Figure 10-6 DirectAccess console
2. Select the Setup node. In the details pane, in the Remote Clients area, click Configure. This opens the DirectAccess Client Setup dialog box. Click Add and then specify the name of the security groups to which you add computer accounts when you want to grant access to DirectAccess to specific clients running Windows 7. These groups can have any names. The one in Figure 10-7 is called DA_Clients.
Figure 10-7 DirectAccess client groups
3. Use the DirectAccess Server Setup item to specify which interface is connected to the Internet and which interface is connected to the internal network. Performing this step enables IPv6 transition technologies on the DirectAccess server, as shown in Figure 10-8. You also use this item to specify the CA that client certificates must ultimately come from, either directly or through a subordinate CA, and the server certificate used to secure IP-HTTPS traffic.
Figure 10-8 DirectAccess Server Setup
4. On the Infrastructure Server Setup page, you specify the location of the internal Web site (known as the Network Location Server) that DirectAccess clients attempt to contact to determine whether they are connected to the corporate intranet or to a remote location. You must secure this Web site with a Web server certificate, as shown in Figure 10-9. You also use this dialog box to specify which DNS servers and domain controllers the DirectAccess clients are able to contact for authentication purposes.
5. The final step involves specifying which resources on the corporate intranet are accessible to DirectAccess clients. The default setting is to allow access to all resources. In more secure environments, it is possible to use isolation policies to limit contact to the members of specific security groups. For example, you might create a security group and add the computer accounts of some file servers and mail servers, but not others.
6. When you click Finish, DirectAccess interfaces with a domain controller and creates two new GPOs in the domain. The first is targeted at the security groups that contain the computer accounts of DirectAccess clients. The second is targeted at the DirectAccess server itself. You can see these GPOs in Figure 10-10.
Figure 10-9 Specifying the network location server
Figure 10-10 DirectAccess GPOs
DirectAccess relies upon several other components in a Windows Server 2008 R2 network infrastructure. The domain in which you install the DirectAccess server must also have the following:
• At least one domain controller running Windows Server 2008 R2 and a DNS server on the internal network
• A server running Windows Server 2008 with Active Directory certificates installed, either as an enterprise root CA or an enterprise subordinate CA
To make internal network resources available to remote DirectAccess clients, you need to do one of the following:
• Ensure that all internal resources that will be accessed by DirectAccess support IPv6.
• Deploy ISATAP on the intranet. ISATAP allows intranet servers and applications to be reached by tunneling IPv6 traffic over an IPv4 intranet.
• Deploy a NAT-PT device. NAT-PT devices allow hosts that support only IPv4 addresses to be accessible to DirectAccess clients using IPv6.
All application servers that DirectAccess clients access need to allow ICMPv6 traffic in Windows Firewall with Advanced Security (WFAS). You can accomplish this by enabling the following firewall rules using Group Policy:
• Echo Request – ICMPv6-in
• Echo Request – ICMPv6-out
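The book enables the two Echo Request rules through Group Policy. The following script is an added example, not the book's own material, that does the equivalent locally with netsh advfirewall on a single application server and then verifies that both rules report as enabled; it is useful in a lab or when checking one server that DirectAccess clients cannot reach. The rule names are assumptions chosen to match the book's wording, and the script assumes an elevated PowerShell prompt on the server.

```powershell
# Added example (not the book's code): enable ICMPv6 Echo Request in and out in
# WFAS on an application server that DirectAccess clients reach, then verify.
# The rule names below are assumptions matching the book's wording.
# Run from an elevated PowerShell prompt.

$rules = @(
    @{ Name = 'Echo Request - ICMPv6-In';  Dir = 'in'  },
    @{ Name = 'Echo Request - ICMPv6-Out'; Dir = 'out' }
)

foreach ($r in $rules) {
    $existing = & netsh advfirewall firewall show rule "name=$($r.Name)"
    if ("$existing" -match 'No rules match') {
        # ICMPv6 type 128 (Echo Request), any code; limited to the domain profile,
        # which is the profile an intranet application server normally runs in.
        $add = @('advfirewall', 'firewall', 'add', 'rule',
                 "name=$($r.Name)", "dir=$($r.Dir)", 'action=allow',
                 'protocol=icmpv6:128,any', 'profile=domain', 'enable=yes')
        & netsh @add | Out-Null
    } else {
        # Rule already present (for example, created by policy): just make sure it is on.
        & netsh advfirewall firewall set rule "name=$($r.Name)" new enable=yes | Out-Null
    }
}

# Verification: netsh prints "Enabled: Yes" for each rule that is switched on.
foreach ($r in $rules) {
    $out = & netsh advfirewall firewall show rule "name=$($r.Name)"
    $on  = [bool]($out | Select-String -Pattern '^Enabled:\s+Yes' -Quiet)
    "{0,-28} enabled={1}" -f $r.Name, $on
}
```

The verification step is the part worth keeping even where the rules come from Group Policy: a server that lacks an enabled ICMPv6 Echo Request rule is unreachable to DirectAccess clients even though every other rule is correct, and the symptom looks like a routing problem rather than a firewall one.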
The following ports on an organization’s external firewall must be open to support DirectAccess:
• UDP port 3544: Enables Teredo traffic.
• IPv4 protocol 41: Enables 6to4 traffic.
• TCP port 443: Allows IP-HTTPS traffic.
• ICMPv6 and IPv4 protocol 50: Required when remote clients have IPv6 addresses.
EXAM TIP
Remember which conditions necessitate the use of Teredo, 6to4, and IP-HTTPS on DirectAccess clients.
Practice Configure DirectAccess with Netsh
DirectAccess requires a Windows Server 2008 R2 network infrastructure, so it is not possible to simulate DirectAccess on a client running Windows 7 without also having access to several servers running Windows Server 2008 R2. In this practice, you simulate manually configuring different IPv6 DirectAccess components using Netsh.
Exercise 1 Netsh DirectAccess Configuration
In this exercise, you simulate setting DirectAccess policies using the Netsh command-line utility. In reality, DirectAccess configuration comes through Group Policy, though there may be circumstances, such as when a client has been out of the office for some time and the DirectAccess server address has changed, in which you need to perform this type of manual configuration.
1. Log on to computer Canberra using the Kim_Akers user account and open an elevated command prompt.
2. Enter each of the following commands and press Enter:
Netsh interface ipv6 set teredo enterpriseclient 131.107.0.5
Netsh interface 6to4 set relay 131.107.0.5
3. Now enter the following diagnostic commands and press Enter after each one to verify that the correct configuration was set. The configuration should match the IP address 131.107.0.5:
Netsh interface 6to4 show relay
Netsh interface ipv6 show teredo
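Steps 2 and 3 of the exercise set two addresses and then ask you to read the netsh output by eye. As an added example that is not part of the book's exercise, the script below applies the same two settings and then parses the two show commands so that the check in step 3 is mechanical. It assumes an elevated PowerShell prompt on the client (Canberra in the exercise) and uses the exercise's address, 131.107.0.5; the function name Test-NetshAddress is an assumption.

```powershell
# Added example (not the book's code): apply the exercise's two netsh settings
# and verify them by parsing the 'show' output. 131.107.0.5 is the address used
# in the exercise. Run from an elevated PowerShell prompt on the client.

$expected = '131.107.0.5'

& netsh interface ipv6 set teredo enterpriseclient $expected | Out-Null
& netsh interface 6to4 set relay $expected | Out-Null

function Test-NetshAddress {
    param([string[]]$ShowCommand, [string]$Expected, [string]$Label)
    $out = & netsh @ShowCommand
    # Match the whole dotted quad so that, say, 131.107.0.50 does not pass.
    $pattern = '(^|[\s:])' + [regex]::Escape($Expected) + '(\s|$)'
    $ok = [bool]($out | Select-String -Pattern $pattern -Quiet)
    Write-Host ("{0,-14} {1}" -f $Label, $(if ($ok) { "OK ($Expected)" } else { 'MISMATCH' }))
    return $ok
}

$checks = @(
    (Test-NetshAddress -ShowCommand 'interface','6to4','show','relay'  -Expected $expected -Label '6to4 relay'),
    (Test-NetshAddress -ShowCommand 'interface','ipv6','show','teredo' -Expected $expected -Label 'Teredo server')
)

# Non-zero exit code when either setting did not take, for use from a script.
if ($checks -contains $false) { exit 1 }
```

The `show` output is matched as a whole address rather than a substring, so a stale or mistyped value that merely contains the expected digits is reported as a mismatch instead of passing silently.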
Lesson Summary
• DirectAccess allows a client running Windows 7 Enterprise or Ultimate edition to connect automatically to a corporate intranet when an active Internet connection is established, without requiring user intervention.
• If a client running Windows 7 has a public IPv6 address, a direct IPv6 connection is made. If the client has a public IPv4 address, a connection is made using the 6to4 transition technology. If the client has a private IPv4 address, a connection is made using the Teredo transition technology. If the client has a private IPv4 address and is behind a firewall that restricts most forms of network traffic, a connection using IP-HTTPS is made.
• DirectAccess clients require computer certificates from a CA that is trusted by the DirectAccess server. The DirectAccess server requires a certificate from a CA trusted by the DirectAccess client.
• DirectAccess clients must be members of an AD DS domain. DirectAccess clients must also be members of a special domain security group that is configured during the setup of the DirectAccess server.
• A DirectAccess server must run Windows Server 2008 R2. A domain controller running Windows Server 2008 R2 and a DNS server must also be present on the internal network to support DirectAccess.
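The second summary point above is a small decision procedure: the client's address type, plus whether a restrictive firewall sits in front of it, determines which transition technology is used. The function below is an added example, not the book's code, that applies those rules to a given address so you can test your own reasoning against constructed scenarios. It models the decision only (a real client decides from its interface and connectivity state); the function names and the -FirewallRestricted switch, which stands in for "behind a firewall that restricts most forms of network traffic", are assumptions.

```powershell
# Added example, not from the book: applies the lesson summary's selection
# rules to a client address. -FirewallRestricted is an assumed stand-in for
# "behind a firewall that restricts most forms of network traffic".

function Test-PrivateIPv4 {
    param([byte[]]$Bytes)
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    return ($Bytes[0] -eq 10) -or
           ($Bytes[0] -eq 172 -and $Bytes[1] -ge 16 -and $Bytes[1] -le 31) -or
           ($Bytes[0] -eq 192 -and $Bytes[1] -eq 168)
}

function Get-DirectAccessTransition {
    param(
        [Parameter(Mandatory = $true)][string]$Address,
        [switch]$FirewallRestricted
    )
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) {
        throw "Not a valid IP address: $Address"
    }
    $bytes = $ip.GetAddressBytes()

    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        # Global unicast IPv6 (2000::/3) connects natively; link-local (fe80::/10)
        # and unique local (fc00::/7) addresses are not globally routable.
        if ($bytes[0] -ge 0x20 -and $bytes[0] -le 0x3F) { return 'Native IPv6' }
        return 'Not globally routable IPv6; evaluate the IPv4 address instead'
    }

    if (-not (Test-PrivateIPv4 $bytes)) { return '6to4' }      # public IPv4
    if ($FirewallRestricted)             { return 'IP-HTTPS' }  # private IPv4, restrictive firewall
    return 'Teredo'                                             # private IPv4 behind NAT
}

# Constructed scenarios (not from the book), including a hotel-style private
# network behind a firewall that allows only a few outbound ports.
$scenarios = @(
    @{ Address = '2001:db8::10';  Restricted = $false },
    @{ Address = '203.0.113.7';   Restricted = $false },
    @{ Address = '192.168.10.20'; Restricted = $false },
    @{ Address = '10.0.10.15';    Restricted = $true  }
)
foreach ($s in $scenarios) {
    $method = Get-DirectAccessTransition -Address $s.Address -FirewallRestricted:($s.Restricted)
    "{0,-16} restricted={1,-5} -> {2}" -f $s.Address, $s.Restricted, $method
}
```

The order of the checks matters: the IPv4 public/private test comes before the firewall test because, in the summary's rules, a restrictive firewall only changes the outcome for a client that would otherwise use Teredo.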
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1, “Managing DirectAccess.” The questions are also available on the companion DVD if you prefer to review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book.
1. A client running Windows 7 is connecting to a hotel network. Clients on the hotel network are assigned IP addresses in the 10.0.10.0/24 range. The hotel firewall blocks all traffic except that on ports 25, 80, and 443. Which DirectAccess connectivity method does the client use to make the connection?
A. Teredo
B. 6to4
C. Globally routable IPv6 address
D. IP-HTTPS
2. You have 10 stand-alone laptop computers running Windows 7 Professional. You want to configure these computers so that they can use DirectAccess to access the internal network when users connect to remote networks. Your internal network has a Windows Server 2008 R2 functional level domain. Which of the following steps must you take before you can accomplish this goal? (Choose all that apply.)
A. Upgrade the computers to Windows 7 Ultimate
B. Join the computers to the domain
C. Configure AppLocker policies
D. Configure BranchCache policies
3. Which of the following computers can you configure as a DirectAccess server?
A. A server running Windows Server 2008 R2 with two network adapters that has been assigned two consecutive public IPv4 addresses
B. A server running Windows Server 2008 R2 with one network adapter that has been assigned two consecutive public IPv4 addresses
C. A server running Windows Server 2008 R2 with two network adapters that has been assigned one public IPv4 address
D. A server running Windows Server 2008 R2 with one network adapter that has been assigned one public IPv4 address
4. Kim Akers, who uses the Kim_Akers user account, has been using a computer running Windows 7 Enterprise named Laptop-122 with DirectAccess to access the internal corporate network when working remotely. Laptop-122 is a member of the Direct_Access domain security group. Laptop-122 has developed a fault and Kim has been given Laptop-123, which also runs Windows 7 Enterprise and is joined to the Contoso internal domain. When Kim is working remotely, she is unable to connect to the internal network. Which of the following steps should you take to resolve this problem?
A. Add the computer account for Laptop-123 to the Direct_Access group in the domain
B. Add the computer account for Laptop-123 to the Direct_Access group on Laptop-123
C. Add the Kim_Akers user account to the Direct_Access group in the domain
D. Add the Kim_Akers user account to the Direct_Access local group on Laptop-123
5. Your client running Windows 7 is connected to a hotel network, has an address on the 192.168.10.0/24 network, and is located behind a Network Address Translation (NAT) device. The network blocks all outbound traffic except that on ports 80 and 443. You want the address of the DirectAccess IP-HTTPS server to be set correctly. Which of the following commands could you use?
A. ipconfig
B. netsh interface 6to4 show relay
C. netsh interface ipv6 show teredo
D. netsh interface httpstunnel show interfaces
Lesson 2: Remote Connections
Although not every edition of Windows 7 supports DirectAccess, every edition of Windows 7 supports VPN using the PPTP, L2TP/IPsec, SSTP, and IKEv2 protocols. Traditional VPN technology is important because, except for IKEv2, these technologies are compatible with existing remote access infrastructures and do not require an organization to upgrade any servers to Windows Server 2008 R2. PPTP and L2TP/IPsec VPNs are also compatible with third-party remote access solutions. This is important if your organization does not rely upon a Windows Server remote access infrastructure. In this lesson, you learn how to deal with clients that have been restricted to NAP quarantine and how to configure the Remote Desktop Client to access Remote Desktop Services servers on a protected internal network without having to configure a VPN connection.
After this lesson, you will be able to:
• Establish VPN connections
• Configure VPN authentication
• Set up VPN Reconnect
• Manage VPN security auditing
• Configure NAP quarantine remediation
Estimated lesson time: 40 minutes
Virtual Private Networks
VPNs allow people to make connections to remote networks over the Internet. VPN users can access resources on the LAN such as e-mail, shared folders, printers, databases, and calendars when they are using their computers in an out-of-office location. All they need to access a VPN is an active Internet connection and the relevant VPN infrastructure set up on the corporate network to which they are connecting. Configuring VPNs means that resources on protected corporate networks can be made available to authorized users on the Internet through the VPN without making those resources directly available to users on the Internet. VPNs are like tunnels that allow specific authorized users from the Internet access to a configured list of internal network resources. Users without administrative privileges are able to create remote access connections. It is possible to limit user rights to create or modify remote access connections by configuring policies in the User Configuration\Administrative Templates\Network\Network Connections node of Group Policy.
When you create a VPN connection, you need to specify the address of the VPN server that you are connecting to and your authentication credentials. You can create a new VPN connection in the Network And Sharing Center by clicking Set Up A New Connection Or Network and then Connect To A Workplace. When you create a new VPN connection, Windows 7 sets the VPN type to Automatic. You can configure a connection to use a specific VPN protocol, but if you do this, Windows 7 does not try to use other VPN protocols if the protocol you select is not available. You will create a VPN connection and then edit its properties to use a specific VPN protocol in the practice at the end of this lesson.
When a VPN connection type is set to Automatic, Windows 7 attempts to make a connection using the most secure protocol. Clients running Windows 7 can use four different VPN protocols, which differ in the types of encryption and data protection they offer. The most secure protocols support:
• Data confidentiality: The protocol encrypts your data so that third parties cannot read it as it crosses public networks.
• Data integrity: You will know if a third party tampers with your data in transit.
• Replay protection: Ensures that the same data cannot be sent more than once. In a replay attack, an attacker captures and then resends data.
• Data origin authentication: The sender and receiver can be sure of the origin of transmitted and received data.
The VPN protocols supported by Windows 7, listed from least to most secure, are:
• PPTP: PPTP VPNs are the least secure form of VPN. Because PPTP VPNs do not require access to a public key infrastructure (PKI), they are also the most commonly deployed type of VPN. PPTP connections can use the MS-CHAP, MS-CHAPv2, EAP, and PEAP authentication protocols. PPTP connections use MPPE to encrypt PPTP data. PPTP connections provide data confidentiality but do not provide data integrity or data origin authentication. Some older NAT devices do not support PPTP. Windows 7 uses PPTP to support incoming VPN connections. You will learn about configuring Windows 7 to support incoming VPN connections later in this lesson.
• L2TP/IPsec: L2TP/IPsec VPN connections are more secure than PPTP. L2TP/IPsec provides per-packet data origin authentication, data integrity, replay protection, and data confidentiality. L2TP/IPsec uses digital certificates, so it requires access to a certificate services infrastructure. Most third-party VPN solutions support L2TP/IPsec. L2TP/IPsec cannot be used behind NAT unless the client and server support IPsec NAT Traversal (NAT-T). Windows 7, Windows Server 2003, and Windows Server 2008 support NAT-T. You can configure L2TP to use either certificate-based authentication or a pre-shared key by configuring the advanced properties, as shown in Figure 10-11.
• SSTP: SSTP VPN tunnels use port 443, meaning that SSTP VPN traffic can pass across almost all firewalls that allow Internet access, something that is not true of the PPTP, L2TP/IPsec, and IKEv2 VPN protocols. SSTP works by encapsulating PPP traffic over the SSL channel of the HTTPS protocol. SSTP supports data origin authentication, data integrity, replay protection, and data confidentiality. You cannot use SSTP through a Web proxy that requires authentication.
Figure 10-11 L2TP Advanced Properties
• IKEv2: IKEv2 is a VPN protocol new to Windows 7 and is not present in previous versions of Windows. IKEv2 supports IPv6 and the new VPN Reconnect feature. IKEv2 supports Extensible Authentication Protocol (EAP) and computer certificates for client-side authentication. This includes Microsoft Protected EAP (PEAP), Microsoft Secured Password (EAP-MSCHAP v2), and Microsoft Smart Card or Other Certificate, as shown in Figure 10-12. IKEv2 does not support PAP, CHAP, or MS-CHAPv2 (without EAP) as authentication protocols. IKEv2 supports data origin authentication, data integrity, replay protection, and data confidentiality. IKEv2 uses UDP port 500. When you configure a new Windows 7 VPN connection with the default settings, Windows 7 attempts to make an IKEv2 connection first.
Figure 10-12 Authentication protocols supported by IKEv2