  – IP-based secure communications and encryption standards created through the Internet Engineering Task Force (IETF)
• Secure Socket Tunneling Protocol (SSTP)
  – Employs PPP authentication techniques
  – Encapsulates data packet in the Hypertext Transfer Protocol (HTTP)
Using Remote Access Protocols (cont’d.)
• Secure Sockets Layer (SSL)
  – Data encryption technique employed between a server and a client
• PPP, PPTP, and L2TP are available in:
  – Windows 2000, Windows XP, Windows Vista, Windows 7
  – Windows 2000 Server, Windows Server 2003, Windows Server 2008
• SSTP is available in:
  – Windows Server 2008, Windows Vista, Windows 7
Using Remote Access Protocols (cont’d.)
Table 10-1 Communications technologies
Configuring a VPN Server
• Install Network Policy and Access Services role
• Configure a Microsoft Windows Server 2008 server as a network’s VPN server
  – Configure protocols to provide VPN access to clients
• Configure a VPN server as a DHCP Relay Agent for TCP/IP communications
• Configure the VPN server properties
• Configure a remote access policy for security
Configuring a VPN Server (cont’d.)
• Windows Server 2008 requires at least two network interfaces in the computer:
  – One for the connection to the LAN
  – One for a connection to the physical VPN network
• Activity 10-1: Installing Network Policy and Access Services
  – Objective: Learn how to install Routing and Remote Access Services
• Activity 10-2: Setting Up a VPN Server
  – Objective: Set up a VPN server
Configuring a VPN Server (cont’d.)
Table 10-2 Routing and remote access options
Configuring a VPN Server (cont’d.)
Table 10-3 Ports to open in the Windows Firewall for a VPN
Configuring a DHCP Relay Agent
• DHCP Relay Agent
  – Broadcasts IP configuration information
  – Use Routing and Remote Access tool to configure VPN server as a DHCP Relay Agent
• Activity 10-3: Configuring a DHCP Relay Agent
  – Objective: Set up a DHCP Relay Agent
• Activity 10-4: Additional DHCP Relay Agent Configuration
  – Objective: Configure the DHCP Relay Agent hop count
Configuring VPN Properties
• Routing and Remote Access tool
  – Right-click the VPN server in the tree
  – Click Properties
Figure 10-9 Configuring the interface properties (Courtesy Course Technology/Cengage Learning)
Configuring VPN Properties (cont’d.)
Figure 10-10 VPN server properties (Courtesy Course Technology/Cengage Learning)
Configuring VPN Properties (cont’d.)
Table 10-4 VPN server properties tabs
Configuring Multilink and Bandwidth Allocation Protocol
• Multilink
  – Combine or aggregate two or more communications channels so they appear as one large channel
  – Aggregated links
• Multilink must be implemented in the client as well as in the server
  – Older connection technology compared with DSL or wireless metropolitan area networks
• Bandwidth Allocation Protocol (BAP)
  – Ensure that a client’s connection has enough speed or bandwidth for a particular application
Configuring Multilink and Bandwidth Allocation Protocol (cont’d.)
• Windows Server 2008 version of Multilink PPP
  – Supports Bandwidth Allocation Control Protocol (BACP)
  – Selects a preferred client when two or more clients vie for the same bandwidth
• Activity 10-5: Using Multilink
  – Objective: Configure a VPN (or RAS) server to use Multilink
Configuring VPN Security
• When a user accesses a VPN server:
  – Access is protected by the account access security that already applies
    • Through a group policy or the default domain security policy
• Elements of a Remote Access Policy
  – Access permission
  – Conditions
  – Constraints
  – Settings
Configuring VPN Security (cont’d.)
• Establishing a Remote Access Policy
  – Use Routing and Remote Access tool
    • Accessed via Administrative Tools or as an MMC snap-in
• Activity 10-6: Configuring a Remote Access Policy
  – Objective: Configure a remote access policy
Configuring VPN Security (cont’d.)
Table 10-5 Authentication types
Figure 10-15 Encryption options (Courtesy Course Technology/Cengage Learning)
Configuring VPN Security (cont’d.)
Table 10-6 RAS encryption options
Configuring a Dial-Up Remote Access Server
• Dial-up remote access server compatible with:
  – Asynchronous modems
  – Synchronous modems
  – Null modem communications
  – Regular dial-up telephone lines
  – Leased telecommunication lines
  – ISDN lines (and digital “modems”)
  – X.25 lines
  – DSL lines
  – Cable modem lines
  – Frame relay lines
Configuring a Dial-Up Remote Access Server (cont’d.)
• Install RAS using Routing and Remote Access tool
  – Steps very similar to installing a VPN server
Configuring Dial-Up Security
• Callback security
  – Server calls back the remote computer
  – Verify telephone number in order to discourage a hacker
• Options available in Windows Server 2008:
  – No Callback
  – Set by Caller (Routing and Remote Access Service only)
  – Always Callback to
Configuring Dial-Up Security (cont’d.)
• Control network access permission
  – Allow access
  – Deny access
  – Control access through NPS Network Policy
    • Default selection
Configuring a Dial-Up Connection for a RAS Server
• Create other connections through the Network and Sharing Center
• Activity 10-7: Configuring a Dial-Up Network Connection
  – Objective: Configure a dial-up connection for a dial-up RAS server
Configuring Clients to Connect to RAS Through Dial-Up Access
• Common dial-up RAS clients
  – Windows 98, 2000, XP, Vista, and 7
• Access a dial-up RAS server from other operating systems
  – Configure a dial-up connection on those clients
Configuring Clients to Connect to RAS Through Dial-Up Access (cont’d.)
Figure 10-17 Configuring a dial-up connection (Courtesy Course Technology/Cengage Learning)
Troubleshooting VPN and Dial-Up RAS Installations
• Troubleshooting VPN or dial-up RAS server communications problems
  – Hardware and software troubleshooting tips
Hardware Solutions
• Use Device Manager to check network adapters, WAN adapters, and modems
• Make sure the telephone line is plugged in
• For external modems:
  – Make sure the modem cable is properly attached and that you are using the proper cable type
• For internal modems or adapter cards:
  – Check the connection inside the computer
Hardware Solutions (cont’d.)
• For a modem connection:
  – Test the telephone wall connection and cable
• For an external DSL adapter or a combined DSL adapter and router:
  – Ensure device is properly configured and connected
• Call your ISP to determine if problems are present on the ISP’s WAN
Software Solutions
• Use the Computer Management tool or Server Manager to verify status of:
  – Routing and Remote Access
  – Remote Access Auto Connection Manager
  – Remote Access Connection Manager services
• Ensure Windows Firewall is set up to allow remote access
• Make sure VPN or dial-up RAS server is enabled
• Check the remote access policy to be sure that access permission is granted
Software Solutions (cont’d.)
• Verify VPN or dial-up RAS server is started
• Check the network interface
• Ensure IP parameters are correctly configured to provide an address pool for either a VPN or dial-up RAS server
• If using a RADIUS server:
  – Ensure it is connected and working properly and that Internet Authentication Service (IAS) is installed
• Ensure the remote access policy is consistent with the users’ access needs
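The service checks from the Software Solutions slides, as an added Windows PowerShell example that is not part of the original slides. The short names RemoteAccess, RasMan and RasAuto are the Windows service names behind the three display names listed; accepting a stopped RasAuto is an assumption based on its on-demand start.

```powershell
# Added example, not from the original slides.
# Reports state and start mode of the three remote access services
# and flags the conditions that keep a VPN or dial-up RAS server from starting.
function Get-RemoteAccessServiceStatus {
    param([string]$ComputerName = '.')

    # MustRun = $false for RasAuto is an assumption: it normally starts on demand.
    $services = @(
        @{ Name = 'RemoteAccess'; Display = 'Routing and Remote Access';             MustRun = $true  },
        @{ Name = 'RasMan';       Display = 'Remote Access Connection Manager';      MustRun = $true  },
        @{ Name = 'RasAuto';      Display = 'Remote Access Auto Connection Manager'; MustRun = $false }
    )

    foreach ($svc in $services) {
        $filter = "Name='{0}'" -f $svc.Name
        $wmi = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter $filter

        if (-not $wmi) {
            $state = 'Missing'; $mode = 'n/a'
            $finding = 'Service not found; check that the role is installed'
        } elseif ($wmi.StartMode -eq 'Disabled') {
            $state = $wmi.State; $mode = $wmi.StartMode
            $finding = 'Start mode is Disabled; the service cannot be started'
        } elseif ($svc.MustRun -and $wmi.State -ne 'Running') {
            $state = $wmi.State; $mode = $wmi.StartMode
            $finding = 'Not running; start the server in Routing and Remote Access'
        } else {
            $state = $wmi.State; $mode = $wmi.StartMode
            $finding = 'OK'
        }

        New-Object PSObject -Property @{
            Service   = $svc.Display
            State     = $state
            StartMode = $mode
            Finding   = $finding
        }
    }
}

Get-RemoteAccessServiceStatus |
    Select-Object Service, State, StartMode, Finding |
    Format-Table -AutoSize
```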
Connecting Through Terminal Services
• Terminal server
  – Enables clients to run services and software applications on Windows Server 2008 instead of at the client
  – Enables thin clients to perform most CPU-intensive operations on the server
• Centralize control of how programs are used
• Install different role services for specific purposes:
  – TS Web Access
  – TS Gateway
Connecting Through Terminal Services (cont’d.)
Table 10-7 Terminal Services components
Connecting Through Terminal Services (cont’d.)
Table 10-8 Role services available through Terminal Services
Connecting Through Terminal Services (cont’d.)
• RemoteApp
  – New feature
  – Enables a client to run an application without loading a remote desktop on the client computer
• TS Gateway
  – Provides a secure way to use Terminal Services over the Internet
Installing Terminal Services
• Install TS Licensing role service
  – Manage terminal server user licenses obtained from Microsoft
  – Licenses can be purchased either per user account or by client device
• Network Level Authentication (NLA)
  – Enables authentication to take place before the Terminal Services connection is established
  – Thwarts would-be attackers
• Create groups of user accounts in advance
  – Add these groups during installation
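One way to confirm that NLA is actually enforced on a terminal server, as an added Windows PowerShell example that is not part of the original slides. It assumes the default RDP-Tcp listener and the standard registry locations for the local setting and for the Group Policy override.

```powershell
# Added example, not from the original slides.
# Works out the effective NLA setting: a Group Policy value, when present,
# overrides the value configured on the local RDP-Tcp listener.
function Get-NlaStatus {
    # Assumed: default listener name (RDP-Tcp) and standard registry paths.
    $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $name      = 'UserAuthentication'   # 1 = NLA required, 0 or absent = not required

    $effective = 0
    $source    = 'Default (value not set)'

    # Read the local listener first, then let a policy value replace it.
    $locations = @(
        @{ Key = $localKey;  Label = 'Local listener setting' },
        @{ Key = $policyKey; Label = 'Group Policy' }
    )
    foreach ($loc in $locations) {
        $item = Get-ItemProperty -Path $loc.Key -Name $name -ErrorAction SilentlyContinue
        if ($item -ne $null) {
            $effective = [int]$item.$name
            $source    = $loc.Label
        }
    }

    if ($effective -eq 1) {
        $finding = 'NLA required: users authenticate before a session is created'
    } else {
        $finding = 'NLA not required: the logon screen is reachable before authentication'
    }

    New-Object PSObject -Property @{
        NlaRequired = ($effective -eq 1)
        Source      = $source
        Finding     = $finding
    }
}

Get-NlaStatus | Select-Object NlaRequired, Source, Finding | Format-List
```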
Installing Terminal Services (cont’d.)
• Activity 10-8: Installing Terminal Services
  – Objective: Learn how to install the Terminal Services role
Configuring Terminal Services
• Activity 10-9: Configuring Terminal Services
  – Objective: Configure a terminal server
Configuring Terminal Services (cont’d.)
Table 10-11 Terminal Services permissions
Managing Terminal Services
• Terminal Services Manager
  – Monitor the number of users connected to the terminal server
  – Add additional terminal servers to monitor
  – Determine if a user session is active
  – Determine which programs are running in a user’s session
  – Disconnect a user’s session or log off a user
  – Reset a connection that is having trouble
  – Send a message to a user
Managing Terminal Services (cont’d.)
• Activity 10-10: Using Terminal Services Manager
  – Objective: Use Terminal Services Manager
Configuring Licensing
• Activate Terminal Services licensing server
• Configure licensing using TS Licensing Manager
• Activity 10-11: Using the TS Licensing Manager
  – Objective: Use TS Licensing Manager
Accessing a Terminal Server from a Client
• Remote Desktop Connection (RDC)
  – Client already installed in Windows 7, Windows Vista, Windows Server 2008, and Windows XP
• Activity 10-12 (optional): Configuring Authentication in Windows Vista or Windows 7
  – Objective: Configure NLA authentication in Windows Vista or Windows 7
Installing Applications on a Terminal Server
• Might need to reinstall some applications that were installed before the Terminal Services role
• Use Control Panel to uninstall them
• Reinstall applications
  – In Control Panel Home view, click Programs
  – Click Install Application on Terminal Server
Summary
• Routing and Remote Access Services includes
  – Virtual private network (VPN) and dial-up services
• Remote access protocols include:
  – SLIP, CSLIP, PPP, PPTP, L2TP, and SSTP
• Use Server Manager to install the Network Policy and Access Services role
• VPN has many properties that can be configured
  – Configure a remote access policy to govern how a VPN server is accessed
Summary (cont’d.)
• When you configure dial-up remote access
  – Also configure a DHCP Relay Agent, Multilink (if used), and a remote access policy for security
• Use Server Manager to install the Terminal Services role
  – Configure Terminal Services client access licenses