MCITP Guide to Microsoft
Windows Server 2008 Server
Administration (Exam #70-646)
Chapter 10
Configuring Remote Access
Learning Objectives
• Understand Windows Server 2008 remote access
services
• Implement and manage a virtual private network
• Configure a VPN server
• Configure a dial-up remote access server
• Troubleshoot virtual private network and dial-up
remote access installations
Learning Objectives (cont’d.)
• Install and configure Terminal Services
Introduction to Remote Access
• Routing and Remote Access Services (RRAS)
– Enable routing and remote access through virtual
private networking and dial-up networking
• Virtual private network (VPN)
– Tunnel through a larger network that is restricted to
designated member clients only
• Dial-up networking
– Using a telecommunications line and a modem to dial
into a network or specific computers on a network
Introduction to Remote Access (cont’d.)
• Modem
– Modulator/demodulator
– Converts a transmitted digital signal to an analog
signal for a telephone line
– Converts a received analog signal to a digital signal
for use by a computer
• RRAS
– Turns server into a dial-up Remote Access Services
(RAS) server capable of handling hundreds of
simultaneous connections
Figure 10-1 A VPN network
Courtesy Course Technology/Cengage Learning
Implementing a Virtual Private Network
• VPN
– Uses LAN and tunneling protocols
– Encapsulates data as it is sent across a public
network
• Benefits of using a VPN
– Users can connect through a local ISP to the local
network
– Ensures that any data sent across a public network is
secure
– Encrypted tunnel
Using Remote Access Protocols
• Function of the remote access protocol
– Encapsulate a packet
– TCP/IP is the most commonly used transport protocol
• Encapsulated in a remote access protocol for transport
over a WAN
• Other legacy transport protocols
– IPX for legacy NetWare networks
– NetBEUI for legacy Microsoft networks
– Not supported by Windows Server 2008
Using Remote Access Protocols (cont’d.)
• Serial Line Internet Protocol (SLIP)
– Originally designed for UNIX environments
– Provides point-to-point communications using TCP/IP
• Compressed Serial Line Internet Protocol
(CSLIP)
– Newer version of SLIP
– Compresses header information in each packet
• SLIP and CSLIP do not support
– Network connection authentication
Using Remote Access Protocols (cont’d.)
– SLIP and CSLIP do not support (cont’d.)
• Automatic negotiation of the network connection through
multiple network connection layers at the same time
• Point-to-Point Protocol (PPP)
– Has more capability than SLIP
• Remote access protocols
– Point-to-Point Tunneling Protocol
– Layer Two Tunneling Protocol
– Secure Socket Tunneling Protocol
Using Remote Access Protocols (cont’d.)
• Point-to-Point Tunneling Protocol (PPTP)
– Offers PPP-based authentication techniques
– Encrypts data carried by PPTP using
Microsoft Point-to-Point Encryption
• Microsoft Point-to-Point Encryption (MPPE)
– Starting-to-ending-point encryption technique that
uses special encryption keys varying in length from
40 to 128 bits
Using Remote Access Protocols (cont’d.)
• Layer Two Tunneling Protocol (L2TP)
– Works similarly to PPTP
• IP Security (IPsec)
– IP-based secure communications and encryption
standards created through the Internet Engineering
Task Force (IETF)
• Secure Socket Tunneling Protocol (SSTP)
– Employs PPP authentication techniques
– Encapsulates data packet in the Hypertext Transfer
Protocol (HTTP)
Using Remote Access Protocols (cont’d.)
• Secure Sockets Layer (SSL)
– Data encryption technique employed between a
server and a client
• PPP, PPTP, and L2TP are available in:
– Windows 2000, Windows XP, Windows Vista,
Windows 7
– Windows 2000 Server, Windows Server 2003,
Windows Server 2008
• SSTP is available in:
– Windows Server 2008, Windows Vista, Windows 7
Using Remote Access Protocols (cont’d.)
Table 10-1 Communications technologies
Configuring a VPN Server
• Install Network Policy and Access Services role
• Configure a Microsoft Windows Server 2008 server
as a network’s VPN server
– Configure protocols to provide VPN access to clients
• Configure a VPN server as a DHCP Relay Agent for
TCP/IP communications
• Configure the VPN server properties
• Configure a remote access policy for security
Configuring a VPN Server (cont’d.)
• Windows Server 2008 requires at least two network
interfaces in the computer:
– One for the connection to the LAN
– One for a connection to the physical VPN network
• Activity 10-1: Installing Network Policy and Access
Services
– Objective: Learn how to install Routing and Remote
Access Services
• Activity 10-2: Setting Up a VPN Server
– Objective: Set up a VPN server
Configuring a VPN Server (cont’d.)
Table 10-2 Routing and remote access options
Configuring a VPN Server (cont’d.)
Table 10-3 Ports to open in the Windows Firewall for a VPN
Configuring a DHCP Relay Agent
• DHCP Relay Agent
– Broadcasts IP configuration information
– Use Routing and Remote Access tool to configure
VPN server as a DHCP Relay Agent
• Activity 10-3: Configuring a DHCP Relay Agent
– Objective: Set up a DHCP Relay Agent
• Activity 10-4: Additional DHCP Relay Agent
Configuration
– Objective: Configure the DHCP Relay Agent hop
count
Configuring VPN Properties
• Routing and Remote Access tool
– Right-click the VPN server in the tree
– Click Properties
Figure 10-9 Configuring the interface properties
Courtesy Course Technology/Cengage Learning
Configuring VPN Properties (cont’d.)
Figure 10-10 VPN server properties
Courtesy Course Technology/Cengage Learning
Configuring VPN Properties (cont’d.)
Table 10-4 VPN server properties tabs
Configuring Multilink and Bandwidth Allocation Protocol
• Multilink
– Combine or aggregate two or more communications
channels so they appear as one large channel
– Aggregated links
• Multilink must be implemented in the client as well as in
the server
– Older connection technology compared with DSL or
wireless metropolitan area networks
• Bandwidth Allocation Protocol (BAP)
– Ensure that a client’s connection has enough speed
or bandwidth for a particular application
Configuring Multilink and Bandwidth Allocation Protocol (cont’d.)
• Windows Server 2008 version of Multilink PPP
– Supports Bandwidth Allocation Control Protocol
(BACP)
– Selects a preferred client when two or more clients
vie for the same bandwidth
• Activity 10-5: Using Multilink
– Objective: Configure a VPN (or RAS) server to use
Multilink
Configuring VPN Security
• When a user accesses a VPN server:
– Access is protected by the account access security
that already applies
• Through a group policy or the default domain security
policy
• Elements of a Remote Access Policy
– Access permission
– Conditions
– Constraints
– Settings
Configuring VPN Security (cont’d.)
• Establishing a Remote Access Policy
– Use Routing and Remote Access tool
• Accessed via Administrative Tools or as an MMC snap-in
• Activity 10-6: Configuring a Remote Access Policy
– Objective: Configure a remote access policy
Configuring VPN Security (cont’d.)
Table 10-5 Authentication types
Figure 10-15 Encryption options
Courtesy Course Technology/Cengage Learning
Configuring VPN Security (cont’d.)
Table 10-6 RAS encryption options
Configuring a Dial-Up Remote Access Server
• Dial-up remote access server compatible with:
– Asynchronous modems
– Synchronous modems
– Null modem communications
– Regular dial-up telephone lines
– Leased telecommunication lines
– ISDN lines (and digital "modems")
– X.25 lines
– DSL lines
– Cable modem lines
– Frame relay lines
Configuring a Dial-Up Remote Access Server (cont’d.)
• Install RAS using Routing and Remote Access tool
– Steps very similar to installing a VPN server
Configuring Dial-Up Security
• Callback security
– Server calls back the remote computer
– Verify telephone number in order to discourage a
hacker
• Options available in Windows Server 2008:
– No Callback
– Set by Caller (Routing and Remote Access Service
only)
– Always Callback to
Configuring Dial-Up Security (cont’d.)
• Control network access permission
– Allow access
– Deny access
– Control access through NPS Network Policy
• Default selection
Configuring a Dial-Up Connection for a RAS Server
• Create other connections through the Network and
Sharing Center
• Activity 10-7: Configuring a Dial-Up Network
Connection
– Objective: Configure a dial-up connection for a dial-up
RAS server
Configuring Clients to Connect to RAS Through Dial-Up Access
• Common dial-up RAS clients
– Windows 98, 2000, XP, Vista, and 7
• Access a dial-up RAS server from other operating
systems
– Configure a dial-up connection on those clients
Configuring Clients to Connect to RAS Through Dial-Up Access (cont’d.)
Figure 10-17 Configuring a dial-up connection
Courtesy Course Technology/Cengage Learning
Troubleshooting VPN and Dial-Up RAS Installations
• Troubleshooting VPN or dial-up RAS server
communications problem
– Hardware and software troubleshooting tips
Hardware Solutions
• Use Device Manager to check network adapters,
WAN adapters, and modems
• Make sure the telephone line is plugged in
• For external modems:
– Make sure the modem cable is properly attached and that
you are using the proper cable type
• For internal modems or adapter cards:
– Check connection inside computer
Hardware Solutions (cont’d.)
• For a modem connection:
– Test the telephone wall connection and cable
• For an external DSL adapter or a combined DSL
adapter and router:
– Ensure device is properly configured and connected
• Call your ISP to determine if problems are present
on the ISP’s WAN
Software Solutions
• Use the Computer Management tool or Server
Manager to verify status of:
– Routing and Remote Access
– Remote Access Auto Connection Manager
– Remote Access Connection Manager services
• Ensure Windows Firewall is set up to allow remote
access
• Make sure VPN or dial-up RAS server is enabled
• Check the remote access policy to be sure that
access permission is granted
Software Solutions (cont’d.)
• Verify VPN or dial-up RAS server is started
• Check the network interface
• Ensure IP parameters are correctly configured to
provide an address pool for either a VPN or dial-up
RAS server
• If using a RADIUS server:
– Ensure it is connected and working properly and that
Internet Authentication Service (IAS) is installed
• Ensure the remote access policy is consistent with
the users’ access needs
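
The service checks in the Software Solutions list can be scripted. The following is an added example, not part of the original slides; the function name Test-RemoteAccessServices is hypothetical, and the short service names are the standard Windows names for the three display names on the slide.

```powershell
# Added example, not from the slide deck. Uses Get-WmiObject, which is
# available in the Windows PowerShell feature of Windows Server 2008.
# Assumption of this example: RasAuto starts on demand, so a stopped
# RasAuto is only reported when its start mode is Disabled.
$expected = @(
    @{ Name = 'RemoteAccess'; Display = 'Routing and Remote Access';             MustRun = $true  },
    @{ Name = 'RasMan';       Display = 'Remote Access Connection Manager';      MustRun = $true  },
    @{ Name = 'RasAuto';      Display = 'Remote Access Auto Connection Manager'; MustRun = $false }
)

function Test-RemoteAccessServices {
    param([string]$ComputerName = '.')

    foreach ($item in $expected) {
        # Win32_Service exposes the current state and the configured start mode.
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
                   -Filter "Name='$($item.Name)'"

        if ($null -eq $svc) {
            $state = 'NotInstalled'; $mode = 'n/a'
            $finding = 'Service not present on this server'
        }
        else {
            $state = $svc.State; $mode = $svc.StartMode
            if ($mode -eq 'Disabled') {
                $finding = 'Start mode is Disabled: the service cannot start'
            }
            elseif ($item.MustRun -and $state -ne 'Running') {
                $finding = 'Not running: start the service and check the System event log'
            }
            else {
                $finding = 'OK'
            }
        }

        # One result object per service, with a fixed column order.
        New-Object PSObject -Property @{
            Service = $item.Display; State = $state; StartMode = $mode; Finding = $finding
        } | Select-Object Service, State, StartMode, Finding
    }
}

$results = @(Test-RemoteAccessServices)
$results | Format-Table -AutoSize
```

A Disabled start mode on Routing and Remote Access corresponds to the "make sure VPN or dial-up RAS server is enabled" item: the server has not been enabled in the Routing and Remote Access tool.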
Connecting Through Terminal Services
• Terminal server
– Enables clients to run services and software
applications on Windows Server 2008 instead of at
the client
– Enables thin clients to perform most CPU-intensive
operations on the server
• Centralize control of how programs are used
• Install different role services for specific purposes:
– TS Web Access
– TS Gateway
Connecting Through Terminal Services (cont’d.)
Table 10-7 Terminal Services components
Connecting Through Terminal Services (cont’d.)
Table 10-8 Role services available through Terminal Services
Connecting Through Terminal Services (cont’d.)
• RemoteApp
– New feature
– Enables a client to run an application without loading
a remote desktop on the client computer
• TS Gateway
– Provides a secure way to use Terminal Services over
the Internet
Installing Terminal Services
• Install TS Licensing role service
– Manage terminal server user licenses obtained from
Microsoft
– Licenses can be purchased either per user account or
by client device
• Network Level Authentication (NLA)
– Enables authentication to take place before the
Terminal Services connection is established
– Thwarts would-be attackers
• Create groups of user accounts in advance
– Add these groups during installation
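
Whether Network Level Authentication is actually enforced on a terminal server can be read back from the registry. The following is an added example, not part of the original slides; the function names are hypothetical, and the registry locations are the standard Windows ones for the RDP listener and its Group Policy override, which the slides do not list.

```powershell
# Added example, not from the slide deck. Reads the effective NLA setting,
# giving a Group Policy value precedence over the local listener value.
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$serverKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$layerNames  = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-EffectiveSetting {
    param([string]$Name)
    $policy = Get-RegValue $policyKey $Name
    if ($null -ne $policy) {
        return New-Object PSObject -Property @{ Value = $policy; Source = 'Group Policy' }
    }
    New-Object PSObject -Property @{
        Value = (Get-RegValue $listenerKey $Name); Source = 'Local listener'
    }
}

function Get-RdpAuthReport {
    $nla   = Get-EffectiveSetting 'UserAuthentication'    # 1 = NLA required
    $layer = Get-EffectiveSetting 'SecurityLayer'         # see $layerNames
    $deny  = Get-RegValue $serverKey 'fDenyTSConnections' # 1 = connections refused

    if ($deny -eq 1) {
        $verdict = 'Remote connections are disabled on this server'
    }
    elseif ($nla.Value -eq 1) {
        $verdict = 'NLA required: users authenticate before a session is created'
    }
    else {
        $verdict = 'NLA not required: a session is set up before the user authenticates'
    }

    if ($null -eq $layer.Value) { $layerText = 'not set' }
    else { $layerText = $layerNames[[int]$layer.Value] }

    New-Object PSObject -Property @{
        NlaValue = $nla.Value; NlaSource = $nla.Source
        SecurityLayer = $layerText; Verdict = $verdict
    } | Select-Object NlaValue, NlaSource, SecurityLayer, Verdict
}

Get-RdpAuthReport | Format-List
```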
Installing Terminal Services (cont’d.)
• Activity 10-8: Installing Terminal Services
– Objective: Learn how to install the Terminal Services
role
Configuring Terminal Services
• Activity 10-9: Configuring Terminal Services
– Objective: Configure a terminal server
Configuring Terminal Services (cont’d.)
Table 10-11 Terminal Services permissions
Managing Terminal Services
• Terminal Services Manager
– Monitor the number of users connected to the
terminal server
– Add additional terminal servers to monitor
– Determine if a user session is active
– Determine which programs are running in a user’s
session
– Disconnect a user’s session or log off a user
– Reset a connection that is having trouble
– Send a message to a user
Managing Terminal Services (cont’d.)
• Activity 10-10: Using Terminal Services Manager
– Objective: Use Terminal Services Manager
Configuring Licensing
• Activate Terminal Services licensing server
• Configure licensing using TS Licensing Manager
• Activity 10-11: Using the TS Licensing Manager
– Objective: Use TS Licensing Manager
Accessing a Terminal Server from a Client
• Remote Desktop Connection (RDC)
– Client already installed in Windows 7, Windows Vista,
Windows Server 2008, and Windows XP
• Activity 10-12 (optional): Configuring Authentication
in Windows Vista or Windows 7
– Objective: Configure NLA authentication in Windows
Vista or Windows 7
Installing Applications on a Terminal Server
• Might need to reinstall some applications that were
installed before Terminal Services role
• Use Control Panel to uninstall them
• Reinstall applications
– In Control Panel Home view, click Programs
– Click Install Application on Terminal Server
Summary
• Routing and Remote Access Services includes
– Virtual private network (VPN) and dial-up services
• Remote access protocols include:
– SLIP, CSLIP, PPP, PPTP, L2TP, and SSTP
• Use Server Manager to install the Network Policy
and Access Services role
• VPN has many properties that can be configured
– Configure a remote access policy to govern how a
VPN server is accessed
Summary (cont’d.)
• When you configure dial-up remote access
– Also configure a DHCP Relay Agent, Multilink (if
used), and a remote access policy for security
• Use Server Manager to install the Terminal Services
role
– Configure Terminal Services client access licenses