248 CHAPTER 6 Understanding and Troubleshooting Remote Access Connections EXERCISE 11 Confi guring Network Policy Services (NPS) In this exercise, you enable and confi gure the remote access policies required for an IKEv2-based VPN connection. Perform this exercise while you are still logged on to DC1 as a domain administrator. 1. Open the Routing and Remote Access console if it is not already open. 2. In the Routing and Remote Access console tree, expand DC1 (Local). 3. Select and right-click Remote Access Logging & Policies, and then select Launch NPS. The Network Policy Server console opens. 4. In the details pane, in the Network Access Policies section, click the Network Access Policies link. 5. In the details pane, in the Network Policies area, double-click Connections To Microsoft Routing And Remote Access Server. The Connections To Microsoft Routing And Remote Access Server Properties dialog box opens. 6. On the Overview tab, in the Access Permission section, select Grant Access. Grant Access If The Connection Request Matches This Policy. 7. Select the Constraints tab. In the Constraints list, Authentication Methods is selected by default. In the right pane, two EAP types are listed: Microsoft: Secured Password (EAP-MSCHAP v2) and Microsoft: Smart Card Or Other Certifi cate. In this exercise, only the fi rst authentication method is needed. 8. Select Microsoft: Smart Card Or Other Certifi cate and click Remove to remove this EAP type. 9. Click OK to save your changes. 10. Close all open windows. EXERCISE 12 Creating the VPN Connection on the VPN Client In this exercise, you create a VPN connection on Client1 that you will use later to connect to DC1. 1. If you have not already done so, log on the Nwtraders from Client1 as a domain administrator. 2. Click Start, type Network and Sharing Center, and then press Enter. The Networking And Sharing Center opens. 3. Click Set Up A New Connection Or Network. 4. Click Connect To A Workplace, and then click Next. 5. Click Use My Internet Connection (VPN). 6. Click I’ll Set Up An Internet Connection Later. 7. In the Internet Address text box, type DC1.nwtraders.msft. Leave VPN Connection as the destination name, and then click Next. 8. In the User Name and Password text boxes, type the name and password of the VPN user account you created in Exercise 1. C06627093.indd 248C06627093.indd 248 2/17/2010 10:24:12 AM2/17/2010 10:24:12 AM Lesson 1: Understanding VPN Client Connections CHAPTER 6 249 9. Select the Remember This Password check box. 10. In the Domain (Optional) text box, type nwtraders.msft. 11. Click Create, and then click Close. EXERCISE 13 Confi guring and Testing the VPN Connection In this exercise, you verify that you can establish a VPN connection between Client1 and DC1. You do this while still logged on to Client1 as a domain administrator. 1. In the Network and Sharing Center, click Change Adapter Settings. 2. Double-click VPN Connection, and then click Properties. 3. On the Security tab, in the Type Of VPN drop-down list, select IKEv2, and then click OK. 4. In the Connect VPN Connection dialog box, click Connect. The user is authenticated, and the VPN connection is established successfully. Lesson Summary ■ In a Windows network, a VPN infrastructure includes at least a VPN client, a VPN server running RRAS, and a DNS server. However, additional elements are typically used, such as a domain controller, a certifi cate server/PKI, a DHCP server, and an NPS server. ■ Four VPN tunneling protocols are available in Windows 7, and a Windows 7 VPN client attempts to negotiate tunneling protocols in this order: IKEv2, SSTP, L2TP/IPSec, and PPTP. ■ IKEv2 is a new tunneling protocol that requires Windows 7 and Windows Server 2008 R2. An advantage of IKEv2 is its support of VPN Reconnect, a feature that allows client mobility between wireless access points without losing the VPN connection. ■ To attempt a VPN connection, a VPN client fi rst contacts the VPN server with a request for a tunneling protocol. The terms of the VPN tunnel are then negotiated, after which the VPN tunnel is created. Remote access authentication of the user (and sometimes the computer) follows. Finally, if the user and connection request is determined to be authorized for remote access, the VPN connection is established. Lesson Review You can use the following questions to test your knowledge of the information in Lesson 1, “Understanding VPN Client Connections.” The questions are also available on the companion CD if you prefer to review them in electronic form. NOTE ANSWERS Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book. NO T E ANSWERS E Answers to these questions and explanations of wh y each answer choice is correct or in co rr ect a r e l ocated in t h e “An s w e r s ” sect i o n at t h e e n d o f t h e boo k . C06627093.indd 249C06627093.indd 249 2/17/2010 10:24:12 AM2/17/2010 10:24:12 AM 250 CHAPTER 6 Understanding and Troubleshooting Remote Access Connections 1. You work as a desktop support technician in a large enterprise. The company has recently upgraded all client computers to Windows 7 Enterprise. All servers are running Windows Server 2008. Your company supports many mobile users who access the corporate network through a VPN. Your VPN users have complained that when they are connecting to the Internet wirelessly, they lose their VPN connection when they switch between wireless access points. You want VPN users to be able to move between wireless access points without losing a connection. Which of the following steps must you take to achieve this? A. Instruct VPN users to select SSTP as the Type Of VPN in the adapter settings of the VPN connection. B. Instruct VPN users to confi gure the maximum encryption strength in the adapter settings of the VPN connection. C. Confi gure the server running Windows acting as the VPN server to forward authentication to an NPS server. D. Upgrade the server running Windows acting as the VPN server to Windows Server 2008 R2. 2. Which of the following actions do you need to perform to enable a client running Windows 7 to access a corporate network through an IKEv2 VPN? A. Install the VPN server certifi cate on the client running Windows 7. B. Ensure that the root certifi cate of the CA that has issued the VPN server’s server certifi cate has been installed in the Trusted Root Certifi cation Authorities certifi cate store on the client running Windows 7. C. In the VPN connection properties on the client running Windows 7, confi gure the Type Of VPN setting as IKEv2. D. Obtain a computer certifi cate for the client running Windows 7. C06627093.indd 250C06627093.indd 250 2/17/2010 10:24:13 AM2/17/2010 10:24:13 AM Lesson 2: Understanding DirectAccess Client Connections CHAPTER 6 251 Lesson 2: Understanding DirectAccess Client Connections DirectAccess is a new feature of Windows 7 and Windows Server 2008 R2 that automatically and transparently connects a remote user to a private corporate network from any location on the Internet. DirectAccess was developed to eventually replace traditional VPNs, which require users to initiate a VPN connect once their computer is connected to the Internet. This lesson provides an overview of the benefi ts of Direct Access, how it works, and how to troubleshoot settings on the DirectAccess client. After this lesson, you will be able to: ■ Understand the benefi ts of DirectAccess ■ Understand the prerequisites and features of a DirectAccess infrastructure ■ Understand the steps performed in a DirectAccess connection ■ Perform basic troubleshooting of DirectAccess client connections Estimated lesson time: 45 minutes Overview of DirectAccess DirectAccess is a new technology that automatically establishes bidirectional connectivity between a remote user’s computer and that user’s company intranet. The remote user does not have to initiate the connection to the intranet manually, and administrators can manage this and other remote computers outside the offi ce through the same DirectAccess connection. DirectAccess is supported on Windows 7 Enterprise, Windows 7 Ultimate, and Windows Server 2008 R2. Understanding the Limitations of VPNs Traditionally, users connect to intranet resources with a VPN. However, using a VPN has a number of disadvantages, including the following: ■ Connecting to a VPN takes several steps, and the user needs to wait for authentication. For organizations that check the health of a computer before allowing the connection, establishing a VPN connection can take several minutes. ■ Anytime users lose their Internet connection, they need to reestablish the VPN connection. ■ VPN client machines typically are not subject to Group Policy. ■ Internet performance is slowed if both intranet and Internet traffi c goes through the VPN connection. A fter this lesson, you will be able to: ■ U n de r s t a n d th e be n efi t s of Dir ec tA ccess ■ Understand the p rere q uisites and features of a DirectAccess infrastructur e ■ Understand the steps per f ormed in a DirectAccess connectio n ■ Per f orm basic troubleshootin g o f DirectAccess client connections Est im ated l esso n t im e: 4 5 min utes C06627093.indd 251C06627093.indd 251 2/17/2010 10:24:13 AM2/17/2010 10:24:13 AM 252 CHAPTER 6 Understanding and Troubleshooting Remote Access Connections Because of these inconveniences, many users avoid connecting to a VPN. Instead, they use application gateways, such as Microsoft Outlook Web Access (OWA), to connect to intranet resources. With OWA, users can retrieve internal e-mail without establishing a VPN connection. However, users still need to connect to a VPN to open documents that are located on intranet fi le shares, such as those that are linked to in an e-mail message. Understanding the Benefi ts of DirectAccess DirectAccess overcomes the limitations of VPNs by providing the following benefi ts to enterprises and their users: ■ Always-on connectivity Unlike with a VPN, a DirectAccess connection is always on, even before the user logs on to his or her computer. ■ Seamless connectivity To the user, the DirectAccess connection to the corporate network is completely transparent. Aside from any delay that could be caused by a slow Internet connection, the user experience is the same as if the user’s computer were connected directly to the corporate network. ■ Bidirectional access With DirectAccess, the user’s remote computer not only has access to the corporate intranet, but the intranet can also see the user’s computer. This means that the remote computer can be managed using Group Policy and other management tools in exactly the same way that computers located on the internal network are managed. ■ Enhanced security DirectAccess provides administrators with fl exibility in how they control access to internal resources for remote users and their computers. For example, DirectAccess can be confi gured to provide user access only to selected resources. In addition, Direct Access fully integrates with Server and Domain Isolation solutions and the NAP infrastructure to help ensure compliance with security, access, and health policies for both local and remote computers. In addition, DirectAccess includes the following security features: •• DirectAccess is built on a foundation of standards-based technologies: IPSec and IPv6. •• DirectAccess uses IPSec to authenticate both the computer and user. If you want, you can require a smart card for user authentication. •• DirectAccess also uses IPSec to provide encryption for communications across the Internet. Understanding DirectAccess and IPv6 Transition Technologies DirectAccess clients must have globally routable IPv6 addresses. For organizations that are already using a native IPv6 infrastructure, DirectAccess can easily extend this existing infrastructure to DirectAccess client computers. These client computers can also still access Internet resources by using IPv4. C06627093.indd 252C06627093.indd 252 2/17/2010 10:24:13 AM2/17/2010 10:24:13 AM Lesson 2: Understanding DirectAccess Client Connections CHAPTER 6 253 For organizations that have not yet begun deploying IPv6, a number of IPv6 transition technologies are available to begin IPv6 deployment without requiring an infrastructure upgrade. These technologies are described in the next sections. ISATAP Intra-site Automatic Tunnel Addressing Protocol (ISATAP) is a tunneling protocol that allows an IPv6 network to communicate with an IPv4 network through an ISATAP router, as shown in Figure 6-14. ISATAP Router ISATAP Host IPv6 Host IPv4-only Network IPv6 Network IPv6 IPv6 over IPv4 FIGURE 6-14 ISATAP routers allow IPv4-only and IPv6-only hosts to communicate with each other. ISATAP allows IPv4 and IPv6 hosts to communicate by performing a type of address translation between IPv4 and IPv6. In this process, all ISATAP clients receive an address for an ISATAP interface. This address is composed of an IPv4 address encapsulated inside an IPv6 address. ISATAP is intended for use within a private network. 6to4 6to4 is a protocol that tunnels IPv6 traffi c over IPv4 traffi c through 6to4 routers. 6to4 clients have their router’s IPv4 address embedded in their IPv6 address and do not require an IPv4 address. Whereas ISATAP is intended primarily for intranets, 6to4 is intended to be used on the Internet. You can use 6to4 to connect to IPv6 portions of the Internet through a 6to4 relay even if your intranet or your ISP supports only IPv4. A sample 6to4 network is shown in Figure 6-15. 6to4 Router 6to4 Relay IPv6 Host IPv6 Host IPv4 NetworkIPv6 Network IPv6 Network IPv6 over IPv4 IPv6IPv6 FIGURE 6-15 6to4 allows IPv6-only hosts to communicate over the Internet. C06627093.indd 253C06627093.indd 253 2/17/2010 10:24:13 AM2/17/2010 10:24:13 AM 254 CHAPTER 6 Understanding and Troubleshooting Remote Access Connections Teredo Teredo is a tunneling protocol that allows clients located behind an IPv4 NAT device to use IPv6 over the Internet. Teredo is used only when no other IPv6 transition technology (such as 6to4) is available. Teredo relies on an infrastructure, illustrated in Figure 6-16, that includes Teredo clients, Teredo servers, Teredo relays, and Teredo host-specifi c relays. NAT Teredo Relay Teredo Server Teredo Client Teredo Host-specific Relay IPv6 Host IPv4 internetIPv4 Intranet IPv6 Intranet IPv6 over IPv4IPv6 over IPv4 IPv6 FIGURE 6-16 Teredo allows hosts located behind a router performing IPv4 NAT to use IPv6 over the Internet to communicate with each other or with IPv6-only hosts. ■ Teredo client A Teredo client is a computer that is enabled with both IPv6 and IPv4 and that is located behind a router performing IPv4 NAT. The Teredo client creates a Teredo tunneling interface and confi gures a routable IPv6 address with the help of a Teredo server. Through this interface, Teredo clients communicate with other Teredo clients or with hosts on the IPv6 Internet (through a Teredo relay). ■ Teredo server A Teredo server is a public server connected both to the IPv4 Internet and to the IPv6 Internet. The Teredo server helps perform the address confi guration of the Teredo client and facilitates initial communication either between two Teredo clients or between a Teredo client and an IPv6 host. To facilitate communication among Windows-based Teredo client computers, Microsoft has deployed Teredo servers on the IPv4 Internet. ■ Teredo relay A Teredo relay is a Teredo tunnel endpoint. It is an IPv6/IPv4 router that can forward packets between Teredo clients on the IPv4 Internet and IPv6-only hosts. C06627093.indd 254C06627093.indd 254 2/17/2010 10:24:13 AM2/17/2010 10:24:13 AM Lesson 2: Understanding DirectAccess Client Connections CHAPTER 6 255 ■ Teredo host-specifi c relay A Teredo host-specifi c relay is a host that is enabled with both IPv4 and IPv6 and that acts as its own Teredo relay. A Teredo host-specifi c relay essentially enables a Teredo client that has a global IPv6 address to tunnel through the IPv4 Internet and communicate directly with hosts connected to the IPv6 Internet. IP-HTTPS IP-HTTPS is a new protocol developed by Microsoft for Windows 7 and Windows Server 2008 R2. It enables hosts located behind a Web proxy server or fi rewall to establish connectivity by tunneling IPv6 packets inside an IPv4-based Hypertext Transfer Protocol Secure (HTTPS) session. HTTPS is used instead of HTTP so that Web proxy servers do not attempt to examine the data stream and terminate the connection. IP-HTTPS is used as the fallback technology for DirectAccess clients when neither 6to4 nor Teredo is available. IPv6/IPv4 NAT Some NAT routers are able to provide connectivity between global IPv6 addresses and private IPv4 addresses. To perform this function, these devices typically conform to the Network Address Translation/Protocol Translation (NAT-PT) standard or the Network Address Port Translation + Protocol Translation (NAPT-PT) standard, as defi ned in RFC 2766. Although these two technologies are still available on some networks, they have been deprecated by the Internet Engineering Task Force (IETF) because of technical problems. NAT64 is the name of another mechanism to perform this same function in the future. NOTE CONFIGURING IPv6 SETTINGS IN GROUP POLICY You can confi gure client settings for IPv6 transition technologies in Local Computer Policy or Group Policy. You can fi nd these settings in a GPO by navigating to Computer Confi guration\Policies\Administrative Templates\Network\TCPIPSettings\IPv6 Transition Technologies. Understanding DirectAccess Infrastructure Features Figure 6-17 shows the primary features of a DirectAccess infrastructure. These features include general network infrastructure requirements such as a PKI (including a certifi cation authority and CRL distribution points), domain controllers, IPv6 transition technologies, and DNS servers. A DirectAccess infrastructure also has the elements that form the core of the DirectAccess solution, including DirectAccess clients, DirectAccess servers, and a network location server. These elements of a DirectAccess infrastructure are described in more detail in the following section. NO T E CONFIGURING IP E v 6 S ETTIN GS IN G R OU P P O LI C Y You can con fi g ure client settin g s f or IPv6 transition technolo g ies in Local Computer Polic y or Group Polic y . You can fi nd these settin g s in a GPO b y navi g atin g to Computer Con fi guration\Policies\Administrative Templates\Network\TCPIPSettings\IPv6 Transition Technolo g ies. C06627093.indd 255C06627093.indd 255 2/17/2010 10:24:14 AM2/17/2010 10:24:14 AM 256 CHAPTER 6 Understanding and Troubleshooting Remote Access Connections Internet External CRL Distribution Point Internal CRL Distribution Point DirectAccess Client connecting from behind a firewall, or unable to connect via other methods. DirectAccess Client connecting from private (NAT) IPv4 address. DirectAccess Client connecting from public IPv4 address. DirectAccess Client connecting from globally routable IPv6 address. Intranet IPv6/IPv4NAT Domain Controllers DNS Servers NAP Servers Certification Authority Network Location Server Application Servers Running Native IPv6 Application Servers Running ISATAP Application Servers Running IPv4 ISATAP-tunneled IPv6 Traffic IPv6 IPv4 6to4 IPv6 Tere do IP-HTTPS DirectAccess Server IPv6 FIGURE 6-17 A DirectAccess infrastructure DirectAccess Server At least one domain-joined server must be running Windows Server 2008 R2 so it can act as the DirectAccess server. This server typically resides on your perimeter network and acts as both a relay for IPv6 traffi c and an IPSec gateway. The server can accept connections from DirectAccess clients and (like a VPN server) facilitate communication with intranet resources. The DirectAccess server needs to be confi gured with two physical network adapters and at least two consecutive, publicly-addressable IPv4 addresses that can be externally resolved through the Internet DNS. To create a DirectAccess server, use Server Manager to add the DirectAccess Management Console feature in Windows Server 2008 R2. Then use the DirectAccess Setup Wizard in this console to confi gure the server. DirectAccess Client Client computers must be domain-joined and running Windows 7 Enterprise or Ultimate to use DirectAccess. To perform the initial confi guration of computers as DirectAccess clients, add them to a Windows group, and then specify this group when you run the DirectAccess Setup Wizard on the DirectAccess server. C06627093.indd 256C06627093.indd 256 2/17/2010 10:24:14 AM2/17/2010 10:24:14 AM Lesson 2: Understanding DirectAccess Client Connections CHAPTER 6 257 To allow DirectAccess clients to separate Internet traffi c from intranet traffi c, Windows 7 and Windows Server 2008 R2 include the Name Resolution Poilcy Table (NRPT). The NRPT is applied to clients only through Local Computer Policy or Group Policy—it cannot be confi gured locally on the client. To locate NRPT settings in a GPO, navigate to Computer Confi guration\Policies\Windows Settings\Name Resolution Policy. NOTE WHAT IS THE NRPT? The NRPT is a new feature that allows a client to assign a DNS server address to particular namespaces rather than to particular interfaces. The NRPT essentially stores a list of name resolution rules that are applied to clients through Group Policy. Each rule defi nes a DNS namespace and DNS client behavior for that namespace. When a DirectAccess client is on the Internet, each name query request is compared against the namespace rules stored in the NRPT. If a match is found, the request is processed according to the settings in the NRPT rule. The settings determine the DNS servers to which each request will be sent. If a name query request does not match a namespace listed in the NRPT, it is sent to the DNS servers confi gured in the TCP/IP settings for the specifi ed network interface. Network Location Server A network location server is a Web server accessed by a DirectAccess client to determine whether the client is located on the intranet or Internet. The DirectAccess server can act as the network location server, but it is preferable to use a separate, high-availability Web server for the network location server instead. This separate Web server does not have to be dedicated as a network location server. You can confi gure network location server settings in Local Computer Policy or Group Policy. To fi nd the settings in a GPO, navigate to Computer Confi guration\ Policies\Administrative Templates\Network\Network Connectivity Status Indicator. Domain Controllers An AD DS infrastructure is required for DirectAccess. At least one domain controller in the domain needs to be running Windows Server 2008 or later. IPv6-capable Network DirectAccess uses IPv6 to enable remote client computers to maintain connectivity with intranet resources over an Internet connection. Because most of the public Internet currently uses IPv4, however, DirectAccess clients use IPv6 transition technologies when no IPv6 connectivity is available. The order of connection methods attempted by DirectAccess clients is as follows: 1. Native IPv6 This method is used if the DirectAccess client is assigned a globally routable IPv6 address. 2. 6to4 This method is used if the DirectAccess client is assigned a public IPv4 address. 3. Teredo This method is used if the DirectAccess client is assigned a private IPv4 address. 4. IP-HTTPS This method is attempted if the other methods fail. N OT E WHAT IS THE NRPT? E The NRPT is a new feature that allows a client to assign a DNS server address to particula r namespaces rather than to particular inter f aces. The NRPT essentiall y stores a list o f name resolution rules that are applied to clients through Group Policy. Each rule defi nes a DNS names p ace and DNS client behavior f or that names p ace. When a DirectAccess client is on the Internet, each name quer y request i s compared a g a i nst the namespace rules stored in the NRPT. I f a match is f ound, the request is processed according to the settings in the NRPT rule. The settin g s determine the DNS servers to which each request will be sent. I f a name quer y request does not match a namespace listed in the NRPT, it is sent to the DNS servers confi gured in the TCP/IP settings for the specifi ed network interface. C06627093.indd 257C06627093.indd 257 2/17/2010 10:24:14 AM2/17/2010 10:24:14 AM [...]... and IsHidden = 0 and CategoryIDs contains '8c3fcc8 4 -7 41 0-4 a9 5- 8 b89-a166a0190486' and CategoryIDs contains 'e 078 9628-ce0844 3 7- be7 4-2 495b842f43b')" * ServiceID = {0000000 0-0 00 0-0 00 0-0 00 0-0 00000000000} Third party service * Search Scope = {Machine} Validating signature for C: \Windows\ SoftwareDistribution\WuRedir\\muv4wuredir.cab: Microsoft signed: Yes The WindowsUpdate.log file will also detail update errors... Software C 076 270 9 3.indd 277 CHAPTER 7 277 2/18/2010 12:30:14 PM ■ Automatic Updates Detection Frequency Specifies how frequently the Windows Update client checks for new updates By default, this is a random time between 17 and 22 hours ■ Allow Non-Administrators To Receive Update Notifications Determines whether all users or only administrators will receive update notifications, as shown in Figure 7- 3 Non-administrators... Manager 20 07 Lesson 1: Updating Software C 076 270 9 3.indd 271 CHAPTER 7 271 2/18/2010 12:30:13 PM Windows Update Client Whether you download updates from Microsoft or use WSUS, the Windows Update client is responsible for downloading and installing updates on computers running Windows 7 and Windows Vista The Windows Update client replaces the Automatic Updates client available in earlier versions of Windows. .. enterprises You must install WSUS on at least one infrastructure server, such as a computer running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 To deploy updates to computers running Windows 7, you must have WSUS 3.0 SP2 or later installed on your server 272 C 076 270 9 3.indd 272 CHAPTER 7 Updates 2/18/2010 12:30:13 PM Internet Updat es p Windo ulled from ws Up date Microsoft Windows. .. -Microsoft-WindowsDeployment, and the -Microsoft -Windows- Shell-Setup features For detailed instructions, read “Add a Custom Command to an Answer File,” at http://technet.microsoft.com/library/dd7992 95. aspx For information about how to install updates from a script, read “How to Script Updates” later in this lesson • Edit the %windir%\Setup\Scripts\SetupComplete.cmd file in your Windows 7. .. click View Available Updates FIGURE 7- 2 Using the Windows Update tool to check for updates If an update does not appear on the list, it might have been hidden To fix this, click the Restore Hidden Updates link in the Windows Update window 276 C 076 270 9 3.indd 276 CHAPTER 7 Updates 2/18/2010 12:30:14 PM 4 Windows Updates downloads and installs the available updates 5 If required, restart the computer by... at http://technet.microsoft.com/library/ cc70 855 4.aspx x 282 C 076 270 9 3.indd 282 CHAPTER 7 Updates 2/18/2010 12:30: 15 PM 3 If you use Group Policy to configure the Windows Update client, use the Resultant Set of Policy (RSOP) tool (Rsop.msc) to verify the configuration Within RSOP, browse to the Computer Configuration\Administrative Templates \Windows Components \Windows Update node and verify the configuration... the first public IPv4 address assigned to the Internet interface of the DirectAccess server NativePrefix :55 55 if you are using a 48-bit native IPv6 prefix 55 55 is the Subnet ID value chosen by the DirectAccess Setup Wizard Understanding and Troubleshooting Remote Access Connections 2/ 17/ 2010 10:24: 15 AM Understanding the DirectAccess Connection Process A DirectAccess connection to a target intranet resource... Windows 7 image Windows 7 runs any commands in this file after Windows Setup completes Commands in the SetupComplete.cmd file are executed with local system privilege and actions are logged to the SetupAct.log file You cannot reboot the system and resume running SetupComplete.cmd; therefore, you must install all updates in a single pass Lesson 1: Updating Software C 076 270 9 3.indd 2 75 CHAPTER 7 2 75 2/18/2010... remove For that reason, this chapter is the most important chapter in the book to master for the real world 270 C 076 270 9 3.indd 270 CHAPTER 7 Updates 2/18/2010 12:30:13 PM Lesson 1: Updating Software Because security threats are evolving constantly, Microsoft must release updates to Windows 7 and other Microsoft software regularly Deploying and managing these updates are some of the most important security . and IPv6-only hosts. C066 270 9 3.indd 254 C066 270 9 3.indd 254 2/ 17/ 2010 10:24:13 AM2/ 17/ 2010 10:24:13 AM Lesson 2: Understanding DirectAccess Client Connections CHAPTER 6 255 ■ Teredo host-specifi. TemplatesNetworkTCPIPSettingsIPv6 Transition Technolo g ies. C066 270 9 3.indd 255 C066 270 9 3.indd 255 2/ 17/ 2010 10:24:14 AM2/ 17/ 2010 10:24:14 AM 256 CHAPTER 6 Understanding and Troubleshooting Remote Access. TCP/IP settings for the specifi ed network interface. C066 270 9 3.indd 257 C066 270 9 3.indd 2 57 2/ 17/ 2010 10:24:14 AM2/ 17/ 2010 10:24:14 AM 258 CHAPTER 6 Understanding and Troubleshooting Remote Access