Module 9: Configuring and Managing Remote Access Services
VPN Protocol Port Numbers
-1.Point-to-Point Tunneling Protocol (PPTP) 2. 1723/TCP -1.Layer Two Tunneling Protocol (L2TP) 2. 1701/TCP, 500/UDP, 4500/UDP (if using NAT) -1.Internet Key Exchange version 2 (IKEv2) 2. 1701/TCP, 500/UDP, 4500/UDP (if using NAT) -1. Secure Socket Tunneling Protocol (SSTP) 2. 443/TCP
VPN tunnels
-overlay network -provides encryption for network traffic -passes from a remote access client to a remote access server
Virtual private networks (VPNs)
-overlay network -provides encryption for network traffic -passes from a remote access client to a remote access server
dial-in permission
-permission -required for access to dial-up or VPN remote access -can be granted in properties of a user account or remote access policy
remote access policies
-policy -used by a RADIUS server -allow or prevent remote access based on characteristics of remote access connection
port forwarding/service forwarding
-process -whereby a NAT router forwards requests it receives on its external network interface to a server on internal network by service name or port number
remote access
-process -whereby a client accesses resource in an organization's network (e.g., DMZ) from outside of organization
VPN protocol
-protocol -provides VPN functionality between a remote access client and server
Transport Layer Security (TLS)
-protocol -provides data encryption for network traffic
Microsoft Point-to-Point Encryption (MPPE)
-protocol -provides data encryption for traffic -passes through a PPTP VPN
Generic Routing Encapsulation (GRE)
-protocol -provides for tunneling of other protocols
Remote Access Dial-IN User Authentication service (RADIUS)
-protocol -used to centralize authentication and logging for remote access and other technologies
Point-to-Point Protocol (PPP)
-protocol -used to transfer data between 2 devices, often across a telephone network -Dial-up remote access and PPPoE use PPP to transfer data
Remote Desktop Protocol (RDP)
-protocol -used by Remote Desktop to transfer info between a remote access client and server
Point-to-Point Protocol over Ethernet (PPPoE)
-protocol -used to transfer data using DSL
constraints
-remote access characteristic -enforced by a remote access policy
DirectAccess
-remote access tech -automatically creates IPSec tunnels to a remote access server when remote access clients are outside of organization
Next Generation Firewall (NGFW)
-router -provides additional security capabilities -like malware filtering and intrusion prevention
Remote Desktop Services
-service on a Windows Server 2019 system -provide for Remote Desktop
IP Security (IPSec)
-suite of protocols -used to provide data encryption for IPv4 and IPv6 packets
last mile technologies
-tech -connects an organization network to an ISP
reverse proxy
-tech -obtains server resources on behalf of a client
9-3c: Connecting to a VPN Server
no notes
9-3d: Creating a Demand-Dial Interface
no notes
9-7a: Installing Remote Desktop Services
no notes
9-7b: Configuring Remote Desktop Services
no notes
RADIUS client
-network device or server -forwards authentication and logging requests to a RADIUS server for validation
RemoteApp and Desktop Connections
-Control Panel tool -used to connect to Remote Desktop sessions and RemoteApp programs
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
-A version of CHAP supported natively by Microsoft operating systems -provides stronger authentication mechanisms. -In addition to authenticating user credentials -MS-CHAP v2 performs authentication for the computers involved in connection and varies encryption keys with each new connection.
Accounting folder hyperlinks to modify logging configuration
-Change Log File Properties: allows you to modify the events that are logged, as well as log file format, folder, and rotation (e.g., daily, weekly, monthly). -Change SQL Server Logging Properties: allows you to configure RADIUS server to log events to a table in a database on an SQL server. -Configure Accounting: starts a wizard that guides you through process of configuring log file properties and SQL server logging.
The 2 folders under Polices Section
-Connect Request Policies -Network Policies
Role service: Remote Desktop Licensing
-Description: Allows you to add and manage licenses required for Remote Desktop Services. Remote Desktop Services provides a 120-day grace period. After this period, you must purchase licenses from Microsoft and configure this service to continue using Remote Desktop Services. -Ports: none
Role service: Remote Desktop Connection Broker
-Description: If multiple Remote Desktop Session Host or Remote Desktop Virtualization Host servers are used, it allows remote access users ability to reconnect to a disconnected remote desktop session, as well as balances requests for remote desktop sessions across servers. -Ports: 443/TCP, 3389/TCP, 3389/UDP
Role service: Remote Desktop Web Access
-Description: Provides access to RemoteApp programs configured by Remote Desktop Session Host or Remote Desktop Virtualization Host, as well as access to Remote Desktop sessions through a Web browser using HTTPS. This role requires that you install an HTTPS certificate. -Ports: 443/TCP
Role service: Remote Desktop Session Host
-Description: Provides for session-based desktop deployment and RemoteApp using RDP. This role uses a self-signed HTTPS certificate when authenticating users. -Ports: 443/TCP, 3389/TCP, 3389/UDP
Role service: Remote Desktop Virtualization Host
-Description: Provides for virtual machine-based desktop deployment and RemoteApp using RDP. This role uses a self-signed HTTPS certificate when authenticating users. -Ports: 443/TCP, 3389/TCP, 3389/UDP
Role service: Remote Desktop Gateway
-Description: When users connect to a Remote Desktop Session Host or Remote Desktop Virtualization Host server using RDP, this service ensures that all RDP traffic between remote access server and client is encrypted by enclosing each RDP packet in an HTTPS packet. This role requires that you install an HTTPS certificate. -Ports: 443/TCP
Common last mile technologies used to connect to an ISP
-Digital subscriber line (DSL): uses a telephone network -Cable broadband: uses a television cable network -Gigabit Passive Optical Network (GPON): uses fiber optic cable -Long-range Wi-Fi: uses radio wireless, often using wireless transmitters positioned in a line of sight
DirectAccess Connectivity Assistant
-DirectAccess component on a Windows 7 Ultimate or Enterprise edition computer
network location server
-DirectAccess server -probed by remote access clients -determine whether they are inside or outside of organization
Network Connectivity Assistant
-DirectAccess service on a Windows 8 Enterprise or later computer -connects to network location server
Challenge Handshake Authentication Protocol (CHAP)
-Does not transmit user passwords across the network, but uses password to generate a hash of a message that is validated by the other system using a challenge and response mechanism. -While CHAP is widely supported by many different operating systems and technologies -cannot be used for PPTP VPNs.
Available constraints
-Idle Timeout: Specifies maximum amount of time a remote access session can remain idle before it is disconnected by the remote access server. The option shown in Figure 9-23 disconnects remote access sessions if remote access client does not send traffic to remote access server for 5 minutes. -Session Timeout: Specifies maximum amount of time before an active remote access session is disconnected by remote access server. -Called Station ID: Specifies phone number of the dial-up remote access server (only used for dial-up remote access). -Day and time restrictions Specifies days and times that remote access sessions are allowed. If an active remote access session persists beyond allowed time specified, it is disconnected by the remote access server. -NAS Port Type: Specifies type of network connections (e.g., Ethernet, wireless) that are allowed when connecting to the remote access server.
available configuration settings for remote access client
-Multilink and Bandwidth Allocation Protocol (BAP): Configures settings that allow multiple dial-up remote access connections to be used together in order to increase bandwidth. -IP Filters: Configures custom firewall filters for IPv4 and IPv6 traffic. -Encryption: Configures encryption levels for MPPE. -IP Settings: Specifies how IP configuration is determined for remote access client. default setting obtains IP configuration using method specified on the remote access server.
Microsoft VPN Authentication Methods
-Password Authentication Protocol (PAP) -Challenge Handshake Authentication Protocol (CHAP) -Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) -Extensible Authentication Protocol (EAP)
When you implement a remote access server using Windows Server 2019, 4 different VPN protocols are supported
-Point-to-Point Protocol (PPTP) -Layer Two Tunneling Protocol (L2TP) -Internet Key Exchange version 2 (IKEv2) -Secure Socket Tunneling Protocol (SSTP)
session-based desktop deployment
-Remote Desktop Services deployment type -provides Remote Desktop sessions to a remote access server
virtual machine-based desktop deployment
-Remote Desktop Services deployment type -provides Remote Desktop sessions to a Hyper-V virtual machine running on a remote access server
RemoteApp
-Remote Desktop feature -allows individual programs to be accessed on a remote access client using RDP
Network Policy and Access Services
-Windows Server 2019 server role -provides RADIUS services
Extensible Authentication Protocol (EAP)
-This is not an authentication method as much as it is an authentication system that allows multiple authentication methods to be configured. -client and server can negotiate which EAP authentication method to use. --default EAP authentication methods included with Windows Server 2019 include EAP-MSCHAP v2, Protected EAP (PEAP), and Smart Card or other certificate (also called EAP-TLS).
Password Authentication Protocol (PAP)
-Transmits user passwords across network in plain text (unencrypted). -This makes it unsuitable for use except as a last resort for clients that support no other authentication methods.
Remote Access
-Windows Server 2019 server role -provides for routing, as well as dial-up, VPN, and DirectAccess remote access
custom remote access server configuration services
-VPN access: Allows remote access clients to connect to remote access server using a VPN, and should be selected at minimum. -Dial-up access: Allows remote access clients to dial into a modem bank connected to remote access server (dial-up remote access). -Demand-dial connections: Allows you to create a demand-dial interface to connect to a VPN on a remote router in order to protect traffic that is sent to another network across the Internet. This option is typically selected if remote access server is configured as a LAN router or NAT router that is connected to the demarc. -NAT: Allows you to configure server as a NAT router. -LAN routing: Configures server as a LAN router. This option should be selected if you plan to use a different IP network for your VPN and DMZ, or if you plan to obtain IP configuration for your VPN using a DHCP relay agent.
split tunneling
-VPN configuration -prevents remote access client from forwarding all network traffic to VPN
Layer Two Tunneling Protocol (L2TP)
-VPN protocol -uses IPSec to encrypt data transfer
Internet Key Exchange version 2 (IKEv2)
-VPN protocol -uses IPSec to encrypt data transfer on networks
Point-to-Point Tunneling Protocol (PPTP)
-VPN protocol -uses MPPE to encrypt data transfer
Secure Socket Tunneling Protocol (SSTP)
-VPN protocol -uses HTTPS packets to transfer data on networks
Remote Desktop app
-app on a remote access client -creates a Remote Desktop session to a remote access server using RDP
remote access clients
-computer -accesses a network sing remote access
remote access server
-computer or device -provides remote access to a network
Connection Request Policies
-contains policies -used to determine whether a remote access request is authenticated by local RADIUS server or forwarded to a remote RADIUS server for authentication. -There is a default policy in this folder called Microsoft Routing and Remote Access Service Policy -allows the local RADIUS server to authenticate VPN remote access requests. -However, you can modify this policy to forward requests to a remote RADIUS server group (that includes one or more RADIUS servers) for authentication. -For example, you could configure default policy on a branch office RADIUS server to forward authentication requests to a head office RADIUS server group. -To create a remote RADIUS server group, you can right-click Remote RADIUS Server Groups and click New.
Network Polices
-contains remote access policies -used to determine whether a remote access client is allowed remote access, as well as any remote access characteristics (called constraints) that must be met for remote access. -You can create multiple remote access policies in this folder -provide unique sets of constraints for different types of remote access clients. Moreover, each remote access policy contains conditions that must be met for the policy to apply to the remote access client. -Remote access policies are processed in the order that they are listed in this folder, and remote access clients receive the first policy with conditions they match, ignoring all other remote access policies. The two default remote access policies deny remote access requests from Microsoft and other (non-Microsoft) remote access servers, and contain a Processing Order value -ensures they are only processed after other remote access policies.
Remote Desktop Connection
-default Remote Desktop app -used on Windows systems
demarcation point/demarc
-device or router in an organization -uses a last mile tech to connect to an ISP
dial-up remote access
-form of remote access -remote access client uses a modem to connect to a modem bank on a remote access server, using PPP
Remote Access Management Console
-graphical configuration tool for managing DirectAccess -as well as monitoring DirectAccess and VPN connections
Network Policy Server
-graphical tool -configures and manages RADIUS
Routing and Remote Access
-graphical tool -configures and manages routing, as well as dial-up and VPN remote access
collections
-group of remote access servers -provide Remote Desktop
Gigabit Passive Optical Network (GPON)
-last mile tech -transfer data across a fiber optic network
Cable broadband
-last mile tech -transfers data across a cable television network
Digital subscriber line (DSL)
-last mile tech -transfers data across a telephone network
Long-range Wi-Fi
-last mile tech -uses modified antenna or signaling methods to achieve a longer Wi-Fi signal range between 2 devices or computers
Secure Sockets Layer (SSL)
-legacy protocol -provides data encryption for network traffic
overlay network
-logical network -functions n an existing physical network
Remote Desktop
-method of remote access -provides remote access clients with a graphical desktop on a remote access server
demand-dial interface
-virtual network interface on a router -used to create a VPN to another router to protect traffic passing to a destination network
Microsoft provides 3 main remote access technologies that can be used to obtain access to servers in a DMZ from across the Internet
-virtual private networks (VPNs) -DirectAccess -Remote Desktop Services
Services Available for the Remote Desktop Services Server Role
down below