Configuring Windows 7 (Training Kit) - Part 56 pptx


Lesson 1: Managing DirectAccess (Chapter 10)

[Figure 10-6: DirectAccess console]

2. Select the Setup node. In the details pane, in the Remote Clients area, click Configure. This opens the DirectAccess Client Setup dialog box. Click Add and then specify the names of the security groups to which you add computer accounts when you want to grant DirectAccess to specific clients running Windows 7. These groups can have any names; the one in Figure 10-7 is called DA_Clients.

[Figure 10-7: DirectAccess client groups]

3. Use the DirectAccess Server Setup item to specify which interface is connected to the Internet and which interface is connected to the internal network. Performing this step enables IPv6 transition technologies on the DirectAccess server, as shown in Figure 10-8. You also use this item to specify the CA that client certificates must ultimately chain to, either directly or through a subordinate CA, and the server certificate used to secure IP-HTTPS traffic.

[Figure 10-8: DirectAccess Server Setup]

4. On the Infrastructure Server Setup page, you specify the location of the internal Web site (known as the Network Location Server) that DirectAccess clients attempt to contact to determine whether they are connected to the corporate intranet or to a remote location. You must secure this Web site with a Web server certificate, as shown in Figure 10-9. You also use this dialog box to specify which DNS servers and domain controllers the DirectAccess clients are able to contact for authentication purposes.

5. The final step involves specifying which resources on the corporate intranet are accessible to DirectAccess clients. The default setting is to allow access to all resources. In more secure environments, you can use isolation policies to limit access to the members of specific security groups.
For example, you might create a security group and add the computer accounts of some file servers and mail servers, but not others.

6. When you click Finish, DirectAccess contacts a domain controller and creates two new GPOs in the domain. The first is targeted at the security groups that contain the computer accounts of DirectAccess clients. The second is targeted at the DirectAccess server itself. You can see these GPOs in Figure 10-10.

[Figure 10-9: Specifying the network location server]

[Figure 10-10: DirectAccess GPOs]

DirectAccess relies upon several other components in a Windows Server 2008 R2 network infrastructure. The domain in which you install the DirectAccess server must also have the following:

• At least one domain controller running Windows Server 2008 R2, and a DNS server, on the internal network.
• A server running Windows Server 2008 with Active Directory Certificate Services (AD CS) installed, either as an enterprise root CA or as an enterprise subordinate CA.

To make internal network resources available to remote DirectAccess clients, you need to do one of the following:

• Ensure that all internal resources that DirectAccess clients will access support IPv6.
• Deploy ISATAP on the intranet. ISATAP allows intranet servers and applications to be reached by tunneling IPv6 traffic over an IPv4 intranet.
• Deploy a NAT-PT device. NAT-PT devices allow hosts that support only IPv4 addresses to be reached by DirectAccess clients using IPv6.

All application servers that DirectAccess clients access need to allow ICMPv6 traffic in Windows Firewall with Advanced Security (WFAS). You can accomplish this by enabling the following firewall rules through Group Policy:

• Echo Request – ICMPv6-in
• Echo Request – ICMPv6-out

The following ports on an organization's external firewall must be open to support DirectAccess:

• UDP port 3544: enables Teredo traffic.
• IPv4 protocol 41: enables 6to4 traffic.
• TCP port 443: allows IP-HTTPS traffic.
• ICMPv6 and IP protocol 50 (IPsec ESP): required when remote clients have native IPv6 addresses.

Exam Tip: Remember which conditions necessitate the use of Teredo, 6to4, and IP-HTTPS on DirectAccess clients.

Practice: Configure DirectAccess with Netsh

DirectAccess requires a Windows Server 2008 R2 network infrastructure, so it is not possible to simulate DirectAccess on a client running Windows 7 without also having access to several servers running Windows Server 2008 R2. In this practice, you simulate manually configuring different IPv6 DirectAccess components using Netsh.

Exercise 1: Netsh DirectAccess Configuration

In this exercise, you simulate setting DirectAccess policies using the Netsh command-line utility. In reality, DirectAccess configuration comes through Group Policy, though there may be circumstances, such as when a client has been out of the office for some time and the DirectAccess server address has changed, in which you need to perform this type of manual configuration.

1. Log on to computer Canberra using the Kim_Akers user account and open an elevated command prompt.

2. Enter each of the following commands and press Enter after each one:

   Netsh interface ipv6 set teredo enterpriseclient 131.107.0.5
   Netsh interface 6to4 set relay 131.107.0.5

3. Now enter the following diagnostic commands, pressing Enter after each one, to verify that the correct configuration was set. The 6to4 relay and the Teredo server shown should both be 131.107.0.5:

   Netsh interface 6to4 show relay
   Netsh interface ipv6 show teredo

Lesson Summary

• DirectAccess allows a client running Windows 7 Enterprise or Ultimate edition to connect automatically to a corporate intranet whenever an active Internet connection is established, without requiring user intervention.
• If a client running Windows 7 has a public IPv6 address, a direct IPv6 connection is made.
If the client has a public IPv4 address, a connection is made using the 6to4 transition technology. If the client has a private IPv4 address, a connection is made using the Teredo transition technology. If the client has a private IPv4 address and is behind a firewall that restricts most forms of network traffic, a connection is made using IP-HTTPS.
• DirectAccess clients require computer certificates from a CA that is trusted by the DirectAccess server. The DirectAccess server requires a certificate from a CA trusted by the DirectAccess clients.
• DirectAccess clients must be members of an AD DS domain, and of a special domain security group that is configured during the setup of the DirectAccess server.
• A DirectAccess server must run Windows Server 2008 R2. A domain controller running Windows Server 2008 R2 and a DNS server must also be present on the internal network to support DirectAccess.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 1, "Managing DirectAccess." The questions are also available on the companion DVD if you prefer to review them in electronic form.

Note: Answers to these questions, and explanations of why each answer choice is correct or incorrect, are located in the "Answers" section at the end of the book.

1. A client running Windows 7 is connecting to a hotel network. Clients on the hotel network are assigned IP addresses in the 10.0.10.0/24 range. The hotel firewall blocks all traffic except that on ports 25, 80, and 443. Which DirectAccess connectivity method does the client use to make the connection?
   A. Teredo
   B. 6to4
   C. Globally routable IPv6 address
   D. IP-HTTPS

2. You have 10 stand-alone laptop computers running Windows 7 Professional. You want to configure these computers so that they can use DirectAccess to access the internal network when users connect to remote networks.
Your internal network has a Windows Server 2008 R2 functional level domain. Which of the following steps must you take before you can accomplish this goal? (Choose all that apply.)
   A. Upgrade the computers to Windows 7 Ultimate.
   B. Join the computers to the domain.
   C. Configure AppLocker policies.
   D. Configure BranchCache policies.

3. Which of the following computers can you configure as a DirectAccess server?
   A. A server running Windows Server 2008 R2 with two network adapters that has been assigned two consecutive public IPv4 addresses
   B. A server running Windows Server 2008 R2 with one network adapter that has been assigned two consecutive public IPv4 addresses
   C. A server running Windows Server 2008 R2 with two network adapters that has been assigned one public IPv4 address
   D. A server running Windows Server 2008 R2 with one network adapter that has been assigned one public IPv4 address

4. Kim Akers, who uses the Kim_Akers user account, has been using a computer running Windows 7 Enterprise named Laptop-122 with DirectAccess to access the internal corporate network when working remotely. Laptop-122 is a member of the Direct_Access domain security group. Laptop-122 has developed a fault and Kim has been given Laptop-123, which also runs Windows 7 Enterprise and is joined to the Contoso.internal domain. When Kim is working remotely, she is unable to connect to the internal network. Which of the following steps should you take to resolve this problem?
   A. Add the computer account for Laptop-123 to the Direct_Access group in the domain.
   B. Add the computer account for Laptop-123 to the Direct_Access group on Laptop-123.
   C. Add the Kim_Akers user account to the Direct_Access group in the domain.
   D. Add the Kim_Akers user account to the Direct_Access local group on Laptop-123.

5.
Your client running Windows 7 is connected to a hotel network, has an address on the 192.168.10.0/24 network, and is located behind a Network Address Translation (NAT) device. The network blocks all outbound traffic except that on ports 80 and 443. You want to confirm that the address of the DirectAccess IP-HTTPS server has been set correctly. Which of the following commands could you use?
   A. ipconfig
   B. netsh interface 6to4 show relay
   C. netsh interface ipv6 show teredo
   D. netsh interface httpstunnel show interfaces

Lesson 2: Remote Connections

Although not every edition of Windows 7 supports DirectAccess, every edition of Windows 7 supports VPN connections using the PPTP, L2TP/IPsec, SSTP, and IKEv2 protocols. Traditional VPN technology is important because, except for IKEv2, these technologies are compatible with existing remote access infrastructures and do not require an organization to upgrade any servers to Windows Server 2008 R2. PPTP and L2TP/IPsec VPNs are also compatible with third-party remote access solutions, which matters if your organization does not rely upon a Windows Server remote access infrastructure. In this lesson, you learn how to deal with clients that have been restricted to NAP quarantine and how to configure the Remote Desktop Client to access Remote Desktop Services servers on a protected internal network without having to configure a VPN connection.

After this lesson, you will be able to:
• Establish VPN connections.
• Configure VPN authentication.
• Set up VPN Reconnect.
• Manage VPN security auditing.
• Configure NAP quarantine remediation.

Estimated lesson time: 40 minutes

Virtual Private Networks

VPNs allow people to make connections to remote networks over the Internet. VPN users can access resources on the LAN, such as e-mail, shared folders, printers, databases, and calendars, when they are using their computers in an out-of-office location.
All they need to access a VPN is an active Internet connection and the relevant VPN infrastructure set up on the corporate network to which they are connecting. Configuring VPNs means that resources on protected corporate networks can be made available to authorized users on the Internet through the VPN without exposing those resources directly to the Internet. VPNs are like tunnels that give specific authorized users on the Internet access to a configured list of internal network resources.

Users without administrative privileges are able to create remote access connections. It is possible to limit users' rights to create or modify remote access connections by configuring policies in the User Configuration\Administrative Templates\Network\Network Connections node of Group Policy.

When you create a VPN connection, you need to specify the address of the VPN server that you are connecting to and your authentication credentials. You can create a new VPN connection in the Network And Sharing Center by clicking Set Up A New Connection Or Network and then Connect To A Workplace. When you create a new VPN connection, Windows 7 sets the VPN type to Automatic. You can configure a connection to use a specific VPN protocol, but if you do this, Windows 7 does not try other VPN protocols if the protocol you selected is not available. You will create a VPN connection and then edit its properties to use a specific VPN protocol in the practice at the end of this lesson.

When a VPN connection type is set to Automatic, Windows 7 attempts to make a connection using the most secure protocol. Clients running Windows 7 can use four different VPN protocols, which differ in the types of encryption and data protection they offer. The most secure protocols support:

• Data confidentiality: the protocol encrypts your data so that third parties cannot read it as it crosses public networks.
• Data integrity: you will know if a third party tampers with your data in transit.
• Replay protection: ensures that the same data cannot be accepted more than once. In a replay attack, an attacker captures and then resends data.
• Data origin authentication: the sender and receiver can be sure of the origin of transmitted and received data.

The VPN protocols supported by Windows 7, listed from least to most secure, are:

• PPTP: PPTP VPNs are the least secure form of VPN. Because PPTP VPNs do not require access to a public key infrastructure (PKI), they are also the most commonly deployed type of VPN. PPTP connections can use the MS-CHAP, MS-CHAPv2, EAP, and PEAP authentication protocols. PPTP connections use MPPE to encrypt PPTP data. PPTP connections provide data confidentiality but do not provide data integrity or data origin authentication. Some older NAT devices do not support PPTP. Windows 7 uses PPTP to support incoming VPN connections. You will learn about configuring Windows 7 to support incoming VPN connections later in this lesson.

• L2TP/IPsec: L2TP/IPsec VPN connections are more secure than PPTP. L2TP/IPsec provides per-packet data origin authentication, data integrity, replay protection, and data confidentiality. L2TP/IPsec normally uses digital certificates for the IPsec computer authentication, so it usually requires access to a certificate services infrastructure; a pre-shared key can be used instead, as described below. Most third-party VPN solutions support L2TP/IPsec. L2TP/IPsec cannot be used behind NAT unless both the client and the server support IPsec NAT Traversal (NAT-T). Windows 7, Windows Server 2003, and Windows Server 2008 support NAT-T. You can configure L2TP to use either certificate-based authentication or a pre-shared key by configuring the advanced properties, as shown in Figure 10-11.

• SSTP: SSTP VPN tunnels use TCP port 443, meaning that SSTP VPN traffic can pass across almost all firewalls that allow Internet access, something that is not true of the PPTP, L2TP/IPsec, and IKEv2 VPN protocols.
SSTP works by encapsulating PPP traffic over the SSL channel of the HTTPS protocol. SSTP supports data origin authentication, data integrity, replay protection, and data confidentiality. You cannot use SSTP through a Web proxy that requires authentication.

[Figure 10-11: L2TP Advanced Properties]

• IKEv2: IKEv2 is a VPN protocol new to Windows 7 and is not present in previous versions of Windows. IKEv2 supports IPv6 and the new VPN Reconnect feature. IKEv2 supports the Extensible Authentication Protocol (EAP) and computer certificates for client-side authentication. This includes Microsoft Protected EAP (PEAP), Microsoft Secured Password (EAP-MSCHAP v2), and Microsoft Smart Card or Other Certificate, as shown in Figure 10-12. IKEv2 does not support PAP, CHAP, or MS-CHAPv2 (without EAP) as authentication protocols. IKEv2 supports data origin authentication, data integrity, replay protection, and data confidentiality. IKEv2 uses UDP port 500 (and UDP port 4500 when NAT traversal is in use). When you configure a new Windows 7 VPN connection with the default settings, Windows 7 attempts to make an IKEv2 connection first.

[Figure 10-12: Authentication protocols supported by IKEv2]
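The DirectAccess connectivity rules summarized at the end of Lesson 1 (and exercised by review questions 1 and 5) expressed as working decision logic. This is an added example written for this page, not code from the Training Kit or from Windows: the Firewall class, the opening labels such as 'tcp/443' and 'proto-41', the function names and the sample scenarios are assumptions made for the illustration; the port list and the netsh verification commands are the chapter's. Python is used because the point is the selection rule rather than a command typed at a prompt.

```python
"""Decide which DirectAccess connectivity method a Windows 7 client ends up using.

Added example, not code from the Training Kit or from Windows. It encodes the
Lesson 1 rules (globally routable IPv6 -> direct connection; public IPv4 -> 6to4;
private IPv4 -> Teredo; private IPv4 behind a restrictive firewall -> IP-HTTPS)
together with the external-firewall openings the chapter lists for each method.
The Firewall class, the opening labels ('tcp/443', 'proto-41', ...), the function
names and the sample scenarios are constructed for this example; only the netsh
commands and the port list are the chapter's.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Openings the organization's external firewall must allow, per method
# (IP protocol 41 carries 6to4; IP protocol 50 is IPsec ESP).
REQUIRED_OPENINGS: Dict[str, Set[str]] = {
    "native-ipv6": {"icmpv6", "proto-50"},
    "6to4": {"proto-41"},
    "teredo": {"udp/3544"},
    "ip-https": {"tcp/443"},
}

# netsh command that shows whether the client holds the right server address
# for a method (the chapter's practice and review question 5).
VERIFY_COMMAND: Dict[str, str] = {
    "6to4": "netsh interface 6to4 show relay",
    "teredo": "netsh interface ipv6 show teredo",
    "ip-https": "netsh interface httpstunnel show interfaces",
}


@dataclass(frozen=True)
class Firewall:
    """Egress policy of the network the client sits on (hotel, home NAT, ...).

    `allowed` holds opening labels such as 'tcp/443' or 'udp/3544';
    `allow_all` models an unfiltered network.
    """
    allowed: frozenset = frozenset()
    allow_all: bool = False

    def permits(self, openings: Set[str]) -> bool:
        return self.allow_all or openings <= self.allowed


def candidate_methods(addr: str) -> List[str]:
    """Preference order implied by the client's own address alone."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        # Only a globally routable IPv6 address gives a direct IPv6 path; a
        # link-local or ULA-only host can still reach the server over IP-HTTPS.
        return ["native-ipv6", "ip-https"] if ip.is_global else ["ip-https"]
    if ip.is_private:
        # Private IPv4 behind NAT: Teredo, falling back to IP-HTTPS when the
        # network blocks UDP 3544 (the hotel scenario in review question 1).
        return ["teredo", "ip-https"]
    if ip.is_global:
        # Public IPv4: 6to4, falling back to IP-HTTPS if protocol 41 is filtered.
        return ["6to4", "ip-https"]
    return ["ip-https"]  # shared/special-use IPv4 range: only IP-HTTPS is safe to assume


def select_method(addr: str, firewall: Firewall) -> str:
    """First candidate whose required openings the local network permits."""
    for method in candidate_methods(addr):
        if firewall.permits(REQUIRED_OPENINGS[method]):
            return method
    raise RuntimeError(
        f"no DirectAccess transport usable from {addr}: even TCP 443 is blocked")


def external_firewall_rules(methods: Iterable[str]) -> Set[str]:
    """Union of openings the corporate edge must allow for the given methods."""
    rules: Set[str] = set()
    for method in methods:
        rules |= REQUIRED_OPENINGS[method]
    return rules


if __name__ == "__main__":
    hotel = Firewall(frozenset({"tcp/25", "tcp/80", "tcp/443"}))  # review question 1
    nat_only = Firewall(frozenset({"tcp/80", "tcp/443"}))  # review question 5
    unfiltered = Firewall(allow_all=True)
    scenarios = [  # constructed addresses; 131.107.0.5 is reused from the practice
        ("10.0.10.50", hotel),
        ("192.168.10.20", nat_only),
        ("192.168.1.10", unfiltered),
        ("131.107.0.5", unfiltered),
        ("2a00:1450::1", unfiltered),
    ]
    for addr, fw in scenarios:
        method = select_method(addr, fw)
        check = VERIFY_COMMAND.get(method, "(native IPv6: no transition interface to check)")
        print(f"{addr:>16} -> {method:<12} verify with: {check}")
    print("edge firewall must allow:", sorted(external_firewall_rules(REQUIRED_OPENINGS)))
```

Running it prints one line per scenario: the hotel client at 10.0.10.50 lands on IP-HTTPS because UDP 3544 is blocked, while the same kind of private address on an unfiltered home network takes Teredo, and a public IPv4 client takes 6to4. The fallback chain follows only what the chapter states; on a real client the netsh commands in VERIFY_COMMAND are the place to confirm which transition interface actually came up.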

Posted: 02/07/2014, 10:21
