8/10/2019 MOAC 70-687 L18 RDC
Using BranchCache
Lesson 18: Configuring Remote Connections
2013 John Wiley & Sons, Inc. 2
BranchCache
BranchCache is a feature in Windows 8 and Windows Server 2012 that enables networks with computers at remote locations to conserve bandwidth by storing frequently accessed files on local drives.
Understanding Network Infrastructure Requirements
To use BranchCache, you must have:
o A server running Windows Server 2008 R2 or Windows Server 2012 at the main office
o Computers running Windows Server 2008 R2, Windows Server 2012, Windows 7, or Windows 8 at the branch office
Understanding BranchCache Communications
This is the BranchCache communications process:
1. Client request (BranchCache)
2. Server reply (metadata)
3. Client cache check
4. Caching computer reply
5. Client request (non-BranchCache)
6. Server reply (data)
7. Client data cache
Understanding Content Information Versions
Any BranchCache implementation that includes one or more computers running Windows Server 2008 R2 or Windows 7 in any role is said to use content information version 1, or V1.
If all the computers involved in the BranchCache transactions are running Windows Server 2012 or Windows 8, the implementation can use content information version 2, or V2.
Understanding Content Information Versions
The Hash Version support for BranchCache policy setting
Configuring BranchCache Settings
To implement BranchCache on your network, install the appropriate modules on your server(s) and configure Group Policy settings on both servers and clients.
BranchCache requires a minimum of one content server and one or more branch office workstations.
You can install additional content servers at any location that serves files to branch offices.
Configuring a Content Server
Once you have installed the required BranchCache modules, configure a Group Policy setting called Hash Publication for BranchCache.
This setting is located in the Computer Configuration\Policies\Administrative Templates\Network\Lanman Server node of a Group Policy object (GPO) or in Local Computer Policy.
The Hash Publication for BranchCache setting enables the server to respond to file requests from BranchCache clients with metadata instead of the files themselves.
Configuring a Content Server
The Hash Publication for BranchCache setting in Group Policy
Configuring a Content Server
A share's Properties sheet in Windows Server 2012 Server Manager
Configuring BranchCache Clients
To configure BranchCache clients, configure the appropriate Group Policy settings.
These are found in the Computer Configuration\Policies\Administrative Templates\Network\BranchCache node of a GPO or in Local Computer Policy.
Configuring BranchCache Clients
The BranchCache settings in Group Policy
BranchCache Group Policy Settings
These are the BranchCache Group Policy settings:
o Turn on BranchCache
o Set BranchCache Distributed Cache mode
o Set BranchCache Hosted Cache mode
o Enable Automatic Hosted Cache Discovery by Service Connection Point
o Configure Hosted Cache Servers
o Configure BranchCache for network files
o Set percentage of disk space used for client computer cache
o Set age for segments in the data cache
o Configure Client BranchCache Version Support
Configuring a Hosted Cache Mode Server
To use hosted cache mode on your branch office network, you must have a server running Windows Server 2012 or Windows Server 2008 R2 with the BranchCache feature installed.
You must also configure the Turn on BranchCache and Set BranchCache Hosted Cache mode Group Policy settings.
The hosted cache mode server must also have a digital certificate issued by a certification authority (CA) that the BranchCache clients trust.
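The content server, client and hosted cache settings described on the preceding slides can also be applied and verified from PowerShell. The script below is an added example, not part of the MOAC text; the share path, share name, and the hosted cache server name HC01.corp.example are placeholder values, and the property names used in the final verification step are those I expect from the BranchCache module's Get-BCStatus output.

```powershell
# Added example (not from the MOAC text): configure a Windows Server 2012 content
# server and a Windows 8 branch-office client for BranchCache from PowerShell.
# Placeholder names: C:\Shares\Projects, the share 'Projects', HC01.corp.example.

# --- Content server (main office) ---
# "BranchCache for Network Files" is the role service the Hash Publication policy
# relies on. Share a folder with BranchCache caching enabled for it.
Install-WindowsFeature FS-BranchCache
New-SmbShare -Name 'Projects' -Path 'C:\Shares\Projects' -CachingMode BranchCache

# Hash Publication for BranchCache is set through Group Policy (Computer
# Configuration\Policies\Administrative Templates\Network\Lanman Server).
# Reading the applied policy value back confirms the GPO reached the server:
# 1 = allow hash publication for all shares, 2 = only for BranchCache-enabled shares.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer' `
    -Name HashPublicationForPeerCaching -ErrorAction SilentlyContinue

# --- Branch-office client (distributed cache mode) ---
# Local equivalent of "Turn on BranchCache" + "Set BranchCache Distributed Cache mode"
# for a machine that does not receive the settings from a GPO.
Enable-BCDistributed
Set-BCCache -Percentage 10                 # disk space used for the client cache
Set-BCDataCacheEntryMaxAge -TimeDays 28    # age for segments in the data cache

# --- Alternative: hosted cache mode ---
# On the branch-office server, enable the hosted cache and publish a service
# connection point so clients can find it ("Enable Automatic Hosted Cache Discovery").
# The server certificate the slide requires is bound separately and is not shown here.
# Enable-BCHostedServer -RegisterSCP
# On each client, either rely on SCP discovery or name the server explicitly:
# Enable-BCHostedClient -ServerNames 'HC01.corp.example'

# --- Verification on any BranchCache computer ---
$status = Get-BCStatus
$status | Select-Object BranchCacheIsEnabled, BranchCacheServiceStatus
Get-BCClientConfiguration     # shows the active client mode (Distributed/Hosted)
Get-BCDataCache               # shows the cache size limit and current usage
```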
Using Remote Network Connections
Lesson 18: Configuring Remote Connections
Understanding Virtual Private Networking
A dial-up connection is a dedicated link between the two modems that remains in place during the entire session.
The client and the server establish a Point-to-Point Protocol (PPP) connection, during which the server authenticates the client and the computers negotiate a set of communication parameters they have in common.
In a virtual private network (VPN) connection, the remote client and the remote access server are both connected to the Internet, using local service providers.
Understanding Virtual Private Networking
A dial-up remote access connection
Understanding Virtual Private Networking
A VPN remote access connection
Tunneling
In the tunneling process, the two computers establish a PPP connection, just as they would in a dial-up connection, but instead of transmitting the PPP packets over the Internet as they are, they encapsulate the packets again using one of the VPN protocols supported by the Windows operating systems.
The original PPP data packet generated by the computer consists of a network layer IP datagram, encapsulated within a data-link layer PPP frame.
The system then encapsulates the entire frame in another IP datagram, which the VPN protocol encrypts and encapsulates one more time, for transmission over the network.
Tunneling
VPN protocol encapsulation
VPN Protocols
These are the VPN protocols that Windows 8 supports:
o Point-to-Point Tunneling Protocol (PPTP)
o Layer 2 Tunneling Protocol (L2TP)
o Secure Socket Tunneling Protocol (SSTP)
o Internet Key Exchange, Version 2 (IKEv2)
Point-to-Point Tunneling Protocol (PPTP)
The oldest and least secure of the VPN protocols, PPTP takes advantage of the authentication, compression, and encryption mechanisms of PPP, tunneling the PPP frame within a Generic Routing Encapsulation (GRE) header and encrypting it with Microsoft Point-to-Point Encryption (MPPE), using encryption keys generated during the authentication process.
For authentication, PPTP supports only the Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1), Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), Extensible Authentication Protocol (EAP), or Protected Extensible Authentication Protocol (PEAP).
Layer 2 Tunneling Protocol (L2TP)
L2TP relies on the IP security extensions (IPsec) for encryption and performs a double encapsulation.
The system adds an L2TP header to the PPP frame and packages it with the User Datagram Protocol (UDP).
Then it encapsulates the UDP datagram with the IPsec Encapsulating Security Payload (ESP) protocol, encrypting the contents using the Data Encryption Standard (DES) or Triple DES (3DES) algorithm, with encryption keys generated during IPsec's Internet Key Exchange (IKE) negotiation process.
L2TP/IPsec can use certificates or preshared keys for authentication, although administrators typically use the latter only for testing.
Secure Socket Tunneling Protocol (SSTP)
Introduced in Windows Server 2008 and supported only by clients running Windows Vista SP1 or later, SSTP encapsulates PPP traffic using the Secure Sockets Layer (SSL) protocol supported by virtually all web servers.
SSTP uses certificates for authentication, with the EAP-TLS authentication protocol, and in addition to data encryption, provides integrity checking and enhanced key negotiation services.
Internet Key Exchange, Version 2 (IKEv2)
Internet Key Exchange Version 2 (IKEv2):
o Was first introduced in Windows 7 and Windows Server 2008 R2.
o Uses TCP port 500.
o Provides support for IPv6 and the new VPN Reconnect feature, as well as authentication by EAP, using PEAP, EAP-MSCHAPv2, or smart cards.
o Does not support the older authentication mechanisms, such as PAP and CHAP.
Authenticating Remote Users
In Windows 8, you configure the authentication method a VPN connection uses on the Security tab of the connection's Properties sheet. These are the options:
o Use Extensible Authentication Protocol (EAP)
o Allow these protocols
Authenticating Remote Users
The Security tab of a connection's Properties sheet
Creating a VPN Connection
To connect a computer running Windows 8 to a remote access server, you must create a new VPN or dial-up connection.
In Windows 8, the Network Connections window contains a connection for every network interface adapter installed in the computer.
The Windows installation program creates these connections automatically, but to connect to a dial-up or VPN server, you must create additional connections manually.
Create a VPN Connection
The Choose a connection option page
Create a VPN Connection
The How do you want to connect? page
Create a VPN Connection
The Type the Internet address to connect to page
Create a VPN Connection
The Networks pane
Create a VPN Connection
The Network Authentication pane
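The wizard pages shown above have a scriptable equivalent in the Windows 8 VpnClient module, which also lets you pick the tunnel type and authentication method discussed on the protocol slides explicitly rather than accepting the Automatic default. This is an added example, not from the MOAC text; the connection names and vpn.corp.example are placeholders, and I assume that -AuthenticationMethod Eap without an EAP XML stream selects the default EAP-MSCHAPv2 method.

```powershell
# Added example (not from the MOAC text): create and inspect a VPN connection on
# Windows 8 with the VpnClient module instead of the Set Up a Connection wizard.
# Placeholder values: connection names and the server name vpn.corp.example.

$name   = 'Corp IKEv2'
$server = 'vpn.corp.example'

# IKEv2 with EAP user authentication and encryption required. IKEv2 (or SSTP) is
# the choice to prefer over PPTP, which the lesson calls the least secure protocol.
# Assumption: with no -EapConfigXmlStream, the default EAP-MSCHAPv2 method is used.
Add-VpnConnection -Name $name -ServerAddress $server `
    -TunnelType Ikev2 -AuthenticationMethod Eap `
    -EncryptionLevel Required -RememberCredential:$false -PassThru

# L2TP/IPsec variant for a lab. The lesson notes that administrators use a
# preshared key only for testing; in production omit -L2tpPsk and authenticate
# the computers with certificates instead.
# Add-VpnConnection -Name 'Corp L2TP test' -ServerAddress $server `
#     -TunnelType L2tp -L2tpPsk 'TestOnlyKey' -AuthenticationMethod MSChapv2 `
#     -EncryptionLevel Required -Force

# Read back what was stored: the tunnel type, authentication method and
# encryption level correspond to the Security tab of the Properties sheet.
Get-VpnConnection -Name $name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Dial and hang up from the command line (rasdial prompts for credentials).
rasdial $name
# rasdial $name /disconnect
```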
Using VPN Reconnect
Windows 8 includes a feature called VPN Reconnect, based on the IKEv2 Mobility and Multihoming (MOBIKE) protocol, which enables a computer to reconnect to a VPN server automatically, after an interruption as long as eight hours.
To configure VPN Reconnect, you open the Properties sheet for a VPN connection, click the Security tab, and click Advanced settings.
In the Advanced Properties dialog box that appears, click the IKEv2 tab and select the Mobility check box.
Using VPN Reconnect
Enabling VPN Reconnect
Network Access Protection (NAP)
NAP is a component of the Network Policy and Access Services role in Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008. It is designed to prevent potentially dangerous clients, local or remote, from connecting to the network.
Creating a Broadband Connection
While many Internet Service Providers (ISPs) offer broadband services that provide always-on connections to the Internet, some still offer metered connections that require users to log on and log off.
Windows 8 provides wizard options that enable you to create a broadband connection that you can activate and deactivate at will.
Create a Broadband Connection
The Type the information from your Internet Service Provider (ISP) page
Create a Broadband Connection
The The connection to the Internet is ready to use page
Create a Broadband Connection
The Networks display
Using Remote Desktop
Windows Server 2012 includes a role called Remote Desktop Services, which provides clients with access to server resources in a variety of ways.
The Remote Desktop Session Host role service functions much like the Remote Desktop Services service in Windows 8, except that it can provide multiple (licensed) users with access to the server desktop.
DirectAccess
DirectAccess is a feature in Windows 8 and Windows Server 2012 that enables remote users to automatically connect to the company network whenever they have Internet access.
DirectAccess Benefits
Designed as a replacement for VPNs, DirectAccess eliminates the need for client users to manually establish wide area connections to their networks.
DirectAccess provides many other benefits to users and administrators, including:
o Bidirectional
o Encrypted
o Authenticated
o Authorized
o Verified
Understanding the DirectAccess Infrastructure
The DirectAccess implementation in Windows 8 and Windows Server 2012 includes a number of improvements over the Windows 7/Windows Server 2008 R2 version, including the ability for DirectAccess to coexist on the same server with the Routing and Remote Access Service (RRAS) that provides VPN server services.
Understanding the DirectAccess Infrastructure
DirectAccess is heavily reliant on IPv6. IPv6 is not yet deployed universally, however. Many networks still rely on IPv4, most notably the Internet. Therefore, DirectAccess also relies on a variety of transition technologies that enable IPv4 networks to carry IPv6 traffic:
o 6to4
o Teredo
o IP-HTTPS
o Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
o Network Address Translation/Protocol Translation (NAT-PT)
DirectAccess and IPsec
IPsec is a collection of IP extensions that provide additional security for network communications.
DirectAccess relies on IPsec for authentication of users and computers and for encryption of the data exchanged by clients and servers.
DirectAccess and IPsec
DirectAccess: The end-to-end access model
DirectAccess and IPsec
DirectAccess: The end-to-edge access model
DirectAccess and IPsec
DirectAccess: The modified end-to-edge access model
DirectAccess Server Requirements
The DirectAccess server must be running Windows Server 2012 and must also have:
o Membership in an AD DS domain
o At least one network interface adapter installed
o A direct connection to the Internet (that does not use NAT or a similar technology)
o A direct connection to the company intranet
o The Group Policy Management feature installed
DirectAccess Client Requirements
DirectAccess clients must be running Windows 8 Enterprise, Windows 7 Enterprise or Ultimate, Windows Server 2012, or Windows Server 2008 R2, and they must be joined to the same domain as the DirectAccess server.
You must deploy the client computers on the company network first, so they can join the domain and receive certificates and Group Policy settings, before you send them out into the field.
Establishing a DirectAccess Connection
These are the individual steps of the connection process:
1. The client attempts to connect to a designated network detection server on the intranet.
2. The client connects to the DirectAccess server on the host network using IPv6.
3. The client and the DirectAccess server authenticate each other using their computer certificates.
4. The client establishes a second connection through the DirectAccess server to the domain controller and performs a standard AD DS user authentication, using NTLMv2 credentials and the Kerberos V5 authentication protocol.
5. The DirectAccess server uses AD DS group memberships to authorize the client computer and user to access the intranet.
6. If required, the client submits a health certificate to a Network Policy Server (NPS) on the host network, to verify its compliance with existing policies.
7. The client begins to access application servers and other resources in the intranet, using the DirectAccess server as a gateway.
Configuring DirectAccess
The process of installing and configuring DirectAccess is much simpler in Windows Server 2012, requiring only that you install the Remote Access role and run a simple configuration wizard.
The wizard then configures the server and creates the Group Policy settings needed to configure the DirectAccess clients.
Configuring DirectAccess
The DirectAccess prerequisite check
Configuring DirectAccess
The Remote Access Management Console
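The Remote Access role installation and wizard run described on the Configuring DirectAccess slides, together with a client-side check of the connection process, can be driven from PowerShell as well. This is an added example, not from the MOAC text; da.corp.example, the adapter names Internet and Intranet, and the group corp.example\DA Clients are placeholders, and I assume the domain\name format for the security group argument.

```powershell
# Added example (not from the MOAC text): deploy a single Windows Server 2012
# DirectAccess server and verify a Windows 8 Enterprise client from PowerShell.
# Placeholder values: da.corp.example, adapters 'Internet'/'Intranet', group 'DA Clients'.

# --- On the DirectAccess server (domain member, Internet + intranet adapters) ---
# The management tools include the Group Policy Management feature the server needs.
Install-WindowsFeature RemoteAccess -IncludeManagementTools

# Full deployment: the cmdlet does what the Getting Started wizard does, configuring
# the server and creating the client and server GPOs. -ConnectToAddress is the
# public name clients use; no -DeployNat, since the lesson requires a direct
# Internet connection without NAT.
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress 'da.corp.example' `
    -InternetInterface 'Internet' -InternalInterface 'Intranet'

# Limit the client GPO to a security group rather than every domain computer,
# so only computers staged on the company network (joined, with certificates
# and policy applied) become DirectAccess clients.
# Assumption: the security group is given as domain\group.
Add-DAClient -SecurityGroupNameList 'corp.example\DA Clients'

# Scriptable counterpart of the prerequisite check and the dashboard in the
# Remote Access Management Console.
Get-RemoteAccess
Get-DAServer
Get-DAClient
Get-RemoteAccessHealth

# --- On a Windows 8 Enterprise client after the GPO has applied ---
# Reports whether the client detected the intranet (step 1, network detection
# server reachable) or is connected remotely through the DirectAccess server.
Get-DAConnectionStatus
```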